i am infected


  • This topic is locked
17 replies to this topic

#1 peterp150

peterp150

  • Members
  • 21 posts
  • OFFLINE
  • Local time:01:06 PM

Posted 29 September 2010 - 10:48 AM

Have attempted to fix the problem by running rkill in safe mode. The process itself is stopped immediately after it starts; also tried renaming it as suggested. mbam will run for a few seconds, but halts, and the mbam directory in Program Files has had its permissions changed: I get an 'access denied' error if I try to run it again. If mbam is re-installed it will run with the same results as above. Any other anti-malware product does the same thing, i.e. HijackThis, Kaspersky Virus Removal Tool, etc. all run once, terminate, then give an 'access denied' message if I attempt to run them again (unless removed & re-installed). Windows XP SP3. The system in question can no longer access the internet with a web browser, but commands like ping & nslookup function.

gmer runs for about 30 minutes and then the system crashes; I have run it several times with the same result. I do have a bitmap image of what is displayed in the RootKit/Malware screen of gmer prior to the system crash. Tried cropping it to fit as an attachment, still too large. No log is generated.


DDS (Ver_10-03-17.01) - NTFSx86 MINIMAL
Run by Administrator at 0:04:40.82 on Wed 09/29/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1764 [GMT -4:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Kaspersky Anti-Virus *On-access scanning enabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [SYMNRT] c:\program files\internet explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/P...00010f.000004b3
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PRONoMgrWired] c:\program files\intel\prosetwired\ncs\proset\PRONoMgr.exe
mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DT ACR] c:\program files\common files\portrait displays\shared\DT_startup.exe -ACR
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
dRunOnce: [SWHelper] "c:\windows\system32\macromed\shockwave 10\PostUpdate.exe" 1010011
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\setup_~1.lnk - c:\documents and settings\administrator\desktop\virus removal tool\setup_9.0.0.722_28.09.2010_04-29\startup.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\npjpi160_07.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142550407406
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38126.7054861111
DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} - hxxp://kdx.kontiki.com/kdx/Client403/kdx.cab
DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/aio/en/check/qdiagh.cab?319
TCP: NameServer = 93.188.163.75,93.188.166.110
TCP: {F0D00B89-6D57-4743-B451-C5E61F64C589} = 93.188.163.75,93.188.166.110
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 04080392;04080392 Boot Guard Driver;c:\windows\system32\drivers\04080392.sys [2010-9-27 37392]
R0 09810122;09810122 Boot Guard Driver;c:\windows\system32\drivers\09810122.sys [2010-9-28 37392]
R0 38617172;38617172 Boot Guard Driver;c:\windows\system32\drivers\38617172.sys [2010-9-28 37392]
R0 51914252;51914252 Boot Guard Driver;c:\windows\system32\drivers\51914252.sys [2010-9-28 37392]
R3 mvb35316;mvb35316;c:\windows\system32\drivers\mvb35316.sys [2001-8-23 12800]
S0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-6-15 128016]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-12-15 33808]
S1 04080391;04080391;c:\windows\system32\drivers\04080391.sys [2010-9-27 128016]
S1 09810121;09810121;c:\windows\system32\drivers\09810121.sys [2010-9-28 128016]
S1 38617171;38617171;c:\windows\system32\drivers\38617171.sys [2010-9-28 128016]
S1 51914251;51914251;c:\windows\system32\drivers\51914251.sys [2010-9-28 128016]
S1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-9-27 296976]
S1 setup_9.0.0.722_28.09.2010_04-29drv;setup_9.0.0.722_28.09.2010_04-29drv;c:\windows\system32\drivers\0981012.sys [2010-9-28 315408]
S2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe [2009-7-3 303376]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-12-7 47640]
S2 mrtRate;mrtRate; [x]
S2 PdiService;Portrait Displays SDK Service;c:\program files\common files\portrait displays\drivers\pdisrvc.exe [2010-1-24 90112]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-6-24 92008]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-5-13 31760]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]
S3 ute3mjk4;AVZ Kernel Driver;c:\windows\system32\drivers\ute3mjk4.sys [2010-9-28 7168]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-09-28 18:30:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-28 18:30:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-28 18:30:39 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-28 17:52:41 1507328 ----a-w- C:\ffastunT.ffl
2010-09-28 13:56:36 37392 ----a-w- c:\windows\system32\drivers\09810122.sys
2010-09-28 13:56:36 315408 ----a-w- c:\windows\system32\drivers\0981012.sys
2010-09-28 13:56:36 128016 ----a-w- c:\windows\system32\drivers\09810121.sys
2010-09-28 07:29:27 7168 ----a-w- c:\windows\system32\drivers\ute3mjk4.sys
2010-09-28 07:27:13 37392 ----a-w- c:\windows\system32\drivers\51914252.sys
2010-09-28 07:27:13 315408 ----a-w- c:\windows\system32\drivers\5191425.sys
2010-09-28 07:27:13 128016 ----a-w- c:\windows\system32\drivers\51914251.sys
2010-09-28 04:13:10 37392 ----a-w- c:\windows\system32\drivers\38617172.sys
2010-09-28 04:13:09 315408 ----a-w- c:\windows\system32\drivers\3861717.sys
2010-09-28 04:13:09 128016 ----a-w- c:\windows\system32\drivers\38617171.sys
2010-09-28 04:09:27 8704 --sha-w- c:\windows\Thumbs.db
2010-09-28 04:08:24 4096 --sha-w- C:\Thumbs.db
2010-09-28 01:52:19 37392 ----a-w- c:\windows\system32\drivers\04080392.sys
2010-09-28 01:52:19 128016 ----a-w- c:\windows\system32\drivers\04080391.sys
2010-09-28 01:52:18 315408 ----a-w- c:\windows\system32\drivers\0408039.sys
2010-09-28 00:09:02 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2010-09-28 00:05:29 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2010-09-28 00:05:29 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2010-09-28 00:04:07 0 d-----w- c:\program files\Kaspersky Lab
2010-09-28 00:04:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2010-09-27 22:38:46 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2010-09-27 22:38:46 1306624 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-09-27 22:33:00 19569 ----a-w- c:\windows\005908_.tmp
2010-09-27 22:10:18 81920 ------w- c:\windows\system32\ieencode.dll
2010-09-27 22:10:17 380416 ------w- c:\windows\system32\irprops.cpl
2010-09-27 22:10:16 162304 ------w- c:\windows\system32\wuaucpl.cpl
2010-09-27 22:08:21 0 d-----w- c:\windows\ServicePackFiles
2010-09-27 22:05:23 19528 ----a-w- c:\windows\002672_.tmp
2010-09-27 20:56:22 42 ----a-w- c:\windows\system32\AK083E209605E394C.lie
2010-09-27 20:37:59 9728 -c--a-w- c:\windows\system32\dllcache\query.exe
2010-09-27 20:36:59 838144 -c--a-w- c:\windows\system32\dllcache\chtbrkr.dll
2010-09-27 20:31:22 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-09-27 20:31:15 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-09-27 20:31:15 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-09-27 20:31:15 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-09-27 20:31:15 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-09-27 20:26:41 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2010-09-27 20:26:38 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-09-27 20:25:26 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-09-27 20:25:14 0 d-----w- c:\windows\system32\ReinstallBackups
2010-09-27 20:23:39 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2010-09-27 20:21:57 8574 -c--a-w- c:\windows\system32\dllcache\IASNT4.CAT
2010-09-27 20:21:57 797189 -c--a-w- c:\windows\system32\dllcache\NT5IIS.CAT
2010-09-27 20:21:57 7382 -c--a-w- c:\windows\system32\dllcache\OEMBIOS.CAT
2010-09-27 20:21:57 399645 -c--a-w- c:\windows\system32\dllcache\MAPIMIG.CAT
2010-09-27 20:21:57 37484 -c--a-w- c:\windows\system32\dllcache\MW770.CAT
2010-09-27 20:21:57 13472 -c--a-w- c:\windows\system32\dllcache\HPCRDP.CAT
2010-09-27 20:21:52 13608 ----a-r- c:\windows\SET133.tmp
2010-09-27 20:21:49 1085913 ----a-r- c:\windows\SET127.tmp
2010-09-27 16:12:42 2145386496 ----a-w- c:\windows\MEMORY.DMP
2010-09-27 16:12:42 0 d-----w- c:\windows\msapps
2010-09-27 03:42:24 391 ----a-w- C:\PPT12.pcb
2010-09-27 03:41:50 37814 ----a-w- C:\MSO1033.acl
2010-09-27 03:30:48 0 d-----w- c:\program files\Trend Micro
2010-09-27 02:56:40 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-09-27 02:13:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-26 06:45:54 0 d--h--w- C:\$AVG
2010-09-25 23:58:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-09-25 23:30:47 12936 ----a-w- c:\windows\setupapi.old
2010-09-25 21:33:39 6424 ----a-w- C:\QDATA.QTX
2010-09-25 21:33:39 369664 ----a-w- C:\QDATA.QEL
2010-09-25 21:33:39 1202594 ----a-w- C:\QDATA.IDX
2010-09-25 21:33:39 112481 ----a-w- C:\QDATA.QPH
2010-09-25 21:33:38 8844912 ----a-w- C:\QDATA.QDF
2010-09-25 16:31:38 0 d-----w- c:\docume~1\admini~1\applic~1\Tific
2010-09-25 16:16:35 0 d-sh--w- c:\documents and settings\administrator\IETldCache
2010-09-23 22:17:05 0 d-----w- C:\downloads
2010-09-16 16:23:31 0 dc-h--w- c:\windows\ie8
2010-09-16 16:08:00 16883056 ----a-w- C:\IE8-WindowsXP-x86-ENU.exe
2010-09-16 16:06:13 15452536 ----a-w- C:\IE7-WindowsXP-x86-enu.exe

==================== Find3M ====================

2010-09-27 20:30:14 23348 ----a-w- c:\windows\system32\emptyregdb.dat
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2006-10-28 19:46:41 4 -c--a-w- c:\program files\common files\Cvtaqlog.dat
2008-07-12 00:12:13 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071120080712\index.dat

============= FINISH: 0:05:36.09 ===============

Have downloaded and attempted to run Trend Micro's command line anti-virus/malware package 'Sysclean'. This is the only piece of software that has not terminated after a few seconds and then failed with an 'access denied' message when run again. However, many files are being skipped with an error code of -94, which means 'unable to access'. These files include .mp3s, .wmas, and a bunch of executables, which I assume have been infected with something. Is there a way of resetting permissions on everything so my anti-virus tools can successfully scan them? I hope that in safe mode as admin, the permissions will not be changed by whatever is causing this mess. Thank you in advance.

Have run 'secedit' to reset permissions on Windows. Many of the access denied errors have ceased, but any anti-virus package, i.e. mbam, syscleaner, kaspersky, all halt within a few seconds of running. Attempting to run again gets the 'access denied' message unless the package is re-installed.

Have also run sfc to replace any corrupt system files.

EDIT: Posts merged ~BP

Edited by Budapest, 30 September 2010 - 04:04 PM.



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:06 PM

Posted 03 October 2010 - 02:51 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
  1. Do not run any other tool until instructed to do so!
  2. Please do not attach logs or put them in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having, as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine; if it does, click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait until the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


information and logs:
    In your next post I need the following
      1. logs from DDS
      2. log from RKUnHooker
      3. let me know of any problems you may have had

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 peterp150

peterp150
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:01:06 PM

Posted 04 October 2010 - 08:48 PM

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xA8A32000 C:\WINDOWS\system32\DRIVERS\04080391.sys 5373952 bytes (Kaspersky Lab, Kaspersky Unified Driver)
0xA8F52000 C:\WINDOWS\system32\DRIVERS\09810121.sys 5373952 bytes (Kaspersky Lab, Kaspersky Unified Driver)
0xA9472000 C:\WINDOWS\system32\DRIVERS\38617171.sys 5373952 bytes (Kaspersky Lab, Kaspersky Unified Driver)
0xA9992000 C:\WINDOWS\system32\DRIVERS\51914251.sys 5373952 bytes (Kaspersky Lab, Kaspersky Unified Driver)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2260992 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2260992 bytes
0x804D7000 RAW 2260992 bytes
0x804D7000 WMIxWDM 2260992 bytes
0xBF080000 C:\WINDOWS\System32\ati3duag.dll 1892352 bytes (ATI Technologies Inc. , ati3duag.dll)
0xBF800000 Win32k 1847296 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1847296 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBA61F000 C:\WINDOWS\System32\DRIVERS\ati2mtag.sys 815104 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xF7B52000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xBF24E000 C:\WINDOWS\System32\ativvaxx.dll 520192 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xBA3ED000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 466944 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))
0xA9EB2000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xBA367000 C:\WINDOWS\system32\drivers\ALCXSENS.SYS 401408 bytes (Sensaura Ltd, Sensaura WDM 3D Audio Driver)
0xBA2E1000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA9FBD000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA8450000 C:\WINDOWS\System32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0xAA168000 C:\WINDOWS\system32\DRIVERS\0981012.sys 331776 bytes (Kaspersky Lab, Klif Mini-Filter [fre_wnet_x86])
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA84F2000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xAA108000 C:\WINDOWS\System32\Drivers\cdudf_xp.SYS 262144 bytes (Roxio, CD-UDF NT Filesystem Driver)
0xBF048000 C:\WINDOWS\System32\ati2cqag.dll 229376 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 221184 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xAA063000 C:\WINDOWS\System32\Drivers\UdfReadr_xp.SYS 217088 bytes (Roxio, CD-UDF NT Filesystem Reader Driver)
0xF75A8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA8623000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7408000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA7928000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA9F22000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xA9F95000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xA9F6F000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xAA0AA000 C:\WINDOWS\System32\Drivers\DVDVRRdr_xp.SYS 147456 bytes (Roxio, DVDVR XP Filesystem Reader Driver)
0xA7A1E000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xBA3C9000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xBA5C8000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xBA4F4000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA9F4D000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806FF000 ACPI_HAL 134400 bytes
0x806FF000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7471000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xBA5EC000 C:\WINDOWS\System32\DRIVERS\e1000325.sys 126976 bytes (Intel Corporation, Intel® PRO/1000 Adapter NDIS 5.1 deserialized driver)
0xF74D8000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xBA4D7000 C:\WINDOWS\System32\Drivers\pwd_2k.SYS 118784 bytes (Roxio, Win2000 Framework for Packet Write Driver)
0xF787D000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF74C0000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA8902000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7491000 C:\WINDOWS\System32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF7448000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xBA350000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xF74A9000 SI3114R.sys 94208 bytes (Silicon Image, Inc, SATARAID miniport driver (PRE-RELEASE))
0xA8053000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xBA60B000 C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xAA016000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF7435000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF745F000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xBA517000 C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS 69632 bytes (Roxio, CDR4_XP CDR Helper)
0xF7597000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xBA33F000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xBA598000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7577000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF76D7000 C:\WINDOWS\System32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF7607000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xBA780000 C:\WINDOWS\System32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF7547000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7567000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA80C8000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA7B0000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7617000 C:\WINDOWS\System32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF76A7000 04080392.sys 53248 bytes (Kaspersky Lab, Kaspersky Lab Boot Guard Driver)
0xF7697000 09810122.sys 53248 bytes (Kaspersky Lab, Kaspersky Lab Boot Guard Driver)
0xF7687000 38617172.sys 53248 bytes (Kaspersky Lab, Kaspersky Lab Boot Guard Driver)
0xF7677000 51914252.sys 53248 bytes (Kaspersky Lab, Kaspersky Lab Boot Guard Driver)
0xF7657000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7587000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF7537000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA568000 C:\WINDOWS\System32\DRIVERS\STREAM.SYS 53248 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
0xF7637000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7517000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7667000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xBA5B8000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7557000 C:\WINDOWS\System32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7627000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF7527000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF75F7000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xA8838000 C:\WINDOWS\system32\drivers\LMIRfsDriver.sys 40960 bytes (LogMeIn, Inc., LogMeIn Rfs Drivemap Driver)
0xBA7F0000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF76F7000 C:\WINDOWS\System32\drivers\pivot.sys 40960 bytes (Portrait Displays, Inc., Pivot Software Miniport Driver)
0xF74F7000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7647000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7507000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA770000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA81E0000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF76E7000 C:\WINDOWS\System32\DRIVERS\processr.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA790000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA477000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA497000 C:\WINDOWS\System32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF775F000 C:\WINDOWS\System32\DRIVERS\atinmdxx.sys 28672 bytes (ATI Technologies Inc., ATI Specialized MVD VBI Codec RT2)
0xF778F000 C:\WINDOWS\System32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xBA4A7000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF7767000 C:\WINDOWS\System32\Drivers\mvb35316.SYS 28672 bytes
0xF7707000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF780F000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF77BF000 C:\WINDOWS\System32\Drivers\Cdralw2k.SYS 24576 bytes (Roxio, CDRAL for Windows 2000 Kernel Driver)
0xF7777000 C:\WINDOWS\System32\Drivers\dvd_2K.SYS 24576 bytes (Roxio, DVD-RAM AddOn Driver)
0xF77D7000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF77A7000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF779F000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF777F000 C:\WINDOWS\System32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xBA49F000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7797000 C:\WINDOWS\System32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xBA487000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7817000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF771F000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7807000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF77E7000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF789F000 C:\WINDOWS\System32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xBA72C000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA87C0000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF789B000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xAA031000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF7947000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA734000 C:\WINDOWS\System32\Drivers\PdiPorts.sys 12288 bytes (Portrait Displays, Inc., PdiPorts Device Driver)
0xBA730000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF78A3000 SiWinAcc.sys 12288 bytes (Silicon Image, Inc., Windows Accelerator Driver)
0xF799F000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7A01000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF799B000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF79B3000 C:\WINDOWS\System32\Drivers\MCSTRM.SYS 8192 bytes (RealNetworks, Inc., RealNetworks Virtual Path Manager®)
0xF79A3000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF79A7000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7991000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7997000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7989000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA6EC000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7ABA000 C:\WINDOWS\System32\Drivers\BANTExt.sys 4096 bytes
0xF7A9C000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7A90000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A4F000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
0x05570000 Hidden Image-->Intuit.Spc.Map.WindowsFirewallUtilities.dll [ EPROCESS 0x899715D0 ] PID: 1564, 1077248 bytes
0x05510000 Hidden Image-->System.ServiceProcess.dll [ EPROCESS 0x899715D0 ] PID: 1564, 126976 bytes
0x05CC0000 Hidden Image-->Intuit.Spc.Esd.Client.BusinessLogic.dll [ EPROCESS 0x899715D0 ] PID: 1564, 135168 bytes
0x03EB0000 Hidden Image-->Intuit.Spc.Esd.Client.DataAccess.dll [ EPROCESS 0x899715D0 ] PID: 1564, 135168 bytes
0x05C60000 Hidden Image-->Intuit.Spc.Esd.Client.DataAccess.dll [ EPROCESS 0x899715D0 ] PID: 1564, 135168 bytes
0x03F40000 Hidden Image-->Intuit.Spc.Esd.Client.BusinessLogic.dll [ EPROCESS 0x899715D0 ] PID: 1564, 143360 bytes
0x03290000 Hidden Image-->System.XML.dll [ EPROCESS 0x899715D0 ] PID: 1564, 2060288 bytes
0x00EA0000 Hidden Image-->Intuit.Spc.Esd.Core.dll [ EPROCESS 0x899715D0 ] PID: 1564, 258048 bytes
0x04660000 Hidden Image-->System.EnterpriseServices.dll [ EPROCESS 0x899715D0 ] PID: 1564, 266240 bytes
0x043B0000 Hidden Image-->System.Transactions.dll [ EPROCESS 0x899715D0 ] PID: 1564, 270336 bytes
0x05920000 Hidden Image-->log4net.dll [ EPROCESS 0x899715D0 ] PID: 1564, 282624 bytes
0x00C40000 Hidden Image-->Intuit.Spc.Esd.WinClient.Application.UpdateService.PluginContract.dll [ EPROCESS 0x899715D0 ] PID: 1564, 28672 bytes
0x05850000 Hidden Image-->Intuit.Spc.Esd.Core.dll [ EPROCESS 0x899715D0 ] PID: 1564, 290816 bytes
0x04040000 Hidden Image-->System.Data.dll [ EPROCESS 0x899715D0 ] PID: 1564, 2961408 bytes
0x04C00000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x899715D0 ] PID: 1564, 307200 bytes
0x034B0000 Hidden Image-->System.dll [ EPROCESS 0x899715D0 ] PID: 1564, 3190784 bytes
0x00A00000 Hidden Image-->Intuit.Spc.Esd.WinClient.Application.UpdateService.dll [ EPROCESS 0x899715D0 ] PID: 1564, 36864 bytes
0x00EF0000 Hidden Image-->Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker.dll [ EPROCESS 0x899715D0 ] PID: 1564, 36864 bytes
0x058B0000 Hidden Image-->Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker.dll [ EPROCESS 0x899715D0 ] PID: 1564, 36864 bytes
0x03C10000 Hidden Image-->Intuit.Spc.Esd.WinClient.Api.Net.dll [ EPROCESS 0x899715D0 ] PID: 1564, 421888 bytes
0x06370000 Hidden Image-->Intuit.Spc.Map.WindowsFirewallUtilities.dll [ EPROCESS 0x899715D0 ] PID: 1564, 421888 bytes
0x03220000 Hidden Image-->System.configuration.dll [ EPROCESS 0x899715D0 ] PID: 1564, 438272 bytes
0x05BC0000 Hidden Image-->Intuit.Spc.Esd.WinClient.Api.Net.dll [ EPROCESS 0x899715D0 ] PID: 1564, 438272 bytes
0x03020000 Hidden Image-->Intuit.Spc.Foundations.Portability.dll [ EPROCESS 0x899715D0 ] PID: 1564, 471040 bytes
0x044A0000 Hidden Image-->Intuit.Spc.Map.Reporter.dll [ EPROCESS 0x899715D0 ] PID: 1564, 479232 bytes
0x05F70000 Hidden Image-->Intuit.Spc.Map.Reporter.dll [ EPROCESS 0x899715D0 ] PID: 1564, 479232 bytes
0x04E50000 Hidden Image-->System.Windows.Forms.dll [ EPROCESS 0x899715D0 ] PID: 1564, 5033984 bytes
0x00F10000 Hidden Image-->Intuit.Spc.Foundations.Primary.Logging.dll [ EPROCESS 0x899715D0 ] PID: 1564, 53248 bytes
0x00E00000 Hidden Image-->Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin.dll [ EPROCESS 0x899715D0 ] PID: 1564, 61440 bytes
0x057A0000 Hidden Image-->Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin.dll [ EPROCESS 0x899715D0 ] PID: 1564, 61440 bytes
0x05390000 Hidden Image-->System.Drawing.dll [ EPROCESS 0x899715D0 ] PID: 1564, 634880 bytes
0x00FD0000 Hidden Image-->Intuit.Spc.Foundations.Primary.ExceptionHandling.dll [ EPROCESS 0x899715D0 ] PID: 1564, 77824 bytes
0x03F70000 Hidden Image-->System.Data.SQLite.DLL [ EPROCESS 0x899715D0 ] PID: 1564, 778240 bytes
0x00E40000 Hidden Image-->Intuit.Spc.Esd.Client.Common.dll [ EPROCESS 0x899715D0 ] PID: 1564, 86016 bytes
0x031F0000 Hidden Image-->Intuit.Spc.Foundations.Primary.Config.dll [ EPROCESS 0x899715D0 ] PID: 1564, 86016 bytes
0x057E0000 Hidden Image-->Intuit.Spc.Esd.Client.Common.dll [ EPROCESS 0x899715D0 ] PID: 1564, 86016 bytes
0x05DD0000 Hidden Image-->System.Data.SQLite.DLL [ EPROCESS 0x899715D0 ] PID: 1564, 872448 bytes





Attached Files
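The RkU driver and stealth listings above are the raw material for a first triage pass. As an added example, not part of this thread and not an RkU feature, the script below parses that log format and sorts the entries into the buckets an analyst looks at first: drivers RkU printed with no publisher or description, the dump_* crash-dump entries (which have no file of that name on disk and so are expected to lack one), drivers whose file name is purely numeric, and hidden images grouped by the process that maps them. The sample lines are copied from the log above; the bucketing rules are my own choice.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the RkU log posted above, trimmed to a few of each kind.
SAMPLE_RKU_LOG = r"""
==============================================
>Drivers
==============================================
0xA8A32000 C:\WINDOWS\system32\DRIVERS\04080391.sys 5373952 bytes (Kaspersky Lab, Kaspersky Unified Driver)
0xF7B52000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xBA5EC000 C:\WINDOWS\System32\DRIVERS\e1000325.sys 126976 bytes (Intel Corporation, Intel® PRO/1000 Adapter NDIS 5.1 deserialized driver)
0xBA350000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA8902000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xA81E0000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF7767000 C:\WINDOWS\System32\Drivers\mvb35316.SYS 28672 bytes
0xF7ABA000 C:\WINDOWS\System32\Drivers\BANTExt.sys 4096 bytes
==============================================
>Stealth
==============================================
0x05570000 Hidden Image-->Intuit.Spc.Map.WindowsFirewallUtilities.dll [ EPROCESS 0x899715D0 ] PID: 1564, 1077248 bytes
0x05510000 Hidden Image-->System.ServiceProcess.dll [ EPROCESS 0x899715D0 ] PID: 1564, 126976 bytes
0x03290000 Hidden Image-->System.XML.dll [ EPROCESS 0x899715D0 ] PID: 1564, 2060288 bytes
"""

# One ">Drivers" line: load address, path (or bare module name), size, optional "(publisher, description)".
DRIVER_RE = re.compile(
    r"^(?P<addr>0x[0-9A-Fa-f]+)\s+(?P<path>\S+)\s+(?P<size>\d+) bytes(?:\s+\((?P<info>.*)\))?$"
)
# One ">Stealth" line: base address, module name, owning EPROCESS and PID, mapped size.
HIDDEN_RE = re.compile(
    r"^(?P<addr>0x[0-9A-Fa-f]+) Hidden Image-->(?P<name>\S+) \[ EPROCESS (?P<eproc>0x[0-9A-Fa-f]+) \]"
    r" PID: (?P<pid>\d+), (?P<size>\d+) bytes$"
)


def parse_rku_log(text):
    """Split an RkU report into a list of driver records and a list of hidden-image records."""
    drivers, hidden = [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        if line.startswith(">"):
            section = line[1:].strip().lower()  # ">Drivers" / ">Stealth"
            continue
        if section == "drivers":
            m = DRIVER_RE.match(line)
            if m:
                path = m.group("path")
                drivers.append({
                    "addr": int(m.group("addr"), 16),
                    "path": path,
                    "name": path.rsplit("\\", 1)[-1],
                    "size": int(m.group("size")),
                    "info": m.group("info"),  # None when RkU printed no publisher/description
                })
        elif section == "stealth":
            m = HIDDEN_RE.match(line)
            if m:
                hidden.append({"name": m.group("name"), "pid": int(m.group("pid")), "size": int(m.group("size"))})
    return drivers, hidden


def triage_rku_log(text):
    """Bucket the parsed records the way a first manual pass over the log would."""
    drivers, hidden = parse_rku_log(text)
    result = {"no_publisher": [], "crash_dump_copies": [], "numeric_names": [], "hidden_by_pid": defaultdict(list)}
    for d in drivers:
        stem = d["name"].rsplit(".", 1)[0]
        if d["name"].lower().startswith("dump_"):
            # dump_<driver> entries are the kernel's crash-dump copies of the boot storage stack;
            # no file of that name exists on disk, so a missing publisher is expected here.
            result["crash_dump_copies"].append(d["name"])
        elif d["info"] is None:
            # No version resource could be read: verify the file on disk (hash, signature, timestamp) first.
            result["no_publisher"].append(d["name"])
        if stem.isdigit():
            # Purely numeric names deserve a look even when labelled (here the Kaspersky ones are).
            result["numeric_names"].append(d["name"])
    for h in hidden:
        result["hidden_by_pid"][h["pid"]].append(h["name"])
    for key in ("no_publisher", "crash_dump_copies", "numeric_names"):
        result[key].sort()
    result["hidden_by_pid"] = dict(result["hidden_by_pid"])
    return result


if __name__ == "__main__":
    summary = triage_rku_log(SAMPLE_RKU_LOG)
    for bucket in ("no_publisher", "crash_dump_copies", "numeric_names"):
        print(f"{bucket}: {summary[bucket]}")
    for pid, names in summary["hidden_by_pid"].items():
        print(f"PID {pid}: {len(names)} hidden image(s)")
```

Run against the full log above, the no-publisher bucket holds mvb35316.SYS and BANTExt.sys, which is where checking the files on disk should start, while every hidden image listed belongs to PID 1564 and is a .NET assembly of a single Intuit update service; a whole set of managed assemblies in one process is worth reading as that process's own modules before treating it as injection.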



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:06 PM

Posted 04 October 2010 - 09:53 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
    In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 peterp150

peterp150
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:01:06 PM

Posted 05 October 2010 - 11:16 AM

Installed combofix, got a message that Norton 360 & Kaspersky were initialized; however, I had uninstalled both products, neither has anything in the system tray, and none of the processes running in Task Manager belong to those products. I can only assume the uninstall leaves things behind in the registry. The combofix process seemed to run successfully, 50 stages completed and several files removed. I allowed the system to reboot; when the log was created I tried to reinstall MBAM, same problem: the main screen comes up, I chose 'Quick Scan', it starts preparing to scan and terminates after a few seconds. If I try to run it again I get the following message: 'Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item'. I get the same message with other packages such as 'Hijack This', 'Eusing Registry Cleaner', etc. I have tried fixing the access issue with 'secedit' and 'subinacl', no success.

ComboFix 10-10-04.02 - Peter 10/05/2010 11:46:07.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1585 [GMT -4:00]
Running from: c:\documents and settings\Peter\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning enabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\My Documents\regedit.backup.reg
c:\documents and settings\All Users\Application Data\.wtav
c:\documents and settings\Peter\Local Settings\WhoAmi3.exe
C:\IE8-WI~1.EXE
C:\Thumbs.db
c:\windows\AutoRun.ini
c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15.inf
c:\windows\SET485.tmp
c:\windows\system32\_003797_.tmp.dll
c:\windows\system32\_003970_.tmp.dll
c:\windows\system32\_003971_.tmp.dll
c:\windows\system32\_003972_.tmp.dll
c:\windows\system32\_003973_.tmp.dll
c:\windows\system32\_003980_.tmp.dll
c:\windows\system32\ReadMe.txt

.
((((((((((((((((((((((((( Files Created from 2010-09-05 to 2010-10-05 )))))))))))))))))))))))))))))))
.

2010-10-05 01:01 . 2008-04-14 09:42 1306624 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-10-05 01:01 . 2008-04-14 02:57 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2010-10-05 00:57 . 2008-04-14 04:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-10-04 23:14 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-04 23:14 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-04 22:53 . 2010-10-05 01:01 -------- d-----w- c:\windows\ServicePackFiles
2010-10-04 21:33 . 2001-08-23 12:00 9728 -c--a-w- c:\windows\system32\dllcache\query.exe
2010-10-04 21:32 . 2001-08-23 12:00 9728 -c--a-w- c:\windows\system32\dllcache\change.exe
2010-10-04 21:32 . 2001-08-23 12:00 1677824 -c--a-w- c:\windows\system32\dllcache\chsbrkr.dll
2010-10-04 21:32 . 2001-08-23 12:00 15872 -c--a-w- c:\windows\system32\dllcache\chgport.exe
2010-10-04 21:32 . 2001-08-23 12:00 14336 -c--a-w- c:\windows\system32\dllcache\chgusr.exe
2010-10-04 21:32 . 2001-08-23 12:00 13312 -c--a-w- c:\windows\system32\dllcache\chglogon.exe
2010-10-04 21:32 . 2001-08-23 12:00 54528 -c--a-w- c:\windows\system32\dllcache\cap7146.sys
2010-10-04 21:32 . 2001-08-23 12:00 10752 -c--a-w- c:\windows\system32\dllcache\c_iscii.dll
2010-10-04 21:32 . 2001-08-23 12:00 6656 -c--a-w- c:\windows\system32\dllcache\c_is2022.dll
2010-10-04 21:32 . 2001-08-18 02:36 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2010-10-04 21:32 . 2001-08-18 02:36 312832 -c--a-w- c:\windows\system32\dllcache\EXCH_aqueue.dll
2010-10-04 21:32 . 2001-08-18 02:36 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2010-10-04 21:32 . 2001-08-18 02:36 2134528 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpsnap.dll
2010-10-04 21:32 . 2001-08-18 02:36 175104 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpadm.dll
2010-10-04 21:22 . 2008-04-14 09:42 184320 ----a-w- c:\windows\system32\accwiz.exe
2010-10-04 21:17 . 2008-04-14 04:15 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2010-10-04 21:17 . 2008-04-14 04:15 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-10-04 21:15 . 2008-04-14 04:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-10-04 21:13 . 2008-04-14 09:43 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2010-10-04 21:12 . 2008-04-14 09:42 146432 ----a-w- c:\windows\system\winspool.drv
2010-10-04 21:12 . 2008-04-14 09:42 74752 ----a-w- c:\windows\system32\storprop.dll
2010-10-04 21:12 . 2008-04-14 04:24 11264 ----a-w- c:\windows\system32\drivers\irenum.sys
2010-10-04 21:12 . 2001-08-23 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-10-04 21:12 . 2001-08-23 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-10-04 21:12 . 2001-08-23 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-10-04 21:12 . 2001-08-23 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-10-04 02:27 . 2010-10-04 02:27 -------- d-----w- c:\program files\Windows Resource Kits
2010-10-01 16:38 . 2010-10-05 15:55 -------- d-----w- c:\windows\system32\CatRoot2
2010-10-01 15:44 . 2010-10-05 02:46 32777 ----a-w- C:\AVZ_Report_syscure.zip
2010-10-01 15:31 . 2010-10-01 15:31 -------- d-----w- c:\program files\ATI Technologies
2010-10-01 15:31 . 2010-10-01 15:31 -------- d-----w- C:\ATI
2010-10-01 15:07 . 2010-06-09 07:43 692736 ----a-w- c:\windows\inetcomm.dll
2010-10-01 15:04 . 2008-04-14 00:12 10752 ----a-w- c:\windows\dumprep.exe
2010-09-30 15:21 . 2010-09-30 15:22 -------- d-----w- C:\tmp
2010-09-30 07:36 . 2010-09-30 07:36 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Malwarebytes
2010-09-30 04:47 . 2010-09-30 03:35 32768 ----a-w- C:\WhoAmi3.exe
2010-09-30 04:30 . 2010-09-30 04:30 -------- d-----w- c:\documents and settings\NetworkService\Application Data\DisplayTune
2010-09-30 02:27 . 2010-09-30 02:27 -------- d-----w- c:\documents and settings\Administrator\aaaa
2010-09-28 18:30 . 2010-10-04 23:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-28 13:56 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\09810122.sys
2010-09-28 13:56 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\0981012.sys
2010-09-28 13:56 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\09810121.sys
2010-09-28 07:27 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\51914252.sys
2010-09-28 07:27 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\5191425.sys
2010-09-28 07:27 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\51914251.sys
2010-09-28 04:13 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\38617172.sys
2010-09-28 04:13 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\3861717.sys
2010-09-28 04:13 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\38617171.sys
2010-09-28 01:52 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\04080392.sys
2010-09-28 01:52 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\04080391.sys
2010-09-28 01:52 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\0408039.sys
2010-09-28 00:04 . 2010-09-28 00:04 -------- d-----w- c:\program files\Kaspersky Lab
2010-09-27 22:10 . 2008-04-14 09:41 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-09-27 20:36 . 2010-09-27 20:36 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft
2010-09-27 20:30 . 2001-08-23 12:00 520192 -c--a-w- c:\windows\system32\dllcache\wmpvis.dll
2010-09-27 20:30 . 2001-08-23 12:00 110657 -c--a-w- c:\windows\system32\dllcache\wmmfilt.dll
2010-09-27 20:30 . 2001-08-23 12:00 319551 -c--a-w- c:\windows\system32\dllcache\wmmres.dll
2010-09-27 20:30 . 2001-08-23 12:00 163906 -c--a-w- c:\windows\system32\dllcache\wmmutil.dll
2010-09-27 16:12 . 2010-09-27 16:12 -------- d-----w- c:\windows\msapps
2010-09-27 04:50 . 2010-09-27 04:50 -------- d-----w- c:\documents and settings\Donna\Application Data\Malwarebytes
2010-09-27 03:30 . 2010-09-28 05:05 -------- d-----w- c:\program files\Trend Micro
2010-09-27 02:56 . 2010-09-27 02:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-09-27 02:13 . 2010-09-27 02:13 -------- d-----w- c:\documents and settings\Peter\Application Data\Malwarebytes
2010-09-27 02:13 . 2010-09-27 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-26 06:45 . 2010-09-26 06:45 -------- d-----w- C:\$AVG
2010-09-26 00:28 . 2010-09-26 00:28 -------- d-----w- c:\documents and settings\Peter\Local Settings\Application Data\NPE
2010-09-25 23:58 . 2010-09-30 23:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-09-25 23:42 . 2010-09-25 23:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NPE
2010-09-25 21:35 . 2010-09-25 21:35 -------- d-----w- c:\documents and settings\Peter\Application Data\Tific
2010-09-25 21:35 . 2010-09-25 21:35 -------- d-----w- c:\documents and settings\Peter\Local Settings\Application Data\Symantec
2010-09-25 16:31 . 2010-09-25 16:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Tific
2010-09-25 16:16 . 2010-09-25 16:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
2010-09-25 16:16 . 2010-09-25 16:16 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-09-24 22:38 . 2010-09-24 22:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-09-24 22:27 . 2010-09-25 16:34 -------- d-----w- c:\documents and settings\Peter\Application Data\2FCDE74F763D0FB5576065FABE8F09E8
2010-09-23 22:17 . 2010-09-30 21:37 -------- d-----w- C:\downloads
2010-09-16 16:23 . 2010-09-16 16:25 -------- dc-h--w- c:\windows\ie8
2010-09-16 16:06 . 2010-09-16 16:06 15452536 ----a-w- C:\IE7-WindowsXP-x86-enu.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-05 15:26 . 2006-12-17 21:46 -------- d-----w- c:\program files\Canon
2010-10-04 21:27 . 2010-10-04 21:25 76825 ----a-w- c:\windows\pchealth\HELPCTR\OfflineCache\index.dat
2010-10-04 21:23 . 2004-05-19 11:24 23388 ----a-w- c:\windows\system32\emptyregdb.dat
2010-10-01 15:36 . 2010-01-24 18:23 62009 ----a-w- c:\windows\system32\wpfb_ati2dvag.dll
2010-10-01 08:41 . 2008-08-17 17:57 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-09-30 22:27 . 2010-01-24 18:23 62009 ----a-w- c:\windows\system32\wpfb_lmimirr.dll
2010-09-30 02:36 . 2004-12-27 01:03 -------- d-----w- c:\program files\Google
2010-09-29 05:00 . 2008-12-14 19:42 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-09-29 04:49 . 2004-05-19 11:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-29 04:47 . 2004-08-01 01:35 -------- d-----w- c:\program files\Broderbund
2010-09-29 04:34 . 2007-07-07 19:06 -------- d-----w- c:\program files\Java
2010-09-29 04:19 . 2004-05-20 00:17 -------- d-----w- c:\program files\ATI Multimedia
2010-09-29 04:15 . 2004-05-20 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI MMC
2010-09-28 05:54 . 2004-05-25 22:19 55640 ----a-w- c:\documents and settings\Peter\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-27 23:26 . 2007-06-24 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-09-27 21:42 . 2010-05-14 16:28 -------- d-----w- c:\program files\Norton1360
2010-09-27 21:39 . 2004-05-20 18:37 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-09-26 00:26 . 2007-01-02 04:12 -------- d-----w- c:\program files\Windows Defender
2010-09-25 23:42 . 2010-05-14 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-09-25 21:42 . 2004-06-03 15:47 -------- d-----w- c:\program files\Quicken
2010-09-23 22:34 . 2010-08-14 13:46 -------- d-----w- c:\documents and settings\Peter\Application Data\vlc
2010-09-07 22:15 . 2004-06-30 19:43 -------- d-----w- c:\documents and settings\Peter\Application Data\WeatherBug
2010-09-01 18:46 . 2010-09-01 18:46 6725632 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181625-18178.dll
2010-08-29 01:00 . 2004-08-23 16:11 74008 ----a-w- c:\documents and settings\Donna\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-27 12:02 . 2010-08-27 12:02 92816 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2011 11.0.1.400\English\setup.exe
2010-08-26 00:52 . 2007-04-10 02:55 -------- d-----w- c:\documents and settings\Peter\Application Data\Canon
2010-08-11 19:42 . 2009-02-23 23:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-11 16:26 . 2010-08-11 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\IM
2010-08-11 16:24 . 2010-08-11 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\IncrediMail
2010-07-22 05:57 . 2009-04-16 00:34 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2006-10-28 19:46 . 2006-10-28 19:46 4 -c--a-w- c:\program files\Common Files\Cvtaqlog.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2004-06-26 1593344]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-06-24 247144]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]
"Tweak UI"="TWEAKUI.CPL" [2005-03-05 106544]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 86016]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"DT ACR"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2008-06-06 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SoundMan"="SOUNDMAN.EXE" [2003-10-08 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\ctfmon.exe" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SWHelper"="c:\windows\system32\Macromed\Shockwave 10\PostUpdate.exe" [2010-09-25 53248]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\Peter\Start Menu\Programs\Startup\
HotSync Manager.LNK - c:\program files\palmOne\HOTSYNC.EXE [2004-4-12 299008]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 01:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\kdx\\khost.exe"=
"c:\\Program Files\\iMesh Applications\\iMesh6\\iMesh6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 04080392;04080392 Boot Guard Driver;c:\windows\system32\drivers\04080392.sys [9/27/2010 9:52 PM 37392]
R0 09810122;09810122 Boot Guard Driver;c:\windows\system32\drivers\09810122.sys [9/28/2010 9:56 AM 37392]
R0 38617172;38617172 Boot Guard Driver;c:\windows\system32\drivers\38617172.sys [9/28/2010 12:13 AM 37392]
R0 51914252;51914252 Boot Guard Driver;c:\windows\system32\drivers\51914252.sys [9/28/2010 3:27 AM 37392]
R1 04080391;04080391;c:\windows\system32\drivers\04080391.sys [9/27/2010 9:52 PM 128016]
R1 09810121;09810121;c:\windows\system32\drivers\09810121.sys [9/28/2010 9:56 AM 128016]
R1 38617171;38617171;c:\windows\system32\drivers\38617171.sys [9/28/2010 12:13 AM 128016]
R1 51914251;51914251;c:\windows\system32\drivers\51914251.sys [9/28/2010 3:27 AM 128016]
R1 setup_9.0.0.722_28.09.2010_04-29drv;setup_9.0.0.722_28.09.2010_04-29drv;c:\windows\system32\drivers\0981012.sys [9/28/2010 9:56 AM 315408]
R2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [1/24/2010 2:22 PM 90112]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [6/24/2010 10:41 AM 92008]
R3 mvb35316;mvb35316;c:\windows\system32\drivers\mvb35316.sys [8/23/2001 8:00 AM 12800]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S2 mrtRate;mrtRate; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-09-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
.
- - - - ORPHANS REMOVED - - - -

AddRemove-{AAC4FC36-8F89-4587-8DD3-EBC57C83374D} - c:\program files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\setup\hpzscr01.exe



[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\EventSystem]
"ServiceDll"="c:\windows\System32\es.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Fastfat]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\FastUserSwitchingCompatibility]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Fdc]
"ImagePath"="System32\DRIVERS\fdc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Fips]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Flpydisk]
"ImagePath"="System32\DRIVERS\flpydisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\FltMgr]
"ImagePath"="system32\drivers\fltmgr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\FontCache3.0.0.0]
"ImagePath"="c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Fs_Rec]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Ftdisk]
"ImagePath"="System32\DRIVERS\ftdisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\GEARAspiWDM]
"ImagePath"="System32\Drivers\GEARAspiWDM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\getPlus® Helper]
"ImagePath"="c:\program files\NOS\bin\getPlus_HelperSvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Gpc]
"ImagePath"="System32\DRIVERS\msgpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\gupdate]
"ImagePath"="\"c:\program files\Google\Update\GoogleUpdate.exe\" /svc"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\helpsvc]
"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HidBatt]
"ImagePath"="system32\DRIVERS\HidBatt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HidServ]
"ServiceDll"=" %SystemRoot%\System32\hidserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HidUsb]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hkmsvc]
"ServiceDll"="%SystemRoot%\System32\kmsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hpn]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hpt3xx]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HPZid412]
"ImagePath"="system32\DRIVERS\HPZid412.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HPZipr12]
"ImagePath"="system32\DRIVERS\HPZipr12.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HPZius12]
"ImagePath"="system32\DRIVERS\HPZius12.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HTTP]
"ImagePath"="System32\Drivers\HTTP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HTTPFilter]
"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\i2omgmt]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\i2omp]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\i8042prt]
"ImagePath"="System32\DRIVERS\i8042prt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IDriverT]
"ImagePath"="\"c:\program files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\idsvc]
"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ILADFtmi]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Imapi]
"ImagePath"="System32\DRIVERS\imapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ImapiService]
"ImagePath"="%systemroot%\system32\imapi.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\inetaccs]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ini910u]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Inport]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IntelIde]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\intelppm]
"ImagePath"="System32\DRIVERS\intelppm.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IntuitUpdateService]
"ImagePath"="\"c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Ip6Fw]
"ImagePath"="system32\drivers\ip6fw.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IpFilterDriver]
"ImagePath"="System32\DRIVERS\ipfltdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IpInIp]
"ImagePath"="System32\DRIVERS\ipinip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IpNat]
"ImagePath"="System32\DRIVERS\ipnat.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\iPod Service]
"ImagePath"="\"c:\program files\iPod\bin\iPodService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IPSec]
"ImagePath"="System32\DRIVERS\ipsec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IRENUM]
"ImagePath"="System32\DRIVERS\irenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ISAPISearch]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\isapnp]
"ImagePath"="System32\DRIVERS\isapnp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Kbdclass]
"ImagePath"="System32\DRIVERS\kbdclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\kbdhid]
"ImagePath"="system32\DRIVERS\kbdhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\kmixer]
"ImagePath"="system32\drivers\kmixer.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\KSecDD]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\lanmanserver]
"ServiceDll"="%SystemRoot%\System32\srvsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\lanmanworkstation]
"ServiceDll"="%SystemRoot%\System32\wkssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\lbrtfdc]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ldap]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\LicenseService]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\LightScribeService]
"ImagePath"="\"c:\program files\Common Files\LightScribe\LSSrvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\LmHosts]
"ServiceDll"="%SystemRoot%\System32\lmhsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\LMIInfo]
"ImagePath"="\??\c:\program files\LogMeIn\x86\RaInfo.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\lmimirr]
"ImagePath"="system32\DRIVERS\lmimirr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\LMIRfsClientNP]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\LMIRfsDriver]
"ImagePath"="\??\c:\windows\system32\drivers\LMIRfsDriver.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MCSTRM]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Messenger]
"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mmc_2K]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mnmdd]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mnmsrvc]
"ImagePath"="c:\windows\System32\mnmsrvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Modem]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Mouclass]
"ImagePath"="System32\DRIVERS\mouclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mouhid]
"ImagePath"="System32\DRIVERS\mouhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MountMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mraid35x]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mrtRate]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MRxDAV]
"ImagePath"="System32\DRIVERS\mrxdav.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MRxSmb]
"ImagePath"="System32\DRIVERS\mrxsmb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSDTC]
"ImagePath"="c:\windows\System32\msdtc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSDTC Bridge 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Msfs]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSIServer]
"ImagePath"="%systemroot%\system32\msiexec.exe /V"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSKSSRV]
"ImagePath"="system32\drivers\MSKSSRV.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSPCLOCK]
"ImagePath"="system32\drivers\MSPCLOCK.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSPQM]
"ImagePath"="system32\drivers\MSPQM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mssmbios]
"ImagePath"="System32\DRIVERS\mssmbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSTEE]
"ImagePath"="system32\drivers\MSTEE.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Mup]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mvb35316]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MVDCODEC]
"ImagePath"="System32\DRIVERS\atinmdxx.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NABTSFEC]
"ImagePath"="System32\DRIVERS\NABTSFEC.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\napagent]
"ServiceDll"="%SystemRoot%\System32\qagentrt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NDIS]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NdisIP]
"ImagePath"="System32\DRIVERS\NdisIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NdisTapi]
"ImagePath"="System32\DRIVERS\ndistapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Ndisuio]
"ImagePath"="System32\DRIVERS\ndisuio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NdisWan]
"ImagePath"="System32\DRIVERS\ndiswan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NDProxy]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetBIOS]
"ImagePath"="System32\DRIVERS\netbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetBT]
"ImagePath"="System32\DRIVERS\netbt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetDDE]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetDDEdsdm]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Netlogon]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Netman]
"ServiceDll"="%SystemRoot%\System32\netman.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetSvc]
"ImagePath"="c:\program files\Intel\PROSetWired\NCS\Sync\NetSvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetTcpPortSharing]
"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NIC1394]
"ImagePath"="System32\DRIVERS\nic1394.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Nla]
"ServiceDll"="%SystemRoot%\System32\mswsock.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Npfs]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Ntfs]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NtLmSsp]
"ImagePath"="%SystemRoot%\System32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NtmsSvc]
"ServiceDll"="%SystemRoot%\system32\ntmssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Null]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NwlnkFlt]
"ImagePath"="System32\DRIVERS\nwlnkflt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NwlnkFwd]
"ImagePath"="System32\DRIVERS\nwlnkfwd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\odserv]
"ImagePath"="\"c:\program files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ohci1394]
"ImagePath"="System32\DRIVERS\ohci1394.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ose]
"ImagePath"="\"c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PalmUSBD]
"ImagePath"="system32\drivers\PalmUSBD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Parport]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PartMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ParVdm]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PCI]
"ImagePath"="System32\DRIVERS\pci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PCIDump]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PCIIde]
"ImagePath"="System32\DRIVERS\pciide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Pcmcia]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PDCOMP]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PDFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PdiPorts]
"ImagePath"="System32\Drivers\PdiPorts.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PdiService]
"ImagePath"="c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PDRELI]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PDRFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\perc2]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\perc2hib]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PerfDisk]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PerfNet]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PerfOS]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PerfProc]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Pivot]
"ImagePath"="System32\drivers\pivot.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\pivotmou]
"ImagePath"="\??\c:\windows\System32\drivers\pivotmou.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PlugPlay]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Pml Driver HPZ12]
"ImagePath"="c:\windows\system32\HPZipm12.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PolicyAgent]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PptpMiniport]
"ImagePath"="System32\DRIVERS\raspptp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Processor]
"ImagePath"="System32\DRIVERS\processr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ProtectedStorage]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PSched]
"ImagePath"="System32\DRIVERS\psched.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Ptilink]
"ImagePath"="System32\DRIVERS\ptilink.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\pwd_2k]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ql1080]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Ql10wnt]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ql12160]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ql1240]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ql1280]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RasAcd]
"ImagePath"="System32\DRIVERS\rasacd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RasAuto]
"ServiceDll"="%SystemRoot%\System32\rasauto.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Rasl2tp]
"ImagePath"="System32\DRIVERS\rasl2tp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RasMan]
"ServiceDll"="%SystemRoot%\System32\rasmans.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RasPppoe]
"ImagePath"="System32\DRIVERS\raspppoe.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Raspti]
"ImagePath"="System32\DRIVERS\raspti.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Rdbss]
"ImagePath"="System32\DRIVERS\rdbss.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RDPCDD]
"ImagePath"="System32\DRIVERS\RDPCDD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RDPDD]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RDPNP]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RDPWD]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RDSessMgr]
"ImagePath"="c:\windows\system32\sessmgr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\redbook]
"ImagePath"="System32\DRIVERS\redbook.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RemoteAccess]
"ServiceDll"="%SystemRoot%\System32\mprdim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RpcLocator]
"ImagePath"="%SystemRoot%\System32\locator.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RpcSs]
"ServiceDll"="%SystemRoot%\System32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RSVP]
"ImagePath"="%SystemRoot%\System32\rsvp.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SamSs]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SCardSvr]
"ImagePath"="%SystemRoot%\System32\SCardSvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Schedule]
"ServiceDll"="%SystemRoot%\system32\schedsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ScsiPort]
"ImagePath"="%SystemRoot%\system32\drivers\scsiport.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Secdrv]
"ImagePath"="System32\DRIVERS\secdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\seclogon]
"ServiceDll"="%SystemRoot%\System32\seclogon.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SENS]
"ServiceDll"="%SystemRoot%\system32\sens.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Serial]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ServiceModelEndpoint 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ServiceModelOperation 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ServiceModelService 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\setup_9.0.0.722_28.09.2010_04-29drv]
"ImagePath"="system32\DRIVERS\0981012.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Sfloppy]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SharedAccess]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ShellHWDetection]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SI3114r]
"ImagePath"="System32\DRIVERS\SI3114R.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SiFilter]
"ImagePath"="System32\DRIVERS\SiWinAcc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Simbad]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SLIP]
"ImagePath"="System32\DRIVERS\SLIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SMSvcHost 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Sparrow]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\splitter]
"ImagePath"="system32\drivers\splitter.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Spooler]
"ImagePath"="%SystemRoot%\system32\spoolsv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sr]
"ImagePath"="System32\DRIVERS\sr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\srservice]
"ServiceDll"="%SystemRoot%\system32\srsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Srv]
"ImagePath"="System32\DRIVERS\srv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SSDPSRV]
"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\stisvc]
"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\streamip]
"ImagePath"="System32\DRIVERS\StreamIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\swenum]
"ImagePath"="System32\DRIVERS\swenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\swmidi]
"ImagePath"="system32\drivers\swmidi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SwPrv]
"ImagePath"="c:\windows\System32\dllhost.exe /Processid:{A9E0E794-BA13-4034-B04F-7B12200D13AB}"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\swwd]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\symc810]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\symc8xx]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sym_hi]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sym_u3]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sysaudio]
"ImagePath"="system32\drivers\sysaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SysmonLog]
"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TapiSrv]
"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip]
"ImagePath"="System32\DRIVERS\tcpip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TDPIPE]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TDTCP]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TermDD]
"ImagePath"="System32\DRIVERS\termdd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TermService]
"ServiceDll"="%SystemRoot%\System32\termsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Themes]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TlntSvr]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TomTomHOMEService]
"ImagePath"="c:\program files\TomTom HOME 2\TomTomHOMEService.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TosIde]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TrkWks]
"ServiceDll"="%SystemRoot%\system32\trkwks.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TSDDD]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UdfReadr_xp]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Udfs]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ultra]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UMWdf]
"ImagePath"="c:\windows\System32\wdfmgr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Update]
"ImagePath"="System32\DRIVERS\update.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\upnphost]
"ServiceDll"="%SystemRoot%\System32\upnphost.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UPS]
"ImagePath"="%SystemRoot%\System32\ups.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\USBAAPL]
"ImagePath"="System32\Drivers\usbaapl.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbccgp]
"ImagePath"="system32\DRIVERS\usbccgp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbehci]
"ImagePath"="System32\DRIVERS\usbehci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbhub]
"ImagePath"="System32\DRIVERS\usbhub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbprint]
"ImagePath"="System32\DRIVERS\usbprint.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbscan]
"ImagePath"="system32\DRIVERS\usbscan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\USBSTOR]
"ImagePath"="system32\DRIVERS\USBSTOR.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbuhci]
"ImagePath"="System32\DRIVERS\usbuhci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\VgaSave]
"ImagePath"="\SystemRoot\System32\drivers\vga.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ViaIde]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\VolSnap]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\VSS]
"ImagePath"="%SystemRoot%\System32\vssvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\W32Time]
"ServiceDll"="%systemroot%\system32\w32time.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Wanarp]
"ImagePath"="System32\DRIVERS\wanarp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WDICA]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wdmaud]
"ImagePath"="system32\drivers\wdmaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WebClient]
"ServiceDll"="%SystemRoot%\System32\webclnt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WebPost]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Windows Workflow Foundation 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\winmgmt]
"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Winsock]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Winsock - Google Desktop Search Backup Before First Install]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Winsock - Google Desktop Search Backup Before Last Install]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WinSock2]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Winsock2 - Google Desktop Search Backup Before First Install]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Winsock2 - Google Desktop Search Backup Before Last Install]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WinTrust]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WmdmPmSN]
"ServiceDll"="c:\windows\system32\mspmsnsv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Wmi]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WmiApRpl]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WmiApSrv]
"ImagePath"="c:\windows\System32\wbem\wmiapsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WMPNetworkSvc]
"ImagePath"="\"c:\program files\Windows Media Player\WMPNetwk.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WpdUsb]
"ImagePath"="system32\DRIVERS\wpdusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wscsvc]
"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WSTCODEC]
"ImagePath"="System32\DRIVERS\WSTCODEC.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wuauserv]
"ServiceDll"="c:\windows\system32\wuauserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WudfPf]
"ImagePath"="system32\DRIVERS\WudfPf.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WudfSvc]
"ServiceDll"="%SystemRoot%\System32\WUDFSvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WZCSVC]
"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xmlprov]
"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{459D5A3E-66CC-4458-AA67-898A33663A1E}]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{D377A652-D2DE-491E-8D4D-4BB7E2C6A8EA}]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{F0D00B89-6D57-4743-B451-C5E61F64C589}]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(2240)
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\program files\Portrait Displays\Pivot Software\winphook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Portrait Displays\Shared\dtsrvc.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Acer Display\eDisplay Management\DTHtml.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Microsoft Office\Office12\WINWORD.EXE
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Portrait Displays\Pivot Software\floater.exe
.
**************************************************************************
.
Completion time: 2010-10-05 12:02:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-05 16:02

Pre-Run: 62,692,823,040 bytes free
Post-Run: 63,039,168,512 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 1B202EBA520A85B7516B62E1D618DE34


#6 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 06 October 2010 - 11:49 PM

Greetings

Very sorry for not responding sooner. Real life got in the way.

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

File::
c:\windows\system32\drivers\09810122.sys
c:\windows\system32\drivers\0981012.sys
c:\windows\system32\drivers\09810121.sys
c:\windows\system32\drivers\51914252.sys
c:\windows\system32\drivers\5191425.sys
c:\windows\system32\drivers\51914251.sys
c:\windows\system32\drivers\38617172.sys
c:\windows\system32\drivers\3861717.sys
c:\windows\system32\drivers\38617171.sys
c:\windows\system32\drivers\04080392.sys
c:\windows\system32\drivers\04080391.sys
c:\windows\system32\drivers\0408039.sys

Driver::
04080392
09810122
38617172
51914252
04080391
09810121
38617171
51914251
setup_9.0.0.722_28.09.2010_04-29drv


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"
    In your next post I need the following
    1. report from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now after running the script?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 peterp150 (Topic Starter, Members)

Posted 07 October 2010 - 12:43 PM

Please don't worry if it takes you a few days to respond. I am very grateful there is a group of folks out there willing to help us get our computers back.

I ran ComboFix with your install script; it asked to download files when it completed. Although I cannot access any browser (error: 'the ordinal 410 could not be located in the dynamic link library urlmon.dll'), I do get an IP address from my ISP, and the file(s) seemed to download someplace, although I'm not sure how you will identify it.

Upon re-install of MBAM, the application still closes after 5 or 6 seconds, just after preparing to scan. I get an access denied error if I try to run it a second time... same problem. Thanks for your continued help. One other question: I have uninstalled Kaspersky and Norton 360, and I think I have removed all registry items, yet they still seem to be active, according to ComboFix. Is this causing a problem?

ComboFix 10-10-04.02 - Peter 10/07/2010 12:37:13.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1616 [GMT -4:00]
Running from: c:\documents and settings\Peter\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Peter\Desktop\cfscript.txt
AV: Kaspersky Anti-Virus *On-access scanning enabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point

FILE ::
"c:\windows\system32\drivers\0408039.sys"
"c:\windows\system32\drivers\04080391.sys"
"c:\windows\system32\drivers\04080392.sys"
"c:\windows\system32\drivers\0981012.sys"
"c:\windows\system32\drivers\09810121.sys"
"c:\windows\system32\drivers\09810122.sys"
"c:\windows\system32\drivers\3861717.sys"
"c:\windows\system32\drivers\38617171.sys"
"c:\windows\system32\drivers\38617172.sys"
"c:\windows\system32\drivers\5191425.sys"
"c:\windows\system32\drivers\51914251.sys"
"c:\windows\system32\drivers\51914252.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\0408039.sys
c:\windows\system32\drivers\04080391.sys
c:\windows\system32\drivers\04080392.sys
c:\windows\system32\drivers\0981012.sys
c:\windows\system32\drivers\09810121.sys
c:\windows\system32\drivers\09810122.sys
c:\windows\system32\drivers\3861717.sys
c:\windows\system32\drivers\38617171.sys
c:\windows\system32\drivers\38617172.sys
c:\windows\system32\drivers\5191425.sys
c:\windows\system32\drivers\51914251.sys
c:\windows\system32\drivers\51914252.sys
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_04080391
-------\Legacy_04080392
-------\Legacy_09810121
-------\Legacy_09810122
-------\Legacy_38617171
-------\Legacy_38617172
-------\Legacy_51914251
-------\Legacy_51914252
-------\Legacy_NPF
-------\Legacy_SETUP_9.0.0.722_28.09.2010_04-29DRV
-------\Service_04080391
-------\Service_04080392
-------\Service_09810121
-------\Service_09810122
-------\Service_38617171
-------\Service_38617172
-------\Service_51914251
-------\Service_51914252
-------\Service_setup_9.0.0.722_28.09.2010_04-29drv


((((((((((((((((((((((((( Files Created from 2010-09-07 to 2010-10-07 )))))))))))))))))))))))))))))))
.

2010-10-06 03:28 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-06 03:28 . 2010-10-06 03:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-06 03:28 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-05 01:01 . 2008-04-14 09:42 1306624 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-10-05 01:01 . 2008-04-14 02:57 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2010-10-05 00:57 . 2008-04-14 04:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-10-04 22:53 . 2010-10-05 01:01 -------- d-----w- c:\windows\ServicePackFiles
2010-10-04 21:33 . 2001-08-23 12:00 9728 -c--a-w- c:\windows\system32\dllcache\query.exe
2010-10-04 21:32 . 2001-08-23 12:00 9728 -c--a-w- c:\windows\system32\dllcache\change.exe
2010-10-04 21:32 . 2001-08-23 12:00 1677824 -c--a-w- c:\windows\system32\dllcache\chsbrkr.dll
2010-10-04 21:32 . 2001-08-23 12:00 15872 -c--a-w- c:\windows\system32\dllcache\chgport.exe
2010-10-04 21:32 . 2001-08-23 12:00 14336 -c--a-w- c:\windows\system32\dllcache\chgusr.exe
2010-10-04 21:32 . 2001-08-23 12:00 13312 -c--a-w- c:\windows\system32\dllcache\chglogon.exe
2010-10-04 21:32 . 2001-08-23 12:00 54528 -c--a-w- c:\windows\system32\dllcache\cap7146.sys
2010-10-04 21:32 . 2001-08-23 12:00 10752 -c--a-w- c:\windows\system32\dllcache\c_iscii.dll
2010-10-04 21:32 . 2001-08-23 12:00 6656 -c--a-w- c:\windows\system32\dllcache\c_is2022.dll
2010-10-04 21:32 . 2001-08-18 02:36 45056 -c--a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2010-10-04 21:32 . 2001-08-18 02:36 312832 -c--a-w- c:\windows\system32\dllcache\EXCH_aqueue.dll
2010-10-04 21:32 . 2001-08-18 02:36 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2010-10-04 21:32 . 2001-08-18 02:36 2134528 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpsnap.dll
2010-10-04 21:32 . 2001-08-18 02:36 175104 -c--a-w- c:\windows\system32\dllcache\EXCH_smtpadm.dll
2010-10-04 21:22 . 2008-04-14 09:42 184320 ----a-w- c:\windows\system32\accwiz.exe
2010-10-04 21:17 . 2008-04-14 04:15 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2010-10-04 21:17 . 2008-04-14 04:15 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-10-04 21:15 . 2008-04-14 04:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-10-04 21:13 . 2008-04-14 09:43 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2010-10-04 21:12 . 2008-04-14 09:42 146432 ----a-w- c:\windows\system\winspool.drv
2010-10-04 21:12 . 2008-04-14 09:42 74752 ----a-w- c:\windows\system32\storprop.dll
2010-10-04 21:12 . 2008-04-14 04:24 11264 ----a-w- c:\windows\system32\drivers\irenum.sys
2010-10-04 21:12 . 2001-08-23 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-10-04 21:12 . 2001-08-23 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-10-04 21:12 . 2001-08-23 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-10-04 21:12 . 2001-08-23 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-10-04 02:27 . 2010-10-04 02:27 -------- d-----w- c:\program files\Windows Resource Kits
2010-10-01 16:38 . 2010-10-07 16:47 -------- d-----w- c:\windows\system32\CatRoot2
2010-10-01 15:44 . 2010-10-05 02:46 32777 ----a-w- C:\AVZ_Report_syscure.zip
2010-10-01 15:31 . 2010-10-01 15:31 -------- d-----w- c:\program files\ATI Technologies
2010-10-01 15:31 . 2010-10-01 15:31 -------- d-----w- C:\ATI
2010-10-01 15:07 . 2010-06-09 07:43 692736 ----a-w- c:\windows\inetcomm.dll
2010-10-01 15:04 . 2008-04-14 00:12 10752 ----a-w- c:\windows\dumprep.exe
2010-09-30 15:21 . 2010-09-30 15:22 -------- d-----w- C:\tmp
2010-09-30 07:36 . 2010-09-30 07:36 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Malwarebytes
2010-09-30 04:47 . 2010-09-30 03:35 32768 ----a-w- C:\WhoAmi3.exe
2010-09-30 04:30 . 2010-09-30 04:30 -------- d-----w- c:\documents and settings\NetworkService\Application Data\DisplayTune
2010-09-30 02:27 . 2010-09-30 02:27 -------- d-----w- c:\documents and settings\Administrator\aaaa
2010-09-28 00:04 . 2010-09-28 00:04 -------- d-----w- c:\program files\Kaspersky Lab
2010-09-27 22:10 . 2008-04-14 09:41 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-09-27 20:36 . 2010-09-27 20:36 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft
2010-09-27 20:30 . 2001-08-23 12:00 520192 -c--a-w- c:\windows\system32\dllcache\wmpvis.dll
2010-09-27 20:30 . 2001-08-23 12:00 110657 -c--a-w- c:\windows\system32\dllcache\wmmfilt.dll
2010-09-27 20:30 . 2001-08-23 12:00 319551 -c--a-w- c:\windows\system32\dllcache\wmmres.dll
2010-09-27 20:30 . 2001-08-23 12:00 163906 -c--a-w- c:\windows\system32\dllcache\wmmutil.dll
2010-09-27 16:12 . 2010-09-27 16:12 -------- d-----w- c:\windows\msapps
2010-09-27 04:50 . 2010-09-27 04:50 -------- d-----w- c:\documents and settings\Donna\Application Data\Malwarebytes
2010-09-27 03:30 . 2010-09-28 05:05 -------- d-----w- c:\program files\Trend Micro
2010-09-27 02:56 . 2010-09-27 02:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-09-27 02:13 . 2010-09-27 02:13 -------- d-----w- c:\documents and settings\Peter\Application Data\Malwarebytes
2010-09-27 02:13 . 2010-09-27 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-26 06:45 . 2010-09-26 06:45 -------- d-----w- C:\$AVG
2010-09-26 00:28 . 2010-09-26 00:28 -------- d-----w- c:\documents and settings\Peter\Local Settings\Application Data\NPE
2010-09-25 23:58 . 2010-09-30 23:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-09-25 23:42 . 2010-09-25 23:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\NPE
2010-09-25 21:35 . 2010-09-25 21:35 -------- d-----w- c:\documents and settings\Peter\Application Data\Tific
2010-09-25 21:35 . 2010-09-25 21:35 -------- d-----w- c:\documents and settings\Peter\Local Settings\Application Data\Symantec
2010-09-25 16:31 . 2010-09-25 16:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Tific
2010-09-25 16:16 . 2010-09-25 16:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
2010-09-25 16:16 . 2010-09-25 16:16 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-09-24 22:38 . 2010-09-24 22:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-09-24 22:27 . 2010-09-25 16:34 -------- d-----w- c:\documents and settings\Peter\Application Data\2FCDE74F763D0FB5576065FABE8F09E8
2010-09-23 22:17 . 2010-09-30 21:37 -------- d-----w- C:\downloads
2010-09-16 16:23 . 2010-09-16 16:25 -------- dc-h--w- c:\windows\ie8
2010-09-16 16:06 . 2010-09-16 16:06 15452536 ----a-w- C:\IE7-WindowsXP-x86-enu.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-05 15:26 . 2006-12-17 21:46 -------- d-----w- c:\program files\Canon
2010-10-04 21:27 . 2010-10-04 21:25 76825 ----a-w- c:\windows\pchealth\HELPCTR\OfflineCache\index.dat
2010-10-04 21:23 . 2004-05-19 11:24 23388 ----a-w- c:\windows\system32\emptyregdb.dat
2010-10-01 15:36 . 2010-01-24 18:23 62009 ----a-w- c:\windows\system32\wpfb_ati2dvag.dll
2010-10-01 08:41 . 2008-08-17 17:57 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-09-30 22:27 . 2010-01-24 18:23 62009 ----a-w- c:\windows\system32\wpfb_lmimirr.dll
2010-09-30 02:36 . 2004-12-27 01:03 -------- d-----w- c:\program files\Google
2010-09-29 05:00 . 2008-12-14 19:42 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-09-29 04:49 . 2004-05-19 11:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-29 04:47 . 2004-08-01 01:35 -------- d-----w- c:\program files\Broderbund
2010-09-29 04:34 . 2007-07-07 19:06 -------- d-----w- c:\program files\Java
2010-09-29 04:19 . 2004-05-20 00:17 -------- d-----w- c:\program files\ATI Multimedia
2010-09-29 04:15 . 2004-05-20 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI MMC
2010-09-28 05:54 . 2004-05-25 22:19 55640 ----a-w- c:\documents and settings\Peter\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-27 23:26 . 2007-06-24 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-09-27 21:42 . 2010-05-14 16:28 -------- d-----w- c:\program files\Norton1360
2010-09-27 21:39 . 2004-05-20 18:37 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-09-26 00:26 . 2007-01-02 04:12 -------- d-----w- c:\program files\Windows Defender
2010-09-25 23:42 . 2010-05-14 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-09-25 21:42 . 2004-06-03 15:47 -------- d-----w- c:\program files\Quicken
2010-09-23 22:34 . 2010-08-14 13:46 -------- d-----w- c:\documents and settings\Peter\Application Data\vlc
2010-09-07 22:15 . 2004-06-30 19:43 -------- d-----w- c:\documents and settings\Peter\Application Data\WeatherBug
2010-09-01 18:46 . 2010-09-01 18:46 6725632 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181625-18178.dll
2010-08-29 01:00 . 2004-08-23 16:11 74008 ----a-w- c:\documents and settings\Donna\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-27 12:02 . 2010-08-27 12:02 92816 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2011 11.0.1.400\English\setup.exe
2010-08-26 00:52 . 2007-04-10 02:55 -------- d-----w- c:\documents and settings\Peter\Application Data\Canon
2010-08-11 19:42 . 2009-02-23 23:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-11 16:26 . 2010-08-11 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\IM
2010-08-11 16:24 . 2010-08-11 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\IncrediMail
2010-07-22 05:57 . 2009-04-16 00:34 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2006-10-28 19:46 . 2006-10-28 19:46 4 -c--a-w- c:\program files\Common Files\Cvtaqlog.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2004-06-26 1593344]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-06-24 247144]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]
"Tweak UI"="TWEAKUI.CPL" [2005-03-05 106544]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 86016]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"DT ACR"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2008-06-06 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SoundMan"="SOUNDMAN.EXE" [2003-10-08 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\ctfmon.exe" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SWHelper"="c:\windows\system32\Macromed\Shockwave 10\PostUpdate.exe" [2010-09-25 53248]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 01:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\kdx\\khost.exe"=
"c:\\Program Files\\iMesh Applications\\iMesh6\\iMesh6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [1/24/2010 2:22 PM 90112]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [6/24/2010 10:41 AM 92008]
R3 mvb35316;mvb35316;c:\windows\system32\drivers\mvb35316.sys [8/23/2001 8:00 AM 12800]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S2 mrtRate;mrtRate; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-09-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\EventSystem]
"ServiceDll"="c:\windows\System32\es.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Fastfat]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\FastUserSwitchingCompatibility]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Fdc]
"ImagePath"="System32\DRIVERS\fdc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Fips]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Flpydisk]
"ImagePath"="System32\DRIVERS\flpydisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\FltMgr]
"ImagePath"="system32\drivers\fltmgr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\FontCache3.0.0.0]
"ImagePath"="c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Fs_Rec]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Ftdisk]
"ImagePath"="System32\DRIVERS\ftdisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\GEARAspiWDM]
"ImagePath"="System32\Drivers\GEARAspiWDM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\getPlus® Helper]
"ImagePath"="c:\program files\NOS\bin\getPlus_HelperSvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Gpc]
"ImagePath"="System32\DRIVERS\msgpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\gupdate]
"ImagePath"="\"c:\program files\Google\Update\GoogleUpdate.exe\" /svc"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\helpsvc]
"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HidBatt]
"ImagePath"="system32\DRIVERS\HidBatt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HidServ]
"ServiceDll"=" %SystemRoot%\System32\hidserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HidUsb]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hkmsvc]
"ServiceDll"="%SystemRoot%\System32\kmsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hpn]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hpt3xx]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HPZid412]
"ImagePath"="system32\DRIVERS\HPZid412.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HPZipr12]
"ImagePath"="system32\DRIVERS\HPZipr12.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HPZius12]
"ImagePath"="system32\DRIVERS\HPZius12.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HTTP]
"ImagePath"="System32\Drivers\HTTP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HTTPFilter]
"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\i2omgmt]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\i2omp]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\i8042prt]
"ImagePath"="System32\DRIVERS\i8042prt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IDriverT]
"ImagePath"="\"c:\program files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\idsvc]
"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ILADFtmi]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Imapi]
"ImagePath"="System32\DRIVERS\imapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ImapiService]
"ImagePath"="%systemroot%\system32\imapi.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\inetaccs]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ini910u]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Inport]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IntelIde]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\intelppm]
"ImagePath"="System32\DRIVERS\intelppm.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IntuitUpdateService]
"ImagePath"="\"c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Ip6Fw]
"ImagePath"="system32\drivers\ip6fw.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IpFilterDriver]
"ImagePath"="System32\DRIVERS\ipfltdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IpInIp]
"ImagePath"="System32\DRIVERS\ipinip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IpNat]
"ImagePath"="System32\DRIVERS\ipnat.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\iPod Service]
"ImagePath"="\"c:\program files\iPod\bin\iPodService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IPSec]
"ImagePath"="System32\DRIVERS\ipsec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IRENUM]
"ImagePath"="System32\DRIVERS\irenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ISAPISearch]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\isapnp]
"ImagePath"="System32\DRIVERS\isapnp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Kbdclass]
"ImagePath"="System32\DRIVERS\kbdclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\kbdhid]
"ImagePath"="system32\DRIVERS\kbdhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\kmixer]
"ImagePath"="system32\drivers\kmixer.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\KSecDD]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\lanmanserver]
"ServiceDll"="%SystemRoot%\System32\srvsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\lanmanworkstation]
"ServiceDll"="%SystemRoot%\System32\wkssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\lbrtfdc]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ldap]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\LicenseService]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\LightScribeService]
"ImagePath"="\"c:\program files\Common Files\LightScribe\LSSrvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\LmHosts]
"ServiceDll"="%SystemRoot%\System32\lmhsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\LMIInfo]
"ImagePath"="\??\c:\program files\LogMeIn\x86\RaInfo.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\lmimirr]
"ImagePath"="system32\DRIVERS\lmimirr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\LMIRfsClientNP]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\LMIRfsDriver]
"ImagePath"="\??\c:\windows\system32\drivers\LMIRfsDriver.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MCSTRM]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Messenger]
"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mmc_2K]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mnmdd]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mnmsrvc]
"ImagePath"="c:\windows\System32\mnmsrvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Modem]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Mouclass]
"ImagePath"="System32\DRIVERS\mouclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mouhid]
"ImagePath"="System32\DRIVERS\mouhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MountMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mraid35x]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mrtRate]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MRxDAV]
"ImagePath"="System32\DRIVERS\mrxdav.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MRxSmb]
"ImagePath"="System32\DRIVERS\mrxsmb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSDTC]
"ImagePath"="c:\windows\System32\msdtc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSDTC Bridge 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Msfs]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSIServer]
"ImagePath"="%systemroot%\system32\msiexec.exe /V"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSKSSRV]
"ImagePath"="system32\drivers\MSKSSRV.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSPCLOCK]
"ImagePath"="system32\drivers\MSPCLOCK.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSPQM]
"ImagePath"="system32\drivers\MSPQM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mssmbios]
"ImagePath"="System32\DRIVERS\mssmbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSTEE]
"ImagePath"="system32\drivers\MSTEE.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Mup]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mvb35316]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MVDCODEC]
"ImagePath"="System32\DRIVERS\atinmdxx.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NABTSFEC]
"ImagePath"="System32\DRIVERS\NABTSFEC.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\napagent]
"ServiceDll"="%SystemRoot%\System32\qagentrt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NDIS]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NdisIP]
"ImagePath"="System32\DRIVERS\NdisIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NdisTapi]
"ImagePath"="System32\DRIVERS\ndistapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Ndisuio]
"ImagePath"="System32\DRIVERS\ndisuio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NdisWan]
"ImagePath"="System32\DRIVERS\ndiswan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NDProxy]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetBIOS]
"ImagePath"="System32\DRIVERS\netbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetBT]
"ImagePath"="System32\DRIVERS\netbt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetDDE]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetDDEdsdm]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Netlogon]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Netman]
"ServiceDll"="%SystemRoot%\System32\netman.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetSvc]
"ImagePath"="c:\program files\Intel\PROSetWired\NCS\Sync\NetSvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetTcpPortSharing]
"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NIC1394]
"ImagePath"="System32\DRIVERS\nic1394.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Nla]
"ServiceDll"="%SystemRoot%\System32\mswsock.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Npfs]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Ntfs]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NtLmSsp]
"ImagePath"="%SystemRoot%\System32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NtmsSvc]
"ServiceDll"="%SystemRoot%\system32\ntmssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Null]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NwlnkFlt]
"ImagePath"="System32\DRIVERS\nwlnkflt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NwlnkFwd]
"ImagePath"="System32\DRIVERS\nwlnkfwd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\odserv]
"ImagePath"="\"c:\program files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ohci1394]
"ImagePath"="System32\DRIVERS\ohci1394.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ose]
"ImagePath"="\"c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PalmUSBD]
"ImagePath"="system32\drivers\PalmUSBD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Parport]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PartMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ParVdm]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PCI]
"ImagePath"="System32\DRIVERS\pci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PCIDump]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PCIIde]
"ImagePath"="System32\DRIVERS\pciide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Pcmcia]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PDCOMP]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PDFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PdiPorts]
"ImagePath"="System32\Drivers\PdiPorts.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PdiService]
"ImagePath"="c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PDRELI]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PDRFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\perc2]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\perc2hib]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PerfDisk]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PerfNet]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PerfOS]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PerfProc]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Pivot]
"ImagePath"="System32\drivers\pivot.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\pivotmou]
"ImagePath"="\??\c:\windows\System32\drivers\pivotmou.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PlugPlay]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Pml Driver HPZ12]
"ImagePath"="c:\windows\system32\HPZipm12.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PolicyAgent]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PptpMiniport]
"ImagePath"="System32\DRIVERS\raspptp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Processor]
"ImagePath"="System32\DRIVERS\processr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ProtectedStorage]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PSched]
"ImagePath"="System32\DRIVERS\psched.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Ptilink]
"ImagePath"="System32\DRIVERS\ptilink.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\pwd_2k]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ql1080]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Ql10wnt]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ql12160]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ql1240]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ql1280]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RasAcd]
"ImagePath"="System32\DRIVERS\rasacd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RasAuto]
"ServiceDll"="%SystemRoot%\System32\rasauto.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Rasl2tp]
"ImagePath"="System32\DRIVERS\rasl2tp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RasMan]
"ServiceDll"="%SystemRoot%\System32\rasmans.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RasPppoe]
"ImagePath"="System32\DRIVERS\raspppoe.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Raspti]
"ImagePath"="System32\DRIVERS\raspti.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Rdbss]
"ImagePath"="System32\DRIVERS\rdbss.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RDPCDD]
"ImagePath"="System32\DRIVERS\RDPCDD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RDPDD]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RDPNP]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RDPWD]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RDSessMgr]
"ImagePath"="c:\windows\system32\sessmgr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\redbook]
"ImagePath"="System32\DRIVERS\redbook.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RemoteAccess]
"ServiceDll"="%SystemRoot%\System32\mprdim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RpcLocator]
"ImagePath"="%SystemRoot%\System32\locator.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RpcSs]
"ServiceDll"="%SystemRoot%\System32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RSVP]
"ImagePath"="%SystemRoot%\System32\rsvp.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SamSs]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SCardSvr]
"ImagePath"="%SystemRoot%\System32\SCardSvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Schedule]
"ServiceDll"="%SystemRoot%\system32\schedsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ScsiPort]
"ImagePath"="%SystemRoot%\system32\drivers\scsiport.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Secdrv]
"ImagePath"="System32\DRIVERS\secdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\seclogon]
"ServiceDll"="%SystemRoot%\System32\seclogon.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SENS]
"ServiceDll"="%SystemRoot%\system32\sens.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Serial]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ServiceModelEndpoint 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ServiceModelOperation 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ServiceModelService 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Sfloppy]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SharedAccess]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ShellHWDetection]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SI3114r]
"ImagePath"="System32\DRIVERS\SI3114R.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SiFilter]
"ImagePath"="System32\DRIVERS\SiWinAcc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Simbad]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SLIP]
"ImagePath"="System32\DRIVERS\SLIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SMSvcHost 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Sparrow]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\splitter]
"ImagePath"="system32\drivers\splitter.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Spooler]
"ImagePath"="%SystemRoot%\system32\spoolsv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sr]
"ImagePath"="System32\DRIVERS\sr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\srservice]
"ServiceDll"="%SystemRoot%\system32\srsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Srv]
"ImagePath"="System32\DRIVERS\srv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SSDPSRV]
"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\stisvc]
"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\streamip]
"ImagePath"="System32\DRIVERS\StreamIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\swenum]
"ImagePath"="System32\DRIVERS\swenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\swmidi]
"ImagePath"="system32\drivers\swmidi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SwPrv]
"ImagePath"="c:\windows\System32\dllhost.exe /Processid:{A9E0E794-BA13-4034-B04F-7B12200D13AB}"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\swwd]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\symc810]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\symc8xx]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sym_hi]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sym_u3]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sysaudio]
"ImagePath"="system32\drivers\sysaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SysmonLog]
"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TapiSrv]
"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip]
"ImagePath"="System32\DRIVERS\tcpip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TDPIPE]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TDTCP]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TermDD]
"ImagePath"="System32\DRIVERS\termdd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TermService]
"ServiceDll"="%SystemRoot%\System32\termsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Themes]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TlntSvr]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TomTomHOMEService]
"ImagePath"="c:\program files\TomTom HOME 2\TomTomHOMEService.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TosIde]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TrkWks]
"ServiceDll"="%SystemRoot%\system32\trkwks.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TSDDD]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UdfReadr_xp]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Udfs]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ultra]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UMWdf]
"ImagePath"="c:\windows\System32\wdfmgr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Update]
"ImagePath"="System32\DRIVERS\update.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\upnphost]
"ServiceDll"="%SystemRoot%\System32\upnphost.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UPS]
"ImagePath"="%SystemRoot%\System32\ups.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\USBAAPL]
"ImagePath"="System32\Drivers\usbaapl.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbccgp]
"ImagePath"="system32\DRIVERS\usbccgp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbehci]
"ImagePath"="System32\DRIVERS\usbehci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbhub]
"ImagePath"="System32\DRIVERS\usbhub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbprint]
"ImagePath"="System32\DRIVERS\usbprint.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbscan]
"ImagePath"="system32\DRIVERS\usbscan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\USBSTOR]
"ImagePath"="system32\DRIVERS\USBSTOR.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbuhci]
"ImagePath"="System32\DRIVERS\usbuhci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\VgaSave]
"ImagePath"="\SystemRoot\System32\drivers\vga.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ViaIde]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\VolSnap]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\VSS]
"ImagePath"="%SystemRoot%\System32\vssvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\W32Time]
"ServiceDll"="%systemroot%\system32\w32time.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Wanarp]
"ImagePath"="System32\DRIVERS\wanarp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WDICA]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wdmaud]
"ImagePath"="system32\drivers\wdmaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WebClient]
"ServiceDll"="%SystemRoot%\System32\webclnt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WebPost]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Windows Workflow Foundation 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\winmgmt]
"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Winsock]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Winsock - Google Desktop Search Backup Before First Install]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Winsock - Google Desktop Search Backup Before Last Install]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WinSock2]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Winsock2 - Google Desktop Search Backup Before First Install]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Winsock2 - Google Desktop Search Backup Before Last Install]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WinTrust]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WmdmPmSN]
"ServiceDll"="c:\windows\system32\mspmsnsv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Wmi]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WmiApRpl]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WmiApSrv]
"ImagePath"="c:\windows\System32\wbem\wmiapsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WMPNetworkSvc]
"ImagePath"="\"c:\program files\Windows Media Player\WMPNetwk.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WpdUsb]
"ImagePath"="system32\DRIVERS\wpdusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wscsvc]
"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WSTCODEC]
"ImagePath"="System32\DRIVERS\WSTCODEC.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wuauserv]
"ServiceDll"="c:\windows\system32\wuauserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WudfPf]
"ImagePath"="system32\DRIVERS\WudfPf.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WudfSvc]
"ServiceDll"="%SystemRoot%\System32\WUDFSvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WZCSVC]
"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xmlprov]
"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{459D5A3E-66CC-4458-AA67-898A33663A1E}]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{D377A652-D2DE-491E-8D4D-4BB7E2C6A8EA}]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{F0D00B89-6D57-4743-B451-C5E61F64C589}]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(1164)
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\program files\Portrait Displays\Pivot Software\winphook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
c:\program files\Common Files\Microsoft Shared\OFFICE12\MSOXEV.DLL
c:\progra~1\COMMON~1\ArcSoft\MPEGEN~1\AC3Dec.ax
c:\progra~1\COMMON~1\ArcSoft\MPEGEN~1\AdavAC3Dec.dll
c:\windows\system32\ffdshow.ax
c:\progra~1\COMMON~1\ArcSoft\SHARED~1\MP4Decoder.ax
c:\progra~1\COMMON~1\ArcSoft\SHARED~1\h263dec.ax
c:\program files\Common Files\Ahead\DSFilter\NeVideo.ax
c:\program files\Common Files\Ahead\Lib\AdvrCntr.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Portrait Displays\Shared\dtsrvc.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Acer Display\eDisplay Management\DTHtml.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\program files\Microsoft Office\Office12\WINWORD.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Portrait Displays\Pivot Software\floater.exe
.
**************************************************************************
.
Completion time: 2010-10-07 13:23:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-07 17:23
ComboFix2.txt 2010-10-06 03:11
ComboFix3.txt 2010-10-05 16:02

Pre-Run: 62,990,036,992 bytes free
Post-Run: 62,977,073,152 bytes free

- - End Of File - - E367F6FD1D3ACC5298B408D88A16C09A


#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:06 PM

Posted 07 October 2010 - 03:44 PM

Hello

Here is what I want you to try

Copy and paste this into your browser window

C:\Program Files\Malwarebytes' Anti-Malware

The Malwarebytes folder will open up. Check whether the file MBAM.exe is in the folder, and let me know in your next post.

Now I want you to download the following file and save it to the malwarebytes folder that we have open

http://www.malwarebytes.org/mbam-download-...lone-random.php

It will download a randomly named file to the folder. After it finishes downloading, I want you to double-click it to run the file.

MBAM should now run. Please update it, do a full scan for me, and send me the report.

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 peterp150

peterp150
  • Topic Starter

  • Members
  • 21 posts
  • Local time:01:06 PM

Posted 09 October 2010 - 12:12 PM

Sorry, but as I've mentioned, I can no longer open any browser window without a urlmon.dll error. I've included an MS Paint snapshot of the error (browser error.jpeg). I did go into 'Program Files', the Malwarebytes folder, and am including a jpg snapshot of the mbam.exe properties (mbam.info).

I was able to download the random file from malwarebytes.org onto a flash drive and copy it into the Malwarebytes folder of the desktop you have been helping me with. When I ran the program, it did not run for more than a few seconds, but I did get the following error message.

Scanning autorun entries:

MBAM_ERROR_EXPANDING_VARIABLES (0,453)

MBAM_ERROR_MISSING_FILE (3, 0, mbamswissarmy.sys)
The system cannot find the path specified

Hope this helps...Peter

Attached Files



#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:06 PM

Posted 09 October 2010 - 11:42 PM

Hello

Please go here and do the first two methods and see if it fixes things

http://support.microsoft.com/default.aspx?...kb;EN-US;318378



gringo

#11 peterp150

peterp150
  • Topic Starter

  • Members
  • 21 posts
  • Local time:01:06 PM

Posted 11 October 2010 - 09:36 AM

I've already been to that Microsoft white paper. I cannot open any browser, I.E. or Firefox, without the urlmon.dll error, and therefore cannot reset Internet Explorer options to default. Because I cannot open a browser, the autofix from Microsoft is out.

If I try to re-install I.E. 6, I get a message that a newer version is already installed. If I attempt to re-install I.E. 7, I get the following error: 'Setup could not verify the integrity of the files needed for installation. Make sure the Cryptographic service is running.' It is running; I checked from the Services tab, tried stopping and re-starting, no change.

Have already tried re-installing XP SP3; in fact I had to use my original XP installation disk and did a repair installation, and ended up reapplying SP2 and SP3.

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 11 October 2010 - 10:51 PM

Have already tried re-installing XP SP3; in fact I had to use my original XP installation disk and did a repair installation, and ended up reapplying SP2 and SP3.

When did you do this?


SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
CODE
:filefind
urlmon.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt




Gringo

Edited by gringo_pr, 11 October 2010 - 10:55 PM.


#13 peterp150

peterp150
  • Topic Starter

  • Members
  • 21 posts

Posted 12 October 2010 - 04:57 PM

The first time I ran GMER a few weeks ago, the system crashed and would not reboot; it just kept shutting down and trying to restart. It would not boot in safe mode, last known good configuration, nothing. So I used my XP installation disk, hoping a repair would work. Guess it did to some extent: Windows started and my files remained intact, but I was back to SP1 and had to re-install SP2 & 3.

Output from SystemLook:

SystemLook 04.09.10 by jpshortstuff
Log created at 17:27 on 12/10/2010 by Peter
Administrator - Elevation successful

========== filefind ==========

Searching for "urlmon.dll"
C:\WINDOWS\$hf_mig$\KB2183461-IE8\SP3QFE\urlmon.dll --a---- 1211904 bytes [22:15 12/08/2010] [12:24 24/06/2010] 58AB2093CDD0F99AAF7431AC9112D5C5
C:\WINDOWS\$hf_mig$\KB834707\SP2QFE\urlmon.dll --a--c- 603648 bytes [20:19 17/10/2004] [18:27 29/09/2004] 7489DAE6077BDD288EFEEC0346B37920
C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\urlmon.dll --a--c- 607744 bytes [14:50 19/02/2005] [17:08 27/01/2005] 1812D529A1E15655B3DF300715D64944
C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\urlmon.dll --a--c- 608256 bytes [20:57 02/05/2005] [20:57 02/05/2005] D8B3DD8A84A4A43463E7A25216C92810
C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\urlmon.dll --a--c- 607744 bytes [07:43 10/03/2005] [07:43 10/03/2005] 6CA809B5DAAB465542CD51A48ADC9D6E
C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\urlmon.dll --a--c- 609280 bytes [23:53 02/09/2005] [23:53 02/09/2005] 80B83FF6C7C1C7AF05AAF6F4DBB597B5
C:\WINDOWS\$hf_mig$\KB896727\SP2QFE\urlmon.dll --a--c- 608256 bytes [02:09 03/07/2005] [02:09 03/07/2005] 4094DA19DC034CB98530016599D65CD4
C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\urlmon.dll --a--c- 610304 bytes [03:34 05/11/2005] [03:34 05/11/2005] 39B01FF1C66F2ED46A64B2A8E250E2B9
C:\WINDOWS\$hf_mig$\KB931768-IE7\SP2QFE\urlmon.dll --a--c- 1153024 bytes [22:55 08/05/2007] [17:40 07/03/2007] CFAC503CCAB6130526D20FE16F4AA3FF
C:\WINDOWS\$hf_mig$\KB933566-IE7\SP2QFE\urlmon.dll --a--c- 1153536 bytes [09:08 25/04/2007] [09:08 25/04/2007] 1D3F6FD58697EE68EA04F917F11632B5
C:\WINDOWS\$hf_mig$\KB937143-IE7\SP2QFE\urlmon.dll --a--c- 1154048 bytes [14:40 27/06/2007] [14:40 27/06/2007] 652AD260B0AF3171A81DF314120AF5D8
C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\urlmon.dll --a--c- 1161728 bytes [10:02 20/08/2007] [10:02 20/08/2007] B671AB92BB2617E8A41E11ED8C105972
C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\urlmon.dll --a--c- 1162240 bytes [23:47 10/10/2007] [23:47 10/10/2007] C7BED13D2632A156D87E253BD49AD7AE
C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\urlmon.dll --a--c- 1162752 bytes [02:01 07/12/2007] [02:01 07/12/2007] 75CE874ADF205C93D313A5025D3DA2E8
C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\urlmon.dll --a--c- 1162752 bytes [21:09 13/04/2008] [13:03 01/03/2008] CB8B8DDC41B5F3264F3FF5BBEBCA7B2F
C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\urlmon.dll --a--c- 1162752 bytes [19:26 12/06/2008] [03:35 23/04/2008] 939CB798CF074F117E625C55D5AEBAA9
C:\WINDOWS\$hf_mig$\KB953838-IE7\SP2QFE\urlmon.dll --a--c- 1162752 bytes [01:29 16/08/2008] [16:01 23/06/2008] 11913D7A76327075A7755A44D1444D31
C:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE\urlmon.dll --a--c- 1162752 bytes [09:08 26/08/2008] [09:08 26/08/2008] F9FA9548555B982B8236D22DA62774A8
C:\WINDOWS\$hf_mig$\KB958215-IE7\SP2QFE\urlmon.dll --a--c- 1163264 bytes [22:50 09/12/2008] [20:24 16/10/2008] 37A5582C71AE52FBA2D22A14A3D1A550
C:\WINDOWS\$hf_mig$\KB961260-IE7\SP2QFE\urlmon.dll --a--c- 1163264 bytes [03:36 12/02/2009] [23:55 20/12/2008] C04BC9D39CCB3132474EBED00231F11D
C:\WINDOWS\$hf_mig$\KB963027-IE7\SP3QFE\urlmon.dll --a--c- 1163264 bytes [18:09 20/02/2009] [18:09 20/02/2009] 7A52B24B6B8BD2D4E19F7911D748D58F
C:\WINDOWS\$hf_mig$\KB969897-IE7\SP3QFE\urlmon.dll --a---- 1163264 bytes [04:49 29/04/2009] [04:49 29/04/2009] 8C8C0AFB9A7FED1F0277380257FA2F14
C:\WINDOWS\$hf_mig$\KB969897-IE8\SP3QFE\urlmon.dll --a---- 1207808 bytes [17:00 08/07/2009] [21:22 30/04/2009] E61BC14AA766443029FFB43F997FD2A3
C:\WINDOWS\$hf_mig$\KB972260-IE8\SP3QFE\urlmon.dll --a---- 1208832 bytes [18:29 29/07/2009] [17:06 03/07/2009] B1ACBABD4B002DAADB621D03ECEA2011
C:\WINDOWS\$hf_mig$\KB974455-IE8\SP3QFE\urlmon.dll --a---- 1209344 bytes [14:04 14/10/2009] [08:01 29/08/2009] 3EE2E7731FB57CDD4E19AFF7DD2F785E
C:\WINDOWS\$hf_mig$\KB976325-IE8\SP3QFE\urlmon.dll --a---- 1209344 bytes [16:29 09/12/2009] [07:45 29/10/2009] 307C46813FFDBDD5C1EF56B7E03D9BE8
C:\WINDOWS\$hf_mig$\KB978207-IE8\SP3QFE\urlmon.dll --a---- 1209344 bytes [22:55 21/01/2010] [19:09 21/12/2009] D92F9EA189A95F00BD4DF32223177EBD
C:\WINDOWS\$hf_mig$\KB980182-IE8\SP3QFE\urlmon.dll --a---- 1209856 bytes [22:47 30/03/2010] [06:19 25/02/2010] 62F3DD4EE6F08BB5474023648B27A50C
C:\WINDOWS\$hf_mig$\KB982381-IE8\SP3QFE\urlmon.dll --a---- 1209856 bytes [16:19 09/06/2010] [10:36 06/05/2010] 28A11881A04B8EEA7BBE1882651066C1
C:\WINDOWS\$NtServicePackUninstall$\urlmon.dll -----c- 601088 bytes [00:53 05/10/2010] [04:56 04/08/2004] 19D0EAB2740080925F812FF36A2D6378
C:\WINDOWS\$NtUninstallKB834707$\urlmon.dll --a--c- 601088 bytes [20:19 17/10/2004] [07:56 04/08/2004] 19D0EAB2740080925F812FF36A2D6378
C:\WINDOWS\$NtUninstallKB867282$\urlmon.dll --a--c- 603648 bytes [14:52 19/02/2005] [18:47 29/09/2004] AE492783117A9A50887F6D5DED646767
C:\WINDOWS\$NtUninstallKB883939$\urlmon.dll --a--c- 607744 bytes [22:20 16/06/2005] [08:02 10/03/2005] 2511FA80FFEA8E186DDA6D28F847E113
C:\WINDOWS\$NtUninstallKB890923$\urlmon.dll --a--c- 607744 bytes [01:04 14/04/2005] [17:13 27/01/2005] 7E0A6B4005A271C1FD1D82DD08FA884F
C:\WINDOWS\$NtUninstallKB896688$\urlmon.dll --a--c- 607744 bytes [03:15 13/10/2005] [02:11 03/07/2005] D73024F1A233361B9876C9D8432E87D7
C:\WINDOWS\$NtUninstallKB896727$\urlmon.dll --a--c- 607744 bytes [18:53 09/08/2005] [20:52 02/05/2005] 00FA78AA7E5004EC6605F8CE5FC054BF
C:\WINDOWS\$NtUninstallKB905915$\urlmon.dll --a--c- 608768 bytes [13:17 16/12/2005] [23:52 02/09/2005] 68FC8BCD27FC08EE4894A08F327D35D2
C:\WINDOWS\$NtUninstallKB912812$\urlmon.dll --a--c- 613376 bytes [01:17 15/04/2006] [18:02 09/01/2006] A3ADBBDE8883EF1CE66167C76324113D
C:\WINDOWS\$NtUninstallKB912945$\urlmon.dll --a--c- 609280 bytes [23:11 16/03/2006] [03:16 05/11/2005] 890CEE6509D9F99054265C2B6313EADA
C:\WINDOWS\$NtUninstallKB916281$\urlmon.dll --a--c- 614400 bytes [01:12 15/06/2006] [11:04 18/03/2006] D4C84AAB6434BA9F78C4227B60EA99F4
C:\WINDOWS\$NtUninstallKB918899$\urlmon.dll --a--c- 615424 bytes [02:39 12/08/2006] [05:25 10/05/2006] 3A6882F7EFDFC8CB4AC575A3C8D1E8D3
C:\WINDOWS\$NtUninstallKB922760$\urlmon.dll --a--c- 615424 bytes [03:36 17/11/2006] [20:42 25/07/2006] 7BD49A507A0B563AD182C2D0C29D9B6F
C:\WINDOWS\ie7\urlmon.dll --a--c- 615936 bytes [23:52 06/12/2006] [08:31 14/09/2006] F94C2AD0CF4FB6EAA1DC918ADBB0A7DC
C:\WINDOWS\ie7updates\KB928090-IE7\urlmon.dll --a--c- 1162240 bytes [21:01 17/02/2007] [02:03 08/11/2006] 119F9FD3A45100CA9FA9ECB47BF9EDEA
C:\WINDOWS\ie7updates\KB931768-IE7\urlmon.dll --a--c- 1149952 bytes [00:33 09/05/2007] [14:27 12/01/2007] DA533963FAC9AFCF6BB17FA841475BCF
C:\WINDOWS\ie7updates\KB933566-IE7\urlmon.dll --a--c- 1150464 bytes [01:28 13/06/2007] [17:45 07/03/2007] A8F82EE792F050FDFBBAB787FC61639C
C:\WINDOWS\ie7updates\KB937143-IE7\urlmon.dll --a--c- 1152000 bytes [20:57 14/08/2007] [08:41 25/04/2007] 6328BC5FE50EB5246D6BD2DE7F9D8E0A
C:\WINDOWS\ie7updates\KB939653-IE7\urlmon.dll --a--c- 1152000 bytes [18:51 09/10/2007] [14:34 27/06/2007] AA0DFDE724B235C70260D2E7C8CCAF42
C:\WINDOWS\ie7updates\KB942615-IE7\urlmon.dll --a--c- 1152000 bytes [23:05 11/12/2007] [10:04 20/08/2007] 7C5217BE286320EC8C15F2011D4E3CA4
C:\WINDOWS\ie7updates\KB944533-IE7\urlmon.dll --a--c- 1159680 bytes [21:52 13/02/2008] [23:56 10/10/2007] A0C7A44451208353A8B6B7F5FE5C0BB6
C:\WINDOWS\ie7updates\KB947864-IE7\urlmon.dll --a--c- 1159680 bytes [02:27 14/04/2008] [02:21 07/12/2007] A6CC36E39A223D6E7D4496BDCC46DFC3
C:\WINDOWS\ie7updates\KB950759-IE7\urlmon.dll --a--c- 1159680 bytes [23:25 12/06/2008] [13:06 01/03/2008] 2616F6A2EAF515FE7B95B29F77604E5B
C:\WINDOWS\ie7updates\KB953838-IE7\urlmon.dll --a--c- 1159680 bytes [01:50 16/08/2008] [04:16 23/04/2008] 69F3EADC7FD9456A15DF0A00722CFC9E
C:\WINDOWS\ie7updates\KB956390-IE7\urlmon.dll --a--c- 1159680 bytes [02:12 16/10/2008] [16:57 23/06/2008] 5D3590F9082FDB3E004FEE2DE3A6C34C
C:\WINDOWS\ie7updates\KB958215-IE7\urlmon.dll --a--c- 1159680 bytes [07:06 10/12/2008] [07:24 26/08/2008] 7EBBDFF3DAA94142417FF14CDC8D0334
C:\WINDOWS\ie7updates\KB961260-IE7\urlmon.dll --a--c- 1160192 bytes [05:48 12/02/2009] [20:38 16/10/2008] 26A62A18668C58A59C178B76A8CA81EC
C:\WINDOWS\ie7updates\KB963027-IE7\urlmon.dll --a--c- 1160192 bytes [01:09 16/04/2009] [23:15 20/12/2008] 045FD1FDF0DF2F4ADA825B6484720C8D
C:\WINDOWS\ie7updates\KB969897-IE7\urlmon.dll --a--c- 1160192 bytes [17:24 10/06/2009] [18:09 20/02/2009] C05AB5AD5472CDCBCEA9E0AFEA9F3678
C:\WINDOWS\ie8\urlmon.dll --a--c- 1159680 bytes [16:23 16/09/2010] [04:56 29/04/2009] 7CAA288B1610CC1F37FF0B984253AF05
C:\WINDOWS\ie8updates\KB2183461-IE8\urlmon.dll --a--c- 1209344 bytes [16:28 16/09/2010] [10:41 06/05/2010] E3AB3442249C4861C9D591F95330731F
C:\WINDOWS\ie8updates\KB982381-IE8\urlmon.dll --a--c- 1206784 bytes [16:27 16/09/2010] [08:34 08/03/2009] 05642AE6A7BDAA7541A7451F5A4C6512
C:\WINDOWS\ServicePackFiles\i386\urlmon.dll --a---- 619520 bytes [22:54 04/10/2010] [09:42 14/04/2008] DD639FAE9C80EBB3B9E632202A9DEB54
C:\WINDOWS\SoftwareDistribution\Download\97fe76a20161cb86e78057600e7c82a0\SP3GDR\urlmon.dll --a---- 1207808 bytes [16:55 08/07/2009] [21:22 30/04/2009] F5228D04CC6A5B81B3C06E605F1D80AE
C:\WINDOWS\SoftwareDistribution\Download\97fe76a20161cb86e78057600e7c82a0\SP3QFE\urlmon.dll --a---- 1207808 bytes [16:55 08/07/2009] [21:22 30/04/2009] E61BC14AA766443029FFB43F997FD2A3
C:\WINDOWS\system32\urlmon.dll --a---- 619520 bytes [12:00 23/08/2001] [09:42 14/04/2008] DD639FAE9C80EBB3B9E632202A9DEB54

-= EOF =-

#14 peterp150

peterp150
  • Topic Starter

  • Members
  • 21 posts

Posted 17 October 2010 - 09:19 AM

Hi Gringo, I have not heard from you in several days, since I posted the "SystemLook" information you requested. Has it come to the point where I'm going to have to do a fresh install of Windows XP? Thanks, Peter

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 October 2010 - 03:51 PM

Hello

Sorry for not getting back to you sooner.

The file that is in the system32 folder is OK. I don't know why you are getting the error, and I have not found out why you would get it.

You asked if you should do a fresh install of Windows XP. That might be best at this time, and the quickest. Your reports have been coming back clean, so I would not worry about backing up any files; I would scan them before putting them back just to be safe.

Let me know what you want to do


Gringo
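A way to make the check behind this verdict mechanical, added here as an example that is not part of the thread or of SystemLook itself: it parses ":filefind" lines in the format posted above and reports whether the copy Windows loads from system32 is byte-identical (same MD5) to the copy under ServicePackFiles\i386. The assumption is that the service-pack copy is the pristine reference; the three log lines embedded in the block are constructed from the posted log.

```python
import re

# Constructed excerpt (three lines taken from the shape of the posted log)
# in the SystemLook ":filefind" format: path, attribute flags, size,
# modified stamp, created stamp, MD5.
SAMPLE_LOG = r"""
Searching for "urlmon.dll"
C:\WINDOWS\ServicePackFiles\i386\urlmon.dll --a---- 619520 bytes [22:54 04/10/2010] [09:42 14/04/2008] DD639FAE9C80EBB3B9E632202A9DEB54
C:\WINDOWS\ie8\urlmon.dll --a--c- 1159680 bytes [16:23 16/09/2010] [04:56 29/04/2009] 7CAA288B1610CC1F37FF0B984253AF05
C:\WINDOWS\system32\urlmon.dll --a---- 619520 bytes [12:00 23/08/2001] [09:42 14/04/2008] DD639FAE9C80EBB3B9E632202A9DEB54
-= EOF =-
"""

LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-F]{32})$",
    re.IGNORECASE,
)


def parse_filefind(text):
    """One dict per file line; header, blank and EOF lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def check_live_copy(entries, live_dir="\\system32\\",
                    reference_dir="\\servicepackfiles\\i386\\"):
    """Compare the copy Windows loads (system32) with the service-pack copy
    in the same listing. A match means the live DLL is byte-identical to the
    installer's copy; a mismatch only means 'look closer' (a later hotfix
    legitimately replaces the file), not proof of tampering."""
    live = [e for e in entries if live_dir in e["path"].lower()]
    refs = {e["md5"] for e in entries if reference_dir in e["path"].lower()}
    if not live:
        return {"status": "live copy not listed"}
    if not refs:
        return {"status": "no reference copy listed"}
    e = live[0]
    return {"status": "match" if e["md5"] in refs else "mismatch",
            "live_md5": e["md5"], "live_size": e["size"],
            "reference_md5s": sorted(refs)}
```

On the posted log the same comparison gives "match" for system32\urlmon.dll, which is the basis for calling that file OK; a copy under an ie7updates or ie8updates folder is a different (patched) build and is expected to differ.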