
IDP & Crypt AQLW Trojan DDS Log pasted.



osjknights
2012-04-21, 18:30
I am affected with the IDP & Crypt AQLW Trojan

Below is the DDS Log.

I am running AVG, which has removed infected files, and I have renamed the file ping.exe with .tmp

I have used Malwarebytes and Spy Hunter without any success.

Osjknights.



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Dr Michael Foster at 16:44:25 on 2012-04-21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2149 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\FaxTalk\FTClCtrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Magic Formation\MagicFormation.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SolidDocuments\SolidPDFCreator\SPC\SolidPdfService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\winfax\WFXMOD32.EXE
C:\Program Files\FaxTalk\FTmsgsvc.exe
C:\Program Files\FaxTalk\FAPIEXE.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG2012\avgui.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www2.prestel.co.uk/church/oosj/osj.htm
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
mRun: [WFXSwtch] c:\progra~1\winfax\WFXSWTCH.exe
mRun: [WinFaxAppPortStarter] wfxsnt40.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [nwiz] nwiz.exe /install
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [FaxTalk FaxCenter Pro 8] "c:\program files\faxtalk\FTClCtrl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NSU_agent] "c:\program files\nokia\nokia software updater\nsu3ui_agent.exe"
mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter4.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\magicf~1.lnk - c:\program files\magic formation\MagicFormation.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\windows\installer\{91110409-6000-11d3-8cfe-0150048383c9}\outicon.exe
uPolicies-explorer: EditLevel = 0 (0x0)
uPolicies-explorer: NoCommonGroups = 0 (0x0)
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Backward &Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1272219582312
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1272219964125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{66288D8B-0BDD-49CD-A8BF-F60503515F72} : DhcpNameServer = 192.168.1.254
Handler: AutorunsDisabled\belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - c:\program files\winfax\WfxSeh32.Dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-3-11 56208]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 295248]
R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [2010-5-7 16048]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\34302\RapportCerberus32_34302.sys [2011-12-15 228208]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-3-11 71440]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-3-11 164112]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-11-13 116608]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [2010-7-31 162096]
R2 FaxTalk FaxCenter Pro 8;FaxTalk FaxCenter Pro 8;c:\program files\faxtalk\FTmsgsvc.exe [2011-9-23 33120]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-4-21 654408]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-3-11 931640]
R2 SdReadSpool;SolidPDFCreatorReadSpool;c:\program files\soliddocuments\solidpdfcreator\spc\SolidPdfService.exe [2009-3-18 189696]
R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\enigma~1\spyhun~1\SH4SER~1.EXE [2012-1-18 737184]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 16720]
R3 esgiguard;esgiguard;c:\program files\enigma software group\spyhunter\esgiguard.sys [2011-5-6 13904]
R3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2010-4-10 266544]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-4-21 22344]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
S2 ccevtmgr;Bdfdll;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-14 136176]
S2 navapel;SaiNtBus;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-3 253088]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-4-28 1691480]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-7-14 136176]
S3 ham50;Intel V92 HaM Data Fax Voice;c:\windows\system32\drivers\IntelH51.sys [2009-4-18 469935]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2012-1-15 137600]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2012-1-15 8576]
S3 RapportIaso;RapportIaso;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\RapportIaso.sys [2011-7-19 21520]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]
.
=============== Created Last 30 ================
.
2012-04-21 08:26:33 -------- d-----w- c:\documents and settings\dr michael foster\application data\Malwarebytes
2012-04-21 08:26:19 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-04-21 08:26:18 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-21 08:26:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-21 08:25:42 -------- d-----w- C:\Malwarebytes
2012-04-20 17:49:14 4948 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-04-20 17:40:28 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-04-20 14:55:45 110080 ----a-r- c:\documents and settings\dr michael foster\application data\microsoft\installer\{4e0c6314-a8b8-4026-ac15-084e8b63afb5}\IconF7A21AF7.exe
2012-04-20 14:55:45 110080 ----a-r- c:\documents and settings\dr michael foster\application data\microsoft\installer\{4e0c6314-a8b8-4026-ac15-084e8b63afb5}\IconD7F16134.exe
2012-04-20 14:55:45 110080 ----a-r- c:\documents and settings\dr michael foster\application data\microsoft\installer\{4e0c6314-a8b8-4026-ac15-084e8b63afb5}\IconCF33A0CE.exe
2012-04-20 14:55:39 -------- d-----w- C:\sh4ldr
2012-04-20 14:55:39 -------- d-----w- c:\program files\Enigma Software Group
2012-04-20 14:54:49 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-04-20 14:51:45 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2012-04-20 14:51:44 -------- d-----w- c:\documents and settings\dr michael foster\application data\TestApp
2012-04-20 14:20:53 664 ----a-w- c:\windows\system32\x(dat)d3d9caps.dat.tmp
2012-04-20 14:00:41 0 --sha-w- c:\windows\system32\x(cmd)dds_trash_log.cmd.tmp
2012-04-20 14:00:40 -------- d-----w- c:\documents and settings\all users\application data\B7E8587A4FE3ECF660BFD1C8D151FC4E
2012-04-04 15:18:29 -------- d-----w- c:\program files\Copy of WinFax
2012-04-04 14:18:04 -------- d-----w- c:\program files\winfax
2012-04-04 05:53:56 182160 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2012-04-03 07:25:03 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-24 16:12:21 -------- d-----w- c:\program files\Attribute Changer
.
==================== Find3M ====================
.
2012-04-20 14:14:26 80428 ----a-w- c:\windows\system32\x(dat)perfc009.dat.tmp
2012-04-20 14:14:26 553232 ----a-w- c:\windows\system32\x(INI)PerfStringBackup.INI.tmp
2012-04-20 14:14:26 462756 ----a-w- c:\windows\system32\x(dat)perfh009.dat.tmp
2012-04-13 17:58:09 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 14:18:09 41 ----a-w- c:\windows\WFXDEL.BAT
2012-03-11 12:48:50 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ------w- c:\windows\system32\html.iec
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 16:45:05.26 ===============

jeffce
2012-04-22, 04:30
Hi and Welcome!! :) My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE : Please do not delete anything unless instructed to.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.

Vista and Windows 7 users:
These tools MUST be run from the executable (.exe) every time you run them
with Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

First we need to make all files and folders VISIBLE:

Go to start>control panel>folder options>view
Choose to "show hidden files and folders,"
Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
Close the window with OK
---------

**WARNING** Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.

If you would like to format and reinstall your Operating System please let me know and we can assist you with that.

If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help. :)
----------


Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop.

Right click and Run as Administrator the aswMBR icon to run it.
Click the Scan button to start scan.
When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

----------

osjknights
2012-04-22, 12:19
I could not sign in as Administrator (although I have never set a password, the dialogue asked for one).

Here is the Scan Result;

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-22 08:18:41
-----------------------------
08:18:41.140 OS Version: Windows 5.1.2600 Service Pack 3
08:18:41.140 Number of processors: 4 586 0xF0B
08:18:41.140 ComputerName: KNIGHTS-2EE6007 UserName:
08:18:43.000 Initialize success
08:20:05.656 AVAST engine defs: 12042101
08:20:40.093 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
08:20:40.093 Disk 0 Vendor: WDC_WD2500JS-55NCB1 10.02E01 Size: 238475MB BusType: 3
08:20:40.093 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
08:20:40.093 Disk 1 Vendor: WDC_WD10EARS-00MVWB0 51.0AB51 Size: 953869MB BusType: 3
08:20:40.125 Disk 0 MBR read successfully
08:20:40.125 Disk 0 MBR scan
08:20:40.171 Disk 0 Windows XP default MBR code
08:20:40.171 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238464 MB offset 63
08:20:40.171 Disk 0 scanning sectors +488376000
08:20:40.281 Disk 0 scanning C:\WINDOWS\system32\drivers
08:20:40.765 File: C:\WINDOWS\system32\drivers\afd.sys **INFECTED** Win32:Aluroot-C [Rtk]
08:20:53.609 Disk 0 trace - called modules:
08:20:53.625 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8a621fd0]<<
08:20:53.625 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ae6dab8]
08:20:53.640 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> [0x8aa45920]
08:20:53.640 \Driver\00002377[0x8acbd270] -> IRP_MJ_CREATE -> 0x8a621fd0
08:20:54.812 AVAST engine scan C:\WINDOWS
08:21:03.453 AVAST engine scan C:\WINDOWS\system32
08:21:08.750 File: C:\WINDOWS\system32\bc_ip_f.dll **INFECTED** Win32:Sirefef-SM [Trj]
08:21:49.234 File: C:\WINDOWS\system32\MA8032M.dll **INFECTED** Win32:Sirefef-SM [Trj]
08:22:19.250 File: C:\WINDOWS\system32\ose.dll **INFECTED** Win32:Sirefef-SM [Trj]
08:23:56.937 AVAST engine scan C:\WINDOWS\system32\drivers
08:23:57.484 File: C:\WINDOWS\system32\drivers\afd.sys **INFECTED** Win32:Aluroot-C [Rtk]
08:24:16.812 AVAST engine scan C:\Documents and Settings\Dr Michael Foster
08:49:24.812 AVAST engine scan C:\Documents and Settings\All Users
09:28:45.921 Scan finished successfully
09:58:06.968 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Dr Michael Foster\My Files\MBR.dat"
09:58:06.968 The log file has been saved successfully to "C:\Documents and Settings\Dr Michael Foster\My Files\aswMBR.txt"


10:04:16.671 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Dr Michael Foster\My Files\MBR.dat"
10:04:16.843 The log file has been saved successfully to "C:\Documents and Settings\Dr Michael Foster\My Files\aswMBR.txt"

osjknights
2012-04-22, 14:02
PS Jeff - Thanks for assisting me. Michael.

jeffce
2012-04-22, 20:28
Hi,

Looks like we have quite an infection here.

Please download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.exe)

Double-click to run TDSSKiller.exe
Press Change Parameters
Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
Click on the Start Scan button

Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Copy and paste the log in your next reply

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.

----------

osjknights
2012-04-22, 21:52
The program did not offer a choice on delete or cure, but listed Delete, or Copy to Quarantine or Skip - and made its own judgement according to assessment of risk - then when I pressed continue it states "cure in progress" and then asked for reboot which I have not yet done. I await your OK on the Report.

Here is the report - I await to reboot - but do not wish to lose valuable files. I do have a second hard disk "F" with Windows 7, to which I can reboot if I wish, but prefer to use my XP system which is now infected.

Also Windows Explorer will not fire up. I have one window open; if I lose that I cannot access any files!

Report


20:42:53.0531 1144 TDSS rootkit removing tool 2.7.31.0 Apr 20 2012 19:49:47
20:42:54.0015 1144 ============================================================
20:42:54.0015 1144 Current date / time: 2012/04/22 20:42:54.0015
20:42:54.0015 1144 SystemInfo:
20:42:54.0015 1144
20:42:54.0015 1144 OS Version: 5.1.2600 ServicePack: 3.0
20:42:54.0015 1144 Product type: Workstation
20:42:54.0015 1144 ComputerName: KNIGHTS-2EE6007
20:42:54.0015 1144 UserName: Dr Michael Foster
20:42:54.0015 1144 Windows directory: C:\WINDOWS
20:42:54.0015 1144 System windows directory: C:\WINDOWS
20:42:54.0015 1144 Processor architecture: Intel x86
20:42:54.0015 1144 Number of processors: 4
20:42:54.0015 1144 Page size: 0x1000
20:42:54.0015 1144 Boot type: Normal boot
20:42:54.0015 1144 ============================================================
20:42:54.0593 1144 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
20:42:54.0609 1144 Drive \Device\Harddisk1\DR1 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1F8B1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000054
20:42:54.0671 1144 Drive \Device\Harddisk2\DR5 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x7E2D, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'W'
20:42:54.0718 1144 Drive \Device\Harddisk7\DR21 - Size: 0x3BA800000 (14.91 Gb), SectorSize: 0x200, Cylinders: 0x79A, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
20:42:54.0718 1144 \Device\Harddisk0\DR0:
20:42:54.0718 1144 MBR partitions:
20:42:54.0718 1144 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1D1C0681
20:42:54.0718 1144 \Device\Harddisk1\DR1:
20:42:54.0718 1144 MBR partitions:
20:42:54.0718 1144 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
20:42:54.0718 1144 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x746D3800
20:42:54.0718 1144 \Device\Harddisk2\DR5:
20:42:54.0718 1144 MBR partitions:
20:42:54.0718 1144 \Device\Harddisk2\DR5\Partition0: MBR, Type 0x7, StartLBA 0xABE800, BlocksNum 0x2EE000
20:42:54.0718 1144 \Device\Harddisk2\DR5\Partition1: MBR, Type 0x7, StartLBA 0xDAC800, BlocksNum 0x1C418800
20:42:54.0718 1144 \Device\Harddisk7\DR21:
20:42:54.0718 1144 MBR partitions:
20:42:54.0718 1144 \Device\Harddisk7\DR21\Partition0: MBR, Type 0xC, StartLBA 0x1F80, BlocksNum 0x1DD2080
20:42:54.0781 1144 C: <-> \Device\Harddisk0\DR0\Partition0
20:42:54.0781 1144 E: <-> \Device\Harddisk1\DR1\Partition0
20:42:54.0812 1144 F: <-> \Device\Harddisk1\DR1\Partition1
20:42:54.0812 1144 L: <-> \Device\Harddisk2\DR5\Partition0
20:42:54.0812 1144 M: <-> \Device\Harddisk2\DR5\Partition1
20:42:54.0812 1144 Initialize success
20:42:54.0812 1144 ============================================================
20:43:01.0953 2240 ============================================================
20:43:01.0953 2240 Scan started
20:43:01.0953 2240 Mode: Manual; SigCheck; TDLFS;
20:43:01.0953 2240 ============================================================
20:43:02.0656 2240 !SASCORE (c0393eb99a6c72c6bef9bfc4a72b33a6) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
20:43:02.0765 2240 !SASCORE - ok
20:43:02.0906 2240 3combootp (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\SaiU040B.dll
20:43:02.0937 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\SaiU040B.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:02.0937 2240 3combootp ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:02.0937 2240 3combootp - detected Backdoor.Multi.ZAccess.gen (0)
20:43:03.0015 2240 48309816 (58169ffb207940d4d84b4e85db02cc1e) C:\WINDOWS\system32\drivers\36856496.sys
20:43:03.0093 2240 55688713 (58169ffb207940d4d84b4e85db02cc1e) C:\WINDOWS\system32\drivers\20783334.sys
20:43:03.0156 2240 75860562 (58169ffb207940d4d84b4e85db02cc1e) C:\WINDOWS\system32\drivers\44860080.sys
20:43:03.0218 2240 79782063 (58169ffb207940d4d84b4e85db02cc1e) C:\WINDOWS\system32\drivers\25315525.sys
20:43:03.0234 2240 Abiosdsk - ok
20:43:03.0234 2240 abp480n5 - ok
20:43:03.0312 2240 acmservice (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\pnkbstra.dll
20:43:03.0343 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\pnkbstra.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:03.0343 2240 acmservice ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:03.0343 2240 acmservice - detected Backdoor.Multi.ZAccess.gen (0)
20:43:03.0406 2240 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:43:03.0859 2240 ACPI - ok
20:43:03.0890 2240 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
20:43:03.0984 2240 ACPIEC - ok
20:43:04.0000 2240 adaptecstoragemanageragent - ok
20:43:04.0031 2240 adfs (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\tifm.dll
20:43:04.0031 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\tifm.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:04.0031 2240 adfs ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:04.0031 2240 adfs - detected Backdoor.Multi.ZAccess.gen (0)
20:43:04.0109 2240 AdobeFlashPlayerUpdateSvc (459ac130c6ab892b1cd5d7544626efc5) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
20:43:04.0125 2240 AdobeFlashPlayerUpdateSvc - ok
20:43:04.0140 2240 adpu160m - ok
20:43:04.0140 2240 adsexpb - ok
20:43:04.0203 2240 ADSMService (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\vpcvmm.dll
20:43:04.0343 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\vpcvmm.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:04.0343 2240 ADSMService ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:04.0343 2240 ADSMService - detected Backdoor.Multi.ZAccess.gen (0)
20:43:04.0468 2240 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
20:43:04.0562 2240 aec - ok
20:43:04.0640 2240 AFD (c72ab380d32c2bf8bcb62504f1998254) C:\WINDOWS\System32\drivers\afd.sys
20:43:04.0734 2240 AFD ( UnsignedFile.Multi.Generic ) - warning
20:43:04.0734 2240 AFD - detected UnsignedFile.Multi.Generic (1)
20:43:04.0765 2240 Aha154x - ok
20:43:04.0781 2240 aic78u2 - ok
20:43:04.0796 2240 aic78xx - ok
20:43:04.0796 2240 alcxsens - ok
20:43:04.0859 2240 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
20:43:04.0968 2240 Alerter - ok
20:43:04.0968 2240 alertservice - ok
20:43:04.0984 2240 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
20:43:05.0046 2240 ALG - ok
20:43:05.0218 2240 AliIde - ok
20:43:06.0406 2240 Ambfilt (267fc636801edc5ab28e14036349e3be) C:\WINDOWS\system32\drivers\Ambfilt.sys
20:43:06.0593 2240 Ambfilt - ok
20:43:06.0875 2240 amdk7 - ok
20:43:06.0968 2240 amsint - ok
20:43:07.0171 2240 Apple Mobile Device (20f6f19fe9e753f2780dc2fa083ad597) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
20:43:07.0187 2240 Apple Mobile Device - ok
20:43:07.0328 2240 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
20:43:07.0375 2240 AppMgmt - ok
20:43:07.0406 2240 ar5211 - ok
20:43:07.0437 2240 arkbcfltr - ok
20:43:07.0515 2240 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
20:43:07.0609 2240 Arp1394 - ok
20:43:07.0625 2240 asc - ok
20:43:07.0625 2240 asc3350p - ok
20:43:07.0640 2240 asc3550 - ok
20:43:07.0765 2240 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
20:43:07.0781 2240 aspnet_state - ok
20:43:07.0968 2240 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:43:08.0062 2240 AsyncMac - ok
20:43:08.0109 2240 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:43:08.0203 2240 atapi - ok
20:43:08.0265 2240 Atdisk - ok
20:43:08.0328 2240 atiavaiw (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\UVCFTR.dll
20:43:08.0343 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\UVCFTR.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:08.0343 2240 atiavaiw ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:08.0343 2240 atiavaiw - detected Backdoor.Multi.ZAccess.gen (0)
20:43:08.0421 2240 atimtag (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\imountsrv.dll
20:43:08.0453 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\imountsrv.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:08.0453 2240 atimtag ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:08.0453 2240 atimtag - detected Backdoor.Multi.ZAccess.gen (0)
20:43:08.0562 2240 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:43:08.0656 2240 Atmarpc - ok
20:43:08.0718 2240 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
20:43:08.0828 2240 AudioSrv - ok
20:43:08.0890 2240 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
20:43:08.0984 2240 audstub - ok
20:43:09.0265 2240 AVGIDSAgent (6d440ff3f44ca72edfd6176c6d6a89c0) C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
20:43:09.0437 2240 AVGIDSAgent - ok
20:43:09.0484 2240 AVGIDSDriver (4fa401b33c1b50c816486f6951244a14) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
20:43:09.0484 2240 AVGIDSDriver - ok
20:43:09.0531 2240 AVGIDSEH (69578bc9d43d614c6b3455db4af19762) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
20:43:09.0546 2240 AVGIDSEH - ok
20:43:09.0562 2240 AVGIDSFilter (6df528406aa22201f392b9b19121cd6f) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
20:43:09.0578 2240 AVGIDSFilter - ok
20:43:09.0640 2240 AVGIDSShim (1e01c2166b5599802bcd61b9691f7476) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
20:43:09.0640 2240 AVGIDSShim - ok
20:43:09.0687 2240 Avgldx86 (bf8118cd5e2255387b715b534d64acd1) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
20:43:09.0703 2240 Avgldx86 - ok
20:43:09.0734 2240 Avgmfx86 (1c77ef67f196466adc9924cb288afe87) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
20:43:09.0734 2240 Avgmfx86 - ok
20:43:09.0765 2240 Avgrkx86 (f2038ed7284b79dcef581468121192a9) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
20:43:09.0781 2240 Avgrkx86 - ok
20:43:09.0859 2240 Avgtdix (a6d562b612216d8d02a35ebeb92366bd) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
20:43:09.0875 2240 Avgtdix - ok
20:43:09.0906 2240 avgwd (6699ece24fe4b3f752a66c66a602ee86) C:\Program Files\AVG\AVG2012\avgwdsvc.exe
20:43:09.0921 2240 avgwd - ok
20:43:09.0984 2240 avpnnic (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\ikfileflt.dll
20:43:10.0015 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\ikfileflt.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:10.0015 2240 avpnnic ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:10.0015 2240 avpnnic - detected Backdoor.Multi.ZAccess.gen (0)
20:43:10.0109 2240 backupclientsvc (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\ARCSOFTVIRTUALCAPTURE.dll
20:43:10.0156 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\ARCSOFTVIRTUALCAPTURE.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:10.0156 2240 backupclientsvc ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:10.0156 2240 backupclientsvc - detected Backdoor.Multi.ZAccess.gen (0)
20:43:10.0234 2240 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys
20:43:10.0265 2240 BANTExt ( UnsignedFile.Multi.Generic ) - warning
20:43:10.0265 2240 BANTExt - detected UnsignedFile.Multi.Generic (1)
20:43:10.0359 2240 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
20:43:10.0468 2240 Beep - ok
20:43:10.0468 2240 belmonitorservice - ok
20:43:10.0546 2240 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
20:43:10.0640 2240 BITS - ok
20:43:10.0687 2240 bobo (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\agnwifi.dll
20:43:10.0687 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\agnwifi.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:10.0687 2240 bobo ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:10.0687 2240 bobo - detected Backdoor.Multi.ZAccess.gen (0)
20:43:10.0781 2240 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
20:43:10.0875 2240 Browser - ok
20:43:10.0890 2240 BrUsbSer - ok
20:43:10.0984 2240 btcsrusb (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\AtiHdmiService.dll
20:43:10.0984 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\AtiHdmiService.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:10.0984 2240 btcsrusb ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:10.0984 2240 btcsrusb - detected Backdoor.Multi.ZAccess.gen (0)
20:43:11.0062 2240 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
20:43:11.0156 2240 BthEnum - ok
20:43:11.0187 2240 BTHMODEM (fca6f069597b62d42495191ace3fc6c1) C:\WINDOWS\system32\DRIVERS\bthmodem.sys
20:43:11.0265 2240 BTHMODEM - ok
20:43:11.0312 2240 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
20:43:11.0437 2240 BthPan - ok
20:43:11.0484 2240 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
20:43:11.0531 2240 BTHPORT - ok
20:43:11.0562 2240 BthServ (f4c43c66471b87996d95db7a3a664a37) C:\WINDOWS\System32\bthserv.dll
20:43:11.0671 2240 BthServ - ok
20:43:11.0703 2240 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
20:43:11.0781 2240 BTHUSB - ok
20:43:11.0828 2240 btwdndis (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\Shockprf.dll
20:43:11.0828 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\Shockprf.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:11.0828 2240 btwdndis ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:11.0828 2240 btwdndis - detected Backdoor.Multi.ZAccess.gen (0)
20:43:11.0843 2240 C-Dilla - ok
20:43:11.0890 2240 Cap7134 (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\CdaC15BA.dll
20:43:11.0906 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\CdaC15BA.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:11.0906 2240 Cap7134 ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:11.0906 2240 Cap7134 - detected Backdoor.Multi.ZAccess.gen (0)
20:43:11.0984 2240 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
20:43:12.0078 2240 cbidf2k - ok
20:43:12.0109 2240 ccevtmgr - ok
20:43:12.0125 2240 cd20xrnt - ok
20:43:12.0125 2240 CdaD10BA - ok
20:43:12.0140 2240 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
20:43:12.0234 2240 Cdaudio - ok
20:43:12.0328 2240 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
20:43:12.0437 2240 Cdfs - ok
20:43:12.0531 2240 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
20:43:12.0625 2240 Cdrom - ok
20:43:12.0656 2240 Changer (daf1a8193b6caf0fb858cadcc5c4af4a) C:\WINDOWS\system32\drivers\Changer.sys
20:43:12.0750 2240 Changer - ok
20:43:12.0796 2240 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
20:43:12.0875 2240 CiSvc - ok
20:43:12.0937 2240 CLBStor (0252b4007a8f3a6cc61220cbe122544d) C:\WINDOWS\system32\drivers\CLBStor.sys
20:43:12.0953 2240 CLBStor - ok
20:43:13.0000 2240 CLBUDF (dc705765a170f7bd8af3632c93b03f0b) C:\WINDOWS\system32\drivers\CLBUDF.sys
20:43:13.0015 2240 CLBUDF - ok
20:43:13.0015 2240 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
20:43:13.0125 2240 ClipSrv - ok
20:43:13.0203 2240 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
20:43:13.0218 2240 clr_optimization_v2.0.50727_32 - ok
20:43:13.0281 2240 cmbatt (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\swwd.dll
20:43:13.0296 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\swwd.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:13.0296 2240 cmbatt ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:13.0296 2240 cmbatt - detected Backdoor.Multi.ZAccess.gen (0)
20:43:13.0296 2240 CmdIde - ok
20:43:13.0312 2240 CoachUsb - ok
20:43:13.0312 2240 commserver - ok
20:43:13.0328 2240 COMSysApp - ok
20:43:13.0328 2240 Cpqarray - ok
20:43:13.0421 2240 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
20:43:13.0421 2240 cpudrv - ok
20:43:13.0484 2240 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
20:43:13.0562 2240 CryptSvc - ok
20:43:13.0609 2240 ctprxy2k (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\fsdfwd.dll
20:43:13.0609 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\fsdfwd.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:13.0609 2240 ctprxy2k ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:13.0609 2240 ctprxy2k - detected Backdoor.Multi.ZAccess.gen (0)
20:43:13.0703 2240 curtainssyssvc (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\imountsrv.dll
20:43:13.0703 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\imountsrv.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:13.0703 2240 curtainssyssvc ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:13.0703 2240 curtainssyssvc - detected Backdoor.Multi.ZAccess.gen (0)
20:43:13.0781 2240 CXAVXBAR (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\PQNTDrv.dll
20:43:13.0796 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\PQNTDrv.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:13.0796 2240 CXAVXBAR ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:13.0796 2240 CXAVXBAR - detected Backdoor.Multi.ZAccess.gen (0)
20:43:13.0796 2240 cygserver - ok
20:43:13.0796 2240 dac2w2k - ok
20:43:13.0812 2240 dac960nt - ok
20:43:13.0812 2240 DC21x4 - ok
20:43:13.0890 2240 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
20:43:13.0937 2240 DcomLaunch - ok
20:43:14.0015 2240 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
20:43:14.0109 2240 Dhcp - ok
20:43:14.0171 2240 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
20:43:14.0281 2240 Disk - ok
20:43:14.0328 2240 dladresn - ok
20:43:14.0328 2240 dmadmin - ok
20:43:14.0437 2240 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
20:43:14.0562 2240 dmboot - ok
20:43:14.0609 2240 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
20:43:14.0718 2240 dmio - ok
20:43:14.0765 2240 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
20:43:14.0859 2240 dmload - ok
20:43:15.0156 2240 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
20:43:15.0250 2240 dmserver - ok
20:43:15.0312 2240 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
20:43:15.0406 2240 DMusic - ok
20:43:15.0468 2240 DNE (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\PNDIS5.dll
20:43:15.0500 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\PNDIS5.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:15.0500 2240 DNE ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:15.0500 2240 DNE - detected Backdoor.Multi.ZAccess.gen (0)
20:43:15.0562 2240 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
20:43:15.0609 2240 Dnscache - ok
20:43:15.0671 2240 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
20:43:15.0765 2240 Dot3svc - ok
20:43:15.0781 2240 dpti2o - ok
20:43:15.0828 2240 dptrackerd (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\aavmker4.dll
20:43:15.0859 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\aavmker4.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:15.0859 2240 dptrackerd ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:15.0859 2240 dptrackerd - detected Backdoor.Multi.ZAccess.gen (0)
20:43:15.0890 2240 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
20:43:15.0984 2240 drmkaud - ok
20:43:16.0062 2240 DS1410D (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\amdagp.dll
20:43:16.0171 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\amdagp.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:16.0171 2240 DS1410D ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:16.0171 2240 DS1410D - detected Backdoor.Multi.ZAccess.gen (0)
20:43:16.0203 2240 EACSvrMngr - ok
20:43:16.0281 2240 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
20:43:16.0375 2240 EapHost - ok
20:43:16.0437 2240 EL90X - ok
20:43:16.0500 2240 eloggersvc6 (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\logonsvcid.dll
20:43:16.0515 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\logonsvcid.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:16.0515 2240 eloggersvc6 ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:16.0515 2240 eloggersvc6 - detected Backdoor.Multi.ZAccess.gen (0)
20:43:16.0562 2240 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
20:43:16.0656 2240 ERSvc - ok
20:43:16.0781 2240 esgiguard (2407b8164e966755bc6a4242fc9de31e) C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys
20:43:16.0796 2240 esgiguard - ok
20:43:16.0796 2240 EU3_USB - ok
20:43:16.0859 2240 EUSBMSD (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\ZSMC301b.dll
20:43:16.0859 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\ZSMC301b.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:16.0859 2240 EUSBMSD ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:16.0859 2240 EUSBMSD - detected Backdoor.Multi.ZAccess.gen (0)
20:43:16.0906 2240 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
20:43:16.0953 2240 Eventlog - ok
20:43:17.0000 2240 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
20:43:17.0046 2240 EventSystem - ok
20:43:17.0156 2240 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
20:43:17.0250 2240 Fastfat - ok
20:43:17.0328 2240 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
20:43:17.0359 2240 FastUserSwitchingCompatibility - ok
20:43:17.0437 2240 FaxTalk FaxCenter Pro 8 (18ef9f53f127b8758b257117983df520) C:\Program Files\FaxTalk\FTmsgsvc.exe
20:43:17.0453 2240 FaxTalk FaxCenter Pro 8 - ok
20:43:17.0484 2240 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
20:43:17.0578 2240 Fdc - ok
20:43:17.0593 2240 FINEPIX_PCC - ok
20:43:17.0625 2240 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
20:43:17.0734 2240 Fips - ok
20:43:17.0765 2240 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
20:43:17.0843 2240 Flpydisk - ok
20:43:17.0890 2240 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
20:43:17.0968 2240 FltMgr - ok
20:43:18.0140 2240 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
20:43:18.0156 2240 FontCache3.0.0.0 - ok
20:43:18.0218 2240 forcewarewebinterface (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\VRADFIL.dll
20:43:18.0218 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\VRADFIL.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:18.0218 2240 forcewarewebinterface ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:18.0218 2240 forcewarewebinterface - detected Backdoor.Multi.ZAccess.gen (0)
20:43:18.0265 2240 fsaa - ok
20:43:18.0296 2240 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:43:18.0406 2240 Fs_Rec - ok
20:43:18.0453 2240 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:43:18.0546 2240 Ftdisk - ok
20:43:18.0625 2240 fuj02b1 (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\zpnodecollector.dll
20:43:18.0625 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\zpnodecollector.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:18.0625 2240 fuj02b1 ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:18.0625 2240 fuj02b1 - detected Backdoor.Multi.ZAccess.gen (0)
20:43:18.0687 2240 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
20:43:18.0687 2240 GEARAspiWDM - ok
20:43:18.0750 2240 generichidservice (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\purgeieservice.dll
20:43:18.0765 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\purgeieservice.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:18.0765 2240 generichidservice ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:18.0765 2240 generichidservice - detected Backdoor.Multi.ZAccess.gen (0)
20:43:18.0765 2240 getPlusHelper - ok
20:43:18.0781 2240 giveio - ok
20:43:18.0843 2240 GoProto (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\ikfileflt.dll
20:43:18.0843 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\ikfileflt.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:18.0843 2240 GoProto ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:18.0843 2240 GoProto - detected Backdoor.Multi.ZAccess.gen (0)
20:43:18.0890 2240 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:43:18.0984 2240 Gpc - ok
20:43:19.0156 2240 gupdate (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
20:43:19.0171 2240 gupdate - ok
20:43:19.0187 2240 gupdatem (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
20:43:19.0203 2240 gupdatem - ok
20:43:19.0328 2240 ham50 (575976cd9f6a60be788f8aebaef44ae5) C:\WINDOWS\system32\DRIVERS\IntelH51.sys
20:43:19.0359 2240 ham50 ( UnsignedFile.Multi.Generic ) - warning
20:43:19.0359 2240 ham50 - detected UnsignedFile.Multi.Generic (1)
20:43:19.0375 2240 hap16v2k - ok
20:43:19.0406 2240 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
20:43:19.0500 2240 HDAudBus - ok
20:43:19.0531 2240 helpsvc - ok
20:43:19.0546 2240 HidServ - ok
20:43:19.0609 2240 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
20:43:19.0703 2240 hkmsvc - ok
20:43:19.0703 2240 hpn - ok
20:43:19.0765 2240 HSFHWBS2 (6312dc46356df3974e88aa51b69360dc) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
20:43:19.0812 2240 HSFHWBS2 - ok
20:43:19.0859 2240 HSF_DPV (daab917eec9849840a13353198d48cc5) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
20:43:19.0906 2240 HSF_DPV - ok
20:43:20.0015 2240 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
20:43:20.0062 2240 HTTP - ok
20:43:20.0125 2240 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
20:43:20.0234 2240 HTTPFilter - ok
20:43:20.0296 2240 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys
20:43:20.0375 2240 i2omgmt - ok
20:43:20.0375 2240 i2omp - ok
20:43:20.0421 2240 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:43:20.0531 2240 i8042prt - ok
20:43:20.0531 2240 icdsptsv - ok
20:43:20.0687 2240 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
20:43:20.0718 2240 idsvc - ok
20:43:20.0828 2240 ikfileflt (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\us30service.dll
20:43:20.0843 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\us30service.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:20.0843 2240 ikfileflt ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:20.0843 2240 ikfileflt - detected Backdoor.Multi.ZAccess.gen (0)
20:43:20.0921 2240 imap4d32 (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\ino_flpy.dll
20:43:20.0921 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\ino_flpy.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:20.0921 2240 imap4d32 ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:20.0921 2240 imap4d32 - detected Backdoor.Multi.ZAccess.gen (0)
20:43:20.0968 2240 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:43:21.0046 2240 Imapi - ok
20:43:21.0125 2240 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
20:43:21.0203 2240 ImapiService - ok
20:43:21.0281 2240 infrastructure (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\cvintdrv.dll
20:43:21.0281 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\cvintdrv.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:21.0281 2240 infrastructure ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:21.0281 2240 infrastructure - detected Backdoor.Multi.ZAccess.gen (0)
20:43:21.0296 2240 ini910u - ok
20:43:21.0296 2240 int15 - ok
20:43:21.0515 2240 IntcAzAudAddService (718f495096df8d94fb66c9c962646372) C:\WINDOWS\system32\drivers\RtkHDAud.sys
20:43:21.0750 2240 IntcAzAudAddService - ok
20:43:21.0765 2240 IntelIde - ok
20:43:21.0843 2240 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
20:43:21.0921 2240 intelppm - ok
20:43:21.0937 2240 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
20:43:22.0031 2240 Ip6Fw - ok
20:43:22.0046 2240 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:43:22.0156 2240 IpFilterDriver - ok
20:43:22.0156 2240 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:43:22.0250 2240 IpInIp - ok
20:43:22.0296 2240 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:43:22.0390 2240 IpNat - ok
20:43:22.0531 2240 iPod Service (3a6d4d8abacf64292d060c9e06d2050d) C:\Program Files\iPod\bin\iPodService.exe
20:43:22.0546 2240 iPod Service - ok
20:43:22.0609 2240 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:43:22.0718 2240 IPSec - ok
20:43:22.0765 2240 ipsraidn (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\viagfx.dll
20:43:22.0765 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\viagfx.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:22.0765 2240 ipsraidn ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:22.0765 2240 ipsraidn - detected Backdoor.Multi.ZAccess.gen (0)
20:43:22.0781 2240 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:43:22.0828 2240 IRENUM - ok
20:43:22.0859 2240 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:43:22.0953 2240 isapnp - ok
20:43:23.0015 2240 iviregmgr (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\MpFilter.dll
20:43:23.0015 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\MpFilter.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:23.0015 2240 iviregmgr ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:23.0015 2240 iviregmgr - detected Backdoor.Multi.ZAccess.gen (0)
20:43:23.0078 2240 IWCA (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\btwavdt.dll
20:43:23.0078 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\btwavdt.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:23.0078 2240 IWCA ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:23.0078 2240 IWCA - detected Backdoor.Multi.ZAccess.gen (0)
20:43:23.0156 2240 JavaQuickStarterService (381b25dc8e958d905b33130d500bbf29) C:\Program Files\Java\jre6\bin\jqs.exe
20:43:23.0171 2240 JavaQuickStarterService - ok
20:43:23.0250 2240 JGOGO (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\pml.dll
20:43:23.0265 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\pml.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:23.0265 2240 JGOGO ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:23.0265 2240 JGOGO - detected Backdoor.Multi.ZAccess.gen (0)
20:43:23.0312 2240 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:43:23.0390 2240 Kbdclass - ok
20:43:23.0437 2240 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
20:43:23.0531 2240 kmixer - ok
20:43:23.0609 2240 kodakccs (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\iaimfp0.dll
20:43:23.0609 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\iaimfp0.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:23.0609 2240 kodakccs ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:23.0609 2240 kodakccs - detected Backdoor.Multi.ZAccess.gen (0)
20:43:23.0625 2240 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
20:43:23.0656 2240 KSecDD - ok
20:43:23.0718 2240 l8042pr2 (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\tpkmpsvc.dll
20:43:23.0718 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\tpkmpsvc.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:23.0718 2240 l8042pr2 ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:23.0718 2240 l8042pr2 - detected Backdoor.Multi.ZAccess.gen (0)
20:43:23.0765 2240 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
20:43:23.0796 2240 lanmanserver - ok
20:43:23.0828 2240 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
20:43:23.0828 2240 lanmanworkstation - ok
20:43:23.0890 2240 lbrtfdc (cc50a66548c2f285bc8a7b0b8aa578e3) C:\WINDOWS\system32\drivers\lbrtfdc.sys
20:43:23.0968 2240 lbrtfdc - ok
20:43:24.0031 2240 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
20:43:24.0109 2240 LmHosts - ok
20:43:24.0171 2240 lxbs_device (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\SrvcSSIOMngr.dll
20:43:24.0234 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\SrvcSSIOMngr.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:24.0234 2240 lxbs_device ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:24.0234 2240 lxbs_device - detected Backdoor.Multi.ZAccess.gen (0)
20:43:24.0281 2240 lxce_device (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\cicsclient.dll
20:43:24.0296 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\cicsclient.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:24.0296 2240 lxce_device ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:24.0296 2240 lxce_device - detected Backdoor.Multi.ZAccess.gen (0)
20:43:24.0359 2240 lxct_device (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\st330service.dll
20:43:24.0375 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\st330service.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:24.0375 2240 lxct_device ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:24.0375 2240 lxct_device - detected Backdoor.Multi.ZAccess.gen (0)
20:43:24.0375 2240 lxrsge10s - ok
20:43:24.0531 2240 MatSvc (0cf633a54c681c65297c63106c4bc376) C:\Program Files\Microsoft Fix it Center\Matsvc.exe
20:43:24.0546 2240 MatSvc - ok
20:43:24.0578 2240 MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) C:\WINDOWS\system32\drivers\mbam.sys
20:43:24.0593 2240 MBAMProtector - ok
20:43:24.0656 2240 MBAMService (ba400ed640bca1eae5c727ae17c10207) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
20:43:24.0687 2240 MBAMService - ok
20:43:24.0796 2240 McComponentHostService (f453d1e6d881e8f8717e20ccd4199e85) C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
20:43:24.0812 2240 McComponentHostService - ok
20:43:24.0921 2240 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
20:43:24.0953 2240 mdmxsdk - ok
20:43:25.0031 2240 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
20:43:25.0125 2240 Messenger - ok
20:43:25.0140 2240 mf - ok
20:43:25.0187 2240 mi-raysat_3dsMax2008_32 (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\W8335XP.dll
20:43:25.0203 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\W8335XP.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:25.0203 2240 mi-raysat_3dsMax2008_32 ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:25.0203 2240 mi-raysat_3dsMax2008_32 - detected Backdoor.Multi.ZAccess.gen (0)
20:43:25.0203 2240 mindrepair - ok
20:43:25.0265 2240 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
20:43:25.0359 2240 mnmdd - ok
20:43:25.0406 2240 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
20:43:25.0515 2240 mnmsrvc - ok
20:43:25.0546 2240 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
20:43:25.0656 2240 Modem - ok
20:43:25.0703 2240 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
20:43:25.0796 2240 MODEMCSA - ok
20:43:25.0875 2240 Monfilt (c7d9f9717916b34c1b00dd4834af485c) C:\WINDOWS\system32\drivers\Monfilt.sys
20:43:25.0921 2240 Monfilt - ok
20:43:25.0953 2240 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:43:26.0046 2240 Mouclass - ok
20:43:26.0062 2240 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
20:43:26.0171 2240 MountMgr - ok
20:43:26.0171 2240 MR97310_USB_DUAL_CAMERA - ok
20:43:26.0187 2240 mraid35x - ok
20:43:26.0187 2240 MRV6X32P - ok
20:43:26.0218 2240 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:43:26.0312 2240 MRxDAV - ok
20:43:26.0421 2240 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:43:26.0453 2240 MRxSmb - ok
20:43:26.0484 2240 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
20:43:26.0562 2240 MSDTC - ok
20:43:26.0578 2240 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
20:43:26.0671 2240 Msfs - ok
20:43:26.0687 2240 MSICPL - ok
20:43:26.0687 2240 MSIServer - ok
20:43:26.0703 2240 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:43:26.0781 2240 MSKSSRV - ok
20:43:26.0843 2240 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:43:26.0921 2240 MSPCLOCK - ok
20:43:26.0937 2240 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
20:43:27.0015 2240 MSPQM - ok
20:43:27.0078 2240 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:43:27.0156 2240 mssmbios - ok
20:43:27.0234 2240 mssql$sqlexpress (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\tap0901.dll
20:43:27.0234 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\tap0901.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:27.0234 2240 mssql$sqlexpress ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:27.0234 2240 mssql$sqlexpress - detected Backdoor.Multi.ZAccess.gen (0)
20:43:27.0281 2240 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
20:43:27.0312 2240 Mup - ok
20:43:27.0312 2240 Mvc25U870_VID_1262&PID_25FD - ok
20:43:27.0359 2240 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
20:43:27.0437 2240 napagent - ok
20:43:27.0500 2240 navapel (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\ndassvc.dll
20:43:27.0500 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\ndassvc.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:27.0515 2240 navapel ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:27.0515 2240 navapel - detected Backdoor.Multi.ZAccess.gen (0)
20:43:27.0578 2240 nchssvad (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\k750mdfl.dll
20:43:27.0578 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\k750mdfl.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:27.0578 2240 nchssvad ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:27.0578 2240 nchssvad - detected Backdoor.Multi.ZAccess.gen (0)
20:43:27.0593 2240 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
20:43:27.0687 2240 NDIS - ok
20:43:27.0734 2240 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:43:27.0765 2240 NdisTapi - ok
20:43:27.0796 2240 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:43:27.0875 2240 Ndisuio - ok
20:43:27.0875 2240 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:43:27.0984 2240 NdisWan - ok
20:43:28.0015 2240 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
20:43:28.0015 2240 NDProxy - ok
20:43:28.0046 2240 NeroMediaHomeService.4 (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\UsbserFilt.dll
20:43:28.0062 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\UsbserFilt.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:28.0062 2240 NeroMediaHomeService.4 ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:28.0062 2240 NeroMediaHomeService.4 - detected Backdoor.Multi.ZAccess.gen (0)
20:43:28.0062 2240 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:43:28.0171 2240 NetBIOS - ok
20:43:28.0203 2240 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:43:28.0312 2240 NetBT - ok
20:43:28.0328 2240 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
20:43:28.0421 2240 NetDDE - ok
20:43:28.0437 2240 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
20:43:28.0515 2240 NetDDEdsdm - ok
20:43:28.0562 2240 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
20:43:28.0656 2240 Netlogon - ok
20:43:28.0703 2240 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
20:43:28.0812 2240 Netman - ok
20:43:29.0000 2240 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
20:43:29.0000 2240 NetTcpPortSharing - ok
20:43:29.0046 2240 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
20:43:29.0156 2240 NIC1394 - ok
20:43:29.0234 2240 nicconfigsvc (9c454cd857b4c0ccf7a614b047616503) C:\WINDOWS\system32\SimpTcp.dll
20:43:29.0328 2240 nicconfigsvc - ok
20:43:29.0406 2240 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
20:43:29.0437 2240 Nla - ok
20:43:29.0531 2240 NMSCFG (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\kbdclass.dll
20:43:29.0562 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\kbdclass.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:29.0562 2240 NMSCFG ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:29.0562 2240 NMSCFG - detected Backdoor.Multi.ZAccess.gen (0)
20:43:29.0625 2240 nmwcd (f6c40e0a565ee3ce5aeeb325e10054f2) C:\WINDOWS\system32\drivers\ccdcmb.sys
20:43:29.0703 2240 nmwcd - ok
20:43:29.0734 2240 nmwcdc (2a394e9e1fa3565e4b2fea470ffe4d6b) C:\WINDOWS\system32\drivers\ccdcmbo.sys
20:43:29.0796 2240 nmwcdc - ok
20:43:29.0828 2240 nmwcdnsu (99b224f8026cb534724aa3c408561e45) C:\WINDOWS\system32\drivers\nmwcdnsu.sys
20:43:29.0906 2240 nmwcdnsu - ok
20:43:29.0921 2240 nmwcdnsuc (d23257682d349a5e2e4507ed33decc16) C:\WINDOWS\system32\drivers\nmwcdnsuc.sys
20:43:30.0000 2240 nmwcdnsuc - ok
20:43:30.0046 2240 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
20:43:30.0156 2240 Npfs - ok
20:43:30.0218 2240 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
20:43:30.0328 2240 Ntfs - ok
20:43:30.0406 2240 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
20:43:30.0484 2240 NtLmSsp - ok
20:43:30.0531 2240 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
20:43:30.0640 2240 NtmsSvc - ok
20:43:30.0750 2240 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:43:30.0843 2240 Null - ok
20:43:31.0109 2240 nv (ceab17ba3e0f7de96a4649f896b35131) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
20:43:31.0328 2240 nv ( UnsignedFile.Multi.Generic ) - warning
20:43:31.0328 2240 nv - detected UnsignedFile.Multi.Generic (1)
20:43:31.0390 2240 NVR0FLASHDev (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\MA8032M.dll
20:43:31.0390 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\MA8032M.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:31.0390 2240 NVR0FLASHDev ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:31.0390 2240 NVR0FLASHDev - detected Backdoor.Multi.ZAccess.gen (0)
20:43:31.0468 2240 NVSvc (df6fd57d6807ae459b3463fbfda02d49) C:\WINDOWS\system32\nvsvc32.exe
20:43:31.0484 2240 NVSvc ( UnsignedFile.Multi.Generic ) - warning
20:43:31.0484 2240 NVSvc - detected UnsignedFile.Multi.Generic (1)
20:43:31.0500 2240 NWHOST - ok
20:43:31.0578 2240 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:43:31.0687 2240 NwlnkFlt - ok
20:43:31.0687 2240 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:43:31.0765 2240 NwlnkFwd - ok
20:43:31.0843 2240 NWSIPX32 (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\SGIR.dll
20:43:31.0843 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\SGIR.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:31.0843 2240 NWSIPX32 ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:31.0843 2240 NWSIPX32 - detected Backdoor.Multi.ZAccess.gen (0)
20:43:31.0875 2240 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
20:43:31.0968 2240 ohci1394 - ok
20:43:31.0968 2240 omci - ok
20:43:32.0046 2240 omniusb (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\ZuneBusEnum.dll
20:43:32.0046 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\ZuneBusEnum.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:32.0046 2240 omniusb ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:32.0046 2240 omniusb - detected Backdoor.Multi.ZAccess.gen (0)
20:43:32.0125 2240 ood2000 (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\mouhid.dll
20:43:32.0125 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\mouhid.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:32.0125 2240 ood2000 ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:32.0125 2240 ood2000 - detected Backdoor.Multi.ZAccess.gen (0)
20:43:32.0156 2240 osanbm (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\O2SCBUS.dll
20:43:32.0156 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\O2SCBUS.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:32.0156 2240 osanbm ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:32.0156 2240 osanbm - detected Backdoor.Multi.ZAccess.gen (0)
20:43:32.0281 2240 ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
20:43:32.0281 2240 ose - ok
20:43:32.0359 2240 Packet (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\HPFXBULK.dll
20:43:32.0359 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\HPFXBULK.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:32.0359 2240 Packet ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:32.0359 2240 Packet - detected Backdoor.Multi.ZAccess.gen (0)
20:43:32.0406 2240 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
20:43:32.0500 2240 Parport - ok
20:43:32.0609 2240 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
20:43:32.0703 2240 PartMgr - ok
20:43:32.0781 2240 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
20:43:32.0875 2240 ParVdm - ok
20:43:32.0937 2240 pav_service (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\tmmbd.dll
20:43:32.0937 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\tmmbd.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:32.0937 2240 pav_service ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:32.0937 2240 pav_service - detected Backdoor.Multi.ZAccess.gen (0)
20:43:33.0015 2240 pca (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\adsexpb.dll
20:43:33.0015 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\adsexpb.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:33.0015 2240 pca ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:33.0015 2240 pca - detected Backdoor.Multi.ZAccess.gen (0)
20:43:33.0078 2240 pccsmcfd (fd2041e9ba03db7764b2248f02475079) C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys
20:43:33.0109 2240 pccsmcfd - ok
20:43:33.0140 2240 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
20:43:33.0250 2240 PCI - ok
20:43:33.0281 2240 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
20:43:33.0375 2240 PCIIde - ok
20:43:33.0406 2240 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
20:43:33.0500 2240 Pcmcia - ok
20:43:33.0515 2240 pdlndldl - ok
20:43:33.0546 2240 pdlnepkt (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\pctfw1.dll
20:43:33.0546 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\pctfw1.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:33.0546 2240 pdlnepkt ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:33.0546 2240 pdlnepkt - detected Backdoor.Multi.ZAccess.gen (0)
20:43:33.0546 2240 perc2 - ok
20:43:33.0562 2240 perc2hib - ok
20:43:33.0578 2240 pgpsdkservice - ok
20:43:33.0640 2240 PGPwded (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\ni_nic.dll
20:43:33.0750 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\ni_nic.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:33.0750 2240 PGPwded ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:33.0750 2240 PGPwded - detected Backdoor.Multi.ZAccess.gen (0)
20:43:33.0750 2240 pktfilter - ok
20:43:33.0812 2240 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
20:43:33.0828 2240 PlugPlay - ok
20:43:33.0859 2240 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
20:43:33.0937 2240 PolicyAgent - ok
20:43:34.0000 2240 pop3d32 (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\diskperf.dll
20:43:34.0015 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\diskperf.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:34.0015 2240 pop3d32 ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:34.0015 2240 pop3d32 - detected Backdoor.Multi.ZAccess.gen (0)
20:43:34.0078 2240 ppped (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\wdelmgr20.dll
20:43:34.0093 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\wdelmgr20.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:34.0093 2240 ppped ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:34.0093 2240 ppped - detected Backdoor.Multi.ZAccess.gen (0)
20:43:34.0140 2240 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:43:34.0234 2240 PptpMiniport - ok
20:43:34.0328 2240 prism_a02 (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\fasttrackinstallerservice.dll
20:43:34.0343 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\fasttrackinstallerservice.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:34.0343 2240 prism_a02 ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:34.0343 2240 prism_a02 - detected Backdoor.Multi.ZAccess.gen (0)
20:43:34.0343 2240 procexp100 - ok
20:43:34.0359 2240 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
20:43:34.0437 2240 ProtectedStorage - ok
20:43:34.0437 2240 protectionservice - ok
20:43:34.0484 2240 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
20:43:34.0578 2240 PSched - ok
20:43:34.0640 2240 pshost (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\ICM10USB.dll
20:43:34.0656 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\ICM10USB.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:34.0656 2240 pshost ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:34.0656 2240 pshost - detected Backdoor.Multi.ZAccess.gen (0)
20:43:34.0656 2240 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:43:34.0765 2240 Ptilink - ok
20:43:34.0765 2240 ql1080 - ok
20:43:34.0765 2240 Ql10wnt - ok
20:43:34.0781 2240 ql12160 - ok
20:43:34.0781 2240 ql1240 - ok
20:43:34.0796 2240 ql1280 - ok
20:43:34.0859 2240 ql2100 (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\trackcam4.dll
20:43:34.0875 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\trackcam4.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:34.0875 2240 ql2100 ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:34.0875 2240 ql2100 - detected Backdoor.Multi.ZAccess.gen (0)
20:43:34.0953 2240 QWAVEDRV (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\eeyeevnt.dll
20:43:34.0953 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\eeyeevnt.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:34.0953 2240 QWAVEDRV ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:34.0953 2240 QWAVEDRV - detected Backdoor.Multi.ZAccess.gen (0)
20:43:35.0015 2240 RalinkRegistryWriter (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\se2Bunic.dll
20:43:35.0031 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\se2Bunic.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:35.0031 2240 RalinkRegistryWriter ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:35.0031 2240 RalinkRegistryWriter - detected Backdoor.Multi.ZAccess.gen (0)
20:43:35.0203 2240 RapportCerberus_34302 (6b6f0a77365667912360ff1d5e984f25) C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys
20:43:35.0218 2240 RapportCerberus_34302 - ok
20:43:35.0328 2240 RapportEI (43b9aa1423bf54367c5a3de1559780e8) C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
20:43:35.0328 2240 RapportEI - ok
20:43:35.0437 2240 RapportIaso (dd3e4610de9252a957c5bd19bdf47ac4) c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\rapportiaso.sys
20:43:35.0453 2240 RapportIaso - ok
20:43:35.0468 2240 RapportKELL (118600ab8f15fe27f2c865f3fb4efa58) C:\WINDOWS\system32\Drivers\RapportKELL.sys
20:43:35.0484 2240 RapportKELL - ok
20:43:35.0531 2240 RapportMgmtService (d9ef54568fafcb4be4637068e768409a) C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
20:43:35.0562 2240 RapportMgmtService - ok
20:43:35.0609 2240 RapportPG (4af05a67b643a5190dfcbb793273e0bc) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
20:43:35.0625 2240 RapportPG - ok
20:43:35.0656 2240 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:43:35.0734 2240 RasAcd - ok
20:43:35.0796 2240 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
20:43:35.0890 2240 RasAuto - ok
20:43:35.0953 2240 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:43:36.0046 2240 Rasl2tp - ok
20:43:36.0109 2240 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
20:43:36.0187 2240 RasMan - ok
20:43:36.0296 2240 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:43:36.0390 2240 RasPppoe - ok
20:43:36.0484 2240 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
20:43:36.0578 2240 Raspti - ok
20:43:36.0609 2240 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:43:36.0687 2240 Rdbss - ok
20:43:36.0718 2240 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:43:36.0812 2240 RDPCDD - ok
20:43:36.0875 2240 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
20:43:36.0984 2240 rdpdr - ok
20:43:37.0046 2240 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
20:43:37.0078 2240 RDPWD - ok
20:43:37.0109 2240 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
20:43:37.0203 2240 RDSessMgr - ok
20:43:37.0515 2240 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:43:37.0640 2240 redbook - ok
20:43:38.0171 2240 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
20:43:38.0281 2240 RemoteAccess - ok
20:43:38.0796 2240 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
20:43:38.0921 2240 RemoteRegistry - ok
20:43:38.0984 2240 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
20:43:39.0078 2240 RFCOMM - ok
20:43:39.0312 2240 RichVideo (4d05898896ec49cf663dda61041ab096) C:\Program Files\CyberLink\Shared Files\RichVideo.exe
20:43:39.0328 2240 RichVideo - ok
20:43:39.0328 2240 roxmediadb - ok
20:43:39.0406 2240 roxmediadb9 (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\bdfdll.dll
20:43:39.0406 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\bdfdll.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:39.0406 2240 roxmediadb9 ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:39.0406 2240 roxmediadb9 - detected Backdoor.Multi.ZAccess.gen (0)
20:43:39.0453 2240 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe

osjknights
2012-04-22, 21:53
I had to cut it into two, as it was too long for a reply.

Second half:

20:43:39.0531 2240 RpcLocator - ok
20:43:39.0593 2240 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
20:43:39.0609 2240 RpcSs - ok
20:43:39.0671 2240 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
20:43:39.0750 2240 RSVP - ok
20:43:39.0843 2240 rtl8023 (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\ini910u.dll
20:43:39.0843 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\ini910u.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:39.0843 2240 rtl8023 ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:39.0843 2240 rtl8023 - detected Backdoor.Multi.ZAccess.gen (0)
20:43:39.0906 2240 RTL8023xp (69ee1e8dc0c750a5d03739e6e9429959) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
20:43:39.0937 2240 RTL8023xp ( UnsignedFile.Multi.Generic ) - warning
20:43:39.0937 2240 RTL8023xp - detected UnsignedFile.Multi.Generic (1)
20:43:40.0000 2240 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
20:43:40.0078 2240 rtl8139 - ok
20:43:40.0140 2240 RTL8169 (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\lxcgcustomerconnect.dll
20:43:40.0156 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\lxcgcustomerconnect.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:40.0156 2240 RTL8169 ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:40.0156 2240 RTL8169 - detected Backdoor.Multi.ZAccess.gen (0)
20:43:40.0234 2240 s716nd5 (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\SWUMX51.dll
20:43:40.0234 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\SWUMX51.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:40.0234 2240 s716nd5 ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:40.0234 2240 s716nd5 - detected Backdoor.Multi.ZAccess.gen (0)
20:43:40.0343 2240 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
20:43:40.0421 2240 SamSs - ok
20:43:40.0515 2240 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
20:43:40.0531 2240 SASDIFSV - ok
20:43:40.0531 2240 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
20:43:40.0546 2240 SASKUTIL - ok
20:43:40.0625 2240 savrt (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\ose.dll
20:43:40.0625 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\ose.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:40.0625 2240 savrt ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:40.0625 2240 savrt - detected Backdoor.Multi.ZAccess.gen (0)
20:43:40.0687 2240 scan (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\ntuneservice.dll
20:43:40.0687 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\ntuneservice.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:40.0687 2240 scan ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:40.0687 2240 scan - detected Backdoor.Multi.ZAccess.gen (0)
20:43:40.0718 2240 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
20:43:40.0812 2240 SCardSvr - ok
20:43:40.0875 2240 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
20:43:40.0968 2240 Schedule - ok
20:43:41.0046 2240 scsiaccess (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\RMSvc.dll
20:43:41.0046 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\RMSvc.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:41.0046 2240 scsiaccess ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:41.0046 2240 scsiaccess - detected Backdoor.Multi.ZAccess.gen (0)
20:43:41.0234 2240 SdReadSpool (b9443470baae569d9a3fabbfeb35c4e7) C:\Program Files\SolidDocuments\SolidPDFCreator\SPC\SolidPdfService.exe
20:43:41.0250 2240 SdReadSpool - ok
20:43:41.0359 2240 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:43:41.0421 2240 Secdrv - ok
20:43:41.0515 2240 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
20:43:41.0609 2240 seclogon - ok
20:43:41.0687 2240 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\System32\sens.dll
20:43:41.0765 2240 SENS - ok
20:43:41.0796 2240 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
20:43:41.0890 2240 Serial - ok
20:43:41.0953 2240 service1 (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\{95808DC4-FA4A-4c74-92FE-5B863F82066B}.dll
20:43:41.0953 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\{95808DC4-FA4A-4c74-92FE-5B863F82066B}.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:41.0953 2240 service1 ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:41.0953 2240 service1 - detected Backdoor.Multi.ZAccess.gen (0)
20:43:42.0046 2240 ServiceLayer (f31e9531af225ca25350d5e87e999b31) C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
20:43:42.0078 2240 ServiceLayer - ok
20:43:42.0156 2240 SfCtlCom - ok
20:43:42.0234 2240 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
20:43:42.0328 2240 Sfloppy - ok
20:43:42.0421 2240 sfsync02 (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\rp_fws.dll
20:43:42.0421 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\rp_fws.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:42.0421 2240 sfsync02 ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:42.0421 2240 sfsync02 - detected Backdoor.Multi.ZAccess.gen (0)
20:43:42.0437 2240 sfsync04 - ok
20:43:42.0515 2240 SGHIDI (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\CAMFLT.dll
20:43:42.0515 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\CAMFLT.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:42.0515 2240 SGHIDI ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:42.0515 2240 SGHIDI - detected Backdoor.Multi.ZAccess.gen (0)
20:43:42.0562 2240 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
20:43:42.0671 2240 SharedAccess - ok
20:43:42.0718 2240 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
20:43:42.0734 2240 ShellHWDetection - ok
20:43:42.0796 2240 Si3114r5 (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\ctljystk.dll
20:43:42.0859 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\ctljystk.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:42.0859 2240 Si3114r5 ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:42.0859 2240 Si3114r5 - detected Backdoor.Multi.ZAccess.gen (0)
20:43:42.0875 2240 Simbad - ok
20:43:42.0921 2240 SimpTcp (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\ppmoucls.dll
20:43:42.0984 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\ppmoucls.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:42.0984 2240 SimpTcp ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:42.0984 2240 SimpTcp - detected Backdoor.Multi.ZAccess.gen (0)
20:43:43.0000 2240 SiRemFil - ok
20:43:43.0000 2240 smservaz - ok
20:43:43.0078 2240 smstsmgr (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\Subsonic.dll
20:43:43.0109 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\Subsonic.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:43.0109 2240 smstsmgr ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:43.0109 2240 smstsmgr - detected Backdoor.Multi.ZAccess.gen (0)
20:43:43.0140 2240 softfax - ok
20:43:43.0171 2240 Sparrow - ok
20:43:43.0250 2240 spbbcsvc (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\SerTVOutCtlr.dll
20:43:43.0312 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\SerTVOutCtlr.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:43.0312 2240 spbbcsvc ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:43.0312 2240 spbbcsvc - detected Backdoor.Multi.ZAccess.gen (0)
20:43:43.0359 2240 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
20:43:43.0453 2240 splitter - ok
20:43:43.0531 2240 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
20:43:43.0546 2240 Spooler - ok
20:43:43.0671 2240 SpyHunter 4 Service (63f2b52947577dbb075fe646bc758a2f) C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
20:43:43.0687 2240 SpyHunter 4 Service - ok
20:43:43.0796 2240 SQLAgent$MICROSOFTBCM (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\askernel.dll
20:43:43.0796 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\askernel.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:43.0796 2240 SQLAgent$MICROSOFTBCM ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:43.0796 2240 SQLAgent$MICROSOFTBCM - detected Backdoor.Multi.ZAccess.gen (0)
20:43:43.0890 2240 sqlagent$pinnaclesys (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\xfactorae1.dll
20:43:43.0890 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\xfactorae1.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:43.0890 2240 sqlagent$pinnaclesys ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:43.0890 2240 sqlagent$pinnaclesys - detected Backdoor.Multi.ZAccess.gen (0)
20:43:43.0937 2240 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
20:43:44.0000 2240 sr - ok
20:43:44.0046 2240 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
20:43:44.0093 2240 srservice - ok
20:43:44.0171 2240 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
20:43:44.0203 2240 Srv - ok
20:43:44.0250 2240 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
20:43:44.0312 2240 SSDPSRV - ok
20:43:44.0343 2240 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
20:43:44.0437 2240 stisvc - ok
20:43:44.0546 2240 superproserver (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\TIEHDUSB.dll
20:43:44.0640 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\TIEHDUSB.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:44.0640 2240 superproserver ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:44.0640 2240 superproserver - detected Backdoor.Multi.ZAccess.gen (0)
20:43:44.0703 2240 surveyor (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\relational.dll
20:43:44.0703 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\relational.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:44.0718 2240 surveyor ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:44.0718 2240 surveyor - detected Backdoor.Multi.ZAccess.gen (0)
20:43:44.0796 2240 susbser (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\vstor2.dll
20:43:44.0812 2240 Suspicious file (NoAccess): C:\WINDOWS\system32\vstor2.dll. md5: 11028c6a84a967070cb1286550f2058f
20:43:44.0812 2240 susbser ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:44.0812 2240 susbser - detected Backdoor.Multi.ZAccess.gen (0)
20:43:44.0921 2240 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
20:43:44.0984 2240 swenum - ok
20:43:45.0062 2240 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
20:43:45.0156 2240 swmidi - ok
20:43:45.0156 2240 SwPrv - ok
20:43:45.0171 2240 symc810 - ok
20:43:45.0171 2240 symc8xx - ok
20:43:45.0187 2240 symdns - ok
20:43:45.0187 2240 sym_hi - ok
20:43:45.0203 2240 sym_u3 - ok
20:43:45.0234 2240 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
20:43:45.0343 2240 sysaudio - ok
20:43:45.0390 2240 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
20:43:45.0484 2240 SysmonLog - ok
20:43:45.0609 2240 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
20:43:45.0703 2240 TapiSrv - ok
20:43:45.0796 2240 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:43:45.0812 2240 Tcpip - ok
20:43:45.0859 2240 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
20:43:45.0953 2240 TDPIPE - ok
20:43:45.0968 2240 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
20:43:46.0078 2240 TDTCP - ok
20:43:46.0484 2240 TeamViewer (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\xpadminserver.dll
20:43:46.0484 2240 TeamViewer ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:46.0484 2240 TeamViewer - detected Backdoor.Multi.ZAccess.gen (0)
20:43:46.0765 2240 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
20:43:46.0875 2240 TermDD - ok
20:43:46.0921 2240 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
20:43:47.0015 2240 TermService - ok
20:43:47.0109 2240 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
20:43:47.0125 2240 Themes - ok
20:43:47.0250 2240 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
20:43:47.0296 2240 TlntSvr - ok
20:43:47.0343 2240 TosIde - ok
20:43:47.0437 2240 trackcam4 (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\bdfdll.dll
20:43:47.0437 2240 trackcam4 ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:47.0437 2240 trackcam4 - detected Backdoor.Multi.ZAccess.gen (0)
20:43:47.0531 2240 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
20:43:47.0625 2240 TrkWks - ok
20:43:47.0625 2240 trlokom_rmhsvc - ok
20:43:47.0687 2240 TSHWMDTCP (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\cq_mem.dll
20:43:47.0687 2240 TSHWMDTCP ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:47.0687 2240 TSHWMDTCP - detected Backdoor.Multi.ZAccess.gen (0)
20:43:47.0687 2240 U2SP - ok
20:43:47.0781 2240 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
20:43:47.0890 2240 Udfs - ok
20:43:47.0890 2240 ultra - ok
20:43:48.0046 2240 UnlockerDriver5 (bb879dcfd22926efbeb3298129898cbb) C:\Program Files\Unlocker\UnlockerDriver5.sys
20:43:48.0078 2240 UnlockerDriver5 ( UnsignedFile.Multi.Generic ) - warning
20:43:48.0078 2240 UnlockerDriver5 - detected UnsignedFile.Multi.Generic (1)
20:43:48.0140 2240 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
20:43:48.0250 2240 Update - ok
20:43:48.0281 2240 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
20:43:48.0328 2240 upnphost - ok
20:43:48.0437 2240 upperdev (47f5f9d837d80ffd5882a14db9da0a67) C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys
20:43:48.0515 2240 upperdev - ok
20:43:48.0531 2240 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
20:43:48.0625 2240 UPS - ok
20:43:48.0640 2240 upsentry_smart - ok
20:43:48.0687 2240 USA49W (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\lmimirr.dll
20:43:48.0687 2240 USA49W ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:48.0687 2240 USA49W - detected Backdoor.Multi.ZAccess.gen (0)
20:43:48.0687 2240 USB11LDR - ok
20:43:48.0750 2240 usb20l (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\stacsv.dll
20:43:48.0750 2240 usb20l ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:48.0750 2240 usb20l - detected Backdoor.Multi.ZAccess.gen (0)
20:43:48.0781 2240 USBAAPL - ok
20:43:48.0859 2240 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:43:48.0968 2240 usbehci - ok
20:43:49.0015 2240 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:43:49.0140 2240 usbhub - ok
20:43:49.0265 2240 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
20:43:49.0343 2240 usbprint - ok
20:43:49.0375 2240 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
20:43:49.0453 2240 usbscan - ok
20:43:49.0484 2240 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\drivers\usbser.sys
20:43:49.0562 2240 usbser - ok
20:43:49.0609 2240 UsbserFilt (e44f0d17be0908b58dcc99ccb99c6c32) C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys
20:43:49.0656 2240 UsbserFilt - ok
20:43:49.0718 2240 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:43:49.0812 2240 USBSTOR - ok
20:43:49.0906 2240 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:43:50.0000 2240 usbuhci - ok
20:43:50.0000 2240 USBVCD - ok
20:43:50.0062 2240 UxTuneUp (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\xaudioservice.dll
20:43:50.0062 2240 UxTuneUp ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:50.0062 2240 UxTuneUp - detected Backdoor.Multi.ZAccess.gen (0)
20:43:50.0140 2240 vaiomediaplatform-integratedserver-appserver (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\xpagentserver.dll
20:43:50.0140 2240 vaiomediaplatform-integratedserver-appserver ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:50.0140 2240 vaiomediaplatform-integratedserver-appserver - detected Backdoor.Multi.ZAccess.gen (0)
20:43:50.0171 2240 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
20:43:50.0281 2240 VgaSave - ok
20:43:50.0281 2240 ViaIde - ok
20:43:50.0328 2240 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
20:43:50.0406 2240 VolSnap - ok
20:43:50.0421 2240 vrservice - ok
20:43:50.0468 2240 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
20:43:50.0515 2240 VSS - ok
20:43:50.0515 2240 w29n51 - ok
20:43:50.0562 2240 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
20:43:50.0656 2240 W32Time - ok
20:43:50.0734 2240 W700obex (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\bc_ip_f.dll
20:43:50.0734 2240 W700obex ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:50.0734 2240 W700obex - detected Backdoor.Multi.ZAccess.gen (0)
20:43:50.0781 2240 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:43:50.0875 2240 Wanarp - ok
20:43:50.0953 2240 was (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\nocashio.dll
20:43:50.0953 2240 was ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:50.0953 2240 was - detected Backdoor.Multi.ZAccess.gen (0)
20:43:50.0984 2240 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
20:43:51.0000 2240 Wdf01000 - ok
20:43:51.0031 2240 WDICA - ok
20:43:51.0093 2240 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
20:43:51.0203 2240 wdmaud - ok
20:43:51.0265 2240 wdm_au8820 (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\pdiddcci.dll
20:43:51.0265 2240 wdm_au8820 ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:51.0265 2240 wdm_au8820 - detected Backdoor.Multi.ZAccess.gen (0)
20:43:51.0359 2240 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
20:43:51.0468 2240 WebClient - ok
20:43:51.0515 2240 websenseclientdeployservice (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\wdelmgr20.dll
20:43:51.0515 2240 websenseclientdeployservice ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:51.0515 2240 websenseclientdeployservice - detected Backdoor.Multi.ZAccess.gen (0)
20:43:51.0562 2240 wfxsvc (be2157595c087207676ec716a6be4cce) C:\WINDOWS\system32\WFXSVC.EXE
20:43:51.0593 2240 wfxsvc ( UnsignedFile.Multi.Generic ) - warning
20:43:51.0593 2240 wfxsvc - detected UnsignedFile.Multi.Generic (1)
20:43:51.0687 2240 winachsf (be3a842c2f2e87e7c840d36bcf13e8e0) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
20:43:51.0750 2240 winachsf - ok
20:43:51.0843 2240 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
20:43:51.0921 2240 winmgmt - ok
20:43:52.0000 2240 WinRM (18f347402da544a780949b8fdf83351b) C:\WINDOWS\system32\WsmSvc.dll
20:43:52.0031 2240 WinRM - ok
20:43:52.0109 2240 wlsetupsvc (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\entertainment.dll
20:43:52.0109 2240 wlsetupsvc ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:52.0109 2240 wlsetupsvc - detected Backdoor.Multi.ZAccess.gen (0)
20:43:52.0125 2240 wmccds (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\pdiddcci.dll
20:43:52.0125 2240 wmccds ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:52.0125 2240 wmccds - detected Backdoor.Multi.ZAccess.gen (0)
20:43:52.0171 2240 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
20:43:52.0171 2240 WmdmPmSN - ok
20:43:52.0281 2240 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
20:43:52.0312 2240 Wmi - ok
20:43:52.0375 2240 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
20:43:52.0468 2240 WmiApSrv - ok
20:43:52.0640 2240 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
20:43:52.0671 2240 WMPNetworkSvc - ok
20:43:52.0734 2240 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
20:43:52.0765 2240 WpdUsb - ok
20:43:52.0859 2240 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
20:43:52.0937 2240 wuauserv - ok
20:43:53.0000 2240 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
20:43:53.0031 2240 WudfPf - ok
20:43:53.0078 2240 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
20:43:53.0093 2240 WudfRd - ok
20:43:53.0140 2240 WudfSvc (ddee3682fe97037c45f4d7ab467cb8b6) C:\WINDOWS\System32\WUDFSvc.dll
20:43:53.0187 2240 WudfSvc - ok
20:43:53.0265 2240 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
20:43:53.0359 2240 WZCSVC - ok
20:43:53.0421 2240 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
20:43:53.0500 2240 xmlprov - ok
20:43:53.0562 2240 ZDPSp50 (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\psimsvc.dll
20:43:53.0562 2240 ZDPSp50 ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:53.0562 2240 ZDPSp50 - detected Backdoor.Multi.ZAccess.gen (0)
20:43:53.0750 2240 {95808DC4-FA4A-4c74-92FE-5B863F82066B} (8098180b3f6c430a4e60333bc036f936) C:\Program Files\CyberLink\PowerDVD\000.fcl
20:43:54.0140 2240 {95808DC4-FA4A-4c74-92FE-5B863F82066B} - ok
20:43:54.0187 2240 {eda5f5d3-9e0f-4f4d-8a13-1d1cf469c9cc} (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\yukonwxp.dll
20:43:54.0187 2240 {eda5f5d3-9e0f-4f4d-8a13-1d1cf469c9cc} ( Backdoor.Multi.ZAccess.gen ) - infected
20:43:54.0187 2240 {eda5f5d3-9e0f-4f4d-8a13-1d1cf469c9cc} - detected Backdoor.Multi.ZAccess.gen (0)
20:43:54.0203 2240 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
20:43:54.0437 2240 \Device\Harddisk0\DR0 - ok
20:43:54.0437 2240 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk1\DR1
20:43:55.0125 2240 \Device\Harddisk1\DR1 - ok
20:43:55.0125 2240 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk2\DR5
20:43:55.0203 2240 \Device\Harddisk2\DR5 - ok
20:43:55.0203 2240 MBR (0x1B8) (65e858a8a0293be11a920b0bc99d695e) \Device\Harddisk7\DR21
20:43:55.0765 2240 \Device\Harddisk7\DR21 - ok
20:43:55.0765 2240 Boot (0x1200) (de17a28ffae56733026be20e47e5fe8c) \Device\Harddisk0\DR0\Partition0
20:43:55.0765 2240 \Device\Harddisk0\DR0\Partition0 - ok
20:43:55.0765 2240 Boot (0x1200) (ab81bc14f7e65a74e1d70e016623b088) \Device\Harddisk1\DR1\Partition0
20:43:55.0765 2240 \Device\Harddisk1\DR1\Partition0 - ok
20:43:55.0781 2240 Boot (0x1200) (f0463477c940dfacd8991233674ec997) \Device\Harddisk1\DR1\Partition1
20:43:55.0781 2240 \Device\Harddisk1\DR1\Partition1 - ok
20:43:55.0781 2240 Boot (0x1200) (eeec5da32dfa12e1263fca298252a021) \Device\Harddisk2\DR5\Partition0
20:43:55.0781 2240 \Device\Harddisk2\DR5\Partition0 - ok
20:43:55.0781 2240 Boot (0x1200) (8cbb6491629c9a350163059652938fd4) \Device\Harddisk2\DR5\Partition1
20:43:55.0781 2240 \Device\Harddisk2\DR5\Partition1 - ok
20:43:55.0781 2240 Boot (0x1200) (ae6d43163817660b690c504c0593845a) \Device\Harddisk7\DR21\Partition0
20:43:55.0781 2240 \Device\Harddisk7\DR21\Partition0 - ok
20:43:55.0781 2240 ============================================================
20:43:55.0781 2240 Scan finished
20:43:55.0781 2240 ============================================================
20:43:55.0890 3780 Detected object count: 102
20:43:55.0890 3780 Actual detected object count: 102
20:47:33.0468 3780 C:\WINDOWS\system32\SaiU040B.dll - copied to quarantine
20:47:33.0468 3780 HKLM\SYSTEM\ControlSet001\services\3combootp - will be deleted on reboot
20:47:33.0468 3780 HKLM\SYSTEM\ControlSet003\services\3combootp - will be deleted on reboot
20:47:33.0468 3780 C:\WINDOWS\system32\SaiU040B.dll - will be deleted on reboot
20:47:33.0468 3780 3combootp ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:33.0625 3780 C:\WINDOWS\system32\pnkbstra.dll - copied to quarantine
20:47:33.0640 3780 HKLM\SYSTEM\ControlSet001\services\acmservice - will be deleted on reboot
20:47:33.0640 3780 C:\WINDOWS\system32\pnkbstra.dll - will be deleted on reboot
20:47:33.0640 3780 acmservice ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:33.0656 3780 C:\WINDOWS\system32\tifm.dll - copied to quarantine
20:47:33.0656 3780 HKLM\SYSTEM\ControlSet001\services\adfs - will be deleted on reboot
20:47:33.0656 3780 C:\WINDOWS\system32\tifm.dll - will be deleted on reboot
20:47:33.0656 3780 adfs ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:33.0781 3780 C:\WINDOWS\system32\vpcvmm.dll - copied to quarantine
20:47:33.0781 3780 HKLM\SYSTEM\ControlSet001\services\ADSMService - will be deleted on reboot
20:47:33.0781 3780 HKLM\SYSTEM\ControlSet003\services\ADSMService - will be deleted on reboot
20:47:33.0781 3780 C:\WINDOWS\system32\vpcvmm.dll - will be deleted on reboot
20:47:33.0781 3780 ADSMService ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:33.0781 3780 AFD ( UnsignedFile.Multi.Generic ) - skipped by user
20:47:33.0781 3780 AFD ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:47:33.0859 3780 C:\WINDOWS\system32\UVCFTR.dll - copied to quarantine
20:47:33.0859 3780 HKLM\SYSTEM\ControlSet001\services\atiavaiw - will be deleted on reboot
20:47:33.0859 3780 HKLM\SYSTEM\ControlSet003\services\atiavaiw - will be deleted on reboot
20:47:33.0859 3780 C:\WINDOWS\system32\UVCFTR.dll - will be deleted on reboot
20:47:33.0859 3780 atiavaiw ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:33.0984 3780 C:\WINDOWS\system32\imountsrv.dll - copied to quarantine
20:47:33.0984 3780 HKLM\SYSTEM\ControlSet001\services\atimtag - will be deleted on reboot
20:47:33.0984 3780 HKLM\SYSTEM\ControlSet003\services\atimtag - will be deleted on reboot
20:47:33.0984 3780 C:\WINDOWS\system32\imountsrv.dll - will be deleted on reboot
20:47:33.0984 3780 atimtag ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:34.0062 3780 C:\WINDOWS\system32\ikfileflt.dll - copied to quarantine
20:47:34.0062 3780 HKLM\SYSTEM\ControlSet001\services\avpnnic - will be deleted on reboot
20:47:34.0062 3780 HKLM\SYSTEM\ControlSet003\services\avpnnic - will be deleted on reboot
20:47:34.0062 3780 C:\WINDOWS\system32\ikfileflt.dll - will be deleted on reboot
20:47:34.0062 3780 avpnnic ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:34.0171 3780 C:\WINDOWS\system32\ARCSOFTVIRTUALCAPTURE.dll - copied to quarantine
20:47:34.0171 3780 HKLM\SYSTEM\ControlSet001\services\backupclientsvc - will be deleted on reboot
20:47:34.0171 3780 C:\WINDOWS\system32\ARCSOFTVIRTUALCAPTURE.dll - will be deleted on reboot
20:47:34.0171 3780 backupclientsvc ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:34.0171 3780 BANTExt ( UnsignedFile.Multi.Generic ) - skipped by user
20:47:34.0171 3780 BANTExt ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:47:34.0250 3780 C:\WINDOWS\system32\agnwifi.dll - copied to quarantine
20:47:34.0250 3780 HKLM\SYSTEM\ControlSet001\services\bobo - will be deleted on reboot
20:47:34.0250 3780 C:\WINDOWS\system32\agnwifi.dll - will be deleted on reboot
20:47:34.0250 3780 bobo ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:34.0406 3780 C:\WINDOWS\system32\AtiHdmiService.dll - copied to quarantine
20:47:34.0406 3780 HKLM\SYSTEM\ControlSet001\services\btcsrusb - will be deleted on reboot
20:47:34.0406 3780 HKLM\SYSTEM\ControlSet003\services\btcsrusb - will be deleted on reboot
20:47:34.0421 3780 C:\WINDOWS\system32\AtiHdmiService.dll - will be deleted on reboot
20:47:34.0421 3780 btcsrusb ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:34.0484 3780 C:\WINDOWS\system32\Shockprf.dll - copied to quarantine
20:47:34.0484 3780 HKLM\SYSTEM\ControlSet001\services\btwdndis - will be deleted on reboot
20:47:34.0484 3780 C:\WINDOWS\system32\Shockprf.dll - will be deleted on reboot
20:47:34.0484 3780 btwdndis ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:34.0609 3780 C:\WINDOWS\system32\CdaC15BA.dll - copied to quarantine
20:47:34.0609 3780 HKLM\SYSTEM\ControlSet001\services\Cap7134 - will be deleted on reboot
20:47:34.0609 3780 C:\WINDOWS\system32\CdaC15BA.dll - will be deleted on reboot
20:47:34.0609 3780 Cap7134 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:34.0734 3780 C:\WINDOWS\system32\swwd.dll - copied to quarantine
20:47:34.0734 3780 HKLM\SYSTEM\ControlSet001\services\cmbatt - will be deleted on reboot
20:47:34.0734 3780 HKLM\SYSTEM\ControlSet003\services\cmbatt - will be deleted on reboot
20:47:34.0734 3780 C:\WINDOWS\system32\swwd.dll - will be deleted on reboot
20:47:34.0734 3780 cmbatt ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:34.0812 3780 C:\WINDOWS\system32\fsdfwd.dll - copied to quarantine
20:47:34.0812 3780 HKLM\SYSTEM\ControlSet001\services\ctprxy2k - will be deleted on reboot
20:47:34.0812 3780 C:\WINDOWS\system32\fsdfwd.dll - will be deleted on reboot
20:47:34.0812 3780 ctprxy2k ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:34.0828 3780 C:\WINDOWS\system32\imountsrv.dll - copied to quarantine
20:47:34.0828 3780 HKLM\SYSTEM\ControlSet001\services\curtainssyssvc - will be deleted on reboot
20:47:34.0828 3780 HKLM\SYSTEM\ControlSet003\services\curtainssyssvc - will be deleted on reboot
20:47:34.0828 3780 C:\WINDOWS\system32\imountsrv.dll - will be deleted on reboot
20:47:34.0828 3780 curtainssyssvc ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:34.0968 3780 C:\WINDOWS\system32\PQNTDrv.dll - copied to quarantine
20:47:34.0968 3780 HKLM\SYSTEM\ControlSet001\services\CXAVXBAR - will be deleted on reboot
20:47:34.0968 3780 C:\WINDOWS\system32\PQNTDrv.dll - will be deleted on reboot
20:47:34.0968 3780 CXAVXBAR ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:35.0046 3780 C:\WINDOWS\system32\PNDIS5.dll - copied to quarantine
20:47:35.0046 3780 HKLM\SYSTEM\ControlSet001\services\DNE - will be deleted on reboot
20:47:35.0046 3780 C:\WINDOWS\system32\PNDIS5.dll - will be deleted on reboot
20:47:35.0046 3780 DNE ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:35.0171 3780 C:\WINDOWS\system32\aavmker4.dll - copied to quarantine
20:47:35.0171 3780 HKLM\SYSTEM\ControlSet001\services\dptrackerd - will be deleted on reboot
20:47:35.0171 3780 HKLM\SYSTEM\ControlSet003\services\dptrackerd - will be deleted on reboot
20:47:35.0171 3780 C:\WINDOWS\system32\aavmker4.dll - will be deleted on reboot
20:47:35.0171 3780 dptrackerd ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:35.0265 3780 C:\WINDOWS\system32\amdagp.dll - copied to quarantine
20:47:35.0265 3780 HKLM\SYSTEM\ControlSet001\services\DS1410D - will be deleted on reboot
20:47:35.0265 3780 HKLM\SYSTEM\ControlSet003\services\DS1410D - will be deleted on reboot
20:47:35.0265 3780 C:\WINDOWS\system32\amdagp.dll - will be deleted on reboot
20:47:35.0265 3780 DS1410D ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:35.0437 3780 C:\WINDOWS\system32\logonsvcid.dll - copied to quarantine
20:47:35.0437 3780 HKLM\SYSTEM\ControlSet001\services\eloggersvc6 - will be deleted on reboot
20:47:35.0437 3780 C:\WINDOWS\system32\logonsvcid.dll - will be deleted on reboot
20:47:35.0437 3780 eloggersvc6 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:35.0515 3780 C:\WINDOWS\system32\ZSMC301b.dll - copied to quarantine
20:47:35.0515 3780 HKLM\SYSTEM\ControlSet001\services\EUSBMSD - will be deleted on reboot
20:47:35.0515 3780 C:\WINDOWS\system32\ZSMC301b.dll - will be deleted on reboot
20:47:35.0515 3780 EUSBMSD ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:35.0625 3780 C:\WINDOWS\system32\VRADFIL.dll - copied to quarantine
20:47:35.0625 3780 HKLM\SYSTEM\ControlSet001\services\forcewarewebinterface - will be deleted on reboot
20:47:35.0625 3780 C:\WINDOWS\system32\VRADFIL.dll - will be deleted on reboot
20:47:35.0625 3780 forcewarewebinterface ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:35.0734 3780 C:\WINDOWS\system32\zpnodecollector.dll - copied to quarantine
20:47:35.0734 3780 HKLM\SYSTEM\ControlSet001\services\fuj02b1 - will be deleted on reboot
20:47:35.0734 3780 HKLM\SYSTEM\ControlSet003\services\fuj02b1 - will be deleted on reboot
20:47:35.0734 3780 C:\WINDOWS\system32\zpnodecollector.dll - will be deleted on reboot
20:47:35.0734 3780 fuj02b1 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:35.0843 3780 C:\WINDOWS\system32\purgeieservice.dll - copied to quarantine
20:47:35.0843 3780 HKLM\SYSTEM\ControlSet001\services\generichidservice - will be deleted on reboot
20:47:35.0843 3780 HKLM\SYSTEM\ControlSet003\services\generichidservice - will be deleted on reboot
20:47:35.0859 3780 C:\WINDOWS\system32\purgeieservice.dll - will be deleted on reboot
20:47:35.0859 3780 generichidservice ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:35.0890 3780 C:\WINDOWS\system32\ikfileflt.dll - copied to quarantine
20:47:35.0890 3780 HKLM\SYSTEM\ControlSet001\services\GoProto - will be deleted on reboot
20:47:35.0906 3780 HKLM\SYSTEM\ControlSet003\services\GoProto - will be deleted on reboot
20:47:35.0906 3780 C:\WINDOWS\system32\ikfileflt.dll - will be deleted on reboot
20:47:35.0906 3780 GoProto ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:35.0906 3780 ham50 ( UnsignedFile.Multi.Generic ) - skipped by user
20:47:35.0906 3780 ham50 ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:47:36.0031 3780 C:\WINDOWS\system32\us30service.dll - copied to quarantine
20:47:36.0031 3780 HKLM\SYSTEM\ControlSet001\services\ikfileflt - will be deleted on reboot
20:47:36.0031 3780 HKLM\SYSTEM\ControlSet003\services\ikfileflt - will be deleted on reboot
20:47:36.0031 3780 C:\WINDOWS\system32\us30service.dll - will be deleted on reboot
20:47:36.0031 3780 ikfileflt ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:36.0093 3780 C:\WINDOWS\system32\ino_flpy.dll - copied to quarantine
20:47:36.0093 3780 HKLM\SYSTEM\ControlSet001\services\imap4d32 - will be deleted on reboot
20:47:36.0093 3780 C:\WINDOWS\system32\ino_flpy.dll - will be deleted on reboot
20:47:36.0093 3780 imap4d32 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:36.0281 3780 C:\WINDOWS\system32\cvintdrv.dll - copied to quarantine
20:47:36.0281 3780 HKLM\SYSTEM\ControlSet001\services\infrastructure - will be deleted on reboot
20:47:36.0296 3780 C:\WINDOWS\system32\cvintdrv.dll - will be deleted on reboot
20:47:36.0296 3780 infrastructure ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:36.0343 3780 C:\WINDOWS\system32\viagfx.dll - copied to quarantine
20:47:36.0343 3780 HKLM\SYSTEM\ControlSet001\services\ipsraidn - will be deleted on reboot
20:47:36.0343 3780 C:\WINDOWS\system32\viagfx.dll - will be deleted on reboot
20:47:36.0343 3780 ipsraidn ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:36.0453 3780 C:\WINDOWS\system32\MpFilter.dll - copied to quarantine
20:47:36.0453 3780 HKLM\SYSTEM\ControlSet001\services\iviregmgr - will be deleted on reboot
20:47:36.0453 3780 C:\WINDOWS\system32\MpFilter.dll - will be deleted on reboot
20:47:36.0453 3780 iviregmgr ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:36.0515 3780 C:\WINDOWS\system32\btwavdt.dll - copied to quarantine
20:47:36.0515 3780 HKLM\SYSTEM\ControlSet001\services\IWCA - will be deleted on reboot
20:47:36.0515 3780 C:\WINDOWS\system32\btwavdt.dll - will be deleted on reboot
20:47:36.0515 3780 IWCA ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:36.0609 3780 C:\WINDOWS\system32\pml.dll - copied to quarantine
20:47:36.0609 3780 HKLM\SYSTEM\ControlSet001\services\JGOGO - will be deleted on reboot
20:47:36.0625 3780 C:\WINDOWS\system32\pml.dll - will be deleted on reboot
20:47:36.0625 3780 JGOGO ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:36.0656 3780 C:\WINDOWS\system32\iaimfp0.dll - copied to quarantine
20:47:36.0656 3780 HKLM\SYSTEM\ControlSet001\services\kodakccs - will be deleted on reboot
20:47:36.0656 3780 C:\WINDOWS\system32\iaimfp0.dll - will be deleted on reboot
20:47:36.0656 3780 kodakccs ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:36.0765 3780 C:\WINDOWS\system32\tpkmpsvc.dll - copied to quarantine
20:47:36.0765 3780 HKLM\SYSTEM\ControlSet001\services\l8042pr2 - will be deleted on reboot
20:47:36.0765 3780 C:\WINDOWS\system32\tpkmpsvc.dll - will be deleted on reboot
20:47:36.0765 3780 l8042pr2 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:36.0859 3780 C:\WINDOWS\system32\SrvcSSIOMngr.dll - copied to quarantine
20:47:36.0859 3780 HKLM\SYSTEM\ControlSet001\services\lxbs_device - will be deleted on reboot
20:47:36.0859 3780 HKLM\SYSTEM\ControlSet003\services\lxbs_device - will be deleted on reboot
20:47:36.0859 3780 C:\WINDOWS\system32\SrvcSSIOMngr.dll - will be deleted on reboot
20:47:36.0859 3780 lxbs_device ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:36.0953 3780 C:\WINDOWS\system32\cicsclient.dll - copied to quarantine
20:47:36.0953 3780 HKLM\SYSTEM\ControlSet001\services\lxce_device - will be deleted on reboot
20:47:36.0953 3780 C:\WINDOWS\system32\cicsclient.dll - will be deleted on reboot
20:47:36.0953 3780 lxce_device ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:37.0015 3780 C:\WINDOWS\system32\st330service.dll - copied to quarantine
20:47:37.0015 3780 HKLM\SYSTEM\ControlSet001\services\lxct_device - will be deleted on reboot
20:47:37.0015 3780 C:\WINDOWS\system32\st330service.dll - will be deleted on reboot
20:47:37.0015 3780 lxct_device ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:37.0156 3780 C:\WINDOWS\system32\W8335XP.dll - copied to quarantine
20:47:37.0156 3780 HKLM\SYSTEM\ControlSet001\services\mi-raysat_3dsMax2008_32 - will be deleted on reboot
20:47:37.0156 3780 C:\WINDOWS\system32\W8335XP.dll - will be deleted on reboot
20:47:37.0156 3780 mi-raysat_3dsMax2008_32 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:37.0218 3780 C:\WINDOWS\system32\tap0901.dll - copied to quarantine
20:47:37.0218 3780 HKLM\SYSTEM\ControlSet001\services\mssql$sqlexpress - will be deleted on reboot
20:47:37.0218 3780 C:\WINDOWS\system32\tap0901.dll - will be deleted on reboot
20:47:37.0218 3780 mssql$sqlexpress ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:37.0390 3780 C:\WINDOWS\system32\ndassvc.dll - copied to quarantine
20:47:37.0390 3780 HKLM\SYSTEM\ControlSet001\services\navapel - will be deleted on reboot
20:47:37.0390 3780 HKLM\SYSTEM\ControlSet003\services\navapel - will be deleted on reboot
20:47:37.0390 3780 C:\WINDOWS\system32\ndassvc.dll - will be deleted on reboot
20:47:37.0390 3780 navapel ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:37.0437 3780 C:\WINDOWS\system32\k750mdfl.dll - copied to quarantine
20:47:37.0437 3780 HKLM\SYSTEM\ControlSet001\services\nchssvad - will be deleted on reboot
20:47:37.0437 3780 HKLM\SYSTEM\ControlSet003\services\nchssvad - will be deleted on reboot
20:47:37.0453 3780 C:\WINDOWS\system32\k750mdfl.dll - will be deleted on reboot
20:47:37.0453 3780 nchssvad ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:37.0531 3780 C:\WINDOWS\system32\UsbserFilt.dll - copied to quarantine
20:47:37.0531 3780 HKLM\SYSTEM\ControlSet001\services\NeroMediaHomeService.4 - will be deleted on reboot
20:47:37.0531 3780 HKLM\SYSTEM\ControlSet003\services\NeroMediaHomeService.4 - will be deleted on reboot
20:47:37.0531 3780 C:\WINDOWS\system32\UsbserFilt.dll - will be deleted on reboot
20:47:37.0546 3780 NeroMediaHomeService.4 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:37.0640 3780 C:\WINDOWS\system32\kbdclass.dll - copied to quarantine
20:47:37.0640 3780 HKLM\SYSTEM\ControlSet001\services\NMSCFG - will be deleted on reboot
20:47:37.0640 3780 HKLM\SYSTEM\ControlSet003\services\NMSCFG - will be deleted on reboot
20:47:37.0640 3780 C:\WINDOWS\system32\kbdclass.dll - will be deleted on reboot
20:47:37.0640 3780 NMSCFG ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:37.0640 3780 nv ( UnsignedFile.Multi.Generic ) - skipped by user
20:47:37.0640 3780 nv ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:47:37.0750 3780 C:\WINDOWS\system32\MA8032M.dll - copied to quarantine
20:47:37.0750 3780 HKLM\SYSTEM\ControlSet001\services\NVR0FLASHDev - will be deleted on reboot
20:47:37.0750 3780 C:\WINDOWS\system32\MA8032M.dll - will be deleted on reboot
20:47:37.0750 3780 NVR0FLASHDev ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:37.0750 3780 NVSvc ( UnsignedFile.Multi.Generic ) - skipped by user
20:47:37.0750 3780 NVSvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:47:37.0781 3780 C:\WINDOWS\system32\SGIR.dll - copied to quarantine
20:47:37.0781 3780 HKLM\SYSTEM\ControlSet001\services\NWSIPX32 - will be deleted on reboot
20:47:37.0781 3780 HKLM\SYSTEM\ControlSet003\services\NWSIPX32 - will be deleted on reboot
20:47:37.0781 3780 C:\WINDOWS\system32\SGIR.dll - will be deleted on reboot
20:47:37.0781 3780 NWSIPX32 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:37.0890 3780 C:\WINDOWS\system32\ZuneBusEnum.dll - copied to quarantine
20:47:37.0890 3780 HKLM\SYSTEM\ControlSet001\services\omniusb - will be deleted on reboot
20:47:37.0890 3780 C:\WINDOWS\system32\ZuneBusEnum.dll - will be deleted on reboot
20:47:37.0890 3780 omniusb ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:37.0968 3780 C:\WINDOWS\system32\mouhid.dll - copied to quarantine
20:47:37.0968 3780 HKLM\SYSTEM\ControlSet001\services\ood2000 - will be deleted on reboot
20:47:37.0968 3780 C:\WINDOWS\system32\mouhid.dll - will be deleted on reboot
20:47:37.0968 3780 ood2000 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:38.0046 3780 C:\WINDOWS\system32\O2SCBUS.dll - copied to quarantine
20:47:38.0046 3780 HKLM\SYSTEM\ControlSet001\services\osanbm - will be deleted on reboot
20:47:38.0046 3780 HKLM\SYSTEM\ControlSet003\services\osanbm - will be deleted on reboot
20:47:38.0062 3780 C:\WINDOWS\system32\O2SCBUS.dll - will be deleted on reboot
20:47:38.0062 3780 osanbm ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:38.0171 3780 C:\WINDOWS\system32\HPFXBULK.dll - copied to quarantine
20:47:38.0171 3780 HKLM\SYSTEM\ControlSet001\services\Packet - will be deleted on reboot
20:47:38.0171 3780 HKLM\SYSTEM\ControlSet003\services\Packet - will be deleted on reboot
20:47:38.0171 3780 C:\WINDOWS\system32\HPFXBULK.dll - will be deleted on reboot
20:47:38.0171 3780 Packet ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:38.0265 3780 C:\WINDOWS\system32\tmmbd.dll - copied to quarantine
20:47:38.0265 3780 HKLM\SYSTEM\ControlSet001\services\pav_service - will be deleted on reboot
20:47:38.0265 3780 C:\WINDOWS\system32\tmmbd.dll - will be deleted on reboot
20:47:38.0265 3780 pav_service ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:38.0453 3780 C:\WINDOWS\system32\adsexpb.dll - copied to quarantine
20:47:38.0453 3780 HKLM\SYSTEM\ControlSet001\services\pca - will be deleted on reboot
20:47:38.0453 3780 HKLM\SYSTEM\ControlSet003\services\pca - will be deleted on reboot
20:47:38.0453 3780 C:\WINDOWS\system32\adsexpb.dll - will be deleted on reboot
20:47:38.0453 3780 pca ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:38.0546 3780 C:\WINDOWS\system32\pctfw1.dll - copied to quarantine
20:47:38.0546 3780 HKLM\SYSTEM\ControlSet001\services\pdlnepkt - will be deleted on reboot
20:47:38.0546 3780 HKLM\SYSTEM\ControlSet003\services\pdlnepkt - will be deleted on reboot
20:47:38.0546 3780 C:\WINDOWS\system32\pctfw1.dll - will be deleted on reboot
20:47:38.0546 3780 pdlnepkt ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:38.0671 3780 C:\WINDOWS\system32\ni_nic.dll - copied to quarantine
20:47:38.0671 3780 HKLM\SYSTEM\ControlSet001\services\PGPwded - will be deleted on reboot
20:47:38.0671 3780 HKLM\SYSTEM\ControlSet003\services\PGPwded - will be deleted on reboot
20:47:38.0671 3780 C:\WINDOWS\system32\ni_nic.dll - will be deleted on reboot
20:47:38.0671 3780 PGPwded ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:38.0750 3780 C:\WINDOWS\system32\diskperf.dll - copied to quarantine
20:47:38.0750 3780 HKLM\SYSTEM\ControlSet001\services\pop3d32 - will be deleted on reboot
20:47:38.0750 3780 HKLM\SYSTEM\ControlSet003\services\pop3d32 - will be deleted on reboot
20:47:38.0750 3780 C:\WINDOWS\system32\diskperf.dll - will be deleted on reboot
20:47:38.0750 3780 pop3d32 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:38.0828 3780 C:\WINDOWS\system32\wdelmgr20.dll - copied to quarantine
20:47:38.0828 3780 HKLM\SYSTEM\ControlSet001\services\ppped - will be deleted on reboot
20:47:38.0828 3780 HKLM\SYSTEM\ControlSet003\services\ppped - will be deleted on reboot
20:47:38.0843 3780 C:\WINDOWS\system32\wdelmgr20.dll - will be deleted on reboot
20:47:38.0843 3780 ppped ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:38.0890 3780 C:\WINDOWS\system32\fasttrackinstallerservice.dll - copied to quarantine
20:47:38.0890 3780 HKLM\SYSTEM\ControlSet001\services\prism_a02 - will be deleted on reboot
20:47:38.0906 3780 C:\WINDOWS\system32\fasttrackinstallerservice.dll - will be deleted on reboot
20:47:38.0906 3780 prism_a02 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:39.0015 3780 C:\WINDOWS\system32\ICM10USB.dll - copied to quarantine
20:47:39.0015 3780 HKLM\SYSTEM\ControlSet001\services\pshost - will be deleted on reboot
20:47:39.0015 3780 C:\WINDOWS\system32\ICM10USB.dll - will be deleted on reboot
20:47:39.0015 3780 pshost ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:39.0093 3780 C:\WINDOWS\system32\trackcam4.dll - copied to quarantine
20:47:39.0093 3780 HKLM\SYSTEM\ControlSet001\services\ql2100 - will be deleted on reboot
20:47:39.0093 3780 HKLM\SYSTEM\ControlSet003\services\ql2100 - will be deleted on reboot
20:47:39.0093 3780 C:\WINDOWS\system32\trackcam4.dll - will be deleted on reboot
20:47:39.0093 3780 ql2100 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:39.0312 3780 C:\WINDOWS\system32\eeyeevnt.dll - copied to quarantine
20:47:39.0312 3780 HKLM\SYSTEM\ControlSet001\services\QWAVEDRV - will be deleted on reboot
20:47:39.0312 3780 C:\WINDOWS\system32\eeyeevnt.dll - will be deleted on reboot
20:47:39.0312 3780 QWAVEDRV ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:39.0375 3780 C:\WINDOWS\system32\se2Bunic.dll - copied to quarantine
20:47:39.0375 3780 HKLM\SYSTEM\ControlSet001\services\RalinkRegistryWriter - will be deleted on reboot
20:47:39.0390 3780 C:\WINDOWS\system32\se2Bunic.dll - will be deleted on reboot
20:47:39.0390 3780 RalinkRegistryWriter ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:39.0515 3780 C:\WINDOWS\system32\bdfdll.dll - copied to quarantine
20:47:39.0515 3780 HKLM\SYSTEM\ControlSet001\services\roxmediadb9 - will be deleted on reboot
20:47:39.0515 3780 HKLM\SYSTEM\ControlSet003\services\roxmediadb9 - will be deleted on reboot
20:47:39.0515 3780 C:\WINDOWS\system32\bdfdll.dll - will be deleted on reboot
20:47:39.0515 3780 roxmediadb9 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:39.0593 3780 C:\WINDOWS\system32\ini910u.dll - copied to quarantine
20:47:39.0593 3780 HKLM\SYSTEM\ControlSet001\services\rtl8023 - will be deleted on reboot
20:47:39.0593 3780 HKLM\SYSTEM\ControlSet003\services\rtl8023 - will be deleted on reboot
20:47:39.0593 3780 C:\WINDOWS\system32\ini910u.dll - will be deleted on reboot
20:47:39.0593 3780 rtl8023 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:39.0593 3780 RTL8023xp ( UnsignedFile.Multi.Generic ) - skipped by user
20:47:39.0593 3780 RTL8023xp ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:47:39.0718 3780 C:\WINDOWS\system32\lxcgcustomerconnect.dll - copied to quarantine
20:47:39.0734 3780 HKLM\SYSTEM\ControlSet001\services\RTL8169 - will be deleted on reboot
20:47:39.0734 3780 HKLM\SYSTEM\ControlSet003\services\RTL8169 - will be deleted on reboot
20:47:39.0734 3780 C:\WINDOWS\system32\lxcgcustomerconnect.dll - will be deleted on reboot
20:47:39.0734 3780 RTL8169 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:39.0828 3780 C:\WINDOWS\system32\SWUMX51.dll - copied to quarantine
20:47:39.0843 3780 HKLM\SYSTEM\ControlSet001\services\s716nd5 - will be deleted on reboot
20:47:39.0843 3780 HKLM\SYSTEM\ControlSet003\services\s716nd5 - will be deleted on reboot
20:47:39.0843 3780 C:\WINDOWS\system32\SWUMX51.dll - will be deleted on reboot
20:47:39.0843 3780 s716nd5 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:39.0921 3780 C:\WINDOWS\system32\ose.dll - copied to quarantine
20:47:39.0921 3780 HKLM\SYSTEM\ControlSet001\services\savrt - will be deleted on reboot
20:47:39.0921 3780 C:\WINDOWS\system32\ose.dll - will be deleted on reboot
20:47:39.0921 3780 savrt ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:39.0984 3780 C:\WINDOWS\system32\ntuneservice.dll - copied to quarantine
20:47:39.0984 3780 HKLM\SYSTEM\ControlSet001\services\scan - will be deleted on reboot
20:47:39.0984 3780 C:\WINDOWS\system32\ntuneservice.dll - will be deleted on reboot
20:47:39.0984 3780 scan ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:40.0093 3780 C:\WINDOWS\system32\RMSvc.dll - copied to quarantine
20:47:40.0093 3780 HKLM\SYSTEM\ControlSet001\services\scsiaccess - will be deleted on reboot
20:47:40.0109 3780 HKLM\SYSTEM\ControlSet003\services\scsiaccess - will be deleted on reboot
20:47:40.0109 3780 C:\WINDOWS\system32\RMSvc.dll - will be deleted on reboot
20:47:40.0109 3780 scsiaccess ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:40.0171 3780 C:\WINDOWS\system32\{95808DC4-FA4A-4c74-92FE-5B863F82066B}.dll - copied to quarantine
20:47:40.0171 3780 HKLM\SYSTEM\ControlSet001\services\service1 - will be deleted on reboot
20:47:40.0171 3780 C:\WINDOWS\system32\{95808DC4-FA4A-4c74-92FE-5B863F82066B}.dll - will be deleted on reboot
20:47:40.0171 3780 service1 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:40.0375 3780 C:\WINDOWS\system32\rp_fws.dll - copied to quarantine
20:47:40.0375 3780 HKLM\SYSTEM\ControlSet001\services\sfsync02 - will be deleted on reboot
20:47:40.0375 3780 HKLM\SYSTEM\ControlSet003\services\sfsync02 - will be deleted on reboot
20:47:40.0375 3780 C:\WINDOWS\system32\rp_fws.dll - will be deleted on reboot
20:47:40.0375 3780 sfsync02 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:40.0437 3780 C:\WINDOWS\system32\CAMFLT.dll - copied to quarantine
20:47:40.0453 3780 HKLM\SYSTEM\ControlSet001\services\SGHIDI - will be deleted on reboot
20:47:40.0453 3780 C:\WINDOWS\system32\CAMFLT.dll - will be deleted on reboot
20:47:40.0453 3780 SGHIDI ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:40.0562 3780 C:\WINDOWS\system32\ctljystk.dll - copied to quarantine
20:47:40.0562 3780 HKLM\SYSTEM\ControlSet001\services\Si3114r5 - will be deleted on reboot
20:47:40.0562 3780 HKLM\SYSTEM\ControlSet003\services\Si3114r5 - will be deleted on reboot
20:47:40.0562 3780 C:\WINDOWS\system32\ctljystk.dll - will be deleted on reboot
20:47:40.0562 3780 Si3114r5 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:40.0640 3780 C:\WINDOWS\system32\ppmoucls.dll - copied to quarantine
20:47:40.0640 3780 HKLM\SYSTEM\ControlSet001\services\SimpTcp - will be deleted on reboot
20:47:40.0640 3780 C:\WINDOWS\system32\ppmoucls.dll - will be deleted on reboot
20:47:40.0640 3780 SimpTcp ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:40.0765 3780 C:\WINDOWS\system32\Subsonic.dll - copied to quarantine
20:47:40.0765 3780 HKLM\SYSTEM\ControlSet001\services\smstsmgr - will be deleted on reboot
20:47:40.0765 3780 HKLM\SYSTEM\ControlSet003\services\smstsmgr - will be deleted on reboot
20:47:40.0765 3780 C:\WINDOWS\system32\Subsonic.dll - will be deleted on reboot
20:47:40.0765 3780 smstsmgr ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:40.0828 3780 C:\WINDOWS\system32\SerTVOutCtlr.dll - copied to quarantine
20:47:40.0828 3780 HKLM\SYSTEM\ControlSet001\services\spbbcsvc - will be deleted on reboot
20:47:40.0828 3780 C:\WINDOWS\system32\SerTVOutCtlr.dll - will be deleted on reboot
20:47:40.0828 3780 spbbcsvc ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:40.0968 3780 C:\WINDOWS\system32\askernel.dll - copied to quarantine
20:47:40.0968 3780 HKLM\SYSTEM\ControlSet001\services\SQLAgent$MICROSOFTBCM - will be deleted on reboot
20:47:40.0968 3780 C:\WINDOWS\system32\askernel.dll - will be deleted on reboot
20:47:40.0968 3780 SQLAgent$MICROSOFTBCM ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:41.0046 3780 C:\WINDOWS\system32\xfactorae1.dll - copied to quarantine
20:47:41.0046 3780 HKLM\SYSTEM\ControlSet001\services\sqlagent$pinnaclesys - will be deleted on reboot
20:47:41.0062 3780 C:\WINDOWS\system32\xfactorae1.dll - will be deleted on reboot
20:47:41.0062 3780 sqlagent$pinnaclesys ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:41.0171 3780 C:\WINDOWS\system32\TIEHDUSB.dll - copied to quarantine
20:47:41.0187 3780 HKLM\SYSTEM\ControlSet001\services\superproserver - will be deleted on reboot
20:47:41.0187 3780 HKLM\SYSTEM\ControlSet003\services\superproserver - will be deleted on reboot
20:47:41.0187 3780 C:\WINDOWS\system32\TIEHDUSB.dll - will be deleted on reboot
20:47:41.0187 3780 superproserver ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:41.0296 3780 C:\WINDOWS\system32\relational.dll - copied to quarantine
20:47:41.0296 3780 HKLM\SYSTEM\ControlSet001\services\surveyor - will be deleted on reboot
20:47:41.0296 3780 C:\WINDOWS\system32\relational.dll - will be deleted on reboot
20:47:41.0296 3780 surveyor ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:41.0515 3780 C:\WINDOWS\system32\vstor2.dll - copied to quarantine
20:47:41.0515 3780 HKLM\SYSTEM\ControlSet001\services\susbser - will be deleted on reboot
20:47:41.0515 3780 HKLM\SYSTEM\ControlSet003\services\susbser - will be deleted on reboot
20:47:41.0515 3780 C:\WINDOWS\system32\vstor2.dll - will be deleted on reboot
20:47:41.0515 3780 susbser ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:41.0578 3780 C:\WINDOWS\system32\xpadminserver.dll - copied to quarantine
20:47:41.0578 3780 HKLM\SYSTEM\ControlSet001\services\TeamViewer - will be deleted on reboot
20:47:41.0578 3780 C:\WINDOWS\system32\xpadminserver.dll - will be deleted on reboot
20:47:41.0578 3780 TeamViewer ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:41.0640 3780 C:\WINDOWS\system32\bdfdll.dll - copied to quarantine
20:47:41.0640 3780 HKLM\SYSTEM\ControlSet001\services\trackcam4 - will be deleted on reboot
20:47:41.0640 3780 HKLM\SYSTEM\ControlSet003\services\trackcam4 - will be deleted on reboot
20:47:41.0640 3780 C:\WINDOWS\system32\bdfdll.dll - will be deleted on reboot
20:47:41.0640 3780 trackcam4 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:41.0687 3780 C:\WINDOWS\system32\cq_mem.dll - copied to quarantine
20:47:41.0687 3780 HKLM\SYSTEM\ControlSet001\services\TSHWMDTCP - will be deleted on reboot
20:47:41.0687 3780 HKLM\SYSTEM\ControlSet003\services\TSHWMDTCP - will be deleted on reboot
20:47:41.0687 3780 C:\WINDOWS\system32\cq_mem.dll - will be deleted on reboot
20:47:41.0687 3780 TSHWMDTCP ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:41.0687 3780 UnlockerDriver5 ( UnsignedFile.Multi.Generic ) - skipped by user
20:47:41.0687 3780 UnlockerDriver5 ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:47:41.0765 3780 C:\WINDOWS\system32\lmimirr.dll - copied to quarantine
20:47:41.0765 3780 HKLM\SYSTEM\ControlSet001\services\USA49W - will be deleted on reboot
20:47:41.0765 3780 C:\WINDOWS\system32\lmimirr.dll - will be deleted on reboot
20:47:41.0765 3780 USA49W ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:41.0828 3780 C:\WINDOWS\system32\stacsv.dll - copied to quarantine
20:47:41.0828 3780 HKLM\SYSTEM\ControlSet001\services\usb20l - will be deleted on reboot
20:47:41.0828 3780 C:\WINDOWS\system32\stacsv.dll - will be deleted on reboot
20:47:41.0828 3780 usb20l ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:41.0921 3780 C:\WINDOWS\system32\xaudioservice.dll - copied to quarantine
20:47:41.0921 3780 HKLM\SYSTEM\ControlSet001\services\UxTuneUp - will be deleted on reboot
20:47:41.0921 3780 HKLM\SYSTEM\ControlSet003\services\UxTuneUp - will be deleted on reboot
20:47:41.0937 3780 C:\WINDOWS\system32\xaudioservice.dll - will be deleted on reboot
20:47:41.0937 3780 UxTuneUp ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:42.0015 3780 C:\WINDOWS\system32\xpagentserver.dll - copied to quarantine
20:47:42.0015 3780 HKLM\SYSTEM\ControlSet001\services\vaiomediaplatform-integratedserver-appserver - will be deleted on reboot
20:47:42.0015 3780 HKLM\SYSTEM\ControlSet003\services\vaiomediaplatform-integratedserver-appserver - will be deleted on reboot
20:47:42.0015 3780 C:\WINDOWS\system32\xpagentserver.dll - will be deleted on reboot
20:47:42.0015 3780 vaiomediaplatform-integratedserver-appserver ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:42.0140 3780 C:\WINDOWS\system32\bc_ip_f.dll - copied to quarantine
20:47:42.0140 3780 HKLM\SYSTEM\ControlSet001\services\W700obex - will be deleted on reboot
20:47:42.0140 3780 C:\WINDOWS\system32\bc_ip_f.dll - will be deleted on reboot
20:47:42.0140 3780 W700obex ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:42.0187 3780 C:\WINDOWS\system32\nocashio.dll - copied to quarantine
20:47:42.0187 3780 HKLM\SYSTEM\ControlSet001\services\was - will be deleted on reboot
20:47:42.0187 3780 C:\WINDOWS\system32\nocashio.dll - will be deleted on reboot
20:47:42.0187 3780 was ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:42.0375 3780 C:\WINDOWS\system32\pdiddcci.dll - copied to quarantine
20:47:42.0375 3780 HKLM\SYSTEM\ControlSet001\services\wdm_au8820 - will be deleted on reboot
20:47:42.0375 3780 C:\WINDOWS\system32\pdiddcci.dll - will be deleted on reboot
20:47:42.0375 3780 wdm_au8820 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:42.0484 3780 C:\WINDOWS\system32\wdelmgr20.dll - copied to quarantine
20:47:42.0484 3780 HKLM\SYSTEM\ControlSet001\services\websenseclientdeployservice - will be deleted on reboot
20:47:42.0484 3780 HKLM\SYSTEM\ControlSet003\services\websenseclientdeployservice - will be deleted on reboot
20:47:42.0484 3780 C:\WINDOWS\system32\wdelmgr20.dll - will be deleted on reboot
20:47:42.0484 3780 websenseclientdeployservice ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:42.0484 3780 wfxsvc ( UnsignedFile.Multi.Generic ) - skipped by user
20:47:42.0484 3780 wfxsvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:47:42.0593 3780 C:\WINDOWS\system32\entertainment.dll - copied to quarantine
20:47:42.0593 3780 HKLM\SYSTEM\ControlSet001\services\wlsetupsvc - will be deleted on reboot
20:47:42.0593 3780 C:\WINDOWS\system32\entertainment.dll - will be deleted on reboot
20:47:42.0593 3780 wlsetupsvc ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:42.0609 3780 C:\WINDOWS\system32\pdiddcci.dll - copied to quarantine
20:47:42.0609 3780 HKLM\SYSTEM\ControlSet001\services\wmccds - will be deleted on reboot
20:47:42.0609 3780 HKLM\SYSTEM\ControlSet003\services\wmccds - will be deleted on reboot
20:47:42.0609 3780 C:\WINDOWS\system32\pdiddcci.dll - will be deleted on reboot
20:47:42.0609 3780 wmccds ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:42.0703 3780 C:\WINDOWS\system32\psimsvc.dll - copied to quarantine
20:47:42.0703 3780 HKLM\SYSTEM\ControlSet001\services\ZDPSp50 - will be deleted on reboot
20:47:42.0703 3780 HKLM\SYSTEM\ControlSet003\services\ZDPSp50 - will be deleted on reboot
20:47:42.0703 3780 C:\WINDOWS\system32\psimsvc.dll - will be deleted on reboot
20:47:42.0703 3780 ZDPSp50 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:42.0796 3780 C:\WINDOWS\system32\yukonwxp.dll - copied to quarantine
20:47:42.0796 3780 HKLM\SYSTEM\ControlSet001\services\{eda5f5d3-9e0f-4f4d-8a13-1d1cf469c9cc} - will be deleted on reboot
20:47:42.0796 3780 HKLM\SYSTEM\ControlSet003\services\{eda5f5d3-9e0f-4f4d-8a13-1d1cf469c9cc} - will be deleted on reboot
20:47:42.0796 3780 C:\WINDOWS\system32\yukonwxp.dll - will be deleted on reboot
20:47:42.0796 3780 {eda5f5d3-9e0f-4f4d-8a13-1d1cf469c9cc} ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete

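The TDSSKiller output above is the part of this thread worth reading closely: each Backdoor.Multi.ZAccess.gen verdict is preceded by the DLL the tool quarantined and by the service keys (under ControlSet001 and, where present, ControlSet003) it scheduled for deletion on reboot, and a few DLLs (bdfdll.dll, wdelmgr20.dll, pdiddcci.dll) appear under more than one service name. The script below is an added example, not part of the thread and not Kaspersky's code: it groups the log into one record per verdict, builds the list of keys and files that must be gone after the reboot, and flags DLLs shared between services. The sample lines are copied from the log above; the function names and the winreg helper are this example's own, and the existence checks are passed in as arguments so the parsing itself runs on any machine.

```python
"""Triage a TDSSKiller "User select action" log (added example, not Kaspersky's own code)."""
import re
from collections import Counter, defaultdict

# Constructed sample: lines copied verbatim from the TDSSKiller log pasted in this thread.
SAMPLE_LOG = r"""20:47:38.0750 3780 C:\WINDOWS\system32\diskperf.dll - copied to quarantine
20:47:38.0750 3780 HKLM\SYSTEM\ControlSet001\services\pop3d32 - will be deleted on reboot
20:47:38.0750 3780 HKLM\SYSTEM\ControlSet003\services\pop3d32 - will be deleted on reboot
20:47:38.0750 3780 C:\WINDOWS\system32\diskperf.dll - will be deleted on reboot
20:47:38.0750 3780 pop3d32 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:39.0515 3780 C:\WINDOWS\system32\bdfdll.dll - copied to quarantine
20:47:39.0515 3780 HKLM\SYSTEM\ControlSet001\services\roxmediadb9 - will be deleted on reboot
20:47:39.0515 3780 HKLM\SYSTEM\ControlSet003\services\roxmediadb9 - will be deleted on reboot
20:47:39.0515 3780 C:\WINDOWS\system32\bdfdll.dll - will be deleted on reboot
20:47:39.0515 3780 roxmediadb9 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
20:47:39.0593 3780 RTL8023xp ( UnsignedFile.Multi.Generic ) - skipped by user
20:47:39.0593 3780 RTL8023xp ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:47:41.0640 3780 C:\WINDOWS\system32\bdfdll.dll - copied to quarantine
20:47:41.0640 3780 HKLM\SYSTEM\ControlSet001\services\trackcam4 - will be deleted on reboot
20:47:41.0640 3780 HKLM\SYSTEM\ControlSet003\services\trackcam4 - will be deleted on reboot
20:47:41.0640 3780 C:\WINDOWS\system32\bdfdll.dll - will be deleted on reboot
20:47:41.0640 3780 trackcam4 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
"""

LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+(?P<msg>.+?)\s*$")
VERDICT_RE = re.compile(r"^(?P<name>.+?) \( (?P<detection>[^()]+) \) - User select action: (?P<action>\w+)$")
OBJECT_ACTIONS = ("copied to quarantine", "will be deleted on reboot")
REG_PREFIXES = ("HKLM\\", "HKCU\\", "HKU\\")

def parse_tdsskiller(text):
    """One record per verdict line; the file/registry actions printed before it belong to it."""
    entries, files, keys = [], [], []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank or header lines
        msg = m.group("msg")
        verdict = VERDICT_RE.match(msg)
        if verdict:
            entries.append({"time": m.group("time"), "name": verdict.group("name"),
                            "detection": verdict.group("detection").strip(),
                            "action": verdict.group("action"), "files": files, "keys": keys})
            files, keys = [], []  # start collecting for the next verdict
            continue
        obj, _, what = msg.rpartition(" - ")
        if what not in OBJECT_ACTIONS:
            continue  # e.g. "skipped by user": nothing was touched
        bucket = keys if obj.startswith(REG_PREFIXES) else files
        if obj not in bucket:  # the same path is listed once for quarantine and once for deletion
            bucket.append(obj)
    return entries

def reboot_checklist(entries):
    """Keys and files that must be gone after the reboot TDSSKiller asked for (Delete verdicts only)."""
    keys, files = [], []
    for e in entries:
        if e["action"] != "Delete":
            continue
        keys += [k for k in e["keys"] if k not in keys]
        files += [f for f in e["files"] if f not in files]
    return {"keys": keys, "files": files}

def shared_payloads(entries):
    """DLLs that several deleted services pointed at (one payload under different service names)."""
    owners = defaultdict(list)
    for e in entries:
        if e["action"] == "Delete":
            for f in e["files"]:
                owners[f].append(e["name"])
    return {f: names for f, names in owners.items() if len(names) > 1}

def summarize(entries):
    """Verdict counts per (detection, action), e.g. how many ZAccess services were deleted."""
    return Counter((e["detection"], e["action"]) for e in entries)

def still_present(checklist, file_exists, key_exists):
    """Checklist items that survived the reboot; empty on a machine where the cleanup stuck.

    The existence checks are injected so the logic runs anywhere; on the affected
    Windows box pass os.path.exists and winreg_key_exists below.
    """
    return {"keys": [k for k in checklist["keys"] if key_exists(k)],
            "files": [f for f in checklist["files"] if file_exists(f)]}

def winreg_key_exists(path):
    """Windows-only helper (this example's own): does an HKLM\\...\\name key still open?"""
    import winreg  # standard library, importable only on Windows
    hive, _, subkey = path.partition("\\")
    root = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive]
    try:
        winreg.CloseKey(winreg.OpenKey(root, subkey))
        return True
    except OSError:
        return False
```

On the affected machine the post-reboot check is still_present(reboot_checklist(parse_tdsskiller(log_text)), os.path.exists, winreg_key_exists), with log_text read from the saved TDSSKiller log; anything it returns is a key or file the tool said it would remove but did not, which is the first thing to look at when the antivirus keeps alerting after the restart. shared_payloads is a quick sanity check that the same DLL was not left behind under a service name that was skipped.
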
osjknights
2012-04-23, 00:29
I can continue to access this page as I have another machine XP SP3 - from which I can harness any replacement files if needed!

osjknights
2012-04-23, 09:14
I was forced to reboot as the machine froze - the system has returned OK but AVG still flashes up the Trojan as being active. I have disabled the LAN under networking.

jeffce
2012-04-23, 15:43
Hi,

Ok...you have multiple severe infections that all have backdoor capabilities. Do not use the system for anything except coming here for instruction or to download tools as directed. Be sure to go to a computer that is clean and change all passwords to everything!
----------

Download CKScanner by askey127 from Here (http://downloads.malwareremoval.com/CKScanner.exe) & save it to your Desktop.
Double-click CKScanner.exe then click Search For Files
When the cursor hourglass disappears, click Save List To File
A message box will verify the file saved
Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply

----------

osjknights
2012-04-23, 18:24
Thanks for the warning. My bank needs a number generated from a dongle, so it is safe, and I have changed my PayPal account with authorisation via my mobile needed - other than my bank and PayPal details (now wiped - with the password not kept on the machine) I do not keep passwords on the machine. I have done no transactions from the machine since the Trojan arrived.

Here are the scanner results:
CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\all users\favorites\computerfixes\permanent method to crack wga and patch windows xp (inc mce) or 2003 as genuine » my digital life.url
c:\documents and settings\all users\favorites\computerfixes\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows validat.url
c:\documents and settings\all users\favorites\computerfixes\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows2.url
c:\documents and settings\all users\favorites\computerfixes\cracks\beginners guide to hacking windows - part 2 governmentsecurity.org.url
c:\documents and settings\all users\favorites\computerfixes\cracks\brian carr's home pagewindows.url
c:\documents and settings\all users\favorites\computerfixes\cracks\bugmenot.com - login with these free web passwords to bypass compulsory registration.url
c:\documents and settings\all users\favorites\computerfixes\cracks\bypass windows genuine advantage validation check in windows update » my digital life.url
c:\documents and settings\all users\favorites\computerfixes\cracks\crackskeygen.url
c:\documents and settings\all users\favorites\computerfixes\cracks\cracksserial numbers&passwords..url
c:\documents and settings\all users\favorites\computerfixes\cracks\daring devil 'i'.url
c:\documents and settings\all users\favorites\computerfixes\cracks\filehippo.com - download free software.url
c:\documents and settings\all users\favorites\computerfixes\cracks\free email account with sky sky.com.url
c:\documents and settings\all users\favorites\computerfixes\cracks\keygen.cc - download keygen crack serial patch.url
c:\documents and settings\all users\favorites\computerfixes\cracks\official ways to disable or manually uninstall the microsoft windows genuine advantage notifications from microsoft » my digita.url
c:\documents and settings\all users\favorites\computerfixes\cracks\permanent method to crack wga and patch windows xp (inc mce) or 2003 as genuine » my digital life.url
c:\documents and settings\all users\favorites\computerfixes\cracks\remove, bypass, patch and disable microsoft windows genuine advantage wga validation version 1.5.708.0 with legitcheckcontrol.d.url
c:\documents and settings\all users\favorites\computerfixes\cracks\sagem router has been cracked - take 2.url
c:\documents and settings\all users\favorites\computerfixes\cracks\samsung sgh-e900 - support forum - expansys uk.url
c:\documents and settings\all users\favorites\computerfixes\cracks\software serial numbers and passwords..url
c:\documents and settings\all users\favorites\computerfixes\cracks\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows validat.url
c:\documents and settings\all users\favorites\computerfixes\cracks\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows2.url
c:\documents and settings\all users\favorites\computerfixes\cracks\wga remover.url
c:\documents and settings\all users\favorites\gizmos\crack.ms - download eudora email v7.0.0.16 crack or serial for free.url
c:\documents and settings\all users\favorites\gizmos\seriall.com - serials, keys, keygen, cracks.url
c:\documents and settings\dr michael foster\favorites\computerfixes\permanent method to crack wga and patch windows xp (inc mce) or 2003 as genuine » my digital life.url
c:\documents and settings\dr michael foster\favorites\computerfixes\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows validat.url
c:\documents and settings\dr michael foster\favorites\computerfixes\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows2.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\beginners guide to hacking windows - part 2 governmentsecurity.org.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\brian carr's home pagewindows.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\bugmenot.com - login with these free web passwords to bypass compulsory registration.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\bypass windows genuine advantage validation check in windows update » my digital life.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\crackskeygen.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\cracksserial numbers&passwords..url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\daring devil 'i'.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\filehippo.com - download free software.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\free email account with sky sky.com.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\keyfinder magical jelly bean.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\keygen.cc - download keygen crack serial patch.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\official ways to disable or manually uninstall the microsoft windows genuine advantage notifications from microsoft » my digita.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\permanent method to crack wga and patch windows xp (inc mce) or 2003 as genuine » my digital life.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\remove, bypass, patch and disable microsoft windows genuine advantage wga validation version 1.5.708.0 with legitcheckcontrol.d.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\sagem router has been cracked - take 2.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\samsung sgh-e900 - support forum - expansys uk.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\software serial numbers and passwords..url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows validat.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows2.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\wga remover.url
c:\documents and settings\dr michael foster\favorites\gizmos\crack.ms - download eudora email v7.0.0.16 crack or serial for free.url
c:\documents and settings\dr michael foster\favorites\gizmos\seriall.com - serials, keys, keygen, cracks.url
c:\documents and settings\dr michael foster\my files\crack.htm
c:\program files\qualcomm\eudora\attach\crackers bulk buy.doc
c:\program files\qualcomm\yyeudora\attach\crackers bulk buy.doc
scanner sequence 3.ZZ.11.KEAPIG
----- EOF -----

osjknights
2012-04-23, 20:00
CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\all users\favorites\computerfixes\permanent method to crack wga and patch windows xp (inc mce) or 2003 as genuine » my digital life.url
c:\documents and settings\all users\favorites\computerfixes\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows validat.url
c:\documents and settings\all users\favorites\computerfixes\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows2.url
c:\documents and settings\all users\favorites\computerfixes\cracks\beginners guide to hacking windows - part 2 governmentsecurity.org.url
c:\documents and settings\all users\favorites\computerfixes\cracks\brian carr's home pagewindows.url
c:\documents and settings\all users\favorites\computerfixes\cracks\bugmenot.com - login with these free web passwords to bypass compulsory registration.url
c:\documents and settings\all users\favorites\computerfixes\cracks\bypass windows genuine advantage validation check in windows update » my digital life.url
c:\documents and settings\all users\favorites\computerfixes\cracks\crackskeygen.url
c:\documents and settings\all users\favorites\computerfixes\cracks\cracksserial numbers&passwords..url
c:\documents and settings\all users\favorites\computerfixes\cracks\daring devil 'i'.url
c:\documents and settings\all users\favorites\computerfixes\cracks\filehippo.com - download free software.url
c:\documents and settings\all users\favorites\computerfixes\cracks\free email account with sky sky.com.url
c:\documents and settings\all users\favorites\computerfixes\cracks\keygen.cc - download keygen crack serial patch.url
c:\documents and settings\all users\favorites\computerfixes\cracks\official ways to disable or manually uninstall the microsoft windows genuine advantage notifications from microsoft » my digita.url
c:\documents and settings\all users\favorites\computerfixes\cracks\permanent method to crack wga and patch windows xp (inc mce) or 2003 as genuine » my digital life.url
c:\documents and settings\all users\favorites\computerfixes\cracks\remove, bypass, patch and disable microsoft windows genuine advantage wga validation version 1.5.708.0 with legitcheckcontrol.d.url
c:\documents and settings\all users\favorites\computerfixes\cracks\sagem router has been cracked - take 2.url
c:\documents and settings\all users\favorites\computerfixes\cracks\samsung sgh-e900 - support forum - expansys uk.url
c:\documents and settings\all users\favorites\computerfixes\cracks\software serial numbers and passwords..url
c:\documents and settings\all users\favorites\computerfixes\cracks\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows validat.url
c:\documents and settings\all users\favorites\computerfixes\cracks\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows2.url
c:\documents and settings\all users\favorites\computerfixes\cracks\wga remover.url
c:\documents and settings\all users\favorites\gizmos\crack.ms - download eudora email v7.0.0.16 crack or serial for free.url
c:\documents and settings\all users\favorites\gizmos\seriall.com - serials, keys, keygen, cracks.url
c:\documents and settings\dr michael foster\favorites\computerfixes\permanent method to crack wga and patch windows xp (inc mce) or 2003 as genuine » my digital life.url
c:\documents and settings\dr michael foster\favorites\computerfixes\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows validat.url
c:\documents and settings\dr michael foster\favorites\computerfixes\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows2.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\beginners guide to hacking windows - part 2 governmentsecurity.org.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\brian carr's home pagewindows.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\bugmenot.com - login with these free web passwords to bypass compulsory registration.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\bypass windows genuine advantage validation check in windows update » my digital life.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\crackskeygen.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\cracksserial numbers&passwords..url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\daring devil 'i'.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\filehippo.com - download free software.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\free email account with sky sky.com.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\keyfinder magical jelly bean.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\keygen.cc - download keygen crack serial patch.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\official ways to disable or manually uninstall the microsoft windows genuine advantage notifications from microsoft » my digita.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\permanent method to crack wga and patch windows xp (inc mce) or 2003 as genuine » my digital life.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\remove, bypass, patch and disable microsoft windows genuine advantage wga validation version 1.5.708.0 with legitcheckcontrol.d.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\sagem router has been cracked - take 2.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\samsung sgh-e900 - support forum - expansys uk.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\software serial numbers and passwords..url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows validat.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows2.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\wga remover.url
c:\documents and settings\dr michael foster\favorites\gizmos\crack.ms - download eudora email v7.0.0.16 crack or serial for free.url
c:\documents and settings\dr michael foster\favorites\gizmos\seriall.com - serials, keys, keygen, cracks.url
c:\documents and settings\dr michael foster\my files\crack.htm
c:\program files\qualcomm\eudora\attach\crackers bulk buy.doc
c:\program files\qualcomm\yyeudora\attach\crackers bulk buy.doc
scanner sequence 3.ZZ.11.KEAPIG
----- EOF -----

jeffce
2012-04-23, 21:52
CKScanner has detected illegal software on your system. Besides being illegal, it's the number one way of infecting your system as all cracked/keygen software is infected. This forum, as well as all the other malware removal forums, do not support the use of illegal software except for their removal. If I were to continue helping you with illegal software installed, it could be construed in the eyes of the law as aiding and abetting a crime.

I have worked up a fix for their removal. If you do not agree to this then this thread will be closed and no further help will be offered because I will never be able to tell you your malware logs are clean. Please let me know if you wish to continue.

osjknights
2012-04-23, 22:23
The URLs and other items were left over from the time when my youngsters all had access to my machine. My oldest son had a mate who was in to computers, and seemed to be somewhat of a buff. My son left home some years ago. I even have his folders with his homework in!!!
All my software programs have legitimate licences. The folder with the URLs in was kept as it also contains some solutions to past troubles with Norton which kept failing to update. I swapped to AVG since then. Looking at the list - these are sites I have not visited, and it is no problem to remove the URLs. My software is plain and simple - just for word processing, graphic scanning and research in history, and printing booklets. All for which I have legit software.
The bulk buy crackers listing amused me when I went to look at the doc, and it is a letter offering bulk buying of Christmas crackers!
In case I have problems I used Belarch Adviser to find my software licences and I have printed them out. The operating system is that purchased with the machine (XP) - by PC World. The windows 7 on my second disk was supplied from a shop again with a licence.
So no problem with agreeing with your request.

osjknights
2012-04-24, 00:33
Besides the URLs list for the various crack sites, which I have not bothered looking into (for the reasons you suggest) I have just looked at the crack.htm listed in "my files" and in fact it is a saved web page for a religious society - why it was named crack I have no idea! It's a page which is three years old!
I have deleted the URLs.
I had four youngsters, who all at one time used my computer, and I never bothered removing their folders just in case they needed the information. I have folders for them all under family, but for the life of me, I have not really searched what is there - they lay forgotten. Two have moved home, and the other two have their own machines - so I need to ask them to either delete their files or transfer them (if it is safe so to do) - as there is a good number of mp3s (I noticed once when I had to search for an mp3 file), it will save me a lot of space.

jeffce
2012-04-24, 00:34
Hi,

Not all of them are bad. Let me review everything and make sure I get it all and I will return as quickly as I can.

jeffce
2012-04-24, 00:37
Hi,


Please read through these instructions to familiarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html)

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
4. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
5. If after the reboot you get errors about programs being marked for deletion then reboot, that will cure it.
---------

osjknights
2012-04-24, 11:35
The program did indeed load a recovery console. Then the program detected a rootkit and asked to reboot, so I clicked OK - went away for five minutes to come back to a loading page (wallpaper visible) but with no other signs of life, save that I can move the arrow cursor. It has been like that for a good ten minutes.

osjknights
2012-04-24, 12:09
The machine after half an hour is still stalled. On reflection, it may not have closed down (rather than failed to have rebooted). Ctrl Alt Del had brought up the Windows Task Manager, which shows under apps that I have a web page running (MS IE) and my Outlook Calendar, which suggests it did not shut down (the web page should not be running after a reboot).

osjknights
2012-04-24, 13:17
After well over 1 1/2 hours, I have rebooted. The blank wallpaper is back, and ComboFix has appeared. The legend is:

Please wait.
ComboFix is preparing to run.

There has been no activity since ComboFix reappeared, and this has been 10 minutes!

osjknights
2012-04-24, 13:22
I stored some vital files onto a usb memory stick, whilst the computer was infected. Can I use this usb stick to transfer the files to another machine to allow me to continue work?

jeffce
2012-04-24, 13:35
Hi,

Ok let's do this. Boot into Safe Mode and then try to run ComboFix from there. With the number of infections and their severity it may take several attempts to even get our tools to run correctly and then to remove all of them.

If ComboFix runs through, post the log created to your next reply. :)

osjknights
2012-04-24, 14:22
Hi Jeff,

Safe mode did the trick - it rebooted ok and is now scanning.

Am I safe to use my USB Stick which has MS Word files loaded off the infected machine to load these on my wife's machine?

Again thanks for your assistance.

osjknights
2012-04-24, 14:41
Hi

ComboFix has scanned to stage 50 and then deleted a whole pile of files, and three folders and has ground to a halt and been like that for 10 mins.

osjknights
2012-04-24, 15:49
Hi

Although ComboFix has halted I have Windows Task Manager available and it is listed in the Apps, so I can end it via the Task Manager if needed.

jeffce
2012-04-24, 16:13
Hi,

Hold off on transferring files yet, but if you are worried about losing them, put the files on a CD which is a more stable source to store on rather than a USB drive.
----------

Give ComboFix a little bit longer...your system was severely infected and it may take some time to finish. If it still has not finished in about 30 minutes or so, go ahead and stop it and reboot your system. If there is a log created post that. If you don't see a log created, check inside of C:\ComboFix.txt and see if that file was created. If it is there post that. :)

osjknights
2012-04-24, 16:27
Hi

I rebooted as an hour has passed. Back to the desktop but no report in C:

jeffce
2012-04-24, 16:41
Ok....go ahead and run ComboFix again in Safe Mode and see if it will run through.

osjknights
2012-04-24, 18:22
I ran ComboFix in ordinary mode as AVG had not flashed up any virus warnings (before every five minutes!). However after reaching stage 50 - it has stalled - and has been like this 1/2 hour - shall I reboot into safe mode & run it again?

jeffce
2012-04-24, 19:23
Go ahead and reboot...do the following:


Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Right-click and Run as Administrator on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please attach the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

osjknights
2012-04-24, 23:13
OTL logfile created on: 24/04/2012 22:06:45 - Run 1
OTL by OldTimer - Version 3.2.40.0 Folder = C:\Documents and Settings\Dr Michael Foster\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.40 Gb Available Physical Memory | 80.02% Memory free
4.84 Gb Paging File | 4.38 Gb Available in Paging File | 90.55% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 77.16 Gb Free Space | 33.13% Space Free | Partition Type: NTFS
Drive E: | 100.00 Mb Total Space | 65.25 Mb Free Space | 65.25% Space Free | Partition Type: NTFS
Drive F: | 931.41 Gb Total Space | 776.89 Gb Free Space | 83.41% Space Free | Partition Type: NTFS
Drive L: | 1.46 Gb Total Space | 1.42 Gb Free Space | 97.18% Space Free | Partition Type: NTFS
Drive M: | 226.05 Gb Total Space | 225.63 Gb Free Space | 99.81% Space Free | Partition Type: NTFS

Computer Name: KNIGHTS-2EE6007 | User Name: Dr Michael Foster | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Dr Michael Foster\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (Trusteer Ltd.)
PRC - C:\Program Files\AVG\AVG2012\avgui.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe (Enigma Software Group USA, LLC.)
PRC - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia)
PRC - C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe (Nokia)
PRC - C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe (Nokia)
PRC - C:\Program Files\FaxTalk\FTmsgsvc.exe (Thought Communications, Inc.)
PRC - C:\Program Files\FaxTalk\FTclctrl.exe (Thought Communications, Inc.)
PRC - C:\Program Files\FaxTalk\fapiexe.exe (Thought Communications, Inc.)
PRC - C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Magic Formation\MagicFormation.exe ()
PRC - C:\Program Files\SolidDocuments\SolidPDFCreator\SPC\SolidPdfService.exe (Solid Documents, LLC)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe (ScanSoft, Inc.)
PRC - C:\Program Files\winfax\WFXMOD32.EXE (Symantec Corporation)
PRC - C:\WINDOWS\system32\WFXSNT40.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\system32\WFXSVC.EXE (Symantec Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Nokia\Nokia PC Suite 7\QtXml4.dll ()
MOD - C:\Program Files\Nokia\Nokia PC Suite 7\QtSvg4.dll ()
MOD - C:\Program Files\Nokia\Nokia PC Suite 7\QtGUI4.dll ()
MOD - C:\Program Files\Nokia\Nokia PC Suite 7\QtCore4.dll ()
MOD - C:\Program Files\Nokia\Nokia PC Suite 7\imageformats\qsvg4.dll ()
MOD - C:\Program Files\Nokia\Nokia PC Suite 7\imageformats\qjpeg4.dll ()
MOD - C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportMS.dll ()
MOD - C:\Program Files\Magic Formation\MagicFormation.exe ()
MOD - C:\Program Files\Magic Formation\MFHook.dll ()
MOD - C:\WINDOWS\system32\solidlocalmon.dll ()
MOD - C:\Program Files\WinRAR\RarExt.dll ()
MOD - C:\Program Files\winfax\DCCDA32I.DLL ()
MOD - C:\Program Files\winfax\WFXVW32I.DLL ()
MOD - C:\WINDOWS\system32\spool\prtprocs\w32x86\WFXPNT40.DLL ()
MOD - C:\Program Files\winfax\SENGINE.DLL ()
MOD - C:\Program Files\winfax\DCCTBP32.DLL ()


========== Win32 Services (SafeList) ==========

SRV - (winpowermanager) -- %systemroot%\system32\oracleorahome92pagingserver.dll File not found
SRV - (wap3gx) -- %systemroot%\system32\ati2mpaa.dll File not found
SRV - (w29n51) -- %systemroot%\system32\cpqfcalm.dll File not found
SRV - (vrservice) -- %systemroot%\system32\NETw4v32.dll File not found
SRV - (USBVCD) -- %systemroot%\system32\msgsrvservice.dll File not found
SRV - (USBAAPL) -- %systemroot%\system32\stisvc.dlle File not found
SRV - (USB11LDR) -- %systemroot%\system32\olregcap.dll File not found
SRV - (upsentry_smart) -- %systemroot%\system32\RR2Vbi.dll File not found
SRV - (U2SP) -- %systemroot%\system32\rpsupdaterr.dll File not found
SRV - (trlokom_rmhsvc) -- %systemroot%\system32\iksyssec.dll File not found
SRV - (symdns) -- %systemroot%\system32\SunkFilt39.dll File not found
SRV - (softfax) -- %systemroot%\system32\beatjamupnpmusicserver.dll File not found
SRV - (smservaz) -- %systemroot%\system32\s217mgmt.dll File not found
SRV - (smartwiservice) -- %systemroot%\system32\emupia.dll File not found
SRV - (SiRemFil) -- %systemroot%\system32\backupexecnamingservice.dll File not found
SRV - (sfsync04) -- %systemroot%\system32\dcsloader.dll File not found
SRV - (SfCtlCom) -- %systemroot%\system32\djsnetcn.dll File not found
SRV - (SaiMini) -- %systemroot%\system32\webrootenterpriseupdateservice.dll File not found
SRV - (roxmediadb) -- %systemroot%\system32\motmodem.dll File not found
SRV - (ql2100) -- %systemroot%\system32\DLH5X.dll File not found
SRV - (protectionservice) -- %systemroot%\system32\PCDRSRVC.dll File not found
SRV - (procexp100) -- %systemroot%\system32\PTDCBus.dll File not found
SRV - (pktfilter) -- %systemroot%\system32\PDExchange.dll File not found
SRV - (pgpsdkservice) -- %systemroot%\system32\besclient.dll File not found
SRV - (pdlndldl) -- %systemroot%\system32\vds.dll File not found
SRV - (omci) -- %systemroot%\system32\EIO_XP.dll File not found
SRV - (NWHOST) -- %systemroot%\system32\outpostfirewall.dll File not found
SRV - (n558) -- %systemroot%\system32\iolo_srv.dll File not found
SRV - (Mvc25U870_VID_1262&PID_25FD) -- %systemroot%\system32\StickyMesger.dll File not found
SRV - (MSICPL) -- %systemroot%\system32\SaiH040B.dll File not found
SRV - (MSCamSvc) -- %systemroot%\system32\NsTrcNT.dll File not found
SRV - (MRV6X32P) -- %systemroot%\system32\n3900.dll File not found
SRV - (MR97310_USB_DUAL_CAMERA) -- %systemroot%\system32\viamraid.dllrvc File not found
SRV - (mindrepair) -- %systemroot%\system32\epson_pm_rpcv2_02.dll File not found
SRV - (mf) -- %systemroot%\system32\ql2100.dll File not found
SRV - (mcdetect.exe) -- %systemroot%\system32\InterBaseGuardian.dll File not found
SRV - (mafwboot) -- %systemroot%\system32\vds.dll File not found
SRV - (lxrsge10s) -- %systemroot%\system32\snapman.dll File not found
SRV - (LUsbFilt) -- %systemroot%\system32\NwSapAgent.dll File not found
SRV - (int15) -- %systemroot%\system32\isapnp.dll File not found
SRV - (incdfs) -- %systemroot%\system32\flutilssvc.dll File not found
SRV - (icdsptsv) -- %systemroot%\system32\DS1410D.dll File not found
SRV - (HidServ) -- %SystemRoot%\System32\hidserv.dll File not found
SRV - (helpsvc) -- %SystemRoot%\PCHealth\HelpCtr\Binaries\pchsvc.dlles\pchsvc.dll File not found
SRV - (hap16v2k) -- %systemroot%\system32\qbfcservice.dll File not found
SRV - (giveio) -- %systemroot%\system32\winachsx.dll File not found
SRV - (getPlusHelper) -- %systemroot%\system32\smserial.dll File not found
SRV - (fsaa) -- %systemroot%\system32\mxssvr.dll File not found
SRV - (FINEPIX_PCC) -- %systemroot%\system32\mail2ec.dll File not found
SRV - (EU3_USB) -- %systemroot%\system32\symwsc.dll File not found
SRV - (EL90X) -- %systemroot%\system32\sentinel.dll File not found
SRV - (EACSvrMngr) -- %systemroot%\system32\int15.sys.dll File not found
SRV - (dlaopiom) -- %systemroot%\system32\CXTUNE.dll File not found
SRV - (dladresn) -- %systemroot%\system32\crystaloutputfileserver.dll File not found
SRV - (DC21x4) -- %systemroot%\system32\RapiMgr.dll File not found
SRV - (cygserver) -- %systemroot%\system32\snapman380.dll File not found
SRV - (commserver) -- %systemroot%\system32\ndis.dll File not found
SRV - (CoachUsb) -- %systemroot%\system32\mqdmmdm.dll File not found
SRV - (C-Dilla) -- %systemroot%\system32\ONSIO.dll File not found
SRV - (CdaD10BA) -- %systemroot%\system32\ctac32k.dll File not found
SRV - (ccevtmgr) -- %systemroot%\system32\btkrnl.dll File not found
SRV - (BrUsbSer) -- %systemroot%\system32\olapserver.dll File not found
SRV - (belmonitorservice) -- %systemroot%\system32\z800mdm.dll File not found
SRV - (ATKGFNEXSrv) -- %systemroot%\system32\AIRPLUS.dll File not found
SRV - (arkbcfltr) -- %systemroot%\system32\mirrorv3.dll File not found
SRV - (ar5211) -- %systemroot%\system32\arhidfltr.dll File not found
SRV - (amdk7) -- %systemroot%\system32\niorbk.dll File not found
SRV - (alertservice) -- %systemroot%\system32\sp_clamsrv.dll File not found
SRV - (alcxsens) -- %systemroot%\system32\dbmang.dll File not found
SRV - (adsexpb) -- %systemroot%\system32\idsvc.dll File not found
SRV - (adaptecstoragemanageragent) -- %systemroot%\system32\ccproxy.dll File not found
SRV - (!SASCORE) -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE File not found
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (RapportMgmtService) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (Trusteer Ltd.)
SRV - (SpyHunter 4 Service) -- C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe (Enigma Software Group USA, LLC.)
SRV - (ServiceLayer) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia)
SRV - (AVGIDSAgent) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
SRV - (FaxTalk FaxCenter Pro 8) -- C:\Program Files\FaxTalk\FTmsgsvc.exe (Thought Communications, Inc.)
SRV - (avgwd) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (MatSvc) -- C:\Program Files\Microsoft Fix it Center\Matsvc.exe (Microsoft Corporation)
SRV - (McComponentHostService) -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe (McAfee, Inc.)
SRV - (SdReadSpool) -- C:\Program Files\SolidDocuments\SolidPDFCreator\SPC\SolidPdfService.exe (Solid Documents, LLC)
SRV - (nicconfigsvc) -- C:\WINDOWS\system32\simptcp.dll (Microsoft Corporation)
SRV - (wfxsvc) -- C:\WINDOWS\system32\WFXSVC.EXE (Symantec Corporation)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (redbook) -- system32\DRIVERS\redbook.sys File not found
DRV - (PCIDump) -- File not found
DRV - (ham50) -- system32\DRIVERS\IntelH51.sys File not found
DRV - (catchme) -- C:\DOCUME~1\DRMICH~1\LOCALS~1\Temp\catchme.sys File not found
DRV - (BANTExt) -- C:\WINDOWS\System32\Drivers\BANTExt.sys File not found
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (RapportEI) -- C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys (Trusteer Ltd.)
DRV - (RapportPG) -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (Trusteer Ltd.)
DRV - (RapportKELL) -- C:\WINDOWS\system32\drivers\RapportKELL.sys (Trusteer Ltd.)
DRV - (RapportCerberus_34302) -- C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys ()
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (nmwcd) -- C:\WINDOWS\system32\drivers\ccdcmb.sys (Nokia)
DRV - (UsbserFilt) -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys (Nokia)
DRV - (upperdev) -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys (Nokia)
DRV - (nmwcdnsu) -- C:\WINDOWS\system32\drivers\nmwcdnsu.sys (Nokia)
DRV - (nmwcdc) -- C:\WINDOWS\system32\drivers\ccdcmbo.sys (Nokia)
DRV - (nmwcdnsuc) -- C:\WINDOWS\system32\drivers\nmwcdnsuc.sys (Nokia)
DRV - (Avgldx86) -- C:\WINDOWS\system32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSShim) -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys (AVG Technologies CZ, s.r.o. )
DRV - (Avgrkx86) -- C:\WINDOWS\system32\drivers\avgrkx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgmfx86) -- C:\WINDOWS\system32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (RapportIaso) -- c:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys (Trusteer Ltd.)
DRV - (Avgtdix) -- C:\WINDOWS\system32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSFilter) -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSEH) -- C:\WINDOWS\system32\drivers\AVGIDSEH.sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSDriver) -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys (AVG Technologies CZ, s.r.o. )
DRV - (esgiguard) -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys ()
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (cpudrv) -- C:\Program Files\SystemRequirementsLab\cpudrv.sys ()
DRV - (Monfilt) -- C:\WINDOWS\system32\drivers\Monfilt.sys (Creative Technology Ltd.)
DRV - (Ambfilt) -- C:\WINDOWS\system32\drivers\Ambfilt.sys (Creative)
DRV - (pccsmcfd) -- C:\WINDOWS\system32\drivers\pccsmcfd.sys (Nokia)
DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (CLBStor) -- C:\WINDOWS\System32\drivers\CLBStor.sys (Cyberlink Co.,Ltd.)
DRV - (CLBUDF) -- C:\WINDOWS\System32\drivers\CLBUDF.sys (CyberLink Corporation.)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - ({95808DC4-FA4A-4c74-92FE-5B863F82066B}) -- C:\Program Files\CyberLink\PowerDVD\000.fcl (Cyberlink Corp.)
DRV - (Changer) -- C:\WINDOWS\System32\drivers\changer.sys (Microsoft Corporation)
DRV - (lbrtfdc) -- C:\WINDOWS\System32\drivers\lbrtfdc.sys (Toshiba Corp.)
DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www2.prestel.co.uk/church/oosj/osj.htm
IE - HKCU\..\SearchScopes,DefaultScope = {7E8B17A6-0BA8-4A61-9FB7-E2F5D8151A6E}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{7E8B17A6-0BA8-4A61-9FB7-E2F5D8151A6E}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\..\SearchScopes\{9F1DD16A-D24B-4BE4-9B4D-14C8B2F5CD65}: "URL" = http://search.avg.com/?d=4dc3cee9&i=23&tp=chrome&q={searchTerms}&lng={language}&nt=1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Musicnotes.com/Musicnotes Viewer: C:\Program Files\Musicnotes\npmusicn.dll (Musicnotes, Inc.)
FF - HKLM\Software\MozillaPlugins\@nosltd.com/getPlus+(R),version=1.6.2.91: C:\Program Files\NOS\bin\np_gp.dll File not found
FF - HKLM\Software\MozillaPlugins\@Sibelius.com/Scorch Plugin: C:\Program Files\Musicnotes\npsibelius.dll ()
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG2012\Firefox\ [2012/02/01 11:12:00 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/02/01 11:12:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\fe_9.0@nokia.com: C:\Program Files\Nokia\Nokia Suite\Connectors\Bookmarks Connector\FirefoxExtension_9.0 [2012/03/05 20:43:31 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\te_9.0@nokia.com: C:\Program Files\Nokia\Nokia Suite\Connectors\Thunderbird Connector\ThunderbirdExtension_9.0 [2012/03/05 20:43:35 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.162\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.162\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.162\gcswf32.dll
CHR - plugin: AVG Internet Security (Enabled) = C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1901_0\plugins/avgnpss.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U29 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll
CHR - plugin: Musicnotes (Enabled) = C:\Program Files\Musicnotes\npmusicn.dll
CHR - plugin: ScorchPlugin (Enabled) = C:\Program Files\Musicnotes\npsibelius.dll
CHR - plugin: Windows Live\u00AE Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: YouTube = C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: YouTube = C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0\
CHR - Extension: Google Search = C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.14_0\
CHR - Extension: Google Search = C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: AVG Safe Search = C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1901_0\
CHR - Extension: Gmail = C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.3_0\
CHR - Extension: Gmail = C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

Hosts file not found
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [FaxTalk FaxCenter Pro 8] C:\Program Files\FaxTalk\FTClCtrl.exe (Thought Communications, Inc.)
O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NSU_agent] C:\Program Files\Nokia\Nokia Software Updater\nsu3ui_agent.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] nwiz.exe /install File not found
O4 - HKLM..\Run: [OpwareSE4] C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [WFXSwtch] C:\PROGRA~1\winfax\WFXSWTCH.exe File not found
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [WinFaxAppPortStarter] C:\WINDOWS\System32\WFXSNT40.EXE (Microsoft Corporation)
O4 - HKCU..\Run: [] File not found
O4 - HKCU..\Run: [PC Suite Tray] C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe (Nokia)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MagicFormation.lnk = C:\Program Files\Magic Formation\MagicFormation.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office Outlook 2003.lnk = C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: EditLevel = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFileMenu = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCommonGroups = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O8 - Extra context menu item: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Backward &Links - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Cac&hed Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Si&milar Pages - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Translate into English - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1272219582312 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1272219964125 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius.com/download/software/win/ActiveXPlugin.cab (ScorchPlugin Class)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
O18 - Protocol\Handler\AutorunsDisabled\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Windows\Win7.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Windows\Win7.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {A213B520-C6C2-11d0-AF9D-008029E1027E} - C:\Program Files\winfax\WFXSEH32.DLL (Symantec Corporation)
O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\Program Files\Qualcomm\Eudora\EuShlExt.dll (Qualcomm Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/04/24 18:11:47 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - F:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk /k:F *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/04/24 22:05:07 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dr Michael Foster\Desktop\OTL.exe
[2012/04/24 16:32:34 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/04/24 13:06:07 | 000,092,544 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\mqac.svs
[2012/04/24 10:17:34 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/04/24 10:13:41 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/04/24 10:13:41 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/04/24 10:13:41 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/04/24 09:53:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dr Michael Foster\Start Menu\Programs\CyberLink BD Solution
[2012/04/24 09:51:51 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Dr Michael Foster\Recent
[2012/04/24 09:23:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/04/24 08:58:53 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/04/24 08:50:07 | 004,470,025 | R--- | C] (Swearware) -- C:\Documents and Settings\Dr Michael Foster\Desktop\ComboFix.exe
[2012/04/22 20:35:54 | 002,072,624 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Dr Michael Foster\My Files\tdsskiller.exe
[2012/04/22 20:27:55 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/04/22 13:34:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dr Michael Foster\Start Menu\Programs\Google Chrome
[2012/04/22 08:14:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dr Michael Foster\Desktop\Tools
[2012/04/21 09:26:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dr Michael Foster\Application Data\Malwarebytes
[2012/04/21 09:26:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/04/21 09:26:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/04/21 09:26:18 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/04/21 09:26:18 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/04/21 09:25:42 | 000,000,000 | ---D | C] -- C:\Malwarebytes
[2012/04/20 15:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dr Michael Foster\Start Menu\Programs\SpyHunter
[2012/04/20 15:55:39 | 000,000,000 | ---D | C] -- C:\sh4ldr
[2012/04/20 15:55:39 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2012/04/20 15:51:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2012/04/20 15:51:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dr Michael Foster\Application Data\TestApp
[2012/04/20 15:20:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/04/20 15:19:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/04/20 15:00:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\B7E8587A4FE3ECF660BFD1C8D151FC4E
[2012/04/04 16:18:29 | 000,000,000 | ---D | C] -- C:\Program Files\Copy of WinFax
[2012/04/04 15:18:04 | 000,000,000 | ---D | C] -- C:\Program Files\winfax
[2012/04/03 08:25:03 | 000,418,464 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/04/24 22:09:10 | 000,000,908 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/24 21:58:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/04/24 21:38:10 | 000,001,026 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1177238915-839522115-1003UA.job
[2012/04/24 20:41:00 | 000,000,580 | -H-- | M] () -- C:\WINDOWS\tasks\DataUpload.job
[2012/04/24 18:39:27 | 000,002,533 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office Outlook 2003.lnk
[2012/04/24 18:39:22 | 000,000,904 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/24 18:39:22 | 000,000,616 | -H-- | M] () -- C:\WINDOWS\tasks\ConfigExec.job
[2012/04/24 18:39:18 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/04/24 12:07:41 | 000,518,144 | R--- | M] () -- C:\WINDOWS\SWREG.exe
[2012/04/24 10:17:39 | 000,000,444 | RHS- | M] () -- C:\boot.ini
[2012/04/24 09:51:39 | 000,000,328 | ---- | M] () -- C:\Boot.bak
[2012/04/24 09:38:58 | 096,117,289 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/04/24 09:34:24 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/04/23 16:59:51 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\My Files\MBR.dat
[2012/04/23 13:38:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1177238915-839522115-1003Core.job
[2012/04/22 20:35:54 | 002,072,624 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Dr Michael Foster\My Files\tdsskiller.exe
[2012/04/22 18:01:13 | 000,280,844 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2012/04/22 13:34:09 | 000,002,372 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\Desktop\Google Chrome.lnk
[2012/04/22 13:34:09 | 000,002,350 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/04/21 16:47:55 | 000,006,764 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\My Files\attach.zip
[2012/04/21 14:12:10 | 004,470,025 | R--- | M] (Swearware) -- C:\Documents and Settings\Dr Michael Foster\Desktop\ComboFix.exe
[2012/04/21 14:10:42 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dr Michael Foster\Desktop\OTL.exe
[2012/04/21 09:26:23 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/04/20 18:49:56 | 000,001,034 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\Desktop\NokiaUtils.lnk
[2012/04/20 15:57:46 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\MS Office Outlook.lnk
[2012/04/20 15:55:43 | 000,001,997 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\Desktop\SpyHunter.lnk
[2012/04/20 15:51:46 | 000,000,725 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\Desktop\sdsetup_aff.exe.lnk
[2012/04/18 20:22:30 | 000,218,311 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\My Files\cemmguidance.pdf
[2012/04/17 19:29:25 | 000,002,337 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Streetmap.co.uk.url
[2012/04/17 10:07:29 | 007,438,896 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\My Files\08 - Evacuee2.mp3
[2012/04/17 10:07:16 | 000,008,663 | -HS- | M] () -- C:\Documents and Settings\Dr Michael Foster\My Files\Folder.jpg
[2012/04/17 10:07:16 | 000,002,348 | -HS- | M] () -- C:\Documents and Settings\Dr Michael Foster\My Files\AlbumArtSmall.jpg
[2012/04/16 17:46:01 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\doxillionShakeIcon.job
[2012/04/13 18:58:09 | 000,418,464 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/04/13 18:58:09 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/04/13 08:02:28 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2012/04/10 17:56:26 | 001,254,622 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\My Files\LittleYellowBook.pdf
[2012/04/09 01:31:00 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/04/07 16:04:44 | 000,000,218 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\Desktop\BT Home Hub Manager - Home.url
[2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/04/04 15:18:09 | 000,000,041 | ---- | M] () -- C:\WINDOWS\WFXDEL.BAT
[2012/04/04 13:51:10 | 000,003,654 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SAYNOTO0870.url
[2012/04/04 10:59:40 | 000,167,156 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\My Files\Fold-shapes.pdf
[2012/04/02 11:38:49 | 000,000,688 | ---- | M] () -- C:\WINDOWS\CDPHOTO.INI
[2012/04/01 14:13:34 | 000,038,674 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\My Files\phosphine.pdf
[2012/03/27 17:52:47 | 000,044,466 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\My Files\DIY Eucharist.pdf
[2012/03/26 15:32:32 | 001,539,897 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\My Files\13Letters of Paul.pdf
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/04/24 10:17:39 | 000,000,328 | ---- | C] () -- C:\Boot.bak
[2012/04/24 10:17:36 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/04/24 10:13:41 | 000,518,144 | R--- | C] () -- C:\WINDOWS\SWREG.exe
[2012/04/24 10:13:41 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/04/24 10:13:41 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/04/24 10:13:41 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/04/24 10:13:41 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/04/24 10:13:41 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/04/22 13:34:09 | 000,002,372 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\Desktop\Google Chrome.lnk
[2012/04/22 13:34:09 | 000,002,350 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/04/22 13:33:08 | 000,001,026 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1177238915-839522115-1003UA.job
[2012/04/22 13:33:07 | 000,000,974 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1177238915-839522115-1003Core.job
[2012/04/22 09:58:06 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\My Files\MBR.dat
[2012/04/21 16:47:55 | 000,006,764 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\My Files\attach.zip
[2012/04/21 09:26:23 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/04/20 15:55:43 | 000,001,997 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\Desktop\SpyHunter.lnk
[2012/04/20 15:51:46 | 000,000,725 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\Desktop\sdsetup_aff.exe.lnk
[2012/04/18 20:22:30 | 000,218,311 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\My Files\cemmguidance.pdf
[2012/04/17 10:07:21 | 007,438,896 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\My Files\08 - Evacuee2.mp3
[2012/04/17 10:07:16 | 000,008,663 | -HS- | C] () -- C:\Documents and Settings\Dr Michael Foster\My Files\Folder.jpg
[2012/04/17 10:07:16 | 000,002,348 | -HS- | C] () -- C:\Documents and Settings\Dr Michael Foster\My Files\AlbumArtSmall.jpg
[2012/04/10 17:56:26 | 001,254,622 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\My Files\LittleYellowBook.pdf
[2012/04/04 10:59:40 | 000,167,156 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\My Files\Fold-shapes.pdf
[2012/04/03 08:25:04 | 000,000,830 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/04/02 11:32:33 | 000,197,561 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\My Files\S-ILoveToHearTheStory-PipeLC-48-CAM(1).mp3
[2012/04/02 11:31:50 | 000,038,674 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\My Files\phosphine.pdf
[2012/03/29 17:46:16 | 000,000,308 | ---- | C] () -- C:\WINDOWS\tasks\doxillionShakeIcon.job
[2012/03/27 17:52:43 | 000,044,466 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\My Files\DIY Eucharist.pdf
[2012/03/26 15:32:31 | 001,539,897 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\My Files\13Letters of Paul.pdf
[2012/02/15 11:32:39 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2010/12/15 08:29:18 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2010/12/15 08:29:16 | 001,018,748 | ---- | C] () -- C:\WINDOWS\System32\nvucode.bin
[2010/10/27 10:46:00 | 000,000,145 | ---- | C] () -- C:\WINDOWS\Eudcedit.ini
[2010/09/07 07:12:44 | 000,000,038 | ---- | C] () -- C:\WINDOWS\AviSplitter.INI
[2010/08/01 16:54:09 | 000,000,026 | ---- | C] () -- C:\WINDOWS\dvdSanta.INI
[2010/08/01 16:48:21 | 001,216,512 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/08/01 16:48:21 | 000,921,600 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2010/08/01 16:48:21 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/08/01 16:48:21 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2010/08/01 16:48:21 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2010/08/01 16:48:21 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
[2010/06/14 19:40:05 | 001,107,192 | ---- | C] () -- C:\WINDOWS\Xwmba500.dll
[2010/06/14 19:40:05 | 000,260,440 | ---- | C] () -- C:\WINDOWS\Xwmhb500.dll
[2010/06/14 19:40:05 | 000,174,352 | ---- | C] () -- C:\WINDOWS\Xwmte500.dll
[2010/06/14 19:40:05 | 000,000,061 | ---- | C] () -- C:\WINDOWS\PHAssist.ini
[2010/06/01 15:16:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\WTNSETUP.INI
[2010/06/01 15:10:00 | 000,037,888 | ---- | C] () -- C:\WINDOWS\System32\DCCWFP32.DLL
[2010/06/01 15:10:00 | 000,000,250 | ---- | C] () -- C:\WINDOWS\WINFAX.INI
[2010/06/01 15:09:59 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\IMPLODE.DLL
[2010/05/31 21:48:38 | 000,021,248 | ---- | C] () -- C:\WINDOWS\System32\solidlocalmon.dll
[2010/05/31 21:48:38 | 000,013,568 | ---- | C] () -- C:\WINDOWS\System32\solidlocalui.dll
[2010/05/26 12:30:18 | 000,002,220 | ---- | C] () -- C:\WINDOWS\GWSFILTR.INI
[2010/05/26 12:27:06 | 000,000,041 | ---- | C] () -- C:\WINDOWS\gwspcam.ini
[2010/05/26 12:27:04 | 000,212,992 | ---- | C] () -- C:\WINDOWS\ALCHUNIN.EXE
[2010/05/26 12:26:46 | 000,007,806 | R--- | C] () -- C:\WINDOWS\gwspro.ini
[2010/05/06 10:47:02 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2010/05/05 22:28:28 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/05/05 22:28:27 | 000,035,840 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/30 08:30:38 | 000,000,688 | ---- | C] () -- C:\WINDOWS\CDPHOTO.INI
[2010/04/30 08:30:38 | 000,000,193 | ---- | C] () -- C:\WINDOWS\EFICOLOR.INI
[2010/04/29 07:49:10 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\ippsra611.dll
[2010/04/29 07:49:10 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\ippcv11.dll
[2010/04/29 07:49:10 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\ippsr11.dll
[2010/04/29 07:49:10 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\IPPCPUID.DLL
[2010/04/29 07:48:23 | 000,011,776 | ---- | C] () -- C:\WINDOWS\System32\pmsbfn32.dll
[2010/04/29 07:43:54 | 000,000,416 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2010/04/28 16:14:51 | 000,000,059 | ---- | C] () -- C:\WINDOWS\FSaver.ini
[2010/04/28 16:14:50 | 000,000,052 | ---- | C] () -- C:\WINDOWS\Aubade.ini
[2010/04/27 15:49:30 | 000,000,043 | ---- | C] () -- C:\WINDOWS\IMASTER.INI
[2010/04/27 14:29:14 | 000,109,568 | ---- | C] () -- C:\WINDOWS\System32\JGFR400.DLL
[2010/04/26 22:48:01 | 000,000,812 | ---- | C] () -- C:\WINDOWS\unins001.dat
[2010/04/26 22:47:52 | 000,000,812 | ---- | C] () -- C:\WINDOWS\unins000.dat
[2010/04/26 22:42:10 | 000,000,829 | ---- | C] () -- C:\WINDOWS\System32\unins000.dat

========== LOP Check ==========

[2011/10/20 07:16:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2012/04/24 07:02:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2010/10/20 08:29:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2012/04/20 15:12:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\B7E8587A4FE3ECF660BFD1C8D151FC4E
[2011/05/11 11:40:39 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/03/05 20:30:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
[2010/05/08 07:59:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kontiki
[2012/04/24 09:39:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/09/14 15:25:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Musicnotes
[2010/05/01 15:41:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2012/03/05 20:43:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nokia
[2012/03/14 09:23:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NokiaInstallerCache
[2011/10/17 08:37:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2010/04/29 07:43:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2010/05/31 21:47:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SolidDocuments
[2011/12/07 17:46:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Thought Communications
[2010/07/20 16:45:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trusteer
[2011/08/14 19:16:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/08/11 23:01:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr Michael Foster\Application Data\Amazon
[2011/07/14 08:37:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr Michael Foster\Application Data\AVG
[2011/10/20 07:15:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr Michael Foster\Application Data\AVG2012
[2011/06/20 12:58:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr Michael Foster\Application Data\BitTorrent
[2010/06/29 06:59:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr Michael Foster\Application Data\Canon
[2011/04/16 23:28:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr Michael Foster\Application Data\FontCreator
[2011/06/15 14:18:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr Michael Foster\Application Data\Helios
[2012/04/18 19:01:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr Michael Foster\Application Data\Mp3tag
[2010/05/01 15:41:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr Michael Foster\Application Data\NCH Swift Sound
[2010/05/11 11:56:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr Michael Foster\Application Data\NewSoft
[2012/03/14 09:40:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr Michael Foster\Application Data\Nokia
[2012/03/14 09:40:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr Michael Foster\Application Data\Nokia Suite
[2010/06/07 09:58:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr Michael Foster\Application Data\OfficeRecovery
[2010/07/06 14:39:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr Michael Foster\Application Data\OpenOffice.org
[2011/12/02 08:22:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr Michael Foster\Application Data\PC Suite
[2010/07/06 22:47:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr Michael Foster\Application Data\Recolored
[2010/04/29 07:43:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr Michael Foster\Application Data\ScanSoft
[2012/04/14 14:16:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr Michael Foster\Application Data\SolidDocuments
[2011/06/20 22:31:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr Michael Foster\Application Data\Spotify
[2012/04/20 15:51:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr Michael Foster\Application Data\TestApp
[2010/07/20 16:46:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr Michael Foster\Application Data\Trusteer
[2010/06/17 06:58:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr Michael Foster\Application Data\Uniblue
[2011/06/16 17:29:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr Michael Foster\Application Data\uTorrent
[2012/04/24 18:39:22 | 000,000,616 | -H-- | M] () -- C:\WINDOWS\Tasks\ConfigExec.job
[2012/04/24 20:41:00 | 000,000,580 | -H-- | M] () -- C:\WINDOWS\Tasks\DataUpload.job
[2011/11/11 09:10:13 | 000,000,292 | ---- | M] () -- C:\WINDOWS\Tasks\debutDowngrade.job
[2011/11/11 09:10:14 | 000,000,292 | ---- | M] () -- C:\WINDOWS\Tasks\debutShakeIcon.job
[2012/04/16 17:46:01 | 000,000,308 | ---- | M] () -- C:\WINDOWS\Tasks\doxillionShakeIcon.job
[2012/04/09 01:31:00 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2012/01/20 15:41:01 | 000,000,308 | ---- | M] () -- C:\WINDOWS\Tasks\pixillionShakeIcon.job
[2011/11/11 09:10:16 | 000,000,292 | ---- | M] () -- C:\WINDOWS\Tasks\prismShakeIcon.job
[2011/11/11 09:10:16 | 000,000,304 | ---- | M] () -- C:\WINDOWS\Tasks\videopadShakeIcon.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 184 bytes -> C:\Documents and Settings\Dr Michael Foster\My Files\FromHeavenYouCame-Kendrick.mid:SummaryInformation
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\Dr Michael Foster\My Files\FromHeavenYouCame-Kendrick.mid:DocumentSummaryInformation

< End of report >
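Reading an OTL log by eye is slow and easy to get wrong, so here is the triage a helper does first on the report above, as an added example: it is not part of osjknights' post and not OTL's own code. It checks the entries that matter most for a "program hijack" infection: the missing hosts file, O4 Run values that are orphaned ("File not found") or carry no company name, the Winlogon Shell/UserInit values, and the O35/O37 exefile/comfile spawn commands. The clean sample lines are copied from the log above; the two lines in HIJACKED_SAMPLE are constructed to show what a hijacked system would print, and the expected paths assume a default XP install under C:\WINDOWS.

```python
"""Triage of OldTimer OTL log lines (added example, not OTL's own code)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" (active hijack) or "review" (look at it, often benign)
    line: str      # the OTL line that produced the finding
    reason: str


# What a clean Windows XP install shows.  ASSUMPTION: %SystemRoot% is C:\WINDOWS,
# as in the posted log; adjust for other installs.
EXPECTED_WINLOGON = {
    "Shell": ("explorer.exe", r"c:\windows\explorer.exe"),
    "UserInit": (r"c:\windows\system32\userinit.exe", r"c:\windows\system32\userinit.exe"),
}
EXPECTED_SPAWN = {"exefile": '"%1" %*', "comfile": '"%1" %*'}   # O35 open commands
EXPECTED_EXT_CLASS = {".exe": "exefile", ".com": "comfile"}     # O37 extension -> class

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$')
COMPANY_RE = re.compile(r' \((?P<company>[^()]*)\)$')
O20_RE = re.compile(r'^O20 - HKLM Winlogon: (?P<key>Shell|UserInit) - '
                    r'\((?P<value>[^)]*)\) - (?P<path>.*?) \((?P<company>[^()]*)\)$')
O35_RE = re.compile(r'^O35 - HKLM\\\.\.(?P<cls>\S+) \[open\] -- (?P<cmd>.*)$')
O37_RE = re.compile(r'^O37 - HKLM\\\.\.(?P<ext>\.\S+) \[@ = (?P<cls>[^\]]*)\] -- (?P<cmd>.*)$')


def _check_run_entry(line: str, m: re.Match) -> list[Finding]:
    name, rest = m["name"], m["rest"]
    out: list[Finding] = []
    if not name:
        out.append(Finding("review", line, "Run value with an empty name: rarely legitimate"))
    if rest.endswith("File not found"):
        out.append(Finding("review", line, f"Run value {name!r} points at a missing file: "
                           "a stale entry, or the target was removed or renamed during cleanup"))
        return out
    cm = COMPANY_RE.search(rest)
    path = rest[:cm.start()] if cm else rest
    company = cm["company"] if cm else ""
    if not company:
        out.append(Finding("review", line, f"{path!r} carries no company name: check its signature and hash"))
    low = path.lower()
    if "\\documents and settings\\" in low or "\\temp\\" in low or low.endswith(".tmp"):
        out.append(Finding("high", line, f"{path!r} auto-starts from a user-writable or temporary location"))
    return out


def _check_winlogon(line: str, m: re.Match) -> list[Finding]:
    exp_value, exp_path = EXPECTED_WINLOGON[m["key"]]
    if m["value"].lower() != exp_value or m["path"].lower() != exp_path:
        return [Finding("high", line, f"Winlogon {m['key']} is {m['value']!r} -> {m['path']!r}, "
                        f"expected {exp_value!r}: this runs at every logon")]
    return []


def triage(log_text: str) -> list[Finding]:
    """Return the findings for every recognised line of an OTL report."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Hosts file not found":
            findings.append(Finding("review", line, "hosts file missing: XP always ships one, "
                                    "so a cleaner or the malware deleted it"))
        elif (m := O4_RE.match(line)):
            findings.extend(_check_run_entry(line, m))
        elif (m := O20_RE.match(line)):
            findings.extend(_check_winlogon(line, m))
        elif (m := O35_RE.match(line)):
            exp = EXPECTED_SPAWN.get(m["cls"].lower())
            if exp is not None and m["cmd"] != exp:
                findings.append(Finding("high", line, f"{m['cls']} open command is {m['cmd']!r}, expected "
                                        f"{exp!r}: every program launch runs the hijacker first"))
        elif (m := O37_RE.match(line)):
            exp_cls = EXPECTED_EXT_CLASS.get(m["ext"].lower())
            if exp_cls is not None and (m["cls"].lower() != exp_cls or m["cmd"] != '"%1" %*'):
                findings.append(Finding("high", line, f"{m['ext']} maps to {m['cls']!r} with command "
                                        f"{m['cmd']!r}, expected {exp_cls!r} and '\"%1\" %*'"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Sample lines copied from the OTL.txt posted above (clean apart from the stale entries).
SAMPLE_LOG = r"""
Hosts file not found
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
O4 - HKLM..\Run: [nwiz] nwiz.exe /install File not found
O4 - HKCU..\Run: [] File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
"""

# CONSTRUCTED lines, not from the posted log: what a hijacked exefile key and an
# extra UserInit entry look like in OTL output (paths are made up for illustration).
HIJACKED_SAMPLE = r"""
O35 - HKLM\..exefile [open] -- "C:\Documents and Settings\All Users\Application Data\example\hijack.exe" "%1" %*
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\All Users\Application Data\example\extra.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG + HIJACKED_SAMPLE):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

On the posted log this reports only "review" items (the missing hosts file, the two orphaned Run values, the empty-named HKCU value and the CyberLink entry with no company name), while the constructed lines trip both "high" checks. The "no company name" test is deliberately weak on its own: plenty of legitimate tools ship without version info, so it is a prompt to hash and look the file up, not a verdict.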

osjknights
2012-04-24, 23:15
OTL Extras logfile created on: 24/04/2012 22:06:45 - Run 1
OTL by OldTimer - Version 3.2.40.0 Folder = C:\Documents and Settings\Dr Michael Foster\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.40 Gb Available Physical Memory | 80.02% Memory free
4.84 Gb Paging File | 4.38 Gb Available in Paging File | 90.55% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 77.16 Gb Free Space | 33.13% Space Free | Partition Type: NTFS
Drive E: | 100.00 Mb Total Space | 65.25 Mb Free Space | 65.25% Space Free | Partition Type: NTFS
Drive F: | 931.41 Gb Total Space | 776.89 Gb Free Space | 83.41% Space Free | Partition Type: NTFS
Drive L: | 1.46 Gb Total Space | 1.42 Gb Free Space | 97.18% Space Free | Partition Type: NTFS
Drive M: | 226.05 Gb Total Space | 225.63 Gb Free Space | 99.81% Space Free | Partition Type: NTFS

Computer Name: KNIGHTS-2EE6007 | User Name: Dr Michael Foster | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htafile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Aolpress\Ws_ftp\WS_FTP95.exe" = C:\Program Files\Aolpress\Ws_ftp\WS_FTP95.exe:*:Enabled:WS_FTP 95 -- (Ipswitch, Inc. 81 Hartwell Ave. Lexington, MA 02173)
"C:\Program Files\Kontiki\KService.exe" = C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service
"C:\Program Files\Google\Google Earth\plugin\geplugin.exe" = C:\Program Files\Google\Google Earth\plugin\geplugin.exe:*:Enabled:Google Earth -- (Google)
"C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" = C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:PowerDVD -- (CyberLink Corp.)
"C:\Program Files\ArcSoft\PhotoStudio 5.5\PhotoStudio.exe" = C:\Program Files\ArcSoft\PhotoStudio 5.5\PhotoStudio.exe:*:Enabled:PhotoStudio -- (ArcSoft, Inc.)
"C:\Program Files\NewSoft\Presto! PageManager 7.15\Pmsb.exe" = C:\Program Files\NewSoft\Presto! PageManager 7.15\Pmsb.exe:*:Enabled:Presto! Scan Buttons -- (NewSoft Technology Corporation)
"C:\Program Files\AVG\AVG10\avgmfapx.exe" = C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer
"C:\Program Files\ScanSoft\OmniPageSE4.0\TwainClient.exe" = C:\Program Files\ScanSoft\OmniPageSE4.0\TwainClient.exe:*:Enabled:ScanSoft Scanner System - TwainClient.exe -- (Nuance Communications, Inc.)
"C:\Program Files\Spotify\spotify.exe" = C:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify -- (Spotify Ltd)
"C:\Program Files\AVG\AVG2012\avgmfapx.exe" = C:\Program Files\AVG\AVG2012\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\FaxTalk\FTmsgsvc.exe" = C:\Program Files\FaxTalk\FTmsgsvc.exe:*:Enabled:FaxTalk Service -- (Thought Communications, Inc.)
"C:\Program Files\FaxTalk\fapiexe.exe" = C:\Program Files\FaxTalk\fapiexe.exe:*:Enabled:FaxTalk -- (Thought Communications, Inc.)
"C:\Program Files\FaxTalk\FTclctrl.exe" = C:\Program Files\FaxTalk\FTclctrl.exe:*:Enabled:FaxTalk CallControl -- (Thought Communications, Inc.)
"C:\Program Files\AVG\AVG2012\avgnsx.exe" = C:\Program Files\AVG\AVG2012\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgdiagex.exe" = C:\Program Files\AVG\AVG2012\avgdiagex.exe:*:Enabled:AVG Diagnostics 2012 -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgemcx.exe" = C:\Program Files\AVG\AVG2012\avgemcx.exe:*:Enabled:Personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.)
"C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" = C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Chrome\Application\chrome.exe:*:Enabled:Google Chrome -- (Google Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{059DB9E1-936B-4511-9A77-7CDF68AAC9E1}" = Eudora
"{069C1AD7-AC72-40E0-A156-7442EA6A48D7}" = AVG 2012
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ4803" = CanoScan 4400F
"{172423F9-522A-483A-AD65-03600CE4CA4F}" = Microsoft Works 6-9 Converter
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
"{19C64880-BBCA-11D4-9EEE-0004ACDDDB3B}" = CyberLink InstantBurn
"{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = BD Solution
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2304F821-BA4F-4f0c-B971-C5A1ADC919AB}" = Windows XP Valentine Screen Saver
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 29
"{26A24AE4-039D-4CA4-87B4-2F83216022F0}" = Java(TM) 6 Update 22
"{27263813-8BDE-4CD2-84D3-02536743428A}_is1" = Attribute Changer 7.0
"{27D0C7AB-59F1-4D4D-A0BB-05A31AC919EA}" = Windows XP Winter Fun Pack Screensavers
"{2934DCB0-F8EE-11E0-A4A5-B8AC6F97B88E}" = Google Earth Plug-in
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 5.0
"{41313863-5170-4D7E-AD60-3CDF4DEBA81F}" = Nokia PC Suite
"{46BD06C2-8D71-4A41-A71F-2EEA0FB2AEAB}_is1" = Wondershare PDF Converter (Build 2.0.2)
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{485E6526-EA98-4F04-925A-67424D12E1E2}" = Windows XP Creativity Fun Packs - Windows XP Power Toys
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4AA68A73-DB9C-439D-9481-981C82BD008B}" = Nokia Connectivity Cable Driver
"{4E0C6314-A8B8-4026-AC15-084E8B63AFB5}" = SpyHunter
"{4EFC72DA-2314-4E5D-AC8E-1C954CDB8BBF}" = AVG 2012
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{616E8966-0574-4E9E-A9CD-9CB819EBC162}" = KONICA MINOLTA TWAIN Ver.3
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7523F68F-3DA4-452A-A17F-4AF55A8A25BB}" = ChristmasTheme
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{82AF3E91-57E1-4754-84D0-40A46E2479AB}" = OpenOffice.org 3.3
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{85309D89-7BE9-4094-BB17-24999C6118FC}" = ArcSoft PhotoStudio 5.5
"{868291A4-229E-4795-B0B0-E60E87AF53CD}" = Sibelius Scorch (ActiveX Only)
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{889D48DA-457F-4C8B-9095-6458F2793B12}" = Nokia Software Updater
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8E436940-A944-4D67-A45B-1876E23BB9C0}" = e-Sword
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{92D1CEBC-7C72-4ECF-BFC6-C131EF3FE6A7}" = Nokia Suite
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{98FD8BB5-59A9-4163-883C-2997F7BB59D9}" = Microsoft Video Screensaver
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2AA4204-C05A-4013-888A-AD153139297F}" = PC Connectivity Solution
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
"{AF111648-99A1-453E-81DD-80DBBF6DAD0D}" = MSVC90_x86
"{B19C841C-D60A-462F-AB86-4FDD51A77FA3}" = NILE THEME
"{B3575D00-27EF-49C2-B9E0-14B3D954E992}" = Apple Application Support
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B6EC7388-E277-4A5B-8C8F-71067A41BA64}" = TextPad 5
"{B7588D45-AFDC-4C93-9E2E-A100F3554B64}" = Microsoft Fix it Center
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{B8971880-0060-11D8-87CB-C2A1A3E71907}_is1" = Index.dat Suite
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1008475-75B2-4475-B98C-51FAE8B62960}" = Concord WinFax Plugin v3.0
"{C16DD2B9-04B1-42D4-87C1-0121E54BB263}" = FaxTalk FaxCenter Pro 8
"{C1E693A4-B1D5-4DCD-B68D-2087835B7184}" = ScanSoft OmniPage SE 4.0
"{C23CD6DA-1958-43A5-ADD0-59396572E02E}" = Apple Mobile Device Support
"{C73CA646-73B3-4AEF-A136-C37505745174}" = iTunes
"{c9920352-04e6-469d-bab8-e2b9c7c75415}.sdb" = Microsoft Automated Troubleshooting Services Shim
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D03482C5-9AD8-496D-B388-692AE04C93AF}" = Bonjour
"{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}" = Presto! PageManager 7.15.14
"{D36DD326-7280-11D8-97C8-000129760CBE}" = PhotoNow! 1.0
"{D85E93D8-BF44-4BE5-962D-EB8EFDACC073}" = KONICA MINOLTA HDD TWAIN Ver.3
"{DFE70CCC-0ACB-45B7-94F4-9DC6F01B7928}" = SolidPDFCreator
"{E3387EAB-DFD3-4894-9F4C-B27669D35ED8}" = Images of Ireland Theme for Windows XP
"{E3B64CC5-C011-40C0-92BC-7316CD5E5688}" = Microsoft_VC100_CRT_SP1_x86
"{ED36C999-9843-4A4E-B60A-5152074D5EDD}_is1" = 1.0.3
"{EE39FFBD-544E-49E4-A999-6819828EAE91}" = Windows Live Photo Gallery
"{EE60BB9B-E721-454C-9B61-34EE8B36B8A7}" = Nokia PC Internet Access
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F7FC9307-374E-4017-8E9D-DE1154780480}" = System Requirements Lab for Intel
"{FFC5C6DA-6BC0-47C1-9EC0-8E1A1294E4F7}" = Windows XP Winter Fun Pack for Windows Movie Maker 2
"504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"72A50F48CC5601190B9C4E74D81161693133E7F7" = Windows Driver Package - Nokia Modem (02/25/2011 7.01.0.9)
"A to B Britain" = A to B Britain
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Amazing Windows XP Screen Saver_is1" = Amazing Windows XP Screen Saver 1.2
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.9
"AnarkClient" = Anark Client 1.0
"Arisctoc Screensaver" = Arisctoc Screensaver
"Aristoc2" = Aristoc2
"AVG" = AVG 2012
"Bathroom Exposure" = Bathroom Exposure Screen Saver
"Bedroom Scandals" = Bedroom Scandals Screen Saver
"Belarc Advisor" = Belarc Advisor 8.1
"CCleaner" = CCleaner
"CNXT_MODEM_PCI_HSF" = PCI SoftV92 Modem
"Debut" = Debut Video Capture Software
"Doxillion" = Doxillion Document Converter
"Drive Rescue_is1" = Drive Rescue 1.9
"Driver Genius Professional Edition 2007_is1" = Driver Genius Professional Edition 2007
"dvdSanta 4.50 - Make your own DVD movies!_is1" = dvdSanta 4.50
"E0AC723A3DE3A04256288CADBBB011B112AED454" = Windows Driver Package - Nokia Modem (02/25/2011 4.7)
"EndItAll_is1" = EndItAll 2.0
"Flash Movie Player" = Flash Movie Player 1.5
"FLV Player" = FLV Player 2.0 (build 25)
"FontCreator6_is1" = High-Logic FontCreator 6.0
"FREE Hi-Q Recorder_is1" = FREE Hi-Q Recorder 1.92
"Free Internet Window Washer" = Free Internet Window Washer
"FreeCommander_is1" = FreeCommander 2009.02b
"Graphic Workshop Professional" = Graphic Workshop Professional
"Holiday Snowflakes Screen Saver_is1" = Holiday Snowflakes Screen Saver 1.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Kitchen Secrets" = Kitchen Secrets Screen Saver
"LiveReg" = LiveReg (Symantec Corporation)
"LiveUpdate" = LiveUpdate 1.80 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mp3tag" = Mp3tag v2.49
"MRU-Blaster_is1" = MRU-Blaster v1.5 (Database 3/28/2004)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Musicnotes Combined Installer_is1" = Musicnotes Software Suite 1.5.5
"Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
"nLite_is1" = nLite 1.4.9.1
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Nokia PC Internet Access" = Nokia PC Internet Access
"Nokia PC Suite" = Nokia PC Suite
"Nokia Suite" = Nokia Suite
"Outdoor Revelations" = Outdoor Revelations Screen Saver
"Physician's Home Assistant 1.8" = Physician's Home Assistant 1.8
"Pixillion" = Pixillion Image Converter
"Pretty Polly Intimates Collection" = Pretty Polly Intimates Collection Screen Saver
"Prism" = Prism Video File Converter
"Rapport_msi" = Rapport
"Recuva" = Recuva
"RegCmd_is1" = Registry Commander v1.04
"Spotify" = Spotify
"The Scriptures_is1" = The Scriptures
"Tweak UI 2.10" = Tweak UI
"TweakNow RegCleaner_is1" = TweakNow RegCleaner
"VideoPad" = VideoPad Video Editor
"WallpaperToy" = Wallpaper Changer for Windows XP
"WavePad" = WavePad Sound Editor
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"Windows XP Video Screensaver Powertoy_is1" = Windows XP Video Screensaver Powertoy
"WinFax" = Symantec WinFax PRO
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01009" = Microsoft User-Mode Driver Framework Feature Pack 1.9
"XP Codec Pack" = XP Codec Pack
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"48f759f27f96d78f" = DJweb
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 23/04/2012 15:11:44 | Computer Name = KNIGHTS-2EE6007 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x00011780.

Error - 23/04/2012 15:12:21 | Computer Name = KNIGHTS-2EE6007 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x00011780.

Error - 23/04/2012 15:12:51 | Computer Name = KNIGHTS-2EE6007 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x00011780.

Error - 24/04/2012 04:25:44 | Computer Name = KNIGHTS-2EE6007 | Source = MatSvc | ID = 262147
Description = The MATS service encountered a web service failure. hr=0x80072EE7

Error - 24/04/2012 04:25:50 | Computer Name = KNIGHTS-2EE6007 | Source = MatSvc | ID = 262152
Description = The MATS service encountered a failure when loading SAP. hr=0x80070002

SAP folder: C:\Program Files\Microsoft Fix it Center\SAPFolder\Scheduled\DDA435FA-6E05-4DBF-80FE-C4EBE882E798.28


Error - 24/04/2012 04:25:51 | Computer Name = KNIGHTS-2EE6007 | Source = MatSvc | ID = 262159
Description = The scheduled MATS task encountered a failure when collecting configuration
data. hr=0x80070002 .

Error - 24/04/2012 05:16:32 | Computer Name = KNIGHTS-2EE6007 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 24/04/2012 07:04:20 | Computer Name = KNIGHTS-2EE6007 | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 800706BA from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 24/04/2012 07:04:20 | Computer Name = KNIGHTS-2EE6007 | Source = VSS | ID = 8193
Description = Volume Shadow Copy Service error: Unexpected error calling routine
CoCreateInstance. hr = 0x80040206.

Error - 24/04/2012 11:14:28 | Computer Name = KNIGHTS-2EE6007 | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module ntdll.dll, version 5.1.2600.6055, fault address 0x00011780.

[ System Events ]
Error - 24/04/2012 08:09:24 | Computer Name = KNIGHTS-2EE6007 | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable. Please
run the chkdsk utility on the volume F:.

Error - 24/04/2012 10:19:11 | Computer Name = KNIGHTS-2EE6007 | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable. Please
run the chkdsk utility on the volume F:.

Error - 24/04/2012 10:20:11 | Computer Name = KNIGHTS-2EE6007 | Source = Service Control Manager | ID = 7000
Description = The SAS Core Service service failed to start due to the following
error: %%2

Error - 24/04/2012 10:20:12 | Computer Name = KNIGHTS-2EE6007 | Source = Service Control Manager | ID = 7023
Description = The Usrbridg service terminated with the following error: %%126

Error - 24/04/2012 11:41:55 | Computer Name = KNIGHTS-2EE6007 | Source = DCOM | ID = 10010
Description = The server {1F87137D-0E7C-44D5-8C73-4EFFB68962F2} did not register
with DCOM within the required timeout.

Error - 24/04/2012 11:43:55 | Computer Name = KNIGHTS-2EE6007 | Source = DCOM | ID = 10010
Description = The server {1F87137D-0E7C-44D5-8C73-4EFFB68962F2} did not register
with DCOM within the required timeout.

Error - 24/04/2012 12:09:04 | Computer Name = KNIGHTS-2EE6007 | Source = Service Control Manager | ID = 7034
Description = The WinFax PRO service terminated unexpectedly. It has done this
1 time(s).

Error - 24/04/2012 13:39:31 | Computer Name = KNIGHTS-2EE6007 | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable. Please
run the chkdsk utility on the volume F:.

Error - 24/04/2012 13:40:38 | Computer Name = KNIGHTS-2EE6007 | Source = Service Control Manager | ID = 7000
Description = The SAS Core Service service failed to start due to the following
error: %%2

Error - 24/04/2012 13:40:38 | Computer Name = KNIGHTS-2EE6007 | Source = Service Control Manager | ID = 7023
Description = The Usrbridg service terminated with the following error: %%126


< End of report >

osjknights
2012-04-24, 23:15
Thanks for the time you are taking.

osjknights
2012-04-25, 12:43
I had lost the two DVD drives I had. The drivers were corrupted. I reinstalled the drivers, to no avail, then uninstalled the drives under Hardware in the System properties, and on reinstallation (found new hardware notice) they came back OK.
AVG reports Trojan infection in files in the F Drive (my Windows 7 Drive, which is bootable) and so I have disabled it in the Hardware list.

My question is this - will this drive (F Drive) have the infection now, if I seek to boot on it - as the XP system keeps crashing, but is just about workable.

I was trying to burn files to a DVD to save them, this is how I realised I had no DVD Drives working!

jeffce
2012-04-25, 13:57
Sorry for the delay in response...

I have been working to collect everything that I can to remove as much as possible in one sweep. There is just a lot to go through so that is why the time has been extended, but just so you know we really haven't removed anything yet so AVG is probably just picking up the same infections that were there to begin with. I hope to be finishing up shortly. I appreciate your patience.

jeffce
2012-04-25, 17:17
Hi,

Please download ERUNT (http://www.snapfiles.com/get/erunt.html) (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

Run OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

:Services

:OTL
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2010/05/05 22:28:27 | 000,035,840 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

:Files
c:\documents and settings\all users\favorites\computerfixes\permanent method to crack wga and patch windows xp (inc mce) or 2003 as genuine » my digital life.url
c:\documents and settings\all users\favorites\computerfixes\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows validat.url
c:\documents and settings\all users\favorites\computerfixes\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows2.url
c:\documents and settings\all users\favorites\computerfixes\cracks\beginners guide to hacking windows - part 2 governmentsecurity.org.url
c:\documents and settings\all users\favorites\computerfixes\cracks\brian carr's home pagewindows.url
c:\documents and settings\all users\favorites\computerfixes\cracks\bugmenot.com - login with these free web passwords to bypass compulsory registration.url
c:\documents and settings\all users\favorites\computerfixes\cracks\bypass windows genuine advantage validation check in windows update » my digital life.url
c:\documents and settings\all users\favorites\computerfixes\cracks\crackskeygen.url
c:\documents and settings\all users\favorites\computerfixes\cracks\cracksserial numbers&passwords..url
c:\documents and settings\all users\favorites\computerfixes\cracks\daring devil 'i'.url
c:\documents and settings\all users\favorites\computerfixes\cracks\filehippo.com - download free software.url
c:\documents and settings\all users\favorites\computerfixes\cracks\free email account with sky sky.com.url
c:\documents and settings\all users\favorites\computerfixes\cracks\keygen.cc - download keygen crack serial patch.url
c:\documents and settings\all users\favorites\computerfixes\cracks\official ways to disable or manually uninstall the microsoft windows genuine advantage notifications from microsoft » my digita.url
c:\documents and settings\all users\favorites\computerfixes\cracks\permanent method to crack wga and patch windows xp (inc mce) or 2003 as genuine » my digital life.url
c:\documents and settings\all users\favorites\computerfixes\cracks\remove, bypass, patch and disable microsoft windows genuine advantage wga validation version 1.5.708.0 with legitcheckcontrol.d.url
c:\documents and settings\all users\favorites\computerfixes\cracks\sagem router has been cracked - take 2.url
c:\documents and settings\all users\favorites\computerfixes\cracks\samsung sgh-e900 - support forum - expansys uk.url
c:\documents and settings\all users\favorites\computerfixes\cracks\software serial numbers and passwords..url
c:\documents and settings\all users\favorites\computerfixes\cracks\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows validat.url
c:\documents and settings\all users\favorites\computerfixes\cracks\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows2.url
c:\documents and settings\all users\favorites\computerfixes\cracks\wga remover.url
c:\documents and settings\all users\favorites\gizmos\crack.ms - download eudora email v7.0.0.16 crack or serial for free.url
c:\documents and settings\all users\favorites\gizmos\seriall.com - serials, keys, keygen, cracks.url
c:\documents and settings\dr michael foster\favorites\computerfixes\permanent method to crack wga and patch windows xp (inc mce) or 2003 as genuine » my digital life.url
c:\documents and settings\dr michael foster\favorites\computerfixes\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows validat.url
c:\documents and settings\dr michael foster\favorites\computerfixes\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows2.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\beginners guide to hacking windows - part 2 governmentsecurity.org.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\brian carr's home pagewindows.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\bugmenot.com - login with these free web passwords to bypass compulsory registration.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\bypass windows genuine advantage validation check in windows update » my digital life.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\crackskeygen.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\cracksserial numbers&passwords..url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\daring devil 'i'.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\filehippo.com - download free software.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\free email account with sky sky.com.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\keyfinder magical jelly bean.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\keygen.cc - download keygen crack serial patch.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\official ways to disable or manually uninstall the microsoft windows genuine advantage notifications from microsoft » my digita.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\permanent method to crack wga and patch windows xp (inc mce) or 2003 as genuine » my digital life.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\remove, bypass, patch and disable microsoft windows genuine advantage wga validation version 1.5.708.0 with legitcheckcontrol.d.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\sagem router has been cracked - take 2.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\samsung sgh-e900 - support forum - expansys uk.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\software serial numbers and passwords..url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows validat.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows2.url
c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\wga remover.url
c:\documents and settings\dr michael foster\favorites\gizmos\crack.ms - download eudora email v7.0.0.16 crack or serial for free.url
c:\documents and settings\dr michael foster\favorites\gizmos\seriall.com - serials, keys, keygen, cracks.url
c:\documents and settings\dr michael foster\my files\crack.htm
ipconfig /flushdns /c

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"=-
"2869:TCP"=-
"139:TCP"=-
"445:TCP"=-
"137:UDP"=-
"138:UDP"=-
"5985:TCP"=-

:Commands
[purity]
[resethosts]
[createrestorepoints]
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered. There will be a log created when it completes that I will need in your next reply. Reboot when it is done.
Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
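A check worth making after a fix like the one above is whether every registry deletion the script asked for actually shows up as confirmed in the OTL result log, and whether any fix line was refused. The Python below is an added example, not OTL's code and not part of this thread; it assumes the fix-script syntax shown above and the confirmation and error line formats OTL prints, and its embedded sample log is constructed with one confirmation deliberately left out.

```python
r"""Check the :Reg deletions in an OTL fix script against the OTL result log.

Added example for this thread; not OTL's code and not the helper's tooling.
Assumed formats are the ones visible in the thread: a fix script with
section headers (':Reg', ':Commands'), registry keys in [brackets] and
'"name"=-' meaning "delete this value"; and a result log in which OTL
confirms each deletion as
'Registry value <key>\\<name> deleted successfully.' (note the doubled
backslash) and reports fix lines it does not know as
'Error: Unable to interpret <...> in the current context!'.
"""
import re

_UNINTERPRETED_RE = re.compile(
    r"^Error: Unable to interpret <(.+?)> in the current context!", re.M
)


def parse_reg_deletions(fix_script):
    """Return [(key, value_name), ...] for every '"name"=-' line under :Reg."""
    deletions, key, in_reg = [], None, False
    for raw in fix_script.splitlines():
        line = raw.strip()
        if line.startswith(":"):          # section header: :OTL, :Reg, :Files ...
            in_reg = line.lower() == ":reg"
            key = None
            continue
        if not in_reg or not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and line.endswith('"=-'):
            deletions.append((key, line[1:-3]))   # drop the quotes and '=-'
    return deletions


def unconfirmed_deletions(fix_script, otl_log):
    """Requested value deletions that the log never confirms."""
    log = otl_log.lower()
    missing = []
    for key, name in parse_reg_deletions(fix_script):
        expected = f"registry value {key}\\\\{name} deleted successfully."
        if expected.lower() not in log:
            missing.append((key, name))
    return missing


def uninterpreted_commands(otl_log):
    """Fix lines OTL refused, e.g. an unsupported or misspelled command."""
    return _UNINTERPRETED_RE.findall(otl_log)


# The :Reg and :Commands blocks from the fix above, as constructed sample input.
SAMPLE_FIX = r"""
:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"=-
"2869:TCP"=-
"139:TCP"=-
"445:TCP"=-
"137:UDP"=-
"138:UDP"=-
"5985:TCP"=-

:Commands
[purity]
[resethosts]
[createrestorepoints]
[emptytemp]
"""

_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
        r"\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List")

# Constructed result log: the 5985:TCP confirmation is deliberately left out
# so the check has something to report.
SAMPLE_LOG = "\n".join(
    [f"Registry value {_KEY}\\\\{v} deleted successfully."
     for v in ("1900:UDP", "2869:TCP", "139:TCP", "445:TCP", "137:UDP", "138:UDP")]
    + ["========== COMMANDS ==========",
       "HOSTS file reset successfully",
       "Error: Unable to interpret <[createrestorepoints]> in the current context!"]
)

if __name__ == "__main__":
    for key, name in unconfirmed_deletions(SAMPLE_FIX, SAMPLE_LOG):
        print(f"NOT CONFIRMED: {key}\\{name}")
    for cmd in uninterpreted_commands(SAMPLE_LOG):
        print(f"OTL did not understand: {cmd}")
```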

osjknights
2012-04-25, 20:41
Thanks for staying on the case.

I am doing this in between my work (as I guess is true for you).

PS I had removed the URLs for the Crack sites (as soon as you pointed them out to me) - which lay long forgotten as is true of all of my youngsters' items on this machine.

Here is the log;

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
C:\WINDOWS\System32\PerfStringBackup.TMP deleted successfully.
C:\WINDOWS\System32\x(cmd)dds_trash_log.cmd.tmp deleted successfully.
C:\WINDOWS\System32\x(dat)d3d9caps.dat.tmp deleted successfully.
C:\WINDOWS\System32\x(dat)perfc009.dat.tmp deleted successfully.
C:\WINDOWS\System32\x(dat)perfh009.dat.tmp deleted successfully.
C:\WINDOWS\System32\x(INI)PerfStringBackup.INI.tmp deleted successfully.
C:\WINDOWS\4E0C6314A8B84026AC15084E8B63AFB5.TMP\WiseCustomCalla21.exe deleted successfully.
C:\WINDOWS\4E0C6314A8B84026AC15084E8B63AFB5.TMP folder deleted successfully.
C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini moved successfully.
========== FILES ==========
File\Folder c:\documents and settings\all users\favorites\computerfixes\permanent method to crack wga and patch windows xp (inc mce) or 2003 as genuine » my digital life.url not found.
File\Folder c:\documents and settings\all users\favorites\computerfixes\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows validat.url not found.
File\Folder c:\documents and settings\all users\favorites\computerfixes\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows2.url not found.
File\Folder c:\documents and settings\all users\favorites\computerfixes\cracks\beginners guide to hacking windows - part 2 governmentsecurity.org.url not found.
File\Folder c:\documents and settings\all users\favorites\computerfixes\cracks\brian carr's home pagewindows.url not found.
File\Folder c:\documents and settings\all users\favorites\computerfixes\cracks\bugmenot.com - login with these free web passwords to bypass compulsory registration.url not found.
File\Folder c:\documents and settings\all users\favorites\computerfixes\cracks\bypass windows genuine advantage validation check in windows update » my digital life.url not found.
File\Folder c:\documents and settings\all users\favorites\computerfixes\cracks\crackskeygen.url not found.
File\Folder c:\documents and settings\all users\favorites\computerfixes\cracks\cracksserial numbers&passwords..url not found.
File\Folder c:\documents and settings\all users\favorites\computerfixes\cracks\daring devil 'i'.url not found.
File\Folder c:\documents and settings\all users\favorites\computerfixes\cracks\filehippo.com - download free software.url not found.
File\Folder c:\documents and settings\all users\favorites\computerfixes\cracks\free email account with sky sky.com.url not found.
File\Folder c:\documents and settings\all users\favorites\computerfixes\cracks\keygen.cc - download keygen crack serial patch.url not found.
File\Folder c:\documents and settings\all users\favorites\computerfixes\cracks\official ways to disable or manually uninstall the microsoft windows genuine advantage notifications from microsoft » my digita.url not found.
File\Folder c:\documents and settings\all users\favorites\computerfixes\cracks\permanent method to crack wga and patch windows xp (inc mce) or 2003 as genuine » my digital life.url not found.
File\Folder c:\documents and settings\all users\favorites\computerfixes\cracks\remove, bypass, patch and disable microsoft windows genuine advantage wga validation version 1.5.708.0 with legitcheckcontrol.d.url not found.
File\Folder c:\documents and settings\all users\favorites\computerfixes\cracks\sagem router has been cracked - take 2.url not found.
File\Folder c:\documents and settings\all users\favorites\computerfixes\cracks\samsung sgh-e900 - support forum - expansys uk.url not found.
File\Folder c:\documents and settings\all users\favorites\computerfixes\cracks\software serial numbers and passwords..url not found.
File\Folder c:\documents and settings\all users\favorites\computerfixes\cracks\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows validat.url not found.
File\Folder c:\documents and settings\all users\favorites\computerfixes\cracks\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows2.url not found.
File\Folder c:\documents and settings\all users\favorites\computerfixes\cracks\wga remover.url not found.
c:\documents and settings\all users\favorites\gizmos\CRACK.MS - Download Eudora Email v7.0.0.16 CRACK or SERIAL for FREE.url moved successfully.
c:\documents and settings\all users\favorites\gizmos\SeriAll.Com - Serials, Keys, Keygen, Cracks.url moved successfully.
File\Folder c:\documents and settings\dr michael foster\favorites\computerfixes\permanent method to crack wga and patch windows xp (inc mce) or 2003 as genuine » my digital life.url not found.
File\Folder c:\documents and settings\dr michael foster\favorites\computerfixes\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows validat.url not found.
File\Folder c:\documents and settings\dr michael foster\favorites\computerfixes\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows2.url not found.
File\Folder c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\beginners guide to hacking windows - part 2 governmentsecurity.org.url not found.
File\Folder c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\brian carr's home pagewindows.url not found.
File\Folder c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\bugmenot.com - login with these free web passwords to bypass compulsory registration.url not found.
File\Folder c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\bypass windows genuine advantage validation check in windows update » my digital life.url not found.
File\Folder c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\crackskeygen.url not found.
File\Folder c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\cracksserial numbers&passwords..url not found.
File\Folder c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\daring devil 'i'.url not found.
File\Folder c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\filehippo.com - download free software.url not found.
File\Folder c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\free email account with sky sky.com.url not found.
File\Folder c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\keyfinder magical jelly bean.url not found.
File\Folder c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\keygen.cc - download keygen crack serial patch.url not found.
File\Folder c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\official ways to disable or manually uninstall the microsoft windows genuine advantage notifications from microsoft » my digita.url not found.
File\Folder c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\permanent method to crack wga and patch windows xp (inc mce) or 2003 as genuine » my digital life.url not found.
File\Folder c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\remove, bypass, patch and disable microsoft windows genuine advantage wga validation version 1.5.708.0 with legitcheckcontrol.d.url not found.
File\Folder c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\sagem router has been cracked - take 2.url not found.
File\Folder c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\samsung sgh-e900 - support forum - expansys uk.url not found.
File\Folder c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\software serial numbers and passwords..url not found.
File\Folder c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows validat.url not found.
File\Folder c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\ways to crack and disable wga validation tool and wga notifications plus download and install bypassing genuine windows2.url not found.
File\Folder c:\documents and settings\dr michael foster\favorites\computerfixes\cracks\wga remover.url not found.
c:\documents and settings\dr michael foster\favorites\gizmos\CRACK.MS - Download Eudora Email v7.0.0.16 CRACK or SERIAL for FREE.url moved successfully.
c:\documents and settings\dr michael foster\favorites\gizmos\SeriAll.Com - Serials, Keys, Keygen, Cracks.url moved successfully.
c:\documents and settings\dr michael foster\my files\crack.htm moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Dr Michael Foster\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Dr Michael Foster\Desktop\cmd.txt deleted successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1900:UDP deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2869:TCP deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\139:TCP deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\445:TCP deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\137:UDP deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\138:UDP deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\5985:TCP deleted successfully.
========== COMMANDS ==========
HOSTS file reset successfully
Error: Unable to interpret <[createrestorepoints]> in the current context!

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56502 bytes

User: Dr Michael Foster
->Temp folder emptied: 1683814 bytes
->Temporary Internet Files folder emptied: 3793356 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 15783852 bytes
->Flash cache emptied: 787 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 2130054 bytes
->Flash cache emptied: 5514 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 494 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 402 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 22.00 mb

Error: Unable to interpret <[Reboot]Then click the Run Fix button at the top > in the current context!

OTL by OldTimer - Version 3.2.40.0 log created on 04252012_191942

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Dr Michael Foster\Local Settings\Temp\~DFCAD4.tmp not found!
File\Folder C:\Documents and Settings\Dr Michael Foster\Local Settings\Temporary Internet Files\Content.Word\~WRS4043.tmp not found!
C:\Documents and Settings\Dr Michael Foster\Local Settings\Temporary Internet Files\Content.IE5\ATQL68NI\showthread[1].htm moved successfully.

Registry entries deleted on Reboot...

jeffce
2012-04-25, 20:47
Hi,

Malwarebytes

I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.
----------

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the Start button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the Back button.
Push Finish

http://www.eset.com/onlinescan/
----------

In your next reply please post the logs made by Malwarebytes and ESET. :)
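The exported ESET report is one finding per line: the path, then the detection name and threat type. As an added example (not ESET's code and not anything from this thread), the Python below sorts such lines by where the file sits, because a hit inside a ComboFix (C:\Qoobox) or TDSSKiller quarantine folder or a System Restore point copy is an inert remnant that goes away when those are flushed, while a hit on a live path is what actually needs removing. The sample report embedded in it is constructed to mirror the thread's format; its last path is hypothetical.

```python
"""Triage an ESET Online Scanner text report by the location of each finding.

Added example for this thread; not ESET's code and not the helper's tooling.
Assumed format (as posted in the thread): one finding per line,
"<path> <detection name> <threat type>", where the detection name may be
prefixed with "a variant of". Windows paths never contain "/", which is
what lets the detection name be told apart from a path containing spaces.
"""
import re
from collections import Counter, defaultdict

_LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<detection>(?:a variant of\s+)?[A-Za-z0-9_-]+/\S+.*?)\s*$"
)

# Where a finding lives decides what it means: quarantine folders and
# System Restore point copies are inert remnants, anything else is live.
LOCATIONS = (
    ("combofix_quarantine", r"\\qoobox\\quarantine\\"),
    ("tdsskiller_quarantine", r"\\tdsskiller_quarantine\\"),
    ("restore_point", r"\\system volume information\\_restore\{"),
)


def parse_line(line):
    """Return (path, detection) for a finding line, None for anything else."""
    m = _LINE_RE.match(line.strip())
    return (m.group("path"), m.group("detection")) if m else None


def classify(path):
    lower = path.lower()
    for name, pattern in LOCATIONS:
        if re.search(pattern, lower):
            return name
    return "live"


def family(detection):
    """'a variant of Win32/Kryptik.AEMK trojan' -> 'Win32/Kryptik'."""
    name = next(tok for tok in detection.split() if "/" in tok)
    return name.rsplit(".", 1)[0]


def triage(report_text):
    """Group findings by location and count detections per family."""
    by_location = defaultdict(list)
    families = Counter()
    for line in report_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, detection = parsed
        by_location[classify(path)].append((path, detection))
        families[family(detection)] += 1
    return {"by_location": dict(by_location), "families": families}


# Constructed sample mirroring the thread's report; the last path is a
# hypothetical live file, not something reported on the machine.
SAMPLE_REPORT = r"""
SCAN RESULTS

C:\Qoobox\Quarantine\C\WINDOWS\system32\flutilssvc.dll.vir Win32/Sirefef.ER trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\afd.sys.vir Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP543\A1999146.exe a variant of Win32/Kryptik.AEMK trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP543\A1999151.exe Win32/TrojanDownloader.Prodatect.BL trojan
C:\TDSSKiller_Quarantine\22.04.2012_20.23.43\zaea0000\svc0000\tsk0000.dta Win32/Sirefef.ER trojan
C:\WINDOWS\system32\drivers\hypothetical_live.sys Win32/Sirefef.DA trojan
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for location, findings in result["by_location"].items():
        print(f"{location}: {len(findings)} finding(s)")
    for fam, count in result["families"].most_common():
        print(f"  {fam}: {count}")
    # Only live findings call for removal; the rest disappear when the
    # quarantine folders and old restore points are flushed.
    for path, detection in result["by_location"].get("live", []):
        print(f"ACT: {path} ({detection})")
```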

osjknights
2012-04-25, 21:56
I will have to do these 9am UK BST. I am out on a visit (for my work), now until late! Again thanks.

jeffce
2012-04-25, 22:44
Ok no hurry. :)

osjknights
2012-04-26, 09:47
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.21.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dr Michael Foster :: KNIGHTS-2EE6007 [administrator]

Protection: Disabled

26/04/2012 06:36:11
mbam-log-2012-04-26 (06-36-11).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 190327
Time elapsed: 5 minute(s), 7 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

osjknights
2012-04-26, 14:28
Hi! The ESET Scan is still running and has been doing so for the last four hours. It is at 57% - so by 17:00 hrs BST I should be able to paste a report.
The nuisance is that AVG keeps kicking in after 15 minutes – and I do not always get back to the machine to top up the 15 minutes in time. Good job I am working from home today! I have not found any real method to extend the 15 minutes. Mind you, my worry is that AVG let the Trojan in, in the first place, so I will need advice on a decent Anti Virus/Trojan program, man enough for the job. By 18:00 BST I will have to go out to a work meeting, but should get back, but I guess I will have other jobs with which to catch up.

osjknights
2012-04-26, 14:28
Mind you it has found some 404 infected files thus far!

osjknights
2012-04-26, 16:44
It's only 59% after 6 1/2 hours, so I guess it will not be complete until at least 20:00 hrs BST.

jeffce
2012-04-26, 16:45
Hi,

If you are having problems with AVG and want to change antivirus programs anyway you could always just uninstall it and then run ESET again. ESET may take quite some time though which is normal.

If you do remove it, be sure to only come here and to ESET until we get another antivirus program on your system. :)

osjknights
2012-04-26, 18:08
It zoomed from 59%, at which it was stuck a good long time and suddenly it was 100%!

The Scan is below. The entries for the F Drive are Tools (usually to do with rescuing the machine) or Jokes - the Joke programs were from my old win 95 machine - like doing tricks with the cursor but always exited on pressing the Esc key.


SCAN RESULTS

C:\Qoobox\Quarantine\C\WINDOWS\system32\flutilssvc.dll.vir Win32/Sirefef.ER trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\InterBaseGuardian.dll.vir Win32/Sirefef.ER trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\mountmgr.dll.vir Win32/Sirefef.ER trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\queuemgr.dll.vir Win32/Sirefef.ER trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\siswlsvc.dll.vir Win32/Sirefef.ER trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\VirtualCam.dll.vir Win32/Sirefef.ER trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\afd.sys.vir Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP542\A1999103.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP543\A1999133.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP543\A1999146.exe a variant of Win32/Kryptik.AEMK trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP543\A1999151.exe Win32/TrojanDownloader.Prodatect.BL trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999202.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999222.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999234.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999329.exe a variant of Win32/Kryptik.AELC trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999330.exe a variant of Win32/Kryptik.AELC trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999337.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999349.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999350.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999351.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999352.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999353.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999354.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999355.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999356.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999392.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999427.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999467.dll a variant of Win32/Kryptik.AEMZ trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999473.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999495.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999514.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999515.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999516.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999517.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999518.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP544\A1999537.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP545\A2000537.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP545\A2001537.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP545\A2001550.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP545\A2001551.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP545\A2001552.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP545\A2001553.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP545\A2001554.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP545\A2001555.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP545\A2001556.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP545\A2001557.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP545\A2001558.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP545\A2001559.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP545\A2001560.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP545\A2001561.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP545\A2001562.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP545\A2001563.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP545\A2001564.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP545\A2001565.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP545\A2001566.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP545\A2001567.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP545\A2001568.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP545\A2001569.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP545\A2001570.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP545\A2001571.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP546\A2002046.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP547\A2003063.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP547\A2003076.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP547\A2003144.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP547\A2003170.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP547\A2003231.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP547\A2004231.sys Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP547\A2005231.sys a variant of Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP547\A2005351.sys a variant of Win32/Sirefef.DA trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP547\A2005393.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP547\A2005394.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP547\A2005395.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP547\A2005396.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP547\A2005397.dll Win32/Sirefef.ER trojan
C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP547\A2005398.dll Win32/Sirefef.ER trojan
C:\TDSSKiller_Quarantine\22.04.2012_20.23.43\zaea0000\svc0000\tsk0000.dta Win32/Sirefef.ER trojan
C:\TDSSKiller_Quarantine\22.04.2012_20.23.43\zaea0001\svc0000\tsk0000.dta Win32/Sirefef.ER trojan
C:\TDSSKiller_Quarantine\22.04.2012_20.23.43\zaea0002\svc0000\tsk0000.dta Win32/Sirefef.ER trojan
C:\TDSSKiller_Quarantine\22.04.2012_20.23.43\zaea0003\svc0000\tsk0000.dta Win32/Sirefef.ER trojan
C:\TDSSKiller_Quarantine\22.04.2012_20.23.43\zaea0004\svc0000\tsk0000.dta Win32/Sirefef.ER trojan
C:\TDSSKiller_Quarantine\22.04.2012_20.23.43\zaea0005\svc0000\tsk0000.dta Win32/Sirefef.ER trojan
C:\TDSSKiller_Quarantine\22.04.2012_20.23.43\zaea0006\svc0000\tsk0000.dta Win32/Sirefef.ER trojan
C:\TDSSKiller_Quarantine\22.04.2012_20.23.43\zaea0007\svc0000\tsk0000.dta Win32/Sirefef.ER trojan
C:\TDSSKiller_Quarantine\22.04.2012_20.23.43\zaea0008\svc0000\tsk0000.dta Win32/Sirefef.ER trojan
C:\TDSSKiller_Quarantine\22.04.2012_20.23.43\zaea0009\svc0000\tsk0000.dta Win32/Sirefef.ER trojan
C:\TDSSKiller_Quarantine\22.04.2012_20.23.43\zaea0010\svc0000\tsk0000.dta Win32/Sirefef.ER trojan
C:\TDSSKiller_Quarantine\22.04.2012_20.23.43\zaea0011\svc0000\tsk0000.dta Win32/Sirefef.ER trojan
C:\TDSSKiller_Quarantine\22.04.2012_20.23.43\zaea0012\svc0000\tsk0000.dta Win32/Sirefef.ER trojan
C:\TDSSKiller_Quarantine\22.04.2012_20.23.43\zaea0013\svc0000\tsk0000.dta Win32/Sirefef.ER trojan
C:\TDSSKiller_Quarantine\22.04.2012_20.23.43\zaea0014\svc0000\tsk0000.dta Win32/Sirefef.ER trojan
C:\TDSSKiller_Quarantine\22.04.2012_20.23.43\zaea0015\svc0000\tsk0000.dta Win32/Sirefef.ER trojan
C:\TDSSKiller_Quarantine\22.04.2012_20.23.43\zaea0016\svc0000\tsk0000.dta Win32/Sirefef.ER trojan
C:\TDSSKiller_Quarantine\22.04.2012_20.23.43\zaea0017\svc0000\tsk0000.dta Win32/Sirefef.ER trojan
C:\TDSSKiller_Quarantine\22.04.2012_20.23.43\zaea0018\svc0000\tsk0000.dta Win32/Sirefef.ER trojan
C:\TDSSKiller_Quarantine\22.04.2012_20.23.43\zaea0019\svc0000\tsk0000.dta Win32/Sirefef.ER trojan
C:\TDSSKiller_Quarantine\22.04.2012_20.23.43\zaea0020\svc0000\tsk0000.dta Win32/Sirefef.ER trojan
C:\TDSSKiller_Quarantine\22.04.2012_20.23.43\zaea0021\svc0000\tsk0000.dta Win32/Sirefef.ER trojan
C:\TDSSKiller_Quarantine\22.04.2012_20.23.43\zaea0022\svc0000\tsk0000.dta Win32/Sirefef.ER trojan
F:\WinInstallers\1stAidDisk\virus&trojans\trojankiller-setup.exe probably a variant of Win32/Adware.IeDefender.NHA application
F:\WinInstallers\adblockplus\cnet_simpleadblock1_0_9_msi.exe a variant of Win32/InstallCore.D application
F:\WinInstallers\Games\Snake\eipcsnake.exe multiple threats
F:\WinInstallers\Mp3 Wma Converter\Setup_FreeConverter.exe Win32/Toolbar.Widgi application
F:\WinInstallers\Pranks\avoid.zip probably a variant of Win32/Agent.DKIVYTJ trojan
F:\WinInstallers\Pranks\followme.zip probably a variant of Win32/Agent.FTGMOC trojan
F:\WinInstallers\Pranks\printme.zip probably a variant of Win32/Agent.CDYNSKQ trojan
F:\WinInstallers\Pranks\avoid\avoid.exe probably a variant of Win32/Agent.DKIVYTJ trojan
F:\WinInstallers\Pranks\followme\followme.exe probably a variant of Win32/Agent.FTGMOC trojan
F:\WinInstallers\Pranks\printme\printme.exe probably a variant of Win32/Agent.CDYNSKQ trojan
F:\WinInstallers\Virus&trojans\trojankiller-setup.exe probably a variant of Win32/Adware.IeDefender.NHA application
F:\WinInstallers\Virus&trojans\avg\AVG9\registrybooster.exe a variant of Win32/RegistryBooster application
F:\WinInstallers\WExplorers\FreeCommander\fc_setup2-2009.exe a variant of Win32/Adware.ADON application
F:\WinInstallers\Wipe\Unlocker\Unlocker1.9.1-x64.exe Win32/Adware.ADON application
F:\WinInstallers\Wipe\Unlocker\Unlocker1.9.1.exe Win32/Adware.ADON application

jeffce
2012-04-26, 19:43
Hi,


The entries for the F Drive are Tools (usually to do with rescuing the machine) or Jokes - the Joke programs were from my old Win 95 machine - like doing tricks with the cursor but always exited on pressing the Esc key.

I see them. I am removing the ones that are threats only. If you want to still have them, wait until we are complete to put them back on. :)
----------

Run OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL



:Services

:Files
F:\WinInstallers\1stAidDisk\virus&trojans\trojankiller-setup.exe
F:\WinInstallers\Games\Snake\eipcsnake.exe
F:\WinInstallers\Pranks\avoid.zip
F:\WinInstallers\Pranks\followme.zip
F:\WinInstallers\Pranks\printme.zip
F:\WinInstallers\Pranks\avoid\avoid.exe
F:\WinInstallers\Pranks\followme\followme.exe
F:\WinInstallers\Pranks\printme\printme.exe
F:\WinInstallers\Virus&trojans\trojankiller-setup.exe
F:\WinInstallers\WExplorers\FreeCommander\fc_setup2-2009.exe
F:\WinInstallers\Wipe\Unlocker\Unlocker1.9.1-x64.exe
F:\WinInstallers\Wipe\Unlocker\Unlocker1.9.1.exe

:Commands
[purity]
[resethosts]
[emptytemp]
[clearallrestorepoints]
[start explorer]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot when it is done
Then run a new scan and post a new OTL log (don't check the boxes beside LOP Check or Purity this time)


In your next reply please post the logs made by OTL and let me know how your system is running now. :)

osjknights
2012-04-27, 10:32
Hi,

Here is the OTL report:

All processes killed
========== SERVICES/DRIVERS ==========
========== FILES ==========
F:\WinInstallers\1stAidDisk\virus&trojans\trojankiller-setup.exe moved successfully.
F:\WinInstallers\Games\Snake\eipcsnake.exe moved successfully.
F:\WinInstallers\Pranks\avoid.zip moved successfully.
F:\WinInstallers\Pranks\followme.zip moved successfully.
F:\WinInstallers\Pranks\printme.zip moved successfully.
F:\WinInstallers\Pranks\avoid\avoid.exe moved successfully.
F:\WinInstallers\Pranks\followme\followme.exe moved successfully.
F:\WinInstallers\Pranks\printme\printme.exe moved successfully.
F:\WinInstallers\Virus&trojans\trojankiller-setup.exe moved successfully.
F:\WinInstallers\WExplorers\FreeCommander\fc_setup2-2009.exe moved successfully.
F:\WinInstallers\Wipe\Unlocker\Unlocker1.9.1-x64.exe moved successfully.
F:\WinInstallers\Wipe\Unlocker\Unlocker1.9.1.exe moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Dr Michael Foster
->Temp folder emptied: 1506333 bytes
->Temporary Internet Files folder emptied: 17139549 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 8985244 bytes
->Flash cache emptied: 456 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 494 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 26.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.40.0 log created on 04272012_072107

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Dr Michael Foster\Local Settings\Temp\~DFBF80.tmp not found!
File\Folder C:\Documents and Settings\Dr Michael Foster\Local Settings\Temporary Internet Files\Content.Word\~WRS0001.tmp not found!
C:\Documents and Settings\Dr Michael Foster\Local Settings\Temporary Internet Files\Content.IE5\11IADA0Y\showthread[3].htm moved successfully.

Registry entries deleted on Reboot...

SYSTEM BEHAVIOUR.
Windows Explorer keeps crashing.
I have an odd directory/folder, ComboFix, appearing in the C:\ directory - when you click on it, it duplicates the "My Computer" window! See attached jpgs.
I must have lost a few system files. I had certainly lost ping.exe, but replaced it with a copy from the other PC.

Is there any way I can restore lost system files?

Again thanks for your help

jeffce
2012-04-27, 14:12
Hi,

Please visit the site here (https://skydrive.live.com/?cid=4551147508EEE574&id=4551147508EEE574%21107) and download vagetatool and save it directly to your C:\ folder. Once it is there run the tool and post the log that is related.

osjknights
2012-04-27, 16:05
Hi -
I got this message at the start of the Vagetatool (which refers to itself as ComboFix): "You are infected with Rootkit.ZeroAccess!
It has inserted itself into the tcp/ip stack. This is a particularly difficult infection.
If for any reason that you’re unable to connect to the internet after running ComboFix, reboot....." The app then moved on to a scan, so I did not get the rest of the message, but basically it suggests rebooting twice to return the connection to the Internet.

However, after stage 50 was reached and files and folders had been deleted, it hung up, and has been like that for the last half hour!

osjknights
2012-04-27, 16:13
It could be that AVG has kicked in and is throwing a spanner in the works. As there is no way to halt AVG for more than 15 minutes, do I need to remove AVG and start again?

jeffce
2012-04-27, 16:37
Hi,

We need to uninstall AVG. Please uninstall AVG by going to Start >> Control Panel >> Add/Remove Programs. We need to make sure that it doesn't interfere. We will reinstall it later.

I appreciate your patience with this. Your system was extremely infected and we are still dealing with the infection.
--------

Please boot into Safe Mode and attempt to run vagetatool again and hopefully it will run through. If the log is created post that to your next reply.

osjknights
2012-04-27, 18:01
Ran Vagetatool without ditching AVG. I kept the machine booting into safe mode, which did the trick. I had taken the network cable out for safety. On each reboot the machine sought to dial out, as the DUN kept popping up (I have a modem on board for some old freebie dial-up accounts, just in case my broadband has a problem, which happens every so often in this rural area), so something is going on in the background. Also, when Vagetatool had done its thing, it ended up with my display drivers removed, so I restored these. Here is the report:

ComboFix 12-04-27.01 - Dr Michael Foster 27/04/2012 16:04:39.5.4 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2791 [GMT 1:00]
Running from: c:\documents and settings\Dr Michael Foster\Desktop\vagetatool.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\urttemp
c:\windows\system32\urttemp\regtlib.exe
.
Infected copy of c:\windows\system32\drivers\nv4_mini.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2012-03-27 to 2012-04-27 )))))))))))))))))))))))))))))))
.
.
2012-04-27 14:59 . 2004-08-03 21:29 1897408 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2012-04-26 16:38 . 2012-04-26 16:38 17920 -c--a-w- c:\windows\system32\dllcache\ping.exe
2012-04-26 16:38 . 2012-04-26 16:38 17920 ----a-w- c:\windows\system32\ping.exe
2012-04-26 07:59 . 2012-04-26 07:59 -------- d-----w- c:\program files\ESET
2012-04-25 18:19 . 2012-04-25 18:19 -------- d-----w- C:\_OTL
2012-04-25 16:31 . 2012-04-25 16:31 -------- d-----w- c:\program files\ERUNT
2012-04-25 09:11 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-04-24 09:21 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-04-22 19:27 . 2012-04-22 19:36 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-21 08:26 . 2012-04-21 08:26 -------- d-----w- c:\documents and settings\Dr Michael Foster\Application Data\Malwarebytes
2012-04-21 08:26 . 2012-04-21 08:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-21 08:26 . 2012-04-21 08:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-21 08:26 . 2012-04-04 14:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-21 08:25 . 2012-04-21 08:25 -------- d-----w- C:\Malwarebytes
2012-04-20 14:55 . 2012-04-20 14:55 110080 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{4E0C6314-A8B8-4026-AC15-084E8B63AFB5}\IconF7A21AF7.exe
2012-04-20 14:55 . 2012-04-20 14:55 110080 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{4E0C6314-A8B8-4026-AC15-084E8B63AFB5}\IconD7F16134.exe
2012-04-20 14:55 . 2012-04-20 14:55 110080 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{4E0C6314-A8B8-4026-AC15-084E8B63AFB5}\IconCF33A0CE.exe
2012-04-20 14:55 . 2012-04-20 14:55 -------- d-----w- C:\sh4ldr
2012-04-20 14:55 . 2012-04-20 14:55 -------- d-----w- c:\program files\Enigma Software Group
2012-04-20 14:51 . 2012-04-20 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-04-20 14:51 . 2012-04-20 14:51 -------- d-----w- c:\documents and settings\Dr Michael Foster\Application Data\TestApp
2012-04-20 14:00 . 2012-04-20 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\B7E8587A4FE3ECF660BFD1C8D151FC4E
2012-04-04 15:18 . 2012-04-04 15:18 -------- d-----w- c:\program files\Copy of WinFax
2012-04-04 14:18 . 2012-04-08 06:29 -------- d-----w- c:\program files\winfax
2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2012-04-03 07:25 . 2012-04-13 17:58 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-13 17:58 . 2011-05-17 06:05 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 14:18 . 2010-05-05 05:48 41 ----a-w- c:\windows\WFXDEL.BAT
2012-03-11 12:48 . 2012-03-11 12:48 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-03-05 19:27 . 2012-03-05 19:27 73728 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\NewShortcut47_74B9CE5DF1F4447F982DCA29A461B529.exe
2012-03-05 19:27 . 2012-03-05 19:27 73728 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\NewShortcut46_74B9CE5DF1F4447F982DCA29A461B529.exe
2012-03-05 19:27 . 2012-03-05 19:27 53248 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\ARPPRODUCTICON.exe
2012-03-05 19:27 . 2012-03-05 19:27 49152 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\Uninstall_QA_OTI_H_FE5D756F71E147C4972AD6775344B40B.exe
2012-03-05 19:27 . 2012-03-05 19:27 49152 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\NewShortcut2_1C7B7089989A424FB39D41A32581C775.exe
2012-03-01 11:01 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2006-02-28 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2006-02-28 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2006-02-28 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2006-02-28 12:00 385024 ------w- c:\windows\system32\html.iec
2012-02-03 09:22 . 2006-02-28 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2011-12-16 1508408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFaxAppPortStarter"="wfxsnt40.exe" [2002-12-12 45568]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-11 8429568]
"RTHDCPL"="RTHDCPL.EXE" [2010-04-06 19523104]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-11 81920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"FaxTalk FaxCenter Pro 8"="c:\program files\FaxTalk\FTClCtrl.exe" [2011-09-23 120672]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"NSU_agent"="c:\program files\Nokia\Nokia Software Updater\nsu3ui_agent.exe" [2011-12-13 190768]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-04-04 35736]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
MagicFormation.lnk - c:\program files\Magic Formation\MagicFormation.exe [2010-4-28 454656]
Microsoft Office Outlook 2003.lnk - c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2010-4-25 794624]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-11-13 113024]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\winfax\WfxSeh32.Dll" [1998-07-27 38400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:F *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Aolpress\\Ws_ftp\\WS_FTP95.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\ArcSoft\\PhotoStudio 5.5\\PhotoStudio.exe"=
"c:\\Program Files\\NewSoft\\Presto! PageManager 7.15\\Pmsb.exe"=
"c:\\Program Files\\ScanSoft\\OmniPageSE4.0\\TwainClient.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\FaxTalk\\FTmsgsvc.exe"=
"c:\\Program Files\\FaxTalk\\fapiexe.exe"=
"c:\\Program Files\\FaxTalk\\FTclctrl.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
"c:\\Documents and Settings\\Dr Michael Foster\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13/09/2010 16:27 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [07/09/2010 04:48 32592]
R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [07/05/2010 11:55 16048]
S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [11/03/2012 13:48 56208]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/09/2010 04:48 230608]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [09/11/2010 23:20 295248]
S1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [15/12/2011 18:00 228208]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [11/03/2012 13:48 71440]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [11/03/2012 13:48 164112]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [17/02/2010 11:25 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [06/05/2010 17:10 67664]
S2 !SASCORE;SAS Core Service;"c:\program files\SUPERAntiSpyware\SASCORE.EXE" --> c:\program files\SUPERAntiSpyware\SASCORE.EXE [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [12/10/2011 07:25 4433248]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [02/08/2011 06:09 192776]
S2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [31/07/2010 20:34 162096]
S2 FaxTalk FaxCenter Pro 8;FaxTalk FaxCenter Pro 8;c:\program files\FaxTalk\FTmsgsvc.exe [23/09/2011 11:07 33120]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14/07/2010 12:31 136176]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [21/04/2012 09:26 654408]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [11/03/2012 13:48 931640]
S2 SdReadSpool;SolidPDFCreatorReadSpool;c:\program files\SolidDocuments\SolidPDFCreator\SPC\SolidPdfService.exe [18/03/2009 18:08 189696]
S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [18/01/2012 06:21 737184]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [03/04/2012 08:25 253088]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [28/04/2010 20:33 1691480]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [19/08/2010 21:42 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [19/08/2010 21:42 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [19/08/2010 21:42 16720]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 11336]
S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [06/05/2011 15:57 13904]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [14/07/2010 12:31 136176]
S3 ham50;Intel V92 HaM Data Fax Voice;c:\windows\system32\DRIVERS\IntelH51.sys --> c:\windows\system32\DRIVERS\IntelH51.sys [?]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [10/04/2010 17:05 266544]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [21/04/2012 09:26 22344]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [15/01/2012 08:31 137600]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [15/01/2012 08:31 8576]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys [19/07/2011 09:52 21520]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [28/02/2006 13:00 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Messenger
Netman
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
fsaa
pgpsdkservice
omci
mindrepair
SfCtlCom
dladresn
alertservice
ADSMService
avpnnic
websenseclientdeployservice
symdns
EACSvrMngr
arkbcfltr
protectionservice
pdlndldl
adaptecstoragemanageragent
upsentry_smart
trackcam4
giveio
ccevtmgr
{eda5f5d3-9e0f-4f4d-8a13-1d1cf469c9cc}
int15
scsiaccess
icdsptsv
ppped
C-Dilla
belmonitorservice
Packet
rtl8023
osanbm
NWHOST
pca
navapel
btcsrusb
fuj02b1
smstsmgr
NMSCFG
MRV6X32P
pop3d32
trlokom_rmhsvc
mf
procexp100
adsexpb
TSHWMDTCP
sqlagent$pinnaclesys
NeroMediaHomeService.4
3combootp
atiavaiw
eloggersvc6
SGHIDI
savrt
W700obex
iviregmgr
prism_a02
mi-raysat_3dsMax2008_32
Cap7134
wdm_au8820
ctprxy2k
spbbcsvc
IWCA
pshost
omniusb
acmservice
EUSBMSD
adfs
btwdndis
ipsraidn
l8042pr2
cygserver
ood2000
QWAVEDRV
EL90X
backupclientsvc
service1
TeamViewer
DNE
MSCamSvc
mafwboot
smartwiservice
LUsbFilt
winpowermanager
ZDPNDIS5
mcdetect.exe
CAM1210
incdfs
se45bus
SaiMini
s116mdm
ATKGFNEXSrv
wap3gx
dlaopiom
n558
CXAVXBAR
MSICPL
lxce_device
pktfilter
sfsync04
pav_service
mssql$sqlexpress
was
lxct_device
wlsetupsvc
vrservice
USA49W
infrastructure
SQLAgent$MICROSOFTBCM
surveyor
Mvc25U870_VID_1262&PID_25FD
bobo
RalinkRegistryWriter
usb20l
SimpTcp
imap4d32
kodakccs
JGOGO
forcewarewebinterface
scan
nicconfigsvc
NVR0FLASHDev
w70n51
ikfileflt
s716nd5
ZDPSp50
lxbs_device
sfsync02
generichidservice
alcxsens
NWSIPX32
curtainssyssvc
wmccds
cmbatt
pdlnepkt
PGPwded
Si3114r5
RTL8169
DS1410D
susbser
GoProto
ql2100
vaiomediaplatform-integratedserver-appserver
nchssvad
atimtag
SiRemFil
roxmediadb9
dptrackerd
UxTuneUp
EU3_USB
CoachUsb
USBAAPL
CdaD10BA
FINEPIX_PCC
MR97310_USB_DUAL_CAMERA
softfax
roxmediadb
U2SP
w29n51
getPlusHelper
superproserver
BrUsbSer
lxrsge10s
USB11LDR
smservaz
commserver
amdk7
ar5211
hap16v2k
DC21x4
USBVCD
Rasman
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
TrkWks
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc
WmdmPmSN
napagent
hkmsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 17:58]
.
2012-04-27 c:\windows\Tasks\ConfigExec.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 16:05]
.
2012-04-27 c:\windows\Tasks\DataUpload.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 16:05]
.
2011-11-11 c:\windows\Tasks\debutDowngrade.job
- c:\program files\NCH Software\Debut\debut.exe [2010-08-07 17:31]
.
2011-11-11 c:\windows\Tasks\debutShakeIcon.job
- c:\program files\NCH Software\Debut\debut.exe [2010-08-07 17:31]
.
2012-04-16 c:\windows\Tasks\doxillionShakeIcon.job
- c:\program files\NCH Software\Doxillion\doxillion.exe [2011-03-23 07:38]
.
2012-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-14 11:31]
.
2012-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-14 11:31]
.
2012-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1177238915-839522115-1003Core.job
- c:\documents and settings\Dr Michael Foster\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-22 15:04]
.
2012-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1177238915-839522115-1003UA.job
- c:\documents and settings\Dr Michael Foster\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-22 15:04]
.
2012-04-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
2012-01-20 c:\windows\Tasks\pixillionShakeIcon.job
- c:\program files\NCH Software\Pixillion\pixillion.exe [2011-04-02 13:28]
.
2011-11-11 c:\windows\Tasks\prismShakeIcon.job
- c:\program files\NCH Software\Prism\prism.exe [2010-08-07 14:27]
.
2011-11-11 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-08-07 14:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www2.prestel.co.uk/church/oosj/osj.htm
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-WFXSwtch - c:\progra~1\winfax\WFXSWTCH.exe
HKLM-Run-nwiz - nwiz.exe
SafeBoot-48309816.sys
SafeBoot-55688713.sys
SafeBoot-69944965.sys
SafeBoot-75860562.sys
SafeBoot-79782063.sys
SafeBoot-WudfPf
SafeBoot-WudfRd
SafeBoot-WinDefend
AddRemove-A to B Britain - c:\program files\AtoB4\Uninst.isu
AddRemove-WinFax - c:\program files\winfax\WFXUNIST.ISU
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-27 16:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(256)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\l3codeca.acm
.
Completion time: 2012-04-27 16:23:46 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-27 15:23
.
Pre-Run: 107,584,679,936 bytes free
Post-Run: 107,540,197,376 bytes free
.
- - End Of File - - F515367D4109A49104AEA989306E2C32

jeffce
2012-04-27, 21:00
Hi,

Okie dokie.... :cowboy:

Next I would like you to take the following steps:
Click Start, then Run, type Notepad and click OK
Copy and paste the contents of the code box below into Notepad



REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"=hex(7):36,74,6f,34,00,41,70,70,4d,67,6d,74,00,41,75,64,69,6f,53,72,\
76,00,42,72,6f,77,73,65,72,00,43,72,79,70,74,53,76,63,00,44,4d,53,65,72,76,\
65,72,00,44,48,43,50,00,45,52,53,76,63,00,45,76,65,6e,74,53,79,73,74,65,6d,\
00,46,61,73,74,55,73,65,72,53,77,69,74,63,68,69,6e,67,43,6f,6d,70,61,74,69,\
62,69,6c,69,74,79,00,48,69,64,53,65,72,76,00,49,61,73,00,49,70,72,69,70,00,\
49,72,6d,6f,6e,00,4c,61,6e,6d,61,6e,53,65,72,76,65,72,00,4c,61,6e,6d,61,6e,\
57,6f,72,6b,73,74,61,74,69,6f,6e,00,4d,65,73,73,65,6e,67,65,72,00,4e,65,74,\
6d,61,6e,00,4e,6c,61,00,4e,74,6d,73,73,76,63,00,4e,57,43,57,6f,72,6b,73,74,\
61,74,69,6f,6e,00,4e,77,73,61,70,61,67,65,6e,74,00,52,61,73,61,75,74,6f,00,\
52,61,73,6d,61,6e,00,52,65,6d,6f,74,65,61,63,63,65,73,73,00,53,63,68,65,64,\
75,6c,65,00,53,65,63,6c,6f,67,6f,6e,00,53,45,4e,53,00,53,68,61,72,65,64,61,\
63,63,65,73,73,00,53,52,53,65,72,76,69,63,65,00,54,61,70,69,73,72,76,00,54,\
68,65,6d,65,73,00,54,72,6b,57,6b,73,00,57,33,32,54,69,6d,65,00,57,5a,43,53,\
56,43,00,57,6d,69,00,57,6d,64,6d,50,6d,53,70,00,77,69,6e,6d,67,6d,74,00,77,\
73,63,73,76,63,00,78,6d,6c,70,72,6f,76,00,6e,61,70,61,67,65,6e,74,00,68,6b,\
6d,73,76,63,00,42,49,54,53,00,77,75,61,75,73,65,72,76,00,53,68,65,6c,6c,48,\
57,44,65,74,65,63,74,69,6f,6e,00,68,65,6c,70,73,76,63,00,00


Save as regfix.reg to your Desktop
Make sure to save file type as All Files
Now right-click regfix.reg and select Merge
----------

Now reboot your system and run a new scan with ComboFix and post the newly made log. :)

osjknights
2012-04-27, 23:40
I have just finished work. I have merged the reg file, and will rescan early tomorrow. Then Saturday after early am (from 9am through to the afternoon) is written off, but I will continue early Sunday morning for an hour, though I am working mid-morning. Thanks for your assistance, and it is good that I have my wife's machine on which to continue my work and catch up with your help. Thanks.

jeffce
2012-04-28, 02:31
Hi,

No problem...take your time. :bigthumb:

osjknights
2012-04-28, 09:07
On running the app again this message appears:
"You are infected with Rootkit.ZeroAccess!
It has inserted itself into the tcp/ip stack. This is a particularly difficult infection.
If for any reason that you’re unable to connect to the internet after running ComboFix, reboot once and see if that fixes it. If it's not fixed, run ComboFix one more time"

I guess I will get time to complete the scan but will post on my return home (I have to go out). I might be able to post later today, but I will have an early slot tomorrow.

Again thanks

osjknights
2012-04-28, 13:18
ComboFix 12-04-27.01 - Dr Michael Foster 28/04/2012 8:02.6.4 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2788 [GMT 1:00]
Running from: c:\documents and settings\Dr Michael Foster\Desktop\vagetatool.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\drivers\nv4_mini.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2012-03-28 to 2012-04-28 )))))))))))))))))))))))))))))))
.
.
2012-04-28 06:57 . 2004-08-03 21:29 1897408 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2012-04-27 16:23 . 2012-04-27 16:23 4948 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-04-26 16:38 . 2012-04-26 16:38 17920 -c--a-w- c:\windows\system32\dllcache\ping.exe
2012-04-26 16:38 . 2012-04-26 16:38 17920 ----a-w- c:\windows\system32\ping.exe
2012-04-26 07:59 . 2012-04-26 07:59 -------- d-----w- c:\program files\ESET
2012-04-25 18:19 . 2012-04-25 18:19 -------- d-----w- C:\_OTL
2012-04-25 16:31 . 2012-04-25 16:31 -------- d-----w- c:\program files\ERUNT
2012-04-25 09:11 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-04-24 09:21 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-04-22 19:27 . 2012-04-22 19:36 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-21 08:26 . 2012-04-21 08:26 -------- d-----w- c:\documents and settings\Dr Michael Foster\Application Data\Malwarebytes
2012-04-21 08:26 . 2012-04-21 08:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-21 08:26 . 2012-04-21 08:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-21 08:26 . 2012-04-04 14:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-21 08:25 . 2012-04-21 08:25 -------- d-----w- C:\Malwarebytes
2012-04-20 14:55 . 2012-04-20 14:55 110080 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{4E0C6314-A8B8-4026-AC15-084E8B63AFB5}\IconF7A21AF7.exe
2012-04-20 14:55 . 2012-04-20 14:55 110080 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{4E0C6314-A8B8-4026-AC15-084E8B63AFB5}\IconD7F16134.exe
2012-04-20 14:55 . 2012-04-20 14:55 110080 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{4E0C6314-A8B8-4026-AC15-084E8B63AFB5}\IconCF33A0CE.exe
2012-04-20 14:55 . 2012-04-20 14:55 -------- d-----w- C:\sh4ldr
2012-04-20 14:55 . 2012-04-20 14:55 -------- d-----w- c:\program files\Enigma Software Group
2012-04-20 14:51 . 2012-04-20 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-04-20 14:51 . 2012-04-20 14:51 -------- d-----w- c:\documents and settings\Dr Michael Foster\Application Data\TestApp
2012-04-20 14:00 . 2012-04-20 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\B7E8587A4FE3ECF660BFD1C8D151FC4E
2012-04-04 15:18 . 2012-04-04 15:18 -------- d-----w- c:\program files\Copy of WinFax
2012-04-04 14:18 . 2012-04-08 06:29 -------- d-----w- c:\program files\winfax
2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2012-04-03 07:25 . 2012-04-13 17:58 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-13 17:58 . 2011-05-17 06:05 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 14:18 . 2010-05-05 05:48 41 ----a-w- c:\windows\WFXDEL.BAT
2012-03-11 12:48 . 2012-03-11 12:48 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-03-05 19:27 . 2012-03-05 19:27 73728 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\NewShortcut47_74B9CE5DF1F4447F982DCA29A461B529.exe
2012-03-05 19:27 . 2012-03-05 19:27 73728 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\NewShortcut46_74B9CE5DF1F4447F982DCA29A461B529.exe
2012-03-05 19:27 . 2012-03-05 19:27 53248 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\ARPPRODUCTICON.exe
2012-03-05 19:27 . 2012-03-05 19:27 49152 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\Uninstall_QA_OTI_H_FE5D756F71E147C4972AD6775344B40B.exe
2012-03-05 19:27 . 2012-03-05 19:27 49152 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\NewShortcut2_1C7B7089989A424FB39D41A32581C775.exe
2012-03-01 11:01 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2006-02-28 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2006-02-28 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2006-02-28 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2006-02-28 12:00 385024 ------w- c:\windows\system32\html.iec
2012-02-03 09:22 . 2006-02-28 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-27_15.18.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-28 07:15 . 2012-04-28 07:15 16384 c:\windows\temp\Perflib_Perfdata_2c0.dat
+ 2010-04-24 17:56 . 2008-04-14 00:12 74752 c:\windows\system32\storprop.dll
- 2010-04-24 17:56 . 2008-04-14 00:12 74752 c:\windows\system32\storprop.dll
+ 2012-04-27 16:22 . 2008-04-13 19:46 61696 c:\windows\system32\ReinstallBackups\0153\DriverFiles\i386\ohci1394.sys
+ 2012-04-27 16:22 . 2008-04-13 19:51 61824 c:\windows\system32\ReinstallBackups\0153\DriverFiles\i386\nic1394.sys
+ 2012-04-27 16:22 . 2008-04-13 19:51 60800 c:\windows\system32\ReinstallBackups\0153\DriverFiles\i386\arp1394.sys
+ 2012-04-27 16:22 . 2008-04-13 19:46 53376 c:\windows\system32\ReinstallBackups\0153\DriverFiles\i386\1394bus.sys
+ 2012-04-27 16:21 . 2008-04-14 00:12 74752 c:\windows\system32\ReinstallBackups\0151\DriverFiles\i386\storprop.dll
+ 2012-04-27 16:21 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0151\DriverFiles\i386\atapi.sys
+ 2012-04-27 16:21 . 2008-04-14 00:12 74752 c:\windows\system32\ReinstallBackups\0150\DriverFiles\i386\storprop.dll
+ 2012-04-27 16:21 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0150\DriverFiles\i386\atapi.sys
+ 2012-04-27 16:21 . 2008-04-14 00:12 74752 c:\windows\system32\ReinstallBackups\0149\DriverFiles\i386\storprop.dll
+ 2012-04-27 16:21 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0149\DriverFiles\i386\atapi.sys
+ 2012-04-27 16:20 . 2008-04-14 00:12 74752 c:\windows\system32\ReinstallBackups\0148\DriverFiles\i386\storprop.dll
+ 2012-04-27 16:20 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0148\DriverFiles\i386\atapi.sys
+ 2012-04-27 16:20 . 2008-04-14 00:12 74752 c:\windows\system32\ReinstallBackups\0147\DriverFiles\i386\storprop.dll
+ 2012-04-27 16:20 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0147\DriverFiles\i386\atapi.sys
+ 2012-04-27 16:20 . 2008-04-14 00:12 74752 c:\windows\system32\ReinstallBackups\0146\DriverFiles\i386\storprop.dll
+ 2012-04-27 16:20 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0146\DriverFiles\i386\atapi.sys
+ 2012-04-27 16:20 . 2008-04-14 00:12 74752 c:\windows\system32\ReinstallBackups\0145\DriverFiles\i386\storprop.dll
+ 2012-04-27 16:20 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0145\DriverFiles\i386\atapi.sys
+ 2012-04-27 16:21 . 2008-04-13 18:39 24576 c:\windows\system32\ReinstallBackups\0099\DriverFiles\i386\kbdclass.sys
+ 2012-04-27 16:21 . 2008-04-13 19:18 52480 c:\windows\system32\ReinstallBackups\0099\DriverFiles\i386\i8042prt.sys
+ 2012-04-27 16:15 . 2008-04-13 18:45 26368 c:\windows\system32\ReinstallBackups\0060\DriverFiles\i386\USBSTOR.SYS
+ 2012-04-27 16:19 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0058\DriverFiles\i386\usbhub.sys
+ 2012-04-27 16:20 . 2008-04-13 18:40 24960 c:\windows\system32\ReinstallBackups\0055\DriverFiles\i386\pciidex.sys
+ 2012-04-27 16:20 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0055\DriverFiles\i386\atapi.sys
+ 2012-04-27 16:14 . 2008-04-13 18:45 26368 c:\windows\system32\ReinstallBackups\0053\DriverFiles\i386\USBSTOR.SYS
+ 2012-04-27 16:19 . 2008-04-13 18:40 24960 c:\windows\system32\ReinstallBackups\0019\DriverFiles\i386\pciidex.sys
+ 2012-04-27 16:19 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0019\DriverFiles\i386\atapi.sys
+ 2012-04-27 16:17 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0017\DriverFiles\i386\usbhub.sys
+ 2012-04-27 16:17 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0015\DriverFiles\i386\usbhub.sys
+ 2012-04-27 16:20 . 2008-04-14 00:12 74752 c:\windows\system32\ReinstallBackups\0014\DriverFiles\i386\storprop.dll
+ 2012-04-27 16:20 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0014\DriverFiles\i386\atapi.sys
+ 2012-04-27 16:17 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0013\DriverFiles\i386\usbhub.sys
+ 2012-04-27 16:18 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0012\DriverFiles\i386\usbhub.sys
+ 2012-04-27 16:17 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0011\DriverFiles\i386\usbhub.sys
+ 2012-04-27 16:17 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0009\DriverFiles\i386\usbhub.sys
- 2010-04-28 15:36 . 2004-08-03 23:56 74240 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:14 . 2008-04-14 00:12 74240 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:14 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\usbhub.sys
+ 2012-04-27 16:14 . 2008-04-13 18:45 30208 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\usbehci.sys
- 2010-04-28 15:35 . 2004-08-03 23:56 74240 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:12 . 2008-04-14 00:12 74240 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:12 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\usbhub.sys
+ 2012-04-27 16:12 . 2008-04-13 18:45 30208 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\usbehci.sys
- 2010-04-28 15:35 . 2004-08-03 23:56 74240 c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:12 . 2008-04-14 00:12 74240 c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:12 . 2008-04-13 18:45 20608 c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\usbuhci.sys
+ 2012-04-27 16:12 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\usbhub.sys
+ 2012-04-27 16:12 . 2008-04-14 00:12 74240 c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\usbui.dll
- 2010-04-28 15:35 . 2004-08-03 23:56 74240 c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:12 . 2008-04-13 18:45 20608 c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\usbuhci.sys
+ 2012-04-27 16:12 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\usbhub.sys
+ 2012-04-27 16:12 . 2008-04-14 00:12 74240 c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\usbui.dll
- 2010-04-28 15:34 . 2004-08-03 23:56 74240 c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:12 . 2008-04-13 18:45 20608 c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\usbuhci.sys
+ 2012-04-27 16:12 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\usbhub.sys
- 2010-04-28 15:34 . 2004-08-03 23:56 74240 c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:11 . 2008-04-14 00:12 74240 c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:11 . 2008-04-13 18:45 20608 c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\usbuhci.sys
+ 2012-04-27 16:11 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\usbhub.sys
- 2010-04-28 15:34 . 2004-08-03 23:56 74240 c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:11 . 2008-04-14 00:12 74240 c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:11 . 2008-04-13 18:45 20608 c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\usbuhci.sys
+ 2012-04-27 16:11 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\usbhub.sys
- 2010-04-28 15:33 . 2004-08-03 23:56 74240 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:11 . 2008-04-14 00:12 74240 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:11 . 2008-04-13 18:45 20608 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\usbuhci.sys
+ 2012-04-27 16:11 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\usbhub.sys
+ 2012-04-27 16:17 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\usbhub.sys
+ 2006-02-28 12:00 . 2008-04-13 18:45 20608 c:\windows\system32\drivers\usbuhci.sys
- 2006-02-28 12:00 . 2008-04-13 18:45 20608 c:\windows\system32\drivers\usbuhci.sys
+ 2006-02-28 12:00 . 2008-04-13 18:45 59520 c:\windows\system32\drivers\usbhub.sys
- 2006-02-28 12:00 . 2008-04-13 18:45 59520 c:\windows\system32\drivers\usbhub.sys
+ 2006-02-28 12:00 . 2008-04-13 18:45 30208 c:\windows\system32\drivers\usbehci.sys
- 2006-02-28 12:00 . 2008-04-13 18:45 30208 c:\windows\system32\drivers\usbehci.sys
+ 2006-02-28 12:00 . 2008-04-13 18:40 24960 c:\windows\system32\drivers\pciidex.sys
- 2006-02-28 12:00 . 2008-04-13 18:40 24960 c:\windows\system32\drivers\pciidex.sys
+ 2006-02-28 12:00 . 2008-04-13 18:46 61696 c:\windows\system32\drivers\ohci1394.sys
- 2006-02-28 12:00 . 2008-04-13 19:46 61696 c:\windows\system32\drivers\ohci1394.sys
- 2004-08-03 22:58 . 2008-04-13 19:51 61824 c:\windows\system32\drivers\nic1394.sys
+ 2004-08-03 22:58 . 2008-04-13 18:51 61824 c:\windows\system32\drivers\nic1394.sys
- 2006-02-28 12:00 . 2008-04-13 18:39 24576 c:\windows\system32\drivers\kbdclass.sys
+ 2006-02-28 12:00 . 2008-04-13 18:39 24576 c:\windows\system32\drivers\kbdclass.sys
- 2004-08-03 22:58 . 2008-04-13 19:51 60800 c:\windows\system32\drivers\arp1394.sys
+ 2004-08-03 22:58 . 2008-04-13 18:51 60800 c:\windows\system32\drivers\arp1394.sys
+ 2006-02-28 12:00 . 2008-04-13 18:46 53376 c:\windows\system32\drivers\1394bus.sys
- 2006-02-28 12:00 . 2008-04-13 19:46 53376 c:\windows\system32\drivers\1394bus.sys
+ 2012-04-27 16:22 . 2001-08-17 13:46 6400 c:\windows\system32\ReinstallBackups\0153\DriverFiles\i386\enum1394.sys
+ 2012-04-27 16:19 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0058\DriverFiles\i386\usbd.sys
+ 2012-04-27 16:20 . 2001-08-17 12:51 3328 c:\windows\system32\ReinstallBackups\0055\DriverFiles\i386\pciide.sys
- 2010-04-28 10:43 . 2001-08-17 12:51 3328 c:\windows\system32\ReinstallBackups\0055\DriverFiles\i386\pciide.sys
- 2010-04-28 10:43 . 2001-08-17 12:51 3328 c:\windows\system32\ReinstallBackups\0019\DriverFiles\i386\pciide.sys
+ 2012-04-27 16:19 . 2001-08-17 12:51 3328 c:\windows\system32\ReinstallBackups\0019\DriverFiles\i386\pciide.sys
+ 2012-04-27 16:17 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0017\DriverFiles\i386\usbd.sys
- 2010-04-28 15:39 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0017\DriverFiles\i386\usbd.sys
- 2010-04-28 15:39 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0015\DriverFiles\i386\usbd.sys
+ 2012-04-27 16:17 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0015\DriverFiles\i386\usbd.sys
+ 2012-04-27 16:17 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0013\DriverFiles\i386\usbd.sys
- 2010-04-28 15:40 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0013\DriverFiles\i386\usbd.sys
- 2010-04-28 15:40 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0012\DriverFiles\i386\usbd.sys
+ 2012-04-27 16:18 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0012\DriverFiles\i386\usbd.sys
- 2010-04-28 15:39 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0011\DriverFiles\i386\usbd.sys
+ 2012-04-27 16:17 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0011\DriverFiles\i386\usbd.sys
+ 2012-04-27 16:17 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0009\DriverFiles\i386\usbd.sys
- 2010-04-28 15:39 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0009\DriverFiles\i386\usbd.sys
+ 2012-04-27 16:14 . 2008-04-14 00:11 7168 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\hccoin.dll
- 2010-04-28 15:36 . 2006-02-28 12:00 7168 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\hccoin.dll
+ 2012-04-27 16:12 . 2008-04-14 00:11 7168 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\hccoin.dll
- 2010-04-28 15:35 . 2006-02-28 12:00 7168 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\hccoin.dll
+ 2012-04-27 16:17 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\usbd.sys
- 2010-04-28 15:40 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\usbd.sys
+ 2010-04-24 17:57 . 2001-08-17 12:46 6400 c:\windows\system32\drivers\enum1394.sys
- 2010-04-24 17:57 . 2001-08-17 13:46 6400 c:\windows\system32\drivers\enum1394.sys
+ 2012-04-27 16:21 . 2008-04-13 18:31 134400 c:\windows\system32\ReinstallBackups\0152\DriverFiles\i386\halmacpi.dll
+ 2012-04-27 16:14 . 2008-04-13 18:45 143872 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\usbport.sys
+ 2012-04-27 16:12 . 2008-04-13 18:45 143872 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\usbport.sys
+ 2012-04-27 16:12 . 2008-04-13 18:45 143872 c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\usbport.sys
+ 2012-04-27 16:12 . 2008-04-13 18:45 143872 c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\usbport.sys
+ 2012-04-27 16:12 . 2008-04-13 18:45 143872 c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\usbport.sys
+ 2012-04-27 16:11 . 2008-04-13 18:45 143872 c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\usbport.sys
+ 2012-04-27 16:11 . 2008-04-13 18:45 143872 c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\usbport.sys
+ 2012-04-27 16:11 . 2008-04-13 18:45 143872 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\usbport.sys
+ 2012-04-27 16:21 . 2011-10-25 12:52 2027008 c:\windows\system32\ReinstallBackups\0152\DriverFiles\i386\ntkrpamp.exe
+ 2012-04-27 16:21 . 2011-10-25 13:37 2148864 c:\windows\system32\ReinstallBackups\0152\DriverFiles\i386\ntkrnlmp.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2011-12-16 1508408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFaxAppPortStarter"="wfxsnt40.exe" [2002-12-12 45568]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-11 8429568]
"RTHDCPL"="RTHDCPL.EXE" [2010-04-06 19523104]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"FaxTalk FaxCenter Pro 8"="c:\program files\FaxTalk\FTClCtrl.exe" [2011-09-23 120672]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"NSU_agent"="c:\program files\Nokia\Nokia Software Updater\nsu3ui_agent.exe" [2011-12-13 190768]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-04-04 35736]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"nwiz"="nwiz.exe" [BU]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-11 81920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
MagicFormation.lnk - c:\program files\Magic Formation\MagicFormation.exe [2010-4-28 454656]
Microsoft Office Outlook 2003.lnk - c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2010-4-25 794624]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-11-13 113024]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\winfax\WfxSeh32.Dll" [1998-07-27 38400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:F *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Aolpress\\Ws_ftp\\WS_FTP95.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\ArcSoft\\PhotoStudio 5.5\\PhotoStudio.exe"=
"c:\\Program Files\\NewSoft\\Presto! PageManager 7.15\\Pmsb.exe"=
"c:\\Program Files\\ScanSoft\\OmniPageSE4.0\\TwainClient.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\FaxTalk\\FTmsgsvc.exe"=
"c:\\Program Files\\FaxTalk\\fapiexe.exe"=
"c:\\Program Files\\FaxTalk\\FTclctrl.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
"c:\\Documents and Settings\\Dr Michael Foster\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13/09/2010 16:27 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [07/09/2010 04:48 32592]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [11/03/2012 13:48 56208]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/09/2010 04:48 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [09/11/2010 23:20 295248]
R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [07/05/2010 11:55 16048]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [15/12/2011 18:00 228208]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [11/03/2012 13:48 71440]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [11/03/2012 13:48 164112]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [17/02/2010 11:25 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [06/05/2010 17:10 67664]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [02/08/2011 06:09 192776]
R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [31/07/2010 20:34 162096]
R2 FaxTalk FaxCenter Pro 8;FaxTalk FaxCenter Pro 8;c:\program files\FaxTalk\FTmsgsvc.exe [23/09/2011 11:07 33120]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [21/04/2012 09:26 654408]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [11/03/2012 13:48 931640]
R2 SdReadSpool;SolidPDFCreatorReadSpool;c:\program files\SolidDocuments\SolidPDFCreator\SPC\SolidPdfService.exe [18/03/2009 18:08 189696]
R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [18/01/2012 06:21 737184]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [19/08/2010 21:42 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [19/08/2010 21:42 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [19/08/2010 21:42 16720]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [21/04/2012 09:26 22344]
S2 !SASCORE;SAS Core Service;"c:\program files\SUPERAntiSpyware\SASCORE.EXE" --> c:\program files\SUPERAntiSpyware\SASCORE.EXE [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [12/10/2011 07:25 4433248]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14/07/2010 12:31 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [03/04/2012 08:25 253088]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [28/04/2010 20:33 1691480]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 11336]
S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [06/05/2011 15:57 13904]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [14/07/2010 12:31 136176]
S3 ham50;Intel V92 HaM Data Fax Voice;c:\windows\system32\DRIVERS\IntelH51.sys --> c:\windows\system32\DRIVERS\IntelH51.sys [?]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [10/04/2010 17:05 266544]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [15/01/2012 08:31 137600]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [15/01/2012 08:31 8576]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys [19/07/2011 09:52 21520]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [28/02/2006 13:00 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 17:58]
.
2012-04-28 c:\windows\Tasks\ConfigExec.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 16:05]
.
2012-04-27 c:\windows\Tasks\DataUpload.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 16:05]
.
2011-11-11 c:\windows\Tasks\debutDowngrade.job
- c:\program files\NCH Software\Debut\debut.exe [2010-08-07 17:31]
.
2011-11-11 c:\windows\Tasks\debutShakeIcon.job
- c:\program files\NCH Software\Debut\debut.exe [2010-08-07 17:31]
.
2012-04-16 c:\windows\Tasks\doxillionShakeIcon.job
- c:\program files\NCH Software\Doxillion\doxillion.exe [2011-03-23 07:38]
.
2012-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-14 11:31]
.
2012-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-14 11:31]
.
2012-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1177238915-839522115-1003Core.job
- c:\documents and settings\Dr Michael Foster\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-22 15:04]
.
2012-04-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1177238915-839522115-1003UA.job
- c:\documents and settings\Dr Michael Foster\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-22 15:04]
.
2012-04-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
2012-01-20 c:\windows\Tasks\pixillionShakeIcon.job
- c:\program files\NCH Software\Pixillion\pixillion.exe [2011-04-02 13:28]
.
2011-11-11 c:\windows\Tasks\prismShakeIcon.job
- c:\program files\NCH Software\Prism\prism.exe [2010-08-07 14:27]
.
2011-11-11 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-08-07 14:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www2.prestel.co.uk/church/oosj/osj.htm
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-28 08:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1060)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3008)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
c:\windows\system32\ieframe.dll
c:\program files\Magic Formation\MFHook.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\WFXSVC.EXE
c:\program files\FaxTalk\FAPIEXE.EXE
c:\windows\system32\wfxsnt40.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\rundll32.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
c:\windows\system32\wscntfy.exe
c:\windows\System32\wudfhost.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2012-04-28 08:22:05 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-28 07:22
ComboFix2.txt 2012-04-27 15:23
.
Pre-Run: 107,423,932,416 bytes free
Post-Run: 107,409,145,856 bytes free
.
- - End Of File - - 4B22D7A8DE69480CD6D80DF7E2DE41F1

jeffce
2012-04-28, 16:48
That looked good. How is your system running? :)

osjknights
2012-04-28, 17:51
Hi

The system seems OK, and AVG is not flashing up Trojan warnings every three seconds; however, out of curiosity I ran the vagetatool one more time and it gave the same warning as before: "You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection." etc.

I have yet to road run the computer properly, as I have been doing most of my essential work on my wife's machine (and accessing this forum, save for when I needed to download a tool).

Also, I know that the ping.exe file was trashed and that I was able to replace it; I am sure I might have lost other files. Is there any easy way to re-install any missing operating files on the machine (XP SP3)?

jeffce
2012-04-28, 19:57
Hi,

Please do the following:

Run TDSSKiller again and post the new log.
----------

Open OTL
In Custom Scans/Fixes put

netsvcs
/md5start
consrv.dll
/md5stop
createrestorepoint

Press the Run Scan button and post the newly made log

osjknights
2012-04-28, 21:06
Hi

I notice I have this entry in the HijackThis list:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=*.local

I have not seen it in the past - should it be removed?

----------------------------------------
Scan results:
----------------------------------------
TDSSKiller:

19:40:39.0140 2548 TDSS rootkit removing tool 2.7.33.0 Apr 24 2012 18:43:43
19:40:39.0156 2548 ============================================================
19:40:39.0156 2548 Current date / time: 2012/04/28 19:40:39.0156
19:40:39.0156 2548 SystemInfo:
19:40:39.0156 2548
19:40:39.0156 2548 OS Version: 5.1.2600 ServicePack: 3.0
19:40:39.0156 2548 Product type: Workstation
19:40:39.0156 2548 ComputerName: KNIGHTS-2EE6007
19:40:39.0156 2548 UserName: Dr Michael Foster
19:40:39.0156 2548 Windows directory: C:\WINDOWS
19:40:39.0156 2548 System windows directory: C:\WINDOWS
19:40:39.0156 2548 Processor architecture: Intel x86
19:40:39.0156 2548 Number of processors: 4
19:40:39.0156 2548 Page size: 0x1000
19:40:39.0156 2548 Boot type: Normal boot
19:40:39.0156 2548 ============================================================
19:40:40.0796 2548 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
19:40:41.0218 2548 Drive \Device\Harddisk1\DR1 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1F8B1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000054
19:40:41.0265 2548 Drive \Device\Harddisk2\DR5 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x7E2D, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'W'
19:40:41.0312 2548 ============================================================
19:40:41.0312 2548 \Device\Harddisk0\DR0:
19:40:41.0312 2548 MBR partitions:
19:40:41.0312 2548 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1D1C0681
19:40:41.0312 2548 \Device\Harddisk1\DR1:
19:40:41.0312 2548 MBR partitions:
19:40:41.0312 2548 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
19:40:41.0312 2548 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x746D3800
19:40:41.0312 2548 \Device\Harddisk2\DR5:
19:40:41.0312 2548 MBR partitions:
19:40:41.0312 2548 \Device\Harddisk2\DR5\Partition0: MBR, Type 0x7, StartLBA 0xABE800, BlocksNum 0x2EE000
19:40:41.0312 2548 \Device\Harddisk2\DR5\Partition1: MBR, Type 0x7, StartLBA 0xDAC800, BlocksNum 0x1C418800
19:40:41.0312 2548 ============================================================
19:40:41.0343 2548 C: <-> \Device\Harddisk0\DR0\Partition0
19:40:41.0343 2548 E: <-> \Device\Harddisk1\DR1\Partition0
19:40:41.0359 2548 F: <-> \Device\Harddisk1\DR1\Partition1
19:40:41.0390 2548 L: <-> \Device\Harddisk2\DR5\Partition0
19:40:41.0406 2548 M: <-> \Device\Harddisk2\DR5\Partition1
19:40:41.0406 2548 ============================================================
19:40:41.0406 2548 Initialize success
19:40:41.0406 2548 ============================================================
19:40:51.0578 2804 ============================================================
19:40:51.0578 2804 Scan started
19:40:51.0578 2804 Mode: Manual; SigCheck; TDLFS;
19:40:51.0578 2804 ============================================================
19:40:52.0343 2804 !SASCORE - ok
19:40:52.0437 2804 Abiosdsk - ok
19:40:52.0437 2804 abp480n5 - ok
19:40:52.0515 2804 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:40:52.0984 2804 ACPI - ok
19:40:53.0015 2804 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
19:40:53.0109 2804 ACPIEC - ok
19:40:53.0109 2804 adaptecstoragemanageragent - ok
19:40:53.0218 2804 AdobeFlashPlayerUpdateSvc (459ac130c6ab892b1cd5d7544626efc5) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
19:40:53.0218 2804 AdobeFlashPlayerUpdateSvc - ok
19:40:53.0234 2804 adpu160m - ok
19:40:53.0234 2804 adsexpb - ok
19:40:53.0281 2804 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
19:40:53.0359 2804 aec - ok
19:40:53.0406 2804 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
19:40:53.0437 2804 AFD - ok
19:40:53.0437 2804 Aha154x - ok
19:40:53.0437 2804 aic78u2 - ok
19:40:53.0437 2804 aic78xx - ok
19:40:53.0437 2804 alcxsens - ok
19:40:53.0484 2804 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
19:40:53.0593 2804 Alerter - ok
19:40:53.0593 2804 alertservice - ok
19:40:53.0625 2804 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
19:40:53.0656 2804 ALG - ok
19:40:53.0656 2804 AliIde - ok
19:40:53.0765 2804 Ambfilt (267fc636801edc5ab28e14036349e3be) C:\WINDOWS\system32\drivers\Ambfilt.sys
19:40:53.0812 2804 Ambfilt - ok
19:40:53.0843 2804 amdk7 - ok
19:40:53.0843 2804 amsint - ok
19:40:53.0984 2804 Apple Mobile Device (20f6f19fe9e753f2780dc2fa083ad597) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
19:40:54.0000 2804 Apple Mobile Device - ok
19:40:54.0046 2804 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
19:40:54.0109 2804 AppMgmt - ok
19:40:54.0109 2804 ar5211 - ok
19:40:54.0109 2804 arkbcfltr - ok
19:40:54.0140 2804 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
19:40:54.0218 2804 Arp1394 - ok
19:40:54.0218 2804 asc - ok
19:40:54.0234 2804 asc3350p - ok
19:40:54.0234 2804 asc3550 - ok
19:40:54.0328 2804 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
19:40:54.0343 2804 aspnet_state - ok
19:40:54.0375 2804 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
19:40:54.0453 2804 AsyncMac - ok
19:40:54.0500 2804 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
19:40:54.0609 2804 atapi - ok
19:40:54.0609 2804 Atdisk - ok
19:40:54.0609 2804 ATKGFNEXSrv - ok
19:40:54.0609 2804 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
19:40:54.0687 2804 Atmarpc - ok
19:40:54.0718 2804 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
19:40:54.0796 2804 AudioSrv - ok
19:40:54.0859 2804 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
19:40:54.0953 2804 audstub - ok
19:40:55.0218 2804 AVGIDSAgent (6d440ff3f44ca72edfd6176c6d6a89c0) C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
19:40:55.0359 2804 AVGIDSAgent - ok
19:40:55.0453 2804 AVGIDSDriver (4fa401b33c1b50c816486f6951244a14) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
19:40:55.0468 2804 AVGIDSDriver - ok
19:40:55.0484 2804 AVGIDSEH (69578bc9d43d614c6b3455db4af19762) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
19:40:55.0500 2804 AVGIDSEH - ok
19:40:55.0515 2804 AVGIDSFilter (6df528406aa22201f392b9b19121cd6f) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
19:40:55.0531 2804 AVGIDSFilter - ok
19:40:55.0593 2804 AVGIDSShim (1e01c2166b5599802bcd61b9691f7476) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
19:40:55.0609 2804 AVGIDSShim - ok
19:40:55.0671 2804 Avgldx86 (bf8118cd5e2255387b715b534d64acd1) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
19:40:55.0687 2804 Avgldx86 - ok
19:40:55.0750 2804 Avgmfx86 (1c77ef67f196466adc9924cb288afe87) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
19:40:55.0750 2804 Avgmfx86 - ok
19:40:55.0765 2804 Avgrkx86 (f2038ed7284b79dcef581468121192a9) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
19:40:55.0781 2804 Avgrkx86 - ok
19:40:55.0796 2804 Avgtdix (a6d562b612216d8d02a35ebeb92366bd) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
19:40:55.0812 2804 Avgtdix - ok
19:40:55.0890 2804 avgwd (6699ece24fe4b3f752a66c66a602ee86) C:\Program Files\AVG\AVG2012\avgwdsvc.exe
19:40:55.0906 2804 avgwd - ok
19:40:55.0906 2804 BANTExt - ok
19:40:55.0968 2804 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
19:40:56.0062 2804 Beep - ok
19:40:56.0062 2804 belmonitorservice - ok
19:40:56.0125 2804 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
19:40:56.0234 2804 BITS - ok
19:40:56.0250 2804 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
19:40:56.0343 2804 Browser - ok
19:40:56.0343 2804 BrUsbSer - ok
19:40:56.0375 2804 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
19:40:56.0484 2804 BthEnum - ok
19:40:56.0515 2804 BTHMODEM (fca6f069597b62d42495191ace3fc6c1) C:\WINDOWS\system32\DRIVERS\bthmodem.sys
19:40:56.0593 2804 BTHMODEM - ok
19:40:56.0625 2804 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
19:40:56.0718 2804 BthPan - ok
19:40:56.0765 2804 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
19:40:56.0796 2804 BTHPORT - ok
19:40:56.0843 2804 BthServ (f4c43c66471b87996d95db7a3a664a37) C:\WINDOWS\System32\bthserv.dll
19:40:56.0937 2804 BthServ - ok
19:40:56.0953 2804 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
19:40:57.0031 2804 BTHUSB - ok
19:40:57.0031 2804 C-Dilla - ok
19:40:57.0031 2804 catchme - ok
19:40:57.0078 2804 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
19:40:57.0187 2804 cbidf2k - ok
19:40:57.0187 2804 ccevtmgr - ok
19:40:57.0187 2804 cd20xrnt - ok
19:40:57.0187 2804 CdaD10BA - ok
19:40:57.0203 2804 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
19:40:57.0281 2804 Cdaudio - ok
19:40:57.0328 2804 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
19:40:57.0421 2804 Cdfs - ok
19:40:57.0453 2804 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
19:40:57.0546 2804 Cdrom - ok
19:40:57.0593 2804 Changer (daf1a8193b6caf0fb858cadcc5c4af4a) C:\WINDOWS\system32\drivers\Changer.sys
19:40:57.0703 2804 Changer - ok
19:40:57.0750 2804 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
19:40:57.0828 2804 CiSvc - ok
19:40:57.0875 2804 CLBStor (0252b4007a8f3a6cc61220cbe122544d) C:\WINDOWS\system32\drivers\CLBStor.sys
19:40:57.0890 2804 CLBStor - ok
19:40:57.0953 2804 CLBUDF (dc705765a170f7bd8af3632c93b03f0b) C:\WINDOWS\system32\drivers\CLBUDF.sys
19:40:57.0968 2804 CLBUDF - ok
19:40:57.0984 2804 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
19:40:58.0078 2804 ClipSrv - ok
19:40:58.0187 2804 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
19:40:58.0203 2804 clr_optimization_v2.0.50727_32 - ok
19:40:58.0203 2804 CmdIde - ok
19:40:58.0203 2804 CoachUsb - ok
19:40:58.0203 2804 commserver - ok
19:40:58.0203 2804 COMSysApp - ok
19:40:58.0218 2804 Cpqarray - ok
19:40:58.0296 2804 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
19:40:58.0312 2804 cpudrv - ok
19:40:58.0343 2804 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
19:40:58.0421 2804 CryptSvc - ok
19:40:58.0421 2804 cygserver - ok
19:40:58.0421 2804 dac2w2k - ok
19:40:58.0421 2804 dac960nt - ok
19:40:58.0421 2804 DC21x4 - ok
19:40:58.0468 2804 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
19:40:58.0484 2804 DcomLaunch - ok
19:40:58.0546 2804 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
19:40:58.0625 2804 Dhcp - ok
19:40:58.0656 2804 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
19:40:58.0765 2804 Disk - ok
19:40:58.0765 2804 dladresn - ok
19:40:58.0765 2804 dlaopiom - ok
19:40:58.0765 2804 dmadmin - ok
19:40:58.0828 2804 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
19:40:58.0937 2804 dmboot - ok
19:40:58.0968 2804 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
19:40:59.0078 2804 dmio - ok
19:40:59.0093 2804 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
19:40:59.0171 2804 dmload - ok
19:40:59.0203 2804 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
19:40:59.0296 2804 dmserver - ok
19:40:59.0312 2804 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
19:40:59.0390 2804 DMusic - ok
19:40:59.0437 2804 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
19:40:59.0453 2804 Dnscache - ok
19:40:59.0484 2804 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
19:40:59.0578 2804 Dot3svc - ok
19:40:59.0593 2804 dpti2o - ok
19:40:59.0609 2804 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
19:40:59.0703 2804 drmkaud - ok
19:40:59.0703 2804 EACSvrMngr - ok
19:40:59.0734 2804 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
19:40:59.0843 2804 EapHost - ok
19:40:59.0843 2804 EL90X - ok
19:40:59.0843 2804 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
19:40:59.0937 2804 ERSvc - ok
19:41:00.0015 2804 esgiguard (2407b8164e966755bc6a4242fc9de31e) C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys
19:41:00.0015 2804 esgiguard - ok
19:41:00.0031 2804 EU3_USB - ok
19:41:00.0109 2804 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
19:41:00.0125 2804 Eventlog - ok
19:41:00.0187 2804 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
19:41:00.0203 2804 EventSystem - ok
19:41:00.0203 2804 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
19:41:00.0296 2804 Fastfat - ok
19:41:00.0343 2804 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
19:41:00.0359 2804 FastUserSwitchingCompatibility - ok
19:41:00.0421 2804 FaxTalk FaxCenter Pro 8 (18ef9f53f127b8758b257117983df520) C:\Program Files\FaxTalk\FTmsgsvc.exe
19:41:00.0437 2804 FaxTalk FaxCenter Pro 8 - ok
19:41:00.0453 2804 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
19:41:00.0531 2804 Fdc - ok
19:41:00.0546 2804 FINEPIX_PCC - ok
19:41:00.0578 2804 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
19:41:00.0671 2804 Fips - ok
19:41:00.0687 2804 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
19:41:00.0765 2804 Flpydisk - ok
19:41:00.0796 2804 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
19:41:00.0875 2804 FltMgr - ok
19:41:01.0046 2804 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
19:41:01.0062 2804 FontCache3.0.0.0 - ok
19:41:01.0062 2804 fsaa - ok
19:41:01.0109 2804 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
19:41:01.0187 2804 Fs_Rec - ok
19:41:01.0265 2804 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:41:01.0359 2804 Ftdisk - ok
19:41:01.0390 2804 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
19:41:01.0406 2804 GEARAspiWDM - ok
19:41:01.0406 2804 getPlusHelper - ok
19:41:01.0406 2804 giveio - ok
19:41:01.0453 2804 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
19:41:01.0562 2804 Gpc - ok
19:41:01.0609 2804 gupdate (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
19:41:01.0625 2804 gupdate - ok
19:41:01.0625 2804 gupdatem (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
19:41:01.0625 2804 gupdatem - ok
19:41:01.0640 2804 ham50 - ok
19:41:01.0640 2804 hap16v2k - ok
19:41:01.0687 2804 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
19:41:01.0781 2804 HDAudBus - ok
19:41:01.0828 2804 helpsvc - ok
19:41:01.0828 2804 HidServ - ok
19:41:01.0875 2804 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
19:41:01.0968 2804 hkmsvc - ok
19:41:01.0968 2804 hpn - ok
19:41:02.0015 2804 HSFHWBS2 (6312dc46356df3974e88aa51b69360dc) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
19:41:02.0031 2804 HSFHWBS2 - ok
19:41:02.0093 2804 HSF_DPV (daab917eec9849840a13353198d48cc5) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
19:41:02.0140 2804 HSF_DPV - ok
19:41:02.0187 2804 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
19:41:02.0234 2804 HTTP - ok
19:41:02.0281 2804 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
19:41:02.0375 2804 HTTPFilter - ok
19:41:02.0406 2804 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys
19:41:02.0484 2804 i2omgmt - ok
19:41:02.0484 2804 i2omp - ok
19:41:02.0546 2804 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:41:02.0640 2804 i8042prt - ok
19:41:02.0640 2804 icdsptsv - ok
19:41:02.0828 2804 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
19:41:02.0859 2804 idsvc - ok
19:41:02.0875 2804 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
19:41:02.0953 2804 Imapi - ok
19:41:02.0984 2804 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
19:41:03.0062 2804 ImapiService - ok
19:41:03.0062 2804 incdfs - ok
19:41:03.0078 2804 ini910u - ok
19:41:03.0078 2804 int15 - ok
19:41:03.0375 2804 IntcAzAudAddService (718f495096df8d94fb66c9c962646372) C:\WINDOWS\system32\drivers\RtkHDAud.sys
19:41:03.0562 2804 IntcAzAudAddService - ok
19:41:03.0640 2804 IntelIde - ok
19:41:03.0703 2804 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
19:41:03.0781 2804 intelppm - ok
19:41:03.0781 2804 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
19:41:03.0875 2804 Ip6Fw - ok
19:41:03.0921 2804 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:41:04.0015 2804 IpFilterDriver - ok
19:41:04.0046 2804 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:41:04.0140 2804 IpInIp - ok
19:41:04.0171 2804 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:41:04.0265 2804 IpNat - ok
19:41:04.0390 2804 iPod Service (3a6d4d8abacf64292d060c9e06d2050d) C:\Program Files\iPod\bin\iPodService.exe
19:41:04.0421 2804 iPod Service - ok
19:41:04.0437 2804 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:41:04.0531 2804 IPSec - ok
19:41:04.0562 2804 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
19:41:04.0609 2804 IRENUM - ok
19:41:04.0640 2804 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:41:04.0718 2804 isapnp - ok
19:41:04.0812 2804 JavaQuickStarterService (381b25dc8e958d905b33130d500bbf29) C:\Program Files\Java\jre6\bin\jqs.exe
19:41:04.0828 2804 JavaQuickStarterService - ok
19:41:04.0828 2804 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:41:04.0906 2804 Kbdclass - ok
19:41:04.0921 2804 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
19:41:05.0000 2804 kmixer - ok
19:41:05.0031 2804 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
19:41:05.0062 2804 KSecDD - ok
19:41:05.0109 2804 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
19:41:05.0140 2804 lanmanserver - ok
19:41:05.0156 2804 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
19:41:05.0171 2804 lanmanworkstation - ok
19:41:05.0187 2804 lbrtfdc (cc50a66548c2f285bc8a7b0b8aa578e3) C:\WINDOWS\system32\drivers\lbrtfdc.sys
19:41:05.0250 2804 lbrtfdc - ok
19:41:05.0281 2804 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
19:41:05.0375 2804 LmHosts - ok
19:41:05.0375 2804 LUsbFilt - ok
19:41:05.0375 2804 lxrsge10s - ok
19:41:05.0375 2804 mafwboot - ok
19:41:05.0484 2804 MatSvc (0cf633a54c681c65297c63106c4bc376) C:\Program Files\Microsoft Fix it Center\Matsvc.exe
19:41:05.0500 2804 MatSvc - ok
19:41:05.0531 2804 MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) C:\WINDOWS\system32\drivers\mbam.sys
19:41:05.0531 2804 MBAMProtector - ok
19:41:05.0609 2804 MBAMService (ba400ed640bca1eae5c727ae17c10207) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
19:41:05.0640 2804 MBAMService - ok
19:41:05.0750 2804 McComponentHostService (f453d1e6d881e8f8717e20ccd4199e85) C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
19:41:05.0765 2804 McComponentHostService - ok
19:41:05.0765 2804 mcdetect.exe - ok
19:41:05.0843 2804 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
19:41:05.0859 2804 mdmxsdk - ok
19:41:05.0890 2804 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
19:41:05.0984 2804 Messenger - ok
19:41:05.0984 2804 mf - ok
19:41:05.0984 2804 mindrepair - ok
19:41:06.0031 2804 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
19:41:06.0109 2804 mnmdd - ok
19:41:06.0140 2804 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
19:41:06.0234 2804 mnmsrvc - ok
19:41:06.0296 2804 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
19:41:06.0375 2804 Modem - ok
19:41:06.0421 2804 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
19:41:06.0515 2804 MODEMCSA - ok
19:41:06.0625 2804 Monfilt (c7d9f9717916b34c1b00dd4834af485c) C:\WINDOWS\system32\drivers\Monfilt.sys
19:41:06.0656 2804 Monfilt - ok
19:41:06.0718 2804 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:41:06.0812 2804 Mouclass - ok
19:41:06.0843 2804 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
19:41:06.0937 2804 MountMgr - ok
19:41:06.0937 2804 MR97310_USB_DUAL_CAMERA - ok
19:41:06.0953 2804 mraid35x - ok
19:41:06.0953 2804 MRV6X32P - ok
19:41:06.0968 2804 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:41:07.0078 2804 MRxDAV - ok
19:41:07.0140 2804 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:41:07.0171 2804 MRxSmb - ok
19:41:07.0171 2804 MSCamSvc - ok
19:41:07.0203 2804 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
19:41:07.0296 2804 MSDTC - ok
19:41:07.0312 2804 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
19:41:07.0406 2804 Msfs - ok
19:41:07.0406 2804 MSICPL - ok
19:41:07.0421 2804 MSIServer - ok
19:41:07.0421 2804 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:41:07.0515 2804 MSKSSRV - ok
19:41:07.0515 2804 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:41:07.0593 2804 MSPCLOCK - ok
19:41:07.0593 2804 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
19:41:07.0671 2804 MSPQM - ok
19:41:07.0718 2804 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:41:07.0796 2804 mssmbios - ok
19:41:07.0812 2804 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
19:41:07.0843 2804 Mup - ok
19:41:07.0843 2804 Mvc25U870_VID_1262&PID_25FD - ok
19:41:07.0859 2804 n558 - ok
19:41:07.0906 2804 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
19:41:07.0968 2804 napagent - ok
19:41:07.0984 2804 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
19:41:08.0078 2804 NDIS - ok
19:41:08.0125 2804 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:41:08.0156 2804 NdisTapi - ok
19:41:08.0156 2804 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:41:08.0234 2804 Ndisuio - ok
19:41:08.0250 2804 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:41:08.0312 2804 NdisWan - ok
19:41:08.0343 2804 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
19:41:08.0359 2804 NDProxy - ok
19:41:08.0359 2804 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
19:41:08.0453 2804 NetBIOS - ok
19:41:08.0484 2804 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
19:41:08.0562 2804 NetBT - ok
19:41:08.0578 2804 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
19:41:08.0656 2804 NetDDE - ok
19:41:08.0656 2804 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
19:41:08.0734 2804 NetDDEdsdm - ok
19:41:08.0781 2804 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
19:41:08.0859 2804 Netlogon - ok
19:41:08.0875 2804 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
19:41:08.0968 2804 Netman - ok
19:41:09.0140 2804 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
19:41:09.0140 2804 NetTcpPortSharing - ok
19:41:09.0187 2804 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
19:41:09.0281 2804 NIC1394 - ok
19:41:09.0328 2804 nicconfigsvc (9c454cd857b4c0ccf7a614b047616503) C:\WINDOWS\system32\SimpTcp.dll
19:41:09.0406 2804 nicconfigsvc - ok
19:41:09.0468 2804 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
19:41:09.0515 2804 Nla - ok
19:41:09.0546 2804 nmwcd (f6c40e0a565ee3ce5aeeb325e10054f2) C:\WINDOWS\system32\drivers\ccdcmb.sys
19:41:09.0593 2804 nmwcd - ok
19:41:09.0625 2804 nmwcdc (2a394e9e1fa3565e4b2fea470ffe4d6b) C:\WINDOWS\system32\drivers\ccdcmbo.sys
19:41:09.0687 2804 nmwcdc - ok
19:41:09.0718 2804 nmwcdnsu (99b224f8026cb534724aa3c408561e45) C:\WINDOWS\system32\drivers\nmwcdnsu.sys
19:41:09.0781 2804 nmwcdnsu - ok
19:41:09.0812 2804 nmwcdnsuc (d23257682d349a5e2e4507ed33decc16) C:\WINDOWS\system32\drivers\nmwcdnsuc.sys
19:41:09.0890 2804 nmwcdnsuc - ok
19:41:09.0906 2804 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
19:41:10.0000 2804 Npfs - ok
19:41:10.0046 2804 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
19:41:10.0156 2804 Ntfs - ok
19:41:10.0156 2804 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
19:41:10.0234 2804 NtLmSsp - ok
19:41:10.0265 2804 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
19:41:10.0375 2804 NtmsSvc - ok
19:41:10.0406 2804 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
19:41:10.0500 2804 Null - ok
19:41:10.0828 2804 nv (ceab17ba3e0f7de96a4649f896b35131) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
19:41:11.0000 2804 nv ( UnsignedFile.Multi.Generic ) - warning
19:41:11.0000 2804 nv - detected UnsignedFile.Multi.Generic (1)
19:41:11.0125 2804 NVSvc (df6fd57d6807ae459b3463fbfda02d49) C:\WINDOWS\system32\nvsvc32.exe
19:41:11.0140 2804 NVSvc ( UnsignedFile.Multi.Generic ) - warning
19:41:11.0140 2804 NVSvc - detected UnsignedFile.Multi.Generic (1)
19:41:11.0156 2804 NWHOST - ok
19:41:11.0187 2804 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:41:11.0281 2804 NwlnkFlt - ok
19:41:11.0281 2804 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:41:11.0359 2804 NwlnkFwd - ok
19:41:11.0390 2804 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
19:41:11.0484 2804 ohci1394 - ok
19:41:11.0484 2804 omci - ok
19:41:11.0609 2804 ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
19:41:11.0609 2804 ose - ok
19:41:11.0671 2804 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
19:41:11.0765 2804 Parport - ok
19:41:11.0765 2804 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
19:41:11.0843 2804 PartMgr - ok
19:41:11.0890 2804 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
19:41:11.0984 2804 ParVdm - ok
19:41:12.0031 2804 pccsmcfd (fd2041e9ba03db7764b2248f02475079) C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys
19:41:12.0046 2804 pccsmcfd - ok
19:41:12.0078 2804 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
19:41:12.0187 2804 PCI - ok
19:41:12.0187 2804 PCIDump - ok
19:41:12.0218 2804 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
19:41:12.0312 2804 PCIIde - ok
19:41:12.0328 2804 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
19:41:12.0406 2804 Pcmcia - ok
19:41:12.0406 2804 pdlndldl - ok
19:41:12.0421 2804 perc2 - ok
19:41:12.0421 2804 perc2hib - ok
19:41:12.0421 2804 pgpsdkservice - ok
19:41:12.0421 2804 pktfilter - ok
19:41:12.0468 2804 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
19:41:12.0484 2804 PlugPlay - ok
19:41:12.0500 2804 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
19:41:12.0578 2804 PolicyAgent - ok
19:41:12.0609 2804 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
19:41:12.0687 2804 PptpMiniport - ok
19:41:12.0687 2804 procexp100 - ok
19:41:12.0687 2804 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
19:41:12.0765 2804 ProtectedStorage - ok
19:41:12.0765 2804 protectionservice - ok
19:41:12.0781 2804 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
19:41:12.0843 2804 PSched - ok
19:41:12.0890 2804 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
19:41:12.0984 2804 Ptilink - ok
19:41:12.0984 2804 ql1080 - ok
19:41:12.0984 2804 Ql10wnt - ok
19:41:12.0984 2804 ql12160 - ok
19:41:12.0984 2804 ql1240 - ok
19:41:13.0000 2804 ql1280 - ok
19:41:13.0000 2804 ql2100 - ok
19:41:13.0187 2804 RapportCerberus_34302 (6b6f0a77365667912360ff1d5e984f25) C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys
19:41:13.0203 2804 RapportCerberus_34302 - ok
19:41:13.0250 2804 RapportEI (43b9aa1423bf54367c5a3de1559780e8) C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
19:41:13.0265 2804 RapportEI - ok
19:41:13.0359 2804 RapportIaso (dd3e4610de9252a957c5bd19bdf47ac4) c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\rapportiaso.sys
19:41:13.0375 2804 RapportIaso - ok
19:41:13.0390 2804 RapportKELL (118600ab8f15fe27f2c865f3fb4efa58) C:\WINDOWS\system32\Drivers\RapportKELL.sys
19:41:13.0406 2804 RapportKELL - ok
19:41:13.0468 2804 RapportMgmtService (d9ef54568fafcb4be4637068e768409a) C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
19:41:13.0484 2804 RapportMgmtService - ok
19:41:13.0515 2804 RapportPG (4af05a67b643a5190dfcbb793273e0bc) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
19:41:13.0531 2804 RapportPG - ok
19:41:13.0578 2804 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
19:41:13.0656 2804 RasAcd - ok
19:41:13.0687 2804 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
19:41:13.0765 2804 RasAuto - ok
19:41:13.0796 2804 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:41:13.0875 2804 Rasl2tp - ok
19:41:13.0921 2804 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
19:41:14.0000 2804 RasMan - ok
19:41:14.0046 2804 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:41:14.0140 2804 RasPppoe - ok
19:41:14.0140 2804 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
19:41:14.0218 2804 Raspti - ok
19:41:14.0250 2804 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
19:41:14.0328 2804 Rdbss - ok
19:41:14.0328 2804 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
19:41:14.0421 2804 RDPCDD - ok
19:41:14.0484 2804 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
19:41:14.0578 2804 rdpdr - ok
19:41:14.0640 2804 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
19:41:14.0671 2804 RDPWD - ok
19:41:14.0718 2804 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
19:41:14.0812 2804 RDSessMgr - ok
19:41:14.0843 2804 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
19:41:14.0953 2804 redbook - ok
19:41:14.0984 2804 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
19:41:15.0093 2804 RemoteAccess - ok
19:41:15.0125 2804 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
19:41:15.0203 2804 RemoteRegistry - ok
19:41:15.0250 2804 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
19:41:15.0328 2804 RFCOMM - ok
19:41:15.0546 2804 RichVideo (4d05898896ec49cf663dda61041ab096) C:\Program Files\CyberLink\Shared Files\RichVideo.exe
19:41:15.0562 2804 RichVideo - ok
19:41:15.0562 2804 roxmediadb - ok
19:41:15.0593 2804 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
19:41:15.0671 2804 RpcLocator - ok
19:41:15.0734 2804 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
19:41:15.0750 2804 RpcSs - ok
19:41:15.0781 2804 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
19:41:15.0859 2804 RSVP - ok
19:41:15.0906 2804 RTL8023xp (69ee1e8dc0c750a5d03739e6e9429959) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
19:41:15.0937 2804 RTL8023xp ( UnsignedFile.Multi.Generic ) - warning
19:41:15.0937 2804 RTL8023xp - detected UnsignedFile.Multi.Generic (1)
19:41:15.0968 2804 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
19:41:16.0046 2804 rtl8139 - ok
19:41:16.0046 2804 SaiMini - ok
19:41:16.0078 2804 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
19:41:16.0156 2804 SamSs - ok
19:41:16.0265 2804 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
19:41:16.0265 2804 SASDIFSV - ok
19:41:16.0281 2804 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
19:41:16.0281 2804 SASKUTIL - ok
19:41:16.0343 2804 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
19:41:16.0437 2804 SCardSvr - ok
19:41:16.0453 2804 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
19:41:16.0531 2804 Schedule - ok
19:41:16.0640 2804 SdReadSpool (b9443470baae569d9a3fabbfeb35c4e7) C:\Program Files\SolidDocuments\SolidPDFCreator\SPC\SolidPdfService.exe
19:41:16.0640 2804 SdReadSpool - ok
19:41:16.0671 2804 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
19:41:16.0734 2804 Secdrv - ok
19:41:16.0796 2804 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
19:41:16.0875 2804 seclogon - ok
19:41:16.0890 2804 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
19:41:16.0968 2804 SENS - ok
19:41:17.0031 2804 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
19:41:17.0109 2804 Serial - ok
19:41:17.0203 2804 ServiceLayer (f31e9531af225ca25350d5e87e999b31) C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
19:41:17.0234 2804 ServiceLayer - ok
19:41:17.0234 2804 SfCtlCom - ok
19:41:17.0296 2804 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
19:41:17.0390 2804 Sfloppy - ok
19:41:17.0390 2804 sfsync04 - ok
19:41:17.0453 2804 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
19:41:17.0546 2804 SharedAccess - ok
19:41:17.0578 2804 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
19:41:17.0593 2804 ShellHWDetection - ok
19:41:17.0593 2804 Simbad - ok
19:41:17.0593 2804 SiRemFil - ok
19:41:17.0593 2804 smartwiservice - ok
19:41:17.0593 2804 smservaz - ok
19:41:17.0609 2804 softfax - ok
19:41:17.0609 2804 Sparrow - ok
19:41:17.0656 2804 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
19:41:17.0734 2804 splitter - ok
19:41:17.0750 2804 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
19:41:17.0765 2804 Spooler - ok
19:41:17.0843 2804 SpyHunter 4 Service (63f2b52947577dbb075fe646bc758a2f) C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
19:41:17.0875 2804 SpyHunter 4 Service - ok
19:41:17.0890 2804 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
19:41:17.0953 2804 sr - ok
19:41:18.0000 2804 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
19:41:18.0031 2804 srservice - ok
19:41:18.0093 2804 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
19:41:18.0140 2804 Srv - ok
19:41:18.0156 2804 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
19:41:18.0218 2804 SSDPSRV - ok
19:41:18.0265 2804 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
19:41:18.0343 2804 stisvc - ok
19:41:18.0390 2804 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
19:41:18.0468 2804 swenum - ok
19:41:18.0515 2804 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
19:41:18.0609 2804 swmidi - ok
19:41:18.0609 2804 SwPrv - ok
19:41:18.0609 2804 symc810 - ok
19:41:18.0609 2804 symc8xx - ok
19:41:18.0625 2804 symdns - ok
19:41:18.0625 2804 sym_hi - ok
19:41:18.0625 2804 sym_u3 - ok
19:41:18.0656 2804 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
19:41:18.0734 2804 sysaudio - ok
19:41:18.0765 2804 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
19:41:18.0859 2804 SysmonLog - ok
19:41:18.0921 2804 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
19:41:19.0031 2804 TapiSrv - ok
19:41:19.0093 2804 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:41:19.0109 2804 Tcpip - ok
19:41:19.0140 2804 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
19:41:19.0250 2804 TDPIPE - ok
19:41:19.0250 2804 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
19:41:19.0343 2804 TDTCP - ok
19:41:19.0375 2804 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
19:41:19.0453 2804 TermDD - ok
19:41:19.0531 2804 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
19:41:19.0609 2804 TermService - ok
19:41:19.0640 2804 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
19:41:19.0656 2804 Themes - ok
19:41:19.0703 2804 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
19:41:19.0734 2804 TlntSvr - ok
19:41:19.0750 2804 TosIde - ok
19:41:19.0750 2804 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
19:41:19.0843 2804 TrkWks - ok
19:41:19.0859 2804 trlokom_rmhsvc - ok
19:41:19.0859 2804 U2SP - ok
19:41:19.0859 2804 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
19:41:19.0937 2804 Udfs - ok
19:41:19.0937 2804 ultra - ok
19:41:20.0000 2804 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
19:41:20.0093 2804 Update - ok
19:41:20.0125 2804 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
19:41:20.0171 2804 upnphost - ok
19:41:20.0218 2804 upperdev (47f5f9d837d80ffd5882a14db9da0a67) C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys
19:41:20.0281 2804 upperdev - ok
19:41:20.0328 2804 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
19:41:20.0421 2804 UPS - ok
19:41:20.0421 2804 upsentry_smart - ok
19:41:20.0437 2804 USB11LDR - ok
19:41:20.0437 2804 USBAAPL - ok
19:41:20.0484 2804 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
19:41:20.0578 2804 usbehci - ok
19:41:20.0609 2804 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
19:41:20.0703 2804 usbhub - ok
19:41:20.0750 2804 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
19:41:20.0828 2804 usbprint - ok
19:41:20.0828 2804 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
19:41:20.0921 2804 usbscan - ok
19:41:20.0937 2804 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\drivers\usbser.sys
19:41:21.0015 2804 usbser - ok
19:41:21.0046 2804 UsbserFilt (e44f0d17be0908b58dcc99ccb99c6c32) C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys
19:41:21.0093 2804 UsbserFilt - ok
19:41:21.0125 2804 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:41:21.0218 2804 USBSTOR - ok
19:41:21.0265 2804 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
19:41:21.0359 2804 usbuhci - ok
19:41:21.0375 2804 USBVCD - ok
19:41:21.0421 2804 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
19:41:21.0500 2804 VgaSave - ok
19:41:21.0500 2804 ViaIde - ok
19:41:21.0531 2804 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
19:41:21.0625 2804 VolSnap - ok
19:41:21.0625 2804 vrservice - ok
19:41:21.0671 2804 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
19:41:21.0703 2804 VSS - ok
19:41:21.0718 2804 w29n51 - ok
19:41:21.0750 2804 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
19:41:21.0843 2804 W32Time - ok
19:41:21.0906 2804 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
19:41:22.0000 2804 Wanarp - ok
19:41:22.0000 2804 wap3gx - ok
19:41:22.0062 2804 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
19:41:22.0078 2804 Wdf01000 - ok
19:41:22.0078 2804 WDICA - ok
19:41:22.0109 2804 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
19:41:22.0218 2804 wdmaud - ok
19:41:22.0250 2804 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
19:41:22.0343 2804 WebClient - ok
19:41:22.0375 2804 wfxsvc (be2157595c087207676ec716a6be4cce) C:\WINDOWS\system32\WFXSVC.EXE
19:41:22.0390 2804 wfxsvc ( UnsignedFile.Multi.Generic ) - warning
19:41:22.0390 2804 wfxsvc - detected UnsignedFile.Multi.Generic (1)
19:41:22.0453 2804 winachsf (be3a842c2f2e87e7c840d36bcf13e8e0) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
19:41:22.0484 2804 winachsf - ok
19:41:22.0593 2804 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
19:41:22.0671 2804 winmgmt - ok
19:41:22.0671 2804 winpowermanager - ok
19:41:22.0781 2804 WinRM (18f347402da544a780949b8fdf83351b) C:\WINDOWS\system32\WsmSvc.dll
19:41:22.0812 2804 WinRM - ok
19:41:22.0843 2804 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
19:41:22.0859 2804 WmdmPmSN - ok
19:41:22.0921 2804 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
19:41:22.0984 2804 Wmi - ok
19:41:23.0015 2804 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
19:41:23.0109 2804 WmiApSrv - ok
19:41:23.0296 2804 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
19:41:23.0343 2804 WMPNetworkSvc - ok
19:41:23.0375 2804 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
19:41:23.0375 2804 WpdUsb - ok
19:41:23.0437 2804 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
19:41:23.0531 2804 WS2IFSL - ok
19:41:23.0578 2804 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
19:41:23.0656 2804 wscsvc - ok
19:41:23.0703 2804 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
19:41:23.0781 2804 wuauserv - ok
19:41:23.0828 2804 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
19:41:23.0828 2804 WudfPf - ok
19:41:23.0859 2804 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
19:41:23.0875 2804 WudfRd - ok
19:41:23.0921 2804 WudfSvc (ddee3682fe97037c45f4d7ab467cb8b6) C:\WINDOWS\System32\WUDFSvc.dll
19:41:23.0937 2804 WudfSvc - ok
19:41:24.0000 2804 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
19:41:24.0109 2804 WZCSVC - ok
19:41:24.0140 2804 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
19:41:24.0218 2804 xmlprov - ok
19:41:24.0343 2804 {95808DC4-FA4A-4c74-92FE-5B863F82066B} (8098180b3f6c430a4e60333bc036f936) C:\Program Files\CyberLink\PowerDVD\000.fcl
19:41:24.0359 2804 {95808DC4-FA4A-4c74-92FE-5B863F82066B} - ok
19:41:24.0375 2804 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
19:41:24.0609 2804 \Device\Harddisk0\DR0 - ok
19:41:24.0609 2804 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk1\DR1
19:41:24.0625 2804 \Device\Harddisk1\DR1 - ok
19:41:24.0640 2804 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk2\DR5
19:41:24.0796 2804 \Device\Harddisk2\DR5 - ok
19:41:24.0812 2804 Boot (0x1200) (de17a28ffae56733026be20e47e5fe8c) \Device\Harddisk0\DR0\Partition0
19:41:24.0812 2804 \Device\Harddisk0\DR0\Partition0 - ok
19:41:24.0812 2804 Boot (0x1200) (ab81bc14f7e65a74e1d70e016623b088) \Device\Harddisk1\DR1\Partition0
19:41:24.0812 2804 \Device\Harddisk1\DR1\Partition0 - ok
19:41:24.0812 2804 Boot (0x1200) (f0463477c940dfacd8991233674ec997) \Device\Harddisk1\DR1\Partition1
19:41:24.0812 2804 \Device\Harddisk1\DR1\Partition1 - ok
19:41:24.0812 2804 Boot (0x1200) (eeec5da32dfa12e1263fca298252a021) \Device\Harddisk2\DR5\Partition0
19:41:24.0812 2804 \Device\Harddisk2\DR5\Partition0 - ok
19:41:24.0812 2804 Boot (0x1200) (8cbb6491629c9a350163059652938fd4) \Device\Harddisk2\DR5\Partition1
19:41:24.0812 2804 \Device\Harddisk2\DR5\Partition1 - ok
19:41:24.0812 2804 ============================================================
19:41:24.0812 2804 Scan finished
19:41:24.0812 2804 ============================================================
19:41:24.0937 3196 Detected object count: 4
19:41:24.0937 3196 Actual detected object count: 4
19:41:27.0640 3196 nv ( UnsignedFile.Multi.Generic ) - skipped by user
19:41:27.0640 3196 nv ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:41:27.0640 3196 NVSvc ( UnsignedFile.Multi.Generic ) - skipped by user
19:41:27.0640 3196 NVSvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:41:27.0640 3196 RTL8023xp ( UnsignedFile.Multi.Generic ) - skipped by user
19:41:27.0640 3196 RTL8023xp ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:41:27.0656 3196 wfxsvc ( UnsignedFile.Multi.Generic ) - skipped by user
19:41:27.0656 3196 wfxsvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:41:30.0796 2260 Deinitialize success

osjknights
2012-04-28, 21:07
-----------------------------------------------------
OTL Scan:

OTL logfile created on: 28/04/2012 19:43:25 - Run 2
OTL by OldTimer - Version 3.2.40.0 Folder = C:\Documents and Settings\Dr Michael Foster\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.41 Gb Available Physical Memory | 80.46% Memory free
4.84 Gb Paging File | 4.32 Gb Available in Paging File | 89.16% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 99.64 Gb Free Space | 42.79% Space Free | Partition Type: NTFS
Drive E: | 100.00 Mb Total Space | 65.25 Mb Free Space | 65.25% Space Free | Partition Type: NTFS
Drive F: | 931.41 Gb Total Space | 777.05 Gb Free Space | 83.43% Space Free | Partition Type: NTFS
Drive L: | 1.46 Gb Total Space | 1.42 Gb Free Space | 97.19% Space Free | Partition Type: NTFS
Drive M: | 226.05 Gb Total Space | 225.63 Gb Free Space | 99.81% Space Free | Partition Type: NTFS

Computer Name: KNIGHTS-2EE6007 | User Name: Dr Michael Foster | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Dr Michael Foster\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (Trusteer Ltd.)
PRC - C:\Program Files\AVG\AVG2012\avgui.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe (Enigma Software Group USA, LLC.)
PRC - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia)
PRC - C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe (Nokia)
PRC - C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe (Nokia)
PRC - C:\Program Files\FaxTalk\FTmsgsvc.exe (Thought Communications, Inc.)
PRC - C:\Program Files\FaxTalk\FTclctrl.exe (Thought Communications, Inc.)
PRC - C:\Program Files\FaxTalk\fapiexe.exe (Thought Communications, Inc.)
PRC - C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Magic Formation\MagicFormation.exe ()
PRC - C:\Program Files\SolidDocuments\SolidPDFCreator\SPC\SolidPdfService.exe (Solid Documents, LLC)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe (ScanSoft, Inc.)
PRC - C:\Program Files\winfax\WFXMOD32.EXE (Symantec Corporation)
PRC - C:\WINDOWS\system32\WFXSNT40.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\system32\WFXSVC.EXE (Symantec Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\PC Connectivity Solution\PCCSUpdater.dll ()
MOD - C:\Program Files\Nokia\Nokia PC Suite 7\QtXml4.dll ()
MOD - C:\Program Files\Nokia\Nokia PC Suite 7\QtSvg4.dll ()
MOD - C:\Program Files\Nokia\Nokia PC Suite 7\QtGUI4.dll ()
MOD - C:\Program Files\Nokia\Nokia PC Suite 7\QtCore4.dll ()
MOD - C:\Program Files\Nokia\Nokia PC Suite 7\imageformats\qsvg4.dll ()
MOD - C:\Program Files\Nokia\Nokia PC Suite 7\imageformats\qjpeg4.dll ()
MOD - C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportMS.dll ()
MOD - C:\Program Files\Unlocker\UnlockerCOM.dll ()
MOD - C:\Program Files\Magic Formation\MagicFormation.exe ()
MOD - C:\Program Files\Magic Formation\MFHook.dll ()
MOD - C:\WINDOWS\system32\solidlocalmon.dll ()
MOD - C:\Program Files\WinRAR\RarExt.dll ()
MOD - C:\Program Files\winfax\DCCDA32I.DLL ()
MOD - C:\Program Files\winfax\WFXVW32I.DLL ()
MOD - C:\WINDOWS\system32\spool\prtprocs\w32x86\WFXPNT40.DLL ()
MOD - C:\Program Files\winfax\SENGINE.DLL ()
MOD - C:\Program Files\winfax\DCCTBP32.DLL ()


========== Win32 Services (SafeList) ==========

SRV - (winpowermanager) -- %systemroot%\system32\oracleorahome92pagingserver.dll File not found
SRV - (wap3gx) -- %systemroot%\system32\ati2mpaa.dll File not found
SRV - (w29n51) -- %systemroot%\system32\cpqfcalm.dll File not found
SRV - (vrservice) -- %systemroot%\system32\NETw4v32.dll File not found
SRV - (USBVCD) -- %systemroot%\system32\msgsrvservice.dll File not found
SRV - (USBAAPL) -- %systemroot%\system32\stisvc.dlle File not found
SRV - (USB11LDR) -- %systemroot%\system32\olregcap.dll File not found
SRV - (upsentry_smart) -- %systemroot%\system32\RR2Vbi.dll File not found
SRV - (U2SP) -- %systemroot%\system32\rpsupdaterr.dll File not found
SRV - (trlokom_rmhsvc) -- %systemroot%\system32\iksyssec.dll File not found
SRV - (symdns) -- %systemroot%\system32\SunkFilt39.dll File not found
SRV - (softfax) -- %systemroot%\system32\beatjamupnpmusicserver.dll File not found
SRV - (smservaz) -- %systemroot%\system32\s217mgmt.dll File not found
SRV - (smartwiservice) -- %systemroot%\system32\emupia.dll File not found
SRV - (SiRemFil) -- %systemroot%\system32\backupexecnamingservice.dll File not found
SRV - (sfsync04) -- %systemroot%\system32\dcsloader.dll File not found
SRV - (SfCtlCom) -- %systemroot%\system32\djsnetcn.dll File not found
SRV - (SaiMini) -- %systemroot%\system32\webrootenterpriseupdateservice.dll File not found
SRV - (roxmediadb) -- %systemroot%\system32\motmodem.dll File not found
SRV - (ql2100) -- %systemroot%\system32\DLH5X.dll File not found
SRV - (protectionservice) -- %systemroot%\system32\PCDRSRVC.dll File not found
SRV - (procexp100) -- %systemroot%\system32\PTDCBus.dll File not found
SRV - (pktfilter) -- %systemroot%\system32\PDExchange.dll File not found
SRV - (pgpsdkservice) -- %systemroot%\system32\besclient.dll File not found
SRV - (pdlndldl) -- %systemroot%\system32\vds.dll File not found
SRV - (omci) -- %systemroot%\system32\EIO_XP.dll File not found
SRV - (NWHOST) -- %systemroot%\system32\outpostfirewall.dll File not found
SRV - (n558) -- %systemroot%\system32\iolo_srv.dll File not found
SRV - (Mvc25U870_VID_1262&PID_25FD) -- %systemroot%\system32\StickyMesger.dll File not found
SRV - (MSICPL) -- %systemroot%\system32\SaiH040B.dll File not found
SRV - (MSCamSvc) -- %systemroot%\system32\NsTrcNT.dll File not found
SRV - (MRV6X32P) -- %systemroot%\system32\n3900.dll File not found
SRV - (MR97310_USB_DUAL_CAMERA) -- %systemroot%\system32\viamraid.dllilt File not found
SRV - (mindrepair) -- %systemroot%\system32\epson_pm_rpcv2_02.dll File not found
SRV - (mf) -- %systemroot%\system32\ql2100.dll File not found
SRV - (mcdetect.exe) -- %systemroot%\system32\InterBaseGuardian.dll File not found
SRV - (mafwboot) -- %systemroot%\system32\vds.dll File not found
SRV - (lxrsge10s) -- %systemroot%\system32\snapman.dll File not found
SRV - (LUsbFilt) -- %systemroot%\system32\NwSapAgent.dll File not found
SRV - (int15) -- %systemroot%\system32\isapnp.dll File not found
SRV - (incdfs) -- %systemroot%\system32\flutilssvc.dll File not found
SRV - (icdsptsv) -- %systemroot%\system32\DS1410D.dll File not found
SRV - (HidServ) -- %SystemRoot%\System32\hidserv.dll File not found
SRV - (helpsvc) -- %SystemRoot%\PCHealth\HelpCtr\Binaries\pchsvc.dlles\pchsvc.dll File not found
SRV - (hap16v2k) -- %systemroot%\system32\qbfcservice.dll File not found
SRV - (giveio) -- %systemroot%\system32\winachsx.dll File not found
SRV - (getPlusHelper) -- %systemroot%\system32\smserial.dll File not found
SRV - (fsaa) -- %systemroot%\system32\mxssvr.dll File not found
SRV - (FINEPIX_PCC) -- %systemroot%\system32\mail2ec.dll File not found
SRV - (EU3_USB) -- %systemroot%\system32\symwsc.dll File not found
SRV - (EL90X) -- %systemroot%\system32\sentinel.dll File not found
SRV - (EACSvrMngr) -- %systemroot%\system32\int15.sys.dll File not found
SRV - (dlaopiom) -- %systemroot%\system32\CXTUNE.dll File not found
SRV - (dladresn) -- %systemroot%\system32\crystaloutputfileserver.dll File not found
SRV - (DC21x4) -- %systemroot%\system32\RapiMgr.dll File not found
SRV - (cygserver) -- %systemroot%\system32\snapman380.dll File not found
SRV - (commserver) -- %systemroot%\system32\ndis.dll File not found
SRV - (CoachUsb) -- %systemroot%\system32\mqdmmdm.dll File not found
SRV - (C-Dilla) -- %systemroot%\system32\ONSIO.dll File not found
SRV - (CdaD10BA) -- %systemroot%\system32\ctac32k.dll File not found
SRV - (ccevtmgr) -- %systemroot%\system32\btkrnl.dll File not found
SRV - (BrUsbSer) -- %systemroot%\system32\olapserver.dll File not found
SRV - (belmonitorservice) -- %systemroot%\system32\z800mdm.dll File not found
SRV - (ATKGFNEXSrv) -- %systemroot%\system32\AIRPLUS.dll File not found
SRV - (arkbcfltr) -- %systemroot%\system32\mirrorv3.dll File not found
SRV - (ar5211) -- %systemroot%\system32\arhidfltr.dll File not found
SRV - (amdk7) -- %systemroot%\system32\niorbk.dll File not found
SRV - (alertservice) -- %systemroot%\system32\sp_clamsrv.dll File not found
SRV - (alcxsens) -- %systemroot%\system32\dbmang.dll File not found
SRV - (adsexpb) -- %systemroot%\system32\idsvc.dll File not found
SRV - (adaptecstoragemanageragent) -- %systemroot%\system32\ccproxy.dll File not found
SRV - (!SASCORE) -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE File not found
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (RapportMgmtService) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (Trusteer Ltd.)
SRV - (SpyHunter 4 Service) -- C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe (Enigma Software Group USA, LLC.)
SRV - (ServiceLayer) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia)
SRV - (AVGIDSAgent) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
SRV - (FaxTalk FaxCenter Pro 8) -- C:\Program Files\FaxTalk\FTmsgsvc.exe (Thought Communications, Inc.)
SRV - (avgwd) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (MatSvc) -- C:\Program Files\Microsoft Fix it Center\Matsvc.exe (Microsoft Corporation)
SRV - (McComponentHostService) -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe (McAfee, Inc.)
SRV - (SdReadSpool) -- C:\Program Files\SolidDocuments\SolidPDFCreator\SPC\SolidPdfService.exe (Solid Documents, LLC)
SRV - (nicconfigsvc) -- C:\WINDOWS\system32\simptcp.dll (Microsoft Corporation)
SRV - (wfxsvc) -- C:\WINDOWS\system32\WFXSVC.EXE (Symantec Corporation)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PCIDump) -- File not found
DRV - (ham50) -- system32\DRIVERS\IntelH51.sys File not found
DRV - (catchme) -- C:\vagetatool\catchme.sys File not found
DRV - (BANTExt) -- C:\WINDOWS\System32\Drivers\BANTExt.sys File not found
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (RapportEI) -- C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys (Trusteer Ltd.)
DRV - (RapportPG) -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (Trusteer Ltd.)
DRV - (RapportKELL) -- C:\WINDOWS\system32\drivers\RapportKELL.sys (Trusteer Ltd.)
DRV - (RapportCerberus_34302) -- C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys ()
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (nmwcd) -- C:\WINDOWS\system32\drivers\ccdcmb.sys (Nokia)
DRV - (UsbserFilt) -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys (Nokia)
DRV - (upperdev) -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys (Nokia)
DRV - (nmwcdnsu) -- C:\WINDOWS\system32\drivers\nmwcdnsu.sys (Nokia)
DRV - (nmwcdc) -- C:\WINDOWS\system32\drivers\ccdcmbo.sys (Nokia)
DRV - (nmwcdnsuc) -- C:\WINDOWS\system32\drivers\nmwcdnsuc.sys (Nokia)
DRV - (Avgldx86) -- C:\WINDOWS\system32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSShim) -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys (AVG Technologies CZ, s.r.o. )
DRV - (Avgrkx86) -- C:\WINDOWS\system32\drivers\avgrkx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgmfx86) -- C:\WINDOWS\system32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (RapportIaso) -- c:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys (Trusteer Ltd.)
DRV - (Avgtdix) -- C:\WINDOWS\system32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (AVGIDSFilter) -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSEH) -- C:\WINDOWS\system32\drivers\AVGIDSEH.sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSDriver) -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys (AVG Technologies CZ, s.r.o. )
DRV - (esgiguard) -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys ()
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (cpudrv) -- C:\Program Files\SystemRequirementsLab\cpudrv.sys ()
DRV - (Monfilt) -- C:\WINDOWS\system32\drivers\Monfilt.sys (Creative Technology Ltd.)
DRV - (Ambfilt) -- C:\WINDOWS\system32\drivers\Ambfilt.sys (Creative)
DRV - (pccsmcfd) -- C:\WINDOWS\system32\drivers\pccsmcfd.sys (Nokia)
DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (CLBStor) -- C:\WINDOWS\System32\drivers\CLBStor.sys (Cyberlink Co.,Ltd.)
DRV - (CLBUDF) -- C:\WINDOWS\System32\drivers\CLBUDF.sys (CyberLink Corporation.)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - ({95808DC4-FA4A-4c74-92FE-5B863F82066B}) -- C:\Program Files\CyberLink\PowerDVD\000.fcl (Cyberlink Corp.)
DRV - (Changer) -- C:\WINDOWS\System32\drivers\changer.sys (Microsoft Corporation)
DRV - (lbrtfdc) -- C:\WINDOWS\System32\drivers\lbrtfdc.sys (Toshiba Corp.)
DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-746137067-1177238915-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-746137067-1177238915-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-746137067-1177238915-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www2.prestel.co.uk/church/oosj/osj.htm
IE - HKU\S-1-5-21-746137067-1177238915-839522115-1003\..\SearchScopes,DefaultScope = {7E8B17A6-0BA8-4A61-9FB7-E2F5D8151A6E}
IE - HKU\S-1-5-21-746137067-1177238915-839522115-1003\..\SearchScopes\{7E8B17A6-0BA8-4A61-9FB7-E2F5D8151A6E}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-746137067-1177238915-839522115-1003\..\SearchScopes\{9F1DD16A-D24B-4BE4-9B4D-14C8B2F5CD65}: "URL" = http://search.avg.com/?d=4dc3cee9&i=23&tp=chrome&q={searchTerms}&lng={language}&nt=1
IE - HKU\S-1-5-21-746137067-1177238915-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-746137067-1177238915-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Musicnotes.com/Musicnotes Viewer: C:\Program Files\Musicnotes\npmusicn.dll (Musicnotes, Inc.)
FF - HKLM\Software\MozillaPlugins\@nosltd.com/getPlus+(R),version=1.6.2.91: C:\Program Files\NOS\bin\np_gp.dll File not found
FF - HKLM\Software\MozillaPlugins\@Sibelius.com/Scorch Plugin: C:\Program Files\Musicnotes\npsibelius.dll ()
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG2012\Firefox\ [2012/02/01 11:12:00 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/02/01 11:12:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\fe_9.0@nokia.com: C:\Program Files\Nokia\Nokia Suite\Connectors\Bookmarks Connector\FirefoxExtension_9.0 [2012/03/05 20:43:31 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\te_9.0@nokia.com: C:\Program Files\Nokia\Nokia Suite\Connectors\Thunderbird Connector\ThunderbirdExtension_9.0 [2012/03/05 20:43:35 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.162\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.162\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Chrome\Application\18.0.1025.162\gcswf32.dll
CHR - plugin: AVG Internet Security (Enabled) = C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1901_0\plugins/avgnpss.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U29 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll
CHR - plugin: Musicnotes (Enabled) = C:\Program Files\Musicnotes\npmusicn.dll
CHR - plugin: ScorchPlugin (Enabled) = C:\Program Files\Musicnotes\npsibelius.dll
CHR - plugin: Windows Live\u00AE Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: YouTube = C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: AVG Safe Search = C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.1901_0\
CHR - Extension: Gmail = C:\Documents and Settings\Dr Michael Foster\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/04/28 17:00:06 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKU\S-1-5-21-746137067-1177238915-839522115-1003\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [FaxTalk FaxCenter Pro 8] C:\Program Files\FaxTalk\FTClCtrl.exe (Thought Communications, Inc.)
O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NSU_agent] C:\Program Files\Nokia\Nokia Software Updater\nsu3ui_agent.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] nwiz.exe /install File not found
O4 - HKLM..\Run: [OpwareSE4] C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [WinFaxAppPortStarter] C:\WINDOWS\System32\WFXSNT40.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-21-746137067-1177238915-839522115-1003..\Run: [PC Suite Tray] C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe (Nokia)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MagicFormation.lnk = C:\Program Files\Magic Formation\MagicFormation.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office Outlook 2003.lnk = C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-746137067-1177238915-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-746137067-1177238915-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-746137067-1177238915-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: EditLevel = 0
O7 - HKU\S-1-5-21-746137067-1177238915-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFileMenu = 0
O7 - HKU\S-1-5-21-746137067-1177238915-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCommonGroups = 0
O7 - HKU\S-1-5-21-746137067-1177238915-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-746137067-1177238915-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Backward &Links - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Cac&hed Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Si&milar Pages - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Translate into English - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1272219582312 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1272219964125 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius.com/download/software/win/ActiveXPlugin.cab (ScorchPlugin Class)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
O18 - Protocol\Handler\AutorunsDisabled\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Windows\Win7.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Windows\Win7.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {A213B520-C6C2-11d0-AF9D-008029E1027E} - C:\Program Files\winfax\WFXSEH32.DLL (Symantec Corporation)
O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\Program Files\Qualcomm\Eudora\EuShlExt.dll (Qualcomm Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/04/24 18:11:47 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/06/10 22:42:20 | 000,000,024 | ---- | M] () - F:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk /k:F *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: helpsvc - %SystemRoot%\PCHealth\HelpCtr\Binaries\pchsvc.dlles\pchsvc.dll File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/04/28 17:12:38 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Dr Michael Foster\Recent
[2012/04/28 17:06:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/04/28 07:54:01 | 004,477,723 | R--- | C] (Swearware) -- C:\Documents and Settings\Dr Michael Foster\Desktop\vagetatool.exe
[2012/04/27 20:21:51 | 004,477,246 | R--- | C] (Swearware) -- C:\Documents and Settings\Dr Michael Foster\Desktop\ComboFix.exe
[2012/04/26 17:38:49 | 000,017,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ping.exe
[2012/04/26 17:38:49 | 000,017,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ping.exe
[2012/04/26 17:35:15 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/04/26 17:35:15 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/04/26 17:35:15 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/04/26 17:35:15 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/04/26 08:59:31 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/04/25 19:19:42 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/04/25 17:31:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2012/04/25 17:31:22 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2012/04/24 13:06:07 | 000,092,544 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\mqac.svs
[2012/04/24 10:17:34 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/04/24 09:53:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dr Michael Foster\Start Menu\Programs\CyberLink BD Solution
[2012/04/24 09:23:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/04/24 08:58:53 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/04/22 20:27:55 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/04/22 13:34:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dr Michael Foster\Start Menu\Programs\Google Chrome
[2012/04/22 08:14:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dr Michael Foster\Desktop\Malware Tools
[2012/04/21 14:10:42 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dr Michael Foster\Desktop\OTL.exe
[2012/04/21 09:26:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dr Michael Foster\Application Data\Malwarebytes
[2012/04/21 09:26:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/04/21 09:26:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/04/21 09:26:18 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/04/21 09:26:18 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/04/21 09:25:42 | 000,000,000 | ---D | C] -- C:\Malwarebytes
[2012/04/20 15:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dr Michael Foster\Start Menu\Programs\SpyHunter
[2012/04/20 15:55:39 | 000,000,000 | ---D | C] -- C:\sh4ldr
[2012/04/20 15:55:39 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2012/04/20 15:51:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2012/04/20 15:51:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dr Michael Foster\Application Data\TestApp
[2012/04/20 15:20:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/04/20 15:19:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/04/20 15:00:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\B7E8587A4FE3ECF660BFD1C8D151FC4E
[2012/04/04 16:18:29 | 000,000,000 | ---D | C] -- C:\Program Files\Copy of WinFax
[2012/04/04 15:18:04 | 000,000,000 | ---D | C] -- C:\Program Files\winfax
[2012/04/03 08:25:03 | 000,418,464 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/04/28 19:38:10 | 000,001,026 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1177238915-839522115-1003UA.job
[2012/04/28 19:09:10 | 000,000,908 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/28 18:58:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/04/28 17:14:04 | 000,002,533 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office Outlook 2003.lnk
[2012/04/28 17:13:50 | 000,000,904 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/28 17:13:50 | 000,000,616 | -H-- | M] () -- C:\WINDOWS\tasks\ConfigExec.job
[2012/04/28 17:13:46 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/04/28 17:00:06 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/04/28 13:38:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1177238915-839522115-1003Core.job
[2012/04/28 12:15:36 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/04/28 08:41:00 | 000,000,580 | -H-- | M] () -- C:\WINDOWS\tasks\DataUpload.job
[2012/04/28 07:31:54 | 096,425,415 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/04/27 14:26:25 | 004,477,723 | R--- | M] (Swearware) -- C:\Documents and Settings\Dr Michael Foster\Desktop\vagetatool.exe
[2012/04/27 12:32:20 | 000,000,444 | RHS- | M] () -- C:\boot.ini
[2012/04/26 18:01:20 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/04/26 17:38:49 | 000,017,920 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ping.exe
[2012/04/26 17:38:49 | 000,017,920 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ping.exe
[2012/04/26 17:33:27 | 004,477,246 | R--- | M] (Swearware) -- C:\Documents and Settings\Dr Michael Foster\Desktop\ComboFix.exe
[2012/04/25 11:49:26 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\MS Office Outlook.lnk
[2012/04/24 09:51:39 | 000,000,328 | ---- | M] () -- C:\Boot.bak
[2012/04/23 16:59:51 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\My Files\MBR.dat
[2012/04/22 18:01:13 | 000,280,844 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2012/04/22 13:34:09 | 000,002,350 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/04/21 16:47:55 | 000,006,764 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\My Files\attach.zip
[2012/04/21 14:10:42 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dr Michael Foster\Desktop\OTL.exe
[2012/04/20 18:49:56 | 000,001,034 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\Desktop\NokiaUtils.lnk
[2012/04/20 15:55:43 | 000,001,997 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\Desktop\SpyHunter.lnk
[2012/04/18 20:22:30 | 000,218,311 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\My Files\cemmguidance.pdf
[2012/04/17 19:29:25 | 000,002,337 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Streetmap.co.uk.url
[2012/04/17 10:07:29 | 007,438,896 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\My Files\08 - Evacuee2.mp3
[2012/04/17 10:07:16 | 000,008,663 | -HS- | M] () -- C:\Documents and Settings\Dr Michael Foster\My Files\Folder.jpg
[2012/04/17 10:07:16 | 000,002,348 | -HS- | M] () -- C:\Documents and Settings\Dr Michael Foster\My Files\AlbumArtSmall.jpg
[2012/04/16 17:46:01 | 000,000,308 | ---- | M] () -- C:\WINDOWS\tasks\doxillionShakeIcon.job
[2012/04/13 18:58:09 | 000,418,464 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/04/13 18:58:09 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/04/13 08:02:28 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2012/04/10 17:56:26 | 001,254,622 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\My Files\LittleYellowBook.pdf
[2012/04/09 01:31:00 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/04/04 15:18:09 | 000,000,041 | ---- | M] () -- C:\WINDOWS\WFXDEL.BAT
[2012/04/04 13:51:10 | 000,003,654 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SAYNOTO0870.url
[2012/04/04 10:59:40 | 000,167,156 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\My Files\Fold-shapes.pdf
[2012/04/02 11:38:49 | 000,000,688 | ---- | M] () -- C:\WINDOWS\CDPHOTO.INI
[2012/04/01 14:13:34 | 000,038,674 | ---- | M] () -- C:\Documents and Settings\Dr Michael Foster\My Files\phosphine.pdf
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/04/28 12:15:36 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/04/26 17:35:15 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/04/26 17:35:15 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/04/26 17:35:15 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/04/26 17:35:15 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/04/26 17:35:15 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/04/24 10:17:39 | 000,000,328 | ---- | C] () -- C:\Boot.bak
[2012/04/24 10:17:36 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/04/22 13:34:09 | 000,002,350 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/04/22 13:33:08 | 000,001,026 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1177238915-839522115-1003UA.job
[2012/04/22 13:33:07 | 000,000,974 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1177238915-839522115-1003Core.job
[2012/04/22 09:58:06 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\My Files\MBR.dat
[2012/04/21 16:47:55 | 000,006,764 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\My Files\attach.zip
[2012/04/20 15:55:43 | 000,001,997 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\Desktop\SpyHunter.lnk
[2012/04/18 20:22:30 | 000,218,311 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\My Files\cemmguidance.pdf
[2012/04/17 10:07:21 | 007,438,896 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\My Files\08 - Evacuee2.mp3
[2012/04/17 10:07:16 | 000,008,663 | -HS- | C] () -- C:\Documents and Settings\Dr Michael Foster\My Files\Folder.jpg
[2012/04/17 10:07:16 | 000,002,348 | -HS- | C] () -- C:\Documents and Settings\Dr Michael Foster\My Files\AlbumArtSmall.jpg
[2012/04/10 17:56:26 | 001,254,622 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\My Files\LittleYellowBook.pdf
[2012/04/04 10:59:40 | 000,167,156 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\My Files\Fold-shapes.pdf
[2012/04/03 08:25:04 | 000,000,830 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/04/02 11:32:33 | 000,197,561 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\My Files\S-ILoveToHearTheStory-PipeLC-48-CAM(1).mp3
[2012/04/02 11:31:50 | 000,038,674 | ---- | C] () -- C:\Documents and Settings\Dr Michael Foster\My Files\phosphine.pdf
[2012/02/15 11:32:39 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2010/12/15 08:29:18 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2010/12/15 08:29:16 | 001,018,748 | ---- | C] () -- C:\WINDOWS\System32\nvucode.bin
[2010/10/27 10:46:00 | 000,000,145 | ---- | C] () -- C:\WINDOWS\Eudcedit.ini
[2010/09/07 07:12:44 | 000,000,038 | ---- | C] () -- C:\WINDOWS\AviSplitter.INI
[2010/08/01 16:54:09 | 000,000,026 | ---- | C] () -- C:\WINDOWS\dvdSanta.INI
[2010/08/01 16:48:21 | 001,216,512 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2010/08/01 16:48:21 | 000,921,600 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2010/08/01 16:48:21 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2010/08/01 16:48:21 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2010/08/01 16:48:21 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2010/08/01 16:48:21 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
[2010/06/14 19:40:05 | 001,107,192 | ---- | C] () -- C:\WINDOWS\Xwmba500.dll
[2010/06/14 19:40:05 | 000,260,440 | ---- | C] () -- C:\WINDOWS\Xwmhb500.dll
[2010/06/14 19:40:05 | 000,174,352 | ---- | C] () -- C:\WINDOWS\Xwmte500.dll
[2010/06/14 19:40:05 | 000,000,061 | ---- | C] () -- C:\WINDOWS\PHAssist.ini
[2010/06/01 15:16:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\WTNSETUP.INI
[2010/06/01 15:10:00 | 000,037,888 | ---- | C] () -- C:\WINDOWS\System32\DCCWFP32.DLL
[2010/06/01 15:10:00 | 000,000,250 | ---- | C] () -- C:\WINDOWS\WINFAX.INI
[2010/06/01 15:09:59 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\IMPLODE.DLL
[2010/05/31 21:48:38 | 000,021,248 | ---- | C] () -- C:\WINDOWS\System32\solidlocalmon.dll
[2010/05/31 21:48:38 | 000,013,568 | ---- | C] () -- C:\WINDOWS\System32\solidlocalui.dll
[2010/05/26 12:30:18 | 000,002,220 | ---- | C] () -- C:\WINDOWS\GWSFILTR.INI
[2010/05/26 12:27:06 | 000,000,041 | ---- | C] () -- C:\WINDOWS\gwspcam.ini
[2010/05/26 12:27:04 | 000,212,992 | ---- | C] () -- C:\WINDOWS\ALCHUNIN.EXE
[2010/05/26 12:26:46 | 000,007,806 | R--- | C] () -- C:\WINDOWS\gwspro.ini
[2010/05/06 10:47:02 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2010/05/05 22:28:28 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/04/30 08:30:38 | 000,000,688 | ---- | C] () -- C:\WINDOWS\CDPHOTO.INI
[2010/04/30 08:30:38 | 000,000,193 | ---- | C] () -- C:\WINDOWS\EFICOLOR.INI

========== Custom Scans ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 184 bytes -> C:\Documents and Settings\Dr Michael Foster\My Files\FromHeavenYouCame-Kendrick.mid:SummaryInformation
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\Dr Michael Foster\My Files\FromHeavenYouCame-Kendrick.mid:DocumentSummaryInformation

< End of report >

osjknights
2012-04-28, 22:54
I have noticed that MS Word 2003 behaves strangely. I sometimes paste text onto a document. Although the text may look OK, when it prints, HTML comments hidden in the document print out. I am sure that this is since the infection.

osjknights
2012-04-29, 08:07
Under Options - Print - I found the "Hidden text" box ticked. I unticked the box - and voilà! Fixed.
As more than myself use the machine - it could be someone ticked the box. The family members tend to go into my study and use whichever machine is on - usually mine and not my wife's - which is only on when she needs to type up items for the Church magazine. Although they all have laptops, it's laziness that prevents them from going upstairs to fetch their laptops down and boot them up - mine is up and running.

osjknights
2012-04-29, 19:40
In searching the web I have found this page:

http://www.symantec.com/security_response/writeup.jsp?docid=2011-121607-4952-99

I ran the Symantec tool which listed about a dozen files in its report (but there was no way to export the report) - so I did not click the "repair" button - plus I had forgotten to switch out AVG. I then disabled AVG (15 minutes) and re-ran the scan, which stated there was no infection.

Being curious, I reran Vagetatool, which came up with the now familiar message:

"You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection. If for any reason that you’re unable to connect to the internet after running ComboFix, reboot once and see if that fixes it. If it's not fixed, run ComboFix one more time".

When the scan is complete (still running) would you like the report?

Also I came across this page:
http://kb.eset.com/esetkb/index?page=content&id=SOLN2895

Will the download tool be any good?

jeffce
2012-04-30, 02:19
Hi,

Yes, please post the new ComboFix log that you ran and let's see what is there.

osjknights
2012-04-30, 13:50
A new version of ComboFix presented itself to me when I went to run it. Below is the scan result.

In looking for stand-alone tools I came across this review on a Panda tool: http://thisisudax.blogspot.co.uk/2012/03/panda-security-creates-zeroaccess.html This led to the following page: http://www.pandasecurity.com/usa/homeusers/support/card?id=1672&idIdioma=2 I have not tried these nor the ESET tool.

Scan results:
ComboFix 12-04-29.02 - Dr Michael Foster 30/04/2012 9:27.9.4 - x86
Running from: c:\documents and settings\Dr Michael Foster\Desktop\vagetatool.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((( Files Created from 2012-03-28 to 2012-04-30 )))))))))))))))))))))))))))))))
.
.
2012-04-29 16:26 . 2007-05-11 06:03 6738432 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2012-04-29 16:05 . 2012-04-29 16:05 -------- d-----w- c:\documents and settings\Dr Michael Foster\Application Data\FixZeroAccess
2012-04-27 16:23 . 2012-04-27 16:23 4948 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-04-26 16:38 . 2012-04-26 16:38 17920 -c--a-w- c:\windows\system32\dllcache\ping.exe
2012-04-26 16:38 . 2012-04-26 16:38 17920 ----a-w- c:\windows\system32\ping.exe
2012-04-26 07:59 . 2012-04-26 07:59 -------- d-----w- c:\program files\ESET
2012-04-25 18:19 . 2012-04-25 18:19 -------- d-----w- C:\_OTL
2012-04-25 16:31 . 2012-04-25 16:31 -------- d-----w- c:\program files\ERUNT
2012-04-25 09:11 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-04-24 09:21 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-04-22 19:27 . 2012-04-22 19:36 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-21 08:26 . 2012-04-21 08:26 -------- d-----w- c:\documents and settings\Dr Michael Foster\Application Data\Malwarebytes
2012-04-21 08:26 . 2012-04-21 08:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-21 08:26 . 2012-04-21 08:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-21 08:26 . 2012-04-04 14:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-21 08:25 . 2012-04-21 08:25 -------- d-----w- C:\Malwarebytes
2012-04-20 14:55 . 2012-04-20 14:55 110080 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{4E0C6314-A8B8-4026-AC15-084E8B63AFB5}\IconF7A21AF7.exe
2012-04-20 14:55 . 2012-04-20 14:55 110080 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{4E0C6314-A8B8-4026-AC15-084E8B63AFB5}\IconD7F16134.exe
2012-04-20 14:55 . 2012-04-20 14:55 110080 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{4E0C6314-A8B8-4026-AC15-084E8B63AFB5}\IconCF33A0CE.exe
2012-04-20 14:55 . 2012-04-20 14:55 -------- d-----w- C:\sh4ldr
2012-04-20 14:55 . 2012-04-20 14:55 -------- d-----w- c:\program files\Enigma Software Group
2012-04-20 14:51 . 2012-04-20 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-04-20 14:51 . 2012-04-20 14:51 -------- d-----w- c:\documents and settings\Dr Michael Foster\Application Data\TestApp
2012-04-20 14:00 . 2012-04-20 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\B7E8587A4FE3ECF660BFD1C8D151FC4E
2012-04-04 15:18 . 2012-04-04 15:18 -------- d-----w- c:\program files\Copy of WinFax
2012-04-04 14:18 . 2012-04-08 06:29 -------- d-----w- c:\program files\winfax
2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2012-04-03 07:25 . 2012-04-13 17:58 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-13 17:58 . 2011-05-17 06:05 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 14:18 . 2010-05-05 05:48 41 ----a-w- c:\windows\WFXDEL.BAT
2012-03-11 12:48 . 2012-03-11 12:48 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-03-05 19:27 . 2012-03-05 19:27 73728 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\NewShortcut47_74B9CE5DF1F4447F982DCA29A461B529.exe
2012-03-05 19:27 . 2012-03-05 19:27 73728 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\NewShortcut46_74B9CE5DF1F4447F982DCA29A461B529.exe
2012-03-05 19:27 . 2012-03-05 19:27 53248 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\ARPPRODUCTICON.exe
2012-03-05 19:27 . 2012-03-05 19:27 49152 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\Uninstall_QA_OTI_H_FE5D756F71E147C4972AD6775344B40B.exe
2012-03-05 19:27 . 2012-03-05 19:27 49152 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\NewShortcut2_1C7B7089989A424FB39D41A32581C775.exe
2012-03-01 11:01 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2006-02-28 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2006-02-28 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2006-02-28 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2006-02-28 12:00 385024 ------w- c:\windows\system32\html.iec
2012-02-03 09:22 . 2006-02-28 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2011-12-16 1508408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFaxAppPortStarter"="wfxsnt40.exe" [2002-12-12 45568]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-11 8429568]
"RTHDCPL"="RTHDCPL.EXE" [2010-04-06 19523104]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"FaxTalk FaxCenter Pro 8"="c:\program files\FaxTalk\FTClCtrl.exe" [2011-09-23 120672]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"NSU_agent"="c:\program files\Nokia\Nokia Software Updater\nsu3ui_agent.exe" [2011-12-13 190768]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-04-04 35736]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"nwiz"="nwiz.exe" [BU]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-11 81920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
MagicFormation.lnk - c:\program files\Magic Formation\MagicFormation.exe [2010-4-28 454656]
Microsoft Office Outlook 2003.lnk - c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2010-4-25 794624]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-11-13 113024]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\winfax\WfxSeh32.Dll" [1998-07-27 38400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:F *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Aolpress\\Ws_ftp\\WS_FTP95.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\ArcSoft\\PhotoStudio 5.5\\PhotoStudio.exe"=
"c:\\Program Files\\NewSoft\\Presto! PageManager 7.15\\Pmsb.exe"=
"c:\\Program Files\\ScanSoft\\OmniPageSE4.0\\TwainClient.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\FaxTalk\\FTmsgsvc.exe"=
"c:\\Program Files\\FaxTalk\\fapiexe.exe"=
"c:\\Program Files\\FaxTalk\\FTclctrl.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
"c:\\Documents and Settings\\Dr Michael Foster\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13/09/2010 16:27 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [07/09/2010 04:48 32592]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [11/03/2012 13:48 56208]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/09/2010 04:48 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [09/11/2010 23:20 295248]
R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [07/05/2010 11:55 16048]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [15/12/2011 18:00 228208]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [11/03/2012 13:48 71440]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [11/03/2012 13:48 164112]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [17/02/2010 11:25 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [06/05/2010 17:10 67664]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [12/10/2011 07:25 4433248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [02/08/2011 06:09 192776]
R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [31/07/2010 20:34 162096]
R2 FaxTalk FaxCenter Pro 8;FaxTalk FaxCenter Pro 8;c:\program files\FaxTalk\FTmsgsvc.exe [23/09/2011 11:07 33120]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [21/04/2012 09:26 654408]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [11/03/2012 13:48 931640]
R2 SdReadSpool;SolidPDFCreatorReadSpool;c:\program files\SolidDocuments\SolidPDFCreator\SPC\SolidPdfService.exe [18/03/2009 18:08 189696]
R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [18/01/2012 06:21 737184]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [19/08/2010 21:42 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [19/08/2010 21:42 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [19/08/2010 21:42 16720]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [21/04/2012 09:26 22344]
S2 !SASCORE;SAS Core Service;"c:\program files\SUPERAntiSpyware\SASCORE.EXE" --> c:\program files\SUPERAntiSpyware\SASCORE.EXE [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14/07/2010 12:31 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [03/04/2012 08:25 253088]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [28/04/2010 20:33 1691480]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 11336]
S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [06/05/2011 15:57 13904]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [14/07/2010 12:31 136176]
S3 ham50;Intel V92 HaM Data Fax Voice;c:\windows\system32\DRIVERS\IntelH51.sys --> c:\windows\system32\DRIVERS\IntelH51.sys [?]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [10/04/2010 17:05 266544]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [15/01/2012 08:31 137600]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [15/01/2012 08:31 8576]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys [19/07/2011 09:52 21520]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [28/02/2006 13:00 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 17:58]
.
2012-04-30 c:\windows\Tasks\ConfigExec.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 16:05]
.
2012-04-30 c:\windows\Tasks\DataUpload.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 16:05]
.
2011-11-11 c:\windows\Tasks\debutDowngrade.job
- c:\program files\NCH Software\Debut\debut.exe [2010-08-07 17:31]
.
2011-11-11 c:\windows\Tasks\debutShakeIcon.job
- c:\program files\NCH Software\Debut\debut.exe [2010-08-07 17:31]
.
2012-04-16 c:\windows\Tasks\doxillionShakeIcon.job
- c:\program files\NCH Software\Doxillion\doxillion.exe [2011-03-23 07:38]
.
2012-04-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-14 11:31]
.
2012-04-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-14 11:31]
.
2012-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1177238915-839522115-1003Core.job
- c:\documents and settings\Dr Michael Foster\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-22 15:04]
.
2012-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1177238915-839522115-1003UA.job
- c:\documents and settings\Dr Michael Foster\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-22 15:04]
.
2012-04-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
2012-01-20 c:\windows\Tasks\pixillionShakeIcon.job
- c:\program files\NCH Software\Pixillion\pixillion.exe [2011-04-02 13:28]
.
2011-11-11 c:\windows\Tasks\prismShakeIcon.job
- c:\program files\NCH Software\Prism\prism.exe [2010-08-07 14:27]
.
2011-11-11 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-08-07 14:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www2.prestel.co.uk/church/oosj/osj.htm
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-30 09:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1060)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2012-04-30 09:41:29
ComboFix-quarantined-files.txt 2012-04-30 08:41
ComboFix2.txt 2012-04-29 16:50
ComboFix3.txt 2012-04-28 16:06
ComboFix4.txt 2012-04-28 07:22
ComboFix5.txt 2012-04-30 08:20
.
Pre-Run: 107,648,704,512 bytes free
Post-Run: 107,649,994,752 bytes free
.
- - End Of File - - 0D2FFD8F99DA221BCB9F6297811AC533

osjknights
2012-04-30, 16:30
Hi Jeff

I have a beta scanner for rootkits from Trend Micro - too many false positives to be worthwhile (legit mp3 files and legit URLs to innocent web sites) but it did find these:

[HIDDEN_REGISTRY][Hidden Reg Key]:
KeyPath : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data
SubKey : Data
FullLength: 0x5c
[HIDDEN_REGISTRY][Hidden Reg Key]:
KeyPath : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2
SubKey : Data 2
FullLength: 0x5e
2 hidden registry entries found.

Do I delete these keys?

Michael.

jeffce
2012-04-30, 18:22
No don't delete those.

Run a new scan with TDSSKiller and aswMBR.exe and then post the new logs to your next reply. We may be dealing with a new variant here. :(

osjknights
2012-04-30, 18:38
As I had a few moments in between work, I reran ComboFix, but only as far as the message "You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection. If for any reason that you’re unable to connect to the internet after running ComboFix, reboot once and see if that fixes it. If it's not fixed, run ComboFix one more time".

Which leads me to suspect that the Trojan has left remnants behind! What I don't understand is why ComboFix can detect the Trojan but cannot clean it?

jeffce
2012-04-30, 19:14
Hi,

ComboFix can normally clean it very well but there are instances where the infection just is not able to be cleaned. ZeroAccess is a severe infection that is normally very difficult to remove with only one infection but your system was infected by multiple ZeroAccess infections... more than I have seen on one system so far.

Like I stated when we began...

Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.....right now I am not seeing the infection showing in the logs which is making it very difficult....

osjknights
2012-04-30, 20:23
I think our postings crossed so I will do the scans for which you asked. On the question posed, it was really that obviously ComboFix has detected something on the one part (hence the warning) but is not providing that in a report!

I will do the scans as soon as I can (maybe in 30 mins time).

Again thanks!

osjknights
2012-04-30, 21:10
My 30 mins delay was while I was completing my work for tomorrow, and at the same time waiting for a scan from a Rootkit Unhooker app which I will paste up last of all. First the TDSSKiller report:

-------------------------------------------
19:32:29.0187 0576 TDSS rootkit removing tool 2.7.33.0 Apr 24 2012 18:43:43
19:32:29.0218 0576 ============================================================
19:32:29.0218 0576 Current date / time: 2012/04/30 19:32:29.0218
19:32:29.0218 0576 SystemInfo:
19:32:29.0218 0576
19:32:29.0218 0576 OS Version: 5.1.2600 ServicePack: 3.0
19:32:29.0218 0576 Product type: Workstation
19:32:29.0218 0576 ComputerName: KNIGHTS-2EE6007
19:32:29.0218 0576 UserName: Dr Michael Foster
19:32:29.0218 0576 Windows directory: C:\WINDOWS
19:32:29.0218 0576 System windows directory: C:\WINDOWS
19:32:29.0218 0576 Processor architecture: Intel x86
19:32:29.0218 0576 Number of processors: 4
19:32:29.0218 0576 Page size: 0x1000
19:32:29.0218 0576 Boot type: Normal boot
19:32:29.0218 0576 ============================================================
19:32:30.0765 0576 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
19:32:30.0765 0576 Drive \Device\Harddisk1\DR1 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1F8B1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000054
19:32:30.0765 0576 Drive \Device\Harddisk2\DR5 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x7E2D, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'W'
19:32:30.0812 0576 ============================================================
19:32:30.0812 0576 \Device\Harddisk0\DR0:
19:32:30.0812 0576 MBR partitions:
19:32:30.0812 0576 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1D1C0681
19:32:30.0812 0576 \Device\Harddisk1\DR1:
19:32:30.0812 0576 MBR partitions:
19:32:30.0812 0576 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
19:32:30.0812 0576 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x746D3800
19:32:30.0812 0576 \Device\Harddisk2\DR5:
19:32:30.0812 0576 MBR partitions:
19:32:30.0812 0576 \Device\Harddisk2\DR5\Partition0: MBR, Type 0x7, StartLBA 0xABE800, BlocksNum 0x2EE000
19:32:30.0812 0576 \Device\Harddisk2\DR5\Partition1: MBR, Type 0x7, StartLBA 0xDAC800, BlocksNum 0x1C418800
19:32:30.0812 0576 ============================================================
19:32:30.0859 0576 C: <-> \Device\Harddisk0\DR0\Partition0
19:32:31.0265 0576 E: <-> \Device\Harddisk1\DR1\Partition0
19:32:31.0312 0576 F: <-> \Device\Harddisk1\DR1\Partition1
19:32:31.0328 0576 L: <-> \Device\Harddisk2\DR5\Partition0
19:32:31.0343 0576 M: <-> \Device\Harddisk2\DR5\Partition1
19:32:31.0343 0576 ============================================================
19:32:31.0343 0576 Initialize success
19:32:31.0343 0576 ============================================================
19:55:10.0187 2636 ============================================================
19:55:10.0187 2636 Scan started
19:55:10.0187 2636 Mode: Manual; SigCheck; TDLFS;
19:55:10.0187 2636 ============================================================
19:55:15.0578 2636 Browser - ok
19:55:15.0609 2636 BrUsbSer - ok
19:55:15.0625 2636 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
19:55:15.0734 2636 BthEnum - ok
19:55:15.0750 2636 BTHMODEM (fca6f069597b62d42495191ace3fc6c1) C:\WINDOWS\system32\DRIVERS\bthmodem.sys
19:55:15.0828 2636 BTHMODEM - ok
19:55:15.0843 2636 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
19:55:15.0937 2636 BthPan - ok
19:55:15.0984 2636 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
19:55:16.0031 2636 BTHPORT - ok
19:55:16.0078 2636 BthServ (f4c43c66471b87996d95db7a3a664a37) C:\WINDOWS\System32\bthserv.dll
19:55:16.0171 2636 BthServ - ok
19:55:16.0171 2636 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
19:55:16.0250 2636 BTHUSB - ok
19:55:16.0265 2636 C-Dilla - ok
19:55:16.0500 2636 catchme - ok
19:55:16.0531 2636 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
19:55:16.0640 2636 cbidf2k - ok
19:55:16.0640 2636 ccevtmgr - ok
19:55:16.0640 2636 cd20xrnt - ok
19:55:16.0640 2636 CdaD10BA - ok
19:55:16.0671 2636 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
19:55:16.0750 2636 Cdaudio - ok
19:55:16.0781 2636 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
19:55:16.0890 2636 Cdfs - ok
19:55:16.0906 2636 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
19:55:17.0015 2636 Cdrom - ok
19:55:17.0062 2636 Changer (daf1a8193b6caf0fb858cadcc5c4af4a) C:\WINDOWS\system32\drivers\Changer.sys
19:55:17.0156 2636 Changer - ok
19:55:17.0203 2636 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
19:55:17.0281 2636 CiSvc - ok
19:55:17.0343 2636 CLBStor (0252b4007a8f3a6cc61220cbe122544d) C:\WINDOWS\system32\drivers\CLBStor.sys
19:55:17.0359 2636 CLBStor - ok
19:55:17.0421 2636 CLBUDF (dc705765a170f7bd8af3632c93b03f0b) C:\WINDOWS\system32\drivers\CLBUDF.sys
19:55:17.0437 2636 CLBUDF - ok
19:55:17.0468 2636 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
19:55:17.0578 2636 ClipSrv - ok
19:55:17.0671 2636 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
19:55:17.0687 2636 clr_optimization_v2.0.50727_32 - ok
19:55:17.0687 2636 CmdIde - ok
19:55:17.0687 2636 CoachUsb - ok
19:55:17.0687 2636 commserver - ok
19:55:17.0687 2636 COMSysApp - ok
19:55:17.0703 2636 Cpqarray - ok
19:55:17.0796 2636 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
19:55:17.0796 2636 cpudrv - ok
19:55:17.0828 2636 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
19:55:17.0906 2636 CryptSvc - ok
19:55:17.0921 2636 cygserver - ok
19:55:17.0921 2636 dac2w2k - ok
19:55:17.0921 2636 dac960nt - ok
19:55:17.0953 2636 DC21x4 - ok
19:55:18.0015 2636 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
19:55:18.0109 2636 DcomLaunch - ok
19:55:18.0171 2636 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
19:55:18.0265 2636 Dhcp - ok
19:55:18.0312 2636 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
19:55:18.0406 2636 Disk - ok
19:55:18.0406 2636 dladresn - ok
19:55:18.0406 2636 dlaopiom - ok
19:55:18.0421 2636 dmadmin - ok
19:55:18.0484 2636 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
19:55:18.0640 2636 dmboot - ok
19:55:18.0671 2636 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
19:55:18.0765 2636 dmio - ok
19:55:18.0796 2636 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
19:55:18.0875 2636 dmload - ok
19:55:18.0890 2636 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
19:55:18.0984 2636 dmserver - ok
19:55:19.0000 2636 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
19:55:19.0078 2636 DMusic - ok
19:55:19.0125 2636 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
19:55:19.0171 2636 Dnscache - ok
19:55:19.0218 2636 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
19:55:19.0328 2636 Dot3svc - ok
19:55:19.0328 2636 dpti2o - ok
19:55:19.0359 2636 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
19:55:19.0437 2636 drmkaud - ok
19:55:19.0453 2636 EACSvrMngr - ok
19:55:19.0484 2636 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
19:55:19.0578 2636 EapHost - ok
19:55:19.0593 2636 EL90X - ok
19:55:19.0609 2636 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
19:55:19.0718 2636 ERSvc - ok
19:55:19.0796 2636 esgiguard (2407b8164e966755bc6a4242fc9de31e) C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys
19:55:19.0812 2636 esgiguard - ok
19:55:19.0812 2636 EU3_USB - ok
19:55:19.0859 2636 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
19:55:19.0890 2636 Eventlog - ok
19:55:19.0937 2636 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
19:55:19.0984 2636 EventSystem - ok
19:55:20.0000 2636 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
19:55:20.0109 2636 Fastfat - ok
19:55:20.0156 2636 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
19:55:20.0203 2636 FastUserSwitchingCompatibility - ok
19:55:20.0250 2636 FaxTalk FaxCenter Pro 8 (18ef9f53f127b8758b257117983df520) C:\Program Files\FaxTalk\FTmsgsvc.exe
19:55:20.0265 2636 FaxTalk FaxCenter Pro 8 - ok
19:55:20.0281 2636 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
19:55:20.0375 2636 Fdc - ok
19:55:20.0375 2636 FINEPIX_PCC - ok
19:55:20.0406 2636 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
19:55:20.0500 2636 Fips - ok
19:55:20.0515 2636 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
19:55:20.0593 2636 Flpydisk - ok
19:55:20.0625 2636 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
19:55:20.0703 2636 FltMgr - ok
19:55:20.0875 2636 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
19:55:20.0890 2636 FontCache3.0.0.0 - ok
19:55:20.0890 2636 fsaa - ok
19:55:20.0937 2636 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
19:55:21.0046 2636 Fs_Rec - ok
19:55:21.0093 2636 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:55:21.0203 2636 Ftdisk - ok
19:55:21.0234 2636 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
19:55:21.0234 2636 GEARAspiWDM - ok
19:55:21.0234 2636 getPlusHelper - ok
19:55:21.0250 2636 giveio - ok
19:55:21.0250 2636 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
19:55:21.0359 2636 Gpc - ok
19:55:21.0406 2636 gupdate (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
19:55:21.0421 2636 gupdate - ok
19:55:21.0421 2636 gupdatem (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
19:55:21.0437 2636 gupdatem - ok
19:55:21.0437 2636 ham50 - ok
19:55:21.0453 2636 hap16v2k - ok
19:55:21.0531 2636 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
19:55:21.0625 2636 HDAudBus - ok
19:55:21.0671 2636 helpsvc - ok
19:55:21.0671 2636 HidServ - ok
19:55:21.0718 2636 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
19:55:21.0812 2636 hkmsvc - ok
19:55:21.0812 2636 hpn - ok
19:55:21.0859 2636 HSFHWBS2 (6312dc46356df3974e88aa51b69360dc) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
19:55:21.0906 2636 HSFHWBS2 - ok
19:55:21.0968 2636 HSF_DPV (daab917eec9849840a13353198d48cc5) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
19:55:22.0078 2636 HSF_DPV - ok
19:55:22.0125 2636 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
19:55:22.0171 2636 HTTP - ok
19:55:22.0203 2636 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
19:55:22.0296 2636 HTTPFilter - ok
19:55:22.0359 2636 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys
19:55:22.0437 2636 i2omgmt - ok
19:55:22.0437 2636 i2omp - ok
19:55:22.0484 2636 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:55:22.0578 2636 i8042prt - ok
19:55:22.0578 2636 icdsptsv - ok
19:55:22.0781 2636 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
19:55:22.0875 2636 idsvc - ok
19:55:22.0937 2636 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
19:55:23.0031 2636 Imapi - ok
19:55:23.0078 2636 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
19:55:23.0171 2636 ImapiService - ok
19:55:23.0187 2636 incdfs - ok
19:55:23.0187 2636 ini910u - ok
19:55:23.0187 2636 int15 - ok
19:55:23.0468 2636 IntcAzAudAddService (718f495096df8d94fb66c9c962646372) C:\WINDOWS\system32\drivers\RtkHDAud.sys
19:55:23.0671 2636 IntcAzAudAddService - ok
19:55:23.0734 2636 IntelIde - ok
19:55:23.0796 2636 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
19:55:23.0875 2636 intelppm - ok
19:55:23.0890 2636 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
19:55:24.0000 2636 Ip6Fw - ok
19:55:24.0015 2636 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:55:24.0109 2636 IpFilterDriver - ok
19:55:24.0140 2636 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:55:24.0234 2636 IpInIp - ok
19:55:24.0265 2636 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:55:24.0375 2636 IpNat - ok
19:55:24.0484 2636 iPod Service (3a6d4d8abacf64292d060c9e06d2050d) C:\Program Files\iPod\bin\iPodService.exe
19:55:24.0562 2636 iPod Service - ok
19:55:24.0625 2636 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:55:24.0718 2636 IPSec - ok
19:55:24.0750 2636 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
19:55:24.0796 2636 IRENUM - ok
19:55:24.0828 2636 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:55:24.0937 2636 isapnp - ok
19:55:25.0031 2636 JavaQuickStarterService (381b25dc8e958d905b33130d500bbf29) C:\Program Files\Java\jre6\bin\jqs.exe
19:55:25.0031 2636 JavaQuickStarterService - ok
19:55:25.0093 2636 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:55:25.0171 2636 Kbdclass - ok
19:55:25.0203 2636 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
19:55:25.0281 2636 kmixer - ok
19:55:25.0296 2636 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
19:55:25.0359 2636 KSecDD - ok
19:55:25.0406 2636 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
19:55:25.0437 2636 lanmanserver - ok
19:55:25.0468 2636 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
19:55:25.0500 2636 lanmanworkstation - ok
19:55:25.0562 2636 lbrtfdc (cc50a66548c2f285bc8a7b0b8aa578e3) C:\WINDOWS\system32\drivers\lbrtfdc.sys
19:55:25.0625 2636 lbrtfdc - ok
19:55:25.0640 2636 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
19:55:25.0718 2636 LmHosts - ok
19:55:25.0734 2636 LUsbFilt - ok
19:55:25.0734 2636 lxrsge10s - ok
19:55:25.0734 2636 mafwboot - ok
19:55:25.0781 2636 MatSvc (0cf633a54c681c65297c63106c4bc376) C:\Program Files\Microsoft Fix it Center\Matsvc.exe
19:55:25.0843 2636 MatSvc - ok
19:55:25.0875 2636 MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) C:\WINDOWS\system32\drivers\mbam.sys
19:55:25.0890 2636 MBAMProtector - ok
19:55:25.0937 2636 MBAMService (ba400ed640bca1eae5c727ae17c10207) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
19:55:25.0953 2636 MBAMService - ok
19:55:26.0109 2636 McComponentHostService (f453d1e6d881e8f8717e20ccd4199e85) C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
19:55:26.0171 2636 McComponentHostService - ok
19:55:26.0171 2636 mcdetect.exe - ok
19:55:26.0203 2636 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
19:55:26.0218 2636 mdmxsdk - ok
19:55:26.0250 2636 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
19:55:26.0343 2636 Messenger - ok
19:55:26.0343 2636 mf - ok
19:55:26.0359 2636 mindrepair - ok
19:55:26.0390 2636 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
19:55:26.0484 2636 mnmdd - ok
19:55:26.0500 2636 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
19:55:26.0609 2636 mnmsrvc - ok
19:55:26.0656 2636 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
19:55:26.0750 2636 Modem - ok
19:55:26.0765 2636 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
19:55:26.0875 2636 MODEMCSA - ok
19:55:26.0984 2636 Monfilt (c7d9f9717916b34c1b00dd4834af485c) C:\WINDOWS\system32\drivers\Monfilt.sys
19:55:27.0093 2636 Monfilt - ok
19:55:27.0156 2636 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:55:27.0250 2636 Mouclass - ok
19:55:27.0281 2636 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
19:55:27.0375 2636 MountMgr - ok
19:55:27.0375 2636 MR97310_USB_DUAL_CAMERA - ok
19:55:27.0375 2636 mraid35x - ok
19:55:27.0375 2636 MRV6X32P - ok
19:55:27.0421 2636 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:55:27.0515 2636 MRxDAV - ok
19:55:27.0578 2636 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:55:27.0640 2636 MRxSmb - ok
19:55:27.0640 2636 MSCamSvc - ok
19:55:27.0671 2636 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
19:55:27.0781 2636 MSDTC - ok
19:55:27.0796 2636 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
19:55:27.0890 2636 Msfs - ok
19:55:27.0890 2636 MSICPL - ok
19:55:27.0890 2636 MSIServer - ok
19:55:27.0890 2636 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:55:27.0968 2636 MSKSSRV - ok
19:55:27.0984 2636 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:55:28.0046 2636 MSPCLOCK - ok
19:55:28.0062 2636 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
19:55:28.0140 2636 MSPQM - ok
19:55:28.0187 2636 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:55:28.0281 2636 mssmbios - ok
19:55:28.0328 2636 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
19:55:28.0375 2636 Mup - ok
19:55:28.0375 2636 Mvc25U870_VID_1262&PID_25FD - ok
19:55:28.0375 2636 n558 - ok
19:55:28.0421 2636 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
19:55:28.0531 2636 napagent - ok
19:55:28.0531 2636 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
19:55:28.0625 2636 NDIS - ok
19:55:28.0687 2636 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:55:28.0718 2636 NdisTapi - ok
19:55:28.0718 2636 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:55:28.0812 2636 Ndisuio - ok
19:55:28.0812 2636 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:55:28.0890 2636 NdisWan - ok
19:55:28.0953 2636 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
19:55:28.0968 2636 NDProxy - ok
19:55:28.0984 2636 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
19:55:29.0078 2636 NetBIOS - ok
19:55:29.0109 2636 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
19:55:29.0187 2636 NetBT - ok
19:55:29.0250 2636 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
19:55:29.0328 2636 NetDDE - ok
19:55:29.0328 2636 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
19:55:29.0406 2636 NetDDEdsdm - ok
19:55:29.0437 2636 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
19:55:29.0515 2636 Netlogon - ok
19:55:29.0578 2636 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
19:55:29.0656 2636 Netman - ok
19:55:29.0828 2636 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
19:55:29.0843 2636 NetTcpPortSharing - ok
19:55:29.0890 2636 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
19:55:29.0984 2636 NIC1394 - ok
19:55:30.0031 2636 nicconfigsvc (9c454cd857b4c0ccf7a614b047616503) C:\WINDOWS\system32\SimpTcp.dll
19:55:30.0109 2636 nicconfigsvc - ok
19:55:30.0171 2636 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
19:55:30.0203 2636 Nla - ok
19:55:30.0234 2636 nmwcd (f6c40e0a565ee3ce5aeeb325e10054f2) C:\WINDOWS\system32\drivers\ccdcmb.sys
19:55:30.0375 2636 nmwcd - ok
19:55:30.0437 2636 nmwcdc (2a394e9e1fa3565e4b2fea470ffe4d6b) C:\WINDOWS\system32\drivers\ccdcmbo.sys
19:55:30.0500 2636 nmwcdc - ok
19:55:30.0562 2636 nmwcdnsu (99b224f8026cb534724aa3c408561e45) C:\WINDOWS\system32\drivers\nmwcdnsu.sys
19:55:30.0625 2636 nmwcdnsu - ok
19:55:30.0687 2636 nmwcdnsuc (d23257682d349a5e2e4507ed33decc16) C:\WINDOWS\system32\drivers\nmwcdnsuc.sys
19:55:30.0750 2636 nmwcdnsuc - ok
19:55:30.0781 2636 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
19:55:30.0875 2636 Npfs - ok
19:55:30.0953 2636 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
19:55:31.0046 2636 Ntfs - ok
19:55:31.0046 2636 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
19:55:31.0140 2636 NtLmSsp - ok
19:55:31.0171 2636 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
19:55:31.0281 2636 NtmsSvc - ok
19:55:31.0328 2636 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
19:55:31.0421 2636 Null - ok
19:55:31.0750 2636 nv (ceab17ba3e0f7de96a4649f896b35131) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
19:55:32.0125 2636 nv ( UnsignedFile.Multi.Generic ) - warning
19:55:32.0125 2636 nv - detected UnsignedFile.Multi.Generic (1)
19:55:32.0234 2636 NVSvc (df6fd57d6807ae459b3463fbfda02d49) C:\WINDOWS\system32\nvsvc32.exe
19:55:32.0265 2636 NVSvc ( UnsignedFile.Multi.Generic ) - warning
19:55:32.0265 2636 NVSvc - detected UnsignedFile.Multi.Generic (1)
19:55:32.0265 2636 NWHOST - ok
19:55:32.0296 2636 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:55:32.0390 2636 NwlnkFlt - ok
19:55:32.0390 2636 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:55:32.0500 2636 NwlnkFwd - ok
19:55:32.0531 2636 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
19:55:32.0625 2636 ohci1394 - ok
19:55:32.0625 2636 omci - ok
19:55:32.0750 2636 ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
19:55:32.0765 2636 ose - ok
19:55:32.0812 2636 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
19:55:32.0906 2636 Parport - ok
19:55:32.0906 2636 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
19:55:32.0984 2636 PartMgr - ok
19:55:33.0015 2636 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
19:55:33.0125 2636 ParVdm - ok
19:55:33.0171 2636 pccsmcfd (fd2041e9ba03db7764b2248f02475079) C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys
19:55:33.0218 2636 pccsmcfd - ok
19:55:33.0265 2636 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
19:55:33.0359 2636 PCI - ok
19:55:33.0359 2636 PCIDump - ok
19:55:33.0375 2636 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
19:55:33.0468 2636 PCIIde - ok
19:55:33.0515 2636 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
19:55:33.0593 2636 Pcmcia - ok
19:55:33.0593 2636 pdlndldl - ok
19:55:33.0593 2636 perc2 - ok
19:55:33.0593 2636 perc2hib - ok
19:55:33.0625 2636 pgpsdkservice - ok
19:55:33.0625 2636 pktfilter - ok
19:55:33.0687 2636 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
19:55:33.0703 2636 PlugPlay - ok
19:55:33.0718 2636 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
19:55:33.0796 2636 PolicyAgent - ok
19:55:33.0828 2636 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
19:55:33.0937 2636 PptpMiniport - ok
19:55:33.0937 2636 procexp100 - ok
19:55:33.0937 2636 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
19:55:34.0015 2636 ProtectedStorage - ok
19:55:34.0015 2636 protectionservice - ok
19:55:34.0015 2636 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
19:55:34.0093 2636 PSched - ok
19:55:34.0125 2636 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
19:55:34.0218 2636 Ptilink - ok
19:55:34.0234 2636 ql1080 - ok
19:55:34.0234 2636 Ql10wnt - ok
19:55:34.0234 2636 ql12160 - ok
19:55:34.0234 2636 ql1240 - ok
19:55:34.0234 2636 ql1280 - ok
19:55:34.0250 2636 ql2100 - ok
19:55:34.0437 2636 RapportCerberus_34302 (6b6f0a77365667912360ff1d5e984f25) C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys
19:55:34.0453 2636 RapportCerberus_34302 - ok
19:55:34.0500 2636 RapportEI (43b9aa1423bf54367c5a3de1559780e8) C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
19:55:34.0515 2636 RapportEI - ok
19:55:34.0640 2636 RapportIaso (dd3e4610de9252a957c5bd19bdf47ac4) c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\28896\rapportiaso.sys
19:55:34.0640 2636 RapportIaso - ok
19:55:34.0656 2636 RapportKELL (118600ab8f15fe27f2c865f3fb4efa58) C:\WINDOWS\system32\Drivers\RapportKELL.sys
19:55:34.0656 2636 RapportKELL - ok
19:55:34.0734 2636 RapportMgmtService (d9ef54568fafcb4be4637068e768409a) C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
19:55:34.0765 2636 RapportMgmtService - ok
19:55:34.0796 2636 RapportPG (4af05a67b643a5190dfcbb793273e0bc) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
19:55:34.0812 2636 RapportPG - ok
19:55:34.0812 2636 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
19:55:34.0890 2636 RasAcd - ok
19:55:34.0937 2636 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
19:55:35.0015 2636 RasAuto - ok
19:55:35.0031 2636 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:55:35.0109 2636 Rasl2tp - ok
19:55:35.0171 2636 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
19:55:35.0250 2636 RasMan - ok
19:55:35.0296 2636 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:55:35.0390 2636 RasPppoe - ok
19:55:35.0406 2636 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
19:55:35.0500 2636 Raspti - ok
19:55:35.0531 2636 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
19:55:35.0609 2636 Rdbss - ok
19:55:35.0609 2636 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
19:55:35.0718 2636 RDPCDD - ok
19:55:35.0750 2636 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
19:55:35.0843 2636 rdpdr - ok
19:55:35.0890 2636 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
19:55:35.0953 2636 RDPWD - ok
19:55:35.0984 2636 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
19:55:36.0093 2636 RDSessMgr - ok
19:55:36.0125 2636 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
19:55:36.0234 2636 redbook - ok
19:55:36.0281 2636 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
19:55:36.0375 2636 RemoteAccess - ok
19:55:36.0421 2636 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
19:55:36.0515 2636 RemoteRegistry - ok
19:55:36.0531 2636 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
19:55:36.0625 2636 RFCOMM - ok
19:55:36.0859 2636 RichVideo (4d05898896ec49cf663dda61041ab096) C:\Program Files\CyberLink\Shared Files\RichVideo.exe
19:55:36.0875 2636 RichVideo - ok
19:55:36.0875 2636 roxmediadb - ok
19:55:36.0890 2636 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
19:55:36.0968 2636 RpcLocator - ok
19:55:37.0015 2636 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
19:55:37.0046 2636 RpcSs - ok
19:55:37.0093 2636 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
19:55:37.0187 2636 RSVP - ok
19:55:37.0234 2636 RTL8023xp (69ee1e8dc0c750a5d03739e6e9429959) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
19:55:37.0265 2636 RTL8023xp ( UnsignedFile.Multi.Generic ) - warning
19:55:37.0265 2636 RTL8023xp - detected UnsignedFile.Multi.Generic (1)
19:55:37.0296 2636 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
19:55:37.0375 2636 rtl8139 - ok
19:55:37.0390 2636 SaiMini - ok
19:55:37.0421 2636 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
19:55:37.0484 2636 SamSs - ok
19:55:37.0593 2636 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
19:55:37.0593 2636 SASDIFSV - ok
19:55:37.0609 2636 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
19:55:37.0625 2636 SASKUTIL - ok
19:55:37.0640 2636 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
19:55:37.0750 2636 SCardSvr - ok
19:55:37.0796 2636 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
19:55:37.0890 2636 Schedule - ok
19:55:38.0000 2636 SdReadSpool (b9443470baae569d9a3fabbfeb35c4e7) C:\Program Files\SolidDocuments\SolidPDFCreator\SPC\SolidPdfService.exe
19:55:38.0015 2636 SdReadSpool - ok
19:55:38.0046 2636 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
19:55:38.0109 2636 Secdrv - ok
19:55:38.0171 2636 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
19:55:38.0250 2636 seclogon - ok
19:55:38.0265 2636 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
19:55:38.0328 2636 SENS - ok
19:55:38.0390 2636 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
19:55:38.0468 2636 Serial - ok
19:55:38.0562 2636 ServiceLayer (f31e9531af225ca25350d5e87e999b31) C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
19:55:38.0578 2636 ServiceLayer - ok
19:55:38.0593 2636 SfCtlCom - ok
19:55:38.0656 2636 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
19:55:38.0765 2636 Sfloppy - ok
19:55:38.0765 2636 sfsync04 - ok
19:55:38.0828 2636 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
19:55:38.0921 2636 SharedAccess - ok
19:55:38.0968 2636 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
19:55:38.0968 2636 ShellHWDetection - ok
19:55:38.0984 2636 Simbad - ok
19:55:39.0000 2636 SiRemFil - ok
19:55:39.0000 2636 smartwiservice - ok
19:55:39.0015 2636 smservaz - ok
19:55:39.0015 2636 softfax - ok
19:55:39.0015 2636 Sparrow - ok
19:55:39.0062 2636 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
19:55:39.0140 2636 splitter - ok
19:55:39.0171 2636 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
19:55:39.0203 2636 Spooler - ok
19:55:39.0296 2636 SpyHunter 4 Service (63f2b52947577dbb075fe646bc758a2f) C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
19:55:39.0359 2636 SpyHunter 4 Service - ok
19:55:39.0375 2636 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
19:55:39.0437 2636 sr - ok
19:55:39.0500 2636 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
19:55:39.0546 2636 srservice - ok
19:55:39.0593 2636 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
19:55:39.0640 2636 Srv - ok
19:55:39.0687 2636 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
19:55:39.0750 2636 SSDPSRV - ok
19:55:39.0796 2636 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
19:55:39.0906 2636 stisvc - ok
19:55:39.0937 2636 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
19:55:40.0031 2636 swenum - ok
19:55:40.0078 2636 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
19:55:40.0171 2636 swmidi - ok
19:55:40.0171 2636 SwPrv - ok
19:55:40.0171 2636 symc810 - ok
19:55:40.0171 2636 symc8xx - ok
19:55:40.0203 2636 symdns - ok
19:55:40.0203 2636 sym_hi - ok
19:55:40.0203 2636 sym_u3 - ok
19:55:40.0234 2636 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
19:55:40.0312 2636 sysaudio - ok
19:55:40.0343 2636 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
19:55:40.0437 2636 SysmonLog - ok
19:55:40.0484 2636 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
19:55:40.0593 2636 TapiSrv - ok
19:55:40.0656 2636 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:55:40.0687 2636 Tcpip - ok
19:55:40.0734 2636 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
19:55:40.0828 2636 TDPIPE - ok
19:55:40.0828 2636 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
19:55:40.0937 2636 TDTCP - ok
19:55:40.0953 2636 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
19:55:41.0062 2636 TermDD - ok
19:55:41.0093 2636 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
19:55:41.0171 2636 TermService - ok
19:55:41.0234 2636 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
19:55:41.0234 2636 Themes - ok
19:55:41.0281 2636 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
19:55:41.0328 2636 TlntSvr - ok
19:55:41.0343 2636 TosIde - ok
19:55:41.0406 2636 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
19:55:41.0484 2636 TrkWks - ok
19:55:41.0484 2636 trlokom_rmhsvc - ok
19:55:41.0500 2636 U2SP - ok
19:55:41.0531 2636 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
19:55:41.0625 2636 Udfs - ok
19:55:41.0625 2636 ultra - ok
19:55:41.0687 2636 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
19:55:41.0781 2636 Update - ok
19:55:41.0828 2636 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
19:55:41.0890 2636 upnphost - ok
19:55:41.0937 2636 upperdev (47f5f9d837d80ffd5882a14db9da0a67) C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys
19:55:42.0015 2636 upperdev - ok
19:55:42.0062 2636 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
19:55:42.0156 2636 UPS - ok
19:55:42.0156 2636 upsentry_smart - ok
19:55:42.0156 2636 USB11LDR - ok
19:55:42.0156 2636 USBAAPL - ok
19:55:42.0218 2636 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
19:55:42.0312 2636 usbehci - ok
19:55:42.0359 2636 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
19:55:42.0453 2636 usbhub - ok
19:55:42.0484 2636 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
19:55:42.0546 2636 usbprint - ok
19:55:42.0562 2636 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
19:55:42.0656 2636 usbscan - ok
19:55:42.0671 2636 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\drivers\usbser.sys
19:55:42.0750 2636 usbser - ok
19:55:42.0765 2636 UsbserFilt (e44f0d17be0908b58dcc99ccb99c6c32) C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys
19:55:42.0812 2636 UsbserFilt - ok
19:55:42.0828 2636 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:55:42.0906 2636 USBSTOR - ok
19:55:42.0968 2636 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
19:55:43.0062 2636 usbuhci - ok
19:55:43.0062 2636 USBVCD - ok
19:55:43.0109 2636 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
19:55:43.0203 2636 VgaSave - ok
19:55:43.0203 2636 ViaIde - ok
19:55:43.0218 2636 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
19:55:43.0296 2636 VolSnap - ok
19:55:43.0296 2636 vrservice - ok
19:55:43.0328 2636 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
19:55:43.0390 2636 VSS - ok
19:55:43.0390 2636 w29n51 - ok
19:55:43.0421 2636 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
19:55:43.0515 2636 W32Time - ok
19:55:43.0546 2636 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
19:55:43.0640 2636 Wanarp - ok
19:55:43.0640 2636 wap3gx - ok
19:55:43.0703 2636 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
19:55:43.0718 2636 Wdf01000 - ok
19:55:43.0734 2636 WDICA - ok
19:55:43.0750 2636 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
19:55:43.0859 2636 wdmaud - ok
19:55:43.0906 2636 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
19:55:44.0031 2636 WebClient - ok
19:55:44.0078 2636 wfxsvc (be2157595c087207676ec716a6be4cce) C:\WINDOWS\system32\WFXSVC.EXE
19:55:44.0078 2636 wfxsvc ( UnsignedFile.Multi.Generic ) - warning
19:55:44.0078 2636 wfxsvc - detected UnsignedFile.Multi.Generic (1)
19:55:44.0203 2636 winachsf (be3a842c2f2e87e7c840d36bcf13e8e0) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
19:55:44.0281 2636 winachsf - ok
19:55:44.0390 2636 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
19:55:44.0468 2636 winmgmt - ok
19:55:44.0468 2636 winpowermanager - ok
19:55:44.0578 2636 WinRM (18f347402da544a780949b8fdf83351b) C:\WINDOWS\system32\WsmSvc.dll
19:55:44.0656 2636 WinRM - ok
19:55:44.0687 2636 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
19:55:44.0734 2636 WmdmPmSN - ok
19:55:44.0828 2636 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
19:55:44.0906 2636 Wmi - ok
19:55:44.0937 2636 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
19:55:45.0062 2636 WmiApSrv - ok
19:55:45.0234 2636 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
19:55:45.0343 2636 WMPNetworkSvc - ok
19:55:45.0406 2636 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
19:55:45.0437 2636 WpdUsb - ok
19:55:45.0484 2636 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
19:55:45.0578 2636 WS2IFSL - ok
19:55:45.0687 2636 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
19:55:45.0765 2636 wscsvc - ok
19:55:45.0812 2636 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
19:55:45.0890 2636 wuauserv - ok
19:55:45.0937 2636 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
19:55:45.0984 2636 WudfPf - ok
19:55:46.0015 2636 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
19:55:46.0046 2636 WudfRd - ok
19:55:46.0093 2636 WudfSvc (ddee3682fe97037c45f4d7ab467cb8b6) C:\WINDOWS\System32\WUDFSvc.dll
19:55:46.0109 2636 WudfSvc - ok
19:55:46.0187 2636 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
19:55:46.0312 2636 WZCSVC - ok
19:55:46.0343 2636 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
19:55:46.0468 2636 xmlprov - ok
19:55:46.0578 2636 {95808DC4-FA4A-4c74-92FE-5B863F82066B} (8098180b3f6c430a4e60333bc036f936) C:\Program Files\CyberLink\PowerDVD\000.fcl
19:55:46.0593 2636 {95808DC4-FA4A-4c74-92FE-5B863F82066B} - ok
19:55:46.0625 2636 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
19:55:46.0812 2636 \Device\Harddisk0\DR0 - ok
19:55:46.0812 2636 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk1\DR1
19:55:47.0296 2636 \Device\Harddisk1\DR1 - ok
19:55:47.0296 2636 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk2\DR5
19:55:47.0437 2636 \Device\Harddisk2\DR5 - ok
19:55:47.0453 2636 Boot (0x1200) (de17a28ffae56733026be20e47e5fe8c) \Device\Harddisk0\DR0\Partition0
19:55:47.0453 2636 \Device\Harddisk0\DR0\Partition0 - ok
19:55:47.0453 2636 Boot (0x1200) (ab81bc14f7e65a74e1d70e016623b088) \Device\Harddisk1\DR1\Partition0
19:55:47.0453 2636 \Device\Harddisk1\DR1\Partition0 - ok
19:55:47.0453 2636 Boot (0x1200) (f0463477c940dfacd8991233674ec997) \Device\Harddisk1\DR1\Partition1
19:55:47.0453 2636 \Device\Harddisk1\DR1\Partition1 - ok
19:55:47.0453 2636 Boot (0x1200) (eeec5da32dfa12e1263fca298252a021) \Device\Harddisk2\DR5\Partition0
19:55:47.0453 2636 \Device\Harddisk2\DR5\Partition0 - ok
19:55:47.0468 2636 Boot (0x1200) (8cbb6491629c9a350163059652938fd4) \Device\Harddisk2\DR5\Partition1
19:55:47.0484 2636 \Device\Harddisk2\DR5\Partition1 - ok
19:55:47.0484 2636 ============================================================
19:55:47.0484 2636 Scan finished
19:55:47.0484 2636 ============================================================
19:55:47.0578 2552 Detected object count: 4
19:55:47.0578 2552 Actual detected object count: 4
19:56:03.0953 2552 nv ( UnsignedFile.Multi.Generic ) - skipped by user
19:56:03.0953 2552 nv ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:56:03.0953 2552 NVSvc ( UnsignedFile.Multi.Generic ) - skipped by user
19:56:03.0953 2552 NVSvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:56:03.0953 2552 RTL8023xp ( UnsignedFile.Multi.Generic ) - skipped by user
19:56:03.0953 2552 RTL8023xp ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:56:03.0953 2552 wfxsvc ( UnsignedFile.Multi.Generic ) - skipped by user
19:56:03.0953 2552 wfxsvc ( UnsignedFile.Multi.Generic ) - User select action: Skip

osjknights
2012-04-30, 21:11
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-30 19:58:44
-----------------------------
19:58:44.687 OS Version: Windows 5.1.2600 Service Pack 3
19:58:44.687 Number of processors: 4 586 0xF0B
19:58:44.687 ComputerName: KNIGHTS-2EE6007 UserName:
19:58:45.515 Initialize success
20:00:41.296 AVAST engine defs: 12043001
20:01:26.453 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
20:01:26.453 Disk 0 Vendor: WDC_WD2500JS-55NCB1 10.02E01 Size: 238475MB BusType: 3
20:01:26.453 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
20:01:26.453 Disk 1 Vendor: WDC_WD10EARS-00MVWB0 51.0AB51 Size: 953869MB BusType: 3
20:01:26.468 Disk 0 MBR read successfully
20:01:26.468 Disk 0 MBR scan
20:01:26.500 Disk 0 Windows XP default MBR code
20:01:26.500 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238464 MB offset 63
20:01:26.500 Disk 0 scanning sectors +488376000
20:01:26.609 Disk 0 scanning C:\WINDOWS\system32\drivers
20:01:37.171 Service scanning
20:01:59.812 Modules scanning
20:02:06.546 Disk 0 trace - called modules:
20:02:06.578 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS BlackBox.SYS
20:02:06.578 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aeadab8]
20:02:06.578 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000077[0x8aeb8030]
20:02:06.578 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8aee6d98]
20:02:08.531 AVAST engine scan C:\WINDOWS
20:02:16.421 AVAST engine scan C:\WINDOWS\system32
20:04:53.484 AVAST engine scan C:\WINDOWS\system32\drivers
20:05:10.500 AVAST engine scan C:\Documents and Settings\Dr Michael Foster
20:06:31.843 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Dr Michael Foster\Desktop\MBR.dat"
20:06:31.843 The log file has been saved successfully to "C:\Documents and Settings\Dr Michael Foster\Desktop\aswMBR.txt"

osjknights
2012-04-30, 21:12
THIS ONE ENDS WITH A WARNING OF A POSSIBLE ROOTKIT

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #4
==============================================
>SSDT State
==============================================
ntkrnlpa.exe-->NtAssignProcessToJobObject, Type: Address change 0x805D6642-->B594D086 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtCreateFile, Type: Address change 0x805790A8-->B594DBE4 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtCreateThread, Type: Address change 0x805D1018-->B5B915E0 [C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys]
ntkrnlpa.exe-->NtDeleteFile, Type: Address change 0x80576C50-->B594DDDC [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtDeleteKey, Type: Address change 0x8062458C-->B59515B2 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtDeleteValueKey, Type: Address change 0x8062475C-->B59515E4 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtLoadKey, Type: Address change 0x80626314-->B5951746 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtOpenFile, Type: Address change 0x8057A1A6-->B594DCFC [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtOpenProcess, Type: Address change 0x805CB440-->B5017F3C [C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys]
ntkrnlpa.exe-->NtOpenThread, Type: Address change 0x805CB6CC-->B594D3F0 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtProtectVirtualMemory, Type: Address change 0x805B841E-->B594D522 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtQueryValueKey, Type: Address change 0x80622314-->B59516BC [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtRenameKey, Type: Address change 0x80623B12-->B5951626 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtReplaceKey, Type: Address change 0x806261C4-->B5951658 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtRestoreKey, Type: Address change 0x80625AD0-->B595168A [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtSetContextThread, Type: Address change 0x805D173A-->B594D02C [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtSetInformationFile, Type: Address change 0x8057B034-->B594DE82 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtSetValueKey, Type: Address change 0x80622662-->B595154A [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtSuspendThread, Type: Address change 0x805D48F4-->B594CFC6 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
ntkrnlpa.exe-->NtTerminateProcess, Type: Address change 0x805D29E2-->B5017FE4 [C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys]
ntkrnlpa.exe-->NtTerminateThread, Type: Address change 0x805D2BDC-->B5018080 [C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys]
ntkrnlpa.exe-->NtWriteVirtualMemory, Type: Address change 0x805B43CC-->B501811C [C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys]
==============================================
>Shadow
==============================================
win32k.sys-->NtGdiAlphaBlend, Type: Address change 0xBF831475-->B5953E54 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
win32k.sys-->NtGdiBitBlt, Type: Address change 0xBF8098F2-->B5953CB4 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
win32k.sys-->NtGdiGetPixel, Type: Address change 0xBF8649A1-->B5953D02 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
win32k.sys-->NtGdiMaskBlt, Type: Address change 0xBF828A2A-->B5953D8E [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
win32k.sys-->NtGdiPlgBlt, Type: Address change 0xBF946632-->B5953DDC [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
win32k.sys-->NtGdiStretchBlt, Type: Address change 0xBF89454D-->B5953D34 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
win32k.sys-->NtGdiTransparentBlt, Type: Address change 0xBF895025-->B5953E18 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
win32k.sys-->NtUserFindWindowEx, Type: Address change 0xBF85BDAF-->B594E2DE [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
win32k.sys-->NtUserGetAsyncKeyState, Type: Address change 0xBF89C3CB-->B501843A [C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys]
win32k.sys-->NtUserGetKeyboardState, Type: Address change 0xBF85BC6A-->B50183A6 [C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys]
win32k.sys-->NtUserGetKeyState, Type: Address change 0xBF81C550-->B50183E6 [C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys]
win32k.sys-->NtUserPrintWindow, Type: Address change 0xBF891A5E-->B5953E90 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
win32k.sys-->NtUserQueryWindow, Type: Address change 0xBF80A0E2-->B594E252 [C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys]
win32k.sys-->NtUserSetWindowsHookEx, Type: Address change 0xBF85F5D2-->B5018338 [C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys]
==============================================
>Processes
==============================================
0x8AF36830 [4] System
0x8A56A5B0 [128] C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0x8A583DA0 [288] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8A588BC0 [320] C:\WINDOWS\explorer.exe (Microsoft Corporation, Windows Explorer)
0x8A5905B8 [492] C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o., AVG Watchdog Service)
0x8A31E7C0 [536] C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia, ServiceLayer Module)
0x8A55EBC0 [544] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8A54EDA0 [672] C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc., Java(TM) Quick Starter Service)
0x8A87D9E0 [692] C:\WINDOWS\system32\smss.exe (Microsoft Corporation, Windows NT Session Manager)
0x8A52E800 [1012] C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation, Malwarebytes Anti-Malware)
0x8A7B6DA0 [1020] C:\WINDOWS\system32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x8A7B6B20 [1056] C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation, Windows NT Logon Application)
0x8A707DA0 [1112] C:\WINDOWS\system32\services.exe (Microsoft Corporation, Services and Controller app)
0x8A110DA0 [1116] C:\Program Files\AVG\AVG2012\avgui.exe (AVG Technologies CZ, s.r.o., AVG User Interface)
0x8A74F5A8 [1124] C:\WINDOWS\system32\lsass.exe (Microsoft Corporation, LSA Shell (Export Version))
0x8A15EB98 [1364] C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe (Nokia, Microsoft Bluetooth Media Server)
0x8A6EDB18 [1396] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8A663020 [1468] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8A64C9E0 [1512] C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (Trusteer Ltd., RapportMgmtService)
0x8A4FF9E0 [1556] C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation, NVIDIA Driver Helper Service, Version 158.27)
0x8A97C470 [1580] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8A998020 [1624] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8A500B28 [1700] C:\Program Files\CyberLink\Shared Files\RichVideo.exe (-, RichVideo Module)
0x8A4D6458 [1824] C:\Program Files\SolidDocuments\SolidPDFCreator\SPC\SolidPdfService.exe (Solid Documents, LLC, Solid Spool Service)
0x8A5D8818 [1872] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8A5B5DA0 [1904] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8A575BC0 [1996] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8A4B13D8 [2064] C:\WINDOWS\system32\WFXSVC.EXE (Symantec Corporation, Symantec WinFax PRO NT Service)
0x8A4AFAF0 [2104] C:\Program Files\winfax\WFXMOD32.EXE (Symantec Corporation, WinFax Pro Serial Modem Driver)
0x8A4E5BC0 [2132] C:\WINDOWS\system32\WFXSNT40.EXE (Microsoft Corporation, Delrina Fax Port Launcher)
0x8A492740 [2256] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp., Realtek HD Audio Control Panel)
0x8A6F5948 [2500] C:\WINDOWS\system32\rundll32.exe (Microsoft Corporation, Run a DLL as an App)
0x8A4869E0 [2568] C:\Program Files\FaxTalk\FTmsgsvc.exe (Thought Communications, Inc., FaxTalk Service Module)
0x8A435DA0 [2648] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc., Java(TM) Update Scheduler)
0x8A14E020 [2680] C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE (Microsoft Corporation, Microsoft Office Word)
0x8A472A10 [2752] C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe (ScanSoft, Inc., OCR Aware)
0x8A58FBD8 [2768] C:\Program Files\FaxTalk\FTclctrl.exe (Thought Communications, Inc., FaxTalk CallControl)
0x8A404B30 [2872] C:\Program Files\FaxTalk\fapiexe.exe (Thought Communications, Inc., FaxTalk FAPI Module)
0x8A420BD8 [2880] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp., PowerDVD RC Service)
0x8A418BD0 [2984] C:\Documents and Settings\Dr Michael Foster\Desktop\Malware Tools\RKUnhookerLE.EXE (UG North, RKULE, SR2 Overlord)
0x8A3DA9E8 [3196] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o., AVG Tray Monitor)
0x8A3E6320 [3248] C:\WINDOWS\system32\rundll32.exe (Microsoft Corporation, Run a DLL as an App)
0x8A36E5C0 [3312] C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe (Nokia, Nokia Launch Application)
0x8AC63C18 [3476] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation, CTF Loader)
0x8A465410 [3700] C:\WINDOWS\system32\WudfHost.exe (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Host Process)
0x8A3549F0 [3868] C:\WINDOWS\system32\alg.exe (Microsoft Corporation, Application Layer Gateway Service)
0x8A39C5B8 [3916] C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation, Windows Security Center Notification App)
0x8A2369A0 [3932] C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE (Microsoft Corporation, Microsoft Office Outlook)
==============================================
>Drivers
==============================================
0xB96F9000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 6742016 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 158.27 )
0xB5BEF000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 6168576 bytes (Realtek Semiconductor Corp., Realtek(r) High Definition Audio Function Driver)
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 5423104 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 158.27 )
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0x804D7000 RAW 2154496 bytes
0x804D7000 WMIxWDM 2154496 bytes
0xBF800000 Win32k 1863680 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1863680 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB952A000 C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys 991232 bytes (Conexant Systems, Inc., HSF_DP driver)
0xB9477000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 733184 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xB9E1E000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB58DC000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB93C1000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB5A76000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB4D17000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBF53E000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB5A09000 C:\WINDOWS\system32\DRIVERS\avgtdix.sys 290816 bytes (AVG Technologies CZ, s.r.o., AVG Network connection watcher)
0xB5B0A000 C:\WINDOWS\System32\Drivers\bthport.sys 274432 bytes (Microsoft Corporation, Bluetooth Bus Driver)
0xB963F000 C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys 270336 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)
0xB46C6000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB58A5000 C:\WINDOWS\system32\DRIVERS\avgldx86.sys 225280 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
0xB5B6D000 C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys 221184 bytes
0xB941F000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB4F12000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9DF1000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB4015000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xB5972000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB9699000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xB59E1000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB5355000 C:\WINDOWS\System32\Drivers\CLBUDF.SYS 159744 bytes (CyberLink Corporation., UDF File System Driver )
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB5A50000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB594C000 C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys 155648 bytes (Trusteer Ltd., RapportPG)
0xB5331000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xB5BCB000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB96C1000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB961C000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB59BF000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xB599D000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0xB40E0000 C:\WINDOWS\system32\DRIVERS\wudfrd.sys 135168 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Reflector)
0x806E5000 ACPI_HAL 134400 bytes
0x806E5000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB4AEF000 C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys 131072 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Driver.)
0xB9EEB000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9DD7000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB588C000 C:\WINDOWS\system32\DRIVERS\bthpan.sys 102400 bytes (Microsoft Corporation, Bluetooth Personal Area Networking)
0xB9F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB56BC000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB9681000 C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys 98304 bytes (Realtek Semiconductor Corporation, Realtek 10/100/1000 NDIS 5.1 Driver)
0xB9EC2000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB9460000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB9EAB000 WudfPf.sys 94208 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xB4ED5000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB96E5000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB5ACF000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB9ED9000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB944F000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB5320000 C:\WINDOWS\System32\Drivers\Udfs.SYS 69632 bytes (Microsoft Corporation, UDF File System Driver)
0xBA2D8000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA178000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA0B8000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xBA278000 C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys 65536 bytes (Trusteer Ltd., RapportEI)
0xBA228000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA188000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xBA2A8000 C:\WINDOWS\system32\DRIVERS\rfcomm.sys 61440 bytes (Microsoft Corporation, Bluetooth RFCOMM Driver)
0xB586C000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA208000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA0C8000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xBA248000 C:\WINDOWS\system32\DRIVERS\avgmfx86.sys 53248 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
0xBA108000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA158000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xBA198000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0E8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA118000 RapportKELL.sys 49152 bytes (Trusteer Ltd., RapportKE)
0xBA1B8000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA288000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA168000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0D8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA1A8000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA2B8000 C:\WINDOWS\system32\DRIVERS\bthmodem.sys 40960 bytes (Microsoft Corporation, Bluetooth Communications Driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA1E8000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA1D8000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xB40B0000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xBA0F8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA148000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA1C8000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA268000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xBA258000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA488000 C:\DOCUME~1\DRMICH~1\LOCALS~1\Temp\catchme.sys 32768 bytes
0xBA3A8000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xBA4A0000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA390000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA338000 avgrkx86.sys 28672 bytes (AVG Technologies CZ, s.r.o., AVG Anti-Rootkit Driver)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA380000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xBA3D8000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xBA3C0000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA3B8000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA398000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xBA388000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xBA478000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA3B0000 C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys 20480 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Filter Driver.)
0xBA3D0000 C:\WINDOWS\system32\DRIVERS\BthEnum.sys 20480 bytes (Microsoft Corporation, Bluetooth Bus Extender)
0xBA480000 C:\WINDOWS\System32\Drivers\BTHUSB.sys 20480 bytes (Microsoft Corporation, Bluetooth Miniport Driver)
0xBA490000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA408000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA418000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xBA3F8000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA410000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB452B000 C:\WINDOWS\system32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xBA4BC000 AVGIDSEH.Sys 16384 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Helper Driver.)
0xB54AC000 C:\WINDOWS\system32\drivers\mbam.sys 16384 bytes (Malwarebytes Corporation, Malwarebytes Anti-Malware)
0xB4D9F000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface x86 Driver)
0xB9DAF000 C:\WINDOWS\system32\drivers\MODEMCSA.sys 16384 bytes (Microsoft Corporation, Unimodem CSA Filter)
0xBA59C000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB518C000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB5017000 C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys 12288 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Loader Driver.)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xBA56C000 C:\WINDOWS\System32\Drivers\CLBStor.SYS 12288 bytes (Cyberlink Co.,Ltd., Cyberlink Storage Helper Driver (WindowsNT5.x))
0xB5750000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xBA578000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB93A9000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB61D5000 C:\WINDOWS\system32\DRIVERS\sfloppy.sys 12288 bytes (Microsoft Corporation, SCSI Floppy Driver)
0xB61F5000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
0xBA5EC000 C:\Program Files\CyberLink\PowerDVD\000.fcl 8192 bytes (Cyberlink Corp., FCL Driver)
0xBA5CE000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xBA5E8000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBA5CA000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5C2000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 8192 bytes (Microsoft Corporation, I2O Utility Filter)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA5D2000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA622000 C:\WINDOWS\system32\Drivers\PROCEXP113.SYS 8192 bytes
0xBA5D6000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5B6000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5BE000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA7AF000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA70C000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA6BE000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
!-->[Hidden] C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP9\A0004951.data
!-->[Hidden] C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP9\A0004952.data
!-->[Hidden] C:\System Volume Information\_restore{478AB6F6-415F-4FEB-AA31-13E8A304D821}\RP9\A0004953.ini
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0006ECEE, Type: Inline - RelativeJump 0x80545CEE-->80545CF5 [ntkrnlpa.exe]
[1512]RapportMgmtService.exe-->kernel32.dll+0x00001BB9, Type: Code Mismatch 0x7C801BB9 + 7097 [43 E4 25 F5]
[1512]RapportMgmtService.exe-->ntdll.dll-->KiUserApcDispatcher, Type: Inline - RelativeJump 0x7C90E450-->00414DA0 [RapportMgmtService.exe]
[1512]RapportMgmtService.exe-->ws2_32.dll-->getaddrinfo, Type: Inline - RelativeJump 0x71AB2A6F-->71A00022 [unknown_code_page]
[1512]RapportMgmtService.exe-->ws2_32.dll-->gethostbyname, Type: Inline - RelativeJump 0x71AB5355-->71A90022 [unknown_code_page]
[320]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
[320]explorer.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->5CB77774 [shimeng.dll]
[320]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->5CB77774 [shimeng.dll]
[320]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CB77774 [shimeng.dll]
[320]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]
[320]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]
[320]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->5CB77774 [shimeng.dll]
[320]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->5CB77774 [shimeng.dll]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
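
As an added example, not part of the original thread or of the Rootkit Unhooker tool: a small Python parser for the "Hooks" section of the RKU report pasted above, grouping each hook by the module that owns its destination so that the entries RKU could not attribute to any loaded module ("unknown_code_page") are pulled out for manual review. The line format is inferred from the report; the sample lines are a constructed subset of it.

```python
"""Parse the "Hooks" section of a Rootkit Unhooker (RKU) report for triage.

Added example, not from the original thread: the line format is inferred from
the report above, and SAMPLE_HOOKS is a constructed subset of its lines.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the Hooks section pasted in the thread.
SAMPLE_HOOKS = """\
ntkrnlpa.exe+0x0006ECEE, Type: Inline - RelativeJump 0x80545CEE-->80545CF5 [ntkrnlpa.exe]
[1512]RapportMgmtService.exe-->kernel32.dll+0x00001BB9, Type: Code Mismatch 0x7C801BB9 + 7097 [43 E4 25 F5]
[1512]RapportMgmtService.exe-->ntdll.dll-->KiUserApcDispatcher, Type: Inline - RelativeJump 0x7C90E450-->00414DA0 [RapportMgmtService.exe]
[1512]RapportMgmtService.exe-->ws2_32.dll-->getaddrinfo, Type: Inline - RelativeJump 0x71AB2A6F-->71A00022 [unknown_code_page]
[320]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
[320]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CB77774 [shimeng.dll]
"""

HOOK_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\])?"          # optional [pid] prefix (user-mode hooks only)
    r"(?P<chain>.+?), Type: "           # process-->module-->function chain
    r"(?P<kind>.+?) "                   # hook type, e.g. "Inline - RelativeJump"
    r"(?P<detail>0x[0-9A-Fa-f]+.*?) "   # "src-->dst" addresses, or mismatch info
    r"\[(?P<target>[^\]]+)\]$"          # module RKU attributes the destination to
)


@dataclass
class Hook:
    pid: Optional[int]      # None for kernel-mode hooks
    chain: List[str]        # e.g. ["explorer.exe", "kernel32.dll", "GetProcAddress"]
    kind: str
    src: int                # hooked address
    dst: Optional[int]      # jump/IAT destination, None for "Code Mismatch"
    target: str             # owner of dst as reported by RKU

    @property
    def process(self) -> str:
        return self.chain[0]

    @property
    def hooked(self) -> str:
        """Innermost element of the chain: the patched function or export."""
        return self.chain[-1]


def parse_hook_line(line: str) -> Optional[Hook]:
    """Return a Hook for one RKU hook line, or None for non-matching lines."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    detail = m.group("detail")
    if "-->" in detail:
        src_s, dst_s = detail.split("-->", 1)
        dst: Optional[int] = int(dst_s, 16)
    else:
        src_s, dst = detail.split(" ", 1)[0], None   # "0x7C801BB9 + 7097"
    return Hook(
        pid=int(m.group("pid")) if m.group("pid") else None,
        chain=m.group("chain").split("-->"),
        kind=m.group("kind"),
        src=int(src_s, 16),
        dst=dst,
        target=m.group("target"),
    )


def parse_hooks(text: str) -> List[Hook]:
    return [h for h in (parse_hook_line(ln) for ln in text.splitlines()) if h]


def triage(hooks: List[Hook]) -> Dict[str, object]:
    """Group hooks for review.

    "by_target" counts hooks per destination module; "kernel" lists hooks with
    no pid (kernel image patches); "unattributed" lists hooks whose destination
    RKU could not map to any loaded module, which need manual review first.
    """
    return {
        "by_target": Counter(h.target for h in hooks),
        "kernel": [h for h in hooks if h.pid is None],
        "unattributed": [h for h in hooks if h.target == "unknown_code_page"],
    }


if __name__ == "__main__":
    summary = triage(parse_hooks(SAMPLE_HOOKS))
    for target, n in summary["by_target"].most_common():
        print(f"{n:3d}  -> {target}")
    for h in summary["unattributed"]:
        print(f"review: [{h.pid}] {h.process} {h.hooked} {h.kind} dst=0x{h.dst:08X}")
```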

osjknights
2012-04-30, 21:34
On the last report (Rootkit Unhooker) I set it going - was able to begin my work for tomorrow, have dinner, come back and read your reply, as I sent my note (which crossed yours) and still wait another 30 mins, but I hope it yielded some useful info - as a novice I cannot make head nor tail of it!

Again thanks for your patience and time - much appreciated. Although I am beginning to think it may be time to copy all my data to the second hard drive (I also have a third hard drive hooked up and completely empty) AND wipe the drive and reinstall XP! However, if the Trojan can be detected it may be helpful in terms of learning how to solve this particular variant.

I was using Google Images as a fast way of identifying items to purchase. I clicked on one, and a fraud spyware scanner popped up - I went to kill it using the Task Manager to discover it was disabled. I even downloaded a program "Spy Hunter" which claimed to be able to deal with this and paid for it ($47) to discover it failed - and to add insult to injury found the blighters had set up a recurring payment for $47 every six months on my PayPal account - so I cancelled the recurring payments.

The system is more stable and AVG does not keep popping up Trojan warnings anymore, but for safety I disconnect the network cable - which means my network printer cannot be used by the infected machine.

Ah such are the challenges of life.

jeffce
2012-04-30, 22:16
Hi,

I still don't see anything that is bad though that is showing up. :confused:

In my opinion...if this were my computer...I would format and reinstall. With the backdoor capabilities and the number of advanced infections that are on the system, I would not hesitate to just save my files and start from scratch because I could never know for sure that the infection is still not in there hiding and waiting and possibly stealing information of mine.

I can't guarantee that it is a new variant so much as the fact that there were multiple ZeroAccess infections, and if we aren't able to hit everything at once then we won't be able to kill it.

osjknights
2012-05-01, 08:37
I have noticed from the Rootkit Unhooker report that the Rapport entries have been messed with. Rapport (I am sure you know) is a utility to prevent your passwords being passed on to fraudulent sites and came with my Internet Banking from HSBC.

I am in the slow business of transferring my data files to Drive F. - is there any chance I can unwittingly transfer the Trojan over - I have AVG running?

osjknights
2012-05-01, 08:39
Hi

When the data is safely on F, I will remove rapport from the system (via add-remove progs) but did not want to disturb it as yet - or should I?

jeffce
2012-05-01, 13:32
Hi,

If you are moving everything are you just going to format the drive and reinstall Windows? If that is what I am understanding then you should be fine to move over personal files like music, pictures, documents and the like. The infection was all over your system so I would be careful with what you transfer other than those I mentioned. If it were me, I would save my music, pictures and documents and that is it...just start over. It is actually a lot faster and you will have the peace of mind that the infection is gone.

osjknights
2012-05-01, 14:41
I am in the middle of moving all my data. I will scan the files once they are on the second disk to make sure they are OK. Then I will reformat and reinstall - However, before that, once my data is safely out of the way, I will remove Rapport and rerun ComboFix to see if it gives me the error again - it could be that the fact that these files were moved, before the Trojans were wiped, and the fact that the evidence is that these were moved may be the source of the report of Trojan activity.
I have now run every stand alone ZeroAccess Tool going (Symantec, AVG, Panda - all reporting no infection) - with the exception of ComboFix and ZeroAccess Unhooker. Just out of interest!

osjknights
2012-05-02, 01:04
Hi.

I have now saved all my essential files on my second hard disk, and scanned them for malware. I have found an XP installation disk and printed out my key code for XP (thanks to the Belarc utility).

I removed Rapport from the system but ComboFix still reported ZeroAccess activity.

Is there any web site which can instruct me how to format the XP drive, and how to install the system once again?

jeffce
2012-05-02, 03:44
Hi,

I am getting with one of the techs that work with that to give you the best information on how to do it. I will return as quickly as I can. :)

osjknights
2012-05-02, 18:39
Hi.

I have a network printer installed via a USB Port - is there any way I can save the driver to my spare drive, and then copy back to a newly formatted C Drive? It will save me hunting for one on the Internet - I am using a Konica Minolta bizhub C250, and last time I had to find a driver it took me some time to install it.

Michael.

osjknights
2012-05-02, 19:40
Hi.

I have read in the past that you can do a reinstall of XP from the disk which will keep the data intact plus some settings - what is your opinion, or that of your colleagues on that option - it should replace all the operating system and hopefully overwrite the corrupted files?

jeffce
2012-05-02, 21:15
Hi,


I have a network printer installed via a USB Port - is there any way I can save the driver to my spare drive, and then copy back to a newly formatted C Drive?
I think that should be fine as long as you are sure that is the driver. Now that you have everything backed up please do the following to format/reinstall your Windows Operating System:

If your system is listed here then there is a restore to factory settings function. The links are clickable

DELL (http://support.dell.com/support/topics/global.aspx/support/dsn/en/document?c=us&l=en&s=gen&dn=1090151)

LENOVO (IBM) (http://www.pc.ibm.com/us/think/thinkvantagetech/rescuerecovery.html)

ACER (ftp://ftp.work.acer-euro.com/desktop/empowering_technology/eRecovery%201.2.15.1.zip) This will download the E-Recovery Zip file. Unzip then run

So you are going to reformat and re-install Windows?

Preparation is the secret to success so we shall start there:

PREPARATION

1. Ensure you have the following discs
A. Operating System disc or Manufacturers recovery disc.
B. Windows KEY found either in the disc holder for the Windows CD or in a sticker on the side of your system
C. Motherboard drivers disc.
D. ISP disc with Modem/DSL drivers and setup.
E. Programme installation discs (i.e. Word, Photo editing etc.) If you have no discs but downloaded them from the Internet then see below.

If you cannot find your Windows key on your computer or paperwork, then do the following:

To get your XP key, download keyfinder.zip (http://sourceforge.net/project/downloading.php?groupname=keyfinder&filename=keyfinder.2.0.1.zip&use_mirror=heanet) to your desktop. Extract the files and run Keyfinder; this will then locate and display the registration number. Either print it out or copy it down, ensuring that the details are correct.

2. Things to back up for an easy transition. First create a BACKUP folder on your desktop with the following subfolders:

MAIL
VIDEOS/MUSIC/PICTURES
DOCS
LICENCES
PROGRAMMES

To create one on your desktop right click a blank space > select NEW > select FOLDER. To create subfolders open the backup folder and on the file menu select new folder

How to back up Outlook Express items

Step 1: Copy message files to the backup folder

Step A: Locate the Store folder

1. Start Outlook Express.
2. Click Tools, and then click Options.
3. On the Maintenance tab, click Store Folder.
4. In the Store Location dialog box, copy the store location. To do this, follow these steps:
a. Put the mouse pointer at one end of the box under the Your personal message store is located in the following folder box.
b. Press and hold the left mouse button, and then drag the mouse pointer across the Your personal message store is located in the following folder box.
c. Press CTRL+C to copy the location.
5. Click Cancel, and then click Cancel again to close the dialog box.

Step B: Copy the contents of the Store folder

1. Click Start, click Run, press CTRL+V, and then click OK.
2. On the Edit menu, click Select All.
3. On the Edit menu, click Copy, and then close the window.

Step C: Paste the contents of the Store folder into the backup folder
1. Double-click the Mail Backup folder to open it.
2. Right-click inside the Mail Backup folder window, and then click Paste.

Step 2: Export the Address Book to a .csv file

Important Make sure that you follow this step if you use multiple identities in Outlook Express.

Microsoft Outlook Express 5.x and Microsoft Outlook Express 6.0 use a Windows Address Book (.wab) file to store Address Book data. The individual data for each identity is stored in a folder by user name within the .wab file that is used.

The only way to separate the Address Book data for different identities is to export the data to a .csv file while you are logged in as a specific identity. If the .wab file becomes dissociated from the user identities, the data can be exported only as one total. In this case, the data cannot be exported folder by folder.

There is another reason to export the .wab file to a .csv file. If the .wab file not exported to a .csv file, but the .wab file is shared with Microsoft Outlook, the addresses are stored in the personal folders (.pst) file in Outlook. When you export the file to a .csv file by using the File menu in Outlook Express, the correct contacts are exported. However, if the Address Book is shared with Outlook, you cannot use the File menu option to export from the Address Book. This option is unavailable.

To export the Address Book to a .csv file, follow these steps:

1. On the File menu, click Export, and then click Address Book.
2. Click Text File (Comma Separated Values), and then click Export.
3. Click Browse.
4. Select the Mail Backup folder that you created.
5. In the File Name box, type address book backup, and then click Save.
6. Click Next.
7. Click to select the check boxes for the fields that you want to export, and then click Finish.
8. Click OK, and then click Close.


Step 3: Export the mail account to a file

1. On the Tools menu, click Accounts.
2. On the Mail tab, click the mail account that you want to export, and then click Export.
3. In the Save In box, select the Mail Backup folder, and then click Save.
4. Repeat these steps for each mail account that you want to export.
5. Click Close.

Step 4: Export the newsgroup account to a file

1. On the Tools menu, click Accounts.
2. On the News tab, click the news account that you want to export, and then click Export.
3. In the Save In box, select the Mail Backup folder, and then click Save.
4. Repeat these steps for each news account that you want to export.
5. Click Close.


Favorites/Bookmarks

To export the Favorites folder, follow these steps:

1. Start Internet Explorer
2. On the File menu, click Import and Export, and then click Next.
3. Click Export Favorites and then click Next.
4. Click Favorites and then click Next.
5. Type the name of the file that you want to export the favorites to. By default, the export file is named Bookmark.htm.
6. Select your newly created backup folder as the location to save to
7. Click Next and then click Finish.


Personal Documents

1. Open your document processing programme
2. Select options
3. Generally there will be the option to select your save folder
4. Change this to the backup subfolder
5. Save all your files to this location

Videos/Pictures

1. Right click your music file folder(s) and select copy
2. Right click the backup folder and select paste
3. Repeat until all folders are copied to the backup folder

Licence numbers from installed software

1. Start each programme that you have a licence for
2. In the main menu select HELP > ABOUT
3. Generally this is where you will find your licence key
4. Copy the key to a text file along with the programme name and save to the backup folder
http://img360.imageshack.us/img360/1669/licenceam3.th.jpg

Latest version of your Anti-virus and Firewall

Download the latest version from the website and save to your backup folder

Download all installed programs that you wish to keep and do not have disc for

Download the latest version from the website and save to your backup folder



Now you have completed that you will need to copy the entire contents of your new folder to one of the following : USB stick or CD/DVD disc

To do this right click the backup folder and select copy
Then right click the drive (CD or USB) that you are saving to and select paste


FORMATTING PARTITIONING AND INSTALLING

This will totally wipe your hard drive and re-install a fresh copy of Windows. Depending on the original version you have you may need to download SP2, and you will definitely need all the windows updates. To this end you will need to install your Antivirus and Firewall before even attempting to go online.


1. Insert the Windows XP CD into your computer and restart your computer.

2. If prompted to start from the CD, press SPACEBAR. If you miss the prompt (it only appears for a few seconds), restart your computer to try again.

3. Windows XP Setup begins. During this portion of setup, your mouse will not work, so you must use the keyboard, and it should preferably be a PS/2 keyboard as your USB ports may not be operational.

4. On the Welcome to Setup page, press ENTER.

5. On the Windows XP Licensing Agreement page, read the licensing agreement. Press the PAGE DOWN key to scroll to the bottom of the agreement. Then press F8.
http://img64.imageshack.us/img64/8004/xpsetup2windowsxplicenkz1.th.jpg

6. This page enables you to select the hard disk drive on which Windows XP will be installed. Once you complete this step, all data on your hard disk drive will be removed and cannot be recovered. This will initially show your current Windows installation. Press D to delete the partition, and then press L when prompted. This deletes your existing data.
http://img212.imageshack.us/img212/535/xpsetup3partitiondz0.th.jpg

7. This page will be where you now format your hard drive after the deletion of old Windows. Select the option shown
http://img212.imageshack.us/img212/4711/xpsetup4formatlg2.th.jpg

8. You will now see a progress bar as the disc is formatted; go for a cup of tea as this will take a while.
http://img236.imageshack.us/img236/9625/xpsetup5formatprogresspu9.th.jpg

9. Now you will need to set up your keyboard for the right language and currency
http://img212.imageshack.us/img212/8195/xpsetup7regionalandlanjg8.th.jpg

10. This is where you will enter your product key. This will be with the install disc or on a sticker on the side of your system
http://img236.imageshack.us/img236/3554/xpsetup9yourproductkeyae1.th.jpg

11. When you reach this stage then say activate later as we do not wish to go online yet.
http://img236.imageshack.us/img236/9586/xpsetup19readytoactivabz4.th.jpg

12. Again leave this one for now we will register later
http://img104.imageshack.us/img104/6481/xpsetup20readytoregistye8.th.jpg

13. On this page set up the users that will be on your system
http://img179.imageshack.us/img179/1359/xpsetup22whowillusethfy8.th.jpg

14. The system will now continue to load and you now have a clean system

PREPARATION FOR FIRST USE

1. If you need SP2 then insert the disc and install now, following the prompts

2. From your backup disc install the following:

a. Antivirus
b. Firewall

You will need to reboot for both programmes.

3. Install any required motherboard drivers (e.g. wireless etc.)

4. Install any required programmes from Disc or the backup folder.

5. Install your ISP disc if that is required to get you online.

6. Go online and Update :

a. Your Antivirus
b. Windows


NOW REINSTALL YOUR E-MAIL SETTINGS

How to restore Outlook Express items

Note To restore items when you use multiple identities in Outlook Express, you may have to re-create the identities before you follow these steps. Repeat each step as needed for each identity.

Step 1: Import messages from the backup folder

1. On the File menu, point to Import, and then click Messages.
2. In the Select an e-mail program to import from box, click Microsoft Outlook Express 5 or Microsoft Outlook Express 6, and then click Next.
3. Click Import mail from an OE5 store directory or Import mail from an OE6 store directory, and then click OK.
4. Click Browse, and then click the Mail Backup folder.
5. Click OK, and then click Next.
6. Click All folders, click Next, and then click Finish.

Step 2: Import the Address Book file

1. On the File menu, click Import, and then click Other Address Book.
2. Click Text File (Comma Separated Values), and then click Import.
3. Click Browse.
4. Select the Mail Backup folder, click the address book backup.csv file, and then click Open.
5. Click Next, and then click Finish.
6. Click OK, and then click Close.

Step 3: Import the mail account file

1. On the Tools menu, click Accounts.
2. On the Mail tab, click Import.
3. In the Look In box, select the Mail Backup folder.
4. Click the mail account that you want to import, and then click Open.
5. Repeat these steps for each mail account that you want to import.
6. Click Close.

Step 4: Import the newsgroup account file

1. On the Tools menu, click Accounts.
2. On the News tab, click Import.
3. In the Look In box, select the Mail Backup folder.
4. Click the news account that you want to import, and then click Open.
5. Repeat these steps for each news account that you want to import.
6. Click Close.

Import Favorites to Internet Explorer

1. In Internet Explorer, click File, and then click Import and Export.
2. In the Import/Export Wizard, click Next.
3. Select Import Favorites, and then click Next.

Note By default, Internet Explorer creates a Bookmark.htm file in your Documents folder. However, you can import favorites that are saved under another name. To do this, click Browse, select a file or type a location and file name, and then click Next. Alternatively, click Browse, and then click Next to accept the default.

4. Select the folder where you want to put the imported bookmarks, and then click Next.
5. Click Finish.

osjknights
2012-05-03, 11:14
Hi

Work has taken its demands of my time, and I can snatch a moment or two between jobs - however before I take the plunge, there is an XP wizard which can save both files and settings to another drive or set of disks (FAST - files and settings transfer) found under Programs/Accessories/System Tools. As I would like to preserve the settings - will I risk transferring the Trojan using this wizard?

jeffce
2012-05-03, 13:40
Hi,

No problem. I have been fighting with final exams this week myself. :)

Well...I can't give you any guarantees that the infection won't transfer using that tool. The tool may unintentionally pick up a file that it believes is good and move it even though the file is infected.

Your system was one of the most heavily infected systems I have seen and I think that your best course of action would be to manually save your pictures, personal files and music to a USB drive or CD. Once you have that, follow the instructions to format and reinstall your system that I have provided. :)

osjknights
2012-05-03, 22:12
I will have to get a clear run, but will get back with a Report when the deed is done. I guess Monday.

I trust you will do well in your exams and you deserve to get on. Gosh, it takes me back 32 years to when I faced my finals.

With my prayers and good wishes.

Michael.

jeffce
2012-05-03, 22:39
Thank you so much. :bigthumb:

osjknights
2012-05-04, 20:18
Now when I reboot, I am getting the "NTLDR is missing" error, and although I can access the BIOS boot menu (ESP) and choose the hard disk - which it duly boots into, whenever I choose the CD Rom Drive, it does pick Setup and simply returns the "NTLDR is missing" error thus I cannot even begin a fresh install! Are there any colleagues who could help with this?

osjknights
2012-05-05, 10:17
I bypassed the problems of the missing NTLDR by booting into Windows via the BIOS Boot Menu, put the CD into the drive, clicked Setup - and I am on my way! I will let you know the progress.

Again hope all goes well with the exams - no need to reply, just cram a few more moments of revision!

jeffce
2012-05-06, 14:44
Everything going well? :)

osjknights
2012-05-07, 15:47
Hi Jeff

I tried to short cut the task by doing a repair install. My XP Disk is SP2. My system was SP3. Well it installed OK - but the problem was that ie6 was now installed and would not work (mismatch of files, some new, and the reinstall consisted of older ones - this gives 'Ordinal not found error'). Installed ie7. Did not work. Rolled back to ie6 - installed various fixes from the internet - a shortcut worked (linking to the ie folder in the Program Files directory) - but on clicking the Desktop icon, it simply created an i.e. (non working) shortcut - but no i.e. coming to life. Click it again, and another shortcut is created - and so on. I am not the first to have seen this - again tried all manner of fixes but still the problem remained. The workaround is to ignore the Desktop icon (remove it) and work from the shortcut.

Out of curiosity I ran combofix - and lo and behold a familiar message "You are infected with Rootkit.ZeroAccess! etc)!

Well the moral of this story - is forget about any i.e. worries - the rootkit Trojan is still in place, and only a format and fresh install will work. I have opted for a full format (rather than the quick format - belt and braces approach); so at this very moment I am looking at the progress line for the format, 55% thus far.

Will post updates as and when.

The help required is post reinstallation. What is the best trojan defence? AVG failed me - is there a program that would have stopped the infection in its tracks?

I hope your exams are going well - what is your subject?

jeffce
2012-05-07, 17:54
Hi,


only a format and fresh install will work.
Unfortunately with this infection, sometimes that is the only choice. I think you are making the right decision. :)


What is the best trojan defence? AVG failed me - is there a program that would have stopped the infection in its tracks?
I use Avast antivirus which in my opinion is very good. I also like Microsoft Security Essentials, but be sure to only use one of these. Using two active antivirus programs can seriously degrade the performance of a computer.
You can look over them at the following links:
Microsoft Security Essentials (http://www.microsoft.com/security/pc-security/mse.aspx)
Avast (http://www.avast.com/en-au/free-antivirus-download)

jeffce
2012-05-09, 04:34
Were you able to get everything sorted? :)

osjknights
2012-05-09, 16:56
The install went OK - however the tick boxes in the "Choose updates to download and install" in the Automatic Updates are greyed out and already ticked which means I cannot choose to refuse an update - it's all or nothing! So I am installing them one by one via the MS Update website using the Belarc Advisor to inform me of the missing updates - a slow business - but that way I can get to choose which update to download.

How are the exams going?

osjknights
2012-05-09, 18:06
I downloaded KB898461 Package Installer for Windows and on a reboot the update choices were all there.

Also the missing NTLDR was solved. In the BIOS there is a boot order - Removable media, CD, HDD in that order - however there is another screen which lists the HDDs and the first on the list was the second slave drive which lacks an operating system. I modified that to make the disk on C drive the first and rebooted straight into Windows XP.

So I guess the case is closed - and many many thanks for your assistance.

I just have to reinstall all my programs and data!:thanks:

jeffce
2012-05-09, 21:26
:bigthumb: You are more than welcome. I know you made the right choice with your system.
-----------

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you are the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
----------