It could be that AVG has kicked in - and is throwing a spanner in the works - As there is no way to halt AVG for more than 15 minutes - do I need to remove AVG and start again?
Scan now halted
It could be that AVG has kicked in - and is throwing a spanner in the works - As there is no way to halt AVG for more than 15 minutes - do I need to remove AVG and start again?
Hi,
We need to uninstall AVG. Please uninstall AVG by going to Start >> Control Panel >> Add/Remove Programs. We need to make sure that it doesn't interfere. We will reinstall it later.
I appreciate your patience with this. Your system was extremely infected and we are still dealing with the infection.
--------
Please boot into Safe Mode and attempt to run vagetatool again and hopefully it will run through. If the log is created post that to your next reply.
Scan complete - finally
Ran Vagetatool without ditching AVG. I kept the machine booting into safe mode which did the trick. I had taken the network cable out for safety. On each reboot the machine sought to dial out as the DUN kept popping up (I have a modem on board for some old freebie dialup accounts, just in case my broadband has a problem (in this rural area every so often) - so something is going on in the background. Also when Vagetatool had done its thing, it ended up with my display drivers removed, so I restored these. Here is the Report;
ComboFix 12-04-27.01 - Dr Michael Foster 27/04/2012 16:04:39.5.4 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2791 [GMT 1:00]
Running from: c:\documents and settings\Dr Michael Foster\Desktop\vagetatool.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\urttemp
c:\windows\system32\urttemp\regtlib.exe
.
Infected copy of c:\windows\system32\drivers\nv4_mini.sys was found and disinfected
Restored copy from - The cat found it
.
((((((((((((((((((((((((( Files Created from 2012-03-27 to 2012-04-27 )))))))))))))))))))))))))))))))
.
.
2012-04-27 14:59 . 2004-08-03 21:29 1897408 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2012-04-26 16:38 . 2012-04-26 16:38 17920 -c--a-w- c:\windows\system32\dllcache\ping.exe
2012-04-26 16:38 . 2012-04-26 16:38 17920 ----a-w- c:\windows\system32\ping.exe
2012-04-26 07:59 . 2012-04-26 07:59 -------- d-----w- c:\program files\ESET
2012-04-25 18:19 . 2012-04-25 18:19 -------- d-----w- C:\_OTL
2012-04-25 16:31 . 2012-04-25 16:31 -------- d-----w- c:\program files\ERUNT
2012-04-25 09:11 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-04-24 09:21 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-04-22 19:27 . 2012-04-22 19:36 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-21 08:26 . 2012-04-21 08:26 -------- d-----w- c:\documents and settings\Dr Michael Foster\Application Data\Malwarebytes
2012-04-21 08:26 . 2012-04-21 08:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-21 08:26 . 2012-04-21 08:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-21 08:26 . 2012-04-04 14:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-21 08:25 . 2012-04-21 08:25 -------- d-----w- C:\Malwarebytes
2012-04-20 14:55 . 2012-04-20 14:55 110080 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{4E0C6314-A8B8-4026-AC15-084E8B63AFB5}\IconF7A21AF7.exe
2012-04-20 14:55 . 2012-04-20 14:55 110080 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{4E0C6314-A8B8-4026-AC15-084E8B63AFB5}\IconD7F16134.exe
2012-04-20 14:55 . 2012-04-20 14:55 110080 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{4E0C6314-A8B8-4026-AC15-084E8B63AFB5}\IconCF33A0CE.exe
2012-04-20 14:55 . 2012-04-20 14:55 -------- d-----w- C:\sh4ldr
2012-04-20 14:55 . 2012-04-20 14:55 -------- d-----w- c:\program files\Enigma Software Group
2012-04-20 14:51 . 2012-04-20 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-04-20 14:51 . 2012-04-20 14:51 -------- d-----w- c:\documents and settings\Dr Michael Foster\Application Data\TestApp
2012-04-20 14:00 . 2012-04-20 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\B7E8587A4FE3ECF660BFD1C8D151FC4E
2012-04-04 15:18 . 2012-04-04 15:18 -------- d-----w- c:\program files\Copy of WinFax
2012-04-04 14:18 . 2012-04-08 06:29 -------- d-----w- c:\program files\winfax
2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2012-04-03 07:25 . 2012-04-13 17:58 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-13 17:58 . 2011-05-17 06:05 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 14:18 . 2010-05-05 05:48 41 ----a-w- c:\windows\WFXDEL.BAT
2012-03-11 12:48 . 2012-03-11 12:48 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-03-05 19:27 . 2012-03-05 19:27 73728 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\NewShortcut47_74B9CE5DF1F4447F982DCA29A461B529.exe
2012-03-05 19:27 . 2012-03-05 19:27 73728 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\NewShortcut46_74B9CE5DF1F4447F982DCA29A461B529.exe
2012-03-05 19:27 . 2012-03-05 19:27 53248 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\ARPPRODUCTICON.exe
2012-03-05 19:27 . 2012-03-05 19:27 49152 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\Uninstall_QA_OTI_H_FE5D756F71E147C4972AD6775344B40B.exe
2012-03-05 19:27 . 2012-03-05 19:27 49152 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\NewShortcut2_1C7B7089989A424FB39D41A32581C775.exe
2012-03-01 11:01 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2006-02-28 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2006-02-28 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2006-02-28 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2006-02-28 12:00 385024 ------w- c:\windows\system32\html.iec
2012-02-03 09:22 . 2006-02-28 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2011-12-16 1508408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFaxAppPortStarter"="wfxsnt40.exe" [2002-12-12 45568]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-11 8429568]
"RTHDCPL"="RTHDCPL.EXE" [2010-04-06 19523104]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-11 81920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"FaxTalk FaxCenter Pro 8"="c:\program files\FaxTalk\FTClCtrl.exe" [2011-09-23 120672]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"NSU_agent"="c:\program files\Nokia\Nokia Software Updater\nsu3ui_agent.exe" [2011-12-13 190768]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-04-04 35736]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
MagicFormation.lnk - c:\program files\Magic Formation\MagicFormation.exe [2010-4-28 454656]
Microsoft Office Outlook 2003.lnk - c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2010-4-25 794624]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-11-13 113024]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\winfax\WfxSeh32.Dll" [1998-07-27 38400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:F *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Aolpress\\Ws_ftp\\WS_FTP95.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\ArcSoft\\PhotoStudio 5.5\\PhotoStudio.exe"=
"c:\\Program Files\\NewSoft\\Presto! PageManager 7.15\\Pmsb.exe"=
"c:\\Program Files\\ScanSoft\\OmniPageSE4.0\\TwainClient.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\FaxTalk\\FTmsgsvc.exe"=
"c:\\Program Files\\FaxTalk\\fapiexe.exe"=
"c:\\Program Files\\FaxTalk\\FTclctrl.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
"c:\\Documents and Settings\\Dr Michael Foster\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13/09/2010 16:27 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [07/09/2010 04:48 32592]
R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [07/05/2010 11:55 16048]
S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [11/03/2012 13:48 56208]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/09/2010 04:48 230608]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [09/11/2010 23:20 295248]
S1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [15/12/2011 18:00 228208]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [11/03/2012 13:48 71440]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [11/03/2012 13:48 164112]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [17/02/2010 11:25 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [06/05/2010 17:10 67664]
S2 !SASCORE;SAS Core Service;"c:\program files\SUPERAntiSpyware\SASCORE.EXE" --> c:\program files\SUPERAntiSpyware\SASCORE.EXE [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [12/10/2011 07:25 4433248]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [02/08/2011 06:09 192776]
S2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [31/07/2010 20:34 162096]
S2 FaxTalk FaxCenter Pro 8;FaxTalk FaxCenter Pro 8;c:\program files\FaxTalk\FTmsgsvc.exe [23/09/2011 11:07 33120]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14/07/2010 12:31 136176]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [21/04/2012 09:26 654408]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [11/03/2012 13:48 931640]
S2 SdReadSpool;SolidPDFCreatorReadSpool;c:\program files\SolidDocuments\SolidPDFCreator\SPC\SolidPdfService.exe [18/03/2009 18:08 189696]
S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [18/01/2012 06:21 737184]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [03/04/2012 08:25 253088]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [28/04/2010 20:33 1691480]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [19/08/2010 21:42 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [19/08/2010 21:42 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [19/08/2010 21:42 16720]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 11336]
S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [06/05/2011 15:57 13904]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [14/07/2010 12:31 136176]
S3 ham50;Intel V92 HaM Data Fax Voice;c:\windows\system32\DRIVERS\IntelH51.sys --> c:\windows\system32\DRIVERS\IntelH51.sys [?]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [10/04/2010 17:05 266544]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [21/04/2012 09:26 22344]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [15/01/2012 08:31 137600]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [15/01/2012 08:31 8576]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys [19/07/2011 09:52 21520]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [28/02/2006 13:00 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Messenger
Netman
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
fsaa
pgpsdkservice
omci
mindrepair
SfCtlCom
dladresn
alertservice
ADSMService
avpnnic
websenseclientdeployservice
symdns
EACSvrMngr
arkbcfltr
protectionservice
pdlndldl
adaptecstoragemanageragent
upsentry_smart
trackcam4
giveio
ccevtmgr
{eda5f5d3-9e0f-4f4d-8a13-1d1cf469c9cc}
int15
scsiaccess
icdsptsv
ppped
C-Dilla
belmonitorservice
Packet
rtl8023
osanbm
NWHOST
pca
navapel
btcsrusb
fuj02b1
smstsmgr
NMSCFG
MRV6X32P
pop3d32
trlokom_rmhsvc
mf
procexp100
adsexpb
TSHWMDTCP
sqlagent$pinnaclesys
NeroMediaHomeService.4
3combootp
atiavaiw
eloggersvc6
SGHIDI
savrt
W700obex
iviregmgr
prism_a02
mi-raysat_3dsMax2008_32
Cap7134
wdm_au8820
ctprxy2k
spbbcsvc
IWCA
pshost
omniusb
acmservice
EUSBMSD
adfs
btwdndis
ipsraidn
l8042pr2
cygserver
ood2000
QWAVEDRV
EL90X
backupclientsvc
service1
TeamViewer
DNE
MSCamSvc
mafwboot
smartwiservice
LUsbFilt
winpowermanager
ZDPNDIS5
mcdetect.exe
CAM1210
incdfs
se45bus
SaiMini
s116mdm
ATKGFNEXSrv
wap3gx
dlaopiom
n558
CXAVXBAR
MSICPL
lxce_device
pktfilter
sfsync04
pav_service
mssql$sqlexpress
was
lxct_device
wlsetupsvc
vrservice
USA49W
infrastructure
SQLAgent$MICROSOFTBCM
surveyor
Mvc25U870_VID_1262&PID_25FD
bobo
RalinkRegistryWriter
usb20l
SimpTcp
imap4d32
kodakccs
JGOGO
forcewarewebinterface
scan
nicconfigsvc
NVR0FLASHDev
w70n51
ikfileflt
s716nd5
ZDPSp50
lxbs_device
sfsync02
generichidservice
alcxsens
NWSIPX32
curtainssyssvc
wmccds
cmbatt
pdlnepkt
PGPwded
Si3114r5
RTL8169
DS1410D
susbser
GoProto
ql2100
vaiomediaplatform-integratedserver-appserver
nchssvad
atimtag
SiRemFil
roxmediadb9
dptrackerd
UxTuneUp
EU3_USB
CoachUsb
USBAAPL
CdaD10BA
FINEPIX_PCC
MR97310_USB_DUAL_CAMERA
softfax
roxmediadb
U2SP
w29n51
getPlusHelper
superproserver
BrUsbSer
lxrsge10s
USB11LDR
smservaz
commserver
amdk7
ar5211
hap16v2k
DC21x4
USBVCD
Rasman
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
TrkWks
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc
WmdmPmSN
napagent
hkmsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 17:58]
.
2012-04-27 c:\windows\Tasks\ConfigExec.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 16:05]
.
2012-04-27 c:\windows\Tasks\DataUpload.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 16:05]
.
2011-11-11 c:\windows\Tasks\debutDowngrade.job
- c:\program files\NCH Software\Debut\debut.exe [2010-08-07 17:31]
.
2011-11-11 c:\windows\Tasks\debutShakeIcon.job
- c:\program files\NCH Software\Debut\debut.exe [2010-08-07 17:31]
.
2012-04-16 c:\windows\Tasks\doxillionShakeIcon.job
- c:\program files\NCH Software\Doxillion\doxillion.exe [2011-03-23 07:38]
.
2012-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-14 11:31]
.
2012-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-14 11:31]
.
2012-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1177238915-839522115-1003Core.job
- c:\documents and settings\Dr Michael Foster\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-22 15:04]
.
2012-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1177238915-839522115-1003UA.job
- c:\documents and settings\Dr Michael Foster\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-22 15:04]
.
2012-04-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
2012-01-20 c:\windows\Tasks\pixillionShakeIcon.job
- c:\program files\NCH Software\Pixillion\pixillion.exe [2011-04-02 13:28]
.
2011-11-11 c:\windows\Tasks\prismShakeIcon.job
- c:\program files\NCH Software\Prism\prism.exe [2010-08-07 14:27]
.
2011-11-11 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-08-07 14:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www2.prestel.co.uk/church/oosj/osj.htm
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-WFXSwtch - c:\progra~1\winfax\WFXSWTCH.exe
HKLM-Run-nwiz - nwiz.exe
SafeBoot-48309816.sys
SafeBoot-55688713.sys
SafeBoot-69944965.sys
SafeBoot-75860562.sys
SafeBoot-79782063.sys
SafeBoot-WudfPf
SafeBoot-WudfRd
SafeBoot-WinDefend
AddRemove-A to B Britain - c:\program files\AtoB4\Uninst.isu
AddRemove-WinFax - c:\program files\winfax\WFXUNIST.ISU
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-27 16:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(256)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\l3codeca.acm
.
Completion time: 2012-04-27 16:23:46 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-27 15:23
.
Pre-Run: 107,584,679,936 bytes free
Post-Run: 107,540,197,376 bytes free
.
- - End Of File - - F515367D4109A49104AEA989306E2C32
Hi,
Okie dokie....
Next I would like you to take the following steps:
- Click Start then Run type Notepad and click Ok
- Copy and Paste the contents of the Code box below into Notepad
Code:REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost] "netsvcs"=hex(7):36,74,6f,34,00,41,70,70,4d,67,6d,74,00,41,75,64,69,6f,53,72,\ 76,00,42,72,6f,77,73,65,72,00,43,72,79,70,74,53,76,63,00,44,4d,53,65,72,76,\ 65,72,00,44,48,43,50,00,45,52,53,76,63,00,45,76,65,6e,74,53,79,73,74,65,6d,\ 00,46,61,73,74,55,73,65,72,53,77,69,74,63,68,69,6e,67,43,6f,6d,70,61,74,69,\ 62,69,6c,69,74,79,00,48,69,64,53,65,72,76,00,49,61,73,00,49,70,72,69,70,00,\ 49,72,6d,6f,6e,00,4c,61,6e,6d,61,6e,53,65,72,76,65,72,00,4c,61,6e,6d,61,6e,\ 57,6f,72,6b,73,74,61,74,69,6f,6e,00,4d,65,73,73,65,6e,67,65,72,00,4e,65,74,\ 6d,61,6e,00,4e,6c,61,00,4e,74,6d,73,73,76,63,00,4e,57,43,57,6f,72,6b,73,74,\ 61,74,69,6f,6e,00,4e,77,73,61,70,61,67,65,6e,74,00,52,61,73,61,75,74,6f,00,\ 52,61,73,6d,61,6e,00,52,65,6d,6f,74,65,61,63,63,65,73,73,00,53,63,68,65,64,\ 75,6c,65,00,53,65,63,6c,6f,67,6f,6e,00,53,45,4e,53,00,53,68,61,72,65,64,61,\ 63,63,65,73,73,00,53,52,53,65,72,76,69,63,65,00,54,61,70,69,73,72,76,00,54,\ 68,65,6d,65,73,00,54,72,6b,57,6b,73,00,57,33,32,54,69,6d,65,00,57,5a,43,53,\ 56,43,00,57,6d,69,00,57,6d,64,6d,50,6d,53,70,00,77,69,6e,6d,67,6d,74,00,77,\ 73,63,73,76,63,00,78,6d,6c,70,72,6f,76,00,6e,61,70,61,67,65,6e,74,00,68,6b,\ 6d,73,76,63,00,42,49,54,53,00,77,75,61,75,73,65,72,76,00,53,68,65,6c,6c,48,\ 57,44,65,74,65,63,74,69,6f,6e,00,68,65,6c,70,73,76,63,00,00- Save as regfix.reg to your Desktop
- Make sure to save file type as All Files
- Now right-click regfix.reg and select Merge
----------
Now reboot your system and run a new scan with ComboFix and post the newly made log.
Continue in the morning
I have just finished work. I have merge the reg file, and will rescan early tomorrow. Then Saturday after early am (from 9am thru to afternoon) is written off - but I will continue early sunday morning for an hour, but am working mid morning. Thanks for you assistance - and it is good that I have my wife's machine on which to continue my work, and catch up with your help. Thanks.
Hi,
No problem...take your time.
Just started the rescan
On running the app again this message appears;
"You are infected with Rootkit.ZeroAccess!
It has inserted itself into the tcp/ip stack. This is a particularly difficult infection.
If for any reason that you’re unable to connect to the internet after running ComboFix, reboot once and see if that fixes it. If it's not fixed, run ComboFix one more time"
I guess I will get time to complete the scan but will post on my return home (have to go out). I might be able to post later today, but I will have a an early slot tommorrow.
Again thanks
Scan results from Vagetatool
ComboFix 12-04-27.01 - Dr Michael Foster 28/04/2012 8:02.6.4 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2788 [GMT 1:00]
Running from: c:\documents and settings\Dr Michael Foster\Desktop\vagetatool.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\drivers\nv4_mini.sys was found and disinfected
Restored copy from - The cat found it
.
((((((((((((((((((((((((( Files Created from 2012-03-28 to 2012-04-28 )))))))))))))))))))))))))))))))
.
.
2012-04-28 06:57 . 2004-08-03 21:29 1897408 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2012-04-27 16:23 . 2012-04-27 16:23 4948 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-04-26 16:38 . 2012-04-26 16:38 17920 -c--a-w- c:\windows\system32\dllcache\ping.exe
2012-04-26 16:38 . 2012-04-26 16:38 17920 ----a-w- c:\windows\system32\ping.exe
2012-04-26 07:59 . 2012-04-26 07:59 -------- d-----w- c:\program files\ESET
2012-04-25 18:19 . 2012-04-25 18:19 -------- d-----w- C:\_OTL
2012-04-25 16:31 . 2012-04-25 16:31 -------- d-----w- c:\program files\ERUNT
2012-04-25 09:11 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-04-24 09:21 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-04-22 19:27 . 2012-04-22 19:36 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-21 08:26 . 2012-04-21 08:26 -------- d-----w- c:\documents and settings\Dr Michael Foster\Application Data\Malwarebytes
2012-04-21 08:26 . 2012-04-21 08:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-21 08:26 . 2012-04-21 08:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-21 08:26 . 2012-04-04 14:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-21 08:25 . 2012-04-21 08:25 -------- d-----w- C:\Malwarebytes
2012-04-20 14:55 . 2012-04-20 14:55 110080 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{4E0C6314-A8B8-4026-AC15-084E8B63AFB5}\IconF7A21AF7.exe
2012-04-20 14:55 . 2012-04-20 14:55 110080 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{4E0C6314-A8B8-4026-AC15-084E8B63AFB5}\IconD7F16134.exe
2012-04-20 14:55 . 2012-04-20 14:55 110080 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{4E0C6314-A8B8-4026-AC15-084E8B63AFB5}\IconCF33A0CE.exe
2012-04-20 14:55 . 2012-04-20 14:55 -------- d-----w- C:\sh4ldr
2012-04-20 14:55 . 2012-04-20 14:55 -------- d-----w- c:\program files\Enigma Software Group
2012-04-20 14:51 . 2012-04-20 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-04-20 14:51 . 2012-04-20 14:51 -------- d-----w- c:\documents and settings\Dr Michael Foster\Application Data\TestApp
2012-04-20 14:00 . 2012-04-20 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\B7E8587A4FE3ECF660BFD1C8D151FC4E
2012-04-04 15:18 . 2012-04-04 15:18 -------- d-----w- c:\program files\Copy of WinFax
2012-04-04 14:18 . 2012-04-08 06:29 -------- d-----w- c:\program files\winfax
2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2012-04-03 07:25 . 2012-04-13 17:58 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-13 17:58 . 2011-05-17 06:05 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-04 14:18 . 2010-05-05 05:48 41 ----a-w- c:\windows\WFXDEL.BAT
2012-03-11 12:48 . 2012-03-11 12:48 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2012-03-05 19:27 . 2012-03-05 19:27 73728 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\NewShortcut47_74B9CE5DF1F4447F982DCA29A461B529.exe
2012-03-05 19:27 . 2012-03-05 19:27 73728 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\NewShortcut46_74B9CE5DF1F4447F982DCA29A461B529.exe
2012-03-05 19:27 . 2012-03-05 19:27 53248 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\ARPPRODUCTICON.exe
2012-03-05 19:27 . 2012-03-05 19:27 49152 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\Uninstall_QA_OTI_H_FE5D756F71E147C4972AD6775344B40B.exe
2012-03-05 19:27 . 2012-03-05 19:27 49152 ----a-r- c:\documents and settings\Dr Michael Foster\Application Data\Microsoft\Installer\{889D48DA-457F-4C8B-9095-6458F2793B12}\NewShortcut2_1C7B7089989A424FB39D41A32581C775.exe
2012-03-01 11:01 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2006-02-28 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2006-02-28 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2006-02-28 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2006-02-28 12:00 385024 ------w- c:\windows\system32\html.iec
2012-02-03 09:22 . 2006-02-28 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-27_15.18.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-28 07:15 . 2012-04-28 07:15 16384 c:\windows\temp\Perflib_Perfdata_2c0.dat
+ 2010-04-24 17:56 . 2008-04-14 00:12 74752 c:\windows\system32\storprop.dll
- 2010-04-24 17:56 . 2008-04-14 00:12 74752 c:\windows\system32\storprop.dll
+ 2012-04-27 16:22 . 2008-04-13 19:46 61696 c:\windows\system32\ReinstallBackups\0153\DriverFiles\i386\ohci1394.sys
+ 2012-04-27 16:22 . 2008-04-13 19:51 61824 c:\windows\system32\ReinstallBackups\0153\DriverFiles\i386\nic1394.sys
+ 2012-04-27 16:22 . 2008-04-13 19:51 60800 c:\windows\system32\ReinstallBackups\0153\DriverFiles\i386\arp1394.sys
+ 2012-04-27 16:22 . 2008-04-13 19:46 53376 c:\windows\system32\ReinstallBackups\0153\DriverFiles\i386\1394bus.sys
+ 2012-04-27 16:21 . 2008-04-14 00:12 74752 c:\windows\system32\ReinstallBackups\0151\DriverFiles\i386\storprop.dll
+ 2012-04-27 16:21 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0151\DriverFiles\i386\atapi.sys
+ 2012-04-27 16:21 . 2008-04-14 00:12 74752 c:\windows\system32\ReinstallBackups\0150\DriverFiles\i386\storprop.dll
+ 2012-04-27 16:21 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0150\DriverFiles\i386\atapi.sys
+ 2012-04-27 16:21 . 2008-04-14 00:12 74752 c:\windows\system32\ReinstallBackups\0149\DriverFiles\i386\storprop.dll
+ 2012-04-27 16:21 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0149\DriverFiles\i386\atapi.sys
+ 2012-04-27 16:20 . 2008-04-14 00:12 74752 c:\windows\system32\ReinstallBackups\0148\DriverFiles\i386\storprop.dll
+ 2012-04-27 16:20 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0148\DriverFiles\i386\atapi.sys
+ 2012-04-27 16:20 . 2008-04-14 00:12 74752 c:\windows\system32\ReinstallBackups\0147\DriverFiles\i386\storprop.dll
+ 2012-04-27 16:20 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0147\DriverFiles\i386\atapi.sys
+ 2012-04-27 16:20 . 2008-04-14 00:12 74752 c:\windows\system32\ReinstallBackups\0146\DriverFiles\i386\storprop.dll
+ 2012-04-27 16:20 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0146\DriverFiles\i386\atapi.sys
+ 2012-04-27 16:20 . 2008-04-14 00:12 74752 c:\windows\system32\ReinstallBackups\0145\DriverFiles\i386\storprop.dll
+ 2012-04-27 16:20 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0145\DriverFiles\i386\atapi.sys
+ 2012-04-27 16:21 . 2008-04-13 18:39 24576 c:\windows\system32\ReinstallBackups\0099\DriverFiles\i386\kbdclass.sys
+ 2012-04-27 16:21 . 2008-04-13 19:18 52480 c:\windows\system32\ReinstallBackups\0099\DriverFiles\i386\i8042prt.sys
+ 2012-04-27 16:15 . 2008-04-13 18:45 26368 c:\windows\system32\ReinstallBackups\0060\DriverFiles\i386\USBSTOR.SYS
+ 2012-04-27 16:19 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0058\DriverFiles\i386\usbhub.sys
+ 2012-04-27 16:20 . 2008-04-13 18:40 24960 c:\windows\system32\ReinstallBackups\0055\DriverFiles\i386\pciidex.sys
+ 2012-04-27 16:20 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0055\DriverFiles\i386\atapi.sys
+ 2012-04-27 16:14 . 2008-04-13 18:45 26368 c:\windows\system32\ReinstallBackups\0053\DriverFiles\i386\USBSTOR.SYS
+ 2012-04-27 16:19 . 2008-04-13 18:40 24960 c:\windows\system32\ReinstallBackups\0019\DriverFiles\i386\pciidex.sys
+ 2012-04-27 16:19 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0019\DriverFiles\i386\atapi.sys
+ 2012-04-27 16:17 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0017\DriverFiles\i386\usbhub.sys
+ 2012-04-27 16:17 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0015\DriverFiles\i386\usbhub.sys
+ 2012-04-27 16:20 . 2008-04-14 00:12 74752 c:\windows\system32\ReinstallBackups\0014\DriverFiles\i386\storprop.dll
+ 2012-04-27 16:20 . 2008-04-13 18:40 96512 c:\windows\system32\ReinstallBackups\0014\DriverFiles\i386\atapi.sys
+ 2012-04-27 16:17 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0013\DriverFiles\i386\usbhub.sys
+ 2012-04-27 16:18 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0012\DriverFiles\i386\usbhub.sys
+ 2012-04-27 16:17 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0011\DriverFiles\i386\usbhub.sys
+ 2012-04-27 16:17 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0009\DriverFiles\i386\usbhub.sys
- 2010-04-28 15:36 . 2004-08-03 23:56 74240 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:14 . 2008-04-14 00:12 74240 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:14 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\usbhub.sys
+ 2012-04-27 16:14 . 2008-04-13 18:45 30208 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\usbehci.sys
- 2010-04-28 15:35 . 2004-08-03 23:56 74240 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:12 . 2008-04-14 00:12 74240 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:12 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\usbhub.sys
+ 2012-04-27 16:12 . 2008-04-13 18:45 30208 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\usbehci.sys
- 2010-04-28 15:35 . 2004-08-03 23:56 74240 c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:12 . 2008-04-14 00:12 74240 c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:12 . 2008-04-13 18:45 20608 c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\usbuhci.sys
+ 2012-04-27 16:12 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\usbhub.sys
+ 2012-04-27 16:12 . 2008-04-14 00:12 74240 c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\usbui.dll
- 2010-04-28 15:35 . 2004-08-03 23:56 74240 c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:12 . 2008-04-13 18:45 20608 c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\usbuhci.sys
+ 2012-04-27 16:12 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\usbhub.sys
+ 2012-04-27 16:12 . 2008-04-14 00:12 74240 c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\usbui.dll
- 2010-04-28 15:34 . 2004-08-03 23:56 74240 c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:12 . 2008-04-13 18:45 20608 c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\usbuhci.sys
+ 2012-04-27 16:12 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\usbhub.sys
- 2010-04-28 15:34 . 2004-08-03 23:56 74240 c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:11 . 2008-04-14 00:12 74240 c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:11 . 2008-04-13 18:45 20608 c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\usbuhci.sys
+ 2012-04-27 16:11 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\usbhub.sys
- 2010-04-28 15:34 . 2004-08-03 23:56 74240 c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:11 . 2008-04-14 00:12 74240 c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:11 . 2008-04-13 18:45 20608 c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\usbuhci.sys
+ 2012-04-27 16:11 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\usbhub.sys
- 2010-04-28 15:33 . 2004-08-03 23:56 74240 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:11 . 2008-04-14 00:12 74240 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\usbui.dll
+ 2012-04-27 16:11 . 2008-04-13 18:45 20608 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\usbuhci.sys
+ 2012-04-27 16:11 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\usbhub.sys
+ 2012-04-27 16:17 . 2008-04-13 18:45 59520 c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\usbhub.sys
+ 2006-02-28 12:00 . 2008-04-13 18:45 20608 c:\windows\system32\drivers\usbuhci.sys
- 2006-02-28 12:00 . 2008-04-13 18:45 20608 c:\windows\system32\drivers\usbuhci.sys
+ 2006-02-28 12:00 . 2008-04-13 18:45 59520 c:\windows\system32\drivers\usbhub.sys
- 2006-02-28 12:00 . 2008-04-13 18:45 59520 c:\windows\system32\drivers\usbhub.sys
+ 2006-02-28 12:00 . 2008-04-13 18:45 30208 c:\windows\system32\drivers\usbehci.sys
- 2006-02-28 12:00 . 2008-04-13 18:45 30208 c:\windows\system32\drivers\usbehci.sys
+ 2006-02-28 12:00 . 2008-04-13 18:40 24960 c:\windows\system32\drivers\pciidex.sys
- 2006-02-28 12:00 . 2008-04-13 18:40 24960 c:\windows\system32\drivers\pciidex.sys
+ 2006-02-28 12:00 . 2008-04-13 18:46 61696 c:\windows\system32\drivers\ohci1394.sys
- 2006-02-28 12:00 . 2008-04-13 19:46 61696 c:\windows\system32\drivers\ohci1394.sys
- 2004-08-03 22:58 . 2008-04-13 19:51 61824 c:\windows\system32\drivers\nic1394.sys
+ 2004-08-03 22:58 . 2008-04-13 18:51 61824 c:\windows\system32\drivers\nic1394.sys
- 2006-02-28 12:00 . 2008-04-13 18:39 24576 c:\windows\system32\drivers\kbdclass.sys
+ 2006-02-28 12:00 . 2008-04-13 18:39 24576 c:\windows\system32\drivers\kbdclass.sys
- 2004-08-03 22:58 . 2008-04-13 19:51 60800 c:\windows\system32\drivers\arp1394.sys
+ 2004-08-03 22:58 . 2008-04-13 18:51 60800 c:\windows\system32\drivers\arp1394.sys
+ 2006-02-28 12:00 . 2008-04-13 18:46 53376 c:\windows\system32\drivers\1394bus.sys
- 2006-02-28 12:00 . 2008-04-13 19:46 53376 c:\windows\system32\drivers\1394bus.sys
+ 2012-04-27 16:22 . 2001-08-17 13:46 6400 c:\windows\system32\ReinstallBackups\0153\DriverFiles\i386\enum1394.sys
+ 2012-04-27 16:19 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0058\DriverFiles\i386\usbd.sys
+ 2012-04-27 16:20 . 2001-08-17 12:51 3328 c:\windows\system32\ReinstallBackups\0055\DriverFiles\i386\pciide.sys
- 2010-04-28 10:43 . 2001-08-17 12:51 3328 c:\windows\system32\ReinstallBackups\0055\DriverFiles\i386\pciide.sys
- 2010-04-28 10:43 . 2001-08-17 12:51 3328 c:\windows\system32\ReinstallBackups\0019\DriverFiles\i386\pciide.sys
+ 2012-04-27 16:19 . 2001-08-17 12:51 3328 c:\windows\system32\ReinstallBackups\0019\DriverFiles\i386\pciide.sys
+ 2012-04-27 16:17 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0017\DriverFiles\i386\usbd.sys
- 2010-04-28 15:39 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0017\DriverFiles\i386\usbd.sys
- 2010-04-28 15:39 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0015\DriverFiles\i386\usbd.sys
+ 2012-04-27 16:17 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0015\DriverFiles\i386\usbd.sys
+ 2012-04-27 16:17 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0013\DriverFiles\i386\usbd.sys
- 2010-04-28 15:40 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0013\DriverFiles\i386\usbd.sys
- 2010-04-28 15:40 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0012\DriverFiles\i386\usbd.sys
+ 2012-04-27 16:18 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0012\DriverFiles\i386\usbd.sys
- 2010-04-28 15:39 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0011\DriverFiles\i386\usbd.sys
+ 2012-04-27 16:17 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0011\DriverFiles\i386\usbd.sys
+ 2012-04-27 16:17 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0009\DriverFiles\i386\usbd.sys
- 2010-04-28 15:39 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0009\DriverFiles\i386\usbd.sys
+ 2012-04-27 16:14 . 2008-04-14 00:11 7168 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\hccoin.dll
- 2010-04-28 15:36 . 2006-02-28 12:00 7168 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\hccoin.dll
+ 2012-04-27 16:12 . 2008-04-14 00:11 7168 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\hccoin.dll
- 2010-04-28 15:35 . 2006-02-28 12:00 7168 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\hccoin.dll
+ 2012-04-27 16:17 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\usbd.sys
- 2010-04-28 15:40 . 2001-08-17 13:03 4736 c:\windows\system32\ReinstallBackups\0000\DriverFiles\i386\usbd.sys
+ 2010-04-24 17:57 . 2001-08-17 12:46 6400 c:\windows\system32\drivers\enum1394.sys
- 2010-04-24 17:57 . 2001-08-17 13:46 6400 c:\windows\system32\drivers\enum1394.sys
+ 2012-04-27 16:21 . 2008-04-13 18:31 134400 c:\windows\system32\ReinstallBackups\0152\DriverFiles\i386\halmacpi.dll
+ 2012-04-27 16:14 . 2008-04-13 18:45 143872 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\usbport.sys
+ 2012-04-27 16:12 . 2008-04-13 18:45 143872 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\usbport.sys
+ 2012-04-27 16:12 . 2008-04-13 18:45 143872 c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\usbport.sys
+ 2012-04-27 16:12 . 2008-04-13 18:45 143872 c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\usbport.sys
+ 2012-04-27 16:12 . 2008-04-13 18:45 143872 c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\usbport.sys
+ 2012-04-27 16:11 . 2008-04-13 18:45 143872 c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\usbport.sys
+ 2012-04-27 16:11 . 2008-04-13 18:45 143872 c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\usbport.sys
+ 2012-04-27 16:11 . 2008-04-13 18:45 143872 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\usbport.sys
+ 2012-04-27 16:21 . 2011-10-25 12:52 2027008 c:\windows\system32\ReinstallBackups\0152\DriverFiles\i386\ntkrpamp.exe
+ 2012-04-27 16:21 . 2011-10-25 13:37 2148864 c:\windows\system32\ReinstallBackups\0152\DriverFiles\i386\ntkrnlmp.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2011-12-16 1508408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFaxAppPortStarter"="wfxsnt40.exe" [2002-12-12 45568]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-11 8429568]
"RTHDCPL"="RTHDCPL.EXE" [2010-04-06 19523104]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"FaxTalk FaxCenter Pro 8"="c:\program files\FaxTalk\FTClCtrl.exe" [2011-09-23 120672]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"NSU_agent"="c:\program files\Nokia\Nokia Software Updater\nsu3ui_agent.exe" [2011-12-13 190768]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-04-04 35736]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"nwiz"="nwiz.exe" [BU]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-11 81920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
MagicFormation.lnk - c:\program files\Magic Formation\MagicFormation.exe [2010-4-28 454656]
Microsoft Office Outlook 2003.lnk - c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe [2010-4-25 794624]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-11-13 113024]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\winfax\WfxSeh32.Dll" [1998-07-27 38400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:F *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Aolpress\\Ws_ftp\\WS_FTP95.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\ArcSoft\\PhotoStudio 5.5\\PhotoStudio.exe"=
"c:\\Program Files\\NewSoft\\Presto! PageManager 7.15\\Pmsb.exe"=
"c:\\Program Files\\ScanSoft\\OmniPageSE4.0\\TwainClient.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\FaxTalk\\FTmsgsvc.exe"=
"c:\\Program Files\\FaxTalk\\fapiexe.exe"=
"c:\\Program Files\\FaxTalk\\FTclctrl.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
"c:\\Documents and Settings\\Dr Michael Foster\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13/09/2010 16:27 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [07/09/2010 04:48 32592]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [11/03/2012 13:48 56208]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/09/2010 04:48 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [09/11/2010 23:20 295248]
R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [07/05/2010 11:55 16048]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys [15/12/2011 18:00 228208]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [11/03/2012 13:48 71440]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [11/03/2012 13:48 164112]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [17/02/2010 11:25 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [06/05/2010 17:10 67664]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [02/08/2011 06:09 192776]
R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [31/07/2010 20:34 162096]
R2 FaxTalk FaxCenter Pro 8;FaxTalk FaxCenter Pro 8;c:\program files\FaxTalk\FTmsgsvc.exe [23/09/2011 11:07 33120]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [21/04/2012 09:26 654408]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [11/03/2012 13:48 931640]
R2 SdReadSpool;SolidPDFCreatorReadSpool;c:\program files\SolidDocuments\SolidPDFCreator\SPC\SolidPdfService.exe [18/03/2009 18:08 189696]
R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [18/01/2012 06:21 737184]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [19/08/2010 21:42 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [19/08/2010 21:42 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [19/08/2010 21:42 16720]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [21/04/2012 09:26 22344]
S2 !SASCORE;SAS Core Service;"c:\program files\SUPERAntiSpyware\SASCORE.EXE" --> c:\program files\SUPERAntiSpyware\SASCORE.EXE [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [12/10/2011 07:25 4433248]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14/07/2010 12:31 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [03/04/2012 08:25 253088]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [28/04/2010 20:33 1691480]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 11336]
S3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [06/05/2011 15:57 13904]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [14/07/2010 12:31 136176]
S3 ham50;Intel V92 HaM Data Fax Voice;c:\windows\system32\DRIVERS\IntelH51.sys --> c:\windows\system32\DRIVERS\IntelH51.sys [?]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [10/04/2010 17:05 266544]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [15/01/2012 08:31 137600]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [15/01/2012 08:31 8576]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\28896\RapportIaso.sys [19/07/2011 09:52 21520]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [28/02/2006 13:00 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 17:58]
.
2012-04-28 c:\windows\Tasks\ConfigExec.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 16:05]
.
2012-04-27 c:\windows\Tasks\DataUpload.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2010-04-10 16:05]
.
2011-11-11 c:\windows\Tasks\debutDowngrade.job
- c:\program files\NCH Software\Debut\debut.exe [2010-08-07 17:31]
.
2011-11-11 c:\windows\Tasks\debutShakeIcon.job
- c:\program files\NCH Software\Debut\debut.exe [2010-08-07 17:31]
.
2012-04-16 c:\windows\Tasks\doxillionShakeIcon.job
- c:\program files\NCH Software\Doxillion\doxillion.exe [2011-03-23 07:38]
.
2012-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-14 11:31]
.
2012-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-14 11:31]
.
2012-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1177238915-839522115-1003Core.job
- c:\documents and settings\Dr Michael Foster\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-22 15:04]
.
2012-04-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1177238915-839522115-1003UA.job
- c:\documents and settings\Dr Michael Foster\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-22 15:04]
.
2012-04-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
2012-01-20 c:\windows\Tasks\pixillionShakeIcon.job
- c:\program files\NCH Software\Pixillion\pixillion.exe [2011-04-02 13:28]
.
2011-11-11 c:\windows\Tasks\prismShakeIcon.job
- c:\program files\NCH Software\Prism\prism.exe [2010-08-07 14:27]
.
2011-11-11 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-08-07 14:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www2.prestel.co.uk/church/oosj/osj.htm
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-28 08:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1060)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3008)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
c:\windows\system32\ieframe.dll
c:\program files\Magic Formation\MFHook.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\WFXSVC.EXE
c:\program files\FaxTalk\FAPIEXE.EXE
c:\windows\system32\wfxsnt40.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\rundll32.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
c:\windows\system32\wscntfy.exe
c:\windows\System32\wudfhost.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2012-04-28 08:22:05 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-28 07:22
ComboFix2.txt 2012-04-27 15:23
.
Pre-Run: 107,423,932,416 bytes free
Post-Run: 107,409,145,856 bytes free
.
- - End Of File - - 4B22D7A8DE69480CD6D80DF7E2DE41F1
That looked good. How is your system running?
System seems OK but!!
Hi
The System seems OK, and AVG is not flashing up Trojan warnings every three seconds - however out of curiosity I ran the vagetatool one more time and it gave the same warning as before; "You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection." etc.
I have yet to road run the Computer properly as I have been doing most of my essential work on my wife's machine (and accessing this forum save for when I needed to download a tool).
Also I know that the ping.exe file was trashed and that I was able to replace it - I am sure I might have lost other files - is there any easy way to re-install any missing operating files to the machine (XP sp3)?
Posting Permissions
