
Thread: IDP & Crypt AQLW Trojan DDS Log pasted.

  1. #51
    Member
    Join Date
    Apr 2012
    Posts
    66

    Scan now halted

    It could be that AVG has kicked in and is throwing a spanner in the works. As there is no way to halt AVG for more than 15 minutes, do I need to remove AVG and start again?

  2. #52
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038


    Hi,

    We need to uninstall AVG. Please uninstall AVG by going to Start >> Control Panel >> Add/Remove Programs. We need to make sure that it doesn't interfere. We will reinstall it later.

    I appreciate your patience with this. Your system was extremely infected and we are still dealing with the infection.
    --------

    Please boot into Safe Mode and attempt to run vagetatool again and hopefully it will run through. If the log is created post that to your next reply.

  3. #53
    Member
    Join Date
    Apr 2012
    Posts
    66

    Scan complete - finally

    Ran Vagetatool without ditching AVG. I kept the machine booting into safe mode, which did the trick. I had taken the network cable out for safety. On each reboot the machine sought to dial out, as the DUN kept popping up (I have a modem on board for some old freebie dialup accounts, just in case my broadband has a problem, which it does every so often in this rural area), so something is going on in the background. Also, when Vagetatool had done its thing it ended up with my display drivers removed, so I restored these. Here is the report:

    ComboFix 12-04-27.01 - Dr Michael Foster 27/04/2012 16:04:39.5.4 - x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2791 [GMT 1:00]
    Running from: c:\documents and settings\Dr Michael Foster\Desktop\vagetatool.exe
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\windows\system32\urttemp
    c:\windows\system32\urttemp\regtlib.exe
    .
    Infected copy of c:\windows\system32\drivers\nv4_mini.sys was found and disinfected
    Restored copy from - The cat found it
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-27 to 2012-04-27 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-27 14:59 . 2004-08-03 21:29 1897408 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
    2012-04-26 16:38 . 2012-04-26 16:38 17920 -c--a-w- c:\windows\system32\dllcache\ping.exe
    2012-04-26 16:38 . 2012-04-26 16:38 17920 ----a-w- c:\windows\system32\ping.exe
    2012-04-26 07:59 . 2012-04-26 07:59 -------- d-----w- c:\program files\ESET
    2012-04-25 18:19 . 2012-04-25 18:19 -------- d-----w- C:\_OTL
    2012-04-25 16:31 . 2012-04-25 16:31 -------- d-----w- c:\program files\ERUNT
    2012-04-25 09:11 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
    2012-04-24 09:21 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-04-22 19:27 . 2012-04-22 19:36 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-04-21 08:26 . 2012-04-21 08:26 -------- d-----w- c:\documents and settings\Dr Michael Foster\Application Data\Malwarebytes
    2012-04-21 08:26 . 2012-04-21 08:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-04-21 08:26 . 2012-04-21 08:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-04-21 08:26 . 2012-04-04 14:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-21 08:25 . 2012-04-21 08:25 -------- d-----w- C:\Malwarebytes
    2012-04-20 14:55 . 2012-04-20 14:55 110080 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{4E0C6314-A8B8-4026-AC15-084E8B63AFB5}\IconF7A21AF7.exe
    2012-04-20 14:55 . 2012-04-20 14:55 110080 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{4E0C6314-A8B8-4026-AC15-084E8B63AFB5}\IconD7F16134.exe
    2012-04-20 14:55 . 2012-04-20 14:55 110080 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{4E0C6314-A8B8-4026-AC15-084E8B63AFB5}\IconCF33A0CE.exe
    2012-04-20 14:55 . 2012-04-20 14:55 -------- d-----w- C:\sh4ldr
    2012-04-20 14:55 . 2012-04-20 14:55 -------- d-----w- c:\program files\Enigma Software Group
    2012-04-20 14:51 . 2012-04-20 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2012-04-20 14:51 . 2012-04-20 14:51 -------- d-----w- c:\documents and settings\Dr Michael Foster\Application Data\TestApp
    2012-04-20 14:00 . 2012-04-20 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\B7E8587A4FE3ECF660BFD1C8D151FC4E
    2012-04-04 15:18 . 2012-04-04 15:18 -------- d-----w- c:\program files\Copy of WinFax
    2012-04-04 14:18 . 2012-04-08 06:29 -------- d-----w- c:\program files\winfax
    2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
    2012-04-03 07:25 . 2012-04-13 17:58 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-13 17:58 . 2011-05-17 06:05 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-04-04 14:18 . 2010-05-05 05:48 41 ----a-w- c:\windows\WFXDEL.BAT
    2012-03-11 12:48 . 2012-03-11 12:48 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2012-03-05 19:27 . 2012-03-05 19:27 73728 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\NewShortcut47_74B9CE5DF1F4447F982DCA29A461B529.exe
    2012-03-05 19:27 . 2012-03-05 19:27 73728 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\NewShortcut46_74B9CE5DF1F4447F982DCA29A461B529.exe
    2012-03-05 19:27 . 2012-03-05 19:27 53248 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\ARPPRODUCTICON.exe
    2012-03-05 19:27 . 2012-03-05 19:27 49152 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\Uninstall_QA_OTI_H_FE5D756F71E147C4972AD6775344B40B.exe
    2012-03-05 19:27 . 2012-03-05 19:27 49152 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\NewShortcut2_1C7B7089989A424FB39D41A32581C775.exe
    2012-03-01 11:01 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-03-01 11:01 . 2006-02-28 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2012-03-01 11:01 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-02-29 14:10 . 2006-02-28 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 14:10 . 2006-02-28 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-29 12:17 . 2006-02-28 12:00 385024 ------w- c:\windows\system32\html.iec
    2012-02-03 09:22 . 2006-02-28 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2011-12-16 1508408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinFaxAppPortStarter"="wfxsnt40.exe" [2002-12-12 45568]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-11 8429568]
    "RTHDCPL"="RTHDCPL.EXE" [2010-04-06 19523104]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-11 81920]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
    "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
    "FaxTalk FaxCenter Pro 8"="c:\program files\FaxTalk\FTClCtrl.exe" [2011-09-23 120672]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "NSU_agent"="c:\program files\Nokia\Nokia Software Updater\nsu3ui_agent.exe" [2011-12-13 190768]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
    "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-04-04 35736]
    "AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    MagicFormation.lnk - c:\program files\Magic Formation\MagicFormation.exe [2010-4-28 454656]
    Microsoft Office Outlook 2003.lnk - c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2010-4-25 794624]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "EditLevel"= 0 (0x0)
    "NoCommonGroups"= 0 (0x0)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-11-13 113024]
    "{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\winfax\WfxSeh32.Dll" [1998-07-27 38400]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk /k:F *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Aolpress\\Ws_ftp\\WS_FTP95.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
    "c:\\Program Files\\ArcSoft\\PhotoStudio 5.5\\PhotoStudio.exe"=
    "c:\\Program Files\\NewSoft\\Presto! PageManager 7.15\\Pmsb.exe"=
    "c:\\Program Files\\ScanSoft\\OmniPageSE4.0\\TwainClient.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
    "c:\\Program Files\\FaxTalk\\FTmsgsvc.exe"=
    "c:\\Program Files\\FaxTalk\\fapiexe.exe"=
    "c:\\Program Files\\FaxTalk\\FTclctrl.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
    "c:\\Documents and Settings\\Dr Michael Foster\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13/09/2010 16:27 23120]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [07/09/2010 04:48 32592]
    R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [07/05/2010 11:55 16048]
    S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [11/03/2012 13:48 56208]
    S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/09/2010 04:48 230608]
    S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [09/11/2010 23:20 295248]
    S1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [15/12/2011 18:00 228208]
    S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [11/03/2012 13:48 71440]
    S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [11/03/2012 13:48 164112]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [17/02/2010 11:25 12880]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [06/05/2010 17:10 67664]
    S2 !SASCORE;SAS Core Service;"c:\program files\SUPERAntiSpyware\SASCORE.EXE" --> c:\program files\SUPERAntiSpyware\SASCORE.EXE [?]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [12/10/2011 07:25 4433248]
    S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [02/08/2011 06:09 192776]
    S2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [31/07/2010 20:34 162096]
    S2 FaxTalk FaxCenter Pro 8;FaxTalk FaxCenter Pro 8;c:\program files\FaxTalk\FTmsgsvc.exe [23/09/2011 11:07 33120]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14/07/2010 12:31 136176]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [21/04/2012 09:26 654408]
    S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [11/03/2012 13:48 931640]
    S2 SdReadSpool;SolidPDFCreatorReadSpool;c:\program files\SolidDocuments\SolidPDFCreator\SPC\SolidPdfService.exe [18/03/2009 18:08 189696]
    S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [18/01/2012 06:21 737184]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [03/04/2012 08:25 253088]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [28/04/2010 20:33 1691480]
    S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [19/08/2010 21:42 134608]
    S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [19/08/2010 21:42 24272]
    S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [19/08/2010 21:42 16720]
    S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 11336]
    S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [06/05/2011 15:57 13904]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [14/07/2010 12:31 136176]
    S3 ham50;Intel V92 HaM Data Fax Voice;c:\windows\system32\DRIVERS\IntelH51.sys --> c:\windows\system32\DRIVERS\IntelH51.sys [?]
    S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [10/04/2010 17:05 266544]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [21/04/2012 09:26 22344]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [15/01/2012 08:31 137600]
    S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [15/01/2012 08:31 8576]
    S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys [19/07/2011 09:52 21520]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [28/02/2006 13:00 14336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    NETSVCS REQUIRES REPAIRS - current entries shown
    6to4
    AppMgmt
    AudioSrv
    Browser
    CryptSvc
    DMServer
    DHCP
    ERSvc
    EventSystem
    FastUserSwitchingCompatibility
    HidServ
    Ias
    Iprip
    Irmon
    LanmanServer
    LanmanWorkstation
    Messenger
    Netman
    Nla
    Ntmssvc
    NWCWorkstation
    Nwsapagent
    Rasauto
    fsaa
    pgpsdkservice
    omci
    mindrepair
    SfCtlCom
    dladresn
    alertservice
    ADSMService
    avpnnic
    websenseclientdeployservice
    symdns
    EACSvrMngr
    arkbcfltr
    protectionservice
    pdlndldl
    adaptecstoragemanageragent
    upsentry_smart
    trackcam4
    giveio
    ccevtmgr
    {eda5f5d3-9e0f-4f4d-8a13-1d1cf469c9cc}
    int15
    scsiaccess
    icdsptsv
    ppped
    C-Dilla
    belmonitorservice
    Packet
    rtl8023
    osanbm
    NWHOST
    pca
    navapel
    btcsrusb
    fuj02b1
    smstsmgr
    NMSCFG
    MRV6X32P
    pop3d32
    trlokom_rmhsvc
    mf
    procexp100
    adsexpb
    TSHWMDTCP
    sqlagent$pinnaclesys
    NeroMediaHomeService.4
    3combootp
    atiavaiw
    eloggersvc6
    SGHIDI
    savrt
    W700obex
    iviregmgr
    prism_a02
    mi-raysat_3dsMax2008_32
    Cap7134
    wdm_au8820
    ctprxy2k
    spbbcsvc
    IWCA
    pshost
    omniusb
    acmservice
    EUSBMSD
    adfs
    btwdndis
    ipsraidn
    l8042pr2
    cygserver
    ood2000
    QWAVEDRV
    EL90X
    backupclientsvc
    service1
    TeamViewer
    DNE
    MSCamSvc
    mafwboot
    smartwiservice
    LUsbFilt
    winpowermanager
    ZDPNDIS5
    mcdetect.exe
    CAM1210
    incdfs
    se45bus
    SaiMini
    s116mdm
    ATKGFNEXSrv
    wap3gx
    dlaopiom
    n558
    CXAVXBAR
    MSICPL
    lxce_device
    pktfilter
    sfsync04
    pav_service
    mssql$sqlexpress
    was
    lxct_device
    wlsetupsvc
    vrservice
    USA49W
    infrastructure
    SQLAgent$MICROSOFTBCM
    surveyor
    Mvc25U870_VID_1262&PID_25FD
    bobo
    RalinkRegistryWriter
    usb20l
    SimpTcp
    imap4d32
    kodakccs
    JGOGO
    forcewarewebinterface
    scan
    nicconfigsvc
    NVR0FLASHDev
    w70n51
    ikfileflt
    s716nd5
    ZDPSp50
    lxbs_device
    sfsync02
    generichidservice
    alcxsens
    NWSIPX32
    curtainssyssvc
    wmccds
    cmbatt
    pdlnepkt
    PGPwded
    Si3114r5
    RTL8169
    DS1410D
    susbser
    GoProto
    ql2100
    vaiomediaplatform-integratedserver-appserver
    nchssvad
    atimtag
    SiRemFil
    roxmediadb9
    dptrackerd
    UxTuneUp
    EU3_USB
    CoachUsb
    USBAAPL
    CdaD10BA
    FINEPIX_PCC
    MR97310_USB_DUAL_CAMERA
    softfax
    roxmediadb
    U2SP
    w29n51
    getPlusHelper
    superproserver
    BrUsbSer
    lxrsge10s
    USB11LDR
    smservaz
    commserver
    amdk7
    ar5211
    hap16v2k
    DC21x4
    USBVCD
    Rasman
    Remoteaccess
    Schedule
    Seclogon
    SENS
    Sharedaccess
    SRService
    Tapisrv
    Themes
    TrkWks
    W32Time
    WZCSVC
    Wmi
    WmdmPmSp
    winmgmt
    wscsvc
    xmlprov
    BITS
    wuauserv
    ShellHWDetection
    helpsvc
    WmdmPmSN
    napagent
    hkmsvc
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-27 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 17:58]
    .
    2012-04-27 c:\windows\Tasks\ConfigExec.job
    - c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 16:05]
    .
    2012-04-27 c:\windows\Tasks\DataUpload.job
    - c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 16:05]
    .
    2011-11-11 c:\windows\Tasks\debutDowngrade.job
    - c:\program files\NCH Software\Debut\debut.exe [2010-08-07 17:31]
    .
    2011-11-11 c:\windows\Tasks\debutShakeIcon.job
    - c:\program files\NCH Software\Debut\debut.exe [2010-08-07 17:31]
    .
    2012-04-16 c:\windows\Tasks\doxillionShakeIcon.job
    - c:\program files\NCH Software\Doxillion\doxillion.exe [2011-03-23 07:38]
    .
    2012-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-14 11:31]
    .
    2012-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-14 11:31]
    .
    2012-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1177238915-839522115-1003Core.job
    - c:\documents and settings\Dr Michael Foster\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-22 15:04]
    .
    2012-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1177238915-839522115-1003UA.job
    - c:\documents and settings\Dr Michael Foster\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-22 15:04]
    .
    2012-04-09 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
    .
    2012-01-20 c:\windows\Tasks\pixillionShakeIcon.job
    - c:\program files\NCH Software\Pixillion\pixillion.exe [2011-04-02 13:28]
    .
    2011-11-11 c:\windows\Tasks\prismShakeIcon.job
    - c:\program files\NCH Software\Prism\prism.exe [2010-08-07 14:27]
    .
    2011-11-11 c:\windows\Tasks\videopadShakeIcon.job
    - c:\program files\NCH Software\VideoPad\videopad.exe [2010-08-07 14:30]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www2.prestel.co.uk/church/oosj/osj.htm
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
    IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-WFXSwtch - c:\progra~1\winfax\WFXSWTCH.exe
    HKLM-Run-nwiz - nwiz.exe
    SafeBoot-48309816.sys
    SafeBoot-55688713.sys
    SafeBoot-69944965.sys
    SafeBoot-75860562.sys
    SafeBoot-79782063.sys
    SafeBoot-WudfPf
    SafeBoot-WudfRd
    SafeBoot-WinDefend
    AddRemove-A to B Britain - c:\program files\AtoB4\Uninst.isu
    AddRemove-WinFax - c:\program files\winfax\WFXUNIST.ISU
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-27 16:18
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
    "ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(256)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\l3codeca.acm
    .
    Completion time: 2012-04-27 16:23:46 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-27 15:23
    .
    Pre-Run: 107,584,679,936 bytes free
    Post-Run: 107,540,197,376 bytes free
    .
    - - End Of File - - F515367D4109A49104AEA989306E2C32

  4. #54
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038


    Hi,

    Okie dokie....

    Next I would like you to take the following steps:
    • Click Start then Run type Notepad and click Ok
    • Copy and Paste the contents of the Code box below into Notepad

      Code:
      REGEDIT4
      
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
      "netsvcs"=hex(7):36,74,6f,34,00,41,70,70,4d,67,6d,74,00,41,75,64,69,6f,53,72,\
        76,00,42,72,6f,77,73,65,72,00,43,72,79,70,74,53,76,63,00,44,4d,53,65,72,76,\
        65,72,00,44,48,43,50,00,45,52,53,76,63,00,45,76,65,6e,74,53,79,73,74,65,6d,\
        00,46,61,73,74,55,73,65,72,53,77,69,74,63,68,69,6e,67,43,6f,6d,70,61,74,69,\
        62,69,6c,69,74,79,00,48,69,64,53,65,72,76,00,49,61,73,00,49,70,72,69,70,00,\
        49,72,6d,6f,6e,00,4c,61,6e,6d,61,6e,53,65,72,76,65,72,00,4c,61,6e,6d,61,6e,\
        57,6f,72,6b,73,74,61,74,69,6f,6e,00,4d,65,73,73,65,6e,67,65,72,00,4e,65,74,\
        6d,61,6e,00,4e,6c,61,00,4e,74,6d,73,73,76,63,00,4e,57,43,57,6f,72,6b,73,74,\
        61,74,69,6f,6e,00,4e,77,73,61,70,61,67,65,6e,74,00,52,61,73,61,75,74,6f,00,\
        52,61,73,6d,61,6e,00,52,65,6d,6f,74,65,61,63,63,65,73,73,00,53,63,68,65,64,\
        75,6c,65,00,53,65,63,6c,6f,67,6f,6e,00,53,45,4e,53,00,53,68,61,72,65,64,61,\
        63,63,65,73,73,00,53,52,53,65,72,76,69,63,65,00,54,61,70,69,73,72,76,00,54,\
        68,65,6d,65,73,00,54,72,6b,57,6b,73,00,57,33,32,54,69,6d,65,00,57,5a,43,53,\
        56,43,00,57,6d,69,00,57,6d,64,6d,50,6d,53,70,00,77,69,6e,6d,67,6d,74,00,77,\
        73,63,73,76,63,00,78,6d,6c,70,72,6f,76,00,6e,61,70,61,67,65,6e,74,00,68,6b,\
        6d,73,76,63,00,42,49,54,53,00,77,75,61,75,73,65,72,76,00,53,68,65,6c,6c,48,\
        57,44,65,74,65,63,74,69,6f,6e,00,68,65,6c,70,73,76,63,00,00
    • Save as regfix.reg to your Desktop
    • Make sure to save file type as All Files
    • Now right-click regfix.reg and select Merge

    ----------

    Now reboot your system and run a new scan with ComboFix and post the newly made log.

  5. #55
    Member
    Join Date
    Apr 2012
    Posts
    66

    Continue in the morning

    I have just finished work. I have merged the reg file, and will rescan early tomorrow. Then Saturday after early am (from 9am through to afternoon) is written off, but I will continue early Sunday morning for an hour, though I am working mid morning. Thanks for your assistance, and it is good that I have my wife's machine on which to continue my work and catch up with your help. Thanks.

  6. #56
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038


    Hi,

    No problem...take your time.

  7. #57
    Member
    Join Date
    Apr 2012
    Posts
    66

    Just started the rescan

    On running the app again this message appears;
    "You are infected with Rootkit.ZeroAccess!
    It has inserted itself into the tcp/ip stack. This is a particularly difficult infection.
    If for any reason that you’re unable to connect to the internet after running ComboFix, reboot once and see if that fixes it. If it's not fixed, run ComboFix one more time"

    I guess I will get time to complete the scan but will post on my return home (have to go out). I might be able to post later today, but I will have an early slot tomorrow.

    Again thanks

  8. #58
    Member
    Join Date
    Apr 2012
    Posts
    66

    Scan results from Vagetatool

    ComboFix 12-04-27.01 - Dr Michael Foster 28/04/2012 8:02.6.4 - x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2788 [GMT 1:00]
    Running from: c:\documents and settings\Dr Michael Foster\Desktop\vagetatool.exe
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    Infected copy of c:\windows\system32\drivers\nv4_mini.sys was found and disinfected
    Restored copy from - The cat found it
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-28 to 2012-04-28 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-28 06:57 . 2004-08-03 21:29 1897408 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
    2012-04-27 16:23 . 2012-04-27 16:23 4948 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2012-04-26 16:38 . 2012-04-26 16:38 17920 -c--a-w- c:\windows\system32\dllcache\ping.exe
    2012-04-26 16:38 . 2012-04-26 16:38 17920 ----a-w- c:\windows\system32\ping.exe
    2012-04-26 07:59 . 2012-04-26 07:59 -------- d-----w- c:\program files\ESET
    2012-04-25 18:19 . 2012-04-25 18:19 -------- d-----w- C:\_OTL
    2012-04-25 16:31 . 2012-04-25 16:31 -------- d-----w- c:\program files\ERUNT
    2012-04-25 09:11 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
    2012-04-24 09:21 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2012-04-22 19:27 . 2012-04-22 19:36 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-04-21 08:26 . 2012-04-21 08:26 -------- d-----w- c:\documents and settings\Dr Michael Foster\Application Data\Malwarebytes
    2012-04-21 08:26 . 2012-04-21 08:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-04-21 08:26 . 2012-04-21 08:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-04-21 08:26 . 2012-04-04 14:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-04-21 08:25 . 2012-04-21 08:25 -------- d-----w- C:\Malwarebytes
    2012-04-20 14:55 . 2012-04-20 14:55 110080 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{4E0C6314-A8B8-4026-AC15-084E8B63AFB5}\IconF7A21AF7.exe
    2012-04-20 14:55 . 2012-04-20 14:55 110080 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{4E0C6314-A8B8-4026-AC15-084E8B63AFB5}\IconD7F16134.exe
    2012-04-20 14:55 . 2012-04-20 14:55 110080 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{4E0C6314-A8B8-4026-AC15-084E8B63AFB5}\IconCF33A0CE.exe
    2012-04-20 14:55 . 2012-04-20 14:55 -------- d-----w- C:\sh4ldr
    2012-04-20 14:55 . 2012-04-20 14:55 -------- d-----w- c:\program files\Enigma Software Group
    2012-04-20 14:51 . 2012-04-20 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2012-04-20 14:51 . 2012-04-20 14:51 -------- d-----w- c:\documents and settings\Dr Michael Foster\Application Data\TestApp
    2012-04-20 14:00 . 2012-04-20 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\B7E8587A4FE3ECF660BFD1C8D151FC4E
    2012-04-04 15:18 . 2012-04-04 15:18 -------- d-----w- c:\program files\Copy of WinFax
    2012-04-04 14:18 . 2012-04-08 06:29 -------- d-----w- c:\program files\winfax
    2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
    2012-04-03 07:25 . 2012-04-13 17:58 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-13 17:58 . 2011-05-17 06:05 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-04-04 14:18 . 2010-05-05 05:48 41 ----a-w- c:\windows\WFXDEL.BAT
    2012-03-11 12:48 . 2012-03-11 12:48 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2012-03-05 19:27 . 2012-03-05 19:27 73728 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\NewShortcut47_74B9CE5DF1F4447F982DCA29A461B529.exe
    2012-03-05 19:27 . 2012-03-05 19:27 73728 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\NewShortcut46_74B9CE5DF1F4447F982DCA29A461B529.exe
    2012-03-05 19:27 . 2012-03-05 19:27 53248 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\ARPPRODUCTICON.exe
    2012-03-05 19:27 . 2012-03-05 19:27 49152 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\Uninstall_QA_OTI_H_FE5D756F71E147C4972AD6775344B40B.exe
    2012-03-05 19:27 . 2012-03-05 19:27 49152 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\NewShortcut2_1C7B7089989A424FB39D41A32581C775.exe
    2012-03-01 11:01 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-03-01 11:01 . 2006-02-28 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2012-03-01 11:01 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-02-29 14:10 . 2006-02-28 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-02-29 14:10 . 2006-02-28 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
    2012-02-29 12:17 . 2006-02-28 12:00 385024 ------w- c:\windows\system32\html.iec
    2012-02-03 09:22 . 2006-02-28 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-04-27_15.18.06 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-04-28 07:15 . 2012-04-28 07:15 16384 c:\windows\temp\Perflib_Perfdata_2c0.dat
    + 2010-04-24 17:56 . 2008-04-14 00:12 74752 c:\windows\system32\storprop.dll
    - 2010-04-24 17:56 . 2008-04-14 00:12 74752 c:\windows\system32\storprop.dll
    + 2012-04-27 16:22 . 2008-04-13 19:46 61696 c:\windows\system32\ReinstallBackups\0153\DriverFiles\i386\ohci1394.sys
    + 2012-04-27 16:22 . 2008-04-13 19:51 61824 c:\windows\system32\ReinstallBackups\0153\DriverFiles\i386\nic1394.sys
    + 2012-04-27 16:22 . 2008-04-13 19:51 60800 c:\windows\system32\ReinstallBackups\0153\DriverFiles\i386\arp1394.sys
    + 2012-04-27 16:22 . 2008-04-13 19:46 53376 c:\windows\system32\ReinstallBackups\0153\DriverFiles\i386\1394bus.sys
    + 2012-04-27 16:21 . 2008-04-14 00:12 74752 c:\windows\system32\ReinstallBackups\0151\DriverFiles\i386\storprop.dll
    + 2012-04-27 16:21 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0151\DriverFiles\i386\atapi.sys
    + 2012-04-27 16:21 . 2008-04-14 00:12 74752 c:\windows\system32\ReinstallBackups\0150\DriverFiles\i386\storprop.dll
    + 2012-04-27 16:21 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0150\DriverFiles\i386\atapi.sys
    + 2012-04-27 16:21 . 2008-04-14 00:12 74752 c:\windows\system32\ReinstallBackups\0149\DriverFiles\i386\storprop.dll
    + 2012-04-27 16:21 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0149\DriverFiles\i386\atapi.sys
    + 2012-04-27 16:20 . 2008-04-14 00:12 74752 c:\windows\system32\ReinstallBackups\0148\DriverFiles\i386\storprop.dll
    + 2012-04-27 16:20 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0148\DriverFiles\i386\atapi.sys
    + 2012-04-27 16:20 . 2008-04-14 00:12 74752 c:\windows\system32\ReinstallBackups\0147\DriverFiles\i386\storprop.dll
    + 2012-04-27 16:20 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0147\DriverFiles\i386\atapi.sys
    + 2012-04-27 16:20 . 2008-04-14 00:12 74752 c:\windows\system32\ReinstallBackups\0146\DriverFiles\i386\storprop.dll
    + 2012-04-27 16:20 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0146\DriverFiles\i386\atapi.sys
    + 2012-04-27 16:20 . 2008-04-14 00:12 74752 c:\windows\system32\ReinstallBackups\0145\DriverFiles\i386\storprop.dll
    + 2012-04-27 16:20 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0145\DriverFiles\i386\atapi.sys
    + 2012-04-27 16:21 . 2008-04-13 18:39 24576 c:\windows\system32\ReinstallBackups\0099\DriverFiles\i386\kbdclass.sys
    + 2012-04-27 16:21 . 2008-04-13 19:18 52480 c:\windows\system32\ReinstallBackups\0099\DriverFiles\i386\i8042prt.sys
    + 2012-04-27 16:15 . 2008-04-13 18:45 26368 c:\windows\system32\ReinstallBackups\0060\DriverFiles\i386\USBSTOR.SYS
    + 2012-04-27 16:19 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0058\DriverFiles\i386\usbhub.sys
    + 2012-04-27 16:20 . 2008-04-13 18:40 24960 c:\windows\system32\ReinstallBackups\0055\DriverFiles\i386\pciidex.sys
    + 2012-04-27 16:20 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0055\DriverFiles\i386\atapi.sys
    + 2012-04-27 16:14 . 2008-04-13 18:45 26368 c:\windows\system32\ReinstallBackups\0053\DriverFiles\i386\USBSTOR.SYS
    + 2012-04-27 16:19 . 2008-04-13 18:40 24960 c:\windows\system32\ReinstallBackups\0019\DriverFiles\i386\pciidex.sys
    + 2012-04-27 16:19 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0019\DriverFiles\i386\atapi.sys
    + 2012-04-27 16:17 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0017\DriverFiles\i386\usbhub.sys
    + 2012-04-27 16:17 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0015\DriverFiles\i386\usbhub.sys
    + 2012-04-27 16:20 . 2008-04-14 00:12 74752 c:\windows\system32\ReinstallBackups\0014\DriverFiles\i386\storprop.dll
    + 2012-04-27 16:20 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0014\DriverFiles\i386\atapi.sys
    + 2012-04-27 16:17 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0013\DriverFiles\i386\usbhub.sys
    + 2012-04-27 16:18 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0012\DriverFiles\i386\usbhub.sys
    + 2012-04-27 16:17 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0011\DriverFiles\i386\usbhub.sys
    + 2012-04-27 16:17 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0009\DriverFiles\i386\usbhub.sys
    - 2010-04-28 15:36 . 2004-08-03 23:56 74240 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\usbui.dll
    + 2012-04-27 16:14 . 2008-04-14 00:12 74240 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\usbui.dll
    + 2012-04-27 16:14 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\usbhub.sys
    + 2012-04-27 16:14 . 2008-04-13 18:45 30208 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\usbehci.sys
    - 2010-04-28 15:35 . 2004-08-03 23:56 74240 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\usbui.dll
    + 2012-04-27 16:12 . 2008-04-14 00:12 74240 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\usbui.dll
    + 2012-04-27 16:12 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\usbhub.sys
    + 2012-04-27 16:12 . 2008-04-13 18:45 30208 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\usbehci.sys
    - 2010-04-28 15:35 . 2004-08-03 23:56 74240 c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\usbui.dll
    + 2012-04-27 16:12 . 2008-04-14 00:12 74240 c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\usbui.dll
    + 2012-04-27 16:12 . 2008-04-13 18:45 20608 c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\usbuhci.sys
    + 2012-04-27 16:12 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\usbhub.sys
    + 2012-04-27 16:12 . 2008-04-14 00:12 74240 c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\usbui.dll
    - 2010-04-28 15:35 . 2004-08-03 23:56 74240 c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\usbui.dll
    + 2012-04-27 16:12 . 2008-04-13 18:45 20608 c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\usbuhci.sys
    + 2012-04-27 16:12 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\usbhub.sys
    + 2012-04-27 16:12 . 2008-04-14 00:12 74240 c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\usbui.dll
    - 2010-04-28 15:34 . 2004-08-03 23:56 74240 c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\usbui.dll
    + 2012-04-27 16:12 . 2008-04-13 18:45 20608 c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\usbuhci.sys
    + 2012-04-27 16:12 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\usbhub.sys
    - 2010-04-28 15:34 . 2004-08-03 23:56 74240 c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\usbui.dll
    + 2012-04-27 16:11 . 2008-04-14 00:12 74240 c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\usbui.dll
    + 2012-04-27 16:11 . 2008-04-13 18:45 20608 c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\usbuhci.sys
    + 2012-04-27 16:11 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\usbhub.sys
    - 2010-04-28 15:34 . 2004-08-03 23:56 74240 c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\usbui.dll
    + 2012-04-27 16:11 . 2008-04-14 00:12 74240 c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\usbui.dll
    + 2012-04-27 16:11 . 2008-04-13 18:45 20608 c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\usbuhci.sys
    + 2012-04-27 16:11 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\usbhub.sys
    - 2010-04-28 15:33 . 2004-08-03 23:56 74240 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\usbui.dll
    + 2012-04-27 16:11 . 2008-04-14 00:12 74240 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\usbui.dll
    + 2012-04-27 16:11 . 2008-04-13 18:45 20608 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\usbuhci.sys
    + 2012-04-27 16:11 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\usbhub.sys
    + 2012-04-27 16:17 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\usbhub.sys
    + 2006-02-28 12:00 . 2008-04-13 18:45 20608 c:\windows\system32\drivers\usbuhci.sys
    - 2006-02-28 12:00 . 2008-04-13 18:45 20608 c:\windows\system32\drivers\usbuhci.sys
    + 2006-02-28 12:00 . 2008-04-13 18:45 59520 c:\windows\system32\drivers\usbhub.sys
    - 2006-02-28 12:00 . 2008-04-13 18:45 59520 c:\windows\system32\drivers\usbhub.sys
    + 2006-02-28 12:00 . 2008-04-13 18:45 30208 c:\windows\system32\drivers\usbehci.sys
    - 2006-02-28 12:00 . 2008-04-13 18:45 30208 c:\windows\system32\drivers\usbehci.sys
    + 2006-02-28 12:00 . 2008-04-13 18:40 24960 c:\windows\system32\drivers\pciidex.sys
    - 2006-02-28 12:00 . 2008-04-13 18:40 24960 c:\windows\system32\drivers\pciidex.sys
    + 2006-02-28 12:00 . 2008-04-13 18:46 61696 c:\windows\system32\drivers\ohci1394.sys
    - 2006-02-28 12:00 . 2008-04-13 19:46 61696 c:\windows\system32\drivers\ohci1394.sys
    - 2004-08-03 22:58 . 2008-04-13 19:51 61824 c:\windows\system32\drivers\nic1394.sys
    + 2004-08-03 22:58 . 2008-04-13 18:51 61824 c:\windows\system32\drivers\nic1394.sys
    - 2006-02-28 12:00 . 2008-04-13 18:39 24576 c:\windows\system32\drivers\kbdclass.sys
    + 2006-02-28 12:00 . 2008-04-13 18:39 24576 c:\windows\system32\drivers\kbdclass.sys
    - 2004-08-03 22:58 . 2008-04-13 19:51 60800 c:\windows\system32\drivers\arp1394.sys
    + 2004-08-03 22:58 . 2008-04-13 18:51 60800 c:\windows\system32\drivers\arp1394.sys
    + 2006-02-28 12:00 . 2008-04-13 18:46 53376 c:\windows\system32\drivers\1394bus.sys
    - 2006-02-28 12:00 . 2008-04-13 19:46 53376 c:\windows\system32\drivers\1394bus.sys
    + 2012-04-27 16:22 . 2001-08-17 13:46 6400 c:\windows\system32\ReinstallBackups\0153\DriverFiles\i386\enum1394.sys
    + 2012-04-27 16:19 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0058\DriverFiles\i386\usbd.sys
    + 2012-04-27 16:20 . 2001-08-17 12:51 3328 c:\windows\system32\ReinstallBackups\0055\DriverFiles\i386\pciide.sys
    - 2010-04-28 10:43 . 2001-08-17 12:51 3328 c:\windows\system32\ReinstallBackups\0055\DriverFiles\i386\pciide.sys
    - 2010-04-28 10:43 . 2001-08-17 12:51 3328 c:\windows\system32\ReinstallBackups\0019\DriverFiles\i386\pciide.sys
    + 2012-04-27 16:19 . 2001-08-17 12:51 3328 c:\windows\system32\ReinstallBackups\0019\DriverFiles\i386\pciide.sys
    + 2012-04-27 16:17 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0017\DriverFiles\i386\usbd.sys
    - 2010-04-28 15:39 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0017\DriverFiles\i386\usbd.sys
    - 2010-04-28 15:39 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0015\DriverFiles\i386\usbd.sys
    + 2012-04-27 16:17 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0015\DriverFiles\i386\usbd.sys
    + 2012-04-27 16:17 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0013\DriverFiles\i386\usbd.sys
    - 2010-04-28 15:40 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0013\DriverFiles\i386\usbd.sys
    - 2010-04-28 15:40 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0012\DriverFiles\i386\usbd.sys
    + 2012-04-27 16:18 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0012\DriverFiles\i386\usbd.sys
    - 2010-04-28 15:39 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0011\DriverFiles\i386\usbd.sys
    + 2012-04-27 16:17 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0011\DriverFiles\i386\usbd.sys
    + 2012-04-27 16:17 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0009\DriverFiles\i386\usbd.sys
    - 2010-04-28 15:39 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0009\DriverFiles\i386\usbd.sys
    + 2012-04-27 16:14 . 2008-04-14 00:11 7168 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\hccoin.dll
    - 2010-04-28 15:36 . 2006-02-28 12:00 7168 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\hccoin.dll
    + 2012-04-27 16:12 . 2008-04-14 00:11 7168 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\hccoin.dll
    - 2010-04-28 15:35 . 2006-02-28 12:00 7168 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\hccoin.dll
    + 2012-04-27 16:17 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\usbd.sys
    - 2010-04-28 15:40 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\usbd.sys
    + 2010-04-24 17:57 . 2001-08-17 12:46 6400 c:\windows\system32\drivers\enum1394.sys
    - 2010-04-24 17:57 . 2001-08-17 13:46 6400 c:\windows\system32\drivers\enum1394.sys
    + 2012-04-27 16:21 . 2008-04-13 18:31 134400 c:\windows\system32\ReinstallBackups\0152\DriverFiles\i386\halmacpi.dll
    + 2012-04-27 16:14 . 2008-04-13 18:45 143872 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\usbport.sys
    + 2012-04-27 16:12 . 2008-04-13 18:45 143872 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\usbport.sys
    + 2012-04-27 16:12 . 2008-04-13 18:45 143872 c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\usbport.sys
    + 2012-04-27 16:12 . 2008-04-13 18:45 143872 c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\usbport.sys
    + 2012-04-27 16:12 . 2008-04-13 18:45 143872 c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\usbport.sys
    + 2012-04-27 16:11 . 2008-04-13 18:45 143872 c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\usbport.sys
    + 2012-04-27 16:11 . 2008-04-13 18:45 143872 c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\usbport.sys
    + 2012-04-27 16:11 . 2008-04-13 18:45 143872 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\usbport.sys
    + 2012-04-27 16:21 . 2011-10-25 12:52 2027008 c:\windows\system32\ReinstallBackups\0152\DriverFiles\i386\ntkrpamp.exe
    + 2012-04-27 16:21 . 2011-10-25 13:37 2148864 c:\windows\system32\ReinstallBackups\0152\DriverFiles\i386\ntkrnlmp.exe
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2011-12-16 1508408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinFaxAppPortStarter"="wfxsnt40.exe" [2002-12-12 45568]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-11 8429568]
    "RTHDCPL"="RTHDCPL.EXE" [2010-04-06 19523104]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
    "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
    "FaxTalk FaxCenter Pro 8"="c:\program files\FaxTalk\FTClCtrl.exe" [2011-09-23 120672]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "NSU_agent"="c:\program files\Nokia\Nokia Software Updater\nsu3ui_agent.exe" [2011-12-13 190768]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
    "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-04-04 35736]
    "AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
    "nwiz"="nwiz.exe" [BU]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-11 81920]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    MagicFormation.lnk - c:\program files\Magic Formation\MagicFormation.exe [2010-4-28 454656]
    Microsoft Office Outlook 2003.lnk - c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2010-4-25 794624]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "EditLevel"= 0 (0x0)
    "NoCommonGroups"= 0 (0x0)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-11-13 113024]
    "{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\winfax\WfxSeh32.Dll" [1998-07-27 38400]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk /k:F *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Aolpress\\Ws_ftp\\WS_FTP95.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
    "c:\\Program Files\\ArcSoft\\PhotoStudio 5.5\\PhotoStudio.exe"=
    "c:\\Program Files\\NewSoft\\Presto! PageManager 7.15\\Pmsb.exe"=
    "c:\\Program Files\\ScanSoft\\OmniPageSE4.0\\TwainClient.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
    "c:\\Program Files\\FaxTalk\\FTmsgsvc.exe"=
    "c:\\Program Files\\FaxTalk\\fapiexe.exe"=
    "c:\\Program Files\\FaxTalk\\FTclctrl.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
    "c:\\Documents and Settings\\Dr Michael Foster\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13/09/2010 16:27 23120]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [07/09/2010 04:48 32592]
    R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [11/03/2012 13:48 56208]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/09/2010 04:48 230608]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [09/11/2010 23:20 295248]
    R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [07/05/2010 11:55 16048]
    R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [15/12/2011 18:00 228208]
    R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [11/03/2012 13:48 71440]
    R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [11/03/2012 13:48 164112]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [17/02/2010 11:25 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [06/05/2010 17:10 67664]
    R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [02/08/2011 06:09 192776]
    R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [31/07/2010 20:34 162096]
    R2 FaxTalk FaxCenter Pro 8;FaxTalk FaxCenter Pro 8;c:\program files\FaxTalk\FTmsgsvc.exe [23/09/2011 11:07 33120]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [21/04/2012 09:26 654408]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [11/03/2012 13:48 931640]
    R2 SdReadSpool;SolidPDFCreatorReadSpool;c:\program files\SolidDocuments\SolidPDFCreator\SPC\SolidPdfService.exe [18/03/2009 18:08 189696]
    R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [18/01/2012 06:21 737184]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [19/08/2010 21:42 134608]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [19/08/2010 21:42 24272]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [19/08/2010 21:42 16720]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [21/04/2012 09:26 22344]
    S2 !SASCORE;SAS Core Service;"c:\program files\SUPERAntiSpyware\SASCORE.EXE" --> c:\program files\SUPERAntiSpyware\SASCORE.EXE [?]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [12/10/2011 07:25 4433248]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14/07/2010 12:31 136176]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [03/04/2012 08:25 253088]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [28/04/2010 20:33 1691480]
    S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 11336]
    S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [06/05/2011 15:57 13904]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [14/07/2010 12:31 136176]
    S3 ham50;Intel V92 HaM Data Fax Voice;c:\windows\system32\DRIVERS\IntelH51.sys --> c:\windows\system32\DRIVERS\IntelH51.sys [?]
    S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [10/04/2010 17:05 266544]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [15/01/2012 08:31 137600]
    S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [15/01/2012 08:31 8576]
    S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys [19/07/2011 09:52 21520]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [28/02/2006 13:00 14336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-28 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 17:58]
    .
    2012-04-28 c:\windows\Tasks\ConfigExec.job
    - c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 16:05]
    .
    2012-04-27 c:\windows\Tasks\DataUpload.job
    - c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 16:05]
    .
    2011-11-11 c:\windows\Tasks\debutDowngrade.job
    - c:\program files\NCH Software\Debut\debut.exe [2010-08-07 17:31]
    .
    2011-11-11 c:\windows\Tasks\debutShakeIcon.job
    - c:\program files\NCH Software\Debut\debut.exe [2010-08-07 17:31]
    .
    2012-04-16 c:\windows\Tasks\doxillionShakeIcon.job
    - c:\program files\NCH Software\Doxillion\doxillion.exe [2011-03-23 07:38]
    .
    2012-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-14 11:31]
    .
    2012-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-14 11:31]
    .
    2012-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1177238915-839522115-1003Core.job
    - c:\documents and settings\Dr Michael Foster\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-22 15:04]
    .
    2012-04-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1177238915-839522115-1003UA.job
    - c:\documents and settings\Dr Michael Foster\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-22 15:04]
    .
    2012-04-09 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
    .
    2012-01-20 c:\windows\Tasks\pixillionShakeIcon.job
    - c:\program files\NCH Software\Pixillion\pixillion.exe [2011-04-02 13:28]
    .
    2011-11-11 c:\windows\Tasks\prismShakeIcon.job
    - c:\program files\NCH Software\Prism\prism.exe [2010-08-07 14:27]
    .
    2011-11-11 c:\windows\Tasks\videopadShakeIcon.job
    - c:\program files\NCH Software\VideoPad\videopad.exe [2010-08-07 14:30]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www2.prestel.co.uk/church/oosj/osj.htm
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
    IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
    TCP: DhcpNameServer = 192.168.1.254
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-28 08:16
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
    "ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1060)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(3008)
    c:\windows\system32\WININET.dll
    c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
    c:\windows\system32\ieframe.dll
    c:\program files\Magic Formation\MFHook.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
    c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
    c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
    c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\windows\system32\WFXSVC.EXE
    c:\program files\FaxTalk\FAPIEXE.EXE
    c:\windows\system32\wfxsnt40.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\rundll32.exe
    c:\program files\PC Connectivity Solution\ServiceLayer.exe
    c:\program files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\System32\wudfhost.exe
    c:\windows\system32\taskmgr.exe
    .
    **************************************************************************
    .
    Completion time: 2012-04-28 08:22:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-28 07:22
    ComboFix2.txt 2012-04-27 15:23
    .
    Pre-Run: 107,423,932,416 bytes free
    Post-Run: 107,409,145,856 bytes free
    .
    - - End Of File - - 4B22D7A8DE69480CD6D80DF7E2DE41F1

  9. #59
    Emeritus
    Join Date
    Apr 2011
    Location
    USA
    Posts
    1,038

    Default

    That looked good. How is your system running?

  10. #60
    Member
    Join Date
    Apr 2012
    Posts
    66

    Default System seems OK but!!

    Hi

    The system seems OK, and AVG is not flashing up Trojan warnings every three seconds - however, out of curiosity I ran the vagetatool one more time and it gave the same warning as before: "You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection." etc.

    I have yet to road-run the computer properly, as I have been doing most of my essential work on my wife's machine (and accessing this forum, save for when I needed to download a tool).

    Also, I know that the ping.exe file was trashed and that I was able to replace it - I am sure I might have lost other files - is there any easy way to re-install any missing operating system files on the machine (XP SP3)?
