Hi there,
Okay I used defogger and disabled cd emulation software. I'm not sure if there was any since it did not ask to restart my computer but I restarted it anyway.
Then I ran a scan of combo fix and it successfully installed the recovery console. I will post the log below.
Then I started the gmer program. In the middle of running the gmer scan the program stopped and gave me a blue screen indicating that a problem was detected and windows was shut down to prevent damage. It had an entry showing: Driver IRQL Not Less or Equal. Then it showed a memory dump. I wrote down the Stop location in case you needed that number. So then I tried to run the gmer scan in safe mode and it too crashed with the same blue screen page as before. So then I started the computer back up and I ran Gmer this time from a previous download I did a couple days ago rather than from the download link that you sent me. It ran for a while and had many many entries in the window, but then it froze the program and the computer while scanning. However, this time I pressed the save log button before it ever started scanning and it did capture and save the log. So I am also including it here.
HERE IS MY COMBO FIX LOGComboFix 10-02-03.06 - Gabrielle 02/10/2010 3:08.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1556 [GMT -10:00]
Running from: c:\documents and settings\Gabrielle\Desktop\Combofix\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2010-01-10 to 2010-02-10 )))))))))))))))))))))))))))))))
.
2010-02-04 14:35 . 2010-02-05 17:05 -------- d-----w- C:\found.000
2010-02-04 14:21 . 2010-02-04 14:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-02 16:16 . 2010-02-02 16:16 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-02 14:51 . 2010-02-05 17:08 -------- d-----w- c:\program files\Sophos
2010-02-02 14:13 . 2009-08-07 05:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-01 18:47 . 2010-02-01 18:47 -------- d-----w- c:\program files\Microsoft Easy Assist
2010-02-01 18:46 . 2010-02-01 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications
2010-01-21 05:20 . 2010-01-21 05:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-21 05:15 . 2010-01-21 05:16 -------- d-----w- c:\documents and settings\Gabrielle\Local Settings\Application Data\Temp
2010-01-21 05:15 . 2010-01-21 05:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-08 16:39 . 2008-09-02 00:44 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\SiteClasses
2010-02-08 16:27 . 2008-09-02 00:44 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\Sites
2010-02-05 18:38 . 2008-07-10 23:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-05 18:33 . 2009-05-20 12:47 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-04 04:12 . 2008-11-13 08:40 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\U3
2010-02-03 13:19 . 2009-08-03 05:29 -------- d-----w- c:\program files\Ahead
2010-02-02 06:53 . 2009-06-24 11:02 -------- d-----w- c:\program files\Exterminate It!
2010-02-01 17:47 . 2008-09-05 21:50 99624 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-01 09:53 . 2009-04-03 06:19 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\Skype
2010-02-01 07:00 . 2008-05-14 20:49 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\AdobeUM
2010-01-21 05:16 . 2008-05-13 19:12 -------- d-----w- c:\program files\Google
2010-01-18 13:13 . 2008-05-13 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-09 21:53 . 2009-10-31 12:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-09 21:52 . 2009-12-04 23:04 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-08 02:07 . 2009-10-31 12:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 02:07 . 2009-10-31 12:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 19:14 . 2004-08-04 10:56 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 00:42 . 2010-01-10 07:08 872960 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-17 00:42 . 2010-01-10 07:08 43008 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-17 00:42 . 2010-01-10 07:08 340480 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-17 00:41 . 2010-01-10 07:08 346624 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-16 13:36 . 2009-12-16 13:36 -------- d-----w- c:\program files\MIG Bank Trading Station
2009-12-15 16:23 . 2009-03-20 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-15 10:11 . 2009-12-15 10:11 -------- d-----w- c:\program files\NP Meter
2009-12-14 18:39 . 2009-12-14 18:39 1956528 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-11-21 15:51 . 2004-08-04 10:56 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-26 11:25 . 2009-10-26 11:25 216 ----a-w- c:\program files\3G80FNLF.bat
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-05-13 20:07 . 2008-05-13 20:01 24 --sh--w- c:\windows\S7E4EA38E.tmp
2008-09-08 10:40 . 2008-09-08 10:40 2 --shatr- c:\windows\winstart.bat
2008-05-15 05:59 . 2008-05-15 05:59 88 --sha-r- c:\windows\system32\F20FB882EC.sys
2008-05-15 06:56 . 2008-05-15 05:59 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-14 198160]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Gabrielle^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Gabrielle^Start Menu^Programs^Startup^Webshots.lnk]
backup=c:\windows\pss\Webshots.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 03:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-03-27 20:03 13684736 ----a-w- c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-07-21 01:46 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 11:11 132496 ----a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-14 03:47 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Userinit]
2008-04-14 00:12 26112 ------w- c:\windows\system32\userinit.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"Nuance PDF Professional 5-reminder"="c:\program files\Nuance\PDF Professional 5\Ereg\Ereg.exe" -r "c:\documents and settings\All Users\Application Data\Nuance\PDF Professional 5\Ereg\Ereg.ini"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"Alcmtr"=ALCMTR.EXE
"CTHelper"=CTHELPER.EXE
"CTxfiHlp"=CTXFIHLP.EXE
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"PDF5 Registry Controller"=c:\program files\Nuance\PDF Professional 5\RegistryController.exe
"PDFHook"=c:\program files\Nuance\PDF Professional 5\pdfpro5hook.exe
"RTHDCPL"=RTHDCPL.EXE
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"nwiz"=nwiz.exe /install
"SkyTel"=SkyTel.EXE
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"NeroCheck"=c:\windows\system32\NeroCheck.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
"RTHDCPL.EXE"=c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
R1 prcmondrv;prcmondrv;c:\windows\system32\drivers\prcmondrv1041.sys [5/18/2009 07:29 PM 18432]
S1 SDManager;SDManager; [x]
S3 PDFProFiltSrv;PDFProFiltSrv;c:\program files\Nuance\PDF Professional 5\PDFProFiltSrv.exe [2/2/2008 02:20 AM 144672]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/20/2010 07:15 PM 135664]
S4 LMIInfo;LogMeIn Kernel Information Provider; [x]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\lmirfsdriver.sys [5/18/2009 04:10 AM 47640]
S4 MEMSWEEP2;MEMSWEEP2; [x]
S4 StatsJunky_ERService;StatsJunky_ERService;c:\program files\StatsJunky\StatsJunky_ERService.exe [3/8/2009 05:40 AM 282624]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
FF - ProfilePath - c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2010-02-10 03:10
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,
http://www.gmer.netdevice: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A57E900]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> 0x8a57e900
\Driver\atapi -> atapi.sys @ 0xb9ef1852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: NVIDIA nForce 10/100 Mbps Ethernet -> SendCompleteHandler -> 0x89569330
PacketIndicateHandler -> NDIS.sys @ 0xb9dcda21
SendHandler -> NDIS.sys @ 0xb9dab87b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(908)
c:\windows\system32\relog_ap.dll
- - - - - - - > 'explorer.exe'(436)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-10 03:11:51
ComboFix-quarantined-files.txt 2010-02-10 13:11
ComboFix2.txt 2010-02-04 16:05
Pre-Run: 20,145,627,136 bytes free
Post-Run: 20,097,159,168 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - A3A6CD200C0464EC7231BF2CC2B33241
HERE IS MY GMER LOG - It never did finish running since it froze in the middle.
GMER 1.0.15.15281 -
http://www.gmer.netRootkit scan 2010-02-10 04:06:26
Windows 5.1.2600 Service Pack 3
Running: nth39gwh.exe; Driver: C:\DOCUME~1\GABRIE~1\LOCALS~1\Temp\fwrdqpog.sys
---- System - GMER 1.0.15 ----
SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys (Process Monitor driver/Igor Nys) ZwCreateProcess [0xB2FB1C1C]
SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys (Process Monitor driver/Igor Nys) ZwCreateProcessEx [0xB2FB1C36]
SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys (Process Monitor driver/Igor Nys) ZwOpenKey [0xB2FB1C6A]
SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys (Process Monitor driver/Igor Nys) ZwTerminateProcess [0xB2FB1C50]
---- Devices - GMER 1.0.15 ----
Device \Driver\ACPI \Device\00000060 8997C6E8
Device \Driver\ACPI \Device\00000061 8997C6E8
Device \Driver\ACPI \Device\00000055 8997C6E8
Device \Driver\ACPI \Device\00000056 8997C6E8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
Device \Driver\ACPI \Device\00000071 8997C6E8
Device \Driver\ACPI \Device\00000058 8997C6E8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
Device \Driver\ACPI \Device\00000074 8997C6E8
Device \Driver\ACPI \Device\00000075 8997C6E8
Device \Driver\ACPI \Device\00000069 8997C6E8
Device \Driver\ACPI \Device\00000078 8997C6E8
Device \Driver\ACPI \Device\00000079 8997C6E8
Device \Driver\ACPI \Device\0000005a 8997C6E8
Device \Driver\ACPI \Device\0000005b 8997C6E8
Device \Driver\ACPI \Device\0000005c 8997C6E8
Device \Driver\ACPI \Device\0000005e 8997C6E8
Device \Driver\ACPI \Device\0000006c 8997C6E8
Device \Driver\ACPI \Device\0000007a 8997C6E8
Device \Driver\ACPI \Device\0000006d 8997C6E8
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\DS@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\DS\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\DS\ObjectNames@Directory Service Object 7680
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames@PolicyObject 5632
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames@SecretObject 5648
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames@TrustedDomainObject 5664
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames@UserAccountObject 5680
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\NetDDE Object@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\NetDDE Object\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\NetDDE Object\ObjectNames@DDE Share 7424
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager\ObjectNames@SC_MANAGER Object 7168
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager\ObjectNames@SERVICE Object 7184
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@CategoryCount 9
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@GuidMessageFile %SystemRoot%\System32\NtMarta.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@EventMessageFile %SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\System32\xpsp2res.dll;%SystemRoot%\System32\xpsp3res.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@TypesSupported 28
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Channel 5120
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Desktop 6672
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Device 4352
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Directory 4368
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Event 4384
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@EventPair 4400
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@File 4416
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@IoCompletion 4864
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Job 5136
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Key 4432
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@MailSlot 4416
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Mutant 4448
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@NamedPipe 4416
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Port 4464
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Process 4480
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Profile 4496
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Section 4512
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Semaphore 4528
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@SymbolicLink 4544
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Thread 4560
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Timer 4576
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Token 4592
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Type 4608
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@WaitablePort 4464
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@WindowStation 6656
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_ALIAS 5424
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_DOMAIN 5392
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_GROUP 5408
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_SERVER 5376
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_USER 5440
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 3.0.0.0@TypesSupported 31
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 3.0.0.0@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 3.0.0.0@CategoryCount 3
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 3.0.0.0@ParameterMessageFile C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 3.0.0.0@EventMessageFile C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 3.0.0.0@EventSourceFlags 1
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler\ObjectNames@Document 6944
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler\ObjectNames@Printer 6928
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler\ObjectNames@Server 6912
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS\ObjectNames@Directory Service Object 7680
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@PolicyObject 5632
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@SecretObject 5648
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@TrustedDomainObject 5664
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@UserAccountObject 5680
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object\ObjectNames@DDE Share 7424
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames@SC_MANAGER Object 7168
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames@SERVICE Object 7184
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@CategoryCount 9
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@GuidMessageFile %SystemRoot%\System32\NtMarta.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@EventMessageFile %SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\System32\xpsp2res.dll;%SystemRoot%\System32\xpsp3res.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@TypesSupported 28
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Channel 5120
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Desktop 6672
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Device 4352
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Directory 4368
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Event 4384
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@EventPair 4400
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@File 4416
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@IoCompletion 4864
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Job 5136
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Key 4432
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@MailSlot 4416
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Mutant 4448
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@NamedPipe 4416
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Port 4464
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Process 4480
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Profile 4496
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Section 4512
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Semaphore 4528
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@SymbolicLink 4544
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Thread 4560
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Timer 4576
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Token 4592
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Type 4608
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@WaitablePort 4464
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@WindowStation 6656
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_ALIAS 5424
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_DOMAIN 5392
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_GROUP 5408
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_SERVER 5376
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_USER 5440
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@TypesSupported 31
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@CategoryCount 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@ParameterMessageFile C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@EventMessageFile C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@EventSourceFlags 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Document 6944
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Printer 6928
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Server 6912
Thank you for your help with this problem. It looks like a nasty one.
Gabrielle
Hi there,
Okay I used defogger and disabled cd emulation software. I'm not sure if there was any since it did not ask to restart my computer but I restarted it anyway.
Then I ran a scan of combo fix and it successfully installed the recovery console. I will post the log below.
Then I started the gmer program. In the middle of running the gmer scan the program stopped and gave me a blue screen indicating that a problem was detected and windows was shut down to prevent damage. It had an entry showing: Driver IRQL Not Less or Equal. Then it showed a memory dump. I wrote down the Stop location in case you needed that number. So then I tried to run the gmer scan in safe mode and it too crashed with the same blue screen page as before. So then I started the computer back up and I ran Gmer this time from a previous download I did a couple days ago rather than from the download link that you sent me. It ran for a while and had many many entries in the window, but then it froze the program and the computer while scanning. However, this time I pressed the save log button before it ever started scanning and it did capture and save the log. So I am also including it here.
HERE IS MY COMBO FIX LOGComboFix 10-02-03.06 - Gabrielle 02/10/2010 3:08.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1556 [GMT -10:00]
Running from: c:\documents and settings\Gabrielle\Desktop\Combofix\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2010-01-10 to 2010-02-10 )))))))))))))))))))))))))))))))
.
2010-02-04 14:35 . 2010-02-05 17:05 -------- d-----w- C:\found.000
2010-02-04 14:21 . 2010-02-04 14:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-02 16:16 . 2010-02-02 16:16 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-02 14:51 . 2010-02-05 17:08 -------- d-----w- c:\program files\Sophos
2010-02-02 14:13 . 2009-08-07 05:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-01 18:47 . 2010-02-01 18:47 -------- d-----w- c:\program files\Microsoft Easy Assist
2010-02-01 18:46 . 2010-02-01 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications
2010-01-21 05:20 . 2010-01-21 05:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-21 05:15 . 2010-01-21 05:16 -------- d-----w- c:\documents and settings\Gabrielle\Local Settings\Application Data\Temp
2010-01-21 05:15 . 2010-01-21 05:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-08 16:39 . 2008-09-02 00:44 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\SiteClasses
2010-02-08 16:27 . 2008-09-02 00:44 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\Sites
2010-02-05 18:38 . 2008-07-10 23:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-05 18:33 . 2009-05-20 12:47 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-04 04:12 . 2008-11-13 08:40 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\U3
2010-02-03 13:19 . 2009-08-03 05:29 -------- d-----w- c:\program files\Ahead
2010-02-02 06:53 . 2009-06-24 11:02 -------- d-----w- c:\program files\Exterminate It!
2010-02-01 17:47 . 2008-09-05 21:50 99624 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-01 09:53 . 2009-04-03 06:19 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\Skype
2010-02-01 07:00 . 2008-05-14 20:49 -------- d-----w- c:\documents and settings\Gabrielle\Application Data\AdobeUM
2010-01-21 05:16 . 2008-05-13 19:12 -------- d-----w- c:\program files\Google
2010-01-18 13:13 . 2008-05-13 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-09 21:53 . 2009-10-31 12:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-09 21:52 . 2009-12-04 23:04 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-08 02:07 . 2009-10-31 12:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 02:07 . 2009-10-31 12:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 19:14 . 2004-08-04 10:56 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 00:42 . 2010-01-10 07:08 872960 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-17 00:42 . 2010-01-10 07:08 43008 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-17 00:42 . 2010-01-10 07:08 340480 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-17 00:41 . 2010-01-10 07:08 346624 ----a-w- c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-16 13:36 . 2009-12-16 13:36 -------- d-----w- c:\program files\MIG Bank Trading Station
2009-12-15 16:23 . 2009-03-20 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-15 10:11 . 2009-12-15 10:11 -------- d-----w- c:\program files\NP Meter
2009-12-14 18:39 . 2009-12-14 18:39 1956528 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-11-21 15:51 . 2004-08-04 10:56 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-26 11:25 . 2009-10-26 11:25 216 ----a-w- c:\program files\3G80FNLF.bat
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-05-13 20:07 . 2008-05-13 20:01 24 --sh--w- c:\windows\S7E4EA38E.tmp
2008-09-08 10:40 . 2008-09-08 10:40 2 --shatr- c:\windows\winstart.bat
2008-05-15 05:59 . 2008-05-15 05:59 88 --sha-r- c:\windows\system32\F20FB882EC.sys
2008-05-15 06:56 . 2008-05-15 05:59 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-14 198160]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Gabrielle^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Gabrielle^Start Menu^Programs^Startup^Webshots.lnk]
backup=c:\windows\pss\Webshots.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 03:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-03-27 20:03 13684736 ----a-w- c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-07-21 01:46 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 11:11 132496 ----a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-14 03:47 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Userinit]
2008-04-14 00:12 26112 ------w- c:\windows\system32\userinit.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"Nuance PDF Professional 5-reminder"="c:\program files\Nuance\PDF Professional 5\Ereg\Ereg.exe" -r "c:\documents and settings\All Users\Application Data\Nuance\PDF Professional 5\Ereg\Ereg.ini"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"Alcmtr"=ALCMTR.EXE
"CTHelper"=CTHELPER.EXE
"CTxfiHlp"=CTXFIHLP.EXE
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"PDF5 Registry Controller"=c:\program files\Nuance\PDF Professional 5\RegistryController.exe
"PDFHook"=c:\program files\Nuance\PDF Professional 5\pdfpro5hook.exe
"RTHDCPL"=RTHDCPL.EXE
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"nwiz"=nwiz.exe /install
"SkyTel"=SkyTel.EXE
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"NeroCheck"=c:\windows\system32\NeroCheck.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
"RTHDCPL.EXE"=c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
R1 prcmondrv;prcmondrv;c:\windows\system32\drivers\prcmondrv1041.sys [5/18/2009 07:29 PM 18432]
S1 SDManager;SDManager; [x]
S3 PDFProFiltSrv;PDFProFiltSrv;c:\program files\Nuance\PDF Professional 5\PDFProFiltSrv.exe [2/2/2008 02:20 AM 144672]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/20/2010 07:15 PM 135664]
S4 LMIInfo;LogMeIn Kernel Information Provider; [x]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\lmirfsdriver.sys [5/18/2009 04:10 AM 47640]
S4 MEMSWEEP2;MEMSWEEP2; [x]
S4 StatsJunky_ERService;StatsJunky_ERService;c:\program files\StatsJunky\StatsJunky_ERService.exe [3/8/2009 05:40 AM 282624]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
FF - ProfilePath - c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Gabrielle\Application Data\Mozilla\Firefox\Profiles\feu3dl6s.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2010-02-10 03:10
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer,
http://www.gmer.netdevice: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A57E900]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> 0x8a57e900
\Driver\atapi -> atapi.sys @ 0xb9ef1852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: NVIDIA nForce 10/100 Mbps Ethernet -> SendCompleteHandler -> 0x89569330
PacketIndicateHandler -> NDIS.sys @ 0xb9dcda21
SendHandler -> NDIS.sys @ 0xb9dab87b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x03A384C41
malicious code @ sector 0x03A384C44 !
PE file found in sector at 0x03A384C5A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(908)
c:\windows\system32\relog_ap.dll
- - - - - - - > 'explorer.exe'(436)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-10 03:11:51
ComboFix-quarantined-files.txt 2010-02-10 13:11
ComboFix2.txt 2010-02-04 16:05
Pre-Run: 20,145,627,136 bytes free
Post-Run: 20,097,159,168 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - A3A6CD200C0464EC7231BF2CC2B33241
HERE IS MY GMER LOG - It never did finish running since it froze in the middle.
GMER 1.0.15.15281 -
http://www.gmer.netRootkit scan 2010-02-10 04:06:26
Windows 5.1.2600 Service Pack 3
Running: nth39gwh.exe; Driver: C:\DOCUME~1\GABRIE~1\LOCALS~1\Temp\fwrdqpog.sys
---- System - GMER 1.0.15 ----
SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys (Process Monitor driver/Igor Nys) ZwCreateProcess [0xB2FB1C1C]
SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys (Process Monitor driver/Igor Nys) ZwCreateProcessEx [0xB2FB1C36]
SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys (Process Monitor driver/Igor Nys) ZwOpenKey [0xB2FB1C6A]
SSDT \??\C:\WINDOWS\system32\drivers\prcmondrv1041.sys (Process Monitor driver/Igor Nys) ZwTerminateProcess [0xB2FB1C50]
---- Devices - GMER 1.0.15 ----
Device \Driver\ACPI \Device\00000060 8997C6E8
Device \Driver\ACPI \Device\00000061 8997C6E8
Device \Driver\ACPI \Device\00000055 8997C6E8
Device \Driver\ACPI \Device\00000056 8997C6E8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
Device \Driver\ACPI \Device\00000071 8997C6E8
Device \Driver\ACPI \Device\00000058 8997C6E8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
Device \Driver\ACPI \Device\00000074 8997C6E8
Device \Driver\ACPI \Device\00000075 8997C6E8
Device \Driver\ACPI \Device\00000069 8997C6E8
Device \Driver\ACPI \Device\00000078 8997C6E8
Device \Driver\ACPI \Device\00000079 8997C6E8
Device \Driver\ACPI \Device\0000005a 8997C6E8
Device \Driver\ACPI \Device\0000005b 8997C6E8
Device \Driver\ACPI \Device\0000005c 8997C6E8
Device \Driver\ACPI \Device\0000005e 8997C6E8
Device \Driver\ACPI \Device\0000006c 8997C6E8
Device \Driver\ACPI \Device\0000007a 8997C6E8
Device \Driver\ACPI \Device\0000006d 8997C6E8
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\DS@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\DS\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\DS\ObjectNames@Directory Service Object 7680
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames@PolicyObject 5632
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames@SecretObject 5648
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames@TrustedDomainObject 5664
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames@UserAccountObject 5680
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\NetDDE Object@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\NetDDE Object\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\NetDDE Object\ObjectNames@DDE Share 7424
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager\ObjectNames@SC_MANAGER Object 7168
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager\ObjectNames@SERVICE Object 7184
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@CategoryCount 9
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@GuidMessageFile %SystemRoot%\System32\NtMarta.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@EventMessageFile %SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\System32\xpsp2res.dll;%SystemRoot%\System32\xpsp3res.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@TypesSupported 28
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Channel 5120
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Desktop 6672
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Device 4352
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Directory 4368
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Event 4384
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@EventPair 4400
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@File 4416
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@IoCompletion 4864
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Job 5136
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Key 4432
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@MailSlot 4416
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Mutant 4448
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@NamedPipe 4416
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Port 4464
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Process 4480
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Profile 4496
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Section 4512
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Semaphore 4528
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@SymbolicLink 4544
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Thread 4560
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Timer 4576
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Token 4592
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Type 4608
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@WaitablePort 4464
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@WindowStation 6656
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_ALIAS 5424
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_DOMAIN 5392
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_GROUP 5408
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_SERVER 5376
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_USER 5440
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 3.0.0.0@TypesSupported 31
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 3.0.0.0@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 3.0.0.0@CategoryCount 3
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 3.0.0.0@ParameterMessageFile C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 3.0.0.0@EventMessageFile C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 3.0.0.0@EventSourceFlags 1
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler\ObjectNames (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler\ObjectNames@Document 6944
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler\ObjectNames@Printer 6928
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler\ObjectNames@Server 6912
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS\ObjectNames@Directory Service Object 7680
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@PolicyObject 5632
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@SecretObject 5648
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@TrustedDomainObject 5664
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@UserAccountObject 5680
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object\ObjectNames@DDE Share 7424
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames@SC_MANAGER Object 7168
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames@SERVICE Object 7184
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@CategoryCount 9
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@GuidMessageFile %SystemRoot%\System32\NtMarta.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@EventMessageFile %SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\System32\xpsp2res.dll;%SystemRoot%\System32\xpsp3res.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@TypesSupported 28
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Channel 5120
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Desktop 6672
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Device 4352
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Directory 4368
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Event 4384
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@EventPair 4400
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@File 4416
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@IoCompletion 4864
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Job 5136
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Key 4432
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@MailSlot 4416
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Mutant 4448
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@NamedPipe 4416
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Port 4464
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Process 4480
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Profile 4496
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Section 4512
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Semaphore 4528
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@SymbolicLink 4544
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Thread 4560
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Timer 4576
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Token 4592
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Type 4608
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@WaitablePort 4464
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@WindowStation 6656
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_ALIAS 5424
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_DOMAIN 5392
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_GROUP 5408
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_SERVER 5376
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_USER 5440
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@TypesSupported 31
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@CategoryCount 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@ParameterMessageFile C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@EventMessageFile C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@EventSourceFlags 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Document 6944
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Printer 6928
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Server 6912
Thank you for your help with this problem. It looks like a nasty one.
Gabrielle