Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Internal window:svchost.exe - application error


  • This topic is locked This topic is locked
42 replies to this topic

#1 sreez

sreez

  • Members
  • 634 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai(UAE)
  • Local time:02:05 AM

Posted 08 January 2010 - 12:31 PM

Hi there,

I have clients laptop which gives me this error.

The exception privileged instruction.
(Oxc0000096) occured in the application at location 0x4d510afc.

Click Ok or terminate.

After that I get window saying Generic host process for Win32 services encountered a problem and needs to close. Sorry for inconvience.

Once we click for them, the system doesnot respond, none of the icons or anything is accessible.

I was able to scan using MBAM and it came with the clean system. I was not able to run online scanners like Eset or Trendmicro House call as they just crash the IE.

Here is the DDS log for it.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 17:18:25.21 on 08/01/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1586 [GMT 0:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Enterprise Suite *On-access scanning enabled* (Updated) {8C341646-C3D0-4B45-8959-08AD347057A3}
FW: Enterprise Suite *enabled* {B4185A1B-1127-44A9-8726-942320C98CE0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Digital Line Detect\DLG.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
E:\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\toolbar\SZSG.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: UrlHelper Class: {474597c5-ab09-49d6-a4d5-2e8d7341384e} - c:\program files\imesh applications\imesh\iMeshIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: MediaBar: {abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f} - c:\program files\imeshmediabartb\iMeshMediaBarDx.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1008.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1008.0\msneshellx.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\toolbar\SZSG.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: MediaBar: {abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f} - c:\program files\imeshmediabartb\iMeshMediaBarDx.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: image file execution options - svchost.exe
IFEO: brastk.exe - svchost.exe
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R0 iteraid;iteraid;c:\windows\system32\drivers\iteraid.sys [2008-1-9 25423]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-9-14 58856]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-9-14 333928]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-26 55656]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-7-28 54752]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2009-12-21 583640]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2009-9-14 967912]
S1 avgio;avgio;\??\c:\program files\avira\antivir desktop\avgio.sys --> c:\program files\avira\antivir desktop\avgio.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S4 AntiVirSchedulerService;Avira AntiVir Scheduler; [x]
S4 AntiVirService;Avira AntiVir Guard; [x]
S4 gupdate1ca437b886cb246;Google Update Service (gupdate1ca437b886cb246);c:\program files\google\update\GoogleUpdate.exe [2009-10-2 133104]

=============== Created Last 30 ================

2010-01-08 15:41:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 15:41:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-08 15:41:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-30 15:40:19 0 d-----w- c:\docume~1\alluse~1\applic~1\13BB
2009-12-21 20:40:58 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2009-12-21 20:40:58 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2009-12-21 20:40:58 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2009-12-15 20:09:49 0 d-----w- c:\windows\pss
2009-12-11 18:02:31 0 d-----w- c:\windows\system32\drivers\NSS

==================== Find3M ====================

2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:58 102912 ----a-w- c:\windows\system32\occache.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\SET2B.tmp
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

============= FINISH: 17:18:49.96 ===============

I didnt attach.txt. If required please let me know.

Thanks

Edited by sreez, 08 January 2010 - 12:32 PM.

LIFE is so simple, if you know the reason of your existence at certain place. Treat every step as first one and trust god, friends, relatives and everyone.

 

Its a simple magic trick given to me by one friend also and I am at this stage  :love4u:


BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:05 AM

Posted 08 January 2010 - 01:22 PM

Hi sreez,

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Though the infection is known let's do it properly. Post the Attach.txt too. Also please either follow the Preparation guide and post the RR log or post a GMER log.

#3 sreez

sreez
  • Topic Starter

  • Members
  • 634 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai(UAE)
  • Local time:02:05 AM

Posted 11 January 2010 - 07:15 AM

Hi Farbar,

Thanks a lot for the reply. Yes I agree with you in not running any fixes unless suggested by you.

Can I attach this system to my office network or is it seriously infected that I cant(though I dont this so, but double checking). At the moment I copying everything via pen drive to that laptop.

Ok here attach.txt and the RR log, also if you dont mind please give me little training about how you trace those infections( Also I have to tell you we have less time as the client might need her laptop soon)


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/11 12:05
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB6175000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE02000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8528000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\owner\application data\skype\bella.reehal\etilqs_p4mjfhgwz859jhifbvlm
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\owner\application data\skype\bella.reehal\etilqs_7ozhlaohdyijocugxwhl
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Core.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Core.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.ISOImage.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.ISOImage.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Interop.IWshRuntimeLibrary.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Interop.IWshRuntimeLibrary.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\stdole.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\stdole.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Xceed.Compression.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Xceed.Compression.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\DellDriverDownloadManager.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\DellDriverDownloadManager.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\DellDriverDownloadManager.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\DellDriverDownloadManager.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Apps\2.0\1METP8H2.OV7\AE3RPVEB.G6N\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb6219cea

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb621a3e6

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xbafae2ce

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xbafae2c4

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb621a532

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xbafae2d3

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xbafae2dd

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xbafae2e2

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb621a496

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xbafae2b0

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xbafae2b5

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb621a142

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb621dae8

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb621da52

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xbafae2ec

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xbafae2e7

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb6219c98

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb621a592

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xbafae2d8

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb6219c3c

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xbafae2bf

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb6219be0

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb621f24e

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb621f29c

#: 378 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb621a8ba

#: 477 Function Name: NtUserPrintWindow
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb621f2f6

#: 483 Function Name: NtUserQueryWindow
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb621a82e

==EOF==

Attached Files


LIFE is so simple, if you know the reason of your existence at certain place. Treat every step as first one and trust god, friends, relatives and everyone.

 

Its a simple magic trick given to me by one friend also and I am at this stage  :love4u:


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:05 AM

Posted 11 January 2010 - 12:38 PM

No problem connecting this to the network. We need internet connection to Run ComboFix.

Unfortunately this open forum is not the right place for training.

Avira is not properly uninstalled. We need to uninstall the remnants later on.
  1. Go to Add/Remove programs and uninstall this adware/spyware related application: iMesh

    Also remove this folder: c:\program files\imesh applications

  2. Go to start > Run copy and paste the following lines one by one in the run box and click OK after each line:

    CODE
    cmd /c reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /v Debugger /f
    cmd /c reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe" /f


    A window flashes it is normal.

  3. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#5 sreez

sreez
  • Topic Starter

  • Members
  • 634 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai(UAE)
  • Local time:02:05 AM

Posted 11 January 2010 - 01:27 PM

Hello Farbar,

I was able to uninstall Imesh and deleted those registry keys.

When I was installed and combo fix and running it, It asked me to disable Avira. Therefore I checked if I can find a way to do it, but as its not installed properly its hard now. Like the Avira folder is program files is empty sad.gif

Therefore I am struck there. Anyideas to go around it or should I continue ignoring the warning by combox fix.

Thanks,

LIFE is so simple, if you know the reason of your existence at certain place. Treat every step as first one and trust god, friends, relatives and everyone.

 

Its a simple magic trick given to me by one friend also and I am at this stage  :love4u:


#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:05 AM

Posted 11 January 2010 - 02:05 PM


Go to start > Run copy and paste the following line and click OK:

sc config avgntflt start= disabled

A window flashes it is normal.

Now reboot and go ahead ignoring any warning concerning Avira.

#7 sreez

sreez
  • Topic Starter

  • Members
  • 634 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai(UAE)
  • Local time:02:05 AM

Posted 11 January 2010 - 02:56 PM

Farbar,

I left the office for the day, we update you tomorrow about it.

Cheers,
Sreez

LIFE is so simple, if you know the reason of your existence at certain place. Treat every step as first one and trust god, friends, relatives and everyone.

 

Its a simple magic trick given to me by one friend also and I am at this stage  :love4u:


#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:05 AM

Posted 11 January 2010 - 03:25 PM

Okay sreez. thumbup2.gif

#9 sreez

sreez
  • Topic Starter

  • Members
  • 634 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai(UAE)
  • Local time:02:05 AM

Posted 12 January 2010 - 11:31 AM

Hello farbar,

Here is combo fix log. I think you already still there error message is same and when I close it, it freezes the desktop and dont let me do anything.

ComboFix 10-01-11.01 - Owner 12/01/2010 16:17:22.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1605 [GMT 0:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Enterprise Suite *On-access scanning enabled* (Updated) {8C341646-C3D0-4B45-8959-08AD347057A3}
FW: Enterprise Suite *enabled* {B4185A1B-1127-44A9-8726-942320C98CE0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\PAV
c:\program files\Common Files\Uninstall

.
((((((((((((((((((((((((( Files Created from 2009-12-12 to 2010-01-12 )))))))))))))))))))))))))))))))
.

2010-01-11 12:01 . 2010-01-11 12:01 0 ----a-w- c:\documents and settings\Owner\settings.dat
2010-01-08 15:41 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 15:41 . 2010-01-08 15:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 15:41 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-30 15:40 . 2009-12-30 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\13BB

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-11 18:51 . 2009-10-29 12:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-08 16:13 . 2009-01-27 17:22 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-01-06 15:12 . 2009-03-22 17:49 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2010-01-06 12:50 . 2009-07-06 16:20 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-12-21 21:00 . 2009-11-27 13:57 -------- d-----w- c:\program files\RegCure
2009-12-21 20:40 . 2009-10-29 12:07 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-15 20:23 . 2009-01-27 17:29 -------- d-----w- c:\program files\Google
2009-12-12 15:39 . 2009-08-21 17:04 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-11 18:02 . 2009-08-12 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-11 18:02 . 2009-02-17 10:41 -------- d-----w- c:\program files\Norton Security Scan
2009-12-11 18:02 . 2009-08-12 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-12-03 18:41 . 2009-12-03 18:41 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2009-12-03 17:53 . 2009-12-03 17:53 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-12-03 17:53 . 2009-12-03 17:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-30 13:07 . 2009-11-25 18:39 -------- d-sh--w- c:\documents and settings\All Users\Application Data\7bb7563
2009-11-27 14:09 . 2009-11-27 14:09 -------- d-----w- c:\documents and settings\Owner\Application Data\ParetoLogic
2009-11-27 14:09 . 2009-11-27 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-11-27 14:09 . 2009-11-27 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-11-27 13:57 . 2009-11-27 13:57 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2009-11-27 13:51 . 2009-05-26 20:24 -------- d-----w- c:\program files\Avira
2009-11-25 18:40 . 2009-11-25 18:40 -------- d-sh--w- c:\documents and settings\All Users\Application Data\WEBOSNRPHPS
2009-11-23 19:42 . 2009-11-23 19:42 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-11-23 19:41 . 2009-01-27 17:30 -------- d-----w- c:\program files\Windows Live
2009-10-29 07:46 . 2008-06-09 18:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2008-06-09 17:59 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2008-06-09 17:59 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-27 22:53 . 2009-10-28 13:39 55232 ----a-w- c:\documents and settings\All Users\Application Data\LGMOBILEAX\LGMLauncher.exe
2009-10-27 22:53 . 2009-10-28 13:39 1030080 ----a-w- c:\documents and settings\All Users\Application Data\LGMOBILEAX\B2C_Client\LGUserCSTool.exe
2009-10-27 05:28 . 2009-10-28 13:39 90112 ----a-w- c:\documents and settings\All Users\Application Data\LGMOBILEAX\B2C_Client\LGMobileDL.dll
2009-10-27 05:28 . 2009-10-28 13:39 483328 ----a-w- c:\documents and settings\All Users\Application Data\LGMOBILEAX\B2C_Client\LGMUpgradeDL.dll
2009-10-21 05:38 . 2008-06-09 18:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-06-09 17:59 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 00:23 265728 ----a-w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}]
2009-07-31 11:58 91568 ----a-w- c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}"= "c:\program files\iMeshMediabarTb\iMeshMediaBarDx.dll" [2009-07-31 91568]

[HKEY_CLASSES_ROOT\clsid\{abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-11-25 3176408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-08 305440]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-01 13508608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-02 198160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-10-29 24576]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]
2009-12-01 18:38 122880 ----a-w- c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"gupdate1ca437b886cb246"=2 (0x2)
"PCTAVSvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Downloads\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Downloads\\Phone\\Skype.exe"=

R0 iteraid;iteraid;c:\windows\system32\drivers\iteraid.sys [09/01/2008 17:40 25423]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [14/09/2009 19:38 58856]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [14/09/2009 19:38 333928]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [28/07/2009 16:19 54752]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [21/12/2009 20:40 583640]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [14/09/2009 19:38 967912]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 22:48 704864]
S4 AntiVirSchedulerService;Avira AntiVir Scheduler; [x]
S4 gupdate1ca437b886cb246;Google Update Service (gupdate1ca437b886cb246);c:\program files\Google\Update\GoogleUpdate.exe [02/10/2009 16:15 133104]
.
Contents of the 'Scheduled Tasks' folder

2009-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-01-11 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]

2010-01-11 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]

2009-12-22 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-12 16:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1016)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-12 16:22:56
ComboFix-quarantined-files.txt 2010-01-12 16:22

Pre-Run: 80,129,196,032 bytes free
Post-Run: 80,229,908,480 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 5FFA36463B07D49B57D950C9DD93676E

LIFE is so simple, if you know the reason of your existence at certain place. Treat every step as first one and trust god, friends, relatives and everyone.

 

Its a simple magic trick given to me by one friend also and I am at this stage  :love4u:


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:05 AM

Posted 12 January 2010 - 02:35 PM

Did you uninstall iMesh?

Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt



#11 sreez

sreez
  • Topic Starter

  • Members
  • 634 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai(UAE)
  • Local time:02:05 AM

Posted 12 January 2010 - 04:49 PM

Sorry farbar,

Left the office will update you tomorrow sad.gif

Cheers

LIFE is so simple, if you know the reason of your existence at certain place. Treat every step as first one and trust god, friends, relatives and everyone.

 

Its a simple magic trick given to me by one friend also and I am at this stage  :love4u:


#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:05 AM

Posted 12 January 2010 - 05:12 PM

Since we have the limitations I try to see if we can do this faster.

Please tell me about Imesh uninstall.

Instead of DDS do the following:
  1. Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Click the "Scan All Users" checkbox.
    • Under Output select "Standard Output" checkbox.
    • Set Services, Drivers and Standard Registry to All.
    • Click Run Scan button.
    • Two reports will open, copy and paste them to your reply:
      • OTL.txt <-- Will be opened
      • Extra.txt <-- Will be minimized

  2. Download the GMER Rootkit Scanner exe file from here and save it to your desktop.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
    • Click on this link to see a list of programs that should be disabled.
    • Disconnect from the Internet and close all running programs.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
      • Sections
      • IAT/EAT
      • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
      • Show All (this one also should be unchecked)
    • Then click the Scan button & wait for it to begin. (Please be patient as it can take some time to complete).
    • When the scan is finished, you will see the scan button appears again. Click Save to save the scan results to your Desktop.
    • Save the file as gmer.log and copy/paste the contents in your next reply.


#13 sreez

sreez
  • Topic Starter

  • Members
  • 634 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai(UAE)
  • Local time:02:05 AM

Posted 13 January 2010 - 08:11 AM

Hi farbar,

I have uninstalled the imesh following your suggestion. Still I have those messages popping up.

I have run the OTL and GMER as per requests.

OTL logfile created on: 13/01/2010 12:13:35 - Run 1
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 80.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.15 Gb Total Space | 73.75 Gb Free Space | 79.17% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 244.84 Mb Total Space | 52.87 Mb Free Space | 21.59% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BELLA
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/13 12:03:10 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2009/11/25 15:42:18 | 00,583,640 | ---- | M] (PC Tools) -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
PRC - [2009/10/02 16:16:51 | 00,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/09/14 19:38:34 | 01,422,568 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PRC - [2009/09/14 19:38:32 | 00,967,912 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2009/09/08 20:09:42 | 00,305,440 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/09/08 20:09:30 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/07/09 11:22:18 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/05/19 10:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/01/27 17:23:41 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/14 04:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/14 04:42:20 | 00,180,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dwwin.exe
PRC - [2008/03/01 13:17:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2006/11/03 10:01:16 | 00,319,488 | ---- | M] (PixArt Imaging Incorporation) -- C:\WINDOWS\PixArt\PAC7302\Monitor.exe
PRC - [2003/10/29 02:06:00 | 00,024,576 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe


========== Modules (SafeList) ==========

MOD - [2010/01/13 12:03:10 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2009/09/14 19:38:40 | 00,341,224 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\rooksbas.dll
MOD - [2009/09/14 19:38:36 | 00,632,040 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Trusteer\Rapport\bin\msvcr80.dll


========== Win32 Services (All) ==========

SRV - File not found [Disabled | Stopped] -- -- (AntiVirService)
SRV - File not found [Disabled | Stopped] -- -- (AntiVirSchedulerService)
SRV - [2009/11/25 15:42:18 | 00,583,640 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe -- (PCToolsSSDMonitorSvc)
SRV - [2009/10/02 16:15:13 | 00,133,104 | ---- | M] (Google Inc.) [Disabled | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1ca437b886cb246) Google Update Service (gupdate1ca437b886cb246)
SRV - [2009/09/14 19:38:32 | 00,967,912 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2009/09/08 20:09:30 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/08/05 22:48:42 | 00,704,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2009/07/09 11:22:18 | 00,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/06/10 06:14:49 | 00,132,096 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wkssvc.dll -- (lanmanworkstation)
SRV - [2009/05/19 10:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/05/01 16:15:11 | 00,182,768 | ---- | M] (Google) [Disabled | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/02/09 12:10:48 | 00,617,472 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\advapi32.dll -- (Wmi)
SRV - [2009/02/09 12:10:48 | 00,401,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\rpcss.dll -- (RpcSs) Remote Procedure Call (RPC)
SRV - [2009/02/09 12:10:48 | 00,401,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\rpcss.dll -- (DcomLaunch)
SRV - [2009/02/06 11:11:05 | 00,110,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\services.exe -- (PlugPlay)
SRV - [2009/02/06 11:11:05 | 00,110,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\services.exe -- (Eventlog)
SRV - [2009/01/27 17:23:41 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/07/29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/29 18:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/07/29 18:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/07/25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 10:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/07/07 20:26:58 | 00,253,952 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\es.dll -- (EventSystem)
SRV - [2008/06/20 17:46:57 | 00,245,248 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\mswsock.dll -- (Nla) Network Location Awareness (NLA)
SRV - [2008/04/14 04:51:44 | 00,483,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wzcsvc.dll -- (WZCSVC)
SRV - [2008/04/14 04:42:42 | 00,126,464 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\wbem\wmiapsrv.exe -- (WmiApSrv)
SRV - [2008/04/14 04:42:40 | 00,289,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\vssvc.exe -- (VSS)
SRV - [2008/04/14 04:42:40 | 00,073,216 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\tlntsvr.exe -- (TlntSvr)
SRV - [2008/04/14 04:42:40 | 00,018,432 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ups.exe -- (UPS)
SRV - [2008/04/14 04:42:38 | 00,057,856 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\spoolsv.exe -- (Spooler)
SRV - [2008/04/14 04:42:38 | 00,014,336 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\svchost.exe -- (HidServ)
SRV - [2008/04/14 04:42:36 | 00,141,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\sessmgr.exe -- (RDSessMgr)
SRV - [2008/04/14 04:42:36 | 00,089,600 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\smlogsvc.exe -- (SysmonLog)
SRV - [2008/04/14 04:42:34 | 00,095,744 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\scardsvr.exe -- (SCardSvr)
SRV - [2008/04/14 04:42:30 | 00,111,104 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\netdde.exe -- (NetDDEdsdm)
SRV - [2008/04/14 04:42:30 | 00,111,104 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\netdde.exe -- (NetDDE)
SRV - [2008/04/14 04:42:30 | 00,078,848 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\msiexec.exe -- (MSIServer)
SRV - [2008/04/14 04:42:28 | 00,006,144 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\msdtc.exe -- (MSDTC)
SRV - [2008/04/14 04:42:26 | 00,075,264 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\locator.exe -- (RpcLocator) Remote Procedure Call (RPC)
SRV - [2008/04/14 04:42:26 | 00,032,768 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\mnmsrvc.exe -- (mnmsrvc)
SRV - [2008/04/14 04:42:26 | 00,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (SamSs)
SRV - [2008/04/14 04:42:26 | 00,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (ProtectedStorage)
SRV - [2008/04/14 04:42:26 | 00,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (PolicyAgent)
SRV - [2008/04/14 04:42:26 | 00,013,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\lsass.exe -- (NtLmSsp)
SRV - [2008/04/14 04:42:26 | 00,013,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\lsass.exe -- (Netlogon)
SRV - [2008/04/14 04:42:24 | 00,150,528 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\imapi.exe -- (ImapiService)
SRV - [2008/04/14 04:42:18 | 00,224,768 | ---- | M] (Microsoft Corp., Veritas Software) [On_Demand | Stopped] -- C:\WINDOWS\System32\dmadmin.exe -- (dmadmin)
SRV - [2008/04/14 04:42:18 | 00,005,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\dllhost.exe -- (SwPrv)
SRV - [2008/04/14 04:42:18 | 00,005,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\dllhost.exe -- (COMSysApp)
SRV - [2008/04/14 04:42:16 | 00,033,280 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\clipsrv.exe -- (ClipSrv)
SRV - [2008/04/14 04:42:16 | 00,005,632 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\cisvc.exe -- (CiSvc)
SRV - [2008/04/14 04:42:14 | 00,044,544 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\alg.exe -- (ALG)
SRV - [2008/04/14 04:42:12 | 00,129,024 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\xmlprov.dll -- (xmlprov)
SRV - [2008/04/14 04:42:12 | 00,080,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wscsvc.dll -- (wscsvc)
SRV - [2008/04/14 04:42:12 | 00,006,656 | ---- | M] (Microsoft Corporation) [Auto | Start_Pending] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
SRV - [2008/04/14 04:42:10 | 00,333,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wiaservc.dll -- (stisvc) Windows Image Acquisition (WIA)
SRV - [2008/04/14 04:42:10 | 00,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\upnphost.dll -- (upnphost)
SRV - [2008/04/14 04:42:10 | 00,175,104 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\w32time.dll -- (W32Time)
SRV - [2008/04/14 04:42:10 | 00,144,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wbem\wmisvc.dll -- (winmgmt)
SRV - [2008/04/14 04:42:10 | 00,068,096 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\webclnt.dll -- (WebClient)
SRV - [2008/04/14 04:42:10 | 00,015,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\w3ssl.dll -- (HTTPFilter)
SRV - [2008/04/14 04:42:08 | 00,295,424 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\termsrv.dll -- (TermService)
SRV - [2008/04/14 04:42:08 | 00,249,856 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\tapisrv.dll -- (TapiSrv)
SRV - [2008/04/14 04:42:08 | 00,171,008 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\srsvc.dll -- (srservice)
SRV - [2008/04/14 04:42:08 | 00,096,768 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\srvsvc.dll -- (LanmanServer)
SRV - [2008/04/14 04:42:08 | 00,090,112 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\trkwks.dll -- (TrkWks)
SRV - [2008/04/14 04:42:08 | 00,071,680 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\ssdpsrv.dll -- (SSDPSRV)
SRV - [2008/04/14 04:42:06 | 00,192,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\schedsvc.dll -- (Schedule)
SRV - [2008/04/14 04:42:06 | 00,135,168 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (Themes)
SRV - [2008/04/14 04:42:06 | 00,135,168 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (ShellHWDetection)
SRV - [2008/04/14 04:42:06 | 00,135,168 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (FastUserSwitchingCompatibility)
SRV - [2008/04/14 04:42:06 | 00,059,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\regsvc.dll -- (RemoteRegistry)
SRV - [2008/04/14 04:42:06 | 00,039,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\sens.dll -- (SENS)
SRV - [2008/04/14 04:42:06 | 00,018,944 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\seclogon.dll -- (seclogon)
SRV - [2008/04/14 04:42:04 | 00,435,200 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ntmssvc.dll -- (NtmsSvc)
SRV - [2008/04/14 04:42:04 | 00,409,088 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\qmgr.dll -- (BITS)
SRV - [2008/04/14 04:42:04 | 00,291,328 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\qagentrt.dll -- (napagent)
SRV - [2008/04/14 04:42:04 | 00,186,368 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\rasmans.dll -- (RasMan)
SRV - [2008/04/14 04:42:04 | 00,088,576 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rasauto.dll -- (RasAuto)
SRV - [2008/04/14 04:42:04 | 00,038,400 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc)
SRV - [2008/04/14 04:42:02 | 00,198,144 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\netman.dll -- (Netman)
SRV - [2008/04/14 04:42:00 | 00,033,792 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\msgsvc.dll -- (Messenger)
SRV - [2008/04/14 04:41:58 | 00,061,440 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\kmsvc.dll -- (hkmsvc)
SRV - [2008/04/14 04:41:58 | 00,053,248 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\mprdim.dll -- (RemoteAccess)
SRV - [2008/04/14 04:41:58 | 00,013,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lmhsvc.dll -- (LmHosts)
SRV - [2008/04/14 04:41:56 | 00,331,264 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ipnathlp.dll -- (SharedAccess) Windows Firewall/Internet Connection Sharing (ICS)
SRV - [2008/04/14 04:41:54 | 00,132,096 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dot3svc.dll -- (Dot3svc)
SRV - [2008/04/14 04:41:54 | 00,045,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dnsrslvr.dll -- (Dnscache)
SRV - [2008/04/14 04:41:54 | 00,033,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\eapsvc.dll -- (EapHost)
SRV - [2008/04/14 04:41:54 | 00,023,552 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\WINDOWS\system32\dmserver.dll -- (dmserver)
SRV - [2008/04/14 04:41:54 | 00,023,040 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ersvc.dll -- (ERSvc)
SRV - [2008/04/14 04:41:52 | 00,126,976 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dhcpcsvc.dll -- (Dhcp)
SRV - [2008/04/14 04:41:52 | 00,077,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\browser.dll -- (Browser)
SRV - [2008/04/14 04:41:52 | 00,062,464 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\cryptsvc.dll -- (CryptSvc)
SRV - [2008/04/14 04:41:52 | 00,042,496 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\audiosrv.dll -- (AudioSrv)
SRV - [2008/04/14 04:41:50 | 00,167,936 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\appmgmts.dll -- (AppMgmt)
SRV - [2008/04/14 04:41:50 | 00,017,408 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\alrsvc.dll -- (Alerter)
SRV - [2008/03/01 13:17:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2006/10/18 21:47:16 | 00,027,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\mspmsnsv.dll -- (WmdmPmSN)
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2006/09/28 18:56:14 | 00,055,808 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\WudfSvc.dll -- (WudfSvc)
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM)
SRV - [2001/08/23 12:00:00 | 00,132,608 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rsvp.exe -- (RSVP)


========== Driver Services (All) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ViaIde)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ultra)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (UIUSys)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (TosIde)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (symc8xx)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (symc810)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (sym_u3)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (sym_hi)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Sparrow)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Simbad)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ql1280)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ql1240)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ql12160)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Ql10wnt)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ql1080)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (perc2hib)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (perc2)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (mraid35x)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (IntelIde)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (ini910u)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (i2omp)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (hpn)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (dpti2o)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (dac960nt)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Cpqarray)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (CmdIde)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (cd20xrnt)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (catchme)
DRV - File not found [Kernel | System | Stopped] -- -- (avgio)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Atdisk)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (asc3550)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (asc3350p)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (asc)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (amsint)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (AliIde)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (aic78xx)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (aic78u2)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Aha154x)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (adpu160m)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (abp480n5)
DRV - File not found [Kernel | Disabled | Stopped] -- -- (Abiosdsk)
DRV - [2009/10/20 16:20:16 | 00,265,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\http.sys -- (HTTP)
DRV - [2009/09/14 19:38:40 | 00,333,928 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2009/09/14 19:38:40 | 00,058,856 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys -- (RapportKELL)
DRV - [2009/08/28 18:42:52 | 00,040,448 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2009/08/05 22:48:42 | 00,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2009/08/05 15:02:18 | 00,055,656 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/06/24 11:18:41 | 00,092,928 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ksecdd.sys -- (KSecDD)
DRV - [2009/06/09 17:06:30 | 00,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/05/18 13:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/03/30 09:33:07 | 00,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2008/12/11 10:57:09 | 00,333,952 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\srv.sys -- (Srv)
DRV - [2008/10/24 11:21:09 | 00,455,296 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\mrxsmb.sys -- (MRxSmb)
DRV - [2008/09/12 13:32:56 | 00,327,192 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2008/08/14 10:04:36 | 00,138,496 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\afd.sys -- (AFD)
DRV - [2008/06/20 11:51:12 | 00,361,600 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip.sys -- (Tcpip)
DRV - [2008/04/14 05:43:22 | 00,040,840 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\termdd.sys -- (TermDD)
DRV - [2008/04/14 04:51:44 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/14 04:51:44 | 00,080,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\parport.sys -- (Parport)
DRV - [2008/04/14 04:51:44 | 00,079,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sdbus.sys -- (sdbus)
DRV - [2008/04/14 04:51:44 | 00,061,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nic1394.sys -- (NIC1394)
DRV - [2008/04/14 04:51:44 | 00,060,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\arp1394.sys -- (Arp1394)
DRV - [2008/04/14 04:51:44 | 00,042,112 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\imapi.sys -- (Imapi)
DRV - [2008/04/14 04:51:44 | 00,036,352 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\intelppm.sys -- (intelppm)
DRV - [2008/04/14 04:51:44 | 00,030,080 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\modem.sys -- (Modem)
DRV - [2008/04/14 04:51:44 | 00,023,040 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mouclass.sys -- (Mouclass)
DRV - [2008/04/14 04:51:44 | 00,015,488 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mssmbios.sys -- (mssmbios)
DRV - [2008/04/14 04:51:44 | 00,014,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ndisuio.sys -- (Ndisuio)
DRV - [2008/04/14 04:51:44 | 00,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tunmp.sys -- (tunmp)
DRV - [2008/04/14 04:51:44 | 00,004,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\swenum.sys -- (swenum)
DRV - [2008/04/14 04:43:24 | 00,139,656 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rdpwd.sys -- (RDPWD)
DRV - [2008/04/14 04:43:22 | 00,021,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tdtcp.sys -- (TDTCP)
DRV - [2008/04/14 04:43:22 | 00,012,040 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tdpipe.sys -- (TDPIPE)
DRV - [2008/04/14 00:47:20 | 00,083,072 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wdmaud.sys -- (wdmaud)
DRV - [2008/04/14 00:45:56 | 00,060,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sysaudio.sys -- (sysaudio)
DRV - [2008/04/14 00:15:40 | 00,026,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USBSTOR.SYS -- (USBSTOR)
DRV - [2008/04/14 00:15:38 | 00,059,520 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbhub.sys -- (usbhub)
DRV - [2008/04/14 00:15:36 | 00,020,608 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbuhci.sys -- (usbuhci)
DRV - [2008/04/14 00:15:14 | 00,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\drmkaud.sys -- (drmkaud)
DRV - [2008/04/14 00:15:10 | 00,172,416 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\kmixer.sys -- (kmixer)
DRV - [2008/04/14 00:15:10 | 00,056,576 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\swmidi.sys -- (swmidi)
DRV - [2008/04/14 00:15:08 | 00,006,272 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\splitter.sys -- (splitter)
DRV - [2008/04/14 00:15:02 | 00,052,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DMusic.sys -- (DMusic)
DRV - [2008/04/14 00:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\atapi.sys -- (atapi)
DRV - [2008/04/14 00:10:28 | 00,057,600 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\redbook.sys -- (redbook)
DRV - [2008/04/14 00:09:54 | 00,007,552 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MSKSSRV.sys -- (MSKSSRV)
DRV - [2008/04/14 00:09:52 | 00,005,376 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MSPCLOCK.sys -- (MSPCLOCK)
DRV - [2008/04/14 00:09:52 | 00,004,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MSPQM.sys -- (MSPQM)
DRV - [2008/04/14 00:06:46 | 00,068,224 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\pci.sys -- (PCI)
DRV - [2008/04/14 00:06:42 | 00,037,248 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\isapnp.sys -- (isapnp)
DRV - [2008/04/14 00:06:40 | 00,008,832 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\wmiacpi.sys -- (WmiAcpi)
DRV - [2008/04/14 00:06:38 | 00,013,952 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CmBatt.sys -- (CmBatt)
DRV - [2008/04/14 00:06:38 | 00,010,240 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\compbatt.sys -- (Compbatt)
DRV - [2008/04/14 00:02:52 | 00,196,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rdpdr.sys -- (rdpdr)
DRV - [2008/04/13 23:58:40 | 00,175,744 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\rdbss.sys -- (Rdbss)
DRV - [2008/04/13 23:51:02 | 00,162,816 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\netbt.sys -- (NetBT)
DRV - [2008/04/13 23:50:44 | 00,091,520 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ndiswan.sys -- (NdisWan)
DRV - [2008/04/13 23:50:38 | 00,182,656 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ndis.sys -- (NDIS)
DRV - [2008/04/13 23:49:50 | 00,048,384 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\raspptp.sys -- (PptpMiniport) WAN Miniport (PPTP)
DRV - [2008/04/13 23:49:44 | 00,075,264 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ipsec.sys -- (IPSec)
DRV - [2008/04/13 23:49:44 | 00,051,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rasl2tp.sys -- (Rasl2tp) WAN Miniport (L2TP)
DRV - [2008/04/13 23:48:02 | 00,052,480 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\i8042prt.sys -- (i8042prt)
DRV - [2008/04/13 23:47:06 | 00,105,344 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\mup.sys -- (Mup)
DRV - [2008/04/13 23:45:54 | 00,574,976 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\ntfs.sys -- (Ntfs)
DRV - [2008/04/13 23:45:46 | 00,064,512 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\serial.sys -- (Serial)
DRV - [2008/04/13 23:44:30 | 00,143,744 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\fastfat.sys -- (Fastfat)
DRV - [2008/04/13 23:44:22 | 00,063,744 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\cdfs.sys -- (Cdfs)
DRV - [2008/04/13 23:27:34 | 00,041,472 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\raspppoe.sys -- (RasPppoe)
DRV - [2008/04/13 23:27:30 | 00,040,576 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ndproxy.sys -- (NDProxy)
DRV - [2008/04/13 23:27:28 | 00,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\asyncmac.sys -- (AsyncMac)
DRV - [2008/04/13 23:27:28 | 00,010,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ndistapi.sys -- (NdisTapi)
DRV - [2008/04/13 23:27:22 | 00,034,560 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wanarp.sys -- (Wanarp)
DRV - [2008/04/13 23:27:16 | 00,152,832 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ipnat.sys -- (IpNat)
DRV - [2008/04/13 23:27:08 | 00,020,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ipinip.sys -- (IpInIp)
DRV - [2008/04/13 23:26:40 | 00,069,120 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psched.sys -- (PSched)
DRV - [2008/04/13 23:26:34 | 00,035,072 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\msgpc.sys -- (Gpc)
DRV - [2008/04/13 23:26:04 | 00,034,688 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\netbios.sys -- (NetBIOS)
DRV - [2008/04/13 23:24:30 | 00,011,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\irenum.sys -- (IRENUM)
DRV - [2008/04/13 23:23:36 | 00,036,608 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ip6fw.sys -- (Ip6Fw)
DRV - [2008/04/13 23:21:26 | 00,059,904 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atmarpc.sys -- (Atmarpc)
DRV - [2008/04/13 23:17:38 | 00,025,856 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbprint.sys -- (usbprint)
DRV - [2008/04/13 23:16:26 | 00,085,248 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NABTSFEC.sys -- (NABTSFEC)
DRV - [2008/04/13 23:16:26 | 00,019,200 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WSTCODEC.SYS -- (WSTCODEC)
DRV - [2008/04/13 23:16:24 | 00,017,024 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CCDECODE.sys -- (CCDECODE)
DRV - [2008/04/13 23:16:24 | 00,011,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SLIP.sys -- (SLIP)
DRV - [2008/04/13 23:16:24 | 00,010,880 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NdisIP.sys -- (NdisIP)
DRV - [2008/04/13 23:16:22 | 00,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\StreamIP.sys -- (streamip)
DRV - [2008/04/13 23:16:20 | 00,061,696 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ohci1394.sys -- (ohci1394)
DRV - [2008/04/13 23:15:40 | 00,032,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbccgp.sys -- (usbccgp)
DRV - [2008/04/13 23:15:36 | 00,030,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbehci.sys -- (usbehci)
DRV - [2008/04/13 23:14:50 | 00,799,744 | ---- | M] (Microsoft Corp., Veritas Software) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\dmboot.sys -- (dmboot)
DRV - [2008/04/13 23:14:48 | 00,153,344 | ---- | M] (Microsoft Corp., Veritas Software) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\dmio.sys -- (dmio)
DRV - [2008/04/13 23:14:42 | 00,020,992 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\vga.sys -- (VgaSave)
DRV - [2008/04/13 23:11:02 | 00,052,352 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\volsnap.sys -- (VolSnap)
DRV - [2008/04/13 23:10:50 | 00,019,712 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\partmgr.sys -- (PartMgr)
DRV - [2008/04/13 23:10:50 | 00,011,392 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\sfloppy.sys -- (Sfloppy)
DRV - [2008/04/13 23:10:48 | 00,062,976 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdrom.sys -- (Cdrom)
DRV - [2008/04/13 23:10:48 | 00,036,352 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\disk.sys -- (Disk)
DRV - [2008/04/13 23:10:26 | 00,027,392 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\fdc.sys -- (Fdc)
DRV - [2008/04/13 23:10:26 | 00,020,480 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\flpydisk.sys -- (Flpydisk)
DRV - [2008/04/13 23:09:52 | 00,005,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MSTEE.sys -- (MSTEE)
DRV - [2008/04/13 23:09:48 | 00,384,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\update.sys -- (Update)
DRV - [2008/04/13 23:09:48 | 00,042,368 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mountmgr.sys -- (MountMgr)
DRV - [2008/04/13 23:09:48 | 00,024,576 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\kbdclass.sys -- (Kbdclass)
DRV - [2008/04/13 23:06:54 | 00,073,472 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sr.sys -- (sr)
DRV - [2008/04/13 23:06:44 | 00,120,192 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\pcmcia.sys -- (Pcmcia)
DRV - [2008/04/13 23:06:36 | 00,187,776 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ACPI.sys -- (ACPI)
DRV - [2008/04/13 23:03:30 | 00,044,544 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fips.sys -- (Fips)
DRV - [2008/04/13 23:03:00 | 00,129,792 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\fltMgr.sys -- (FltMgr)
DRV - [2008/04/13 23:02:46 | 00,180,608 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mrxdav.sys -- (MRxDAV)
DRV - [2008/04/13 23:02:40 | 00,030,848 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\npfs.sys -- (Npfs)
DRV - [2008/04/13 23:02:40 | 00,019,072 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\msfs.sys -- (Msfs)
DRV - [2008/04/13 23:02:38 | 00,066,048 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\udfs.sys -- (Udfs)
DRV - [2008/04/13 22:09:24 | 00,142,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\aec.sys -- (aec)
DRV - [2008/04/13 21:09:16 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/03/13 02:25:36 | 02,530,176 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel®
DRV - [2008/03/01 13:17:00 | 06,658,592 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2007/09/10 07:50:56 | 00,457,984 | ---- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PAC7302.SYS -- (PAC7302)
DRV - [2007/07/06 04:33:04 | 00,021,568 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2007/05/10 10:24:34 | 01,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/01/30 11:12:06 | 00,045,568 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2007/01/16 13:06:19 | 00,100,992 | ---- | M] (VIA Technologies inc,.ltd) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\viamraid.sys -- (viamraid)
DRV - [2006/09/28 19:00:34 | 00,082,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WudfRd.sys -- (WudfRd)
DRV - [2006/09/28 18:55:50 | 00,077,568 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WudfPf.sys -- (WudfPf)
DRV - [2005/12/01 01:40:56 | 00,936,960 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2005/12/01 01:40:12 | 00,192,512 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2005/12/01 01:40:08 | 00,669,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2005/10/04 23:57:08 | 00,012,544 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2005/07/14 18:58:14 | 00,028,544 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2005/07/14 17:28:38 | 00,307,968 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2005/07/12 19:00:30 | 00,051,328 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2005/03/17 15:00:00 | 00,025,423 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2005/03/04 13:34:00 | 00,025,424 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2001/08/23 12:00:00 | 00,125,056 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ftdisk.sys -- (Ftdisk)
DRV - [2001/08/23 12:00:00 | 00,032,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ipfltdrv.sys -- (IpFilterDriver)
DRV - [2001/08/23 12:00:00 | 00,032,512 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwlnkfwd.sys -- (NwlnkFwd)
DRV - [2001/08/23 12:00:00 | 00,018,688 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\cdaudio.sys -- (Cdaudio)
DRV - [2001/08/23 12:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001/08/23 12:00:00 | 00,016,512 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\raspti.sys -- (Raspti)
DRV - [2001/08/23 12:00:00 | 00,013,952 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\cbidf2k.sys -- (cbidf2k)
DRV - [2001/08/23 12:00:00 | 00,012,416 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nwlnkflt.sys -- (NwlnkFlt)
DRV - [2001/08/23 12:00:00 | 00,012,032 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\ws2ifsl.sys -- (WS2IFSL)
DRV - [2001/08/23 12:00:00 | 00,011,648 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\acpiec.sys -- (ACPIEC)
DRV - [2001/08/23 12:00:00 | 00,008,832 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\rasacd.sys -- (RasAcd)
DRV - [2001/08/23 12:00:00 | 00,006,784 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\parvdm.sys -- (ParVdm)
DRV - [2001/08/23 12:00:00 | 00,005,888 | ---- | M] (Microsoft Corp., Veritas Software.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\dmload.sys -- (dmload)
DRV - [2001/08/23 12:00:00 | 00,004,224 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\rdpcdd.sys -- (RDPCDD)
DRV - [2001/08/23 12:00:00 | 00,004,224 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mnmdd.sys -- (mnmdd)
DRV - [2001/08/23 12:00:00 | 00,004,224 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\beep.sys -- (Beep)
DRV - [2001/08/23 12:00:00 | 00,002,944 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\null.sys -- (Null)
DRV - [2001/08/17 13:59:44 | 00,003,072 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\audstub.sys -- (audstub)
DRV - [2001/08/17 13:56:16 | 00,007,552 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SONYPVU1.SYS -- (SONYPVU1) Sony USB Filter Driver (SONYPVU1)
DRV - [2001/08/17 13:51:52 | 00,003,328 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\pciide.sys -- (PCIIde)


========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-57989841-861567501-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-57989841-861567501-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-57989841-861567501-1417001333-1003\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
IE - HKU\S-1-5-21-57989841-861567501-1417001333-1003\S-1-5-21-57989841-861567501-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-57989841-861567501-1417001333-1003\S-1-5-21-57989841-861567501-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-21-57989841-861567501-1417001333-500\S-1-5-21-57989841-861567501-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/01/27 17:23:42 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 18:26:22 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord\firefox\ext [2009/10/02 16:17:36 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{780044d1-e8c0-488f-8059-4522ddbfc2ea}: C:\Program Files\Stopzilla!\Toolbar\Extension [2009/10/29 11:05:22 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.17\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009/10/02 16:17:28 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.17\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2009/10/02 18:52:57 | 00,000,000 | ---D | M]

[2009/09/03 15:50:41 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/01/27 17:23:53 | 00,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
[2009/01/27 17:23:42 | 00,410,976 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
[2007/03/22 19:23:30 | 00,017,248 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL
[2008/10/14 21:33:30 | 00,095,600 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2009/08/06 16:10:54 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2009/08/06 16:10:54 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2009/08/06 16:10:54 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2009/08/06 16:10:55 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2009/08/06 16:10:55 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2009/08/06 16:10:55 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2009/08/06 16:10:55 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll

O1 HOSTS File: (341600 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 11700 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (ZILLAbar Browser Helper Object) - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\Toolbar\SZSG.dll (iS3, Inc)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {474597C5-AB09-49d6-A4D5-2E8D7341384E} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - No CLSID value found.
O2 - BHO: (MediaBar) - {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - C:\Program Files\iMeshMediabarTb\iMeshMediaBarDx.dll ()
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No CLSID value found.
O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1008.0\msneshellx.dll (Microsoft Corp.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1008.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (STOPzilla) - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\Toolbar\SZSG.dll (iS3, Inc)
O3 - HKLM\..\Toolbar: (MediaBar) - {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - C:\Program Files\iMeshMediabarTb\iMeshMediaBarDx.dll ()
O3 - HKU\S-1-5-21-57989841-861567501-1417001333-1003\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-57989841-861567501-1417001333-1003\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-57989841-861567501-1417001333-1003\..\Toolbar\WebBrowser: (&Links) - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-57989841-861567501-1417001333-500\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe (PixArt Imaging Incorporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-57989841-861567501-1417001333-1003..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-57989841-861567501-1417001333-1003..\Run: [msnmsgr] C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-57989841-861567501-1417001333-1003..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe (PC Tools)
O4 - HKU\S-1-5-21-57989841-861567501-1417001333-500..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-57989841-861567501-1417001333-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-57989841-861567501-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-57989841-861567501-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-57989841-861567501-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-57989841-861567501-1417001333-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-57989841-861567501-1417001333-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-57989841-861567501-1417001333-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O15 - HKU\.DEFAULT\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-57989841-861567501-1417001333-500\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_10)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} http://game.zylom.com/activex/zylomgamesplayer.cab (Zylom Games Player)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_10)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_10)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 172.24.1.2 172.24.1.3
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/27 16:56:04 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/06/05 14:29:16 | 00,000,182 | -H-- | M] () - E:\Autorun.inf -- [ FAT ]
O33 - MountPoints2\{134ea122-fc6c-11de-a8ec-0019b95c2d93}\Shell\AutoRun\command - "" = Recycled.exe
O33 - MountPoints2\{134ea122-fc6c-11de-a8ec-0019b95c2d93}\Shell\open\Command - "" = Recycled.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/13 12:11:44 | 00,544,256 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/01/12 16:16:02 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2010/01/12 16:14:34 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/01/12 16:14:34 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/01/12 16:14:34 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/01/12 16:14:34 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/01/12 16:14:07 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/01/12 16:14:06 | 00,000,000 | ---D | C] -- C:\ComboFix
[2010/01/11 18:08:35 | 00,000,000 | ---D | C] -- C:\Qoobox
[2010/01/11 12:02:13 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Owner\Desktop\RootRepeal.exe
[2010/01/08 15:41:17 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/08 15:41:15 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/08 15:41:15 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/08 15:40:51 | 05,115,824 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mbam-setup.exe
[2009/12/30 15:40:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\13BB
[2009/12/21 20:40:58 | 01,101,824 | ---- | C] (Woodbury Associates Limited) -- C:\WINDOWS\System32\UniBox210.ocx
[2009/12/21 20:40:58 | 00,880,640 | ---- | C] (Woodbury Associates Limited) -- C:\WINDOWS\System32\UniBox10.ocx
[2009/12/21 20:40:58 | 00,212,992 | ---- | C] (Woodbury Associates Limited) -- C:\WINDOWS\System32\UniBoxVB12.ocx
[2009/12/21 20:40:55 | 00,000,000 | ---D | C] -- C:\Program Files\Registry Mechanic
[2009/12/21 18:49:56 | 00,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2009/12/15 21:20:21 | 00,000,000 | ---D | C] -- C:\Config.Msi
[2009/12/15 20:09:49 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/10/03 09:37:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/10/02 16:15:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/08/01 13:13:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/05/16 09:55:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2009/04/20 15:49:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/02/06 17:45:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/02/06 17:44:50 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/01/27 16:56:01 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/13 12:11:43 | 00,052,659 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2010/01/13 12:06:24 | 00,293,376 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\ux9h92x6.exe
[2010/01/13 12:05:59 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/13 12:03:59 | 00,170,199 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/01/13 12:03:57 | 00,000,438 | ---- | M] () -- C:\WINDOWS\tasks\RegCure Program Check.job
[2010/01/13 12:03:57 | 00,000,378 | ---- | M] () -- C:\WINDOWS\tasks\RegCure Startup.job
[2010/01/13 12:03:53 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/13 12:03:52 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/13 12:03:48 | 21,458,45248 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/13 12:03:12 | 08,388,608 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/01/13 12:03:12 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/01/13 12:03:10 | 00,544,256 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/01/13 12:03:06 | 04,834,296 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2010/01/13 11:46:56 | 00,010,752 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\New Microsoft Word Document.doc
[2010/01/13 11:43:41 | 00,002,497 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Microsoft Office Word 2003.lnk
[2010/01/12 16:21:11 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/01/12 16:16:07 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2010/01/11 18:05:34 | 03,820,564 | R--- | M] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2010/01/11 12:04:30 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Owner\Desktop\RootRepeal.exe
[2010/01/11 12:02:20 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\settings.dat
[2010/01/11 12:01:22 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\settings.dat
[2010/01/08 17:17:18 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2010/01/08 16:13:18 | 00,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2010/01/08 15:33:34 | 05,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mbam-setup.exe
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/06 12:52:36 | 00,000,314 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\WorldClient.url
[2010/01/06 12:50:34 | 00,002,254 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/01/04 12:05:18 | 00,002,495 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Microsoft Office Excel 2003.lnk
[2010/01/04 12:04:37 | 00,024,576 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Natwest.xls
[2009/12/24 19:17:51 | 00,000,000 | ---- | M] () -- C:\testwma.raw
[2009/12/22 10:52:39 | 00,000,372 | ---- | M] () -- C:\WINDOWS\tasks\RegCure.job
[2009/12/21 21:08:18 | 00,526,284 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/12/21 21:08:18 | 00,444,676 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/12/21 21:08:18 | 00,072,552 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/12/21 21:00:50 | 00,000,738 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\RegCure.lnk
[2009/12/21 20:52:08 | 00,000,738 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Registry Mechanic.lnk
[2009/12/21 17:29:22 | 00,003,425 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/15 20:55:14 | 00,000,740 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/15 20:55:14 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2009/12/14 13:56:11 | 00,073,216 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Merc%20Personal%20prop%20form[1].doc
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/13 12:12:42 | 00,293,376 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\ux9h92x6.exe
[2010/01/13 12:01:12 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\dds.scr
[2010/01/13 11:46:56 | 00,010,752 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\New Microsoft Word Document.doc
[2010/01/12 16:16:07 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2010/01/12 16:16:03 | 00,260,272 | ---- | C] () -- C:\cmldr
[2010/01/12 16:14:34 | 00,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/01/12 16:14:34 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/01/12 16:14:34 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/01/12 16:14:34 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/01/12 16:14:34 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/01/11 18:08:08 | 03,820,564 | R--- | C] () -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
[2010/01/11 12:02:20 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\settings.dat
[2010/01/11 12:01:22 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\settings.dat
[2009/12/22 10:52:34 | 21,458,45248 | -HS- | C] () -- C:\hiberfil.sys
[2009/12/21 21:00:29 | 00,000,438 | ---- | C] () -- C:\WINDOWS\tasks\RegCure Program Check.job
[2009/12/21 21:00:29 | 00,000,378 | ---- | C] () -- C:\WINDOWS\tasks\RegCure Startup.job
[2009/12/21 21:00:29 | 00,000,372 | ---- | C] () -- C:\WINDOWS\tasks\RegCure.job
[2009/12/21 20:40:59 | 00,000,738 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Registry Mechanic.lnk
[2009/12/14 13:56:11 | 00,073,216 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Merc%20Personal%20prop%20form[1].doc
[2009/10/29 11:01:51 | 00,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll
[2009/10/29 11:01:51 | 00,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar3.dll
[2009/10/29 11:01:51 | 00,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll
[2009/10/29 11:01:51 | 00,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2009/10/28 13:39:13 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\CommonDL.dll
[2009/10/28 13:39:13 | 00,002,412 | ---- | C] () -- C:\WINDOWS\System32\lgAxconfig.ini
[2009/08/25 16:29:40 | 00,076,407 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Smiley.ico
[2009/08/03 14:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/07/06 16:01:04 | 00,000,768 | ---- | C] () -- C:\WINDOWS\System32\Remover.ini
[2009/03/01 18:30:29 | 00,008,192 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/28 19:02:06 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/02/06 17:33:32 | 00,006,445 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/01/27 17:36:01 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/01/27 17:28:04 | 00,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/01/27 17:28:03 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/07/27 19:51:52 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/07/27 19:51:51 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/07/27 19:51:51 | 01,482,752 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/07/27 19:51:51 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/01/09 17:36:51 | 00,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2007/03/20 15:44:02 | 00,000,566 | ---- | C] () -- C:\WINDOWS\System32\SP7302.ini
[2005/04/28 04:22:38 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/04/28 04:22:34 | 00,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/04/28 04:22:34 | 00,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7E95B6FD
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >



OTL Extras logfile created on: 13/01/2010 12:13:35 - Run 1
OTL by OldTimer - Version 3.1.24.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 80.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.15 Gb Total Space | 73.75 Gb Free Space | 79.17% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 244.84 Mb Total Space | 52.87 Mb Free Space | 21.59% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: BELLA
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Documents and Settings\Owner\My Documents\Downloads\Plugin Manager\skypePM.exe" = C:\Documents and Settings\Owner\My Documents\Downloads\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager -- (Skype Technologies)
"C:\Documents and Settings\Owner\My Documents\Downloads\Phone\Skype.exe" = C:\Documents and Settings\Owner\My Documents\Downloads\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{184E7118-0295-43C4-B72C-1D54AA75AAF7}" = Windows Live Mail
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java™ 6 Update 10
"{2D6ED011-055B-4041-B198-BB903827EBFB}" = Safari
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{37888B36-58B5-41C6-BE67-B846BB4809FF}" = iS3 STOPzilla Toolbar
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6CF914E7-5CC3-4E2D-BB8F-410BC1FECD3E}" = MSN Toolbar
"{73C2BB36-ABE5-4E02-A043-E6C0F91A3E2C}" = PC VGA Camer@ Plus
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.4
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B6F7DBE7-2FE2-458F-A738-B10832746036}" = Microsoft Reader
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C3ABE126-2BB2-4246-BFE1-6797679B3579}" = LG USB Modem Driver
"{C82185E8-C27B-4EF4-2007-3333BC2C2B6D}" = Microsoft AutoRoute 2007
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{E0E400F5-422B-4540-A14F-B0739D71FEE7}" = Microsoft Reader Text-to-Speech for English
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{EC2A8F27-4FBF-4E41-B27B-FE822511B761}" = iTunes
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"AC3Filter" = AC3Filter (remove only)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Alt-N ComAgent" = Alt-N ComAgent
"Bejeweled 2 Deluxe 1.1.3.2523" = Bejeweled 2 Deluxe 1.1.3.2523
"Bejeweled Deluxe 1.87" = Bejeweled Deluxe 1.87
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"imeshmediabartb" = MediaBar
"InstallShield_{73C2BB36-ABE5-4E02-A043-E6C0F91A3E2C}" = PC VGA Camer@ Plus
"Jalbum_0" = Jalbum 8.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Thunderbird (2.0.0.17)" = Mozilla Thunderbird (2.0.0.17)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nero - Burning Rom!UninstallKey" = Nero OEM
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NSS" = Norton Security Scan
"NVIDIA Drivers" = NVIDIA Drivers
"oggcodecs" = oggcodecs 0.71.0946
"Outlook Connector for MDaemon Plug-in" = Outlook Connector for MDaemon Plug-in
"RealPlayer 12.0" = RealPlayer
"RegCure" = RegCure 2.0.0.0
"Registry Mechanic_is1" = Registry Mechanic 9.0
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xvid_is1" = Xvid 1.1.3 final uninstall

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-57989841-861567501-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"309a46b1dc89b774" = Dell Driver Download Manager

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/01/2010 14:04:35 | Computer Name = BELLA | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16945, faulting
module winhttp.dll, version 5.1.2600.5868, fault address 0x00020afc.

Error - 11/01/2010 14:05:01 | Computer Name = BELLA | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16945, faulting
module winhttp.dll, version 5.1.2600.5868, fault address 0x00020afc.

Error - 11/01/2010 14:40:11 | Computer Name = BELLA | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 11/01/2010 14:41:41 | Computer Name = BELLA | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 12/01/2010 13:18:01 | Computer Name = BELLA | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 12/01/2010 13:19:07 | Computer Name = BELLA | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 13/01/2010 07:37:11 | Computer Name = BELLA | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module winhttp.dll, version 5.1.2600.5868, fault address 0x00020afc.

Error - 13/01/2010 08:00:28 | Computer Name = BELLA | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 13/01/2010 08:00:32 | Computer Name = BELLA | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 13/01/2010 08:04:07 | Computer Name = BELLA | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module winhttp.dll, version 5.1.2600.5868, fault address 0x00020afc.

[ Application Events ]
Error - 11/01/2010 14:04:35 | Computer Name = BELLA | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16945, faulting
module winhttp.dll, version 5.1.2600.5868, fault address 0x00020afc.

Error - 11/01/2010 14:05:01 | Computer Name = BELLA | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16945, faulting
module winhttp.dll, version 5.1.2600.5868, fault address 0x00020afc.

Error - 11/01/2010 14:40:11 | Computer Name = BELLA | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 11/01/2010 14:41:41 | Computer Name = BELLA | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 12/01/2010 13:18:01 | Computer Name = BELLA | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 12/01/2010 13:19:07 | Computer Name = BELLA | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 13/01/2010 07:37:11 | Computer Name = BELLA | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module winhttp.dll, version 5.1.2600.5868, fault address 0x00020afc.

Error - 13/01/2010 08:00:28 | Computer Name = BELLA | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 13/01/2010 08:00:32 | Computer Name = BELLA | Source = Application Error | ID = 1004
Description = Faulting application svchost.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 13/01/2010 08:04:07 | Computer Name = BELLA | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module winhttp.dll, version 5.1.2600.5868, fault address 0x00020afc.

[ System Events ]
Error - 12/01/2010 12:20:51 | Computer Name = BELLA | Source = PlugPlayManager | ID = 11
Description = The device Root\LEGACY_ROOTREPEAL\0000 disappeared from the system
without first being prepared for removal.

Error - 12/01/2010 12:21:53 | Computer Name = BELLA | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Management Instrumentation
service, but this action failed with the following error: %%1056

Error - 12/01/2010 13:19:53 | Computer Name = BELLA | Source = Service Control Manager | ID = 7022
Description = The Automatic Updates service hung on starting.

Error - 12/01/2010 13:19:53 | Computer Name = BELLA | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
avgio

Error - 13/01/2010 07:35:23 | Computer Name = BELLA | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Management Instrumentation
service, but this action failed with the following error: %%1056

Error - 13/01/2010 07:40:16 | Computer Name = BELLA | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Management Instrumentation
service, but this action failed with the following error: %%1056

Error - 13/01/2010 08:02:20 | Computer Name = BELLA | Source = Service Control Manager | ID = 7022
Description = The Automatic Updates service hung on starting.

Error - 13/01/2010 08:02:20 | Computer Name = BELLA | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
avgio

Error - 13/01/2010 08:05:59 | Computer Name = BELLA | Source = Service Control Manager | ID = 7022
Description = The Automatic Updates service hung on starting.

Error - 13/01/2010 08:05:59 | Computer Name = BELLA | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
avgio


< End of report >




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-13 12:53:00
Windows 5.1.2600 Service Pack 3
Running: ux9h92x6.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\uxtdqpod.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xB61E9CEA]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xB61EA3E6]
SSDT BAF24576 ZwCreateKey
SSDT BAF2456C ZwCreateThread
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteFile [0xB61EA532]
SSDT BAF2457B ZwDeleteKey
SSDT BAF24585 ZwDeleteValueKey
SSDT BAF2458A ZwLoadKey
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xB61EA496]
SSDT BAF24558 ZwOpenProcess
SSDT BAF2455D ZwOpenThread
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xB61EA142]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xB61EDAE8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xB61EDA52]
SSDT BAF24594 ZwReplaceKey
SSDT BAF2458F ZwRestoreKey
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xB61E9C98]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetInformationFile [0xB61EA592]
SSDT BAF24580 ZwSetValueKey
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xB61E9C3C]
SSDT BAF24567 ZwTerminateProcess
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xB61E9BE0]

INT 0x93 \??\C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys (RapportKE/Trusteer Ltd.) BA98D7A0

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

LIFE is so simple, if you know the reason of your existence at certain place. Treat every step as first one and trust god, friends, relatives and everyone.

 

Its a simple magic trick given to me by one friend also and I am at this stage  :love4u:


#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:05 AM

Posted 13 January 2010 - 07:03 PM

Hi sreez,

Please make sure the steps are done fully in the order they are written.
  1. There is still some iMesh entries left. Please go to Add/Remove programs and uninstall: MediaBar

  2. Please open OTL.
    • Copy the text in code box and paste it to Custom Scans/Fixes section:

      CODE
      :Processes
      :Services
      AntiVirService
      AntiVirSchedulerService
      avgio
      :otl
      O2 - BHO: (no name) - {474597C5-AB09-49d6-A4D5-2E8D7341384E} - No CLSID value found.
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - No CLSID value found.
      O2 - BHO: (MediaBar) - {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - C:\Program Files\iMeshMediabarTb\iMeshMediaBarDx.dll ()
      O3 - HKLM\..\Toolbar: (MediaBar) - {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - C:\Program Files\iMeshMediabarTb\iMeshMediaBarDx.dll ()
      O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No CLSID value found.
      :files
      c:\program files\iMeshMediabarTb
      c:\program files\avira
      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "UserFaultCheck"=-

    • Click Run Fix button.
    • If the fix needed a reboot please do it.
    • After finished a log will open. Copy and paste the log to your reply.

  3. Go to Start > Run and type in Notepad
    Make sure that under Format menu Word Wrap is unchecked. Copy/paste the following text inside the code box into a new notepad document.

    CODE
    @ECHO OFF
    dir /a C:\WINDOWS\system32\wuauserv.dll >look1.txt 2>&1
    regedit /e look2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
    regedit /e look3.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv"
    sc config wuauserv start= disabled
    ping 1.1.1.1 -n 1 -w 2000>nul
    type look?.txt >log.txt
    start log.txt
    del look?.txt
    • Go to the File menu at the top of the Notepad and select Save as.
    • Select save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save
    • Close the Notepad.
    • Locate and double-click look.bat on the desktop. It should look like this:
    • Notepad will open (log.txt) with some txt in it. Attach the contents to your next reply.

  4. Now reboot and tell me if you still get the error at startup.


#15 sreez

sreez
  • Topic Starter

  • Members
  • 634 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai(UAE)
  • Local time:02:05 AM

Posted 14 January 2010 - 08:16 AM

Hello farbar,

I have followed the instructions, uninstalled Mediabar and the rest steps mentioned. I think we did a little improvement. thumbup2.gif

After rebooting the system I have the

Internal window:svchost.exe - application error

The exception privileged instruction.
(Oxc0000096) occured in the application at location 0x4d510afc.

Click Ok or terminate. or Cancel. If click OK again it freezes the system.

But I didnt get this Generic host process for Win32 services encountered a problem and needs to close. Sorry for inconvience.

Also I have noticed that IE or other browser crashes the browsers(Home page website is good, I can click on other links on it) but when I surf the internet, it gives normal error saying the IE got some error and has to close now. Therefore all these steps I have been doing using the USB.Also the wireless networks always shows no networks available. Sorry if I had to mention this earlier.

Anyways here is the logs

========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
Service AntiVirService stopped successfully!
Service AntiVirService deleted successfully!
Service AntiVirSchedulerService stopped successfully!
Service AntiVirSchedulerService deleted successfully!
Service avgio stopped successfully!
Service avgio deleted successfully!
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{474597C5-AB09-49d6-A4D5-2E8D7341384E}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{474597C5-AB09-49d6-A4D5-2E8D7341384E}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}\ deleted successfully.
File C:\Program Files\iMeshMediabarTb\iMeshMediaBarDx.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}\ not found.
File C:\Program Files\iMeshMediabarTb\iMeshMediaBarDx.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ not found.
========== FILES ==========
File\Folder c:\program files\iMeshMediabarTb not found.
c:\program files\Avira folder moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\UserFaultCheck not found.

OTL by OldTimer - Version 3.1.24.0 log created on 01142010_125707



Volume in drive C has no label.
Volume Serial Number is FCB7-5056

Directory of C:\WINDOWS\system32

14/04/2008 04:42 6,656 wuauserv.dll
1 File(s) 6,656 bytes
0 Dir(s) 79,522,889,728 bytes free
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"HTTPFilter"=hex(7):48,00,54,00,54,00,50,00,46,00,69,00,6c,00,74,00,65,00,72,\
00,00,00,00,00
"LocalService"=hex(7):41,00,6c,00,65,00,72,00,74,00,65,00,72,00,00,00,57,00,65,\
00,62,00,43,00,6c,00,69,00,65,00,6e,00,74,00,00,00,4c,00,6d,00,48,00,6f,00,\
73,00,74,00,73,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,52,00,65,00,67,\
00,69,00,73,00,74,00,72,00,79,00,00,00,75,00,70,00,6e,00,70,00,68,00,6f,00,\
73,00,74,00,00,00,53,00,53,00,44,00,50,00,53,00,52,00,56,00,00,00,00,00
"NetworkService"=hex(7):44,00,6e,00,73,00,43,00,61,00,63,00,68,00,65,00,00,00,\
00,00
"netsvcs"=hex(7):36,00,74,00,6f,00,34,00,00,00,41,00,70,00,70,00,4d,00,67,00,\
6d,00,74,00,00,00,41,00,75,00,64,00,69,00,6f,00,53,00,72,00,76,00,00,00,42,\
00,72,00,6f,00,77,00,73,00,65,00,72,00,00,00,43,00,72,00,79,00,70,00,74,00,\
53,00,76,00,63,00,00,00,44,00,4d,00,53,00,65,00,72,00,76,00,65,00,72,00,00,\
00,44,00,48,00,43,00,50,00,00,00,45,00,52,00,53,00,76,00,63,00,00,00,45,00,\
76,00,65,00,6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,46,00,61,\
00,73,00,74,00,55,00,73,00,65,00,72,00,53,00,77,00,69,00,74,00,63,00,68,00,\
69,00,6e,00,67,00,43,00,6f,00,6d,00,70,00,61,00,74,00,69,00,62,00,69,00,6c,\
00,69,00,74,00,79,00,00,00,48,00,69,00,64,00,53,00,65,00,72,00,76,00,00,00,\
49,00,61,00,73,00,00,00,49,00,70,00,72,00,69,00,70,00,00,00,49,00,72,00,6d,\
00,6f,00,6e,00,00,00,4c,00,61,00,6e,00,6d,00,61,00,6e,00,53,00,65,00,72,00,\
76,00,65,00,72,00,00,00,4c,00,61,00,6e,00,6d,00,61,00,6e,00,57,00,6f,00,72,\
00,6b,00,73,00,74,00,61,00,74,00,69,00,6f,00,6e,00,00,00,4d,00,65,00,73,00,\
73,00,65,00,6e,00,67,00,65,00,72,00,00,00,4e,00,65,00,74,00,6d,00,61,00,6e,\
00,00,00,4e,00,6c,00,61,00,00,00,4e,00,74,00,6d,00,73,00,73,00,76,00,63,00,\
00,00,4e,00,57,00,43,00,57,00,6f,00,72,00,6b,00,73,00,74,00,61,00,74,00,69,\
00,6f,00,6e,00,00,00,4e,00,77,00,73,00,61,00,70,00,61,00,67,00,65,00,6e,00,\
74,00,00,00,52,00,61,00,73,00,61,00,75,00,74,00,6f,00,00,00,52,00,61,00,73,\
00,6d,00,61,00,6e,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,61,00,63,00,\
63,00,65,00,73,00,73,00,00,00,53,00,63,00,68,00,65,00,64,00,75,00,6c,00,65,\
00,00,00,53,00,65,00,63,00,6c,00,6f,00,67,00,6f,00,6e,00,00,00,53,00,45,00,\
4e,00,53,00,00,00,53,00,68,00,61,00,72,00,65,00,64,00,61,00,63,00,63,00,65,\
00,73,00,73,00,00,00,53,00,52,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,\
00,00,54,00,61,00,70,00,69,00,73,00,72,00,76,00,00,00,54,00,68,00,65,00,6d,\
00,65,00,73,00,00,00,54,00,72,00,6b,00,57,00,6b,00,73,00,00,00,57,00,33,00,\
32,00,54,00,69,00,6d,00,65,00,00,00,57,00,5a,00,43,00,53,00,56,00,43,00,00,\
00,57,00,6d,00,69,00,00,00,57,00,6d,00,64,00,6d,00,50,00,6d,00,53,00,70,00,\
00,00,77,00,69,00,6e,00,6d,00,67,00,6d,00,74,00,00,00,77,00,73,00,63,00,73,\
00,76,00,63,00,00,00,78,00,6d,00,6c,00,70,00,72,00,6f,00,76,00,00,00,6e,00,\
61,00,70,00,61,00,67,00,65,00,6e,00,74,00,00,00,68,00,6b,00,6d,00,73,00,76,\
00,63,00,00,00,42,00,49,00,54,00,53,00,00,00,77,00,75,00,61,00,75,00,73,00,\
65,00,72,00,76,00,00,00,53,00,68,00,65,00,6c,00,6c,00,48,00,57,00,44,00,65,\
00,74,00,65,00,63,00,74,00,69,00,6f,00,6e,00,00,00,68,00,65,00,6c,00,70,00,\
73,00,76,00,63,00,00,00,57,00,6d,00,64,00,6d,00,50,00,6d,00,53,00,4e,00,00,\
00,00,00
"DcomLaunch"=hex(7):44,00,63,00,6f,00,6d,00,4c,00,61,00,75,00,6e,00,63,00,68,\
00,00,00,54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,\
00,00,00,00
"rpcss"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"eapsvcs"=hex(7):65,00,61,00,70,00,68,00,6f,00,73,00,74,00,00,00,00,00
"dot3svc"=hex(7):64,00,6f,00,74,00,33,00,73,00,76,00,63,00,00,00,00,00
"imgsvc"=hex(7):53,00,74,00,69,00,53,00,76,00,63,00,00,00,00,00
"termsvcs"=hex(7):54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,\
65,00,00,00,00,00
"WudfServiceGroup"=hex(7):57,00,55,00,44,00,46,00,53,00,76,00,63,00,00,00,00,\
00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\DComLaunch]
"CoInitializeSecurityParam"=dword:00000001
"DefaultRpcStackSize"=dword:00000008

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\dot3svc]
"AuthenticationCapabilities"=dword:00003020
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\eapsvcs]
"AuthenticationCapabilities"=dword:00003020
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\HTTPFilter]
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\LocalService]
"CoInitializeSecurityParam"=dword:00000001
"AuthenticationCapabilities"=dword:00002000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs]
"CoInitializeSecurityParam"=dword:00000001
"AuthenticationCapabilities"=dword:00003020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\PCHealth]
"CoInitializeSecurityParam"=dword:00000002
"AuthenticationCapabilities"=dword:00000040

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\termsvcs]
"CoInitializeSecurityParam"=dword:00000001
"DefaultRpcStackSize"=dword:00000008

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Automatic Updates"
"ObjectName"="LocalSystem"
"Description"="Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,75,00,\
61,00,75,00,73,00,65,00,72,00,76,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security]
"Security"=hex:01,00,14,80,78,00,00,00,84,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,00,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,48,00,03,00,00,00,00,00,14,00,9d,00,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,ff,01,0f,00,01,01,00,00,00,00,00,05,12,00,00,00,01,\
01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum]
"0"="Root\\LEGACY_WUAUSERV\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Cheers,
Sreez



LIFE is so simple, if you know the reason of your existence at certain place. Treat every step as first one and trust god, friends, relatives and everyone.

 

Its a simple magic trick given to me by one friend also and I am at this stage  :love4u:





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users