Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Really bad virus


  • This topic is locked This topic is locked
58 replies to this topic

#1 Terry Creighton

Terry Creighton

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:03:20 PM

Posted 16 January 2009 - 06:30 PM

Hello there. First of all, I wasn't able to get a DDS log. I downloaded the DDS screen saver and ran it, but it closed right away and hundreds of windows came up. I recognized calculator, paint, and an onscreen keyboard. I had to reboot to get it to stop.

I tried going into safe mode and as soon as I logged in, a message came up saying that Windows was shutting down because "Windows encountered an error in safe_mode.exe and needs to close." and it gave me 5 seconds before it rebooted.

Now, a bunch of sounds are playing. Some of them sound like Windows sounds. I don't see anything that would be playing them, though.

I was able to install HijackThis and save a log from that. Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:17 PM, on 1/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
c:\prn\prn\smss.exe
c:\prn\prn\smss.exe
c:\prn\prn\lsass.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\mplay32.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe cmd /c C:\WINDOWS\system32\DontDelete.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-21-1202660629-1563985344-1957994488-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1202660629-1563985344-1957994488-1003\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User '?')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [] OSK.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [] OSK.exe (User 'Default user')
O4 - S-1-5-20 Startup: Microsoft (User '?')
O4 - S-1-5-21-1202660629-1563985344-1957994488-1003 Startup: avg8 (User '?')
O4 - S-1-5-21-1202660629-1563985344-1957994488-1003 Startup: Microsoft (User '?')
O4 - S-1-5-21-1202660629-1563985344-1957994488-1003 Startup: Windows Genuine Advantage (User '?')
O4 - S-1-5-18 Startup: Microsoft (User '?')
O4 - .DEFAULT Startup: Microsoft (User 'Default user')
O4 - Startup: avg8
O4 - Startup: Microsoft
O4 - Startup: Windows Genuine Advantage
O4 - Global Startup: Gtools.url
O4 - Global Startup: Links
O4 - Global Startup: Microsoft
O4 - Global Startup: Microsoft Websites
O4 - Global Startup: Mobile Favorites
O4 - Global Startup: MSN Websites
O4 - Global Startup: MSN.com.url
O4 - Global Startup: Radio Station Guide.url
O4 - Global Startup: Vehicle Tools.url
O4 - Global Startup: Vehiclemart.com.url
O4 - Global Startup: Windows Live
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1227138234363
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

--
End of file - 4429 bytes

Thank you for your help.

Edited by Terry Creighton, 16 January 2009 - 10:21 PM.


BC AdBot (Login to Remove)

 


#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:20 PM

Posted 17 January 2009 - 10:41 AM

Hello Terry Creighton :thumbup2: Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you from here on out and will need some time to look over your log.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond the your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.




Please perform the following if you can:



Do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)





When completed please both both logs fromRSIT as well as the one from Kaspersky.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 Terry Creighton

Terry Creighton
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:03:20 PM

Posted 17 January 2009 - 03:17 PM

Wow, that was really fast! From reading around on here I figured it would take at least 5 days to get a response! You reponded right away! Thank you very much.

Before I post the results of the scans, I want to say that I forgot to mention some things in my first post. I now have like twice as many icons on my desktop than I normally do. They seem to all be there twice. Also, when I click on Start and All Programs, none of the normal stuff is there. There is usually a lot more. Also, when I started Windows this morning, I got about 6 or 7 Internet Explorer windows opening to various sites. Oh yeah, and Google Chrome won't work anymore. Any site I try going to on that says that it couldn't connect. I even uninstalled it and re-installed it and it couldn't re-install. It just gave an error that I didn't write down. I'm having to use Internet Explorer now.

Anyway, I went to that Kaspersky site and it wouldn't run at first. It kept saying that Windows couldn't verify the publisher or something. Then something told me I need to install Java, so I did and it started like you said it would. It took a long time and got to where it says Updating the database(40%)... and then the window just closed and so did the bar along the bottom of my screen and my icons went away. I could only see my background and that's it. I tried right-clicking and nothing happened. I restarted the computer and went back to the Kaspersky site and it went all the way through this time and let me scan My Computer. Here are the results:

KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, January 17, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, January 17, 2009 18:16:22
Records in database: 1637846


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\

Scan statistics
Files scanned 19071
Threat name 1
Infected objects 2
Suspicious objects 0
Duration of the scan 00:40:32

File name Threat name Threats count
C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\Content.IE5\01Q3CHAZ\vnc-4_1_3-x86_win32[1].exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 2

The selected area was scanned.


Next I ran the RSIT one and after I clicked Continue, it brought up an error message that said

"Line -1:

Error: Incorrect number of parameters in function call."

I tried downloading and running it more than once and it gave the same error each time.

#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:20 PM

Posted 17 January 2009 - 05:40 PM

OK, we will try to work with what we have right now. :thumbup2: Since I am still training any fix that I put together has to be approved by a coach so I will get back to you as quickly as I can. Your log got picked up a little quicker due to the nature of what I saw was wrong with it. Gives me more practice in certain areas.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:20 PM

Posted 17 January 2009 - 06:34 PM

Since you were able to run HJT, try doing the following for me which will generate an uninstall list:


Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
More information with a screenshot, can be found here.



Thanks!!
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#6 Terry Creighton

Terry Creighton
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:03:20 PM

Posted 17 January 2009 - 06:44 PM

Okay, here's the list

AVG Free 8.0
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Java™ 6 Update 11
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Update for Windows XP (KB898461)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11

#7 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:20 PM

Posted 17 January 2009 - 07:00 PM

Can you tell me if those look like all of the programs you would think were on your machine? To me it looks like a very short list of programs unlike what I would normally see.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#8 Terry Creighton

Terry Creighton
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:03:20 PM

Posted 17 January 2009 - 07:12 PM

Yeah, I guess this looks about right. I don't have a fast enough computer to really play games on here. I go on the internet a lot and use Wordpad for all my important stuff like resumes and I like to write. Google Chrome would be on there but I uninstalled it when it wouldn't work and I couldn't get it to re-install. I used to have Office but I uninstalled it to put a newer version on, then didn't have enough money and I couldn't find my old office disk to put it back on. I don't see what's so bad about wordpad though. My sister uses that all the time. I have a lot of family pictures on here, too, but I let my dad edit them on his computer because he has Photoshop.

Just now, I got an error message that said "Error: 0x80026049: Windows encountered a virus on your system." There was only an OK button. I clicked it and nothing happened.

Edited by Terry Creighton, 17 January 2009 - 07:13 PM.


#9 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:20 PM

Posted 20 January 2009 - 08:49 AM

Sorry for the wait. We'll get started now:


One or more of the identified infections is a backdoor worm. This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the worm has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of worm, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall




I also have reason to believe you may have a keylogger on your machine. This is a program that logs all the information you type into your keyboard. These are very dangerous and can give the bad guys your passwords as well. It would be in your best interest to consider any security codes that you use for banking or other business and personal reasons to be compromised. I am going to have you upload a file to determine if it is indeed a keylogger but even it it is not the presence of the backdoor infections is cause for the actions that were talked about above.


We can still work at cleaning this machine but I can't guarantee that it will be 100% secure afterwards.

For the time being I will proceed on the assumption you wish to clean up your computer. If you do not and would rather reformat or reinstall let me know in your next reply.




Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
C:\WINDOWS\system32\DontDelete.exe
Click Submit.
Please post the results of this scan to this thread.


Alternate site if Jottis' doesn't work or is too busy

Go to http://www.virustotal.com/en/indexf.html
Copy the following line into the white textbox:
C:\WINDOWS\system32\DontDelete.exe
Click Send.
Please post the results of this scan to this thread.




Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to renable you anti-virus and and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.







When completed please post the following:
  • Report from Jottis or virustotal
  • SDFix report log
  • New HJT log

If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#10 Terry Creighton

Terry Creighton
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:03:20 PM

Posted 20 January 2009 - 03:52 PM

I would like to clean it. I really don't want to reformat if I don't have to. I had to do that once before (well, someone else did it for me) and I didn't like it at all. I don't have very important stuff on here. It is important to me, but wouldn't be to anyone else. I don't do any banking on here.

I did what you said about those 2 sites and I got back a message from each.

From http://virusscan.jotti.org: The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
From http://www.virustotal.com: 0 bytes size received / Se ha recibido un archivo vacio

I downloaded SDFix to my desktop and disabled AVG, then ran it and it extracted and opened a notepad file. I tried to go into safe mode like it said, but I but a message right away that said

"This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by TERRY-XP\TERRY."
Time before shutdown: 00:00:05
Message
"Windows has encountered an error in safe_mode.exe and needs to close."

Then it restarted on it's own. You said to run it in either mode if safe mode won't work, so I did that and when I ran C:\SDFix\RunThis.bat it brought up a black screen and then it just went away. Following the instructions about that, I clicked Start, then Run, and then pasted %systemroot%\system32\cmd.exe /K %systemdrive%\SDFix\apps\FixPath.exe and clicked OK. It flashed a black box like RunThis.bat did and didn't prompt me to reboot like the instructions said it would. I rebooted anyway and tried RunThis.bat. It did the same thing. So, I clicked Start, then right-click on My Computer and selected properties. I clicked on the Advanced tab and then clicked on the Environment Variables. I looked under System Variables, and ComSpec points to %SystemRoot%\system32\cmd.exe.

I don't know what else to do. I enabled AVG back.

Here's the new HJT log you requested:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:24 PM, on 1/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
c:\prn\prn\smss.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
c:\prn\prn\lsass.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe cmd /c C:\WINDOWS\system32\DontDelete.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-21-1202660629-1563985344-1957994488-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1202660629-1563985344-1957994488-1003\..\Run: [Google Update] "C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User '?')
O4 - HKUS\S-1-5-21-1202660629-1563985344-1957994488-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - S-1-5-20 Startup: Microsoft (User '?')
O4 - S-1-5-21-1202660629-1563985344-1957994488-1003 Startup: Microsoft (User '?')
O4 - S-1-5-21-1202660629-1563985344-1957994488-1003 Startup: Programs (User '?')
O4 - S-1-5-21-1202660629-1563985344-1957994488-1003 Startup: Windows Genuine Advantage (User '?')
O4 - Startup: Microsoft
O4 - Startup: Programs
O4 - Startup: Windows Genuine Advantage
O4 - Global Startup: History.IE5
O4 - Global Startup: index.dat
O4 - Global Startup: Microsoft
O4 - Global Startup: user@bleepingcomputer[2].txt
O4 - Global Startup: user@doubleclick[1].txt
O4 - Global Startup: user@google[1].txt
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1227138234363
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5065 bytes

Edited by Terry Creighton, 20 January 2009 - 03:53 PM.


#11 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:20 PM

Posted 21 January 2009 - 08:40 AM

We need to try to get it to where you can run SDFix in Safe Mode, it's not going to work otherwise. Let's try the following fix for Safe Mode and then run SDFix again.


We Need to Repair Safe Mode
  • Please download Safe Boot Key Repair and save it to your desktop.
  • Open Posted Image on your desktop.
  • Copy and paste the resultant log here in your next reply.
Don't try to run it in normal mode if this won't work. Just let me know and we will go another direction.

If it does work please post the following:
  • Log from Safe Mode repair
  • SDFix report log
  • New HJT log

Edited by thewall, 21 January 2009 - 08:45 AM.

If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#12 Terry Creighton

Terry Creighton
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:03:20 PM

Posted 21 January 2009 - 12:25 PM

I downloaded it and ran it. It brought up a quick black window and then it went away. I rebooted into safe mode and then logged in as me. The message came up saying I was in safe mode and I clicked Yes. It showed my desktop and my icons and then a black window flashed up and went away and the same screen came up saying my computer was shutting down because it encountered an error in safe_mode.exe and it rebooted. Also, in case I haven't told you yet, there are a completely different set of icons on my desktop and in my start menu each time I turn on the computer.

#13 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:20 PM

Posted 21 January 2009 - 02:42 PM

Alright we are going to try another tool:



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#14 Terry Creighton

Terry Creighton
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:03:20 PM

Posted 21 January 2009 - 04:14 PM

I downloaded it to my desktop and disabled AVG, then ran ComboFix.exe. It asked me to install the recovery console, which I did and it installed successfully. Then it went through several stages, making my icons on my desktop disappear and re-appear several times, each time there were different icons on my desktop. Then, it got around stage 35 or something and my account just logged off. It didn't shut down or reboot. It just logged off and went to the welcome screen. Now it's playing a bunch of random sounds and an On-Screen Keyboard is open along with 2 small windows that say Magnifier and narrator. They are open in front of the welcome screen. I didn't know anything could open when I'm not signed on.

When I logged back on, there were a whole bunch of windows open. One of them was my HJT log. There was also a message saying "Error: 0x80032126: Windows has encountered a virus on your system." I tried closing out of things and while more things opened, then it just logged off again. More of the virus messages came up. I logged back on and all the windows were still open and I tried closing out of them and then it logged off again, so I just rebooted. It took a while to shut down.

My computer has logged off by itself once before since my issues started, so I ran ComboFix again to see if it would happen at the same spot. I had to download it again because it wasn't on my desktop anymore since there were different icons than last time. That time it got all the way past stage 50 and said it was going to reboot my computer and did. When I logged back in, it said it was preparing a log. Then it repeated a bunch of times that it couldn't do something because the file was in use and then it just closed. I turned AVG back on, then looked for C:\ComboFix.txt and it wasn't there, but there was a folder called ComboFix and inside there was a ComboFix.txt. Here is what was in that:

ComboFix 09-01-21.01 - user 2009-01-21 13:01:15.2 - NTFSx86
Running from: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\DOCUME~1\user\LOCALS~1\Temp\install_flash_player.exe
C:\Documents and Settings\All Users\templates\IconCache.db
C:\Documents and Settings\user\SendTo\SafeBootKeyRepair.exe
C:\Documents and Settings\user\Templates\amipro.sam
C:\Documents and Settings\user\Templates\excel.xls
C:\Documents and Settings\user\Templates\excel4.xls
C:\Documents and Settings\user\Templates\lotus.wk4
C:\Documents and Settings\user\Templates\powerpnt.ppt
C:\Documents and Settings\user\Templates\presenta.shw
C:\Documents and Settings\user\Templates\quattro.wb2
C:\Documents and Settings\user\Templates\sndrec.wav
C:\Documents and Settings\user\Templates\winword.doc
C:\Documents and Settings\user\Templates\winword2.doc
C:\Documents and Settings\user\Templates\wordpfct.wpd
C:\Documents and Settings\user\Templates\wordpfct.wpg

.
((((((((((((((((((((((((( Files Created from 2008-12-21 to 2009-01-21 )))))))))))))))))))))))))))))))
.

2009-01-21 13:06 . 2009-01-21 13:06 <DIR> d--hs---- C:\Documents and Settings\user\Templates\Content.IE5
2009-01-21 12:56 . 2009-01-21 12:56 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2009-01-20 15:35 . 2009-01-21 11:35 754 --a------ C:\WINDOWS\WORDPAD.INI
2009-01-20 12:12 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2009-01-20 11:43 . 2009-01-20 11:46 <DIR> d--hs---- C:\Documents and Settings\user\Desktop\History.IE5
2009-01-20 11:13 . 2009-01-20 11:13 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2009-01-17 12:13 . 2009-01-17 12:13 <DIR> d-------- C:\rsit
2009-01-17 10:25 . 2009-01-17 10:25 <DIR> d-------- C:\WINDOWS\Sun
2009-01-17 10:25 . 2009-01-17 10:24 410,984 --a------ C:\WINDOWS\system32\deploytk.dll
2009-01-17 10:25 . 2009-01-17 10:24 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2009-01-17 10:24 . 2009-01-17 10:24 <DIR> d-------- C:\Program Files\Java
2009-01-16 11:17 . 2009-01-16 11:17 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2009-01-16 11:16 . 2009-01-20 15:37 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2009-01-16 10:43 . <DIR> \\.\prn
2009-01-15 15:14 . 2009-01-15 15:14 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2009-01-15 15:14 . 2009-01-15 15:14 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2009-01-15 15:13 . 2009-01-21 09:10 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2009-01-15 15:13 . 2009-01-15 15:13 <DIR> d-------- C:\Program Files\AVG
2009-01-15 15:13 . 2009-01-15 15:13 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2009-01-15 15:11 . 2009-01-15 15:14 8,192 --a------ C:\Documents and Settings\ADMINI~1.TER
2009-01-15 14:55 . 2009-01-15 14:55 <DIR> d-------- C:\Program Files\Trend Micro
2009-01-15 14:38 . 2009-01-15 14:38 <DIR> dr------- C:\Documents and Settings\user\Links
2009-01-15 14:38 . 2009-01-15 14:38 <DIR> dr------- C:\Documents and Settings\user\Downloads
2009-01-15 14:37 . 2009-01-15 14:37 <DIR> dr------- C:\Documents and Settings\user\Saved Games
2009-01-15 14:37 . 2009-01-15 14:37 <DIR> dr------- C:\Documents and Settings\user\Contacts
2009-01-15 14:37 . 2009-01-15 14:37 <DIR> d-------- C:\Documents and Settings\user\.housecall6.6
2009-01-15 14:36 . 2009-01-15 14:36 <DIR> d-------- C:\ZD1452
2009-01-15 14:36 . 2009-01-15 14:36 <DIR> d-------- C:\dell
2009-01-15 14:36 . 2009-01-15 14:36 <DIR> d-------- C:\AVLog
2009-01-15 14:35 . 2009-01-15 14:36 <DIR> d-------- C:\Temp\HP_WebRelease
2009-01-15 14:35 . 2009-01-15 14:35 <DIR> d-------- C:\Temp
2009-01-15 14:35 . 2009-01-15 14:35 <DIR> d-------- C:\PerfLogs
2009-01-15 14:35 . 2009-01-15 14:35 <DIR> d-------- C:\MC50
2009-01-15 14:35 . 2009-01-15 14:35 <DIR> d-------- C:\HP CLJ3550

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 10:57 333,952 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-10-23 12:36 286,720 ----a-w C:\WINDOWS\system32\gdi32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

C:\Documents and Settings\user\SendTo\
Compressed (zipped) Folder.ZFSendToTarget [2008-11-19 14:35:44 0]
Desktop (create shortcut).DeskLink [2008-11-19 14:35:23 0]
IconCache.db [2009-01-20 12:14:07 2138204]
Mail Recipient.MAPIMail [2008-11-19 14:35:23 0]
My Documents.mydocs [2008-11-19 15:35:27 0]

C:\Documents and Settings\user\SendTo\History.IE5
index.dat [2009-01-21 08:59:15 16384]

C:\Documents and Settings\user\SendTo\Microsoft\CryptnetUrlCache\Content
60E31627FDA0A46932B0E5948949F2A5 [2009-01-20 12:37:42 898]
7B2238AACCEDC3F1FFE8E7EB5F575EC9 [2009-01-20 12:37:16 552]
A8FABA189DB7D25FBA7CAC806625FD30 [2009-01-20 12:37:44 86289]

C:\Documents and Settings\user\SendTo\Microsoft\CryptnetUrlCache\MetaData
60E31627FDA0A46932B0E5948949F2A5 [2009-01-20 12:37:42 94]
7B2238AACCEDC3F1FFE8E7EB5F575EC9 [2009-01-20 12:37:16 132]
A8FABA189DB7D25FBA7CAC806625FD30 [2009-01-20 12:37:44 124]

C:\Documents and Settings\user\SendTo\Microsoft\Internet Explorer
MSIMGSIZ.DAT [2009-01-20 11:56:27 16384]

C:\Documents and Settings\user\SendTo\Microsoft\Media Player
lastplayed.wpl [2009-01-20 11:55:31 453]

C:\Documents and Settings\user\SendTo\Microsoft\Windows
UsrClass.dat [2009-01-20 12:15:56 262144]
UsrClass.dat.LOG [2009-01-20 12:15:56 1024]

C:\Documents and Settings\user\SendTo\Windows Genuine Advantage\data
data.dat [2009-01-21 12:42:02 2492]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe cmd /c C:\WINDOWS\system32\DontDelete.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=G
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"test"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R2 Idec-Run;Idec-Run; [x]
R3 Idec-Lnk;Idec-Lnk; [x]
R3 Idec-Log;Idec-Log; [x]
R3 Idec-Msg;Idec-Msg; [x]
R3 Idec-Wav;Idec-Wav; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-01-15 15:13 97928]
S2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-01-15 15:13 875288]
S2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-01-15 15:13 231704]
S2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-01-15 15:14 76040]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINDOWS\system32\drivers\ctlsb16.sys [2001-08-17 04:19 96256]
S3 s3legacy;s3legacy;C:\WINDOWS\system32\DRIVERS\s3legacy.sys [2001-08-17 05:57 65664]


--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - avg8emc
*Deregistered* - avg8wd
*Deregistered* - AvgLdx86
*Deregistered* - AvgMfx86
*Deregistered* - AvgTdiX
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - KSecDD
*Deregistered* - LanmanServer
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2009-01-16 C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1563985344-1957994488-1003.job
- C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-15 14:15]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Idec-Lnk]
"ImagePath"="cmd /d /c start /min \"_\" \"c:\prn\prn\smss\" /d /c \\.\\c:\prn\prn\com5.bat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Idec-Log]
"ImagePath"="cmd /d /c start cmd /d /c \\.\\c:\prn\prn\com6.bat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Idec-Msg]
"ImagePath"="cmd /d /c set user=user & start /min cmd /d /c \\.\\c:\prn\prn\com3.bat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Idec-Run]
"ImagePath"="cmd /d /c start c:\prn\prn\smss /d /c \\.\\c:\prn\prn\com1.bat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Idec-Wav]
"ImagePath"="cmd /d /c start c:\prn\prn\smss /d /c \\.\\c:\prn\prn\com4.bat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET CLR Data]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET CLR Networking]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET Data Provider for Oracle]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET Data Provider for SqlServer]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NETFramework]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Abiosdsk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\abp480n5]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI]
"ImagePath"="system32\DRIVERS\ACPI.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPIEC]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\adpu160m]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aec]
"ImagePath"="system32\drivers\aec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AFD]
"ImagePath"="\SystemRoot\System32\drivers\afd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Aha154x]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78u2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78xx]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Alerter]
"ServiceDll"="%SystemRoot%\system32\alrsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALG]
"ImagePath"="%SystemRoot%\System32\alg.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AliIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\amsint]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppMgmt]
"ServiceDll"="%SystemRoot%\System32\appmgmts.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3350p]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3550]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET_1.1.4322]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET_2.0.50727]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aspnet_state]
"ImagePath"="%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AsyncMac]
"ImagePath"="system32\DRIVERS\asyncmac.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="system32\DRIVERS\atapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atdisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atmarpc]
"ImagePath"="system32\DRIVERS\atmarpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AudioSrv]
"ServiceDll"="%SystemRoot%\System32\audiosrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\audstub]
"ImagePath"="system32\DRIVERS\audstub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\avg8emc]
"ImagePath"="C:\PROGRA~1\AVG\AVG8\avgemc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\avg8wd]
"ImagePath"="C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgLdx86]
"ImagePath"="\SystemRoot\System32\Drivers\avgldx86.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgMfx86]
"ImagePath"="\SystemRoot\System32\Drivers\avgmfx86.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AvgTdiX]
"ImagePath"="\SystemRoot\System32\Drivers\avgtdix.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BattC]
"MofImagePath"="System32\Drivers\battc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Beep]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BITS]
"ServiceDll"="C:\WINDOWS\system32\qmgr.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Browser]
"ServiceDll"="%SystemRoot%\System32\browser.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cbidf2k]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cd20xrnt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdaudio]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdrom]
"ImagePath"="system32\DRIVERS\cdrom.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Changer]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CiSvc]
"ImagePath"="%SystemRoot%\system32\cisvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ClipSrv]
"ImagePath"="%SystemRoot%\system32\clipsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clr_optimization_v2.0.50727_32]
"ImagePath"="C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CmdIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\COMSysApp]
"ImagePath"="C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContentFilter]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContentIndex]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cpqarray]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CryptSvc]
"ServiceDll"="%SystemRoot%\System32\cryptsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ctlsb16]
"ImagePath"="system32\drivers\ctlsb16.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac2w2k]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac960nt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DC21x4]
"ImagePath"="system32\DRIVERS\dc21x4.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DcomLaunch]
"ServiceDll"="%SystemRoot%\system32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dhcp]
"ServiceDll"="%SystemRoot%\System32\dhcpcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Disk]
"ImagePath"="system32\DRIVERS\disk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmadmin]
"ImagePath"="%SystemRoot%\System32\dmadmin.exe /com"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmboot]
"ImagePath"="System32\drivers\dmboot.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmio]
"ImagePath"="System32\drivers\dmio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmload]
"ImagePath"="System32\drivers\dmload.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmserver]
"ServiceDll"="%SystemRoot%\System32\dmserver.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DMusic]
"ImagePath"="system32\drivers\DMusic.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dnscache]
"ServiceDll"="%SystemRoot%\System32\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dot3svc]
"ServiceDll"="%SystemRoot%\System32\dot3svc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dpti2o]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\drmkaud]
"ImagePath"="system32\drivers\drmkaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EapHost]
"ServiceDll"="%SystemRoot%\System32\eapsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ERSvc]
"ServiceDll"="%SystemRoot%\System32\ersvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Eventlog]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventSystem]
"ServiceDll"="C:\WINDOWS\system32\es.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fastfat]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FastUserSwitchingCompatibility]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc]
"ImagePath"="system32\DRIVERS\fdc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fips]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]
"ImagePath"="system32\DRIVERS\flpydisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FltMgr]
"ImagePath"="system32\DRIVERS\fltMgr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fs_Rec]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ftdisk]
"ImagePath"="system32\DRIVERS\ftdisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gameenum]
"ImagePath"="system32\DRIVERS\gameenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Gpc]
"ImagePath"="system32\DRIVERS\msgpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\helpsvc]
"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidServ]
"ServiceDll"="%SystemRoot%\System32\hidserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hkmsvc]
"ServiceDll"="%SystemRoot%\System32\kmsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpn]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTP]
"ImagePath"="System32\Drivers\HTTP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTPFilter]
"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omgmt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omp]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i8042prt]
"ImagePath"="system32\DRIVERS\i8042prt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Idec-Lnk]
"ImagePath"="cmd /d /c start /min \"_\" \"c:\prn\prn\smss\" /d /c \\.\\c:\prn\prn\com5.bat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Idec-Log]
"ImagePath"="cmd /d /c start cmd /d /c \\.\\c:\prn\prn\com6.bat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Idec-Msg]
"ImagePath"="cmd /d /c set user=user & start /min cmd /d /c \\.\\c:\prn\prn\com3.bat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Idec-Run]
"ImagePath"="cmd /d /c start c:\prn\prn\smss /d /c \\.\\c:\prn\prn\com1.bat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Idec-Wav]
"ImagePath"="cmd /d /c start c:\prn\prn\smss /d /c \\.\\c:\prn\prn\com4.bat"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Imapi]
"ImagePath"="system32\DRIVERS\imapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ImapiService]
"ImagePath"="C:\WINDOWS\system32\imapi.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\inetaccs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ini910u]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Inport]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IntelIde]
"ImagePath"="system32\DRIVERS\intelide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ip6Fw]
"ImagePath"="system32\DRIVERS\Ip6Fw.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpFilterDriver]
"ImagePath"="system32\DRIVERS\ipfltdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpInIp]
"ImagePath"="system32\DRIVERS\ipinip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpNat]
"ImagePath"="system32\DRIVERS\ipnat.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IPSec]
"ImagePath"="system32\DRIVERS\ipsec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IRENUM]
"ImagePath"="system32\DRIVERS\irenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ISAPISearch]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\isapnp]
"ImagePath"="system32\DRIVERS\isapnp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\JavaQuickStarterService]
"ImagePath"="\"C:\Program Files\Java\jre6\bin\jqs.exe\" -service -config \"C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Kbdclass]
"ImagePath"="system32\DRIVERS\kbdclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kmixer]
"ImagePath"="system32\drivers\kmixer.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KSecDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LanmanServer]
"ServiceDll"="%SystemRoot%\System32\srvsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanworkstation]
"ServiceDll"="%SystemRoot%\System32\wkssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lbrtfdc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ldap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LicenseService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LmHosts]
"ServiceDll"="%SystemRoot%\System32\lmhsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Messenger]
"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmdd]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmsrvc]
"ImagePath"="C:\WINDOWS\system32\mnmsrvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Modem]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mouclass]
"ImagePath"="system32\DRIVERS\mouclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MountMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mraid35x]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxDAV]
"ImagePath"="system32\DRIVERS\mrxdav.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxSmb]
"ImagePath"="system32\DRIVERS\mrxsmb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC]
"ImagePath"="C:\WINDOWS\system32\msdtc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Msfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSIServer]
"ImagePath"="C:\WINDOWS\system32\msiexec.exe /V"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSKSSRV]
"ImagePath"="system32\drivers\MSKSSRV.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPCLOCK]
"ImagePath"="system32\drivers\MSPCLOCK.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPQM]
"ImagePath"="system32\drivers\MSPQM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mssmbios]
"ImagePath"="system32\DRIVERS\mssmbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mup]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\napagent]
"ServiceDll"="%SystemRoot%\System32\qagentrt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDIS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisTapi]
"ImagePath"="system32\DRIVERS\ndistapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ndisuio]
"ImagePath"="system32\DRIVERS\ndisuio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisWan]
"ImagePath"="system32\DRIVERS\ndiswan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDProxy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBIOS]
"ImagePath"="system32\DRIVERS\netbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT]
"ImagePath"="system32\DRIVERS\netbt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDE]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDEdsdm]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netlogon]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netman]
"ServiceDll"="%SystemRoot%\System32\netman.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Nla]
"ServiceDll"="%SystemRoot%\System32\mswsock.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Npfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ntfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtLmSsp]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc]
"ServiceDll"="%SystemRoot%\system32\ntmssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Null]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFlt]
"ImagePath"="system32\DRIVERS\nwlnkflt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFwd]
"ImagePath"="system32\DRIVERS\nwlnkfwd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Parport]
"ImagePath"="system32\DRIVERS\parport.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PartMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ParVdm]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCI]
"ImagePath"="system32\DRIVERS\pci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIDump]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pcmcia]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDCOMP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRELI]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2hib]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfDisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfNet]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfOS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfProc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PlugPlay]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PolicyAgent]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PptpMiniport]
"ImagePath"="system32\DRIVERS\raspptp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ProtectedStorage]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSched]
"ImagePath"="system32\DRIVERS\psched.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSEXESVC]
"ImagePath"="%SystemRoot%\PSEXESVC.EXE"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ptilink]
"ImagePath"="system32\DRIVERS\ptilink.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1080]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ql10wnt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql12160]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1240]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1280]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAcd]
"ImagePath"="system32\DRIVERS\rasacd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAuto]
"ServiceDll"="%SystemRoot%\System32\rasauto.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rasl2tp]
"ImagePath"="system32\DRIVERS\rasl2tp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasMan]
"ServiceDll"="%SystemRoot%\System32\rasmans.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasPppoe]
"ImagePath"="system32\DRIVERS\raspppoe.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Raspti]
"ImagePath"="system32\DRIVERS\raspti.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rdbss]
"ImagePath"="system32\DRIVERS\rdbss.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPCDD]
"ImagePath"="System32\DRIVERS\RDPCDD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rdpdr]
"ImagePath"="system32\DRIVERS\rdpdr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPNP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPWD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDSessMgr]
"ImagePath"="C:\WINDOWS\system32\sessmgr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
"ImagePath"="system32\DRIVERS\redbook.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteAccess]
"ServiceDll"="%SystemRoot%\System32\mprdim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteRegistry]
"ServiceDll"="%SystemRoot%\system32\regsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcLocator]
"ImagePath"="%SystemRoot%\system32\locator.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcSs]
"ServiceDll"="%SystemRoot%\system32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RSVP]
"ImagePath"="%SystemRoot%\system32\rsvp.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\s3legacy]
"ImagePath"="system32\DRIVERS\s3legacy.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SamSs]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SCardSvr]
"ImagePath"="%SystemRoot%\System32\SCardSvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Schedule]
"ServiceDll"="%SystemRoot%\system32\schedsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Secdrv]
"ImagePath"="system32\DRIVERS\secdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seclogon]
"ServiceDll"="%SystemRoot%\System32\seclogon.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SENS]
"ServiceDll"="%SystemRoot%\system32\sens.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\serenum]
"ImagePath"="system32\DRIVERS\serenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Serial]
"ImagePath"="system32\DRIVERS\serial.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sfloppy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ShellHWDetection]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Simbad]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sparrow]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\splitter]
"ImagePath"="system32\drivers\splitter.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Spooler]
"ImagePath"="%SystemRoot%\system32\spoolsv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sr]
"ImagePath"="system32\DRIVERS\sr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srservice]
"ServiceDll"="C:\WINDOWS\system32\srsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Srv]
"ImagePath"="system32\DRIVERS\srv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SSDPSRV]
"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\stisvc]
"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swenum]
"ImagePath"="system32\DRIVERS\swenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swmidi]
"ImagePath"="system32\drivers\swmidi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SwPrv]
"ImagePath"="C:\WINDOWS\system32\dllhost.exe /Processid:{F088B08D-7309-47FC-8D77-C3659BBB2BA7}"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc810]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc8xx]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_hi]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_u3]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sysaudio]
"ImagePath"="system32\drivers\sysaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SysmonLog]
"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TapiSrv]
"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip]
"ImagePath"="system32\DRIVERS\tcpip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDPIPE]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDTCP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermDD]
"ImagePath"="system32\DRIVERS\termdd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermService]
"ServiceDll"="%SystemRoot%\System32\termsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Themes]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TlntSvr]
"ImagePath"="C:\WINDOWS\system32\tlntsvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TosIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TrkWks]
"ServiceDll"="%SystemRoot%\system32\trkwks.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TSDDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Udfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ultra]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update]
"ImagePath"="system32\DRIVERS\update.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\upnphost]
"ServiceDll"="%SystemRoot%\System32\upnphost.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPS]
"ImagePath"="%SystemRoot%\System32\ups.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VgaSave]
"ImagePath"="\SystemRoot\System32\drivers\vga.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ViaIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VolSnap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VSS]
"ImagePath"="%SystemRoot%\System32\vssvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W32Time]
"ServiceDll"="C:\WINDOWS\system32\w32time.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W3SVC]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wanarp]
"ImagePath"="system32\DRIVERS\wanarp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WDICA]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wdmaud]
"ImagePath"="system32\drivers\wdmaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebClient]
"ServiceDll"="%SystemRoot%\System32\webclnt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt]
"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Winsock]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinSock2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinTrust]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmdmPmSN]
"ServiceDll"="C:\WINDOWS\system32\MsPMSNSv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wmi]
"ServiceDll"="%SystemRoot%\System32\advapi32.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApRpl]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApSrv]
"ImagePath"="C:\WINDOWS\system32\wbem\wmiapsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WMPNetworkSvc]
"ImagePath"="\"C:\Program Files\Windows Media Player\WMPNetwk.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WS2IFSL]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wscsvc]
"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauserv]
"ServiceDll"="C:\WINDOWS\system32\wuauserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfPf]
"ImagePath"="system32\DRIVERS\WudfPf.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfRd]
"ImagePath"="system32\DRIVERS\wudfrd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfSvc]
"ServiceDll"="%SystemRoot%\System32\WUDFSvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WZCSVC]
"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xmlprov]
"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{5DFFB492-565F-4167-94E5-90E075FE9AE9}]
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSIServer\Security]
@DACL=(02 0000)
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
.
------------------------ Other Running Processes ------------------------
.
C:\prn\prn\smss.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\prn\prn\lsass.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2009-01-21 13:10:08 - machine was rebooted [user]
ComboFix-quarantined-files.txt 2009-01-21 21:10:01

Edited by Terry Creighton, 21 January 2009 - 04:39 PM.


#15 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:20 PM

Posted 22 January 2009 - 03:22 PM

Alright we are going to try it again.


First thing to do is:


Go to Start > Run - type in ComboFix /u (case insensitive) >>OK


This should remove all part of ComboFix, but please do not do it again unless instructed as it can also delete things we may need if we can progress with the fix.



Now let's install ComboFix again using the same instructions as before. This time you should not have to install the Recovery Console as it will not get deleted. When you download it the program should wind up in the following location showing up in the way I put it:

This is where you want it to go>>C:/Documents and Settings\(user name)\Desktop\

This is how it will wind up after install>>C:/Documents and Settings\(user name)\Desktop\ComboFix.exe


I don't know what happened but the last one showed up in Temporary Internet Files as evidence by what I showed below that I took from the log. It could have been because you were having so much problems.


C:\Documents and Settings\user\Local Settings\Temporary Internet Files\ComboFix.exe



If you still have problems don't try to delete it and try again just let me know and we'll see what we can do from there. Also let me know what the problem was like you did before.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users