
OS won't load


37 replies to this topic

#1 iamerror


Posted 26 May 2011 - 04:10 PM

Not sure if this is the right forum section for this, but I would consider it sort of a BIOS question.

My current OS specs
Windows Vista Home Premium 32-bit service pack 2

My problem
When I turn on the computer I get the Dell logo/loading screen then it goes to a black screen with a white cursor that flashes in the upper left corner of the screen

What I've tried already to fix it
(1) F2 at startup> moved hard drive to top booting priority
(2) F12 at startup> boot cd drive (vista recovery disk)> repair computer> startup repair> got message "startup repair could not detect a problem"
(3) F12 at startup> boot cd drive (vista recovery disk)> repair computer> system restore> got message "system restore failed due to an unspecified error. the parameter is incorrect (0x80070057)"

None of these affected the issue


When this all began
I had various corruptions (trojans, root problems etc) & got advice here in the forums. My post about those issues & the steps given to me to correct those issues can be found here: my original post. I followed all of the instructions given & they seemed to fix the problems; the computer was running properly. Later that day I tried to start up the computer & got the black screen.

Edited by iamerror, 26 May 2011 - 04:12 PM.

"Thou art dead." Poetic injustice.



#2 AustrAlien


Posted 26 May 2011 - 04:52 PM

Please sit tight and be patient.

I have requested that an experienced helper who specialises in malware-related un-bootable computers respond to your topic.

Thank you.
AustrAlien
Google is my friend. Make Google your friend too.


#3 iamerror


Posted 26 May 2011 - 05:23 PM

Thanks!
"Thou art dead." Poetic injustice.

#4 JSntgRvr


Posted 26 May 2011 - 05:28 PM

Hi, :welcome:


On your previous topic the reports showed a boot record Rootkit.

Boot the computer to the Recovery Console. Select the Command prompt. At the prompt type the following and press Enter after each line:

Bootrec /FixMbr
Exit


Validate any dialog box and restart the computer in Normal Mode.

Let me know the outcome.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 iamerror


Posted 26 May 2011 - 06:00 PM

Thanks so much.

Now the os seems to start to load, but if I try to start windows normally & type in password it goes to a blue screen & then restarts the computer. The blue screen says :
________________
"A problem has been detected and windows has been shut down to prevent damage to your computer .

If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again follow these steps.

Check to be sure you have adequate disk space. If a driver is identified in the stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.

Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select advanced startup options, and then select safe mode.

Technical information:
STOP: 0x0000008E (0xC0000005, 0x82480157, 0x8A09C91C, 0x00000000)

Collecting data for crash dump...
Initializing disk for crash dump..."
________________

I looked through the BIOS setup but I'm not sure how to check any of the things that the stop error screen is suggesting. I can start the os in safe mode, but it seems to have even more limited access to things than usual safe mode.
"Thou art dead." Poetic injustice.

#6 JSntgRvr


Posted 26 May 2011 - 06:29 PM

Let's give it a try.

We will need to view the system status from an external environment. You will need a USB drive and a CD to burn. There will be several steps to follow.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Also Download Query.exe to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • In some computers you need to tap F12 and choose to boot from the CD; in others it is the Esc key. Please consult your computer's documentation.
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    Winlogon.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    volsnap.sys

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    explorer.exe

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    Userinit.exe

  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • While still in the Open Terminal, type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt
  • Then type dd if=/dev/sda of=mbr.bin bs=512 count=1


    Leave a space between the following statements:

    dd is the executable application used to create the backup
    if=/dev/sda is the device the backup is created from - the hard drive when only one HDD exists
    of=mbr.bin is the backup file to create - note the lack of a path - it will be created in the directory currently open in the Terminal
    bs=512 is the number of bytes in the backup
    count=1 says to backup just 1 sector


    It is extremely important that the if and of statements are correctly entered.

  • Press Enter
  • After it has finished a report will be located in the USB drive as mbr.bin
  • Plug the USB back into the clean computer, zip the mbr.bin, and except for the mbr.bin zipped file, post the contents of the report.txt, filefind.txt and RegReport.txt in your next reply. The mbr.bin zipped file must be attached to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
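
An added example, not part of the original post and not one of the tools it links: a Python script that decodes the 512-byte mbr.bin produced by the dd step above and lists structural anomalies worth a closer look after a boot-record infection. The two sample sectors and all partition values in them are constructed for illustration.

```python
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_CODE_END = 440            # bytes 0-439 hold the boot code
TABLE_OFFSET = 446             # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid MBR


def parse_mbr(sector):
    """Decode one 512-byte MBR dump and list structural anomalies."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (SECTOR_SIZE, len(sector)))

    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")

    partitions = []
    for slot in range(1, 5):
        start = TABLE_OFFSET + 16 * (slot - 1)
        entry = sector[start:start + 16]
        if entry == bytes(16):
            continue  # unused slot
        status, ptype = entry[0], entry[4]
        first_lba, count = struct.unpack_from("<II", entry, 8)
        if status not in (0x00, 0x80):
            findings.append("slot %d: invalid status byte 0x%02x" % (slot, status))
        if first_lba == 0 or count == 0:
            findings.append("slot %d: zero start sector or zero length" % slot)
        partitions.append({"slot": slot, "active": status == 0x80,
                           "type": ptype, "first_lba": first_lba,
                           "sectors": count})

    # A BIOS boot of Windows relies on exactly one entry being flagged active.
    active = [p for p in partitions if p["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))

    # Entries that overlap on disk indicate a damaged or rewritten table.
    ordered = sorted(partitions, key=lambda p: p["first_lba"])
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["first_lba"] < prev["first_lba"] + prev["sectors"]:
            findings.append("slots %d and %d overlap" % (prev["slot"], cur["slot"]))

    return {
        # Hash covers the boot code only, so it does not change with the
        # disk signature or the partition layout.
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "disk_signature": "%08x" % struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
        "findings": findings,
    }


def build_sample_mbr(entries):
    """Constructed input: filler boot code plus (status, type, lba, count) entries."""
    sector = bytearray(SECTOR_SIZE)
    sector[:BOOT_CODE_END] = b"\x90" * BOOT_CODE_END
    struct.pack_into("<I", sector, 440, 0x1234ABCD)
    for index, (status, ptype, first_lba, count) in enumerate(entries):
        # CHS fields (bytes 1-3 and 5-7) stay zero; only LBA values are checked.
        struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET + 16 * index,
                         status, ptype, first_lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed three-partition layout with the OS on the third partition.
CLEAN = build_sample_mbr([
    (0x00, 0xDE, 63, 80262),
    (0x00, 0x07, 81920, 20971520),
    (0x80, 0x07, 21053440, 200000000),
])

# Constructed damaged table: two active entries, third entry starts inside the second.
SUSPECT = build_sample_mbr([
    (0x00, 0xDE, 63, 80262),
    (0x80, 0x07, 81920, 20971520),
    (0x80, 0x07, 21000000, 200000000),
])


if __name__ == "__main__":
    # With a path argument, inspect a real dump such as mbr.bin from the USB drive.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SUSPECT
    report = parse_mbr(data)
    print("boot code sha256:", report["boot_code_sha256"])
    print("disk signature:  ", report["disk_signature"])
    for part in report["partitions"]:
        print(part)
    for finding in report["findings"]:
        print("FINDING:", finding)
```

The boot code hash is only meaningful when compared with the same field from a dump taken on a known-clean machine running the same Windows version; an empty findings list says the table is well-formed, not that the boot code is clean.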


#7 boopme


Posted 26 May 2011 - 07:21 PM

Hello, just letting you know I moved this topic to Here in the Virus, Trojan, Spyware, and Malware Removal Logs forum where it will stay.

Please remember to click the Watch Topic button at the top right and select Immediate Notification so you do not miss any replies now that you were moved.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#8 iamerror


Posted 26 May 2011 - 08:10 PM

REPORT

Thu May 26 20:37:28 UTC 2011
Driver report for /mnt/sda3/Windows/System32/drivers
e269bb33062f9a6b4115c86781d767aa volsnap.sys has NO Company Name!

Driver report for /mnt/sda2/Windows/System32/drivers


FILEFIND

Search results for Winlogon.exe

898e7c06a350d4a1a64a9ea264d55452 /mnt/sda3/Windows/System32/winlogon.exe
307.0K Apr 11 2009

9f75392b9128a91abafb044ea350baad /mnt/sda3/Windows/winsxs/x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21/winlogon.exe
301.0K Nov 2 2006

c2610b6bdbefc053bbdab4f1b965cb24 /mnt/sda3/Windows/winsxs/x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5/winlogon.exe
307.5K Jan 19 2008

898e7c06a350d4a1a64a9ea264d55452 /mnt/sda3/Windows/winsxs/x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741/winlogon.exe
307.0K Apr 11 2009

9f75392b9128a91abafb044ea350baad /mnt/sda2/Windows/System32/winlogon.exe
301.0K Nov 2 2006

9f75392b9128a91abafb044ea350baad /mnt/sda2/Windows/winsxs/x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6000.16386_none_6d8c3f1ad8066b21/winlogon.exe
301.0K Nov 2 2006


Search results for volsnap.sys

e269bb33062f9a6b4115c86781d767aa /mnt/sda3/Windows/System32/drivers/volsnap.sys
221.0K Apr 11 2009

147281c01fcb1df9252de2a10d5e7093 /mnt/sda3/Windows/System32/DriverStore/FileRepository/volume.inf_1e6030e4/volsnap.sys
221.0K Apr 11 2009

11ef6c1caef76b685233450a126125d6 /mnt/sda3/Windows/System32/DriverStore/FileRepository/volume.inf_9320b452/volsnap.sys
203.6K Nov 2 2006

80dc0c9bcb579ed9815001a4d37cbfd5 /mnt/sda3/Windows/System32/DriverStore/FileRepository/volume.inf_f47b2c78/volsnap.sys
206.1K Oct 11 2008

d8b4a53dd2769f226b3eb374374987c9 /mnt/sda3/Windows/System32/DriverStore/FileRepository/volume.inf_f53a1785/volsnap.sys
222.6K Jan 19 2008

327639d2ec931b057f3826a51adc73e9 /mnt/sda3/Windows/winsxs/x86_volume.inf_31bf3856ad364e35_6.0.6000.20709_none_146318401803edb5/volsnap.sys
206.1K Oct 11 2008

d8b4a53dd2769f226b3eb374374987c9 /mnt/sda3/Windows/winsxs/x86_volume.inf_31bf3856ad364e35_6.0.6001.18000_none_15b6b780fc14facd/volsnap.sys
222.6K Jan 19 2008

147281c01fcb1df9252de2a10d5e7093 /mnt/sda3/Windows/winsxs/x86_volume.inf_31bf3856ad364e35_6.0.6002.18005_none_17a2308cf936c619/volsnap.sys
221.0K Apr 11 2009

80dc0c9bcb579ed9815001a4d37cbfd5 /mnt/sda3/Windows/winsxs/x86_volume.inf_31bf3856ad364e35_6.0.6000.16586_none_137ff950ff29e447/volsnap.sys
206.1K Oct 11 2008

11ef6c1caef76b685233450a126125d6 /mnt/sda2/Windows/System32/drivers/volsnap.sys
203.6K Nov 2 2006

11ef6c1caef76b685233450a126125d6 /mnt/sda2/Windows/System32/DriverStore/FileRepository/volume.inf_9320b452/volsnap.sys
203.6K Nov 2 2006


Search results for explorer.exe

d07d4c3038f3578ffce1c0237f2a1253 /mnt/sda3/Windows/explorer.exe
2.8M Apr 11 2009

fd8c53fb002217f6f888bcf6f5d7084d /mnt/sda3/Windows/winsxs/x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb/explorer.exe
2.8M Nov 2 2006

6d06cd98d954fe87fb2db8108793b399 /mnt/sda3/Windows/winsxs/x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a/explorer.exe
2.8M Oct 11 2008

bd06f0bf753bc704b653c3a50f89d362 /mnt/sda3/Windows/winsxs/x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf/explorer.exe
2.8M Oct 11 2008

e7156b0b74762d9de0e66bdcde06e5fb /mnt/sda3/Windows/winsxs/x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b/explorer.exe
2.8M Oct 28 2008

ffa764631cb70a30065c12ef8e174f9f /mnt/sda3/Windows/winsxs/x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf/explorer.exe
2.8M Jan 19 2008

4f554999d7d5f05daaebba7b5ba1089d /mnt/sda3/Windows/winsxs/x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8/explorer.exe
2.8M Oct 29 2008

50ba5850147410cde89c523ad3bc606e /mnt/sda3/Windows/winsxs/x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1/explorer.exe
2.8M Oct 30 2008

d07d4c3038f3578ffce1c0237f2a1253 /mnt/sda3/Windows/winsxs/x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b/explorer.exe
2.8M Apr 11 2009

37440d09deae0b672a04dccf7abf06be /mnt/sda3/Windows/winsxs/x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3/explorer.exe
2.8M Oct 29 2008


Search results for Userinit.exe

0e135526e9785d085bcd9aede6fbcbf9 /mnt/sda3/Windows/System32/userinit.exe
24.5K Jan 19 2008

22027835939f86c3e47ad8e3fbde3d11 /mnt/sda3/Windows/winsxs/x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_d9f1f819d4c4e737/userinit.exe
24.0K Nov 2 2006

0e135526e9785d085bcd9aede6fbcbf9 /mnt/sda3/Windows/winsxs/x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b/userinit.exe
24.5K Jan 19 2008

22027835939f86c3e47ad8e3fbde3d11 /mnt/sda2/Windows/System32/userinit.exe
24.0K Nov 2 2006

22027835939f86c3e47ad8e3fbde3d11 /mnt/sda2/Windows/winsxs/x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6000.16386_none_d9f1f819d4c4e737/userinit.exe
24.0K Nov 2 2006


Search results for Exit


Search results for bash query.sh



REGREPORT

Remote Registry Report

Hive </mnt/sda3/Windows/System32/config/software>
(...)\Microsoft\Windows NT\CurrentVersion> Value <ProductName> of type REG_SZ, data length 64 [0x40]
Windows Vista ™ Home Premium
(...)\Microsoft\Windows NT\CurrentVersion> Value <CSDVersion> of type REG_SZ, data length 30 [0x1e]
Service Pack 2
(...)\Microsoft\Windows NT\CurrentVersion> Value <SystemRoot> of type REG_SZ, data length 22 [0x16]
C:\Windows
(...)\Microsoft\Windows NT\CurrentVersion\Windows> Value <AppInit_DLLs> of type REG_SZ, data length 2 [0x2]
(...)\Windows NT\CurrentVersion\Winlogon> Value <Shell> of type REG_SZ, data length 26 [0x1a]
Explorer.exe
(...)\Windows NT\CurrentVersion\Winlogon> Value <Userinit> of type REG_SZ, data length 68 [0x44]
C:\Windows\system32\userinit.exe,
(...)\Windows NT\CurrentVersion\Winlogon\Notify> Node has 2 subkeys and 0 values
<GoToAssist>
<igfxcui>
(...)\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 11 values
size type value name [value if type DWORD]
74 REG_SZ <Apoint>
62 REG_SZ <Broadcom Wireless Manager UI>
128 REG_SZ <dscactivate>
152 REG_SZ <DellSupportCenter>
82 REG_SZ <MSConfig>
2 REG_SZ <>
90 REG_SZ <SunJavaUpdateSched>
68 REG_EXPAND_SZ <SysTrayApp>
100 REG_SZ <Windows Defender>
146 REG_SZ <Malwarebytes' Anti-Malware (reboot)>
182 REG_SZ <Jrerudeneno>
(...)\Windows\CurrentVersion\Policies\System> Node has 1 subkeys and 18 values
<UIPI>
4 REG_DWORD <ConsentPromptBehaviorAdmin> 2 [0x2]
4 REG_DWORD <ConsentPromptBehaviorUser> 1 [0x1]
4 REG_DWORD <EnableInstallerDetection> 1 [0x1]
4 REG_DWORD <EnableLUA> 1 [0x1]
4 REG_DWORD <EnableSecureUIAPaths> 1 [0x1]
4 REG_DWORD <EnableVirtualization> 1 [0x1]
4 REG_DWORD <PromptOnSecureDesktop> 1 [0x1]
4 REG_DWORD <ValidateAdminCodeSignatures> 0 [0x0]
4 REG_DWORD <dontdisplaylastusername> 0 [0x0]
2 REG_SZ <legalnoticecaption>
6 REG_SZ <legalnoticetext>
4 REG_DWORD <scforceoption> 0 [0x0]
4 REG_DWORD <shutdownwithoutlogon> 1 [0x1]
4 REG_DWORD <undockwithoutlogon> 1 [0x1]
4 REG_DWORD <FilterAdministratorToken> 0 [0x0]
4 REG_DWORD <EnableUIADesktopToggle> 0 [0x0]
4 REG_DWORD <DisableRegistryTools> 0 [0x0]
4 REG_DWORD <DisableTaskMgr> 1 [0x1]


Hive </mnt/sda2/Windows/System32/config/SOFTWARE>
\Microsoft\Windows NT\CurrentVersion> Value <ProductName> of type REG_SZ, data length 124 [0x7c]
Windows ™ Code Name "Longhorn" Preinstallation Environment
\Microsoft\Windows NT\CurrentVersion> cat_vk: No such value <CSDVersion>
\Microsoft\Windows NT\CurrentVersion> Value <SystemRoot> of type REG_SZ, data length 22 [0x16]
D:\Windows
\Microsoft\Windows NT\CurrentVersion\Windows> Value <AppInit_DLLs> of type REG_SZ, data length 2 [0x2]
(...)\Windows NT\CurrentVersion\Winlogon> Value <Shell> of type REG_SZ, data length 50 [0x32]
cmd.exe /k start cmd.exe
(...)\Windows NT\CurrentVersion\Winlogon> Value <Userinit> of type REG_SZ, data length 68 [0x44]
D:\Windows\system32\userinit.exe,
(...)\Windows NT\CurrentVersion\Winlogon> Node has 1 subkeys and 16 values
<GPExtensions>
size type value name [value if type DWORD]
50 REG_SZ <Shell>
68 REG_SZ <Userinit>
88 REG_SZ <VmApplet>
4 REG_SZ <ReportBootOk>
4 REG_DWORD <AutoRestartShell> 1 [0x1]
2 REG_SZ <LegalNoticeCaption>
2 REG_SZ <LegalNoticeText>
4 REG_SZ <PowerdownAfterShutdown>
4 REG_SZ <ShutdownWithoutLogon>
6 REG_SZ <cachedlogonscount>
4 REG_DWORD <forceunlocklogon> 0 [0x0]
4 REG_DWORD <passwordexpirywarning> 14 [0xe]
12 REG_SZ <Background>
6 REG_SZ <DebugServerCommand>
4 REG_SZ <WinStationsDisabled>
4 REG_DWORD <ShutdownFlags> 39 [0x27]
(...)\Windows\CurrentVersion\Policies\System> Node has 1 subkeys and 2 values
<UIPI>
4 REG_DWORD <EnableMIC> 0 [0x0]
4 REG_DWORD <EnableUIPI> 0 [0x0]


Hive </mnt/sda3/Users/Alissa/ntuser.dat>
(...)\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 2 values
size type value name [value if type DWORD]
56 REG_SZ <ehTray.exe>
112 REG_SZ <SpybotSD TeaTimer>
(...)\Windows\CurrentVersion\Policies\Explorer> Node has 1 subkeys and 2 values
<run>
4 REG_DWORD <NoDriveTypeAutoRun> 0 [0x0]
4 REG_DWORD <NoDrives> 0 [0x0]
(...)\Windows\CurrentVersion\Policies\system> Node has 0 subkeys and 0 values
\Software\Policies\Microsoft\Windows\System> Node has 0 subkeys and 0 values


Hive </mnt/sda3/Windows/ERDNT/Hiv-backup/Users/00000001/NTUSER.DAT>
(...)\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 2 values
size type value name [value if type DWORD]
108 REG_EXPAND_SZ <Sidebar>
88 REG_SZ <WindowsWelcomeCenter>


Hive </mnt/sda3/Windows/ERDNT/Hiv-backup/Users/00000002/NTUSER.DAT>
(...)\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 2 values
size type value name [value if type DWORD]
108 REG_EXPAND_SZ <Sidebar>
88 REG_SZ <WindowsWelcomeCenter>


Hive </mnt/sda3/Windows/ERDNT/Hiv-backup/Users/00000003/ntuser.dat>
(...)\Microsoft\Windows\CurrentVersion\Run> Node has 0 subkeys and 7 values
size type value name [value if type DWORD]
108 REG_SZ <Sidebar>
152 REG_SZ <DellSupportCenter>
56 REG_SZ <ehTray.exe>
1 REG_SZ <Aim6>
130 REG_SZ <VeohPlugin>
54 REG_SZ <S45>
132 REG_SZ <Uniblue RegistryBooster 2009>
(...)\Windows\CurrentVersion\Policies\Explorer> Node has 0 subkeys and 1 values
4 REG_DWORD <NoDriveTypeAutoRun> 0 [0x0]
(...)\Windows\CurrentVersion\Policies\System> Node has 0 subkeys and 1 values
4 REG_DWORD <DisableRegistryTools> 0 [0x0]
\Software\Policies\Microsoft\Windows\System> Node has 0 subkeys and 1 values
4 REG_DWORD <DisableCMD> 0 [0x0]


MBR.BIN
- I'm not sure how to 'zip' the .bin file, I tried to just attach mbr.bin but got 'error: you aren't permitted to upload this kind of file'
"Thou art dead." Poetic injustice.

#9 JSntgRvr

Posted 26 May 2011 - 10:14 PM

Let's try this fix manually.

Boot to xPUD.

  • Press File
  • Expand mnt
  • Browse to the /mnt/sda3/Windows/System32/DriverStore/FileRepository/volume.inf_1e6030e4 folder
  • Locate the volsnap.sys file
  • Right click on it and select Copy
  • Go back to the System32 folder and browse to the /mnt/sda3/Windows/System32/drivers folder.
  • Right click on an empty space in the drivers folder and select Paste, thereby replacing the volsnap.sys file present therein.

Restart in Normal Mode.

Let me know the outcome.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#10 iamerror

Posted 26 May 2011 - 10:35 PM

Thanks so much

When starting normally still goes to logon screen, and when I try to type in the password it goes back to the blue stop screen.
Not sure if it matters, but the 'technical info' this time was:
STOP: 0x0000008E (0xC0000005, 0x8247E157, 0x8A0C291C, 0x00000000)

#11 JSntgRvr

Posted 27 May 2011 - 12:43 AM

Try these again now that the MBR seems able to boot the computer:

  • F12 at startup> boot cd drive (vista recovery disk)> repair computer> startup repair
  • F12 at startup> boot cd drive (vista recovery disk)> repair computer> system restore

If you are still experiencing problems with it, try the Command prompt. At the prompt type C: and press Enter. Does it return an error message? -or- Does the prompt change to C:>?

Type Exit and press Enter to return to the menu.

If none of the above works, let's check if the file copy was successful:

Delete the following files from the USB drive:

report.txt
filefind.txt
RegReport.txt


Boot to xPUD

  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    volsnap.sys

  • Press Enter
  • If successful, the script will search for this file.
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • Then type bash query.sh -sv
  • Press Enter
  • After it has finished a special report will be located in the USB drive as RegReport.txt

Post the new filefind.txt, report.txt and RegReport.txt.


In the /mnt/sda3/Windows there must be a minidump folder. If present, copy that folder to the USB drive. In a working computer, right click on the minidump folder and select "Send to". Select Compressed (zipped folder). That should produce a zip folder. Attach it to a reply.

Edited by JSntgRvr, 27 May 2011 - 12:48 AM.

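An added example, not part of the thread's posts or of driver.sh: a Python check of a filefind.txt report that compares the active copy of a driver with the DriverStore and winsxs copies on the same partition. The sample lines are excerpted from the reports posted in this thread; the function names, status labels and the active/store classification are assumptions made for this example.

```python
import re
from collections import defaultdict

# Excerpt of the filefind.txt report posted before the manual copy
# (values taken from this thread; only a few entries are kept).
REPORT_BEFORE = """\
Search results for volsnap.sys

e269bb33062f9a6b4115c86781d767aa /mnt/sda3/Windows/System32/drivers/volsnap.sys
221.0K Apr 11 2009

147281c01fcb1df9252de2a10d5e7093 /mnt/sda3/Windows/System32/DriverStore/FileRepository/volume.inf_1e6030e4/volsnap.sys
221.0K Apr 11 2009

d8b4a53dd2769f226b3eb374374987c9 /mnt/sda3/Windows/System32/DriverStore/FileRepository/volume.inf_f53a1785/volsnap.sys
222.6K Jan 19 2008

11ef6c1caef76b685233450a126125d6 /mnt/sda2/Windows/System32/drivers/volsnap.sys
203.6K Nov 2 2006

11ef6c1caef76b685233450a126125d6 /mnt/sda2/Windows/System32/DriverStore/FileRepository/volume.inf_9320b452/volsnap.sys
203.6K Nov 2 2006
"""

# After the copy, the report in this thread lists the active driver with the
# same hash as the volume.inf_1e6030e4 copy; model that by swapping the hash.
REPORT_AFTER = REPORT_BEFORE.replace(
    "e269bb33062f9a6b4115c86781d767aa", "147281c01fcb1df9252de2a10d5e7093")

ENTRY = re.compile(r"^([0-9a-fA-F]{32})\s+(/.+)$")      # "<md5> <path>"
ROOT = re.compile(r"^(.*?/Windows)/", re.IGNORECASE)    # per-install root
STORE_DIRS = ("/driverstore/filerepository/", "/winsxs/")


def parse_filefind(text):
    """Parse '<md5> <path>' lines, each followed by a '<size> <date>' line."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries = []
    for i, line in enumerate(lines):
        m = ENTRY.match(line)
        if not m:
            continue
        meta = lines[i + 1] if i + 1 < len(lines) else ""
        if ENTRY.match(meta):          # metadata line missing in the report
            meta = ""
        size, _, date = meta.partition(" ")
        entries.append({"md5": m.group(1).lower(), "path": m.group(2),
                        "size": size, "date": date})
    return entries


def check_active_copies(entries):
    """For each Windows root, compare active files with that root's store copies."""
    groups = defaultdict(lambda: {"active": [], "store": []})
    for e in entries:
        root = ROOT.match(e["path"])
        if not root:
            continue
        name = e["path"].rsplit("/", 1)[-1].lower()
        in_store = any(d in e["path"].lower() for d in STORE_DIRS)
        groups[(root.group(1), name)]["store" if in_store else "active"].append(e)

    findings = []
    for _key, g in sorted(groups.items()):
        store_hashes = {s["md5"] for s in g["store"]}
        for a in g["active"]:
            if not g["store"]:
                status = "no-reference"
            elif a["md5"] in store_hashes:
                status = "match"
            else:
                status = "MISMATCH"
            # A store copy with identical size and date but a different hash
            # means size/date alone would not have revealed the difference.
            twin = any(s["size"] == a["size"] and s["date"] == a["date"]
                       and s["md5"] != a["md5"] for s in g["store"])
            findings.append({"path": a["path"], "md5": a["md5"],
                             "status": status,
                             "same_size_date_as_store_copy": twin})
    return findings


if __name__ == "__main__":
    for label, report in (("before", REPORT_BEFORE), ("after", REPORT_AFTER)):
        for f in check_active_copies(parse_filefind(report)):
            print(label, f["status"], f["md5"], f["path"])
```

A "match" only shows that the active file is identical to a packaged copy on the same disk; it is a consistency check against local copies, not against a vendor baseline.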


#12 iamerror

Posted 27 May 2011 - 07:11 PM

Startup repair could not detect a problem.

This time when I tried to system restore, instead of various dates/options, I got a message that read 'No restore points have been created on your computer's system disk.'

When I type C: in the command prompt & hit enter the prompt changes to C:\>

Here are the reports..

_______________________
FILEFIND

Search results for volsnap.sys

147281c01fcb1df9252de2a10d5e7093 /mnt/sda3/Windows/System32/drivers/volsnap.sys
221.0K Apr 11 2009

147281c01fcb1df9252de2a10d5e7093 /mnt/sda3/Windows/System32/DriverStore/FileRepository/volume.inf_1e6030e4/volsnap.sys
221.0K Apr 11 2009

11ef6c1caef76b685233450a126125d6 /mnt/sda3/Windows/System32/DriverStore/FileRepository/volume.inf_9320b452/volsnap.sys
203.6K Nov 2 2006

80dc0c9bcb579ed9815001a4d37cbfd5 /mnt/sda3/Windows/System32/DriverStore/FileRepository/volume.inf_f47b2c78/volsnap.sys
206.1K Oct 11 2008

d8b4a53dd2769f226b3eb374374987c9 /mnt/sda3/Windows/System32/DriverStore/FileRepository/volume.inf_f53a1785/volsnap.sys
222.6K Jan 19 2008

327639d2ec931b057f3826a51adc73e9 /mnt/sda3/Windows/winsxs/x86_volume.inf_31bf3856ad364e35_6.0.6000.20709_none_146318401803edb5/volsnap.sys
206.1K Oct 11 2008

d8b4a53dd2769f226b3eb374374987c9 /mnt/sda3/Windows/winsxs/x86_volume.inf_31bf3856ad364e35_6.0.6001.18000_none_15b6b780fc14facd/volsnap.sys
222.6K Jan 19 2008

147281c01fcb1df9252de2a10d5e7093 /mnt/sda3/Windows/winsxs/x86_volume.inf_31bf3856ad364e35_6.0.6002.18005_none_17a2308cf936c619/volsnap.sys
221.0K Apr 11 2009

80dc0c9bcb579ed9815001a4d37cbfd5 /mnt/sda3/Windows/winsxs/x86_volume.inf_31bf3856ad364e35_6.0.6000.16586_none_137ff950ff29e447/volsnap.sys
206.1K Oct 11 2008

11ef6c1caef76b685233450a126125d6 /mnt/sda2/Windows/System32/drivers/volsnap.sys
203.6K Nov 2 2006

11ef6c1caef76b685233450a126125d6 /mnt/sda2/Windows/System32/DriverStore/FileRepository/volume.inf_9320b452/volsnap.sys
203.6K Nov 2 2006

__________________________

REGREPORT

Remote Registry Service Report

Hive </mnt/sda3/Windows/System32/config/system>
>
<ControlSet001>
<ControlSet002>
<RNG>
size type value name [value if type DWORD]
4 REG_DWORD <Current> 1 [0x1]
4 REG_DWORD <Default> 1 [0x1]
4 REG_DWORD <Failed> 0 [0x0]
4 REG_DWORD <LastKnownGood> 2 [0x2]


\ControlSet001\Services>


\SystemRoot\system32\drivers\lsi_sas.sys
\ControlSet001\Services\LSI_SAS> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\LSI_SCSI> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\lsi_scsi.sys
\ControlSet001\Services\LSI_SCSI> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\luafv> Value <ImagePath> of type REG_EXPAND_SZ, data length 78 [0x4e]
\SystemRoot\system32\drivers\luafv.sys
\ControlSet001\Services\luafv> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\MBAMSwissArmy> Value <ImagePath> of type REG_EXPAND_SZ, data length 100 [0x64]
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\ControlSet001\Services\MBAMSwissArmy> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\MCSTRM> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\Mcx2Svc> Value <ImagePath> of type REG_EXPAND_SZ, data length 100 [0x64]
%SystemRoot%\system32\svchost.exe -k LocalService
\ControlSet001\Services\Mcx2Svc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\megasas> Value <ImagePath> of type REG_EXPAND_SZ, data length 82 [0x52]
\SystemRoot\system32\drivers\megasas.sys
\ControlSet001\Services\megasas> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\MMCSS> Value <ImagePath> of type REG_EXPAND_SZ, data length 90 [0x5a]
%SystemRoot%\system32\svchost.exe -k netsvcs
\ControlSet001\Services\MMCSS> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\Modem> Value <ImagePath> of type REG_EXPAND_SZ, data length 54 [0x36]
system32\drivers\modem.sys
\ControlSet001\Services\Modem> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\monitor> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\DRIVERS\monitor.sys
\ControlSet001\Services\monitor> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\mouclass> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\DRIVERS\mouclass.sys
\ControlSet001\Services\mouclass> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\mouhid> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\DRIVERS\mouhid.sys
\ControlSet001\Services\mouhid> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\MountMgr> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
System32\drivers\mountmgr.sys
\ControlSet001\Services\MountMgr> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\mpio> Value <ImagePath> of type REG_EXPAND_SZ, data length 76 [0x4c]
\SystemRoot\system32\drivers\mpio.sys
\ControlSet001\Services\mpio> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\mpsdrv> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
System32\drivers\mpsdrv.sys
\ControlSet001\Services\mpsdrv> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\MpsSvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 118 [0x76]
%SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork
\ControlSet001\Services\MpsSvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\Mraid35x> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\mraid35x.sys
\ControlSet001\Services\Mraid35x> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\MRxDAV> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\mrxdav.sys
\ControlSet001\Services\MRxDAV> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\mrxsmb> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\DRIVERS\mrxsmb.sys
\ControlSet001\Services\mrxsmb> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\mrxsmb10> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\DRIVERS\mrxsmb10.sys
\ControlSet001\Services\mrxsmb10> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\mrxsmb20> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\DRIVERS\mrxsmb20.sys
\ControlSet001\Services\mrxsmb20> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\msahci> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\msahci.sys
\ControlSet001\Services\msahci> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\msdsm> Value <ImagePath> of type REG_EXPAND_SZ, data length 78 [0x4e]
\SystemRoot\system32\drivers\msdsm.sys
\ControlSet001\Services\msdsm> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\MSDTC> Value <ImagePath> of type REG_EXPAND_SZ, data length 64 [0x40]
%SystemRoot%\System32\msdtc.exe
\ControlSet001\Services\MSDTC> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\Msfs> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\msisadrv> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\drivers\msisadrv.sys
\ControlSet001\Services\msisadrv> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\MSiSCSI> Value <ImagePath> of type REG_EXPAND_SZ, data length 90 [0x5a]
%systemroot%\system32\svchost.exe -k netsvcs
\ControlSet001\Services\MSiSCSI> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\msiserver> Value <ImagePath> of type REG_EXPAND_SZ, data length 74 [0x4a]
%systemroot%\system32\msiexec.exe /V
\ControlSet001\Services\msiserver> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\MSKSSRV> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\drivers\MSKSSRV.sys
\ControlSet001\Services\MSKSSRV> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\MSPCLOCK> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\drivers\MSPCLOCK.sys
\ControlSet001\Services\MSPCLOCK> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\MSPQM> Value <ImagePath> of type REG_EXPAND_SZ, data length 54 [0x36]
system32\drivers\MSPQM.sys
\ControlSet001\Services\MSPQM> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\MsRPC> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\mssmbios> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\DRIVERS\mssmbios.sys
\ControlSet001\Services\mssmbios> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\MSSQL$MSSMLBIZ> Value <ImagePath> of type REG_EXPAND_SZ, data length 166 [0xa6]
"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ
\ControlSet001\Services\MSSQL$MSSMLBIZ> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\MSSQLServerADHelper> Value <ImagePath> of type REG_EXPAND_SZ, data length 130 [0x82]
"c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe"
\ControlSet001\Services\MSSQLServerADHelper> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\MSTEE> Value <ImagePath> of type REG_EXPAND_SZ, data length 54 [0x36]
system32\drivers\MSTEE.sys
\ControlSet001\Services\MSTEE> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\Mup> Value <ImagePath> of type REG_EXPAND_SZ, data length 50 [0x32]
System32\Drivers\mup.sys
\ControlSet001\Services\Mup> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\napagent> Value <ImagePath> of type REG_EXPAND_SZ, data length 104 [0x68]
%SystemRoot%\System32\svchost.exe -k NetworkService
\ControlSet001\Services\napagent> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\NativeWifiP> Value <ImagePath> of type REG_EXPAND_SZ, data length 54 [0x36]
system32\DRIVERS\nwifi.sys
\ControlSet001\Services\NativeWifiP> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\NCHSSVAD> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\drivers\nchssvad.sys
\ControlSet001\Services\NCHSSVAD> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\NDIS> Value <ImagePath> of type REG_EXPAND_SZ, data length 52 [0x34]
system32\drivers\ndis.sys
\ControlSet001\Services\NDIS> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\NdisTapi> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\DRIVERS\ndistapi.sys
\ControlSet001\Services\NdisTapi> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\Ndisuio> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\DRIVERS\ndisuio.sys
\ControlSet001\Services\Ndisuio> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\NdisWan> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\DRIVERS\ndiswan.sys
\ControlSet001\Services\NdisWan> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\NDProxy> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\NetBIOS> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\DRIVERS\netbios.sys
\ControlSet001\Services\NetBIOS> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\netbt> Value <ImagePath> of type REG_EXPAND_SZ, data length 54 [0x36]
System32\DRIVERS\netbt.sys
\ControlSet001\Services\netbt> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\Netlogon> Value <ImagePath> of type REG_EXPAND_SZ, data length 64 [0x40]
%SystemRoot%\system32\lsass.exe
\ControlSet001\Services\Netlogon> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\Netman> Value <ImagePath> of type REG_EXPAND_SZ, data length 132 [0x84]
%SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted
\ControlSet001\Services\Netman> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\netprofm> Value <ImagePath> of type REG_EXPAND_SZ, data length 100 [0x64]
%SystemRoot%\System32\svchost.exe -k LocalService
\ControlSet001\Services\netprofm> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\NetTcpPortSharing> Value <ImagePath> of type REG_EXPAND_SZ, data length 182 [0xb6]
"%systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
\ControlSet001\Services\NetTcpPortSharing> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\nfrd960> Value <ImagePath> of type REG_EXPAND_SZ, data length 82 [0x52]
\SystemRoot\system32\drivers\nfrd960.sys
\ControlSet001\Services\nfrd960> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\NlaSvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 104 [0x68]
%SystemRoot%\System32\svchost.exe -k NetworkService
\ControlSet001\Services\NlaSvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\Npfs> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\nsi> Value <ImagePath> of type REG_EXPAND_SZ, data length 100 [0x64]
%systemroot%\system32\svchost.exe -k LocalService
\ControlSet001\Services\nsi> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\nsiproxy> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\drivers\nsiproxy.sys
\ControlSet001\Services\nsiproxy> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\Ntfs> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\ntrigdigi> Value <ImagePath> of type REG_EXPAND_SZ, data length 86 [0x56]
\SystemRoot\system32\drivers\ntrigdigi.sys
\ControlSet001\Services\ntrigdigi> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\Null> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\nvraid> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\nvraid.sys
\ControlSet001\Services\nvraid> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\nvstor> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\nvstor.sys
\ControlSet001\Services\nvstor> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\nv_agp> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\nv_agp.sys
\ControlSet001\Services\nv_agp> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\NwlnkFlt> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\DRIVERS\nwlnkflt.sys
\ControlSet001\Services\NwlnkFlt> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\NwlnkFwd> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\DRIVERS\nwlnkfwd.sys
\ControlSet001\Services\NwlnkFwd> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\OA001Ufd> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\DRIVERS\OA001Ufd.sys
\ControlSet001\Services\OA001Ufd> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\OA001Vid> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\DRIVERS\OA001Vid.sys
\ControlSet001\Services\OA001Vid> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\ohci1394> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\DRIVERS\ohci1394.sys
\ControlSet001\Services\ohci1394> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\p2pimsvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 134 [0x86]
%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
\ControlSet001\Services\p2pimsvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\p2psvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 134 [0x86]
%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
\ControlSet001\Services\p2psvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\Parport> Value <ImagePath> of type REG_EXPAND_SZ, data length 82 [0x52]
\SystemRoot\system32\drivers\parport.sys
\ControlSet001\Services\Parport> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\partmgr> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
System32\drivers\partmgr.sys
\ControlSet001\Services\partmgr> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\Parvdm> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\parvdm.sys
\ControlSet001\Services\Parvdm> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\PcaSvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 132 [0x84]
%systemroot%\system32\svchost.exe -k LocalSystemNetworkRestricted
\ControlSet001\Services\PcaSvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\pci> Value <ImagePath> of type REG_EXPAND_SZ, data length 50 [0x32]
system32\drivers\pci.sys
\ControlSet001\Services\pci> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\pciide> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\pciide.sys
\ControlSet001\Services\pciide> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\pcmcia> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\pcmcia.sys
\ControlSet001\Services\pcmcia> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\PCTAVSvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 102 [0x66]
"C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe"
\ControlSet001\Services\PCTAVSvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\PCTCore> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\drivers\PCTCore.sys
\ControlSet001\Services\PCTCore> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\PEAUTH> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\drivers\peauth.sys
\ControlSet001\Services\PEAUTH> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\pla> Value <ImagePath> of type REG_EXPAND_SZ, data length 118 [0x76]
%SystemRoot%\System32\svchost.exe -k LocalServiceNoNetwork
\ControlSet001\Services\pla> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\PlugPlay> Value <ImagePath> of type REG_EXPAND_SZ, data length 96 [0x60]
%SystemRoot%\system32\svchost.exe -k DcomLaunch
\ControlSet001\Services\PlugPlay> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\PNRPAutoReg> Value <ImagePath> of type REG_EXPAND_SZ, data length 134 [0x86]
%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
\ControlSet001\Services\PNRPAutoReg> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\PNRPsvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 134 [0x86]
%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
\ControlSet001\Services\PNRPsvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\PolicyAgent> Value <ImagePath> of type REG_EXPAND_SZ, data length 138 [0x8a]
%SystemRoot%\system32\svchost.exe -k NetworkServiceNetworkRestricted
\ControlSet001\Services\PolicyAgent> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\PptpMiniport> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\DRIVERS\raspptp.sys
\ControlSet001\Services\PptpMiniport> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\Processor> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\processr.sys
\ControlSet001\Services\Processor> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\ProfSvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 90 [0x5a]
%systemroot%\system32\svchost.exe -k netsvcs
\ControlSet001\Services\ProfSvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\ProtectedStorage> Value <ImagePath> of type REG_EXPAND_SZ, data length 64 [0x40]
%SystemRoot%\system32\lsass.exe
\ControlSet001\Services\ProtectedStorage> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\PSched> Value <ImagePath> of type REG_EXPAND_SZ, data length 54 [0x36]
system32\DRIVERS\pacer.sys
\ControlSet001\Services\PSched> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\PxHelp20> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
System32\Drivers\PxHelp20.sys
\ControlSet001\Services\PxHelp20> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\ql2300> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\ql2300.sys
\ControlSet001\Services\ql2300> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\ql40xx> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\ql40xx.sys
\ControlSet001\Services\ql40xx> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\QWAVE> Value <ImagePath> of type REG_EXPAND_SZ, data length 92 [0x5c]
%windir%\system32\svchost.exe -k LocalService
\ControlSet001\Services\QWAVE> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\QWAVEdrv> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\qwavedrv.sys
\ControlSet001\Services\QWAVEdrv> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\R300> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\DRIVERS\atikmdag.sys
\ControlSet001\Services\R300> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\RasAcd> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
System32\DRIVERS\rasacd.sys
\ControlSet001\Services\RasAcd> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\RasAuto> Value <ImagePath> of type REG_EXPAND_SZ, data length 90 [0x5a]
%SystemRoot%\system32\svchost.exe -k netsvcs
\ControlSet001\Services\RasAuto> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\Rasl2tp> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\DRIVERS\rasl2tp.sys
\ControlSet001\Services\Rasl2tp> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\RasMan> Value <ImagePath> of type REG_EXPAND_SZ, data length 90 [0x5a]
%SystemRoot%\system32\svchost.exe -k netsvcs
\ControlSet001\Services\RasMan> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\RasPppoe> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\DRIVERS\raspppoe.sys
\ControlSet001\Services\RasPppoe> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\RasSstp> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\DRIVERS\rassstp.sys
\ControlSet001\Services\RasSstp> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\rdbss> Value <ImagePath> of type REG_EXPAND_SZ, data length 54 [0x36]
system32\DRIVERS\rdbss.sys
\ControlSet001\Services\rdbss> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\RDPCDD> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
System32\DRIVERS\RDPCDD.sys
\ControlSet001\Services\RDPCDD> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\rdpdr> Value <ImagePath> of type REG_EXPAND_SZ, data length 78 [0x4e]
\SystemRoot\system32\drivers\rdpdr.sys
\ControlSet001\Services\rdpdr> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\RDPENCDD> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\drivers\rdpencdd.sys
\ControlSet001\Services\RDPENCDD> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\RDPWD> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\RemoteAccess> Value <ImagePath> of type REG_EXPAND_SZ, data length 90 [0x5a]
%SystemRoot%\system32\svchost.exe -k netsvcs
\ControlSet001\Services\RemoteAccess> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\RemoteRegistry> Value <ImagePath> of type REG_EXPAND_SZ, data length 88 [0x58]
%SystemRoot%\system32\svchost.exe -k regsvc
\ControlSet001\Services\RemoteRegistry> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\rimmptsk> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\DRIVERS\rimmptsk.sys
\ControlSet001\Services\rimmptsk> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\rimsptsk> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\DRIVERS\rimsptsk.sys
\ControlSet001\Services\rimsptsk> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\rismxdp> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\DRIVERS\rixdptsk.sys
\ControlSet001\Services\rismxdp> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\RpcLocator> Value <ImagePath> of type REG_EXPAND_SZ, data length 68 [0x44]
%SystemRoot%\system32\locator.exe
\ControlSet001\Services\RpcLocator> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\RpcSs> Value <ImagePath> of type REG_EXPAND_SZ, data length 86 [0x56]
%SystemRoot%\system32\svchost.exe -k rpcss
\ControlSet001\Services\RpcSs> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\rspndr> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\DRIVERS\rspndr.sys
\ControlSet001\Services\rspndr> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\SamSs> Value <ImagePath> of type REG_EXPAND_SZ, data length 64 [0x40]
%SystemRoot%\system32\lsass.exe
\ControlSet001\Services\SamSs> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\SASDIFSV> Value <ImagePath> of type REG_EXPAND_SZ, data length 102 [0x66]
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
\ControlSet001\Services\SASDIFSV> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\SASKUTIL> Value <ImagePath> of type REG_EXPAND_SZ, data length 102 [0x66]
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
\ControlSet001\Services\SASKUTIL> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\sbp2port> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\sbp2port.sys
\ControlSet001\Services\sbp2port> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\SBSDWSCService> Value <ImagePath> of type REG_EXPAND_SZ, data length 112 [0x70]
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
\ControlSet001\Services\SBSDWSCService> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\SCardSvr> Value <ImagePath> of type REG_EXPAND_SZ, data length 100 [0x64]
%SystemRoot%\system32\svchost.exe -k LocalService
\ControlSet001\Services\SCardSvr> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\Schedule> Value <ImagePath> of type REG_EXPAND_SZ, data length 90 [0x5a]
%SystemRoot%\System32\svchost.exe -k netsvcs
\ControlSet001\Services\Schedule> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\SCPolicySvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 90 [0x5a]
%SystemRoot%\system32\svchost.exe -k netsvcs
\ControlSet001\Services\SCPolicySvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\sdbus> Value <ImagePath> of type REG_EXPAND_SZ, data length 54 [0x36]
system32\DRIVERS\sdbus.sys
\ControlSet001\Services\sdbus> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\SDRSVC> Value <ImagePath> of type REG_EXPAND_SZ, data length 88 [0x58]
%SystemRoot%\system32\svchost.exe -k SDRSVC
\ControlSet001\Services\SDRSVC> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\secdrv> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\seclogon> Value <ImagePath> of type REG_EXPAND_SZ, data length 82 [0x52]
%windir%\system32\svchost.exe -k netsvcs
\ControlSet001\Services\seclogon> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\SENS> Value <ImagePath> of type REG_EXPAND_SZ, data length 90 [0x5a]
%SystemRoot%\system32\svchost.exe -k netsvcs
\ControlSet001\Services\SENS> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\Serenum> Value <ImagePath> of type REG_EXPAND_SZ, data length 82 [0x52]
\SystemRoot\system32\drivers\serenum.sys
\ControlSet001\Services\Serenum> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\Serial> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\serial.sys
\ControlSet001\Services\Serial> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\sermouse> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\sermouse.sys
\ControlSet001\Services\sermouse> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\SessionEnv> Value <ImagePath> of type REG_EXPAND_SZ, data length 90 [0x5a]
%SystemRoot%\System32\svchost.exe -k netsvcs
\ControlSet001\Services\SessionEnv> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\sffdisk> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\DRIVERS\sffdisk.sys
\ControlSet001\Services\sffdisk> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\sffp_mmc> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\sffp_mmc.sys
\ControlSet001\Services\sffp_mmc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\sffp_sd> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\DRIVERS\sffp_sd.sys
\ControlSet001\Services\sffp_sd> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\sfloppy> Value <ImagePath> of type REG_EXPAND_SZ, data length 82 [0x52]
\SystemRoot\system32\drivers\sfloppy.sys
\ControlSet001\Services\sfloppy> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\SharedAccess> Value <ImagePath> of type REG_EXPAND_SZ, data length 90 [0x5a]
%SystemRoot%\System32\svchost.exe -k netsvcs
\ControlSet001\Services\SharedAccess> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\ShellHWDetection> Value <ImagePath> of type REG_EXPAND_SZ, data length 90 [0x5a]
%SystemRoot%\System32\svchost.exe -k netsvcs
\ControlSet001\Services\ShellHWDetection> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\sisagp> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\sisagp.sys
\ControlSet001\Services\sisagp> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\SiSRaid2> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\sisraid2.sys
\ControlSet001\Services\SiSRaid2> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\SiSRaid4> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\sisraid4.sys
\ControlSet001\Services\SiSRaid4> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\slsvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 64 [0x40]
%SystemRoot%\system32\SLsvc.exe
\ControlSet001\Services\slsvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\SLUINotify> Value <ImagePath> of type REG_EXPAND_SZ, data length 100 [0x64]
%SystemRoot%\system32\svchost.exe -k LocalService
\ControlSet001\Services\SLUINotify> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\Smb> Value <ImagePath> of type REG_EXPAND_SZ, data length 50 [0x32]
system32\DRIVERS\smb.sys
\ControlSet001\Services\Smb> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\SNMPTRAP> Value <ImagePath> of type REG_EXPAND_SZ, data length 70 [0x46]
%SystemRoot%\System32\snmptrap.exe
\ControlSet001\Services\SNMPTRAP> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\spldr> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\Spooler> Value <ImagePath> of type REG_EXPAND_SZ, data length 68 [0x44]
%SystemRoot%\System32\spoolsv.exe
\ControlSet001\Services\Spooler> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

(...)\Services\sprtsvc_dellsupportcenter> Value <ImagePath> of type REG_EXPAND_SZ, data length 166 [0xa6]
C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter
(...)\Services\sprtsvc_dellsupportcenter> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\SQLBrowser> Value <ImagePath> of type REG_EXPAND_SZ, data length 130 [0x82]
"c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
\ControlSet001\Services\SQLBrowser> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\SQLWriter> Value <ImagePath> of type REG_EXPAND_SZ, data length 128 [0x80]
"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
\ControlSet001\Services\SQLWriter> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\srv> Value <ImagePath> of type REG_EXPAND_SZ, data length 50 [0x32]
System32\DRIVERS\srv.sys
\ControlSet001\Services\srv> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\srv2> Value <ImagePath> of type REG_EXPAND_SZ, data length 52 [0x34]
System32\DRIVERS\srv2.sys
\ControlSet001\Services\srv2> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\srvnet> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
System32\DRIVERS\srvnet.sys
\ControlSet001\Services\srvnet> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\SSDPSRV> Value <ImagePath> of type REG_EXPAND_SZ, data length 100 [0x64]
%SystemRoot%\system32\svchost.exe -k LocalService
\ControlSet001\Services\SSDPSRV> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\SstpSvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 100 [0x64]
%SystemRoot%\system32\svchost.exe -k LocalService
\ControlSet001\Services\SstpSvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\STacSV> Value <ImagePath> of type REG_EXPAND_SZ, data length 154 [0x9a]
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\STacSV.exe
\ControlSet001\Services\STacSV> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\STHDA> Value <ImagePath> of type REG_EXPAND_SZ, data length 54 [0x36]
system32\DRIVERS\stwrt.sys
\ControlSet001\Services\STHDA> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\stisvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 88 [0x58]
%SystemRoot%\system32\svchost.exe -k imgsvc
\ControlSet001\Services\stisvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\stllssvr> Value <ImagePath> of type REG_EXPAND_SZ, data length 124 [0x7c]
"C:\Program Files\Common Files\SureThing Shared\stllssvr.exe"
\ControlSet001\Services\stllssvr> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\swenum> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\DRIVERS\swenum.sys
\ControlSet001\Services\swenum> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\swprv> Value <ImagePath> of type REG_EXPAND_SZ, data length 86 [0x56]
%SystemRoot%\System32\svchost.exe -k swprv
\ControlSet001\Services\swprv> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\Symc8xx> Value <ImagePath> of type REG_EXPAND_SZ, data length 82 [0x52]
\SystemRoot\system32\drivers\symc8xx.sys
\ControlSet001\Services\Symc8xx> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\Sym_hi> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\sym_hi.sys
\ControlSet001\Services\Sym_hi> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\Sym_u3> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\sym_u3.sys
\ControlSet001\Services\Sym_u3> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\SysMain> Value <ImagePath> of type REG_EXPAND_SZ, data length 132 [0x84]
%systemroot%\system32\svchost.exe -k LocalSystemNetworkRestricted
\ControlSet001\Services\SysMain> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\TabletInputService> Value <ImagePath> of type REG_EXPAND_SZ, data length 132 [0x84]
%SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted
\ControlSet001\Services\TabletInputService> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\TapiSrv> Value <ImagePath> of type REG_EXPAND_SZ, data length 104 [0x68]
%SystemRoot%\System32\svchost.exe -k NetworkService
\ControlSet001\Services\TapiSrv> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\TBS> Value <ImagePath> of type REG_EXPAND_SZ, data length 100 [0x64]
%SystemRoot%\System32\svchost.exe -k LocalService
\ControlSet001\Services\TBS> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\Tcpip> Value <ImagePath> of type REG_EXPAND_SZ, data length 54 [0x36]
System32\drivers\tcpip.sys
\ControlSet001\Services\Tcpip> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\Tcpip6> Value <ImagePath> of type REG_EXPAND_SZ, data length 54 [0x36]
system32\DRIVERS\tcpip.sys
\ControlSet001\Services\Tcpip6> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\tcpipreg> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
System32\drivers\tcpipreg.sys
\ControlSet001\Services\tcpipreg> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\TDPIPE> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\drivers\tdpipe.sys
\ControlSet001\Services\TDPIPE> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\TDTCP> Value <ImagePath> of type REG_EXPAND_SZ, data length 54 [0x36]
system32\drivers\tdtcp.sys
\ControlSet001\Services\TDTCP> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\tdx> Value <ImagePath> of type REG_EXPAND_SZ, data length 50 [0x32]
system32\DRIVERS\tdx.sys
\ControlSet001\Services\tdx> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\TermDD> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\DRIVERS\termdd.sys
\ControlSet001\Services\TermDD> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\TermService> Value <ImagePath> of type REG_EXPAND_SZ, data length 104 [0x68]
%SystemRoot%\System32\svchost.exe -k NetworkService
\ControlSet001\Services\TermService> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\Themes> Value <ImagePath> of type REG_EXPAND_SZ, data length 90 [0x5a]
%SystemRoot%\System32\svchost.exe -k netsvcs
\ControlSet001\Services\Themes> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\THREADORDER> Value <ImagePath> of type REG_EXPAND_SZ, data length 100 [0x64]
%SystemRoot%\system32\svchost.exe -k LocalService
\ControlSet001\Services\THREADORDER> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\TrkWks> Value <ImagePath> of type REG_EXPAND_SZ, data length 132 [0x84]
%SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted
\ControlSet001\Services\TrkWks> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\TrustedInstaller> Value <ImagePath> of type REG_EXPAND_SZ, data length 88 [0x58]
%SystemRoot%\servicing\TrustedInstaller.exe
\ControlSet001\Services\TrustedInstaller> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\tssecsrv> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
System32\DRIVERS\tssecsrv.sys
\ControlSet001\Services\tssecsrv> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\tunmp> Value <ImagePath> of type REG_EXPAND_SZ, data length 54 [0x36]
system32\DRIVERS\tunmp.sys
\ControlSet001\Services\tunmp> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\tunnel> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\DRIVERS\tunnel.sys
\ControlSet001\Services\tunnel> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\uagp35> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\uagp35.sys
\ControlSet001\Services\uagp35> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\udfs> Value <ImagePath> of type REG_EXPAND_SZ, data length 52 [0x34]
system32\DRIVERS\udfs.sys
\ControlSet001\Services\udfs> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\UI0Detect> Value <ImagePath> of type REG_EXPAND_SZ, data length 72 [0x48]
%SystemRoot%\system32\UI0Detect.exe
\ControlSet001\Services\UI0Detect> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\uliagpkx> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\uliagpkx.sys
\ControlSet001\Services\uliagpkx> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\uliahci> Value <ImagePath> of type REG_EXPAND_SZ, data length 82 [0x52]
\SystemRoot\system32\drivers\uliahci.sys
\ControlSet001\Services\uliahci> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\UlSata> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\ulsata.sys
\ControlSet001\Services\UlSata> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\ulsata2> Value <ImagePath> of type REG_EXPAND_SZ, data length 82 [0x52]
\SystemRoot\system32\drivers\ulsata2.sys
\ControlSet001\Services\ulsata2> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\umbus> Value <ImagePath> of type REG_EXPAND_SZ, data length 54 [0x36]
system32\DRIVERS\umbus.sys
\ControlSet001\Services\umbus> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\upnphost> Value <ImagePath> of type REG_EXPAND_SZ, data length 100 [0x64]
%SystemRoot%\system32\svchost.exe -k LocalService
\ControlSet001\Services\upnphost> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\UPnPService> Value <ImagePath> of type REG_EXPAND_SZ, data length 142 [0x8e]
C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
\ControlSet001\Services\UPnPService> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\usbbus> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\DRIVERS\lgusbbus.sys
\ControlSet001\Services\usbbus> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\usbccgp> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\DRIVERS\usbccgp.sys
\ControlSet001\Services\usbccgp> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\usbcir> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\usbcir.sys
\ControlSet001\Services\usbcir> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\UsbDiag> Value <ImagePath> of type REG_EXPAND_SZ, data length 62 [0x3e]
system32\DRIVERS\lgusbdiag.sys
\ControlSet001\Services\UsbDiag> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\usbehci> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\DRIVERS\usbehci.sys
\ControlSet001\Services\usbehci> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\usbhub> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\DRIVERS\usbhub.sys
\ControlSet001\Services\usbhub> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\USBModem> Value <ImagePath> of type REG_EXPAND_SZ, data length 64 [0x40]
system32\DRIVERS\lgusbmodem.sys
\ControlSet001\Services\USBModem> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\usbohci> Value <ImagePath> of type REG_EXPAND_SZ, data length 82 [0x52]
\SystemRoot\system32\drivers\usbohci.sys
\ControlSet001\Services\usbohci> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\usbprint> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\DRIVERS\usbprint.sys
\ControlSet001\Services\usbprint> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\usbscan> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\DRIVERS\usbscan.sys
\ControlSet001\Services\usbscan> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\USBSTOR> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\DRIVERS\USBSTOR.SYS
\ControlSet001\Services\USBSTOR> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\usbuhci> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\DRIVERS\usbuhci.sys
\ControlSet001\Services\usbuhci> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\UxSms> Value <ImagePath> of type REG_EXPAND_SZ, data length 132 [0x84]
%SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted
\ControlSet001\Services\UxSms> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\vds> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
%SystemRoot%\System32\vds.exe
\ControlSet001\Services\vds> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\vga> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\DRIVERS\vgapnp.sys
\ControlSet001\Services\vga> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\VgaSave> Value <ImagePath> of type REG_EXPAND_SZ, data length 74 [0x4a]
\SystemRoot\System32\drivers\vga.sys
\ControlSet001\Services\VgaSave> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\viaagp> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\viaagp.sys
\ControlSet001\Services\viaagp> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\ViaC7> Value <ImagePath> of type REG_EXPAND_SZ, data length 78 [0x4e]
\SystemRoot\system32\drivers\viac7.sys
\ControlSet001\Services\ViaC7> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\viaide> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\viaide.sys
\ControlSet001\Services\viaide> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\volmgr> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\drivers\volmgr.sys
\ControlSet001\Services\volmgr> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\volmgrx> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
System32\drivers\volmgrx.sys
\ControlSet001\Services\volmgrx> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\volsnap> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\drivers\volsnap.sys
\ControlSet001\Services\volsnap> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\vsmraid> Value <ImagePath> of type REG_EXPAND_SZ, data length 82 [0x52]
\SystemRoot\system32\drivers\vsmraid.sys
\ControlSet001\Services\vsmraid> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\VSS> Value <ImagePath> of type REG_EXPAND_SZ, data length 64 [0x40]
%systemroot%\system32\vssvc.exe
\ControlSet001\Services\VSS> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\W32Time> Value <ImagePath> of type REG_EXPAND_SZ, data length 100 [0x64]
%SystemRoot%\system32\svchost.exe -k LocalService
\ControlSet001\Services\W32Time> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\WacomPen> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\wacompen.sys
\ControlSet001\Services\WacomPen> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\Wanarp> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\DRIVERS\wanarp.sys
\ControlSet001\Services\Wanarp> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\Wanarpv6> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\DRIVERS\wanarp.sys
\ControlSet001\Services\Wanarpv6> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\wcncsvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 100 [0x64]
%SystemRoot%\System32\svchost.exe -k LocalService
\ControlSet001\Services\wcncsvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\WcsPlugInService> Value <ImagePath> of type REG_EXPAND_SZ, data length 88 [0x58]
%SystemRoot%\system32\svchost.exe -k wcssvc
\ControlSet001\Services\WcsPlugInService> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\Wd> Value <ImagePath> of type REG_EXPAND_SZ, data length 72 [0x48]
\SystemRoot\system32\drivers\wd.sys
\ControlSet001\Services\Wd> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\Wdf01000> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\drivers\Wdf01000.sys
\ControlSet001\Services\Wdf01000> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\WdiServiceHost> Value <ImagePath> of type REG_EXPAND_SZ, data length 88 [0x58]
%SystemRoot%\System32\svchost.exe -k wdisvc
\ControlSet001\Services\WdiServiceHost> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\WdiSystemHost> Value <ImagePath> of type REG_EXPAND_SZ, data length 132 [0x84]
%SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted
\ControlSet001\Services\WdiSystemHost> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\WebClient> Value <ImagePath> of type REG_EXPAND_SZ, data length 100 [0x64]
%SystemRoot%\system32\svchost.exe -k LocalService
\ControlSet001\Services\WebClient> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\Wecsvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 104 [0x68]
%SystemRoot%\system32\svchost.exe -k NetworkService
\ControlSet001\Services\Wecsvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\wercplsupport> Value <ImagePath> of type REG_EXPAND_SZ, data length 90 [0x5a]
%SystemRoot%\System32\svchost.exe -k netsvcs
\ControlSet001\Services\wercplsupport> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\WerSvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 98 [0x62]
%SystemRoot%\System32\svchost.exe -k WerSvcGroup
\ControlSet001\Services\WerSvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\WinHttpAutoProxySvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 100 [0x64]
%SystemRoot%\system32\svchost.exe -k LocalService
\ControlSet001\Services\WinHttpAutoProxySvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\Winmgmt> Value <ImagePath> of type REG_EXPAND_SZ, data length 90 [0x5a]
%systemroot%\system32\svchost.exe -k netsvcs
\ControlSet001\Services\Winmgmt> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\WinRM> Value <ImagePath> of type REG_EXPAND_SZ, data length 104 [0x68]
%SystemRoot%\System32\svchost.exe -k NetworkService
\ControlSet001\Services\WinRM> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\Winsock> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\Wlansvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 132 [0x84]
%SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted
\ControlSet001\Services\Wlansvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\wltrysvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 140 [0x8c]
%SystemRoot%\System32\WLTRYSVC.EXE %SystemRoot%\System32\bcmwltry.exe
\ControlSet001\Services\wltrysvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\WmiAcpi> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\DRIVERS\wmiacpi.sys
\ControlSet001\Services\WmiAcpi> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\wmiApSrv> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
%systemroot%\system32\wbem\WmiApSrv.exe
\ControlSet001\Services\wmiApSrv> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\WMPNetworkSvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 102 [0x66]
"%ProgramFiles%\Windows Media Player\wmpnetwk.exe"
\ControlSet001\Services\WMPNetworkSvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\WPCSvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 134 [0x86]
%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted
\ControlSet001\Services\WPCSvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\WPDBusEnum> Value <ImagePath> of type REG_EXPAND_SZ, data length 132 [0x84]
%SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted
\ControlSet001\Services\WPDBusEnum> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\WpdUsb> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\DRIVERS\wpdusb.sys
\ControlSet001\Services\WpdUsb> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\WPFFontCache_v0400> Value <ImagePath> of type REG_EXPAND_SZ, data length 146 [0x92]
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
\ControlSet001\Services\WPFFontCache_v0400> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\ws2ifsl> Value <ImagePath> of type REG_EXPAND_SZ, data length 82 [0x52]
\SystemRoot\system32\drivers\ws2ifsl.sys
\ControlSet001\Services\ws2ifsl> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\wscsvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 134 [0x86]
%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
\ControlSet001\Services\wscsvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\WSearch> Value <ImagePath> of type REG_EXPAND_SZ, data length 102 [0x66]
%systemroot%\system32\SearchIndexer.exe /Embedding
\ControlSet001\Services\WSearch> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\wuauserv> Value <ImagePath> of type REG_EXPAND_SZ, data length 90 [0x5a]
%systemroot%\system32\svchost.exe -k netsvcs
\ControlSet001\Services\wuauserv> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\WUDFRd> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\DRIVERS\WUDFRd.sys
\ControlSet001\Services\WUDFRd> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\wudfsvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 132 [0x84]
%SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted
\ControlSet001\Services\wudfsvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

Hive </mnt/sda2/Windows/System32/config/SYSTEM>
>
<ControlSet001>
size type value name [value if type DWORD]
4 REG_DWORD <Current> 1 [0x1]
4 REG_DWORD <Default> 1 [0x1]
4 REG_DWORD <Failed> 0 [0x0]
4 REG_DWORD <LastKnownGood> 1 [0x1]


\ControlSet001\Services>
<ACPI>
<adp94xx>
<adpahci>
<adpu160m>
<adpu320>
<adsi>
<AFD>
<agp440>
<aic78xx>
<aliide>
<amdagp>
<amdide>
<AmdK7>
<AmdK8>
<arc>
<arcsas>
<atapi>
<BattC>
<BFE>
<bowser>
<BrFiltLo>
<BrFiltUp>
<Brserid>
<BrSerWdm>
<BrUsbMdm>
<BrUsbSer>
<BTHMODEM>
<cdfs>
<cdrom>
<CLFS>
<cmdide>
<Compbatt>
<Crusoe>
<CryptSvc>
<DCLocator>
<DcomLaunch>
<DfsC>
<Dhcp>
<disk>
<Dnscache>
<elxstor>
<Eventlog>
<fastfat>
<FBWF>
<fdc>
<flpydisk>
<FltMgr>
<Fs_Rec>
<fvevol>
<gagp30kx>
<gpsvc>
<HDAudBus>
<HidBth>
<HidIr>
<hidserv>
<HidUsb>
<HpCISSs>
<i2omp>
<i8042prt>
<iaStor>
<iaStorV>
<iirsp>
<IKEEXT>
<intelide>
<intelppm>
<IPMIDRV>
<isapnp>
<iScsiPrt>
<iteatapi>
<iteraid>
<kbdclass>
<kbdhid>
<KeyIso>
<KSecDD>
<LanmanWorkstation>
<ldap>
<lmhosts>
<Lsa>
<LSI_FC>
<LSI_SAS>
<LSI_SCSI>
<megasas>
<mouclass>
<mouhid>
<MountMgr>
<mpsdrv>
<MpsSvc>
<Mraid35x>
<mrxsmb>
<mrxsmb10>
<mrxsmb20>
<msahci>
<Msfs>
<msisadrv>
<MsRPC>
<mssmbios>
<Mup>
<napagent>
<NDIS>
<NDProxy>
<netbt>
<Netlogon>
<nfrd960>
<NlaSvc>
<Npfs>
<nsi>
<nsiproxy>
<NTDS>
<Ntfs>
<ntrigdigi>
<Null>
<nvraid>
<nvstor>
<nv_agp>
<ohci1394>
<Parport>
<partmgr>
<Parvdm>
<pci>
<pciide>
<pcmcia>
<PlugPlay>
<PolicyAgent>
<Processor>
<ProfSvc>
<ql2300>
<ql40xx>
<Ramdisk>
<RasAcd>
<RasAuto>
<RasMan>
<rdbss>
<rdpdr>
<RemoteAccess>
<RpcSs>
<sacdrv>
<sacsvr>
<SamSs>
<sbp2port>
<Serenum>
<Serial>
<sermouse>
<sfloppy>
<SharedAccess>
<sisagp>
<SiSRaid2>
<SiSRaid4>
<swenum>
<swprv>
<Symc8xx>
<Sym_hi>
<Sym_u3>
<TBS>
<tcpip>
<tdx>
<TermDD>
<TrustedInstaller>
<TSDDD>
<uagp35>
<udfs>
<uliagpkx>
<uliahci>
<UlSata>
<ulsata2>
<umbus>
<usb>
<usbccgp>
<usbehci>
<usbhub>
<usbohci>
<usbprint>
<USBSTOR>
<usbuhci>
<vds>
<VgaSave>
<viaagp>
<ViaC7>
<viaide>
<volmgr>
<volmgrx>
<volsnap>
<vsmraid>
<VSS>
<W32Time>
<W3SVC>
<WacomPen>
<wbengine>
<WcsPlugInService>
<Wd>
<Wdf01000>
<WimFsf>
<WinHttpAutoProxySvc>
<Winmgmt>
<WinSock2>
<WmiAcpi>
<WmiApRpl>
<wmiApSrv>
<ws2ifsl>


\ControlSet001\Services\ACPI> Value <ImagePath> of type REG_EXPAND_SZ, data length 52 [0x34]
system32\drivers\acpi.sys
\ControlSet001\Services\ACPI> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\adp94xx> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\drivers\adp94xx.sys
\ControlSet001\Services\adp94xx> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\adpahci> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\drivers\adpahci.sys
\ControlSet001\Services\adpahci> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\adpu160m> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\drivers\adpu160m.sys
\ControlSet001\Services\adpu160m> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\adpu320> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\drivers\adpu320.sys
\ControlSet001\Services\adpu320> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\AFD> Value <ImagePath> of type REG_EXPAND_SZ, data length 74 [0x4a]
\SystemRoot\system32\drivers\afd.sys
\ControlSet001\Services\AFD> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\agp440> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\agp440.sys
\ControlSet001\Services\agp440> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\aic78xx> Value <ImagePath> of type REG_EXPAND_SZ, data length 54 [0x36]
system32\drivers\djsvs.sys
\ControlSet001\Services\aic78xx> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\aliide> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\drivers\aliide.sys
\ControlSet001\Services\aliide> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\amdagp> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\amdagp.sys
\ControlSet001\Services\amdagp> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\amdide> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\drivers\amdide.sys
\ControlSet001\Services\amdide> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\AmdK7> Value <ImagePath> of type REG_EXPAND_SZ, data length 78 [0x4e]
\SystemRoot\system32\drivers\amdk7.sys
\ControlSet001\Services\AmdK7> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\AmdK8> Value <ImagePath> of type REG_EXPAND_SZ, data length 78 [0x4e]
\SystemRoot\system32\drivers\amdk8.sys
\ControlSet001\Services\AmdK8> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\arc> Value <ImagePath> of type REG_EXPAND_SZ, data length 50 [0x32]
system32\drivers\arc.sys
\ControlSet001\Services\arc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\arcsas> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\drivers\arcsas.sys
\ControlSet001\Services\arcsas> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\atapi> Value <ImagePath> of type REG_EXPAND_SZ, data length 54 [0x36]
system32\drivers\atapi.sys
\ControlSet001\Services\atapi> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\BFE> Value <ImagePath> of type REG_EXPAND_SZ, data length 118 [0x76]
%systemroot%\system32\svchost.exe -k LocalServiceNoNetwork
\ControlSet001\Services\BFE> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\bowser> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\DRIVERS\bowser.sys
\ControlSet001\Services\bowser> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\BrFiltLo> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\brfiltlo.sys
\ControlSet001\Services\BrFiltLo> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\BrFiltUp> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\brfiltup.sys
\ControlSet001\Services\BrFiltUp> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\Brserid> Value <ImagePath> of type REG_EXPAND_SZ, data length 82 [0x52]
\SystemRoot\system32\drivers\brserid.sys
\ControlSet001\Services\Brserid> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\BrSerWdm> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\brserwdm.sys
\ControlSet001\Services\BrSerWdm> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\BrUsbMdm> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\brusbmdm.sys
\ControlSet001\Services\BrUsbMdm> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\BrUsbSer> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\brusbser.sys
\ControlSet001\Services\BrUsbSer> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\BTHMODEM> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\bthmodem.sys
\ControlSet001\Services\BTHMODEM> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\cdfs> Value <ImagePath> of type REG_EXPAND_SZ, data length 52 [0x34]
system32\DRIVERS\cdfs.sys
\ControlSet001\Services\cdfs> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000004

\ControlSet001\Services\cdrom> Value <ImagePath> of type REG_EXPAND_SZ, data length 78 [0x4e]
\SystemRoot\system32\drivers\cdrom.sys
\ControlSet001\Services\cdrom> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\CLFS> Value <ImagePath> of type REG_EXPAND_SZ, data length 36 [0x24]
System32\CLFS.sys
\ControlSet001\Services\CLFS> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\cmdide> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\drivers\cmdide.sys
\ControlSet001\Services\cmdide> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\Compbatt> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\drivers\compbatt.sys
\ControlSet001\Services\Compbatt> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\Crusoe> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\crusoe.sys
\ControlSet001\Services\Crusoe> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\CryptSvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 104 [0x68]
%SystemRoot%\system32\svchost.exe -k NetworkService
\ControlSet001\Services\CryptSvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\DcomLaunch> Value <ImagePath> of type REG_EXPAND_SZ, data length 96 [0x60]
%SystemRoot%\system32\svchost.exe -k DcomLaunch
\ControlSet001\Services\DcomLaunch> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\DfsC> Value <ImagePath> of type REG_EXPAND_SZ, data length 52 [0x34]
System32\Drivers\dfsc.sys
\ControlSet001\Services\DfsC> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\Dhcp> Value <ImagePath> of type REG_EXPAND_SZ, data length 130 [0x82]
x:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
\ControlSet001\Services\Dhcp> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\disk> Value <ImagePath> of type REG_EXPAND_SZ, data length 52 [0x34]
system32\drivers\disk.sys
\ControlSet001\Services\disk> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\Dnscache> Value <ImagePath> of type REG_EXPAND_SZ, data length 104 [0x68]
%SystemRoot%\system32\svchost.exe -k NetworkService
\ControlSet001\Services\Dnscache> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\elxstor> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\drivers\elxstor.sys
\ControlSet001\Services\elxstor> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\fastfat> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\FBWF> Value <ImagePath> of type REG_EXPAND_SZ, data length 52 [0x34]
system32\DRIVERS\fbwf.sys
\ControlSet001\Services\FBWF> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\fdc> Value <ImagePath> of type REG_EXPAND_SZ, data length 74 [0x4a]
\SystemRoot\system32\drivers\fdc.sys
\ControlSet001\Services\fdc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\flpydisk> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\flpydisk.sys
\ControlSet001\Services\flpydisk> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\FltMgr> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\drivers\fltmgr.sys
\ControlSet001\Services\FltMgr> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\Fs_Rec> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\fvevol> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
System32\DRIVERS\fvevol.sys
\ControlSet001\Services\fvevol> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\gagp30kx> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\gagp30kx.sys
\ControlSet001\Services\gagp30kx> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\gpsvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 90 [0x5a]
%systemroot%\system32\svchost.exe -k netsvcs
\ControlSet001\Services\gpsvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\HDAudBus> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\hdaudbus.sys
\ControlSet001\Services\HDAudBus> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\HidBth> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\hidbth.sys
\ControlSet001\Services\HidBth> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\HidIr> Value <ImagePath> of type REG_EXPAND_SZ, data length 78 [0x4e]
\SystemRoot\system32\drivers\hidir.sys
\ControlSet001\Services\HidIr> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\hidserv> Value <ImagePath> of type REG_EXPAND_SZ, data length 132 [0x84]
%SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted
\ControlSet001\Services\hidserv> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\HidUsb> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\hidusb.sys
\ControlSet001\Services\HidUsb> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\HpCISSs> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\drivers\hpcisss.sys
\ControlSet001\Services\HpCISSs> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\i2omp> Value <ImagePath> of type REG_EXPAND_SZ, data length 54 [0x36]
system32\drivers\i2omp.sys
\ControlSet001\Services\i2omp> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\i8042prt> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\i8042prt.sys
\ControlSet001\Services\i8042prt> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\iaStor> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\drivers\iastor.sys
\ControlSet001\Services\iaStor> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\iaStorV> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\drivers\iastorv.sys
\ControlSet001\Services\iaStorV> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\iirsp> Value <ImagePath> of type REG_EXPAND_SZ, data length 54 [0x36]
system32\drivers\iirsp.sys
\ControlSet001\Services\iirsp> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\IKEEXT> Value <ImagePath> of type REG_EXPAND_SZ, data length 90 [0x5a]
%systemroot%\system32\svchost.exe -k netsvcs
\ControlSet001\Services\IKEEXT> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\intelide> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\drivers\intelide.sys
\ControlSet001\Services\intelide> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\intelppm> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\intelppm.sys
\ControlSet001\Services\intelppm> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\IPMIDRV> Value <ImagePath> of type REG_EXPAND_SZ, data length 82 [0x52]
\SystemRoot\system32\drivers\ipmidrv.sys
\ControlSet001\Services\IPMIDRV> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\isapnp> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\drivers\isapnp.sys
\ControlSet001\Services\isapnp> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\iScsiPrt> Value <ImagePath> of type REG_EXPAND_SZ, data length 82 [0x52]
\SystemRoot\system32\drivers\msiscsi.sys
\ControlSet001\Services\iScsiPrt> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\iteatapi> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\drivers\iteatapi.sys
\ControlSet001\Services\iteatapi> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\iteraid> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\drivers\iteraid.sys
\ControlSet001\Services\iteraid> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\kbdclass> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\kbdclass.sys
\ControlSet001\Services\kbdclass> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\kbdhid> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\kbdhid.sys
\ControlSet001\Services\kbdhid> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\KeyIso> Value <ImagePath> of type REG_EXPAND_SZ, data length 64 [0x40]
%SystemRoot%\system32\lsass.exe
\ControlSet001\Services\KeyIso> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\KSecDD> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
System32\Drivers\ksecdd.sys
\ControlSet001\Services\KSecDD> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\LanmanWorkstation> Value <ImagePath> of type REG_EXPAND_SZ, data length 100 [0x64]
%SystemRoot%\System32\svchost.exe -k LocalService
\ControlSet001\Services\LanmanWorkstation> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\lmhosts> Value <ImagePath> of type REG_EXPAND_SZ, data length 134 [0x86]
%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
\ControlSet001\Services\lmhosts> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\LSI_FC> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\drivers\lsi_fc.sys
\ControlSet001\Services\LSI_FC> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\LSI_SAS> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\drivers\lsi_sas.sys
\ControlSet001\Services\LSI_SAS> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\LSI_SCSI> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\drivers\lsi_scsi.sys
\ControlSet001\Services\LSI_SCSI> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\megasas> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\drivers\megasas.sys
\ControlSet001\Services\megasas> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\mouclass> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\mouclass.sys
\ControlSet001\Services\mouclass> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\mouhid> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\mouhid.sys
\ControlSet001\Services\mouhid> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\MountMgr> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
System32\drivers\mountmgr.sys
\ControlSet001\Services\MountMgr> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\mpsdrv> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
System32\drivers\mpsdrv.sys
\ControlSet001\Services\mpsdrv> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\MpsSvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 118 [0x76]
%SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork
\ControlSet001\Services\MpsSvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\Mraid35x> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\drivers\mraid35x.sys
\ControlSet001\Services\Mraid35x> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\mrxsmb> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\DRIVERS\mrxsmb.sys
\ControlSet001\Services\mrxsmb> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\mrxsmb10> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\DRIVERS\mrxsmb10.sys
\ControlSet001\Services\mrxsmb10> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\mrxsmb20> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\DRIVERS\mrxsmb20.sys
\ControlSet001\Services\mrxsmb20> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\msahci> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\drivers\msahci.sys
\ControlSet001\Services\msahci> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\Msfs> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\msisadrv> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\drivers\msisadrv.sys
\ControlSet001\Services\msisadrv> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\MsRPC> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\mssmbios> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\mssmbios.sys
\ControlSet001\Services\mssmbios> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\Mup> Value <ImagePath> of type REG_EXPAND_SZ, data length 50 [0x32]
System32\Drivers\mup.sys
\ControlSet001\Services\Mup> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\NDIS> Value <ImagePath> of type REG_EXPAND_SZ, data length 52 [0x34]
system32\drivers\ndis.sys
\ControlSet001\Services\NDIS> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\NDProxy> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\netbt> Value <ImagePath> of type REG_EXPAND_SZ, data length 54 [0x36]
System32\DRIVERS\netbt.sys
\ControlSet001\Services\netbt> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\Netlogon> Value <ImagePath> of type REG_EXPAND_SZ, data length 64 [0x40]
%systemroot%\system32\lsass.exe
\ControlSet001\Services\Netlogon> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\nfrd960> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\drivers\nfrd960.sys
\ControlSet001\Services\nfrd960> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\NlaSvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 104 [0x68]
%SystemRoot%\System32\svchost.exe -k NetworkService
\ControlSet001\Services\NlaSvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\Npfs> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\nsi> Value <ImagePath> of type REG_EXPAND_SZ, data length 100 [0x64]
%systemroot%\system32\svchost.exe -k LocalService
\ControlSet001\Services\nsi> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\nsiproxy> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\drivers\nsiproxy.sys
\ControlSet001\Services\nsiproxy> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\Ntfs> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\ntrigdigi> Value <ImagePath> of type REG_EXPAND_SZ, data length 86 [0x56]
\SystemRoot\system32\drivers\ntrigdigi.sys
\ControlSet001\Services\ntrigdigi> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\Null> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\nvraid> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\drivers\nvraid.sys
\ControlSet001\Services\nvraid> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\nvstor> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\drivers\nvstor.sys
\ControlSet001\Services\nvstor> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\nv_agp> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\nv_agp.sys
\ControlSet001\Services\nv_agp> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\ohci1394> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\ohci1394.sys
\ControlSet001\Services\ohci1394> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\Parport> Value <ImagePath> of type REG_EXPAND_SZ, data length 82 [0x52]
\SystemRoot\system32\drivers\parport.sys
\ControlSet001\Services\Parport> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\partmgr> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
System32\drivers\partmgr.sys
\ControlSet001\Services\partmgr> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\Parvdm> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\parvdm.sys
\ControlSet001\Services\Parvdm> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\pci> Value <ImagePath> of type REG_EXPAND_SZ, data length 50 [0x32]
system32\drivers\pci.sys
\ControlSet001\Services\pci> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\pciide> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\drivers\pciide.sys
\ControlSet001\Services\pciide> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\pcmcia> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\pcmcia.sys
\ControlSet001\Services\pcmcia> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\PlugPlay> Value <ImagePath> of type REG_EXPAND_SZ, data length 96 [0x60]
%SystemRoot%\system32\svchost.exe -k DcomLaunch
\ControlSet001\Services\PlugPlay> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\PolicyAgent> Value <ImagePath> of type REG_EXPAND_SZ, data length 138 [0x8a]
%SystemRoot%\system32\svchost.exe -k NetworkServiceNetworkRestricted
\ControlSet001\Services\PolicyAgent> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\Processor> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\processr.sys
\ControlSet001\Services\Processor> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\ProfSvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 90 [0x5a]
%systemroot%\system32\svchost.exe -k netsvcs
\ControlSet001\Services\ProfSvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\ql2300> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\drivers\ql2300.sys
\ControlSet001\Services\ql2300> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\ql40xx> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\drivers\ql40xx.sys
\ControlSet001\Services\ql40xx> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\Ramdisk> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\DRIVERS\ramdisk.sys
\ControlSet001\Services\Ramdisk> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\RasAcd> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
System32\DRIVERS\rasacd.sys
\ControlSet001\Services\RasAcd> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\RasAuto> Value <ImagePath> of type REG_EXPAND_SZ, data length 90 [0x5a]
%SystemRoot%\System32\svchost.exe -k netsvcs
\ControlSet001\Services\RasAuto> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\RasMan> Value <ImagePath> of type REG_EXPAND_SZ, data length 90 [0x5a]
%SystemRoot%\System32\svchost.exe -k netsvcs
\ControlSet001\Services\RasMan> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\rdbss> Value <ImagePath> of type REG_EXPAND_SZ, data length 54 [0x36]
system32\DRIVERS\rdbss.sys
\ControlSet001\Services\rdbss> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\rdpdr> Value <ImagePath> of type REG_EXPAND_SZ, data length 78 [0x4e]
\SystemRoot\system32\drivers\rdpdr.sys
\ControlSet001\Services\rdpdr> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\RpcSs> Value <ImagePath> of type REG_EXPAND_SZ, data length 86 [0x56]
%SystemRoot%\system32\svchost.exe -k rpcss
\ControlSet001\Services\RpcSs> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\sacdrv> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\DRIVERS\sacdrv.sys
\ControlSet001\Services\sacdrv> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\sacsvr> Value <ImagePath> of type REG_EXPAND_SZ, data length 90 [0x5a]
%SystemRoot%\System32\svchost.exe -k netsvcs
\ControlSet001\Services\sacsvr> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\SamSs> Value <ImagePath> of type REG_EXPAND_SZ, data length 64 [0x40]
%SystemRoot%\system32\lsass.exe
\ControlSet001\Services\SamSs> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\sbp2port> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\drivers\sbp2port.sys
\ControlSet001\Services\sbp2port> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\Serenum> Value <ImagePath> of type REG_EXPAND_SZ, data length 82 [0x52]
\SystemRoot\system32\drivers\serenum.sys
\ControlSet001\Services\Serenum> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\Serial> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\serial.sys
\ControlSet001\Services\Serial> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\sermouse> Value <ImagePath> of type REG_EXPAND_SZ, data length 84 [0x54]
\SystemRoot\system32\drivers\sermouse.sys
\ControlSet001\Services\sermouse> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\sfloppy> Value <ImagePath> of type REG_EXPAND_SZ, data length 82 [0x52]
\SystemRoot\system32\drivers\sfloppy.sys
\ControlSet001\Services\sfloppy> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\sisagp> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\sisagp.sys
\ControlSet001\Services\sisagp> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\SiSRaid2> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\drivers\sisraid2.sys
\ControlSet001\Services\SiSRaid2> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\SiSRaid4> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\drivers\sisraid4.sys
\ControlSet001\Services\SiSRaid4> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\swenum> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\swenum.sys
\ControlSet001\Services\swenum> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\swprv> Value <ImagePath> of type REG_EXPAND_SZ, data length 86 [0x56]
%SystemRoot%\System32\svchost.exe -k swprv
\ControlSet001\Services\swprv> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\Symc8xx> Value <ImagePath> of type REG_EXPAND_SZ, data length 58 [0x3a]
system32\drivers\symc8xx.sys
\ControlSet001\Services\Symc8xx> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\Sym_hi> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\drivers\sym_hi.sys
\ControlSet001\Services\Sym_hi> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\Sym_u3> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\drivers\sym_u3.sys
\ControlSet001\Services\Sym_u3> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\TBS> Value <ImagePath> of type REG_EXPAND_SZ, data length 100 [0x64]
%SystemRoot%\System32\svchost.exe -k LocalService
\ControlSet001\Services\TBS> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\tcpip> Value <ImagePath> of type REG_EXPAND_SZ, data length 54 [0x36]
System32\drivers\tcpip.sys
\ControlSet001\Services\tcpip> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\tdx> Value <ImagePath> of type REG_EXPAND_SZ, data length 76 [0x4c]
%SystemRoot%\System32\drivers\tdx.sys
\ControlSet001\Services\tdx> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\TermDD> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\termdd.sys
\ControlSet001\Services\TermDD> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000001

\ControlSet001\Services\TrustedInstaller> Value <ImagePath> of type REG_EXPAND_SZ, data length 88 [0x58]
%SystemRoot%\servicing\TrustedInstaller.exe
\ControlSet001\Services\TrustedInstaller> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002

\ControlSet001\Services\uagp35> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\system32\drivers\uagp35.sys

The post was too long & wouldn't post so I am putting the REPORT file in another post after this one.
Minidump zip attached. Thanks!

Edited by iamerror, 27 May 2011 - 07:16 PM.

"Thou art dead." Poetic injustice.

#13 iamerror


Posted 27 May 2011 - 07:13 PM

REPORT

Fri May 27 19:38:24 UTC 2011
Driver report for /mnt/sda3/Windows/System32/drivers


Edited by JSntgRvr, 27 May 2011 - 09:24 PM.


#14 JSntgRvr


Posted 27 May 2011 - 10:34 PM

I have checked the above reports and have noticed that certain drivers, although shown to be loaded at startup throughout the registry, are missing in the drivers' folder. Let's search for them.

Delete the filefind.txt in the USB drive.

Boot to xPUD

  • Press File
  • Expand mnt
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    ramdisk.sys

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    fbwf.sys

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    fvevol.sys

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    sacdrv.sys

  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt

Post the new filefind.txt in your next reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
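The cross-check described in post #14 (services set to load at startup whose driver file is absent from the drivers folder), as an added example that is not part of the original thread and is not the code of driver.sh. It parses the registry listing and driver report layouts posted in this thread; the service names, hashes and vendor in the sample input are constructed.

```python
import re

# Value header line, as laid out in the registry listing posted in this thread.
VALUE_RE = re.compile(
    r"^\\ControlSet\d+\\Services\\(?P<svc>[^>]+)> Value <(?P<name>\w+)> of type")
# "<md5> <file name>" line of the driver report; vendor lines do not match.
REPORT_RE = re.compile(r"^[0-9a-f]{32}\s+(?P<file>\S+)$", re.IGNORECASE)

# Documented meanings of the Services\<name>\Start DWORD.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
LOADED_AT_STARTUP = {0, 1, 2}


def parse_services(dump):
    """Return {service: {"ImagePath": str, "Start": int}} from the listing."""
    services, pending = {}, None
    for line in dump.splitlines():
        line = line.strip()
        m = VALUE_RE.match(line)
        if m:
            pending = (m.group("svc"), m.group("name"))
            continue
        if pending and line:  # first non-empty line after a header is its data
            svc, name = pending
            entry = services.setdefault(svc, {})
            if name == "Start":
                try:
                    entry["Start"] = int(line, 16)
                except ValueError:
                    pass  # malformed DWORD: leave Start unset
            elif name == "ImagePath":
                entry["ImagePath"] = line
            pending = None
    return services


def driver_file(image_path):
    """Lower-cased file name if the path is under system32\\drivers, else None."""
    p = image_path.strip().strip('"').lower()
    for prefix in ("\\systemroot\\", "%systemroot%\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    if not p.startswith("system32\\drivers\\"):
        return None  # service executables and other path forms are skipped
    tail = p.rsplit("\\", 1)[1].split()
    return tail[0] if tail else None


def parse_report(report):
    """Set of lower-cased file names listed in the driver report."""
    lines = (ln.strip() for ln in report.splitlines())
    return {m.group("file").lower() for m in map(REPORT_RE.match, lines) if m}


def missing_startup_drivers(dump, report):
    """(service, start type, file) for startup drivers absent from the report."""
    present = parse_report(report)
    findings = []
    for svc, entry in sorted(parse_services(dump).items()):
        start, path = entry.get("Start"), entry.get("ImagePath")
        if start not in LOADED_AT_STARTUP or path is None:
            continue  # demand/disabled, or no ImagePath recorded
        fname = driver_file(path)
        if fname and fname not in present:
            findings.append((svc, START_TYPES[start], fname))
    return findings


# Constructed sample input (not taken from the poster's machine).
SAMPLE_DUMP = r"""
\ControlSet001\Services\exboot> Value <ImagePath> of type REG_EXPAND_SZ, data length 56 [0x38]
system32\drivers\exboot.sys
\ControlSet001\Services\exboot> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\ExGone> Value <ImagePath> of type REG_EXPAND_SZ, data length 80 [0x50]
\SystemRoot\System32\DRIVERS\exgone.sys
\ControlSet001\Services\ExGone> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000000

\ControlSet001\Services\exdemand> Value <ImagePath> of type REG_EXPAND_SZ, data length 60 [0x3c]
system32\drivers\exdemand.sys
\ControlSet001\Services\exdemand> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000003

\ControlSet001\Services\exsvc> Value <ImagePath> of type REG_EXPAND_SZ, data length 100 [0x64]
%SystemRoot%\system32\svchost.exe -k LocalService
\ControlSet001\Services\exsvc> Value <Start> of type REG_DWORD, data length 4 [0x4]
0x00000002
"""
SAMPLE_REPORT = """
00000000000000000000000000000001 EXBOOT.SYS
Example Vendor
"""

if __name__ == "__main__":
    for svc, start, fname in missing_startup_drivers(SAMPLE_DUMP, SAMPLE_REPORT):
        print(f"{svc}: {start}-start driver {fname} not found in drivers folder")
```

File names are compared case-insensitively because the two reports do not agree on case for the same driver.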