Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumundo, smitfraud, and other adware


  • This topic is locked This topic is locked
12 replies to this topic

#1 mistermoo32

mistermoo32

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:59 PM

Posted 19 May 2009 - 04:05 AM

hey, im new here so im sorry if i break any rules, i am not completely new to the removal of viruses but this one has me stumped, im using malwarebytes and spybot, ive tried running the smitfraudfix and vundofix to no avail, and anything the scanners remove seems to re appear on system reboot as speicifed by the scanners, symptoms im experiencing are brower redirects, which i have a readily available screenshot of though sometimes its not a search im directed to, its some airsoft gun site or other random things, even yellowpages.com once though it may have been a fake version of it, also, here are my logs, any help would be greeeatly appreciated!





DDS (Ver_09-05-14.01) - NTFSx86
Run by Robby at 0:09:10.73 on Tue 05/19/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1486 [GMT -8:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\CachemanXP\CachemanXP.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
\\?\globalroot\systemroot\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Robby\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} -
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {c2ba40a1-74f3-42bd-f434-12345a2c8953} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [autochk] rundll32.exe c:\docume~1\robby\protect.dll,_IWMPEvents@16
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
dRun: [SYS32DLL] SYS32DLL
dRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,_IWMPEvents@16
StartupFolder: c:\documents and settings\robby\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\robby\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08b0e5c0-4fcb-11cf-aaa5-00401c608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236572710093
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {cafeefac-0016-0000-0007-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LMIinit - LMIinit.dll
Notify: __c008b1c4 - c:\windows\system32\__c008B1C4.dat
LSA: Notification Packages = scecli c:\windows\system32\yodejetu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robby\applic~1\mozilla\firefox\profiles\3nz327w5.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4E7FF8BB-0A5A-4AA3-B764-B39BA9A13E38", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CIDB24F189F-FB14-4EFD-8B9D-217EC6C84EA1", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID86ED3659-02F6-465D-8F19-A9334614CCC3", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID5D7F48C0-CB49-4ea6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CIDA43C6FC7-09F6-4E04-B8E3-683F3BDFEF7C", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4C8D6404-A9F6-4236-8488-6C5732CB3BFA", "AllAccess");
============= SERVICES / DRIVERS ===============

R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-9 130936]
R2 CachemanXPService;CachemanXP;c:\progra~1\cachemanxp\CachemanXP.exe [2009-4-28 355840]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2008-4-28 38144]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-1-16 24652]
S0 rqez;rqez; [x]
S3 FETND6V;VIA Rhine Family Fast Ethernet Adapter Driver;c:\windows\system32\drivers\fetnd6v.sys [2008-9-22 43520]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2008-4-28 209152]
S3 sdauxservice;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-5-9 348752]
S3 sdcoreservice;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-5-9 1095560]
S3 Video3D;ASUS Video3D Service; [x]
S4 npggsvc;nProtect GameGuard Service; [x]
S4 Uniblue DiskRescue;Uniblue DiskRescue;c:\program files\uniblue\diskrescue\UBDiskRescueSrv.exe [2008-9-10 229648]

=============== Created Last 30 ================

2009-05-18 23:21 28,672 a------- c:\windows\system32\lmn_setup.exe
2009-05-18 23:09 55 a------- C:\xcrashdump.dat
2009-05-18 18:02 439 a------- c:\windows\system32\win32hlp.cnf
2009-05-18 18:00 23,552 a--sh--- c:\documents and settings\robby\protect.dll
2009-05-18 16:37 23,552 a--sh--- c:\windows\system32\autochk.dll
2009-05-18 16:22 28,160 a------- c:\windows\system32\__c008B1C4.dat
2009-05-18 16:22 37,376 a------- c:\windows\system32\glsetup.exe
2009-05-15 04:00 13,824 a------- c:\windows\system32\SYS32DLL.exe
2009-05-15 03:59 190 a------- C:\43214354.bat
2009-05-12 03:00 1,156 a------- c:\windows\system32\tmp.reg
2009-05-12 01:11 1,247 a------- c:\windows\wininit.ini
2009-05-11 23:27 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-11 23:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-09 09:41 244 a---h--- C:\sqmnoopt19.sqm
2009-05-09 09:41 232 a---h--- C:\sqmdata19.sqm
2009-05-09 09:39 244 a---h--- C:\sqmnoopt18.sqm
2009-05-09 09:39 232 a---h--- C:\sqmdata18.sqm
2009-05-09 09:36 244 a---h--- C:\sqmnoopt17.sqm
2009-05-09 09:36 232 a---h--- C:\sqmdata17.sqm
2009-05-09 09:35 244 a---h--- C:\sqmnoopt16.sqm
2009-05-09 09:35 232 a---h--- C:\sqmdata16.sqm
2009-05-09 09:33 244 a---h--- C:\sqmnoopt15.sqm
2009-05-09 09:33 232 a---h--- C:\sqmdata15.sqm
2009-05-09 09:32 244 a---h--- C:\sqmnoopt14.sqm
2009-05-09 09:32 232 a---h--- C:\sqmdata14.sqm
2009-05-09 09:30 244 a---h--- C:\sqmnoopt13.sqm
2009-05-09 09:30 232 a---h--- C:\sqmdata13.sqm
2009-05-09 09:29 244 a---h--- C:\sqmnoopt12.sqm
2009-05-09 09:29 232 a---h--- C:\sqmdata12.sqm
2009-05-09 09:28 244 a---h--- C:\sqmnoopt11.sqm
2009-05-09 09:28 232 a---h--- C:\sqmdata11.sqm
2009-05-09 09:26 244 a---h--- C:\sqmnoopt10.sqm
2009-05-09 09:26 232 a---h--- C:\sqmdata10.sqm
2009-05-09 09:22 244 a---h--- C:\sqmnoopt09.sqm
2009-05-09 09:22 232 a---h--- C:\sqmdata09.sqm
2009-05-09 09:21 244 a---h--- C:\sqmnoopt08.sqm
2009-05-09 09:21 232 a---h--- C:\sqmdata08.sqm
2009-05-09 09:19 244 a---h--- C:\sqmnoopt07.sqm
2009-05-09 09:19 232 a---h--- C:\sqmdata07.sqm
2009-05-09 09:19 244 a---h--- C:\sqmnoopt06.sqm
2009-05-09 09:19 232 a---h--- C:\sqmdata06.sqm
2009-05-09 09:16 244 a---h--- C:\sqmnoopt05.sqm
2009-05-09 09:16 232 a---h--- C:\sqmdata05.sqm
2009-05-09 09:13 244 a---h--- C:\sqmnoopt04.sqm
2009-05-09 09:13 232 a---h--- C:\sqmdata04.sqm
2009-05-09 09:10 244 a---h--- C:\sqmnoopt03.sqm
2009-05-09 09:10 232 a---h--- C:\sqmdata03.sqm
2009-05-09 09:07 244 a---h--- C:\sqmnoopt02.sqm
2009-05-09 09:07 232 a---h--- C:\sqmdata02.sqm
2009-05-09 09:05 244 a---h--- C:\sqmnoopt01.sqm
2009-05-09 09:05 232 a---h--- C:\sqmdata01.sqm
2009-05-09 09:02 244 a---h--- C:\sqmnoopt00.sqm
2009-05-09 09:02 232 a---h--- C:\sqmdata00.sqm
2009-05-09 03:31 <DIR> --d----- C:\temp
2009-05-09 01:39 <DIR> --d----- c:\program files\WinClamAVShield
2009-05-09 01:28 142,592 a------- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-05-09 01:28 <DIR> --d----- c:\docume~1\robby\applic~1\Spyware Terminator
2009-05-09 01:28 <DIR> --d----- c:\program files\Spyware Terminator
2009-05-09 01:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spyware Terminator
2009-05-09 01:04 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-05-09 01:03 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-05-09 01:03 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-09 01:03 <DIR> --d----- c:\program files\common files\PC Tools
2009-05-09 01:03 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-05-09 01:03 <DIR> --d----- c:\program files\Spyware Doctor
2009-05-09 01:03 <DIR> --d----- c:\docume~1\robby\applic~1\PC Tools
2009-05-09 01:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-05-08 23:55 <DIR> --d----- C:\VundoFix Backups
2009-05-04 01:58 61,440 a------- c:\windows\system32\drivers\xrrova.sys
2009-04-29 20:24 100,860 a------- c:\windows\system32\drivers\e3946957.sys
2009-04-29 20:24 182,912 ac------ c:\windows\system32\dllcache\ndis.sys
2009-04-29 20:23 577,024 ac------ c:\windows\system32\dllcache\user32.dll
2009-04-28 16:10 <DIR> --d----- c:\program files\Ventrilo
2009-04-28 16:10 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-28 00:29 <DIR> --d----- c:\program files\CachemanXP
2009-04-27 22:01 104,960 ac------ c:\windows\system32\dllcache\userinit.exe
2009-04-27 20:39 <DIR> --d----- c:\program files\Audacity
2009-04-21 13:39 65,536 a------- c:\windows\system32\camcodec.dll
2009-04-21 13:39 1,461 a------- c:\windows\system32\drivers\camcodec.inf
2009-04-21 13:38 <DIR> --d----- c:\program files\CamStudio

==================== Find3M ====================

2009-04-30 01:36 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-04-29 20:24 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-04-29 20:23 577,024 a------- c:\windows\system32\user32.DLL
2009-04-27 22:00 104,960 a------- c:\windows\system32\userinit.exe
2009-04-23 04:28 51,712 a--sh--- c:\windows\system32\nawewuti.exe
2009-04-12 19:24 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-29 12:38 21,840 a------- c:\windows\system32\SIntfNT.dll
2009-03-29 12:38 17,212 a------- c:\windows\system32\SIntf32.dll
2009-03-29 12:38 12,067 a------- c:\windows\system32\SIntf16.dll
2009-03-21 16:44 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2009-03-21 16:44 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

============= FINISH: 0:09:39.06 ===============



Malwarebytes' Anti-Malware 1.36
Database version: 2072
Windows 5.1.2600 Service Pack 2

5/19/2009 1:18:10 AM
mbam-log-2009-05-19 (01-18-04).txt

Scan type: Full Scan (C:\|D:\|E:\|G:\|)
Objects scanned: 130946
Time elapsed: 15 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 1
Registry Values Infected: 14
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\__c008B1C4.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\autochk.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\Temp\msb.dll (Trojan.FakeAlert) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c008b1c4 (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb5147 (Trojan.TDSS) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd1998 (Trojan.TDSS) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga2073 (Trojan.TDSS) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc6826 (Trojan.TDSS) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb8458 (Trojan.TDSS) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd1371 (Trojan.TDSS) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga1722 (Trojan.TDSS) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc9271 (Trojan.TDSS) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb8395 (Trojan.TDSS) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd438 (Trojan.TDSS) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga5334 (Trojan.TDSS) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc9958 (Trojan.TDSS) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ovfsthewqskofnvympytpkcsmqsnrocboyelyx.dll_old (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\ovfsthrxtlrymtfsbuxcfspjitcwkmcayowaje.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\ovfsthvkcjdwqbonblhvmnbghlejoxkmtrffgh.dll_old (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\autochk.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Robby\protect.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Robby\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\__c008B1C4.dat (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Robby\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Robby\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\msb.dll (Trojan.FakeAlert) -> No action taken.



--- Search result list ---
Virtumonde.sdn: [SBI $147E178B] Autorun settings (autochk) (Registry value, nothing done)
HKEY_USERS\.default\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk

Virtumonde.sdn: [SBI $147E178B] Autorun settings (autochk) (Registry value, nothing done)
HKEY_USERS\s-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk

Virtumonde.sdn: [SBI $B1A14C09] Library (File, nothing done)
C:\Documents and Settings\Robby\protect.dll
Properties.size=23552
Properties.md5=6E0A1BCAD8D2BA341E22081C84FA1ABA
Properties.filedate=1242724695
Properties.filedatetext=2009-05-19 01:18:14

Win32.TDSS.rtk: [SBI $05E456BF] File (File, nothing done)
C:\WINDOWS\system32\ovfsthrxtlrymtfsbuxcfspjitcwkmcayowaje.dll
Properties.size=0
Properties.md5=42CB8125BAB8199B232ED96570927173

Win32.TDSS.rtk: [SBI $DB1744B9] File (File, nothing done)
C:\WINDOWS\system32\drivers\ovfsthmbklrnibrrqrdlsxdmtibveyddpgtrpp.sys
Properties.size=0
Properties.md5=653FA464ED4A41C2F4A7F38ACF9DFDEF


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-05-11 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-03-25 Includes\Adware.sbi (*)
2009-05-05 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-03-31 Includes\Dialer.sbi (*)
2009-05-05 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-04-21 Includes\Hijackers.sbi (*)
2009-05-05 Includes\HijackersC.sbi (*)
2009-05-05 Includes\Keyloggers.sbi (*)
2009-05-05 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-05-05 Includes\Malware.sbi (*)
2009-05-05 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-05-05 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-05-05 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-05-05 Includes\SpywareC.sbi (*)
2009-04-07 Includes\Tracks.uti
2009-04-28 Includes\Trojans.sbi (*)
2009-05-05 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 2 (5.1.2600)
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB898461)


--- Startup entries list ---
Located: HK_LM:Run, autochk
command: rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
file: C:\WINDOWS\system32\autochk.dll
size: 23552
MD5: 6E0A1BCAD8D2BA341E22081C84FA1ABA

Located: HK_LM:RunOnce, Malwarebytes Anti-Malware (reboot)
command: "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
file: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
size: 1277584
MD5: ED6262C9951D00CA106A301F80AAB8B1

Located: HK_CU:Run, autochk
where: .default...
command: rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16
file: C:\DOCUME~1\LOCALS~1\protect.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, msnmsgr
where: .default...
command: "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
file: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
size: 5724184
MD5: A8972A2F9A744DD5EE0BFE429D767F1C

Located: HK_CU:Run, MySpaceIM
where: .default...
command: C:\Program Files\MySpace\IM\MySpaceIM.exe
file: C:\Program Files\MySpace\IM\MySpaceIM.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, SYS32DLL
where: .default...
command: SYS32DLL
file: C:\WINDOWS\system32\SYS32DLL.exe
size: 13824
MD5: 49313ED7D0F9B30EA182636F3DA12A52

Located: HK_CU:Run, autochk
where: s-1-5-21-1177238915-1770027372-725345543-1007...
command: rundll32.exe C:\DOCUME~1\Robby\protect.dll,_IWMPEvents@16
file: C:\DOCUME~1\Robby\protect.dll
size: 23552
MD5: 6E0A1BCAD8D2BA341E22081C84FA1ABA

Located: HK_CU:Run, SpybotSD TeaTimer
where: s-1-5-21-1177238915-1770027372-725345543-1007...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2260480
MD5: 390679F7A217A5E73D756276C40AE887

Located: HK_CU:Run, autochk
where: s-1-5-18...
command: rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16
file: C:\DOCUME~1\LOCALS~1\protect.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, msnmsgr
where: s-1-5-18...
command: "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
file: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
size: 5724184
MD5: A8972A2F9A744DD5EE0BFE429D767F1C

Located: HK_CU:Run, MySpaceIM
where: s-1-5-18...
command: C:\Program Files\MySpace\IM\MySpaceIM.exe
file: C:\Program Files\MySpace\IM\MySpaceIM.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, SYS32DLL
where: s-1-5-18...
command: SYS32DLL
file: C:\WINDOWS\system32\SYS32DLL.exe
size: 13824
MD5: 49313ED7D0F9B30EA182636F3DA12A52

Located: Startup (user), ChkDisk.lnk
where: C:\Documents and Settings\Robby\Start Menu\Programs\Startup...
command: C:\WINDOWS\system32\rundll32.exe
file: C:\WINDOWS\system32\rundll32.exe
size: 33280
MD5: DA285490BBD8A1D0CE6623577D5BA1FF

Located: Startup (disabled), Microsoft Office (DISABLED)
command: C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l
file: C:\PROGRA~1\MICROS~2\Office10\OSA.EXE
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: Startup (disabled), REALTEK USB Wireless LAN Utility (DISABLED)
command: C:\PROGRA~1\REALTE~1\RtWLan.exe /H
file: C:\PROGRA~1\REALTE~1\RtWLan.exe
size: 786432
MD5: DD25DD032B39A4BAFE84BDF0665C658F

Located: Startup (disabled), TrayMin200.exe (DISABLED)
command: C:\PROGRA~1\Philips\SPC200~1\TRAYMI~1.EXE
file: C:\PROGRA~1\Philips\SPC200~1\TRAYMI~1.EXE
size: 278528
MD5: 6481B92378C9DCF486B9CAE7C06715E1

Located: Startup (disabled), ChkDisk (DISABLED)
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: Startup (disabled), ChkDisk (DISABLED)
command: C:\WINDOWS\system32\rundll32.exe C:\DOCUME~1\Robby\STARTM~1\Programs\Startup\ChkDisk.dll,_IWMPEvents@16
file: C:\WINDOWS\system32\rundll32.exe
size: 33280
MD5: DA285490BBD8A1D0CE6623577D5BA1FF

Located: WinLogon, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, LMIinit
command: LMIinit.dll
file: LMIinit.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, __c008b1c4
command: C:\WINDOWS\system32\__c008B1C4.dat
file: C:\WINDOWS\system32\__c008B1C4.dat
size: 28160
MD5: 6404BB465099C417A56EA2A3D765C71E



--- Browser helper object list ---
{02478D38-C3F9-4efb-9B51-7695ECA05670} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
description: Yahoo Companion!
classification: Legitimate
known filename: Ycomp*_*_*_*.dll
info link: http://companion.yahoo.com/
info source: TonyKlein

{c2ba40a1-74f3-42bd-f434-12345a2c8953} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:



--- ActiveX list ---
{48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control)
DPF name:
CLSID name: MySpace Uploader Control
Installer: C:\WINDOWS\Downloaded Program Files\MySpaceUploader.inf
Codebase: http://lads.myspace.com/upload/MySpaceUploader1006.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: MySpaceUploader.ocx
Short name: MYSPAC~1.OCX
Date (created): 2/1/2008 3:17:04 AM
Date (last access): 4/12/2009 12:16:16 PM
Date (last write): 2/1/2008 3:17:04 AM
Filesize: 2637440
Attributes: archive
MD5: 2245B3CAE09AF148D983F88F62153628
CRC32: A47295FA
Version: 1.0.0.6

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
Codebase: http://update.microsoft.com/windowsupdate/...b?1236572710093
description:
classification: Legitimate
known filename: wuweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: wuweb.dll
Short name:
Date (created): 1/16/2008 1:27:24 AM
Date (last access): 4/12/2009 12:13:04 PM
Date (last write): 10/16/2008 2:12:24 PM
Filesize: 202776
Attributes: archive
MD5: 0006DE8037F5A562F96B461B3C557C3C
CRC32: 9B107DED
Version: 7.2.6001.788

{67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object)
DPF name:
CLSID name: DivXBrowserPlugin Object
Installer: C:\WINDOWS\Downloaded Program Files\DivXPlugin.inf
Codebase: http://go.divx.com/plugin/DivXBrowserPlugin.cab
description:
classification: Legitimate
known filename: npdivx32.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\DivX\DivX Web Player\
Long name: npdivx32.dll
Short name:
Date (created): 2/24/2009 11:34:14 AM
Date (last access): 4/12/2009 12:04:40 PM
Date (last write): 2/24/2009 11:34:14 AM
Filesize: 1337648
Attributes: archive
MD5: 2135BD9615F6FCAA160E390F88F0956D
CRC32: 657BB13F
Version: 1.4.3.4

{8ad9c840-044e-11d1-b3e9-00805f499d93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name: NPJPI1~1.DLL
Date (created): 6/10/2008 1:32:34 AM
Date (last access): 4/12/2009 12:05:10 PM
Date (last write): 6/10/2008 3:27:02 AM
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.

{cafeefac-0016-0000-0007-abcdeffedcba} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name: NPJPI1~1.DLL
Date (created): 6/10/2008 1:32:34 AM
Date (last access): 4/12/2009 12:05:10 PM
Date (last write): 6/10/2008 3:27:02 AM
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6

{cafeefac-ffff-ffff-ffff-abcdeffedcba} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name: NPJPI1~1.DLL
Date (created): 6/10/2008 1:32:34 AM
Date (last access): 4/12/2009 12:05:10 PM
Date (last write): 6/10/2008 3:27:02 AM
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://download.macromedia.com/pub/shockwa...ash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\Macromed\Flash\
Long name: Flash10b.ocx
Short name:
Date (created): 2/2/2009 6:07:18 PM
Date (last access): 4/12/2009 11:58:00 AM
Date (last write): 2/2/2009 6:07:18 PM
Filesize: 3866528
Attributes: readonly archive
MD5: 8AFC17155ED5AB60B7C52D7F553D579C
CRC32: 0FBC13F3
Version: 10.0.22.87



--- Process list ---
PID: 0 ( 0) [System]
PID: 628 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 676 ( 628) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 708 ( 628) \??\C:\WINDOWS\system32\winlogon.exe
size: 502272
PID: 752 ( 708) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 768 ( 708) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 924 ( 752) C:\WINDOWS\system32\Ati2evxx.exe
size: 585728
MD5: FCE2918D8DC01E02BCCB64F06FE91D45
PID: 936 ( 752) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1032 ( 752) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1124 ( 752) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1252 ( 708) C:\WINDOWS\system32\Ati2evxx.exe
size: 585728
MD5: FCE2918D8DC01E02BCCB64F06FE91D45
PID: 1296 ( 752) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1584 ( 752) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: 7435B108B935E42EA92CA94F59C8E717
PID: 1880 (1836) C:\WINDOWS\Explorer.EXE
size: 1032192
MD5: A0732187050030AE399B241436565E64
PID: 2016 ( 752) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 140 ( 752) C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
size: 132424
MD5: A8AA9D47F971570A5162B862B80F87E8
PID: 204 ( 752) C:\WINDOWS\ATKKBService.exe
size: 258048
MD5: ED20773E018D10699929230BD822FD92
PID: 216 ( 752) C:\Program Files\Bonjour\mDNSResponder.exe
size: 238888
MD5: 3F56903E124E820AEECE6D471583C6C1
PID: 252 (1880) C:\WINDOWS\system32\rundll32.exe
size: 33280
MD5: DA285490BBD8A1D0CE6623577D5BA1FF
PID: 264 ( 752) C:\PROGRA~1\CachemanXP\CachemanXP.exe
size: 355840
MD5: A8EA117FFFE18B27704CC5886738D744
PID: 1072 ( 752) C:\Program Files\Viewpoint\Common\ViewpointService.exe
size: 24652
MD5: 5F974FDE801C73952770736BECDE11E7
PID: 1284 (1124) C:\WINDOWS\system32\wscntfy.exe
size: 13824
MD5: 49911DD39E023BB6C45E4E436CFBD297
PID: 468 ( 752) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 2060 (1880) C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
size: 4347120
MD5: BF7F70A930CEFF0124CB70BFB0055E8F
PID: 2100 ( 936) C:\WINDOWS\System32\wbem\wmiprvse.exe
size: 218112
MD5: 075EA6C849AB0FE416A3D6DD65C3CF41
PID: 2328 (1880) C:\Program Files\Windows Live\Messenger\msnmsgr.exe
size: 5724184
MD5: A8972A2F9A744DD5EE0BFE429D767F1C
PID: 2580 ( 752) C:\Program Files\Windows Live\Messenger\usnsvc.exe
size: 98328
MD5: 9D19B042A4FD5C02195071EA2FE0C821
PID: 2760 (2300) \\?\globalroot\systemroot\system32\rundll32.exe
size: 33280
MD5: DA285490BBD8A1D0CE6623577D5BA1FF
PID: 1604 ( 752) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1420 (1880) C:\Program Files\Mozilla Firefox\firefox.exe
size: 307704
MD5: CA2AC84AA6C67F742D9785E553848927
PID: 1732 (1880) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5365592
MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 5/19/2009 2:05:44 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1B7BBF4F-2441-47C4-A67E-46189C6F27C3}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1B7BBF4F-2441-47C4-A67E-46189C6F27C3}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D98EBEDE-5591-4F7A-99C2-57DF5972D978}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D98EBEDE-5591-4F7A-99C2-57DF5972D978}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FAF1563F-E622-45C9-8B17-082B762064F3}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FAF1563F-E622-45C9-8B17-082B762064F3}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DC9503F9-E795-4018-AA3A-EAE53ACD084F}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DC9503F9-E795-4018-AA3A-EAE53ACD084F}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9679DAA1-B151-4DA9-8713-6ECFA9C00482}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9679DAA1-B151-4DA9-8713-6ECFA9C00482}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A812099D-4D9C-49C1-AFB9-6CB9AA7F8C39}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A812099D-4D9C-49C1-AFB9-6CB9AA7F8C39}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 3: mdnsNSP
GUID: {B600E6E9-553B-4A19-8696-335E5C896153}
Filename: C:\Program Files\Bonjour\mdnsNSP.dll
Description: Apple Rendezvous protocol
DB filename: %ProgramFiles%\Rendezvous\bin\mdnsNSP.dll
DB protocol: mdnsNSP



--- Uninstall list ---
(AddressBook)

Adobe AIR 1.0.4990 (Adobe AIR)
install location: C:\
uninstall cmd: C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
publisher: Adobe Systems Inc.

Adobe Flash Player 10 ActiveX 10.0.22.87 (Adobe Flash Player ActiveX)
uninstall cmd: C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
publisher: Adobe Systems Incorporated
help link: http://www.adobe.com/go/flashplayer_support/

Adobe Flash Player 10 Plugin 10.0.12.36 (Adobe Flash Player Plugin)
uninstall cmd: C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
publisher: Adobe Systems Incorporated

Adobe Shockwave Player 11 (Adobe Shockwave Player)
version (major): 11
install location: C:\WINDOWS\system32\Adobe\
uninstall cmd: C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
publisher: Adobe Systems, Inc.
help link: http://www.adobe.com/support/shockwave

AimOne Video Converter 2.03 (AimOne Video Converter_is1)
install location: C:\Program Files\AimOne Video Converter\
publisher: AimOneSoft, Inc.
help link: http://www.aimonesoft.com

ATI - Software Uninstall Utility 6.14.10.1022 (All ATI Software)
install location: C:\Program Files\ATI Technologies\UninstallAll
uninstall cmd: C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe

(AOL Diagnostics_N)

ATI Display Driver 8.552-081028a-070226C-ATI (ATI Display Driver)
uninstall cmd: rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean

Audacity 1.2.6 (Audacity_is1)
install location: C:\Program Files\Audacity\
uninstall cmd: "C:\Program Files\Audacity\unins000.exe"
help link: http://audacity.sourceforge.net

BitLord 1.1 1.1 (BitLord)
uninstall cmd: C:\Program Files\BitLord\uninst.exe
publisher: www.bitlord.com

(Branding)

CachemanXP 1.8.1.2 1.81 (CachemanXP 1.8.1.2)
uninstall cmd: C:\PROGRA~1\CachemanXP\Uninstall\UNWISE.EXE C:\PROGRA~1\CachemanXP\Uninstall\install.log
publisher: Outertech
comments: Improve Windows performance and stability

CamStudio Lossless Codec (camcodec)
uninstall cmd: rundll.exe setupx.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\system32\DRIVERS\camcodec.inf

CamStudio (CamStudio)
uninstall cmd: C:\Program Files\CamStudio\uninstall.exe

(Connection Manager)

(DirectAnimation)

(DirectDrawEx)

(DXM_Runtime)

FINAL FANTASY VIII (FINAL FANTASY VIII)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"c:\documents and settings\robby\desktop\final fantasy viii\Uninst.isu"

(Fontcore)

GoldWave v5.25 (GoldWave v5.25)
uninstall cmd: "C:\Program Files\GoldWave\unstall.exe" "GoldWave v5.25" "C:\Program Files\GoldWave\unstall.log"

ijji - Gunz (Gunz)
uninstall cmd: C:\ijji\ENGLISH\Gunz\Uninstall.exe

HyperCam 2 (HyperCam 2)
uninstall cmd: "C:\Program Files\HyCam2\UnHyCam2.exe"

(ICW)

(IE40)

(IE4Data)

(IE5BAKEX)

(IEData)

(ijjiSetup)

(InstallShield Uninstall Information)

(InstallShield_{90415EA5-3856-4402-B566-53160813421B})

(KB884016)

High Definition Audio Driver Package - KB888111 20040219.000000 (KB888111WXPSP2)
uninstall cmd: "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=KB888111

Windows Genuine Advantage Validation Tool (KB892130) (KB892130)
install date: 20090309
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=892130

(KB893803)

Windows Installer 3.1 (KB893803) 3.1 (KB893803v2)
uninstall cmd: "C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://go.microsoft.com/fwlink/?LinkId=42467

Update for Windows XP (KB898461) 1 (KB898461)
uninstall cmd: "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=898461

K-Lite Codec Pack 4.1.0 (Full) 4.1.0 (KLiteCodecPack_is1)
install date: 20090320
install location: C:\Program Files\K-Lite Codec Pack\
uninstall cmd: "C:\Program Files\K-Lite Codec Pack\unins000.exe"

LADSPA_plugins-win-0.4.15 (LADSPA_plugins-win_is1)
install location: C:\Program Files\Audacity\Plug-Ins\
uninstall cmd: "C:\Program Files\Audacity\Plug-Ins\unins000.exe"
publisher: Audacity Team
help link: http://audacity.sourceforge.net

LimeWire PRO 4.16.6 4.16.6 (LimeWire)
uninstall cmd: "C:\Program Files\LimeWire\uninstall.exe"
publisher: Lime Wire, LLC
help link: http://www.limewire.com/support

Malwarebytes' Anti-Malware (malwarebytes' anti-malware_is1)
install date: 20090503
install location: C:\Program Files\Malwarebytes' Anti-Malware\
uninstall cmd: "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
publisher: Malwarebytes Corporation
help link: http://www.malwarebytes.org

(Microsoft NetShow Player 2.0)

Microsoft .NET Framework Client Profile - PREVIEW 3.5 (Microsoft.Net.Client.3.5)
version (major): 3
version (minor): 5
estimated size: 106477
install date: 20090411
uninstall cmd: C:\AHCache\All Users\Microsoft.Net.Client.3.5\setup.exe /remove "Microsoft.Net.Client.3.5"

(MobileOptionPack)

MobMap 3.20 (MobMap_is1)
install date: 20090415
install location: C:\Program Files\World of Warcraft\Interface\AddOns\MobMapUpdater\
uninstall cmd: "C:\Program Files\World of Warcraft\Interface\AddOns\MobMapUpdater\unins000.exe"
publisher: Slarti on EU-Blackhand
help link: http://www.mobmap.de

Mozilla Firefox (3.0.10) 3.0.10 (en-US) (mozilla firefox (3.0.10))
install location: C:\Program Files\Mozilla Firefox
uninstall cmd: C:\Program Files\Mozilla Firefox\uninstall\helper.exe
publisher: Mozilla
comments: Mozilla Firefox

MP3 Converter Simple MP3 Converter Simple (MP3 Converter Simple)
uninstall cmd: C:\PROGRA~1\MP3CON~1\UNWISE.EXE C:\PROGRA~1\MP3CON~1\INSTALL.LOG
publisher: audio-converter.com
comments: Convert MP3, WAV, OGG
contact: support@audio-converter.com
help link: mp3convert.chm

(MPlayer2)

(MSI30-Beta1)

(MSI30-Beta2)

(MSI30-KB884016)

(MSI30-RC1)

(MSI30-RC2)

(MSI30a-KB884016)

(MSI31-Beta)

(MSI31-RC1)

(NetMeeting)

(OutlookExpress)

(PCHealth)
uninstall cmd: rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

(RealJukebox 1.0)
uninstall cmd: C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0

RealOne Player (RealPlayer 6.0)
uninstall cmd: C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0

(SchedulingAgent)

(Shockwave)

Spyware Doctor 6.0 6.0 (spyware doctor)
install location: C:\Program Files\Spyware Doctor\
uninstall cmd: C:\Program Files\Spyware Doctor\unins000.exe /LOG
publisher: PC Tools
help link: http://www.pctools.com/en/contact/support/...ctor-antivirus/

Spyware Terminator 2.5.6.316 (spyware terminator_is1)
install date: 20090509
install location: C:\Program Files\Spyware Terminator\
uninstall cmd: "C:\Program Files\Spyware Terminator\unins000.exe"
publisher: Crawler Inc.
help link: http://www.crawler.com/faqs.aspx

Source SDK Base 2007 (Steam App 218)
install location: c:\program files\steam\steamapps\hizgrayc\source sdk base 2007
uninstall cmd: "C:\PROGRA~1\Steam\steam.exe" steam://uninstall/218
publisher: Valve
help link: http://support.steampowered.com/

Counter-Strike: Source (Steam App 240)
install location: c:\program files\steam\steamapps\hizgrayc\counter-strike source
uninstall cmd: "C:\PROGRA~1\Steam\steam.exe" steam://uninstall/240
publisher: Valve
help link: http://support.steampowered.com/

Day of Defeat: Source (Steam App 300)
install location: c:\program files\steam\steamapps\hizgrayc\day of defeat source
uninstall cmd: "C:\PROGRA~1\Steam\steam.exe" steam://uninstall/300
publisher: Valve
help link: http://support.steampowered.com/

Half-Life 2: Deathmatch (Steam App 320)
install location: c:\program files\steam\steamapps\hizgrayc\half-life 2 deathmatch
uninstall cmd: "C:\PROGRA~1\Steam\steam.exe" steam://uninstall/320
publisher: Valve
help link: http://support.steampowered.com/

Half-Life 2: Lost Coast (Steam App 340)
install location: c:\program files\steam\steamapps\hizgrayc\half-life 2 lostcoast
uninstall cmd: "C:\PROGRA~1\Steam\steam.exe" steam://uninstall/340
publisher: Valve
help link: http://support.steampowered.com/

Uniblue DiskRescue 2009 (Uniblue DiskRescue 2009)
install location: C:\Program Files\Uniblue\DiskRescue
uninstall cmd: "C:\Documents and Settings\All Users\Application Data\{8A09CD83-59E1-4DB1-AAFC-E25174FC6706}\Uniblue DiskRescue.exe" REMOVE=TRUE MODIFY=FALSE
publisher: Uniblue
comments: All rights reserved
contact: Uniblue
help link: http://www.uniblue.com/

Uniblue DriverScanner 2009 (Uniblue DriverScanner 2009)
install location: C:\Program Files\Uniblue\DriverScanner
uninstall cmd: "C:\Documents and Settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\DriverScanner_Setup.exe" REMOVE=TRUE MODIFY=FALSE
publisher: Uniblue Systems Ltd.
comments: FALSE
contact: FALSE
help link: http://www.uniblue.com/

Uniblue RegistryBooster 2009 (Uniblue RegistryBooster 2009)
install location: C:\Program Files\Uniblue\RegistryBooster
uninstall cmd: "C:\Documents and Settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}\Uniblue RegistryBooster.exe" REMOVE=TRUE MODIFY=FALSE
publisher: Uniblue Systems
comments: All rights reserved
contact: Uniblue Systems
help link: http://www.uniblue.com/

Uniblue SpeedUpMyPC 2009 (Uniblue SpeedUpMyPC 2009)
install location: C:\Program Files\Uniblue\SpeedUpMyPC
uninstall cmd: "C:\Documents and Settings\All Users\Application Data\{D994735B-8DC6-4AEE-B720-704A4EC0402E}\SpeedUpMyPC.exe" REMOVE=TRUE MODIFY=FALSE
publisher: Uniblue Systems Ltd.
comments: All rights reserved
contact: Uniblue Systems Ltd.
help link: http://www.uniblue.com/

Viewpoint Media Player (ViewpointMediaPlayer)
uninstall cmd: C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u

VideoLAN VLC media player 0.8.6d 0.8.6d (VLC media player)
uninstall cmd: C:\Program Files\VideoLAN\VLC\uninstall.exe
publisher: VideoLAN Team

VIA Rhine Family Fast Ethernet Adapter (VN_VUIns_Rhine_VIA)
uninstall cmd: Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA

Warhammer Online - Age of Reckoning (warhammer online - age of reckoning)
uninstall cmd: C:\Program Files\Electronic Arts\Warhammer Online - Age of Reckoning\uninst2.exe
publisher: Electronic Arts

(Wdf01000)

(Wdf01001)

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 (Wdf01005)
install date: 20090322
uninstall cmd: "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
publisher: Microsoft Corporation

Windows Genuine Advantage Validation Tool (KB892130) 1.7.0069.2 (WGA)
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=892130

Windows Imaging Component 3.0.0.0 (WIC)
install date: 20090411
uninstall cmd: "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
publisher: Microsoft Corporation

Windows XP Service Pack 2 20040803.231319 (Windows XP Service Pack)
uninstall cmd: C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=811113

WinRAR archiver (WinRAR archiver)
uninstall cmd: C:\Program Files\WinRAR\uninstall.exe

World of Warcraft (World of Warcraft)
install location: C:\Program Files\World of Warcraft\
install source: C:\Program Files\World of Warcraft\
uninstall cmd: C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
publisher: Blizzard Entertainment

Yahoo! Browser Services (Yahoo! Extras)
uninstall cmd: C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S

Yahoo! Messenger (Yahoo! Messenger)
uninstall cmd: C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
publisher: Yahoo! Inc.

Adobe AIR 1.0.8.4990 ({00203668-8170-44A0-BE44-B632FA4D780F})
version: 16777224
version (major): 1
estimated size: 24847
install date: 20081203
install source: C:\Documents and Settings\Megan\Local Settings\Application Data\nos\Adobe AIR Installer\
uninstall cmd: MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
publisher: Adobe Systems Inc.

ASUS GameLiveShow 1.00.0001 ({04726714-8286-43B8-AFD6-2DF92EC49995})
version: 16777217
version (major): 1
estimated size: 9280
install date: 20080116
install location: C:\Program Files\ASUS\GameLiveShow\
install source: E:\Utility\GameLiveShow\
publisher: ASUSTeK Computer Inc.
contact: Technical Support Department
help link: http://www.asus.com
help telephone: +886-2-2894-3447

Steam™ 1.0.0.0 ({048298C9-A4D3-490B-9FF9-AB023A9238F3})
version: 16777216
version (major): 1
estimated size: 16975
install date: 20080126
install source: E:\
uninstall cmd: MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
publisher: Valve
comments: Steam
help link: http://support.steampowered.com/

Bonjour 1.0.106 ({07287123-B8AC-41CE-8346-3D777245C35B})
version: 16777322
version (major): 1
estimated size: 493
install date: 20090224
install location: C:\Program Files\Bonjour\
install source: C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple\Apple Software Update\
uninstall cmd: MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
publisher: Apple Inc.
contact: AppleCare Support
help link: http://www.apple.com/support/
help telephone: 1-800-275-2273

ATI Control Panel 6.14.10.5155 ({0BEDBD4E-2D34-47B5-9973-57E62B29307C})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"

Uniblue DiskRescue 2009 1.0.0 ({0C35EAE4-A535-46B7-B4BF-68952BD94E68})
version: 16777216
version (major): 1
estimated size: 6766
install date: 20090412
install location: C:\Program Files\Uniblue\DiskRescue
install source: C:\DOCUME~1\Robby\LOCALS~1\Temp\mia1\
uninstall cmd: C:\Documents and Settings\All Users\Application Data\{8A09CD83-59E1-4DB1-AAFC-E25174FC6706}\Uniblue DiskRescue.exe
publisher: Uniblue Systems

Microsoft .NET Framework 3.0 Client Service Pack 2 3.5.30729 ({1185566F-12ED-3EF0-89CC-38866DCE1EEE})
version: 50690057
version (major): 3
version (minor): 5
estimated size: 136492
install date: 20090411
install source: C:\DOCUME~1\Robby\LOCALS~1\Temp\
uninstall cmd: MsiExec.exe /I{1185566F-12ED-3EF0-89CC-38866DCE1EEE}
publisher: Microsoft

ijji Auto Installer 1.00.0000 ({1DCC7418-2089-4BDD-B321-3771956160FC})
version: 16777216
install date: 20090310
install location: C:\Program Files\NHN USA\ijji Auto Installer
install source: C:\Documents and Settings\Robby\Local Settings\Temporary Internet Files\Content.IE5\W1IZKTE3\ijjiAutoInstaller[1].exe
uninstall cmd: "C:\Program Files\InstallShield Installation Information\{1DCC7418-2089-4BDD-B321-3771956160FC}\setup.exe" -runfromtemp -l0x0009 -removeonly
publisher: NHN USA

QuickTime 7.60.92.0 ({216AB108-2AE1-4130-B3D5-20B2C4C80F8F})
version: 121372764
version (major): 7
version (minor): 60
estimated size: 76137
install date: 20090307
install location: C:\Program Files\QuickTime\
install source: C:\DOCUME~1\Robby\LOCALS~1\Temp\IXP846.TMP\
uninstall cmd: MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
publisher: Apple Inc.
contact: AppleCare Support
help link: http://www.apple.com/support/
help telephone: 1-800-275-2273

Uniblue SpeedUpMyPC 2009 4.0 ({23C3F5C0-566B-478B-AAB6-197ADAD0C945})
version: 67108864
version (major): 4
estimated size: 4230
install date: 20090412
install location: C:\Program Files\Uniblue\SpeedUpMyPC
install source: C:\DOCUME~1\Robby\LOCALS~1\Temp\mia1\
uninstall cmd: C:\Documents and Settings\All Users\Application Data\{D994735B-8DC6-4AEE-B720-704A4EC0402E}\SpeedUpMyPC.exe
publisher: Uniblue Systems Ltd.

Philips SPC 200NC PC Camera ({2A2646FB-7BAC-451B-BF90-4889C4429C5E})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A2646FB-7BAC-451B-BF90-4889C4429C5E}\Setup.exe" -l0x9

ASUS Enhanced Display Driver 6.14.10.0116 ({315ACD04-BCEB-478B-9B1D-5431D0E6CB11})
version: 101580810
install location: C:\Program Files\ASUSTeK COMPUTER INC.\ASUS Enhanced Display Driver
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{315ACD04-BCEB-478B-9B1D-5431D0E6CB11}\setup.exe" -l0x9

Java™ 6 Update 7 1.6.0.70 ({3248F0A8-6813-11D6-A77B-00B0D0160070})
version: 17170432
version (major): 1
version (minor): 6
estimated size: 117050
install date: 20080714
install source: http://javadl.sun.com/webapps/download/Get...6/windows-i586/
uninstall cmd: MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
publisher: Sun Microsystems, Inc.
contact: http://java.com
help link: http://java.com
readme: C:\Program Files\Java\jre1.6.0_07\README.txt

WebFldrs XP 9.50.5318 ({350C97B0-3D7C-4EE8-BAA9-00BCB3D54227})
version: 154277062
version (major): 9
version (minor): 50
estimated size: 2444
install date: 20080116
install source: C:\WINDOWS\System32\
publisher: Microsoft Corporation
help link: http://www.microsoft.com/windows

Palm Desktop 4.1.0300 ({4D8314D2-11FE-4397-A7CC-7015CFF50BCE})
version: 67174700
version (major): 4
version (minor): 1
estimated size: 37257
install date: 20080120
install source: E:\Palm Desktop\
uninstall cmd: MsiExec.exe /X{4D8314D2-11FE-4397-A7CC-7015CFF50BCE}
publisher: Palm, Inc.
comments: For troubleshooting help try the Palm Knowledge Finder at www.palm.com/support.
contact: Palm Customer Support
help link: http://www.palm.com/support
help telephone: None
readme: Readme_eng.txt

Windows Live Messenger 8.5.1302.1018 ({508CE775-4BA4-4748-82DF-FE28DA9F03B0})
version: 134546710
version (major): 8
version (minor): 5
estimated size: 32769
install date: 20090308
install source: C:\Program Files\Common Files\WindowsLiveInstaller\MsiSources\
uninstall cmd: MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
publisher: Microsoft Corporation

Apple Software Update 2.1.1.116 ({6956856F-B6B3-4BE0-BA0B-8F495BE32033})
version: 33619969
version (major): 2
version (minor): 1
estimated size: 2208
install date: 20080804
install location: C:\Program Files\Apple Software Update\
install source: C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple\Apple Software Update\
uninstall cmd: MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
publisher: Apple Inc.
contact: AppleCare Support
help link: http://www.apple.com/support/
help telephone: 1-800-275-2273

Microsoft Visual C++ 2005 Redistributable 8.0.56336 ({7299052b-02a4-4627-81f2-1818da5d550d})
version: 134274064
version (major): 8
estimated size: 5330
install date: 20081124
install source: C:\DOCUME~1\Megan\LOCALS~1\Temp\IXP000.TMP\
uninstall cmd: MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
publisher: Microsoft Corporation

VC80CRTRedist - 8.0.50727.762 1.0.0 ({767CC44C-9BBC-438D-BAD3-FD4595DD148B})
version: 16777216
version (major): 1
estimated size: 1641
install date: 20090406
install source: C:\Program Files\Common Files\DivX Shared\
uninstall cmd: MsiExec.exe /I{767CC44C-9BBC-438D-BAD3-FD4595DD148B}
publisher: DivX, Inc
comments: Install VC80 C++ Runtimes
contact: DivX, Inc

Ventrilo Client 3.0.1 ({789289CA-F73A-4A16-A331-54D498CE069F})
version: 50331649
version (major): 3
estimated size: 3760
install date: 20090428
install source: C:\Program Files\Common Files\Wise Installation Wizard\
uninstall cmd: MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
publisher: Flagship Industries, Inc.
help link: http://www.ventrilo.com

Palm VersaMail™ 2.61.1100 ({7B0ADD54-01D9-45E7-964A-B4A334F12034})
version: 37553228
version (major): 2
version (minor): 61
estimated size: 3959
install date: 20080120
install source: C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\_is3\
publisher: Palm, Inc.
comments: Palm VersaMail™ Setup
contact: Customer Support Department
help link: http://www.palm.com/support
help telephone: 1-847-262-7256
readme:

ASUS ATI Driver 2.00.0000 ({90415EA5-3856-4402-B566-53160813421B})
version: 33554432
version (major): 2
install date: 20080116
install location: C:\Program Files\My Company Name\My Product Name\
install source: E:\Driver\
publisher: ASUSTek

Microsoft Application Error Reporting 12.0.6012.5000 ({95120000-00b9-0409-0000-0000000ff1ce})
version: 201332604
version (major): 12
estimated size: 8935
install date: 20090503
install source: C:\Program Files\Microsoft Windows OneCare Live\Staging\
publisher: Microsoft Corporation
help link: http://support.microsoft.com

Brother MFL-Pro Suite 1.00 ({9A912C12-A7DA-44D7-BD57-5CA85E2F33E1})
version: 16777216
install date: 20080301
install location: C:\Program Files\Brother\Brmfl06a
install source: C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\{5C45E142-98C1-433C-AC0B-6842AD4B188B}\{9A912C12-A7DA-44D7-BD57-5CA85E2F33E1}\
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A912C12-A7DA-44D7-BD57-5CA85E2F33E1}\Setup.exe" -l0x9 Brunin03.dll -removeonly
publisher: Brother Industries, Ltd.

Windows Live installer 12.0.1471.1025 ({A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320})
version: 201328063
version (major): 12
estimated size: 3012
install date: 20090308
install source: C:\DOCUME~1\Robby\LOCALS~1\Temp\{22449026-67D7-409A-AABA-D705553DE33D}\
uninstall cmd: MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
publisher: Microsoft Corporation
help link: http://get.live.com

Adobe Reader 9 9.0.0 ({AC76BA86-7AD7-1033-7B44-A90000000001})
version: 150994944
version (major): 9
estimated size: 209362
install date: 20081203
install location: C:\Program Files\Adobe\Reader 9.0\Reader\
install source: C:\Documents and Settings\Megan\Local Settings\Application Data\Adobe\Reader 9.0\Setup Files\READER9\
uninstall cmd: MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
publisher: Adobe Systems Incorporated
comments:
contact: Customer Support
help link: http://www.adobe.com/support/main.html
readme: C:\Program Files\Adobe\Reader 9.0\Readme.htm

Windows Live Sign-in Assistant 4.200.520.1 ({AFA4E5FD-ED70-4D92-99D0-162FD56DC986})
version: 80216584
version (major): 4
version (minor): 200
estimated size: 1333
install date: 20090308
install source: C:\Program Files\Common Files\WindowsLiveInstaller\MsiSources\
uninstall cmd: MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
publisher: Microsoft Corporation

Spybot - Search & Destroy 1.6.2 ({b4092c6d-e886-4cb2-ba68-fe5a88d31de6}_is1)
install date: 20090511
install location: C:\Program Files\Spybot - Search & Destroy\
uninstall cmd: "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
publisher: Safer Networking Limited
help link: http://www.safer-networking.org/index.php?page=support

DivX Web Player 1.4.3 ({B7050CBDB2504B34BC2A9CA0A692CC29})
install location: C:\Program Files\DivX\DivX Web Player
uninstall cmd: C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
publisher: DivX,Inc.

({BB8B979E-E336-47E7-96BC-1031C1B94561})

REALTEK USB Wireless LAN Driver and Utility 3.00 ({BE686891-3C56-4714-AFEF-341A7867BA80})
version: 16777216
install date: 20080428
install location: C:\Program Files\REALTEK USB Wireless LAN Driver and Utility
install source: C:\DOCUME~1\Megan\LOCALS~1\Temp\RarSFX0\
uninstall cmd: C:\Program Files\InstallShield Installation Information\{BE686891-3C56-4714-AFEF-341A7867BA80}\SETUP.EXE -v"ISSCRIPTCMDLINE=\"-d -zREMOVE\"" -l0x0009 -removeonly
publisher: REALTEK Semiconductor Corp.
comments: REALTEK USB Wireless LAN Utility
contact: nicfae@realtek.com.tw
help link: www.realtek.com.tw

Uniblue DriverScanner 2009 2.0.0.1 ({C427E746-4EC9-4E3C-AACB-C6BB1F714D7F})
version: 33554432
version (major): 2
estimated size: 29681
install date: 20090412
install location: C:\Program Files\Uniblue\DriverScanner
install source: C:\DOCUME~1\Robby\LOCALS~1\Temp\mia1\
uninstall cmd: C:\Documents and Settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\DriverScanner_Setup.exe
publisher: Uniblue Systems Ltd.

Microsoft .NET Framework 2.0 Client Service Pack 2 3.5.30729 ({CAAFB8F9-F8D1-3D27-9AAA-6301A4429440})
version: 50690057
version (major): 3
version (minor): 5
estimated size: 131295
install date: 20090411
install source: C:\DOCUME~1\Robby\LOCALS~1\Temp\
uninstall cmd: MsiExec.exe /I{CAAFB8F9-F8D1-3D27-9AAA-6301A4429440}
publisher: Microsoft

Microsoft .NET Framework 3.5 Client Service Pack 1 3.5.30729 ({D617A4DC-C915-3F25-BE43-57E5FD99B441})
version: 50690057
version (major): 3
version (minor): 5
estimated size: 13139
install date: 20090411
install source: C:\DOCUME~1\Robby\LOCALS~1\Temp\
uninstall cmd: MsiExec.exe /I{D617A4DC-C915-3F25-BE43-57E5FD99B441}
publisher: Microsoft

Uniblue RegistryBooster 2009 3.0 ({E63E34A7-E552-412B-9E40-FD6FC5227ABA})
version: 50331648
version (major): 3
estimated size: 10386
install date: 20090412
install location: C:\Program Files\Uniblue\RegistryBooster
install source: C:\DOCUME~1\Robby\LOCALS~1\Temp\mia1\
uninstall cmd: C:\Documents and Settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}\Uniblue RegistryBooster.exe
publisher: Uniblue Systems

Apple Mobile Device Support 2.1.2.7 ({EC4455AB-F155-4CC1-A4C5-88F3777F9886})
version: 33619970
version (major): 2
version (minor): 1
estimated size: 39733
install date: 20090307
install location: C:\Program Files\Common Files\Apple\Mobile Device Support\
install source: C:\DOCUME~1\Robby\LOCALS~1\Temp\IXP846.TMP\
uninstall cmd: MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
publisher: Apple Inc.
contact: AppleCare Support
help link: http://www.apple.com/support/
help telephone: 1-800-275-2273

Realtek High Definition Audio Driver 5.10.0.5497 ({F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC})
version: 36765696
install date: 20080429
install location: C:\Program Files\Realtek\Audio\InstallShield\
install source: C:\Documents and Settings\Christopher\Desktop\setup(2)\
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
publisher: Realtek Semiconductor Corp.

iTunes 8.0.2.20 ({F5C63795-2708-4D15-BF18-5ABBFF7DFFC8})
version: 134217730
version (major): 8
estimated size: 106344
install date: 20090307
install location: C:\Program Files\iTunes\
install source: C:\DOCUME~1\Robby\LOCALS~1\Temp\IXP846.TMP\
uninstall cmd: MsiExec.exe /I{F5C63795-2708-4D15-BF18-5ABBFF7DFFC8}
publisher: Apple Inc.
contact: AppleCare Support
help link: http://www.apple.com/support/
help telephone: 1-800-275-2273

Realtek AC'97 Audio 5.23 ({FB08F381-6533-4108-B7DD-039E11FBC27E})
version: 85393408
install date: 20081111
install location: C:\Program Files\Realtek AC97\
install source: C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\WZSE0.TMP\
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
publisher: Realtek Semiconductor Corp.

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 9.0.21022 ({FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4})
version: 151015966
version (major): 9
estimated size: 6844
install date: 20090411
install source: c:\27f0b30827ea93d6b3b3d642be3f203b\
uninstall cmd: MsiExec.exe /X{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}
publisher: Microsoft Corporation



--- System Services ---
Service (registry key): .NET CLR Data
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): .NET CLR Networking
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): .NET Data Provider for SqlServer
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): .NETFramework
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): Abiosdsk
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 0

Service (registry key): abp480n5
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): acap2000
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): ACPI
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Microsoft ACPI Driver
Image path: System32\DRIVERS\ACPI.sys
Image size: 187776
Image MD5: A10C7534F7223F4A73A948967D00E69B
Control Set: CurrentControlSet
Start: 0
Type: 1
Error Control: 1

Service (registry key): ACPIEC
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): adpu160m
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): aec
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Microsoft Kernel Acoustic Echo Canceller
Image path: system32\drivers\aec.sys
Image size: 142464
Image MD5: 841F385C6CFAF66B58FBD898722BB4F0
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): AegisP
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: AEGIS Protocol (IEEE 802.1x) v3.4.5.0
Description: AEGIS Protocol (IEEE 802.1x) v3.4.5.0
Image path: system32\DRIVERS\AegisP.sys
Image size: 21035
Image MD5: 30BB1BDE595CA65FD5549462080D94E5
Control Set: CurrentControlSet
Start: 2
Type: 1
Error Control: 1

Service (registry key): AFD
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: AFD Networking Support Environment
Description: AFD Networking Support Environment
Image path: \SystemRoot\System32\drivers\afd.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 1

Service (registry key): Aha154x
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): aic78u2
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): aic78xx
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): Alerter
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Alerter
Description: Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: NT AUTHORITY\LocalService
Image path: %SystemRoot%\System32\svchost.exe -k LocalService
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 4
Type: 32
Error Control: 1
Depends On services: LanmanWorkstation

Service (registry key): ALG
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Application Layer Gateway Service
Description: Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall.
Object name: NT AUTHORITY\LocalService
Image path: %SystemRoot%\System32\alg.exe
Image size: 44544
Image MD5: F1958FBF86D5C004CF19A5951A9514B7
Control Set: CurrentControlSet
Start: 3
Type: 16
Error Control: 1

Service (registry key): AliIde
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): amsint
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): Apple Mobile Device
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Apple Mobile Device
Description: Provides the interface to Apple mobile devices.
Object name: LocalSystem
Image path: "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
Image size: 132424
Image MD5: A8AA9D47F971570A5162B862B80F87E8
Control Set: CurrentControlSet
Start: 2
Type: 16
Error Control: 1
Depends On services: Tcpip

Service (registry key): AppMgmt
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Application Management
Description: Provides software installation services such as Assign, Publish, and Remove.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 3
Type: 32
Error Control: 1

Service (registry key): asc
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): asc3350p
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): asc3550
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): asuskbnt
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Enhanced Display Driver Helper Service
Image path: system32\drivers\atkkbnt.sys
Image size: 23040
Image MD5: 3744DBF2C31CF16DF43EAAB0AE943328
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 1

Service (registry key): AsyncMac
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: RAS Asynchronous Media Driver
Description: RAS Asynchronous Media Driver
Image path: System32\DRIVERS\asyncmac.sys
Image size: 14336
Image MD5: 02000ABF34AF4C218C35D257024807D6
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): atapi
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Standard IDE/ESDI Hard Disk Controller
Image path: System32\DRIVERS\atapi.sys
Image size: 95360
Image MD5: CDFE4411A69C224BD1D11B2DA92DAC51
Control Set: CurrentControlSet
Start: 0
Type: 1
Error Control: 1

Service (registry key): Atdisk
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 0

Service (registry key): Ati HotKey Poller
Registry path: \SYSTEM\CurrentControlSet\Services\
Object name: LocalSystem
Image path: %SystemRoot%\system32\Ati2evxx.exe
Image size: 585728
Image MD5: FCE2918D8DC01E02BCCB64F06FE91D45
Control Set: CurrentControlSet
Start: 2
Type: 272
Error Control: 1

Service (registry key): ATI Smart
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: ATI Smart
Object name: LocalSystem
Image path: C:\WINDOWS\system32\ati2sgag.exe
Image size: 593920
Image MD5: 5B867F6D5331D7DF70B70E18586F8D0F
Control Set: CurrentControlSet
Start: 2
Type: 272
Error Control: 1

Service (registry key): ati2mtag
Registry path: \SYSTEM\CurrentControlSet\Services\
Image path: system32\DRIVERS\ati2mtag.sys
Image size: 3341824
Image MD5: 067FCA861588B18399555412A456DE12
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 0

Service (registry key): Atierecord
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): ATKKeyboardService
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: ATK Keyboard Service
Object name: LocalSystem
Image path: C:\WINDOWS\ATKKBService.exe
Image size: 258048
Image MD5: ED20773E018D10699929230BD822FD92
Control Set: CurrentControlSet
Start: 2
Type: 272
Error Control: 1

Service (registry key): Atmarpc
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: ATM ARP Client Protocol
Description: ATM ARP Client Protocol
Image path: System32\DRIVERS\atmarpc.sys
Image size: 59904
Image MD5: EC88DA854AB7D7752EC8BE11A741BB7F
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1
Depends On services: Tcpip

Service (registry key): AudioSrv
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Windows Audio
Description: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1
Depends On services: PlugPlay,RpcSs

Service (registry key): audstub
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Audio Stub Driver
Image path: System32\DRIVERS\audstub.sys
Image size: 3072
Image MD5: D9F724AA26C010A217C97606B160ED68
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): BattC
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): Beep
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 1

Service (registry key): BITS
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Background Intelligent Transfer Service
Description: Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled.
Object name: LocalSystem
Image path: %fystemRoot%\System32\svchost.exe -k netsvcs
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 3
Type: 32
Error Control: 1
Depends On services: Rpcss

Service (registry key): Bonjour Service
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Bonjour Service
Description: Bonjour allows applications like iTunes and Safari to advertise and discover services on the local network. Having Bonjour running enables you to connect to hardware devices like Apple TV and software services like iTunes sharing and AirTunes. If you disable Bonjour, any network service that explicitly depends on it will fail to start.
Object name: LocalSystem
Image path: "C:\Program Files\Bonjour\mDNSResponder.exe"
Image size: 238888
Image MD5: 3F56903E124E820AEECE6D471583C6C1
Control Set: CurrentControlSet
Start: 2
Type: 16
Error Control: 1
Depends On services: Tcpip

Service (registry key): Browser
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Computer Browser
Description: Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1
Depends On services: LanmanWorkstation,LanmanServer

Service (registry key): BrScnUsb
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Brother USB Still Image driver
Image path: system32\DRIVERS\BrScnUsb.sys
Image size: 15295
Image MD5: 92A964547B96D697E5E9ED43B4297F5A
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): CachemanXPService
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: CachemanXP
Description: CachemanXP Tray Icons and Cache Control.
Object name: LocalSystem
Image path: C:\PROGRA~1\CachemanXP\CachemanXP.exe
Image size: 355840
Image MD5: A8EA117FFFE18B27704CC5886738D744
Control Set: CurrentControlSet
Start: 2
Type: 272
Error Control: 1

Service (registry key): cbidf2k
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): CCDECODE
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Closed Caption Decoder
Image path: system32\DRIVERS\CCDECODE.sys
Image size: 17024
Image MD5: 6163ED60B684BAB19D3352AB22FC48B2
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): cd20xrnt
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): Cdaudio
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 0

Service (registry key): Cdfs
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 2
Error Control: 1
Depends On group: "SCSI CDROM Class"

Service (registry key): Cdrom
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: CD-ROM Driver
Image path: System32\DRIVERS\cdrom.sys
Image size: 49536
Image MD5: AF9C19B3100FE010496B1A27181FBF72
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 1
Depends On group: "SCSI miniport"

Service (registry key): Changer
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 0

Service (registry key): cisvc
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Indexing Service
Description: Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.
Object name: LocalSystem
Image path: C:\WINDOWS\System32\cisvc.exe
Image size: 5632
Image MD5: 3192BD04D032A9C4A85A3278C268A13A
Control Set: CurrentControlSet
Start: 3
Type: 32
Error Control: 1
Depends On services: RPCSS

Service (registry key): ClipSrv
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: ClipBook
Description: Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: %SystemRoot%\system32\clipsrv.exe
Image size: 33280
Image MD5: C8DEC22C4137D7A90F8BDF41CA4B82AE
Control Set: CurrentControlSet
Start: 4
Type: 16
Error Control: 1
Depends On services: NetDDE

Service (registry key): clr_optimization_v2.0.50727_32
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: .NET Runtime Optimization Service v2.0.50727_X86
Description: Microsoft .NET Framework NGEN
Object name: LocalSystem
Image path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Image size: 69632
Image MD5: 7FA87325900183197BC9710D1CE4C9FA
Control Set: CurrentControlSet
Start: 3
Type: 16
Error Control: 0

Service (registry key): CmdIde
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): COMSysApp
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: COM+ System Application
Description: Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
Image size: 5120
Image MD5: DD87DB7387B9EB441C5674888A0D840C
Control Set: CurrentControlSet
Start: 3
Type: 16
Error Control: 1
Depends On services: rpcss

Service (registry key): ContentFilter
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): ContentIndex
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): Cpqarray
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): CryptSvc
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Cryptographic Services
Description: Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1
Depends On services: RpcSs

Service (registry key): dac2w2k
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 0

Service (registry key): dac960nt
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): DcomLaunch
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: DCOM Server Process Launcher
Description: Provides launch functionality for DCOM services.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost -k DcomLaunch
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1

Service (registry key): Dhcp
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: DHCP Client
Description: Manages network configuration by registering and updating IP addresses and DNS names.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1
Depends On services: Tcpip,Afd,NetBT

Service (registry key): Disk
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Disk Driver
Image path: System32\DRIVERS\disk.sys
Image size: 36352
Image MD5: 00CA44E4534865F8A3B64F7C0984BFF0
Control Set: CurrentControlSet
Start: 0
Type: 1
Error Control: 1
Depends On group: "SCSI miniport"

Service (registry key): dmadmin
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Logical Disk Manager Administrative Service
Description: Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
Object name: LocalSystem
Image path: %SystemRoot%\System32\dmadmin.exe /com
Image size: 224768
Image MD5: 554C7CB178FE3BD12450B81AD63ADBC3
Control Set: CurrentControlSet
Start: 3
Type: 32
Error Control: 1
Depends On services: RpcSs,PlugPlay,DmServer

Service (registry key): dmboot
Registry path: \SYSTEM\CurrentControlSet\Services\
Image path: System32\drivers\dmboot.sys
Image size: 799744
Image MD5: C0FBB516E06E243F0CF31F597E7EBF7D
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): dmio
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Logical Disk Manager Driver
Image path: System32\drivers\dmio.sys
Image size: 153344
Image MD5: F5E7B358A732D09F4BCF2824B88B9E28
Control Set: CurrentControlSet
Start: 0
Type: 1
Error Control: 1

Service (registry key): dmload
Registry path: \SYSTEM\CurrentControlSet\Services\
Image path: System32\drivers\dmload.sys
Image size: 5888
Image MD5: E9317282A63CA4D188C0DF5E09C6AC5F
Control Set: CurrentControlSet
Start: 0
Type: 1
Error Control: 1

Service (registry key): dmserver
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Logical Disk Manager
Description: Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1
Depends On services: RpcSs,PlugPlay

Service (registry key): DMusic
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Microsoft Kernel DLS Syntheiszer
Image path: system32\drivers\DMusic.sys
Image size: 52864
Image MD5: A6F881284AC1150E37D9AE47FF601267
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): Dnscache
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: DNS Client
Description: Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: NT AUTHORITY\NetworkService
Image path: %SystemRoot%\System32\svchost.exe -k NetworkService
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1
Depends On services: Tcpip

Service (registry key): dpti2o
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): drmkaud
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Microsoft Kernel DRM Audio Descrambler
Image path: system32\drivers\drmkaud.sys
Image size: 2944
Image MD5: 1ED4DBBAE9F5D558DBBA4CC450E3EB2E
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): e3946957
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): EAPPkt
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Realtek EAPPkt Protocol
Description: Realtek EAPPkt Protocol
Image path: system32\DRIVERS\EAPPkt.sys
Image size: 38144
Image MD5: D82414EC520453EFE2EBA936F6A9115A
Control Set: CurrentControlSet
Start: 2
Type: 1
Error Control: 1

Service (registry key): EIO
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: EIO
Image path: \??\C:\WINDOWS\system32\drivers\EIO.sys
Image size: 11264
Image MD5: 10D0CA0AF295F49C365A2EE7BF820315
Control Set: CurrentControlSet
Start: 2
Type: 1
Error Control: 1

Service (registry key): ERSvc
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Error Reporting Service
Description: Allows error reporting for services and applictions running in non-standard environments.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 0
Depends On services: RpcSs

Service (registry key): Eventlog
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Event Log
Description: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
Object name: LocalSystem
Image path: %SystemRoot%\system32\services.exe
Image size: 108032
Image MD5: C6CE6EEC82F187615D1002BB3BB50ED4
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1

Service (registry key): EventSystem
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: COM+ Event System
Description: Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 3
Type: 32
Error Control: 1
Depends On services: RPCSS

Service (registry key): Fastfat
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 2
Error Control: 1

Service (registry key): FastUserSwitchingCompatibility
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Fast User Switching Compatibility
Description: Provides management for applications that require assistance in a multiple user environment.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 3
Type: 32
Error Control: 1
Depends On services: TermService

Service (registry key): Fdc
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Floppy Disk Controller Driver
Image path: System32\DRIVERS\fdc.sys
Image size: 27392
Image MD5: CED2E8396A8838E59D8FD529C680E02C
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): FETND6V
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: VIA Rhine Family Fast Ethernet Adapter Driver
Image path: system32\DRIVERS\fetnd6v.sys
Image size: 43520
Image MD5: 403BEDAD0226653BA8D05AEFC3F04A0C
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): FETNDIS
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver
Image path: system32\DRIVERS\fetnd5.sys
Image size: 27165
Image MD5: E9648254056BCE81A85380C0C3647DC4
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): Fips
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 1

Service (registry key): Flpydisk
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Floppy Disk Driver
Image path: system32\DRIVERS\flpydisk.sys
Image size: 20480
Image MD5: 0DD1DE43115B93F4D85E889D7A86F548
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): FltMgr
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: FltMgr
Description: File System Filter Manager Driver
Image path: system32\drivers\fltmgr.sys
Image size: 124800
Image MD5: 157754F0DF355A9E0A6F54721914F9C6
Control Set: CurrentControlSet
Start: 0
Type: 2
Error Control: 1

Service (registry key): FontCache3.0.0.0
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Windows Presentation Foundation Font Cache 3.0.0.0
Description: Optimizes performance of Windows Presentation Foundation (WPF) applications by caching commonly used font data. WPF applications will start this service if it is not already running. It can be disabled, though doing so will degrade the performance of WPF applications.
Object name: NT AUTHORITY\LocalService
Image path: C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
Image size: 46104
Image MD5: 8BA7C024070F2B7FDD98ED8A4BA41789
Control Set: CurrentControlSet
Start: 3
Type: 16
Error Control: 1

Service (registry key): Fs_Rec
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 1
Type: 8
Error Control: 0

Service (registry key): Ftdisk
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Volume Manager Driver
Image path: System32\DRIVERS\ftdisk.sys
Image size: 125056
Image MD5: 6AC26732762483366C3969C9E4D2259D
Control Set: CurrentControlSet
Start: 0
Type: 1
Error Control: 1

Service (registry key): GEARAspiWDM
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: GEAR ASPI Filter Driver
Image path: System32\Drivers\GEARAspiWDM.sys
Image size: 15464
Image MD5: AB8A6A87D9D7255C3884D5B9541A6E80
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): Gpc
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Generic Packet Classifier
Description: Generic Packet Classifier
Image path: System32\DRIVERS\msgpc.sys
Image size: 35072
Image MD5: C0F1D4A21DE5A415DF8170616703DEBF
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): HDAudBus
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Microsoft UAA Bus Driver for High Definition Audio
Image path: system32\DRIVERS\HDAudBus.sys
Image size: 138752
Image MD5: 3FCC124B6E08EE0E9351F717DD136939
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): helpsvc
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Help and Support
Description: Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1
Depends On services: RPCSS

Service (registry key): HidServ
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: HID Input Service
Description: Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 4
Type: 32
Error Control: 1
Depends On services: RpcSs

Service (registry key): hidusb
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Microsoft HID Class Driver
Image path: System32\DRIVERS\hidusb.sys
Image size: 9600
Image MD5: 1DE6783B918F540149AA69943BDFEBA8
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 0

Service (registry key): hpn
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): hpt3xx
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): HTTP
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: HTTP
Description: This service implements the hypertext transfer protocol (HTTP). If this service is disabled, any services that explicitly depend on it will fail to start.
Image path: System32\Drivers\HTTP.sys
Image size: 263040
Image MD5: C19B522A9AE0BBC3293397F3055E80A1
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): HTTPFilter
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: HTTP SSL
Description: This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k HTTPFilter
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 3
Type: 32
Error Control: 1
Depends On services: HTTP

Service (registry key): i2omgmt
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 1

Service (registry key): i2omp
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): i8042prt
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: i8042 Keyboard and PS/2 Mouse Port Driver
Image path: System32\DRIVERS\i8042prt.sys
Image size: 52736
Image MD5: 5502B58EEF7486EE6F93F3F164DCB808
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 1

Service (registry key): ikfilesec
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): iksysflt
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): Imapi
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: CD-Burning Filter Driver
Image path: system32\DRIVERS\imapi.sys
Image size: 41856
Image MD5: F8AA320C6A0409C0380E5D8A99D76EC6
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 1

Service (registry key): ImapiService
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: IMAPI CD-Burning COM Service
Description: Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: C:\WINDOWS\System32\imapi.exe
Image size: 150016
Image MD5: FA788520BCAC0F5D9D5CDE5615C0D931
Control Set: CurrentControlSet
Start: 3
Type: 16
Error Control: 1

Service (registry key): inetaccs
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): ini910u
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): Inport
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): IntcAzAudAddService
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Service for Realtek HD Audio (WDM)
Image path: system32\drivers\RtkHDAud.sys
Image size: 4615168
Image MD5: C464CF7A58C011A70188602B55C64E99
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): IntelIde
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): intelppm
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Intel Processor Driver
Image path: System32\DRIVERS\intelppm.sys
Image size: 36096
Image MD5: 279FB78702454DFF2BB445F238C048D2
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 1

Service (registry key): ip6fw
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: IPv6 Windows Firewall Driver
Description: Provides intrusion prevention service for a home or small office network.
Image path: system32\drivers\ip6fw.sys
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): IpFilterDriver
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: IP Traffic Filter Driver
Description: IP Traffic Filter Driver
Image path: System32\DRIVERS\ipfltdrv.sys
Image size: 32896
Image MD5: 731F22BA402EE4B62748ADAF6363C182
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1
Depends On services: Tcpip

Service (registry key): IpInIp
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: IP in IP Tunnel Driver
Description: IP in IP Tunnel Driver
Image path: System32\DRIVERS\ipinip.sys
Image size: 20992
Image MD5: E1EC7F5DA720B640CD8FB8424F1B14BB
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1
Depends On services: Tcpip

Service (registry key): IpNat
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: IP Network Address Translator
Description: IP Network Address Translator
Image path: System32\DRIVERS\ipnat.sys
Image size: 134912
Image MD5: B5A8E215AC29D24D60B4D1250EF05ACE
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1
Depends On services: Tcpip

Service (registry key): iPod Service
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: iPod Service
Description: iPod hardware management services
Object name: LocalSystem
Image path: "C:\Program Files\iPod\bin\iPodService.exe"
Image size: 536872
Image MD5: 62937A89470AF8FF172F0980CA8AEFC9
Control Set: CurrentControlSet
Start: 4
Type: 16
Error Control: 1
Depends On services: RpcSs

Service (registry key): IPSec
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: IPSEC driver
Description: IPSEC driver
Image path: System32\DRIVERS\ipsec.sys
Image size: 74752
Image MD5: 64537AA5C003A6AFEEE1DF819062D0D1
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 1

Service (registry key): IRENUM
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: IR Enumerator Service
Image path: System32\DRIVERS\irenum.sys
Image size: 11264
Image MD5: 50708DAA1B1CBB7D6AC1CF8F56A24410
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): ISAPISearch
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): isapnp
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: PnP ISA/EISA Bus Driver
Image path: System32\DRIVERS\isapnp.sys
Image size: 35840
Image MD5: E504F706CCB699C2596E9A3DA1596E87
Control Set: CurrentControlSet
Start: 0
Type: 1
Error Control: 3

Service (registry key): ivmdbj
Registry path: \SYSTEM\CurrentControlSet\Services\
Image path: system32\drivers\twwi.sys
Image size: 61440
Image MD5: 589312A3B46721C5A751E4D5222A89BE
Control Set: CurrentControlSet
Start: 0
Type: 1
Error Control: 1

Service (registry key): Kbdclass
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Keyboard Class Driver
Image path: System32\DRIVERS\kbdclass.sys
Image size: 24576
Image MD5: EBDEE8A2EE5393890A1ACEE971C4C246
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 1

Service (registry key): kbdhid
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Keyboard HID Driver
Image path: System32\DRIVERS\kbdhid.sys
Image size: 14848
Image MD5: E182FA8E49E8EE41B4ADC53093F3C7E6
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 0

Service (registry key): kmixer
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Microsoft Kernel Wave Audio Mixer
Image path: system32\drivers\kmixer.sys
Image size: 171776
Image MD5: D93CAD07C5683DB066B0B2D2D3790EAD
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): KSecDD
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 1
Error Control: 1

Service (registry key): lanmanserver
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Server
Description: Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1

Service (registry key): lanmanworkstation
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Workstation
Description: Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1

Service (registry key): lbrtfdc
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 0

Service (registry key): ldap
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): LicenseService
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): LmHosts
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: TCP/IP NetBIOS Helper
Description: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
Object name: NT AUTHORITY\LocalService
Image path: %SystemRoot%\System32\svchost.exe -k LocalService
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 4
Type: 32
Error Control: 1
Depends On services: NetBT,Afd

Service (registry key): Messenger
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Messenger
Description: Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 4
Type: 32
Error Control: 1
Depends On services: LanmanWorkstation,NetBIOS,PlugPlay,RpcSS

Service (registry key): mnmdd
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 0

Service (registry key): mnmsrvc
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: NetMeeting Remote Desktop Sharing
Description: Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: C:\WINDOWS\System32\mnmsrvc.exe
Image size: 32768
Image MD5: F6415361201915B9FE3896B0E4E724FF
Control Set: CurrentControlSet
Start: 4
Type: 272
Error Control: 1

Service (registry key): Modem
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 0

Service (registry key): Mouclass
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Mouse Class Driver
Image path: System32\DRIVERS\mouclass.sys
Image size: 23040
Image MD5: 34E1F0031153E491910E12551400192C
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 1

Service (registry key): mouhid
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Mouse HID Driver
Image path: System32\DRIVERS\mouhid.sys
Image size: 12160
Image MD5: B1C303E17FB9D46E87A98E4BA6769685
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 0

Service (registry key): MountMgr
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Mount Point Manager
Control Set: CurrentControlSet
Start: 0
Type: 1
Error Control: 1

Service (registry key): mraid35x
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): MRxDAV
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: WebDav Client Redirector
Description: WebDav Client Redirector
Image path: System32\DRIVERS\mrxdav.sys
Image size: 181248
Image MD5: 46EDCC8F2DB2F322C24F48785CB46366
Control Set: CurrentControlSet
Start: 3
Type: 2
Error Control: 1

Service (registry key): MRxSmb
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: MRXSMB
Description: MRXSMB
Image path: System32\DRIVERS\mrxsmb.sys
Image size: 451456
Image MD5: 1FD607FC67F7F7C633C3DA65BFC53D18
Control Set: CurrentControlSet
Start: 1
Type: 2
Error Control: 1

Service (registry key): MSDTC
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Distributed Transaction Coordinator
Description: Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: NT AUTHORITY\NetworkService
Image path: C:\WINDOWS\System32\msdtc.exe
Image size: 6144
Image MD5: C7C3D89EB0A6F3DBA622EA737FA335B1
Control Set: CurrentControlSet
Start: 3
Type: 16
Error Control: 1
Depends On services: RPCSS,SamSS

Service (registry key): Msfs
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 1
Type: 2
Error Control: 1

Service (registry key): MSIServer
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Windows Installer
Description: Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: C:\WINDOWS\system32\msiexec.exe /V
Image size: 78848
Image MD5: F5F0146580E7023ADB963879840777F8
Control Set: CurrentControlSet
Start: 3
Type: 32
Error Control: 1
Depends On services: RpcSs

Service (registry key): MSKSSRV
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Microsoft Streaming Service Proxy
Image path: system32\drivers\MSKSSRV.sys
Image size: 7552
Image MD5: AE431A8DD3C1D0D0610CDBAC16057AD0
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): MSPCLOCK
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Microsoft Streaming Clock Proxy
Image path: system32\drivers\MSPCLOCK.sys
Image size: 5376
Image MD5: 13E75FEF9DFEB08EEDED9D0246E1F448
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): MSPQM
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Microsoft Streaming Quality Manager Proxy
Image path: system32\drivers\MSPQM.sys
Image size: 4992
Image MD5: 1988A33FF19242576C3D0EF9CE785DA7
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): mssmbios
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Microsoft System Management BIOS Driver
Image path: System32\DRIVERS\mssmbios.sys
Image size: 15488
Image MD5: 469541F8BFD2B32659D5D463A6714BCE
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): MSTEE
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Microsoft Streaming Tee/Sink-to-Sink Converter
Image path: system32\drivers\MSTEE.sys
Image size: 5504
Image MD5: BF13612142995096AB084F2DB7F40F77
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): Mup
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Mup
Control Set: CurrentControlSet
Start: 0
Type: 2
Error Control: 1

Service (registry key): NABTSFEC
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: NABTS/FEC VBI Codec
Image path: system32\DRIVERS\NABTSFEC.sys
Image size: 85376
Image MD5: 5C8DC6429C43DC6177C1FA5B76290D1A
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): NDIS
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: NDIS System Driver
Control Set: CurrentControlSet
Start: 0
Type: 1
Error Control: 1

Service (registry key): NdisIP
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Microsoft TV/Video Connection
Image path: system32\DRIVERS\NdisIP.sys
Image size: 10880
Image MD5: 520CE427A8B298F54112857BCF6BDE15
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): NdisTapi
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Remote Access NDIS TAPI Driver
Description: Remote Access NDIS TAPI Driver
Image path: System32\DRIVERS\ndistapi.sys
Image size: 9600
Image MD5: 08D43BBDACDF23F34D79E44ED35C1B4C
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): Ndisuio
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: NDIS Usermode I/O Protocol
Description: NDIS Usermode I/O Protocol
Image path: System32\DRIVERS\ndisuio.sys
Image size: 12928
Image MD5: 34D6CD56409DA9A7ED573E1C90A308BF
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): NdisWan
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Remote Access NDIS WAN Driver
Description: Remote Access NDIS WAN Driver
Image path: System32\DRIVERS\ndiswan.sys
Image size: 91776
Image MD5: 0B90E255A9490166AB368CD55A529893
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): NDProxy
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): NetBIOS
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: NetBIOS Interface
Description: NetBIOS Interface
Image path: System32\DRIVERS\netbios.sys
Image size: 34560
Image MD5: 3A2ACA8FC1D7786902CA434998D7CEB4
Control Set: CurrentControlSet
Start: 1
Type: 2
Error Control: 1

Service (registry key): NetBT
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: NetBios over Tcpip
Description: NetBios over Tcpip
Image path: System32\DRIVERS\netbt.sys
Image size: 162816
Image MD5: 0C80E410CD2F47134407EE7DD19CC86B
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 1
Depends On services: Tcpip

Service (registry key): NetDDE
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Network DDE
Description: Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: %SystemRoot%\system32\netdde.exe
Image size: 111104
Image MD5: 05AFB5AD06462257BEA7495283C86D50
Control Set: CurrentControlSet
Start: 4
Type: 32
Error Control: 1
Depends On services: NetDDEDSDM

Service (registry key): NetDDEdsdm
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Network DDE DSDM
Description: Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: %SystemRoot%\system32\netdde.exe
Image size: 111104
Image MD5: 05AFB5AD06462257BEA7495283C86D50
Control Set: CurrentControlSet
Start: 4
Type: 32
Error Control: 1

Service (registry key): Netlogon
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Net Logon
Description: Supports pass-through authentication of account logon events for computers in a domain.
Object name: LocalSystem
Image path: %SystemRoot%\System32\lsass.exe
Image size: 13312
Image MD5: 84885F9B82F4D55C6146EBF6065D75D2
Control Set: CurrentControlSet
Start: 3
Type: 32
Error Control: 1
Depends On services: LanmanWorkstation

Service (registry key): Netman
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Network Connections
Description: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 3
Type: 288
Error Control: 1
Depends On services: RpcSs

Service (registry key): Nla
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Network Location Awareness (NLA)
Description: Collects and stores network configuration and location information, and notifies applications when this information changes.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 3
Type: 32
Error Control: 1
Depends On services: Tcpip,Afd

Service (registry key): Npfs
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 1
Type: 2
Error Control: 1

Service (registry key): npggsvc
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: nProtect GameGuard Service
Description: nProtect GameGuard Service
Object name: LocalSystem
Control Set: CurrentControlSet
Start: 4
Type: 272
Error Control: 1

Service (registry key): Ntfs
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 2
Error Control: 1

Service (registry key): NtLmSsp
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: NT LM Security Support Provider
Description: Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
Object name: LocalSystem
Image path: %SystemRoot%\System32\lsass.exe
Image size: 13312
Image MD5: 84885F9B82F4D55C6146EBF6065D75D2
Control Set: CurrentControlSet
Start: 3
Type: 32
Error Control: 1

Service (registry key): NtmsSvc
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Removable Storage
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 3
Type: 32
Error Control: 1
Depends On services: RpcSs

Service (registry key): Null
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 1

Service (registry key): nv
Registry path: \SYSTEM\CurrentControlSet\Services\
Image path: system32\DRIVERS\nv4_mini.sys
Image size: 1897408
Image MD5: 2B298519EDBFCF451D43E0F1E8F1006D
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 0

Service (registry key): NwlnkFlt
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: IPX Traffic Filter Driver
Description: IPX Traffic Filter Driver
Image path: System32\DRIVERS\nwlnkflt.sys
Image size: 12416
Image MD5: B305F3FAD35083837EF46A0BBCE2FC57
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1
Depends On services: NwlnkFwd

Service (registry key): NwlnkFwd
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: IPX Traffic Forwarder Driver
Description: IPX Traffic Forwarder Driver
Image path: System32\DRIVERS\nwlnkfwd.sys
Image size: 32512
Image MD5: C99B3415198D1AAB7227F2C88FD664B9
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): Parport
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Parallel port driver
Image path: System32\DRIVERS\parport.sys
Image size: 80128
Image MD5: 29744EB4CE659DFE3B4122DEB45BC478
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): Parport
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Parallel port driver
Image path: System32\DRIVERS\parport.sys
Image size: 80128
Image MD5: 29744EB4CE659DFE3B4122DEB45BC478
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): PartMgr
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Partition Manager
Control Set: CurrentControlSet
Start: 0
Type: 1
Error Control: 1

Service (registry key): ParVdm
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 2
Type: 1
Error Control: 0
Depends On services: Parport
Depends On group: "Parallel arbitrator"

Service (registry key): PCI
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: PCI Bus Driver
Image path: System32\DRIVERS\pci.sys
Image size: 68224
Image MD5: 8086D9979234B603AD5BC2F5D890B234
Control Set: CurrentControlSet
Start: 0
Type: 1
Error Control: 1

Service (registry key): PCIDump
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 0

Service (registry key): PCIIde
Registry path: \SYSTEM\CurrentControlSet\Services\
Image path: System32\DRIVERS\pciide.sys
Image size: 3328
Image MD5: CCF5F451BB1A5A2A522A76E670000FF0
Control Set: CurrentControlSet
Start: 0
Type: 1
Error Control: 1

Service (registry key): Pcmcia
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): pctcore
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: PCTools KDS
Image path: system32\drivers\PCTCore.sys
Image size: 130936
Image MD5: AA9CFA67850893FBB168B9C4E4C86952
Control Set: CurrentControlSet
Start: 0
Type: 2
Error Control: 1
Depends On services: FltMgr

Service (registry key): PDCOMP
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 0

Service (registry key): PDFRAME
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 0

Service (registry key): PDRELI
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 0

Service (registry key): PDRFRAME
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 0

Service (registry key): perc2
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): perc2hib
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): PerfDisk
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): PerfNet
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): PerfOS
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): PerfProc
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): PlugPlay
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Plug and Play
Description: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
Object name: LocalSystem
Image path: %SystemRoot%\system32\services.exe
Image size: 108032
Image MD5: C6CE6EEC82F187615D1002BB3BB50ED4
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1

Service (registry key): PolicyAgent
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: IPSEC Services
Description: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
Object name: LocalSystem
Image path: %SystemRoot%\System32\lsass.exe
Image size: 13312
Image MD5: 84885F9B82F4D55C6146EBF6065D75D2
Control Set: CurrentControlSet
Start: 4
Type: 32
Error Control: 1
Depends On services: RPCSS,Tcpip,IPSec

Service (registry key): PptpMiniport
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: WAN Miniport (PPTP)
Description: WAN Miniport (PPTP)
Image path: System32\DRIVERS\raspptp.sys
Image size: 48384
Image MD5: 1C5CC65AAC0783C344F16353E60B72AC
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): Processor
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Processor Driver
Image path: System32\DRIVERS\processr.sys
Image size: 35328
Image MD5: 0D97D88720A4087EC93AF7DBB303B30A
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 1

Service (registry key): ProtectedStorage
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Protected Storage
Description: Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
Object name: LocalSystem
Image path: %SystemRoot%\system32\lsass.exe
Image size: 13312
Image MD5: 84885F9B82F4D55C6146EBF6065D75D2
Control Set: CurrentControlSet
Start: 2
Type: 288
Error Control: 1
Depends On services: RpcSs

Service (registry key): PSched
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: QoS Packet Scheduler
Description: QoS Packet Scheduler
Image path: System32\DRIVERS\psched.sys
Image size: 69120
Image MD5: 48671F327553DCF1D27F6197F622A668
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1
Depends On services: Gpc

Service (registry key): Ptilink
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Direct Parallel Link Driver
Description: Direct Parallel Link Driver
Image path: System32\DRIVERS\ptilink.sys
Image size: 17792
Image MD5: 80D317BD1C3DBC5D4FE7B1678C60CADD
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): ql1080
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): Ql10wnt
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): ql12160
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): ql1240
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): ql1280
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 4
Type: 1
Error Control: 1

Service (registry key): RasAcd
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Remote Access Auto Connection Driver
Description: Remote Access Auto Connection Driver
Image path: System32\DRIVERS\rasacd.sys
Image size: 8832
Image MD5: FE0D99D6F31E4FAD8159F690D68DED9C
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 1

Service (registry key): RasAuto
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Remote Access Auto Connection Manager
Description: Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 3
Type: 32
Error Control: 1
Depends On services: RasMan,Tapisrv

Service (registry key): Rasl2tp
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: WAN Miniport (L2TP)
Description: WAN Miniport (L2TP)
Image path: System32\DRIVERS\rasl2tp.sys
Image size: 51328
Image MD5: 98FAEB4A4DCF812BA1C6FCA4AA3E115C
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): RasMan
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Remote Access Connection Manager
Description: Creates a network connection.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 3
Type: 32
Error Control: 1
Depends On services: Tapisrv

Service (registry key): RasPppoe
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Remote Access PPPOE Driver
Description: Remote Access PPPOE Driver
Image path: System32\DRIVERS\raspppoe.sys
Image size: 41472
Image MD5: 7306EEED8895454CBED4669BE9F79FAA
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): Raspti
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Direct Parallel
Description: Direct Parallel
Image path: System32\DRIVERS\raspti.sys
Image size: 16512
Image MD5: FDBB1D60066FCFBB7452FD8F9829B242
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): Rdbss
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Rdbss
Description: Rdbss
Image path: System32\DRIVERS\rdbss.sys
Image size: 176512
Image MD5: 29D66245ADBA878FFF574CD66ABD2884
Control Set: CurrentControlSet
Start: 1
Type: 2
Error Control: 1

Service (registry key): RDPCDD
Registry path: \SYSTEM\CurrentControlSet\Services\
Image path: System32\DRIVERS\RDPCDD.sys
Image size: 4224
Image MD5: 4912D5B403614CE99C28420F75353332
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 0

Service (registry key): RDPDD
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): rdpdr
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Terminal Server Device Redirector Driver
Image path: System32\DRIVERS\rdpdr.sys
Image size: 196864
Image MD5: A2CAE2C60BC37E0751EF9DDA7CEAF4AD
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): RDPNP
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): RDPWD
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 0

Service (registry key): RDSessMgr
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Remote Desktop Help Session Manager
Description: Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.
Object name: LocalSystem
Image path: C:\WINDOWS\system32\sessmgr.exe
Image size: 140800
Image MD5: 729798E0933076B8FCFCD9934698F164
Control Set: CurrentControlSet
Start: 4
Type: 16
Error Control: 1
Depends On services: RPCSS

Service (registry key): redbook
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Digital CD Audio Playback Filter Driver
Image path: System32\DRIVERS\redbook.sys
Image size: 57472
Image MD5: B31B4588E4086D8D84ADBF9845C2402B
Control Set: CurrentControlSet
Start: 1
Type: 1
Error Control: 1

Service (registry key): RemoteAccess
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Routing and Remote Access
Description: Offers routing services to businesses in local area and wide area network environments.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 4
Type: 32
Error Control: 1
Depends On services: RpcSS
Depends On group: NetBIOSGroup

Service (registry key): RemoteRegistry
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Remote Registry
Description: Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: NT AUTHORITY\LocalService
Image path: %SystemRoot%\system32\svchost.exe -k LocalService
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 4
Type: 32
Error Control: 1
Depends On services: RPCSS

Service (registry key): RpcLocator
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Remote Procedure Call (RPC) Locator
Description: Manages the RPC name service database.
Object name: NT AUTHORITY\NetworkService
Image path: %SystemRoot%\System32\locator.exe
Image size: 75264
Image MD5: 793F04A09B15E7C6C11DBDFFAF06C0AB
Control Set: CurrentControlSet
Start: 4
Type: 16
Error Control: 1
Depends On services: LanmanWorkstation

Service (registry key): RpcSs
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Remote Procedure Call (RPC)
Description: Provides the endpoint mapper and other miscellaneous RPC services.
Object name: NT Authority\NetworkService
Image path: %SystemRoot%\system32\svchost -k rpcss
Image size: 0
Image MD5: D41D8CD98F00B204E9800998ECF8427E
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1

Service (registry key): rqez
Registry path: \SYSTEM\CurrentControlSet\Services\
Control Set: CurrentControlSet
Start: 0
Type: 1
Error Control: 1

Service (registry key): RSVP
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: QoS RSVP
Description: Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
Object name: LocalSystem
Image path: %SystemRoot%\System32\rsvp.exe
Image size: 132608
Image MD5: 471B3F9741D762ABE75E9DEEA4787E47
Control Set: CurrentControlSet
Start: 3
Type: 16
Error Control: 1
Depends On services: TcpIp,Afd,RpcSs

Service (registry key): RTL8187B
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter
Image path: system32\DRIVERS\RTL8187B.sys
Image size: 209152
Image MD5: 1C5CCCC1493E01728DA837F1F74D7FA9
Control Set: CurrentControlSet
Start: 3
Type: 1
Error Control: 1

Service (registry key): SamSs
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Security Accounts Manager
Description: Stores security information for local user accounts.
Object name: LocalSystem
Image path: %SystemRoot%\system32\lsass.exe
Image size: 13312
Image MD5: 84885F9B82F4D55C6146EBF6065D75D2
Control Set: CurrentControlSet
Start: 2
Type: 32
Error Control: 1
Depends On services: RPCSS

Service (registry key): SCardSvr
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Smart Card
Description: Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: NT AUTHORITY\LocalService
Image path: %SystemRoot%\System32\SCardSvr.exe
Image size: 95744
Image MD5: 25D8DE134DF108E3DBC8D7D23B1AA58E
Control Set: CurrentControlSet
Start: 3
Type: 32
Error Control: 0
Depends On services: PlugPlay

Service (registry key): Schedule
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: Task Scheduler
Description: Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Control Set: CurrentControlSet
Start: 2
Type: 288
Error Control: 1
Depends On services: RpcSs

Service (registry key): ScsiPort
Registry path: \SYSTEM\CurrentControlSet\Services\
Image path: %SystemRoot%\system32\drivers\scsiport.sys
Image size: 96256
Image MD5: D7FD0FF761E28AC0EA35AD71E0CD67E9
Control Set: CurrentControlSet
Start: 0
Type: 0
Error Control: 0

Service (registry key): sdauxservice
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: PC Tools Auxiliary Service
Description: Provides auxiliary PC Tools Security services. If this service is disabled spyware protection will be reduced.
Object name: LocalSystem
Image path: C:\Program Files\Spyware Doctor\pctsAuxs.exe
Image size: 348752
Image MD5: 2881D5C135D076BCF52B0F5AD3D8DC0B
Control Set: CurrentControlSet
Start: 3
Type: 16
Error Control: 1

Service (registry key): sdcoreservice
Registry path: \SYSTEM\CurrentControlSet\Services\
Display name: PC Tools Security Service
Description: Provides spyware and malware protection for the system. If this service is disabled spyware protection will be disabled.
Object name: LocalSystem
Image path: C:\Program Files\Spyware Doctor\pctsSvc.exe%

Attached Files


Edited by mistermoo32, 19 May 2009 - 05:34 AM.


BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:59 PM

Posted 20 May 2009 - 11:51 AM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 mistermoo32

mistermoo32
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:59 PM

Posted 20 May 2009 - 07:33 PM

thanks, this is the combofix log

ComboFix 09-05-20.09 - Robby 05/20/2009 16:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1715 [GMT -8:00]
Running from: c:\documents and settings\Robby\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\916653139.exe
c:\documents and settings\LocalService\protect.dll
c:\documents and settings\NetworkService\protect.dll
c:\documents and settings\Robby\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Robby\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
C:\install.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\AshEvtSvc.exe
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\drivers\e3946957.sys
c:\windows\system32\drivers\ovfsthmbklrnibrrqrdlsxdmtibveyddpgtrpp.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\lmn_setup.exe
c:\windows\system32\nawewuti.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\ovfsthbfrqoapjtqjxxquuulkdiooenlgankat.dat
c:\windows\system32\ovfsthewqskofnvympytpkcsmqsnrocboyelyx.dll
c:\windows\system32\ovfsthlgbflkojvgyburcdknmogpmkydujjbxy.dat
c:\windows\system32\ovfsthrxtlrymtfsbuxcfspjitcwkmcayowaje.dll
c:\windows\system32\ovfsthvkcjdwqbonblhvmnbghlejoxkmtrffgh.dll
c:\windows\system32\Process.exe
c:\windows\system32\sft.res
c:\windows\system32\SrchSTS.exe
c:\windows\system32\stfa.dll
c:\windows\system32\SYS32DLL.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\win32hlp.cnf
c:\windows\system32\WS2Fix.exe
c:\windows\Temp\2961357956.exe
c:\windows\Temp\2973701706.exe
c:\windows\Temp\3152920456.exe
c:\windows\Temp\596256220.exe
C:\xcrashdump.dat

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe


Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - The cat ate it :thumbup2:

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthctmjyubfrmomujgmydevoayypavyefgv
-------\Legacy_ashevtsvc
-------\Service_ashevtsvc
-------\Service_e3946957


((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
.

2009-05-20 14:22 . 2009-05-20 14:22 32768 ----a-w c:\windows\system32\service-466.exe
2009-05-19 00:22 . 2009-05-19 00:22 37376 ----a-w c:\windows\system32\glsetup.exe
2009-05-15 11:59 . 2009-05-15 11:59 190 ----a-w C:\43214354.bat
2009-05-12 07:27 . 2009-05-12 10:23 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-12 07:27 . 2009-05-12 08:33 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-09 11:31 . 2009-05-09 11:31 -------- d-----w C:\temp
2009-05-09 09:39 . 2009-05-09 09:40 -------- d-----w c:\program files\WinClamAVShield
2009-05-09 09:28 . 2009-05-09 09:28 142592 ----a-w c:\windows\system32\drivers\sp_rsdrv2.sys
2009-05-09 09:28 . 2009-05-09 09:28 -------- d-----w c:\documents and settings\Robby\Application Data\Spyware Terminator
2009-05-09 09:28 . 2009-05-09 10:42 -------- d-----w c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-05-09 09:28 . 2009-05-09 10:42 -------- d-----w c:\program files\Spyware Terminator
2009-05-09 09:04 . 2008-12-11 16:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-05-09 09:03 . 2009-04-03 19:18 130936 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-05-09 09:03 . 2008-12-18 20:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-09 09:03 . 2009-05-09 09:06 -------- d-----w c:\program files\Common Files\PC Tools
2009-05-09 09:03 . 2008-12-10 19:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-05-09 09:03 . 2009-05-09 09:03 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-05-09 09:03 . 2009-05-09 09:03 -------- d-----w c:\documents and settings\Robby\Application Data\PC Tools
2009-05-09 09:03 . 2009-05-09 09:07 -------- d-----w c:\program files\Spyware Doctor
2009-05-09 07:55 . 2009-05-09 09:35 -------- d-----w C:\VundoFix Backups
2009-05-09 05:45 . 2009-05-09 05:45 -------- d-----w c:\documents and settings\Robby\Local Settings\Application Data\Help
2009-05-04 09:58 . 2009-05-04 09:58 61440 ----a-w c:\windows\system32\drivers\xrrova.sys
2009-05-04 08:47 . 2009-05-04 08:47 -------- d-----w c:\program files\Electronic Arts
2009-04-30 04:23 . 2009-05-21 00:56 577024 -c--a-w c:\windows\system32\dllcache\user32.dll
2009-04-29 00:10 . 2009-04-29 00:10 -------- d-----w c:\documents and settings\Robby\Application Data\Ventrilo
2009-04-29 00:10 . 2009-04-29 00:10 -------- d-----w c:\program files\Ventrilo
2009-04-29 00:10 . 2009-04-29 00:10 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-28 08:29 . 2009-04-28 08:30 -------- d-----w c:\program files\CachemanXP
2009-04-28 05:24 . 2009-04-28 05:24 -------- d-sh--w c:\documents and settings\Robby\Local Settings\Application Data\.#
2009-04-28 04:39 . 2009-04-28 04:40 -------- d-----w c:\program files\Audacity
2009-04-21 21:39 . 2008-10-01 03:35 65536 ----a-w c:\windows\system32\camcodec.dll
2009-04-21 21:38 . 2009-04-21 22:44 -------- d-----w c:\program files\CamStudio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-21 00:56 . 2001-08-23 19:00 577024 ----a-w c:\windows\system32\user32.dll
2009-05-21 00:53 . 2001-08-23 19:00 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-05-19 22:37 . 2008-02-03 20:44 -------- d-----w c:\program files\World of Warcraft
2009-05-09 10:47 . 2008-01-18 09:50 -------- d-----w c:\program files\Java
2009-05-04 04:03 . 2009-03-13 03:46 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-28 08:12 . 2008-01-25 04:33 -------- d-----w c:\program files\Steam
2009-04-28 07:50 . 2009-04-11 09:47 773392 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-13 18:32 . 2009-04-13 18:32 -------- d-----w c:\program files\EidosNet
2009-04-13 03:26 . 2009-04-13 03:26 -------- d-----w c:\program files\DAEMON Tools Lite
2009-04-13 03:24 . 2009-04-13 03:24 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-04-13 01:56 . 2009-04-13 01:56 -------- d-----w c:\program files\Delta
2009-04-12 22:31 . 2009-04-12 22:31 0 ----a-w c:\windows\ativpsrm.bin
2009-04-12 21:27 . 2009-04-11 09:50 -------- d-----w c:\program files\Uniblue
2009-04-12 21:26 . 2008-01-16 09:58 -------- d-----w c:\program files\ATI Technologies
2009-04-12 21:26 . 2008-01-16 09:06 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-12 20:58 . 2009-04-10 11:27 -------- d-----w c:\program files\7-Zip
2009-04-12 19:56 . 2009-04-06 08:20 -------- d-----w c:\program files\Google
2009-04-12 19:56 . 2009-04-11 10:47 -------- d-----w c:\program files\Game Cam XPress
2009-04-11 10:47 . 2009-03-07 03:15 38296 ----a-w c:\documents and settings\Robby\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-11 09:47 . 2009-04-11 09:47 -------- d-----w c:\program files\Reference Assemblies
2009-04-07 08:31 . 2009-04-07 08:30 -------- d-----w c:\program files\BitLord
2009-04-06 23:32 . 2009-03-13 03:46 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 23:32 . 2009-03-13 03:46 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 08:20 . 2009-04-06 08:20 -------- d-----w c:\program files\DivX
2009-04-06 08:20 . 2009-04-06 08:20 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-05 05:04 . 2009-04-05 05:03 -------- d-----w c:\program files\LimeWire
2009-03-29 20:38 . 2009-03-29 20:38 21840 ----a-w c:\windows\system32\SIntfNT.dll
2009-03-29 20:38 . 2009-03-29 20:38 17212 ----a-w c:\windows\system32\SIntf32.dll
2009-03-29 20:38 . 2009-03-29 20:38 12067 ----a-w c:\windows\system32\SIntf16.dll
2009-03-25 00:13 . 2009-03-25 00:13 -------- d-----w c:\program files\MP3 Converter Simple
2009-03-24 23:52 . 2009-03-24 23:52 -------- d-----w c:\program files\GoldWave
2009-03-24 23:50 . 2009-03-24 23:49 -------- d-----w c:\program files\HyCam2
2009-03-24 07:50 . 2008-01-21 05:59 -------- d-----w c:\program files\Yahoo!
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.
Infected c:\windows\system32\user32.dll hex repaired


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-11-16 02:46 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnet3.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnet3[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnet3[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx30SP1setup.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx30SP1setup[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx30SP1setup[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx35.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx35setup.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx35setup[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx35setup[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx35[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx35[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3setup.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3setup[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3setup[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3_ia64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3_ia64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3_ia64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3_x64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3_x64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3_x64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_ia64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_ia64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_ia64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_x64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_x64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_x64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_x86.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_x86[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_x86[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_ia64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_ia64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_ia64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_x64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_x64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_x64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_x86.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_x86[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_x86[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx30SP1_x64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx30SP1_x64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx30SP1_x64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx30SP1_x86.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx30SP1_x86[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx30SP1_x86[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_ia64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_ia64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_ia64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_x64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_x64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_x64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_x86.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_x86[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_x86[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^REALTEK USB Wireless LAN Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\REALTEK USB Wireless LAN Utility.lnk
backup=c:\windows\pss\REALTEK USB Wireless LAN Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TrayMin200.exe.lnk]
backup=c:\windows\pss\TrayMin200.exe.lnkCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^robby^start menu^programs^startup^chkdisk.dll]

[HKLM\~\startupfolder\c:^documents and settings^robby^start menu^programs^startup^chkdisk.lnk]
backup=c:\windows\pss\ChkDisk.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"Uniblue DiskRescue"=2 (0x2)
"sp_rssrv"=2 (0x2)
"iPod Service"=3 (0x3)
"npggsvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Steam\\SteamApps\\perromuerto8\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\Program Files\\Steam\\SteamApps\\hizgrayc\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\hizgrayc\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\hizgrayc\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.3.3.7799-to-2.4.0.8089-enUS-downloader.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\ijji\\ENGLISH\\u_gunz.exe"=
"c:\\ijji\\ENGLISH\\Gunz\\Gunz.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/9/2009 1:03 AM 130936]
R2 CachemanXPService;CachemanXP;c:\progra~1\CachemanXP\CachemanXP.exe [4/28/2009 12:29 AM 355840]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [4/28/2008 11:05 AM 38144]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/16/2008 1:19 AM 24652]
S0 rqez;rqez; [x]
S3 FETND6V;VIA Rhine Family Fast Ethernet Adapter Driver;c:\windows\system32\drivers\fetnd6v.sys [9/22/2008 11:20 AM 43520]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [4/28/2008 11:05 AM 209152]
S3 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/9/2009 1:03 AM 348752]
S4 npggsvc;nProtect GameGuard Service; [x]
S4 Uniblue DiskRescue;Uniblue DiskRescue;c:\program files\Uniblue\DiskRescue\UBDiskRescueSrv.exe [9/10/2008 7:22 AM 229648]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
oimvbgdv
.
Contents of the 'Scheduled Tasks' folder

2009-05-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-04-12 c:\windows\Tasks\Uniblue DiskRescue 2009.job
- c:\program files\Uniblue\DiskRescue\UBDiskRescue.exe [2008-09-10 15:22]
.
- - - - ORPHANS REMOVED - - - -

BHO-{56bb6d01-7bd5-4458-a4ae-f03df643d6ee} - stfa.dll
BHO-{c2ba40a1-74f3-42bd-f434-12345a2c8953} - (no file)
HKU-Default-Run-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe
HKU-Default-Run-autochk - c:\docume~1\LOCALS~1\protect.dll
Notify-__c008b1c4 - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Robby\Application Data\Mozilla\Firefox\Profiles\3nz327w5.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4E7FF8BB-0A5A-4AA3-B764-B39BA9A13E38", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CIDB24F189F-FB14-4EFD-8B9D-217EC6C84EA1", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID86ED3659-02F6-465D-8F19-A9334614CCC3", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID5D7F48C0-CB49-4ea6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CIDA43C6FC7-09F6-4E04-B8E3-683F3BDFEF7C", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4C8D6404-A9F6-4236-8488-6C5732CB3BFA", "AllAccess");.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-20 16:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ATKKBService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-21 17:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-21 01:02

Pre-Run: 65,709,166,592 bytes free
Post-Run: 65,636,401,152 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

393

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:59 PM

Posted 21 May 2009 - 09:03 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
c:\windows\system32\service-466.exe
c:\windows\system32\glsetup.exe
C:\43214354.bat
Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


==================



Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

==================


Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 mistermoo32

mistermoo32
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:59 PM

Posted 21 May 2009 - 03:09 PM

ComboFix 09-05-20.A1 - Robby 05/21/2009 13:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1654 [GMT -8:00]
Running from: c:\documents and settings\Robby\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Robby\Desktop\CFScript.txt
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

FILE ::
C:\43214354.bat
c:\windows\system32\glsetup.exe
c:\windows\system32\service-466.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\43214354.bat
c:\windows\system32\glsetup.exe
c:\windows\system32\service-466.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
.

2009-05-12 07:27 . 2009-05-12 10:23 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-12 07:27 . 2009-05-12 08:33 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-09 11:31 . 2009-05-09 11:31 -------- d-----w C:\temp
2009-05-09 09:39 . 2009-05-09 09:40 -------- d-----w c:\program files\WinClamAVShield
2009-05-09 09:28 . 2009-05-09 09:28 142592 ----a-w c:\windows\system32\drivers\sp_rsdrv2.sys
2009-05-09 09:28 . 2009-05-09 09:28 -------- d-----w c:\documents and settings\Robby\Application Data\Spyware Terminator
2009-05-09 09:28 . 2009-05-09 10:42 -------- d-----w c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-05-09 09:28 . 2009-05-09 10:42 -------- d-----w c:\program files\Spyware Terminator
2009-05-09 09:04 . 2008-12-11 16:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-05-09 09:03 . 2009-04-03 19:18 130936 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-05-09 09:03 . 2008-12-18 20:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-09 09:03 . 2009-05-09 09:06 -------- d-----w c:\program files\Common Files\PC Tools
2009-05-09 09:03 . 2008-12-10 19:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-05-09 09:03 . 2009-05-09 09:03 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-05-09 09:03 . 2009-05-09 09:03 -------- d-----w c:\documents and settings\Robby\Application Data\PC Tools
2009-05-09 09:03 . 2009-05-09 09:07 -------- d-----w c:\program files\Spyware Doctor
2009-05-09 07:55 . 2009-05-09 09:35 -------- d-----w C:\VundoFix Backups
2009-05-09 05:45 . 2009-05-09 05:45 -------- d-----w c:\documents and settings\Robby\Local Settings\Application Data\Help
2009-05-04 09:58 . 2009-05-04 09:58 61440 ----a-w c:\windows\system32\drivers\xrrova.sys
2009-05-04 08:47 . 2009-05-04 08:47 -------- d-----w c:\program files\Electronic Arts
2009-04-30 04:23 . 2009-05-21 00:56 577024 -c--a-w c:\windows\system32\dllcache\user32.dll
2009-04-29 00:10 . 2009-04-29 00:10 -------- d-----w c:\documents and settings\Robby\Application Data\Ventrilo
2009-04-29 00:10 . 2009-04-29 00:10 -------- d-----w c:\program files\Ventrilo
2009-04-29 00:10 . 2009-04-29 00:10 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-28 08:29 . 2009-04-28 08:30 -------- d-----w c:\program files\CachemanXP
2009-04-28 05:24 . 2009-04-28 05:24 -------- d-sh--w c:\documents and settings\Robby\Local Settings\Application Data\.#
2009-04-28 04:39 . 2009-04-28 04:40 -------- d-----w c:\program files\Audacity
2009-04-21 21:39 . 2008-10-01 03:35 65536 ----a-w c:\windows\system32\camcodec.dll
2009-04-21 21:38 . 2009-04-21 22:44 -------- d-----w c:\program files\CamStudio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-21 00:56 . 2001-08-23 19:00 577024 ----a-w c:\windows\system32\user32.dll
2009-05-21 00:53 . 2001-08-23 19:00 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-05-19 22:37 . 2008-02-03 20:44 -------- d-----w c:\program files\World of Warcraft
2009-05-09 10:47 . 2008-01-18 09:50 -------- d-----w c:\program files\Java
2009-05-04 04:03 . 2009-03-13 03:46 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-28 08:12 . 2008-01-25 04:33 -------- d-----w c:\program files\Steam
2009-04-28 07:50 . 2009-04-11 09:47 773392 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-13 18:32 . 2009-04-13 18:32 -------- d-----w c:\program files\EidosNet
2009-04-13 03:26 . 2009-04-13 03:26 -------- d-----w c:\program files\DAEMON Tools Lite
2009-04-13 03:24 . 2009-04-13 03:24 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-04-13 01:56 . 2009-04-13 01:56 -------- d-----w c:\program files\Delta
2009-04-12 22:31 . 2009-04-12 22:31 0 ----a-w c:\windows\ativpsrm.bin
2009-04-12 21:27 . 2009-04-11 09:50 -------- d-----w c:\program files\Uniblue
2009-04-12 21:26 . 2008-01-16 09:58 -------- d-----w c:\program files\ATI Technologies
2009-04-12 21:26 . 2008-01-16 09:06 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-12 20:58 . 2009-04-10 11:27 -------- d-----w c:\program files\7-Zip
2009-04-12 19:56 . 2009-04-06 08:20 -------- d-----w c:\program files\Google
2009-04-12 19:56 . 2009-04-11 10:47 -------- d-----w c:\program files\Game Cam XPress
2009-04-11 10:47 . 2009-03-07 03:15 38296 ----a-w c:\documents and settings\Robby\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-11 09:47 . 2009-04-11 09:47 -------- d-----w c:\program files\Reference Assemblies
2009-04-07 08:31 . 2009-04-07 08:30 -------- d-----w c:\program files\BitLord
2009-04-06 23:32 . 2009-03-13 03:46 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 23:32 . 2009-03-13 03:46 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 08:20 . 2009-04-06 08:20 -------- d-----w c:\program files\DivX
2009-04-06 08:20 . 2009-04-06 08:20 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-05 05:04 . 2009-04-05 05:03 -------- d-----w c:\program files\LimeWire
2009-03-29 20:38 . 2009-03-29 20:38 21840 ----a-w c:\windows\system32\SIntfNT.dll
2009-03-29 20:38 . 2009-03-29 20:38 17212 ----a-w c:\windows\system32\SIntf32.dll
2009-03-29 20:38 . 2009-03-29 20:38 12067 ----a-w c:\windows\system32\SIntf16.dll
2009-03-25 00:13 . 2009-03-25 00:13 -------- d-----w c:\program files\MP3 Converter Simple
2009-03-24 23:52 . 2009-03-24 23:52 -------- d-----w c:\program files\GoldWave
2009-03-24 23:50 . 2009-03-24 23:49 -------- d-----w c:\program files\HyCam2
2009-03-24 07:50 . 2008-01-21 05:59 -------- d-----w c:\program files\Yahoo!
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-21_00.59.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-21 10:14 . 2009-05-21 10:14 16384 c:\windows\Temp\Perflib_Perfdata_8c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-11-16 02:46 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c008b1c4]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnet3.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnet3[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnet3[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx30SP1setup.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx30SP1setup[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx30SP1setup[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx35.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx35setup.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx35setup[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx35setup[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx35[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx35[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3setup.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3setup[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3setup[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3_ia64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3_ia64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3_ia64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3_x64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3_x64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3_x64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_ia64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_ia64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_ia64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_x64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_x64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_x64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_x86.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_x86[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_x86[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_ia64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_ia64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_ia64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_x64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_x64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_x64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_x86.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_x86[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_x86[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx30SP1_x64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx30SP1_x64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx30SP1_x64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx30SP1_x86.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx30SP1_x86[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx30SP1_x86[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_ia64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_ia64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_ia64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_x64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_x64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_x64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_x86.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_x86[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_x86[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^REALTEK USB Wireless LAN Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\REALTEK USB Wireless LAN Utility.lnk
backup=c:\windows\pss\REALTEK USB Wireless LAN Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TrayMin200.exe.lnk]
backup=c:\windows\pss\TrayMin200.exe.lnkCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^robby^start menu^programs^startup^chkdisk.dll]

[HKLM\~\startupfolder\c:^documents and settings^robby^start menu^programs^startup^chkdisk.lnk]
backup=c:\windows\pss\ChkDisk.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"Uniblue DiskRescue"=2 (0x2)
"sp_rssrv"=2 (0x2)
"iPod Service"=3 (0x3)
"npggsvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Steam\\SteamApps\\perromuerto8\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\Program Files\\Steam\\SteamApps\\hizgrayc\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\hizgrayc\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\hizgrayc\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.3.3.7799-to-2.4.0.8089-enUS-downloader.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\ijji\\ENGLISH\\u_gunz.exe"=
"c:\\ijji\\ENGLISH\\Gunz\\Gunz.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/9/2009 1:03 AM 130936]
R2 CachemanXPService;CachemanXP;c:\progra~1\CachemanXP\CachemanXP.exe [4/28/2009 12:29 AM 355840]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [4/28/2008 11:05 AM 38144]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/16/2008 1:19 AM 24652]
S0 rqez;rqez; [x]
S3 FETND6V;VIA Rhine Family Fast Ethernet Adapter Driver;c:\windows\system32\drivers\fetnd6v.sys [9/22/2008 11:20 AM 43520]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [4/28/2008 11:05 AM 209152]
S3 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/9/2009 1:03 AM 348752]
S4 npggsvc;nProtect GameGuard Service; [x]
S4 Uniblue DiskRescue;Uniblue DiskRescue;c:\program files\Uniblue\DiskRescue\UBDiskRescueSrv.exe [9/10/2008 7:22 AM 229648]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
oimvbgdv
.
Contents of the 'Scheduled Tasks' folder

2009-05-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-04-12 c:\windows\Tasks\Uniblue DiskRescue 2009.job
- c:\program files\Uniblue\DiskRescue\UBDiskRescue.exe [2008-09-10 15:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Robby\Application Data\Mozilla\Firefox\Profiles\3nz327w5.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4E7FF8BB-0A5A-4AA3-B764-B39BA9A13E38", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CIDB24F189F-FB14-4EFD-8B9D-217EC6C84EA1", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID86ED3659-02F6-465D-8F19-A9334614CCC3", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID5D7F48C0-CB49-4ea6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CIDA43C6FC7-09F6-4E04-B8E3-683F3BDFEF7C", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4C8D6404-A9F6-4236-8488-6C5732CB3BFA", "AllAccess");.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-21 13:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
.
Completion time: 2009-05-21 13:06
ComboFix-quarantined-files.txt 2009-05-21 21:06
ComboFix2.txt 2009-05-21 01:02

Pre-Run: 65,625,714,688 bytes free
Post-Run: 65,611,657,216 bytes free

331



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, May 21, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, May 21, 2009 21:14:26
Records in database: 2211602
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\

Scan statistics:
Files scanned: 59713
Threat name: 12
Infected objects: 34
Suspicious objects: 0
Duration of the scan: 01:30:10


File name / Threat name / Threats count
C:\Documents and Settings\Robby\Desktop\Music\Rock-Pop-Techno\Michelle Branch - Find your way back.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\Robby\Desktop\Music\Vengaboys - Better world.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\Robby\Desktop\Music\Vengaboys - We like to Party (The Vengabus).mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\protect.dll.vir Infected: Trojan-Spy.Win32.Agent.argt 1
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\protect.dll.vir Infected: Trojan-Spy.Win32.Agent.argt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\protect.dll.vir Infected: Trojan-Spy.Win32.Agent.argt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ndis.sys.vir Infected: Virus.Win32.Protector.b 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthmbklrnibrrqrdlsxdmtibveyddpgtrpp.sys.vir Infected: Trojan.Win32.Tdss.aalf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_e3946957_.sys.zip Infected: Backdoor.Win32.NewRest.z 2
C:\Qoobox\Quarantine\C\WINDOWS\system32\glsetup.exe.vir Infected: Trojan.Win32.Monder.chce 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lmn_setup.exe.vir Infected: Trojan-Dropper.Win32.Agent.apgo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nawewuti.exe.vir Infected: Packed.Win32.Krap.q 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\stfa.dll.vir Infected: Trojan.Win32.Agent.cbpp 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\2961357956.exe.vir Infected: Trojan-Downloader.Win32.Suurch.rc 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\2973701706.exe.vir Infected: Trojan-Downloader.Win32.Suurch.rc 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\3152920456.exe.vir Infected: Trojan-Downloader.Win32.Suurch.rc 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\596256220.exe.vir Infected: Trojan-Downloader.Win32.Suurch.rc 1
C:\System Volume Information\_restore{79F9EBBC-FE84-4C1A-ACD5-0AD002CC0F5F}\RP12\A0002020.sys Infected: Trojan.Win32.Tdss.aalf 1
C:\System Volume Information\_restore{79F9EBBC-FE84-4C1A-ACD5-0AD002CC0F5F}\RP12\A0002042.dll Infected: Trojan-Spy.Win32.Agent.argt 1
C:\System Volume Information\_restore{79F9EBBC-FE84-4C1A-ACD5-0AD002CC0F5F}\RP12\A0002046.exe Infected: Trojan-Dropper.Win32.Agent.apgo 1
C:\System Volume Information\_restore{79F9EBBC-FE84-4C1A-ACD5-0AD002CC0F5F}\RP12\A0002050.dll Infected: Trojan.Win32.Agent.cbpp 1
C:\System Volume Information\_restore{79F9EBBC-FE84-4C1A-ACD5-0AD002CC0F5F}\RP12\A0002058.dll Infected: Trojan-Spy.Win32.Agent.argt 1
C:\System Volume Information\_restore{79F9EBBC-FE84-4C1A-ACD5-0AD002CC0F5F}\RP12\A0002059.dll Infected: Trojan-Spy.Win32.Agent.argt 1
C:\System Volume Information\_restore{79F9EBBC-FE84-4C1A-ACD5-0AD002CC0F5F}\RP12\A0002074.sys Infected: Virus.Win32.Protector.b 1
C:\System Volume Information\_restore{79F9EBBC-FE84-4C1A-ACD5-0AD002CC0F5F}\RP12\A0002075.exe Infected: Packed.Win32.Krap.q 1
C:\System Volume Information\_restore{79F9EBBC-FE84-4C1A-ACD5-0AD002CC0F5F}\RP12\A0002078.sys Infected: Virus.Win32.Protector.b 1
C:\System Volume Information\_restore{79F9EBBC-FE84-4C1A-ACD5-0AD002CC0F5F}\RP12\A0002097.dll Infected: Trojan-Spy.Win32.Agent.argt 1
C:\System Volume Information\_restore{79F9EBBC-FE84-4C1A-ACD5-0AD002CC0F5F}\RP12\A0002098.dll Infected: Trojan-Spy.Win32.Agent.argt 1
C:\System Volume Information\_restore{79F9EBBC-FE84-4C1A-ACD5-0AD002CC0F5F}\RP12\A0002100.dll Infected: Trojan-Spy.Win32.Agent.argt 1
C:\System Volume Information\_restore{79F9EBBC-FE84-4C1A-ACD5-0AD002CC0F5F}\RP12\A0002101.dll Infected: Trojan.Win32.Tdss.aald 1
C:\System Volume Information\_restore{79F9EBBC-FE84-4C1A-ACD5-0AD002CC0F5F}\RP12\A0002102.dll Infected: Trojan.Win32.Tdss.aalg 1
C:\System Volume Information\_restore{79F9EBBC-FE84-4C1A-ACD5-0AD002CC0F5F}\RP12\A0002103.dll Infected: Trojan-Spy.Win32.Agent.argt 1
C:\System Volume Information\_restore{79F9EBBC-FE84-4C1A-ACD5-0AD002CC0F5F}\RP13\A0002481.exe Infected: Trojan.Win32.Monder.chce 1

The selected area was scanned.

Edited by mistermoo32, 21 May 2009 - 05:35 PM.


#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:59 PM

Posted 22 May 2009 - 03:04 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

Driver::
rqez
npggsvc

File::
C:\Documents and Settings\Robby\Desktop\Music\Rock-Pop-Techno\Michelle Branch - Find your way back.mp3 
C:\Documents and Settings\Robby\Desktop\Music\Vengaboys - Better world.mp3 
C:\Documents and Settings\Robby\Desktop\Music\Vengaboys - We like to Party (The Vengabus).mp3

Registry::
[-HKLM\~\startupfolder\c:^documents and settings^robby^start menu^programs^startup^chkdisk.dll]
[-HKLM\~\startupfolder\c:^documents and settings^robby^start menu^programs^startup^chkdisk.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c008b1c4]
Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 mistermoo32

mistermoo32
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:59 PM

Posted 22 May 2009 - 05:08 PM

ComboFix 09-05-22.04 - Robby 05/22/2009 14:17.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1564 [GMT -8:00]
Running from: c:\documents and settings\Robby\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Robby\Desktop\CFScript.txt
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

FILE ::
c:\documents and settings\Robby\Desktop\Music\Rock-Pop-Techno\Michelle Branch - Find your way back.mp3
c:\documents and settings\Robby\Desktop\Music\Vengaboys - Better world.mp3
c:\documents and settings\Robby\Desktop\Music\Vengaboys - We like to Party (The Vengabus).mp3
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Robby\Desktop\Music\Rock-Pop-Techno\Michelle Branch - Find your way back.mp3
c:\documents and settings\Robby\Desktop\Music\Vengaboys - Better world.mp3
c:\documents and settings\Robby\Desktop\Music\Vengaboys - We like to Party (The Vengabus).mp3

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_npggsvc
-------\Service_rqez


((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))
.

2009-05-21 21:19 . 2009-05-21 21:19 57344 ----a-w c:\documents and settings\Robby\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-40742ea6-n\Decora-SSE.dll
2009-05-21 21:19 . 2009-05-21 21:19 24064 ----a-w c:\documents and settings\Robby\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-3c8f077c-n\Decora-D3D.dll
2009-05-21 21:19 . 2009-05-21 21:19 499712 ----a-w c:\documents and settings\Robby\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-5b4d6190-n\msvcp71.dll
2009-05-21 21:19 . 2009-05-21 21:19 499712 ----a-w c:\documents and settings\Robby\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-5b4d6190-n\jmc.dll
2009-05-21 21:19 . 2009-05-21 21:19 348160 ----a-w c:\documents and settings\Robby\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-5b4d6190-n\msvcr71.dll
2009-05-21 21:19 . 2009-05-21 21:19 315392 ----a-w c:\documents and settings\Robby\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-22f7991b-n\jogl.dll
2009-05-21 21:19 . 2009-05-21 21:19 20480 ----a-w c:\documents and settings\Robby\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-22f7991b-n\jogl_awt.dll
2009-05-21 21:19 . 2009-05-21 21:19 20480 ----a-w c:\documents and settings\Robby\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-49d8ec3a-n\gluegen-rt.dll
2009-05-21 21:19 . 2009-05-21 21:19 114688 ----a-w c:\documents and settings\Robby\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-22f7991b-n\jogl_cg.dll
2009-05-21 21:18 . 2009-05-21 21:18 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-21 21:16 . 2009-05-21 21:17 -------- d-----w c:\documents and settings\Robby\.SunDownloadManager
2009-05-12 07:27 . 2009-05-12 10:23 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-12 07:27 . 2009-05-12 08:33 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-09 11:31 . 2009-05-09 11:31 -------- d-----w C:\temp
2009-05-09 09:39 . 2009-05-09 09:40 -------- d-----w c:\program files\WinClamAVShield
2009-05-09 09:28 . 2009-05-09 09:28 6144 ----a-w c:\documents and settings\All Users\Application Data\Spyware Terminator\sp_rsdel.exe
2009-05-09 09:28 . 2009-05-09 09:28 5632 ----a-w c:\documents and settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys
2009-05-09 09:28 . 2009-05-09 09:28 -------- d-----w c:\documents and settings\Robby\Application Data\Spyware Terminator
2009-05-09 09:28 . 2009-05-09 09:28 142592 ----a-w c:\windows\system32\drivers\sp_rsdrv2.sys
2009-05-09 09:28 . 2009-05-09 10:42 -------- d-----w c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-05-09 09:28 . 2009-05-09 10:42 -------- d-----w c:\program files\Spyware Terminator
2009-05-09 09:04 . 2008-12-11 16:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-05-09 09:03 . 2009-04-03 19:18 130936 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-05-09 09:03 . 2008-12-18 20:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-09 09:03 . 2009-05-09 09:06 -------- d-----w c:\program files\Common Files\PC Tools
2009-05-09 09:03 . 2008-12-10 19:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-05-09 09:03 . 2009-05-09 09:07 -------- d-----w c:\program files\Spyware Doctor
2009-05-09 09:03 . 2009-05-09 09:03 -------- d-----w c:\documents and settings\Robby\Application Data\PC Tools
2009-05-09 09:03 . 2009-05-09 09:03 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-05-09 07:55 . 2009-05-09 09:35 -------- d-----w C:\VundoFix Backups
2009-05-09 05:45 . 2009-05-09 05:45 -------- d-----w c:\documents and settings\Robby\Local Settings\Application Data\Help
2009-05-04 09:58 . 2009-05-04 09:58 61440 ----a-w c:\windows\system32\drivers\xrrova.sys
2009-05-04 08:47 . 2009-05-04 08:47 -------- d-----w c:\program files\Electronic Arts
2009-04-30 04:23 . 2009-05-21 00:56 577024 -c--a-w c:\windows\system32\dllcache\user32.dll
2009-04-29 00:10 . 2009-04-29 00:10 -------- d-----w c:\documents and settings\Robby\Application Data\Ventrilo
2009-04-29 00:10 . 2009-04-29 00:10 -------- d-----w c:\program files\Ventrilo
2009-04-29 00:10 . 2009-04-29 00:10 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-28 08:29 . 2009-04-28 08:30 -------- d-----w c:\program files\CachemanXP
2009-04-28 05:24 . 2009-04-28 05:24 -------- d-sh--w c:\documents and settings\Robby\Local Settings\Application Data\.#
2009-04-28 04:39 . 2009-04-28 04:40 -------- d-----w c:\program files\Audacity

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-21 21:18 . 2008-01-18 09:50 -------- d-----w c:\program files\Java
2009-05-21 00:56 . 2001-08-23 19:00 577024 ----a-w c:\windows\system32\user32.dll
2009-05-21 00:53 . 2001-08-23 19:00 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-05-19 22:37 . 2008-02-03 20:44 -------- d-----w c:\program files\World of Warcraft
2009-05-12 04:59 . 2009-03-25 05:28 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-04 04:03 . 2009-03-13 03:46 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-04 04:03 . 2009-03-13 03:46 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-04-28 08:12 . 2008-01-25 04:33 -------- d-----w c:\program files\Steam
2009-04-28 07:50 . 2009-04-11 09:47 773392 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-21 22:44 . 2009-04-21 21:38 -------- d-----w c:\program files\CamStudio
2009-04-15 23:16 . 2009-04-15 23:16 311936 ----a-w c:\documents and settings\Robby\Application Data\MobMapUpdater\MobMapUpdaterExternals.dll
2009-04-15 23:16 . 2009-04-15 23:16 -------- d-----w c:\documents and settings\Robby\Application Data\MobMapUpdater
2009-04-13 18:32 . 2009-04-13 18:32 -------- d-----w c:\program files\EidosNet
2009-04-13 03:52 . 2009-04-13 03:52 -------- d-----w c:\documents and settings\Robby\Application Data\vlc
2009-04-13 03:26 . 2009-04-13 03:26 -------- d-----w c:\program files\DAEMON Tools Lite
2009-04-13 03:24 . 2009-04-13 03:24 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-04-13 03:23 . 2009-04-13 03:23 -------- d-----w c:\documents and settings\Robby\Application Data\DAEMON Tools
2009-04-13 01:56 . 2009-04-13 01:56 -------- d-----w c:\program files\Delta
2009-04-12 22:31 . 2009-04-12 22:31 0 ----a-w c:\windows\ativpsrm.bin
2009-04-12 21:29 . 2009-04-11 09:55 -------- d-----w c:\documents and settings\Robby\Application Data\uniblue
2009-04-12 21:27 . 2009-04-12 21:27 -------- dc-h--w c:\documents and settings\All Users\Application Data\{8A09CD83-59E1-4DB1-AAFC-E25174FC6706}
2009-04-12 21:27 . 2009-04-11 09:50 -------- d-----w c:\program files\Uniblue
2009-04-12 21:26 . 2008-01-16 09:58 -------- d-----w c:\program files\ATI Technologies
2009-04-12 21:26 . 2008-01-16 09:06 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-12 21:21 . 2009-04-12 21:21 2091784 ----a-w c:\documents and settings\Robby\Application Data\uniblue\DriverScanner\Download\monitor_hwp05021_0_0_1.exe
2009-04-12 21:20 . 2009-04-12 21:19 -------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2009-04-12 21:19 . 2009-04-12 21:18 -------- dc-h--w c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-04-12 21:09 . 2009-04-12 21:09 -------- dc-h--w c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-04-12 20:58 . 2009-04-10 11:27 -------- d-----w c:\program files\7-Zip
2009-04-12 20:50 . 2009-04-12 20:50 -------- dc-h--w c:\documents and settings\All Users\Application Data\{D994735B-8DC6-4AEE-B720-704A4EC0402E}
2009-04-12 19:56 . 2009-04-06 08:20 -------- d-----w c:\program files\Google
2009-04-12 19:56 . 2009-04-11 10:47 -------- d-----w c:\program files\Game Cam XPress
2009-04-11 10:47 . 2009-03-07 03:15 38296 ----a-w c:\documents and settings\Robby\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-11 09:47 . 2009-04-11 09:47 -------- d-----w c:\program files\Reference Assemblies
2009-04-07 08:31 . 2009-04-07 08:30 -------- d-----w c:\program files\BitLord
2009-04-07 08:27 . 2009-04-05 05:04 -------- d-----w c:\documents and settings\Robby\Application Data\LimeWire
2009-04-06 23:32 . 2009-03-13 03:46 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 23:32 . 2009-03-13 03:46 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 08:20 . 2009-04-06 08:20 -------- d-----w c:\program files\DivX
2009-04-06 08:20 . 2009-04-06 08:20 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-05 05:04 . 2009-04-05 05:03 -------- d-----w c:\program files\LimeWire
2009-03-29 20:38 . 2009-03-29 20:38 21840 ----a-w c:\windows\system32\SIntfNT.dll
2009-03-29 20:38 . 2009-03-29 20:38 17212 ----a-w c:\windows\system32\SIntf32.dll
2009-03-29 20:38 . 2009-03-29 20:38 12067 ----a-w c:\windows\system32\SIntf16.dll
2009-03-25 00:13 . 2009-03-25 00:13 -------- d-----w c:\program files\MP3 Converter Simple
2009-03-24 23:52 . 2009-03-24 23:52 -------- d-----w c:\program files\GoldWave
2009-03-24 23:50 . 2009-03-24 23:49 -------- d-----w c:\program files\HyCam2
2009-03-24 07:50 . 2008-01-21 05:59 -------- d-----w c:\program files\Yahoo!
2009-03-10 16:04 . 2009-03-10 16:04 220926964 ----a-w c:\documents and settings\Robby\Application Data\ijjigame\U_GUNZ_setup.exe
2009-03-10 16:02 . 2009-03-10 16:02 480688 ----a-w c:\documents and settings\Robby\Application Data\ijjigame\ijjistarter2.exe
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-21_00.59.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-22 20:49 . 2009-05-22 20:49 16384 c:\windows\Temp\Perflib_Perfdata_ef0.dat
+ 2009-05-22 22:22 . 2009-05-22 22:22 16384 c:\windows\Temp\Perflib_Perfdata_5a4.dat
+ 2009-05-22 22:22 . 2009-05-22 22:22 16384 c:\windows\Temp\Perflib_Perfdata_448.dat
+ 2009-05-21 21:18 . 2009-05-21 21:18 148888 c:\windows\system32\javaws.exe
+ 2009-05-21 21:18 . 2009-05-21 21:18 144792 c:\windows\system32\javaw.exe
+ 2009-05-21 21:18 . 2009-05-21 21:18 144792 c:\windows\system32\java.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-11-16 02:46 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c008b1c4]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnet3.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnet3[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnet3[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx30SP1setup.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx30SP1setup[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx30SP1setup[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx35.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx35setup.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx35setup[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx35setup[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx35[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx35[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3setup.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3setup[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3setup[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3_ia64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3_ia64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3_ia64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3_x64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3_x64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx3_x64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\dotnetfx[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_ia64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_ia64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_ia64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_x64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_x64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_x64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_x86.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_x86[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP1_x86[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_ia64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_ia64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_ia64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_x64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_x64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_x64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_x86.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_x86[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx20SP2_x86[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx30SP1_x64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx30SP1_x64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx30SP1_x64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx30SP1_x86.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx30SP1_x86[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx30SP1_x86[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_ia64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_ia64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_ia64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_x64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_x64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_x64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_x86.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_x86[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx35_x86[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx64.exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx64[1].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\NetFx64[2].exe]
"Debugger"=c:\windows\Microsoft.NET\Framework\v2.0.50727\DotNetFxInstallBlock.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^REALTEK USB Wireless LAN Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\REALTEK USB Wireless LAN Utility.lnk
backup=c:\windows\pss\REALTEK USB Wireless LAN Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TrayMin200.exe.lnk]
backup=c:\windows\pss\TrayMin200.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"Uniblue DiskRescue"=2 (0x2)
"sp_rssrv"=2 (0x2)
"iPod Service"=3 (0x3)
"npggsvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Steam\\SteamApps\\perromuerto8\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\Program Files\\Steam\\SteamApps\\hizgrayc\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\hizgrayc\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\hizgrayc\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.3.3.7799-to-2.4.0.8089-enUS-downloader.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\ijji\\ENGLISH\\u_gunz.exe"=
"c:\\ijji\\ENGLISH\\Gunz\\Gunz.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/9/2009 1:03 AM 130936]
R2 CachemanXPService;CachemanXP;c:\progra~1\CachemanXP\CachemanXP.exe [4/28/2009 12:29 AM 355840]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [4/28/2008 11:05 AM 38144]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/16/2008 1:19 AM 24652]
S3 FETND6V;VIA Rhine Family Fast Ethernet Adapter Driver;c:\windows\system32\drivers\fetnd6v.sys [9/22/2008 11:20 AM 43520]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [4/28/2008 11:05 AM 209152]
S3 sdauxservice;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/9/2009 1:03 AM 348752]
S4 Uniblue DiskRescue;Uniblue DiskRescue;c:\program files\Uniblue\DiskRescue\UBDiskRescueSrv.exe [9/10/2008 7:22 AM 229648]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
oimvbgdv
.
Contents of the 'Scheduled Tasks' folder

2009-05-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-04-12 c:\windows\Tasks\Uniblue DiskRescue 2009.job
- c:\program files\Uniblue\DiskRescue\UBDiskRescue.exe [2008-09-10 15:22]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\Robby\Application Data\Mozilla\Firefox\Profiles\3nz327w5.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4E7FF8BB-0A5A-4AA3-B764-B39BA9A13E38", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CIDB24F189F-FB14-4EFD-8B9D-217EC6C84EA1", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID86ED3659-02F6-465D-8F19-A9334614CCC3", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID5D7F48C0-CB49-4ea6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CIDA43C6FC7-09F6-4E04-B8E3-683F3BDFEF7C", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF15.js - pref("capability.policy.default.ClassID.CID4C8D6404-A9F6-4236-8488-6C5732CB3BFA", "AllAccess");.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-22 14:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ATKKBService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-22 14:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-22 22:25
ComboFix2.txt 2009-05-21 21:06
ComboFix3.txt 2009-05-21 01:02

Pre-Run: 65,294,925,824 bytes free
Post-Run: 65,392,922,624 bytes free

384

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:59 PM

Posted 23 May 2009 - 01:31 PM

How is your computer behaving now?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 mistermoo32

mistermoo32
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:59 PM

Posted 23 May 2009 - 11:10 PM

definatley better, im not noticing any redirects anymore, hah, should i run malwarebytes and see if it comes up clean?

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:59 PM

Posted 24 May 2009 - 10:38 AM

Sounds good! Yeah, let's see what Malwarebytes can turn up.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 mistermoo32

mistermoo32
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:59 PM

Posted 25 May 2009 - 03:36 PM

sorry for the slow response, net died yesterday, ironically while i was typing my response... anywho, even after a reboot, malwarebytes came up clean! :thumbup2: thanks so much for your help, ill be sure to return here should any other problems surface

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:59 PM

Posted 26 May 2009 - 10:37 AM

Great to hear! :)


We need to remove Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • Posted Image



==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbup2: :)
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:59 PM

Posted 24 June 2009 - 09:12 AM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users