
FBI Moneypak... Cannot resolve by myself. PLEASE HELP! :/



It is 1 am EST and I started this project for a friend at 3:30 pm. I have been working at it almost nonstop and I am at my wits' end. I do malware removal as a side business and this one has me stumped. I usually get all the infections myself using the regular tools. My mind is numb and I need help.

 

Windows XP

Let me first state what is going on and what I have done:

 

Safe mode: ALL options go to a blue screen.

I have tried several copies of the Kaspersky Rescue Disk; they won't load on this laptop.

Tried HitmanPro.Kickstart. Tried to get it to run; it would not. This is a business laptop; I have to press Ctrl+Alt+Del to get to the login box, if that matters.

Finally got it to run by hitting Ctrl+Shift+Esc while the screen was locked. It went back to the desktop long enough for me to open the flash drive and double-click Kickstart; the screen lock popped up and then Kickstart came up and was able to run WITH the lock running. It did not recognize any threats.

 

Restarted and hit Ctrl+Shift+Esc about two hours later, after trying the same things over and over again, and the lock didn't run! So I ran MBAM... 75% through, after about an hour and a half, the screen lock pops up and I can't finish the scan. I will be up watching this for a reply; I have to have this done by 9 am, so hopefully people are still awake and helpful. :) I am having trouble recalling everything I did, but I can run any programs and provide logs whenever needed.

Thanks a ton in advance and I hope you guys/gals can help.

 

Here is the FRST log if needed:

FRST.txt


Hi there,
My name is Marius and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction, or add/remove software, unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 
 
Well, there is the ZeroAccess rootkit on the box. That isn't easy to see and less easy to kill.
 
 
Fix with FRST
  • Open Notepad (Start => All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt.

    HKLM\...\Run: []  [x]
    HKLM\...\Winlogon: [Shell] Explorer.exe, "C:\Documents and Settings\sdemilio\Local Settings\Application Data\KB9865930\KB9865930.exe" [x ] ()
    Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)
    HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\RECYCLER\S-1-5-18\$f1cc9c6bef780aa6a0240b5ae202cd8a\n. ATTENTION! ====> ZeroAccess
    C:\Documents and Settings\sdemilio\Local Settings\Application Data\KB9865930
    C:\RECYCLER\S-1-5-18\$f1cc9c6bef780aa6a0240b5ae202cd8a
    search: User32.dll

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Now please enter System Recovery Options again.

  • Run FRST.exe (on 64-bit, run FRST64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.


Thanks a ton for the reply so soon. I appreciate it a lot. Here is the fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 19-06-2013
Ran by SYSTEM at 2013-06-19 06:03:31 Run:3
Running from D:\
Boot Mode: Recovery
==============================================
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value was restored successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon => Key deleted successfully.
HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
C:\Documents and Settings\sdemilio\Local Settings\Application Data\KB9865930 => Moved successfully.
C:\RECYCLER\S-1-5-18\$f1cc9c6bef780aa6a0240b5ae202cd8a => File/Directory not found.
==== End of Fixlog ====

Start up Windows now.

 

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.


Yep. Still getting the lock screen. Here is the new FRST log:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 19-06-2013
Ran by SYSTEM on 19-06-2013 07:25:29
Running from D:\
Microsoft Windows XP (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Mouse Suite 98 Daemon] ICO.EXE [x]
HKLM\...\Run: [LenovoFSC] C:\Program Files\Lenovo\FanSpeedControl\LenovoFSC.exe [40960 2008-09-26] ()
HKLM\...\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor [818240 2012-02-28] (Lenovo Group Limited)
HKLM\...\Run: [PWRAGD] C:\PROGRA~1\ThinkPad\UTILIT~1\DPMHost.exe [72256 2009-04-03] ()
HKLM\...\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe [487424 2008-11-24] (Lenovo Group Limited)
HKLM\...\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup [103768 2009-09-13] (Citrix Systems, Inc.)
HKLM\...\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow [746792 2009-04-16] (Trend Micro Inc.)
HKLM\...\Run: [RTHDCPL] RTHDCPL.EXE [x]
HKLM\...\Run: [Alcmtr] ALCMTR.EXE [x]
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2270504 2011-05-19] (Synaptics Incorporated)
HKLM\...\Run: [RotateImage] C:\Program Files\Integrated Camera Driver\RCIMGDIR.exe [31744 2008-10-30] (Ricoh co.,Ltd.)
HKLM\...\Run: [TpShocks] TpShocks.exe [x]
HKLM\...\Run: [IMSS] "C:\Program Files\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [111640 2010-03-25] ()
HKLM\...\Run: [LenovoAutoScrollUtility] C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe [101440 2011-10-20] (Lenovo Group Limited)
HKLM\...\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe" [401408 2009-12-01] (Intel Corporation)
HKLM\...\Run: [SAP_WUS_UNT] "C:\Program Files\SAP\SAPsetup\setup\Updater\NwSapSetupUserNotificationTool.exe" [226672 2010-11-26] (SAP AG)
HKLM\...\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe" [6928 1999-10-12] (IBM Corporation)
HKLM\...\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe" [15632 1999-10-12] (IBM Corporation)
HKLM\...\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN [47888 1999-10-12] (IBM Corporation)
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [316032 2010-12-14] (Conexant systems, Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKU\Administrator\...\Run: [Akamai NetSession Interface] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Akamai\netsession_win.exe" [x]
HKU\Administrator\...\Run: [Spark] C:\Program Files\Spark\Spark.exe [x]
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ImageTray.lnk
ShortcutTarget: ImageTray.lnk -> C:\WINDOWS\Installer\{93A2E63B-3B57-4B81-8362-BF07C0BFD00E}\NewShortcut13_7A980C5EC2914FFB94675638C5EF4554.exe (Macrovision Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Print Screen Deluxe.lnk
ShortcutTarget: Print Screen Deluxe.lnk -> \\Ny-wb-2536\c$\Program Files\American Systems\Print Screen Deluxe\prntscrn.exe (No File)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
ShortcutTarget: VPN Client.lnk -> C:\WINDOWS\Installer\{176130BC-99A1-41FE-A78B-56045E33AD70}\Icon3E5562ED7.ico ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
ShortcutTarget: Windows Search.lnk -> C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
Startup: C:\Documents and Settings\sdemilio\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> B:\Documents and Settings\Default User\Application Data\Dropbox\bin\Dropbox.exe (No File)
BootExecute: autocheck autochk * sprestrt

========================== Services (Whitelisted) =================

S2 Akamai; c:\program files\common files\akamai/netsession_win_ca0e279.dll [4561152 2013-03-25] (Akamai Technologies, Inc.)
S2 atchksrv; C:\Program Files\Intel\AMT\atchksrv.exe [176128 2009-12-01] (Intel Corporation)
S2 CVPND; C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe [1504304 2006-11-10] (Cisco Systems, Inc.)
S3 Cwbrxd; C:\WINDOWS\CWBRXD.EXE [51472 1999-10-12] (IBM Corporation)
S2 ImageNow Automatic Update 6.2; C:\Program Files\ImageNow6\bin\inausvc.exe [3870720 2008-10-15] (Perceptive Software, Inc.)
S2 LENOVO.CAMMUTE; C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe [50536 2010-04-20] (Lenovo Group Limited)
S2 Lenovo.micmute; C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe [101736 2011-07-12] (Lenovo Group Limited)
S2 LMS; C:\Program Files\Intel\AMT\LMS.exe [102400 2009-12-01] (Intel)
S2 ntrtscan; C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe [1332520 2009-04-15] (Trend Micro Inc.)
S2 NWSAPAutoWorkstationUpdateSvc; C:\Program Files\SAP\SAPsetup\setup\Updater\NwSapAutoWorkstationUpdateService.exe [263536 2010-11-26] (SAP AG)
S2 Power Manager DBC Service; C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE [69632 2012-02-28] ()
S2 PwmEWSvc; C:\Program Files\ThinkPad\Utilities\PWMEWSVC.EXE [244800 2012-02-28] (Lenovo Group Limited)
S2 SAService; C:\Windows\system32\SAsrv.exe [446592 2010-11-18] (Conexant Systems, Inc.)
S2 SUService; c:\program files\lenovo\system update\suservice.exe [28672 2011-07-25] (Lenovo Group Limited)
S3 TMBMServer; C:\Program Files\Trend Micro\OfficeScan Client\..\BM\TMBMSRV.exe [341256 2009-03-12] (Trend Micro Inc.)
S2 tmlisten; C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe [1246848 2009-04-21] (Trend Micro Inc.)
S3 TmProxy; C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe [652552 2009-02-23] (Trend Micro Inc.)
S2 TPHKLOAD; C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe [131432 2011-07-12] (Lenovo Group Limited)
S2 TVT Scheduler; C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe [1155072 2008-11-24] (Lenovo Group Limited)
S2 UNS; C:\Program Files\Intel\AMT\UNS.exe [2519040 2009-12-01] (Intel)
S2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]
S2 SessionLauncher; C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [x]

==================== Drivers (Whitelisted) ====================

S2 AegisP; C:\Windows\System32\DRIVERS\AegisP.sys [21361 2010-09-02] (Cisco Systems, Inc.)
S3 BTKRNL; C:\Windows\System32\DRIVERS\btkrnl.sys [933416 2011-04-05] (Broadcom Corporation.)
S3 BTWUSB; C:\Windows\System32\Drivers\btwusb.sys [51752 2011-04-05] (Broadcom Corporation.)
S3 CCDECODE; C:\Windows\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation)
S3 cpudrv; C:\Program Files\SystemRequirementsLab\cpudrv.sys [11336 2009-12-18] ()
S3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA.sys [5315 2005-05-17] (Cisco Systems, Inc.)
S2 CVPNDRVA; C:\WINDOWS\system32\Drivers\CVPNDRVA.sys [305788 2006-11-10] (Cisco Systems, Inc.)
S3 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [126864 2006-10-02] (Deterministic Networks, Inc.)
S3 e1cexpress; C:\Windows\System32\DRIVERS\e1c5132.sys [203944 2012-01-11] (Intel Corporation)
S3 e1kexpress; C:\Windows\System32\DRIVERS\e1k5132.sys [167080 2009-12-10] (Intel Corporation)
S3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-13] (Windows (R) Server 2003 DDK provider)
S3 HSFHWAZL; C:\Windows\System32\DRIVERS\HSFHWAZL.sys [210304 2009-06-30] (Conexant Systems, Inc.)
S3 HSF_DPV; C:\Windows\System32\DRIVERS\HSF_DPV.sys [986240 2009-06-30] (Conexant Systems, Inc.)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\mbamswissarmy.sys [40776 2013-06-18] (Malwarebytes Corporation)
S3 NABTSFEC; C:\Windows\System32\DRIVERS\NABTSFEC.sys [85248 2008-04-14] (Microsoft Corporation)
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)
S3 NETwNx32; C:\Windows\System32\DRIVERS\NETwNx32.sys [7473152 2011-08-03] (Intel Corporation)
S3 pelmouse; C:\Windows\System32\DRIVERS\pelmouse.sys [16768 2006-09-14] (Primax Electronics Ltd.)
S3 pelusblf; C:\Windows\System32\DRIVERS\pelusblf.sys [14592 2006-10-14] (Primax Electronics Ltd.)
S2 pmem; C:\WINDOWS\System32\drivers\pmemnt.sys [7012 2010-03-04] (Microsoft Corporation)
S3 pmxdrv; C:\WINDOWS\system32\drivers\pmxdrv.sys [816792 2011-08-31] ()
S2 risdxc; C:\Windows\System32\DRIVERS\risdxc86.sys [76288 2011-05-25] (REDC)
S3 SLIP; C:\Windows\System32\DRIVERS\SLIP.sys [11136 2008-04-14] (Microsoft Corporation)
S0 stmtpm; C:\Windows\System32\DRIVERS\stm_tpm.sys [21504 2007-06-08] (STMicroelectronics, INC)
S3 streamip; C:\Windows\System32\DRIVERS\StreamIP.sys [15232 2008-04-14] (Microsoft Corporation)
S3 SuperIO; C:\Windows\System32\DRIVERS\spio.sys [5760 2008-03-06] ()
S2 tmactmon; C:\WINDOWS\system32\drivers\tmactmon.sys [59472 2010-07-19] (Trend Micro Inc.)
S2 tmcomm; C:\WINDOWS\system32\drivers\tmcomm.sys [163408 2010-07-19] (Trend Micro Inc.)
S2 tmevtmgr; C:\WINDOWS\system32\drivers\tmevtmgr.sys [51792 2010-07-19] (Trend Micro Inc.)
S2 TmFilter; C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys [262416 2011-07-12] (Trend Micro Inc.)
S2 TmPreFilter; C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys [36624 2011-07-12] (Trend Micro Inc.)
S1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [78352 2009-02-23] (Trend Micro Inc.)
S1 TPHKDRV; C:\Windows\System32\DRIVERS\TPHKDRV.sys [17844 2008-05-12] (Lenovo Group Limited)
S1 TPPWRIF; C:\Windows\System32\drivers\Tppwrif.sys [12144 2012-02-28] (Lenovo Group Limited)
S2 VSApiNt; C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys [1405720 2011-07-12] (Trend Micro Inc.)
S3 WSTCODEC; C:\Windows\System32\DRIVERS\WSTCODEC.SYS [19200 2008-04-14] (Microsoft Corporation)
S3 yukonwxp; C:\Windows\System32\DRIVERS\yk51x86.sys [289024 2008-06-27] (Marvell)
S4 Abiosdsk; No ImagePath
S4 Atdisk; No ImagePath
S1 Changer; No ImagePath
S1 lbrtfdc; No ImagePath
S1 PCIDump; No ImagePath
S3 PDCOMP; No ImagePath
S3 PDFRAME; No ImagePath
S3 PDRELI; No ImagePath
S3 PDRFRAME; No ImagePath
S4 Simbad; No ImagePath
S3 WDICA; No ImagePath
S1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-06-19 03:29 - 2013-06-19 03:29 - 00020480 ____A C:\Uninstall.dat
2013-06-19 03:29 - 2013-06-19 03:29 - 00002576 ____A C:\Uninstall.dat-journal
2013-06-19 03:28 - 2013-06-19 03:28 - 00000000 ____D C:\Plugins
2013-06-19 03:28 - 2013-06-19 03:28 - 00000000 ____D C:\Language
2013-06-19 00:47 - 2013-06-19 00:47 - 00002205 ____A C:\Documents and Settings\NetworkService\Local Settings\Application Data\OfflineVaultPH.log
2013-06-18 23:46 - 2013-06-18 23:46 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2013-06-18 22:41 - 2013-06-18 23:25 - 00000000 ____D C:\FRST
2013-06-18 17:36 - 2013-06-18 17:37 - 00004177 ____A C:\Windows\KB2839229.log
2013-06-18 17:35 - 2013-06-18 17:35 - 00004334 ____A C:\Windows\KB2829361.log
2013-06-18 17:29 - 2013-06-18 17:41 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro
2013-05-23 16:28 - 2013-05-23 16:28 - 00312560 ____A (SUPERAdBlocker.com and SUPERAntiSpyware.com) C:\RUNSAS.EXE
2013-05-23 16:21 - 2013-05-23 16:21 - 00048880 ____A (SUPERAdBlocker.com) C:\SASTask.exe
2013-05-23 16:11 - 2013-05-23 16:11 - 00119056 ____A (SUPERAntiSpyware.com) C:\SASCore.exe
2013-05-23 16:05 - 2013-05-23 16:05 - 00388368 ____A (SUPERAntiSpyware.com) C:\SSUpdate.exe
2013-05-23 15:59 - 2013-05-23 15:59 - 00144144 ____A (SUPERAntiSpyware.com) C:\SASCTXMN.DLL

==================== One Month Modified Files and Folders ========

2013-06-19 06:14 - 2008-07-21 18:01 - 01834976 ____A C:\Windows\WindowsUpdate.log
2013-06-19 06:13 - 2012-06-22 08:44 - 00000062 __ASH C:\Documents and Settings\sdemilio\Local Settings\desktop.ini
2013-06-19 06:13 - 2011-08-31 13:16 - 00000000 ____D C:\Program Files\Common Files\Akamai
2013-06-19 06:13 - 2010-03-04 17:25 - 00000000 __SHD C:\Windows\CSC
2013-06-19 06:13 - 2008-07-21 18:05 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2013-06-19 06:13 - 2008-07-21 18:05 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2013-06-19 06:13 - 2008-07-21 18:05 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-19 06:13 - 2008-07-21 10:58 - 00000159 ____A C:\Windows\wiadebug.log
2013-06-19 06:13 - 2008-07-21 10:58 - 00000049 ____A C:\Windows\wiaservc.log
2013-06-19 03:29 - 2013-06-19 03:29 - 00020480 ____A C:\Uninstall.dat
2013-06-19 03:29 - 2013-06-19 03:29 - 00002576 ____A C:\Uninstall.dat-journal
2013-06-19 03:28 - 2013-06-19 03:28 - 00000000 ____D C:\Plugins
2013-06-19 03:28 - 2013-06-19 03:28 - 00000000 ____D C:\Language
2013-06-19 02:11 - 2010-03-04 16:40 - 00000302 ____A C:\Windows\Tasks\PMTask.job
2013-06-19 02:08 - 2008-07-21 18:50 - 00002300 ____A C:\Windows\System32\wpa.dbl
2013-06-19 00:47 - 2013-06-19 00:47 - 00002205 ____A C:\Documents and Settings\NetworkService\Local Settings\Application Data\OfflineVaultPH.log
2013-06-19 00:45 - 2011-03-08 11:31 - 02326484 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data\OfflineVaultPH.log
2013-06-19 00:33 - 2012-12-04 17:19 - 00000366 ___AH C:\Windows\Tasks\MpIdleTask.job
2013-06-18 23:56 - 2012-12-13 10:40 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-18 23:47 - 2012-07-12 16:13 - 00000000 ___RD C:\Documents and Settings\sdemilio\My Documents\Dropbox
2013-06-18 23:47 - 2012-07-12 16:10 - 00000000 ____D C:\Documents and Settings\sdemilio\Application Data\Dropbox
2013-06-18 23:46 - 2013-06-18 23:46 - 00040776 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2013-06-18 23:46 - 2012-02-21 16:06 - 00000791 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-06-18 23:46 - 2012-02-21 16:06 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-06-18 23:25 - 2013-06-18 22:41 - 00000000 ____D C:\FRST
2013-06-18 20:41 - 2012-06-22 08:55 - 05243135 ____A C:\Documents and Settings\sdemilio\Local Settings\Application Data\OfflineVaultPH.log
2013-06-18 20:30 - 2008-07-21 18:05 - 00032622 ____A C:\Windows\SchedLgU.Txt
2013-06-18 19:34 - 2013-01-10 11:10 - 00770664 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2013-06-18 19:34 - 2012-06-22 08:44 - 00000178 ___SH C:\Documents and Settings\sdemilio\ntuser.ini
2013-06-18 19:31 - 2012-07-12 16:13 - 00001034 ____A C:\Documents and Settings\sdemilio\Desktop\Dropbox.lnk
2013-06-18 19:11 - 2011-08-26 01:49 - 00001324 ____A C:\Windows\System32\d3d9caps.dat
2013-06-18 18:24 - 2008-07-21 10:55 - 00720500 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-18 17:41 - 2013-06-18 17:29 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\HitmanPro
2013-06-18 17:37 - 2013-06-18 17:36 - 00004177 ____A C:\Windows\KB2839229.log
2013-06-18 17:35 - 2013-06-18 17:35 - 00004334 ____A C:\Windows\KB2829361.log
2013-06-18 17:25 - 2011-08-25 18:52 - 00587878 ____A C:\Windows\setupapi.log
2013-05-23 16:28 - 2013-05-23 16:28 - 00312560 ____A (SUPERAdBlocker.com and SUPERAntiSpyware.com) C:\RUNSAS.EXE
2013-05-23 16:21 - 2013-05-23 16:21 - 00048880 ____A (SUPERAdBlocker.com) C:\SASTask.exe
2013-05-23 16:11 - 2013-05-23 16:11 - 00119056 ____A (SUPERAntiSpyware.com) C:\SASCore.exe
2013-05-23 16:05 - 2013-05-23 16:05 - 00388368 ____A (SUPERAntiSpyware.com) C:\SSUpdate.exe
2013-05-23 15:59 - 2013-05-23 15:59 - 00144144 ____A (SUPERAntiSpyware.com) C:\SASCTXMN.DLL

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2008-04-14 05:42] - [2012-10-03 00:58] - 0614912 ____A (Microsoft Corporation) eb0513f4f6c08bdaecff77216f2b6a47
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points (XP) =====================

RP: -> 2013-06-18 21:09 - 028672 _restore{7471DDEE-C517-42CF-B462-8B6EFDC18CC5}\RP2

==================== Memory info ===========================

Percentage of memory in use: 8%
Total physical RAM: 3493.16 MB
Available physical RAM: 3203.48 MB
Total Pagefile: 3315.32 MB
Available Pagefile: 3241.6 MB
Total Virtual: 2047.88 MB
Available Virtual: 1992.39 MB

==================== Drives ================================

Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
Drive c: (Preload) (Fixed) (Total:298.09 GB) (Free:266.71 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (HITMANPRO) (Removable) (Total:1.91 GB) (Free:1.86 GB) FAT32
Drive x: (ReatogoPE) (CDROM) (Total:0.28 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 298 GB) (Disk ID: 25D525D4)
Partition 1: (Active) - (Size=298 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 2 GB) (Disk ID: 3BB450A2)
Partition 1: (Active) - (Size=2 GB) - (Type=0B)

==================== End Of Log ============================

In Vista or Windows 7: boot to System Recovery Options and run FRST.

In Windows XP: please boot to BartPE and run FRST.

 

Type the following in the edit box after "Search:": User32.dll

Click the Search button and post the log (Search.txt) it makes in your reply.


Here are the search results:

Farbar Recovery Scan Tool (x86) Version: 19-06-2013
Ran by SYSTEM at 2013-06-19 07:35:31
Running from D:\
Boot Mode: Recovery

================== Search: "User32.dll" ===================

C:\WINDOWS\system32\user32.dll
[2008-04-14 05:42] - [2012-10-03 00:58] - 0614912 ____A (Microsoft Corporation) eb0513f4f6c08bdaecff77216f2b6a47

C:\WINDOWS\system32\dllcache\user32.dll
[2008-04-14 05:42] - [2012-10-03 00:58] - 0614912 ____A (Microsoft Corporation) eb0513f4f6c08bdaecff77216f2b6a47

=== End Of Search ===
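The fixlist above removed three ZeroAccess persistence points (a second program appended to the Winlogon Shell value, a COM server registered out of C:\RECYCLER\S-1-5-18 under the CLSID FRST labelled Default-fastprox, and the KB9865930 folder in the user profile), and the Search step compares the live user32.dll against its dllcache copy so that a patched system file would stand out by hash, size or company. The Python below is an added example, not code from this thread, from the helper, or from FRST: it runs those same checks over FRST-format lines copied from the thread, plus one constructed "patched" search result so the failing case is visible. The rule names, the constructed hash and the joining of path/details lines are my own choices, and the rules cover only the indicators seen in this thread, not everything a helper would put in a fixlist.

```python
"""Added example: triage FRST-style log lines for the ZeroAccess indicators
seen in this thread and verify FRST Search output for a system DLL.
All input is copied from the thread or constructed; nothing touches a live machine."""
import re

# Registry lines in FRST's own format: the entries from the thread's fixlist
# plus two clean lines from the post-fix scan, so both outcomes show up.
SAMPLE_REGISTRY_LINES = [
    r'HKLM\...\Run: []  [x]',
    r'HKLM\...\Winlogon: [Shell] Explorer.exe, "C:\Documents and Settings\sdemilio\Local Settings\Application Data\KB9865930\KB9865930.exe" [x ] ()',
    r'Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)',
    r'HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\RECYCLER\S-1-5-18\$f1cc9c6bef780aa6a0240b5ae202cd8a\n. ATTENTION! ====> ZeroAccess',
    r'HKLM\...\Winlogon: [Shell] Explorer.exe [1033728 2008-04-14] (Microsoft Corporation)',
    r'HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)',
]

# Search.txt as posted in the thread: a path line followed by a details line.
SAMPLE_SEARCH_LINES = [
    r'C:\WINDOWS\system32\user32.dll',
    '[2008-04-14 05:42] - [2012-10-03 00:58] - 0614912 ____A (Microsoft Corporation) eb0513f4f6c08bdaecff77216f2b6a47',
    r'C:\WINDOWS\system32\dllcache\user32.dll',
    '[2008-04-14 05:42] - [2012-10-03 00:58] - 0614912 ____A (Microsoft Corporation) eb0513f4f6c08bdaecff77216f2b6a47',
]

# Constructed (not from the thread): a patched live copy whose hash and
# modification time no longer match the dllcache backup.
PATCHED_SEARCH_LINES = [
    r'C:\WINDOWS\system32\user32.dll',
    '[2008-04-14 05:42] - [2013-06-18 17:30] - 0614912 ____A (Microsoft Corporation) 0123456789abcdef0123456789abcdef',
    r'C:\WINDOWS\system32\dllcache\user32.dll',
    '[2008-04-14 05:42] - [2012-10-03 00:58] - 0614912 ____A (Microsoft Corporation) eb0513f4f6c08bdaecff77216f2b6a47',
]

# FRST appends "[size date] (Company)" or "[x]" to each value; strip it to get the raw data.
TRAILER = re.compile(r' \[[^\]]*\] *(?:\([^)]*\))?\s*$')
# Nothing legitimate is registered out of the recycle bin; ZeroAccess hides its
# COM server under RECYCLER\S-1-5-18 (XP) or $Recycle.Bin (Vista and later).
RECYCLE_PATH = re.compile(r'(?:[A-Za-z]:)?\\(?:RECYCLER|\$Recycle\.Bin)\\S-1-5-\d+\S*', re.I)
# One FRST search hit: path[created] - [modified] - size attrs (Company) md5
SEARCH_HIT = re.compile(r'^(?P<path>[^\[]+?)\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - '
                        r'(?P<size>\d+) \S+ \((?P<company>[^)]*)\) (?P<md5>[0-9a-fA-F]{32})')


def extra_shell_entries(line):
    """Return everything in a Winlogon Shell value other than explorer.exe.
    The Shell value is a comma-separated list; any second program is a hijack."""
    m = re.search(r'\[Shell\] (.*)$', line)
    if not m:
        return []
    value = TRAILER.sub('', m.group(1))
    entries = [e.strip().strip('"') for e in value.split(',')]
    return [e for e in entries if e and e.lower() != 'explorer.exe']


def triage(lines):
    """Run the three checks over FRST registry lines; returns (rule, detail) pairs."""
    findings = []
    for line in lines:
        extras = extra_shell_entries(line)
        if extras:
            findings.append(('winlogon_shell_hijack', extras[0]))
        m = RECYCLE_PATH.search(line)
        if m:
            findings.append(('recycle_bin_module', m.group(0)))
        if re.search(r'\\Run: \[\]', line):      # unnamed Run value, as in the fixlist
            findings.append(('empty_run_name', line))
    return findings


def parse_search_hits(lines):
    """Parse FRST Search output; accepts the path and details on two lines or fused."""
    joined = '\n'.join(l.strip() for l in lines)
    text = re.sub(r'(\.(?:dll|exe|sys))\s*\n\s*\[', r'\1[', joined, flags=re.I)
    hits = []
    for line in text.splitlines():
        m = SEARCH_HIT.match(line)
        if m:
            hit = m.groupdict()
            hit['size'] = int(hit['size'])
            hits.append(hit)
    return hits


def system_file_consistent(lines):
    """True when every located copy (system32, dllcache, ...) has the same size,
    company and MD5.  A single copy cannot be verified this way, so it fails."""
    hits = parse_search_hits(lines)
    if len(hits) < 2:
        return False
    keys = {(h['size'], h['company'], h['md5'].lower()) for h in hits}
    return len(keys) == 1


if __name__ == '__main__':
    for rule, detail in triage(SAMPLE_REGISTRY_LINES):
        print(f'{rule:24} {detail}')
    print('user32.dll copies consistent:', system_file_consistent(SAMPLE_SEARCH_LINES))
    print('patched sample consistent:   ', system_file_consistent(PATCHED_SEARCH_LINES))
```

Run it as-is and it reports the empty Run value, the KB9865930.exe appended to the Shell value and the RECYCLER\S-1-5-18 module, then True for the thread's search output and False for the constructed patched copy. The WgaLogon notify entry is deliberately not flagged: it is a legitimate Microsoft DLL that the helper removed as part of the cleanup, and a rule for it would need context the log lines alone do not carry.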

Yeah, I figured as much. :) I am pretty decent at cleaning infections, but this one stumped me. Everything I know from prior experience failed. That is one reason I would like to get more familiar with figuring out the logs from these programs.

The last time I had to deal with this on someone's machine, safe mode worked... :) Here is the new log:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 19-06-2013
Ran by SYSTEM on 19-06-2013 07:48:33
Running from D:\
Microsoft Windows XP (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (All) ===========================

HKLM\...\Run: [Mouse Suite 98 Daemon] ICO.EXE [x]
HKLM\...\Run: [LenovoFSC] C:\Program Files\Lenovo\FanSpeedControl\LenovoFSC.exe [40960 2008-09-26] ()
HKLM\...\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor [818240 2012-02-28] (Lenovo Group Limited)
HKLM\...\Run: [PWRAGD] C:\PROGRA~1\ThinkPad\UTILIT~1\DPMHost.exe [72256 2009-04-03] ()
HKLM\...\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe [487424 2008-11-24] (Lenovo Group Limited)
HKLM\...\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup [103768 2009-09-13] (Citrix Systems, Inc.)
HKLM\...\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow [746792 2009-04-16] (Trend Micro Inc.)
HKLM\...\Run: [RTHDCPL] RTHDCPL.EXE [x]
HKLM\...\Run: [Alcmtr] ALCMTR.EXE [x]
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2270504 2011-05-19] (Synaptics Incorporated)
HKLM\...\Run: [RotateImage] C:\Program Files\Integrated Camera Driver\RCIMGDIR.exe [31744 2008-10-30] (Ricoh co.,Ltd.)
HKLM\...\Run: [TpShocks] TpShocks.exe [x]
HKLM\...\Run: [IMSS] "C:\Program Files\Intel\Intel(R) Management Engine Components\IMSS\PIconStartup.exe" [111640 2010-03-25] ()
HKLM\...\Run: [LenovoAutoScrollUtility] C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe [101440 2011-10-20] (Lenovo Group Limited)
HKLM\...\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe" [401408 2009-12-01] (Intel Corporation)
HKLM\...\Run: [SAP_WUS_UNT] "C:\Program Files\SAP\SAPsetup\setup\Updater\NwSapSetupUserNotificationTool.exe" [226672 2010-11-26] (SAP AG)
HKLM\...\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe" [6928 1999-10-12] (IBM Corporation)
HKLM\...\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe" [15632 1999-10-12] (IBM Corporation)
HKLM\...\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN [47888 1999-10-12] (IBM Corporation)
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [316032 2010-12-14] (Conexant systems, Inc.)
HKLM\...\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe [142616 2011-09-20] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe [183576 2011-09-20] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe [167704 2011-09-20] (Intel Corporation)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Winlogon: [Userinit] C:\WINDOWS\system32\userinit.exe, [26112 2008-04-14] (Microsoft Corporation)
HKLM\...\Winlogon: [Shell] Explorer.exe [1033728 2008-04-14] (Microsoft Corporation)
HKLM\...\Winlogon: [UIHost] logonui.exe [514560 2008-04-14] (Microsoft Corporation)
Winlogon\Notify\crypt32chain: crypt32.dll (Microsoft Corporation)
Winlogon\Notify\cryptnet: cryptnet.dll (Microsoft Corporation)
Winlogon\Notify\cscdll: cscdll.dll (Microsoft Corporation)
Winlogon\Notify\dimsntfy: %SystemRoot%\System32\dimsntfy.dll (Microsoft Corporation)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Winlogon\Notify\ScCertProp: wlnotify.dll (Microsoft Corporation)
Winlogon\Notify\Schedule: wlnotify.dll (Microsoft Corporation)
Winlogon\Notify\sclgntfy: sclgntfy.dll (Microsoft Corporation)
Winlogon\Notify\SensLogn: WlNotify.dll (Microsoft Corporation)
Winlogon\Notify\termsrv: wlnotify.dll (Microsoft Corporation)
Winlogon\Notify\wlballoon: wlnotify.dll (Microsoft Corporation)
HKU\Administrator\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [ 2008-04-14] (Microsoft Corporation)
HKU\Administrator\...\Run: [Akamai NetSession Interface] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Akamai\netsession_win.exe" [x]
HKU\Administrator\...\Run: [Spark] C:\Program Files\Spark\Spark.exe [x]
HKU\sdemilio\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [ 2008-04-14] (Microsoft Corporation)
Lsa: [Authentication Packages] msv1_0
Lsa: [Notification Packages] scecli
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ImageTray.lnk
ShortcutTarget: ImageTray.lnk -> C:\WINDOWS\Installer\{93A2E63B-3B57-4B81-8362-BF07C0BFD00E}\NewShortcut13_7A980C5EC2914FFB94675638C5EF4554.exe (Macrovision Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Print Screen Deluxe.lnk
ShortcutTarget: Print Screen Deluxe.lnk -> \\Ny-wb-2536\c$\Program Files\American Systems\Print Screen Deluxe\prntscrn.exe (No File)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
ShortcutTarget: VPN Client.lnk -> C:\WINDOWS\Installer\{176130BC-99A1-41FE-A78B-56045E33AD70}\Icon3E5562ED7.ico ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
ShortcutTarget: Windows Search.lnk -> C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
Startup: C:\Documents and Settings\sdemilio\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> B:\Documents and Settings\Default User\Application Data\Dropbox\bin\Dropbox.exe (No File)
SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)
BootExecute: autocheck autochk * sprestrt

==================== Services (All) ========================

S3 AdobeFlashPlayerUpdateSvc; C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe [251400 2013-01-10] (Adobe Systems Incorporated)
S2 Akamai; c:\program files\common files\akamai/netsession_win_ca0e279.dll [4561152 2013-03-25] (Akamai Technologies, Inc.)
S4 Alerter; C:\Windows\system32\alrsvc.dll [17408 2008-04-14] (Microsoft Corporation)
S3 ALG; C:\Windows\System32\alg.exe [44544 2008-04-14] (Microsoft Corporation)
S3 AppMgmt; C:\Windows\System32\appmgmts.dll [167936 2008-04-14] (Microsoft Corporation)
S3 aspnet_state; C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe [35160 2010-03-18] (Microsoft Corporation)
S2 atchksrv; C:\Program Files\Intel\AMT\atchksrv.exe [176128 2009-12-01] (Intel Corporation)
S2 AudioSrv; C:\Windows\System32\audiosrv.dll [42496 2008-04-14] (Microsoft Corporation)
S3 BITS; C:\WINDOWS\system32\qmgr.dll [409088 2008-04-14] (Microsoft Corporation)
S2 Browser; C:\Windows\System32\browser.dll [78336 2012-07-06] (Microsoft Corporation)
S2 btwdins; C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe [365912 2011-04-05] (Broadcom Corporation.)
S3 CiSvc; C:\Windows\system32\cisvc.exe [5632 2008-04-14] (Microsoft Corporation)
S4 ClipSrv; C:\Windows\system32\clipsrv.exe [33280 2008-04-14] (Microsoft Corporation)
S4 clr_optimization_v2.0.50727_32; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [69632 2008-07-25] (Microsoft Corporation)
S2 clr_optimization_v4.0.30319_32; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [130384 2010-03-18] (Microsoft Corporation)
S3 COMSysApp; C:\WINDOWS\system32\dllhost.exe [5120 2008-04-14] (Microsoft Corporation)
S2 CryptSvc; C:\Windows\System32\cryptsvc.dll [62464 2008-04-14] (Microsoft Corporation)
S2 CVPND; C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe [1504304 2006-11-10] (Cisco Systems, Inc.)
S3 Cwbrxd; C:\WINDOWS\CWBRXD.EXE [51472 1999-10-12] (IBM Corporation)
S2 DcomLaunch; C:\Windows\system32\rpcss.dll [401408 2009-02-09] (Microsoft Corporation)
S2 Dhcp; C:\Windows\System32\dhcpcsvc.dll [126976 2008-04-14] (Microsoft Corporation)
S3 dmadmin; C:\Windows\System32\dmadmin.exe [224768 2008-04-14] (Microsoft Corp., Veritas Software)
S2 dmserver; C:\Windows\System32\dmserver.dll [23552 2008-04-14] (Microsoft Corp.)
S2 Dnscache; C:\Windows\System32\dnsrslvr.dll [45568 2009-04-20] (Microsoft Corporation)
S3 Dot3svc; C:\Windows\System32\dot3svc.dll [132096 2008-04-14] (Microsoft Corporation)
S2 DozeSvc; C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE [292200 2012-02-28] (Lenovo.)
S3 EapHost; C:\Windows\System32\eapsvc.dll [33792 2008-04-14] (Microsoft Corporation)
S2 ERSvc; C:\Windows\System32\ersvc.dll [23040 2008-04-14] (Microsoft Corporation)
S2 Eventlog; C:\Windows\system32\services.exe [110592 2009-02-06] (Microsoft Corporation)
S3 EventSystem; C:\WINDOWS\system32\es.dll [253952 2008-07-07] (Microsoft Corporation)
S3 FastUserSwitchingCompatibility; C:\Windows\System32\shsvcs.dll [135168 2009-07-27] (Microsoft Corporation)
S2 FontCache3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [46104 2008-07-29] (Microsoft Corporation)
S3 gusvc; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [136120 2007-01-03] (Google)
S2 helpsvc; C:\Windows\PCHealth\HelpCtr\Binaries\pchsvc.dll [38400 2008-04-14] (Microsoft Corporation)
S2 HidServ; C:\Windows\System32\hidserv.dll [21504 2008-04-14] (Microsoft Corporation)
S3 hkmsvc; C:\Windows\System32\kmsvc.dll [61440 2008-04-14] (Microsoft Corporation)
S3 HTTPFilter; C:\Windows\System32\w3ssl.dll [15872 2008-04-14] (Microsoft Corporation)
S2 IBMPMSVC; C:\Windows\system32\ibmpmsvc.exe [40512 2012-02-29] (Lenovo.)
S3 idsvc; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [881664 2008-07-29] (Microsoft Corporation)
S2 ImageNow Automatic Update 6.2; C:\Program Files\ImageNow6\bin\inausvc.exe [3870720 2008-10-15] (Perceptive Software, Inc.)
S3 ImapiService; C:\WINDOWS\system32\imapi.exe [150528 2008-04-14] (Microsoft Corporation)
S2 IviRegMgr; C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe [112152 2007-01-04] (InterVideo)
S2 LanmanServer; C:\Windows\System32\srvsvc.dll [99840 2010-08-27] (Microsoft Corporation)
S2 lanmanworkstation; C:\Windows\System32\wkssvc.dll [132096 2009-06-10] (Microsoft Corporation)
S2 LENOVO.CAMMUTE; C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe [50536 2010-04-20] (Lenovo Group Limited)
S2 Lenovo.micmute; C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe [101736 2011-07-12] (Lenovo Group Limited)
S2 LmHosts; C:\Windows\System32\lmhsvc.dll [13824 2008-04-14] (Microsoft Corporation)
S2 LMS; C:\Program Files\Intel\AMT\LMS.exe [102400 2009-12-01] (Intel)
S2 MDM; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [335872 2006-10-26] (Microsoft Corporation)
S4 Messenger; C:\Windows\System32\msgsvc.dll [33792 2008-04-14] (Microsoft Corporation)
S3 mnmsrvc; C:\WINDOWS\system32\mnmsrvc.exe [32768 2008-04-14] (Microsoft Corporation)
S3 MSDTC; C:\WINDOWS\system32\msdtc.exe [6144 2008-04-14] (Microsoft Corporation)
S3 MSIServer; C:\Windows\System32\msiexec.exe [95744 2008-05-19] 
(Microsoft Corporation)S3 napagent; C:\Windows\System32\qagentrt.dll [291328 2008-04-14] (Microsoft Corporation)S4 NetDDE; C:\Windows\system32\netdde.exe [111104 2008-04-14] (Microsoft Corporation)S4 NetDDEdsdm; C:\Windows\system32\netdde.exe [111104 2008-04-14] (Microsoft Corporation)S2 Netlogon; C:\Windows\system32\lsass.exe [13312 2008-04-14] (Microsoft Corporation)S3 Netman; C:\Windows\System32\netman.dll [198144 2008-04-14] (Microsoft Corporation)S4 NetTcpPortSharing; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [124240 2010-03-18] (Microsoft Corporation)S3 Nla; C:\Windows\System32\mswsock.dll [245248 2008-06-20] (Microsoft Corporation)S3 NtLmSsp; C:\Windows\system32\lsass.exe [13312 2008-04-14] (Microsoft Corporation)S3 NtmsSvc; C:\Windows\system32\ntmssvc.dll [435200 2008-04-14] (Microsoft Corporation)S2 ntrtscan; C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe [1332520 2009-04-15] (Trend Micro Inc.)S2 NWSAPAutoWorkstationUpdateSvc; C:\Program Files\SAP\SAPsetup\setup\Updater\NwSapAutoWorkstationUpdateService.exe [263536 2010-11-26] (SAP AG)S3 odserv; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [440696 2011-07-20] (Microsoft Corporation)S3 ose; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [145184 2006-10-26] (Microsoft Corporation)S2 PlugPlay; C:\Windows\system32\services.exe [110592 2009-02-06] (Microsoft Corporation)S2 PolicyAgent; C:\Windows\system32\lsass.exe [13312 2008-04-14] (Microsoft Corporation)S2 Power Manager DBC Service; C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE [69632 2012-02-28] ()S2 ProtectedStorage; C:\Windows\system32\lsass.exe [13312 2008-04-14] (Microsoft Corporation)S2 PwmEWSvc; C:\Program Files\ThinkPad\Utilities\PWMEWSVC.EXE [244800 2012-02-28] (Lenovo Group Limited)S3 RasAuto; C:\Windows\System32\rasauto.dll [88576 2008-04-14] (Microsoft Corporation)S3 RasMan; C:\Windows\System32\rasmans.dll [186368 2008-04-14] (Microsoft Corporation)S3 RDSessMgr; 
C:\WINDOWS\system32\sessmgr.exe [141312 2008-04-14] (Microsoft Corporation)S4 RemoteAccess; C:\Windows\System32\mprdim.dll [53248 2008-04-14] (Microsoft Corporation)S2 RemoteRegistry; C:\Windows\system32\regsvc.dll [59904 2008-04-14] (Microsoft Corporation)S3 RoxMediaDB10; C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [1120752 2008-04-25] (Sonic Solutions)S3 RpcLocator; C:\Windows\system32\locator.exe [75264 2008-04-14] (Microsoft Corporation)S2 RpcSs; C:\Windows\system32\rpcss.dll [401408 2009-02-09] (Microsoft Corporation)S3 RSVP; C:\Windows\system32\rsvp.exe [132608 2001-08-23] (Microsoft Corporation)S2 SamSs; C:\Windows\system32\lsass.exe [13312 2008-04-14] (Microsoft Corporation)S2 SAService; C:\Windows\system32\SAsrv.exe [446592 2010-11-18] (Conexant Systems, Inc.)S3 SCardSvr; C:\Windows\System32\SCardSvr.exe [95744 2008-04-14] (Microsoft Corporation)S2 Schedule; C:\Windows\system32\schedsvc.dll [192512 2008-04-14] (Microsoft Corporation)S2 seclogon; C:\Windows\System32\seclogon.dll [18944 2008-04-14] (Microsoft Corporation)S2 SENS; C:\Windows\system32\sens.dll [39424 2008-04-14] (Microsoft Corporation)S2 ShellHWDetection; C:\Windows\System32\shsvcs.dll [135168 2009-07-27] (Microsoft Corporation)S2 Spooler; C:\Windows\system32\spoolsv.exe [58880 2010-08-17] (Microsoft Corporation)S2 srservice; C:\WINDOWS\system32\srsvc.dll [171008 2008-04-14] (Microsoft Corporation)S3 SSDPSRV; C:\Windows\System32\ssdpsrv.dll [71680 2008-04-14] (Microsoft Corporation)S2 stisvc; C:\Windows\system32\wiaservc.dll [333824 2008-04-14] (Microsoft Corporation)S3 stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [74384 2008-03-24] (MicroVision Development, Inc.)S2 SUService; c:\program files\lenovo\system update\suservice.exe [28672 2011-07-25] (Lenovo Group Limited)S3 SwPrv; C:\WINDOWS\system32\dllhost.exe [5120 2008-04-14] (Microsoft Corporation)S3 SysmonLog; C:\Windows\system32\smlogsvc.exe [89600 2008-04-14] (Microsoft 
Corporation)S3 TapiSrv; C:\Windows\System32\tapisrv.dll [249856 2008-04-14] (Microsoft Corporation)S3 TermService; C:\Windows\System32\termsrv.dll [295424 2008-04-14] (Microsoft Corporation)S2 Themes; C:\Windows\System32\shsvcs.dll [135168 2009-07-27] (Microsoft Corporation)S2 ThinkVantage Registry Monitor Service; C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe [746808 2008-06-13] (Lenovo Group Limited)S4 TlntSvr; C:\WINDOWS\system32\tlntsvr.exe [73216 2008-04-14] (Microsoft Corporation)S3 TMBMServer; C:\Program Files\Trend Micro\OfficeScan Client\..\BM\TMBMSRV.exe [341256 2009-03-12] (Trend Micro Inc.)S2 tmlisten; C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe [1246848 2009-04-21] (Trend Micro Inc.)S3 TmProxy; C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe [652552 2009-02-23] (Trend Micro Inc.)S3 TPHDEXLGSVC; C:\Windows\System32\TPHDEXLG.exe [39976 2009-10-09] (Lenovo.)S2 TPHKLOAD; C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe [131432 2011-07-12] (Lenovo Group Limited)S2 TPHKSVC; C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe [142696 2011-07-12] (Lenovo Group Limited)S2 TrkWks; C:\Windows\system32\trkwks.dll [90112 2008-04-14] (Microsoft Corporation)S2 TVT Scheduler; C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe [1155072 2008-11-24] (Lenovo Group Limited)S2 UNS; C:\Program Files\Intel\AMT\UNS.exe [2519040 2009-12-01] (Intel)S3 upnphost; C:\Windows\System32\upnphost.dll [185856 2008-04-14] (Microsoft Corporation)S3 UPS; C:\Windows\System32\ups.exe [18432 2008-04-14] (Microsoft Corporation)S3 VSS; C:\Windows\System32\vssvc.exe [289792 2008-04-14] (Microsoft Corporation)S2 W32Time; C:\WINDOWS\system32\w32time.dll [175104 2008-04-14] (Microsoft Corporation)S2 WebClient; C:\Windows\System32\webclnt.dll [68096 2008-04-14] (Microsoft Corporation)S2 winmgmt; C:\Windows\system32\wbem\WMIsvc.dll [144896 2008-04-14] (Microsoft Corporation)S3 WinRM; C:\Windows\system32\WsmSvc.dll [1107456 2009-10-09] (Microsoft Corporation)S3 
WmdmPmSN; C:\WINDOWS\system32\MsPMSNSv.dll [27136 2006-10-18] (Microsoft Corporation)S3 Wmi; C:\Windows\System32\advapi32.dll [617472 2009-02-09] (Microsoft Corporation)S3 WmiApSrv; C:\WINDOWS\system32\wbem\wmiapsrv.exe [126464 2008-04-14] (Microsoft Corporation)S2 WMPNetworkSvc; C:\Program Files\Windows Media Player\WMPNetwk.exe [913408 2006-10-18] (Microsoft Corporation)S3 WPFFontCache_v0400; C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [753504 2010-03-18] (Microsoft Corporation)S2 WSearch; C:\Windows\system32\SearchIndexer.exe [439808 2008-05-26] (Microsoft Corporation)S2 wuauserv; C:\WINDOWS\system32\wuauserv.dll [6656 2008-04-14] (Microsoft Corporation)S3 WudfSvc; C:\Windows\System32\WUDFSvc.dll [55808 2006-09-28] (Microsoft Corporation)S2 WZCSVC; C:\Windows\System32\wzcsvc.dll [483840 2008-04-14] (Microsoft Corporation)S3 xmlprov; C:\Windows\System32\xmlprov.dll [129024 2008-04-14] (Microsoft Corporation)S2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]S2 SessionLauncher; C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [x]==================== Drivers (All) ==========================S3 5U877; C:\Windows\System32\DRIVERS\5U877.sys [132096 2011-03-04] (Ricoh co.,Ltd.)S4 abp480n5; C:\Windows\system32\DRIVERS\ABP480N5.SYS [23552 2001-08-23] (Microsoft Corporation)S0 ACPI; C:\Windows\System32\DRIVERS\ACPI.sys [187776 2008-04-14] (Microsoft Corporation)S0 ACPIEC; C:\Windows\System32\DRIVERS\ACPIEC.sys [11648 2001-08-23] (Microsoft Corporation)S4 adpu160m; C:\Windows\system32\DRIVERS\adpu160m.sys [101888 2001-08-23] (Microsoft Corporation)S3 aec; C:\Windows\System32\drivers\aec.sys [142592 2008-04-14] (Microsoft Corporation)S2 AegisP; C:\Windows\System32\DRIVERS\AegisP.sys [21361 2010-09-02] (Cisco Systems, Inc.)S1 AFD; C:\Windows\System32\drivers\afd.sys [138496 2011-08-17] (Microsoft Corporation)S4 agp440; 
C:\Windows\system32\DRIVERS\agp440.sys [42368 2008-04-14] (Microsoft Corporation)S4 agpCPQ; C:\Windows\system32\DRIVERS\agpCPQ.sys [44928 2008-04-14] (Microsoft Corporation)S4 Aha154x; C:\Windows\system32\DRIVERS\aha154x.sys [12800 2001-08-23] (Microsoft Corporation)S4 aic78u2; C:\Windows\system32\DRIVERS\aic78u2.sys [55168 2001-08-23] (Microsoft Corporation)S4 aic78xx; C:\Windows\system32\DRIVERS\aic78xx.sys [56960 2001-08-23] (Microsoft Corporation)S4 AliIde; C:\Windows\system32\DRIVERS\aliide.sys [5248 2001-08-23] (Acer Laboratories Inc.)S4 alim1541; C:\Windows\system32\DRIVERS\alim1541.sys [42752 2008-04-14] (Microsoft Corporation)S4 amdagp; C:\Windows\system32\DRIVERS\amdagp.sys [43008 2008-04-14] (Advanced Micro Devices, Inc.)S4 amsint; C:\Windows\system32\DRIVERS\amsint.sys [12032 2001-08-23] (Microsoft Corporation)S3 Arp1394; C:\Windows\System32\DRIVERS\arp1394.sys [60800 2008-04-14] (Microsoft Corporation)S4 asc; C:\Windows\system32\DRIVERS\asc.sys [26496 2001-08-23] (Advanced System Products, Inc.)S4 asc3350p; C:\Windows\system32\DRIVERS\asc3350p.sys [22400 2001-08-23] (Microsoft Corporation)S4 asc3550; C:\Windows\system32\DRIVERS\asc3550.sys [14848 2001-08-23] (Advanced System Products, Inc.)S3 AsyncMac; C:\Windows\System32\DRIVERS\asyncmac.sys [14336 2008-04-14] (Microsoft Corporation)S0 atapi; C:\Windows\System32\DRIVERS\atapi.sys [96512 2008-04-14] (Microsoft Corporation)S3 Atmarpc; C:\Windows\System32\DRIVERS\atmarpc.sys [59904 2008-04-14] (Microsoft Corporation)S3 audstub; C:\Windows\System32\DRIVERS\audstub.sys [3072 2001-08-17] (Microsoft Corporation)S1 Beep; C:\Windows\System32\Drivers\Beep.sys [4224 2001-08-23] (Microsoft Corporation)S3 BTKRNL; C:\Windows\System32\DRIVERS\btkrnl.sys [933416 2011-04-05] (Broadcom Corporation.)S3 BTWUSB; C:\Windows\System32\Drivers\btwusb.sys [51752 2011-04-05] (Broadcom Corporation.)S4 cbidf; C:\Windows\system32\DRIVERS\cbidf2k.sys [13952 2001-08-23] (Microsoft Corporation)S4 cbidf2k; 
C:\Windows\System32\Drivers\cbidf2k.sys [13952 2001-08-23] (Microsoft Corporation)S3 CCDECODE; C:\Windows\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation)S4 cd20xrnt; C:\Windows\system32\DRIVERS\cd20xrnt.sys [7680 2001-08-23] (Microsoft Corporation)S1 Cdaudio; C:\Windows\System32\Drivers\Cdaudio.sys [18688 2001-08-23] (Microsoft Corporation)S4 Cdfs; C:\Windows\System32\Drivers\Cdfs.sys [63744 2008-04-14] (Microsoft Corporation)S1 Cdrom; C:\Windows\System32\DRIVERS\cdrom.sys [62976 2008-04-14] (Microsoft Corporation)S3 CmBatt; C:\Windows\System32\DRIVERS\CmBatt.sys [13952 2008-04-14] (Microsoft Corporation)S4 CmdIde; C:\Windows\system32\DRIVERS\cmdide.sys [6656 2001-08-23] (CMD Technology, Inc.)S3 CnxtHdAudService; C:\Windows\System32\drivers\CHDRT32.sys [1280640 2011-10-03] (Conexant Systems Inc.)S0 Compbatt; C:\Windows\System32\DRIVERS\compbatt.sys [10240 2008-04-14] (Microsoft Corporation)S4 Cpqarray; C:\Windows\system32\DRIVERS\cpqarray.sys [14976 2001-08-23] (Microsoft Corporation)S3 cpudrv; C:\Program Files\SystemRequirementsLab\cpudrv.sys [11336 2009-12-18] ()S1 ctxusbm; C:\Windows\System32\DRIVERS\ctxusbm.sys [65584 2009-09-08] (Citrix Systems, Inc.)S3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA.sys [5315 2005-05-17] (Cisco Systems, Inc.)S2 CVPNDRVA; C:\WINDOWS\system32\Drivers\CVPNDRVA.sys [305788 2006-11-10] (Cisco Systems, Inc.)S4 dac2w2k; C:\Windows\system32\DRIVERS\dac2w2k.sys [179584 2001-08-23] (Mylex Corporation)S4 dac960nt; C:\Windows\system32\DRIVERS\dac960nt.sys [14720 2001-08-23] (Microsoft Corporation)S0 Disk; C:\Windows\System32\DRIVERS\disk.sys [36352 2008-04-14] (Microsoft Corporation)S2 DLABMFSM; C:\Windows\System32\DLA\DLABMFSM.SYS [35064 2007-06-18] (Roxio)S2 DLABOIOM; C:\Windows\System32\DLA\DLABOIOM.SYS [32472 2007-06-18] (Roxio)S1 DLACDBHM; C:\Windows\System32\Drivers\DLACDBHM.SYS [12856 2007-02-09] (Roxio)S2 DLADResM; C:\Windows\System32\DLA\DLADResM.SYS [9400 2007-06-18] (Roxio)S2 DLAIFS_M; 
C:\Windows\System32\DLA\DLAIFS_M.SYS [105048 2007-06-18] (Roxio)S2 DLAOPIOM; C:\Windows\System32\DLA\DLAOPIOM.SYS [26744 2007-06-18] (Roxio)S2 DLAPoolM; C:\Windows\System32\DLA\DLAPoolM.SYS [14520 2007-06-18] (Roxio)S1 DLARTL_M; C:\Windows\System32\Drivers\DLARTL_M.SYS [28120 2007-02-09] (Roxio)S2 DLAUDFAM; C:\Windows\System32\DLA\DLAUDFAM.SYS [93752 2007-06-18] (Roxio)S2 DLAUDF_M; C:\Windows\System32\DLA\DLAUDF_M.SYS [98136 2007-06-18] (Roxio)S4 dmboot; C:\Windows\System32\drivers\dmboot.sys [799744 2008-04-14] (Microsoft Corp., Veritas Software)S0 dmio; C:\Windows\System32\DRIVERS\dmio.sys [153344 2008-04-14] (Microsoft Corp., Veritas Software)S0 dmload; C:\Windows\System32\Drivers\dmload.sys [5888 2001-08-23] (Microsoft Corp., Veritas Software.)S3 DMusic; C:\Windows\System32\drivers\DMusic.sys [52864 2008-04-14] (Microsoft Corporation)S3 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [126864 2006-10-02] (Deterministic Networks, Inc.)S0 DozeHDD; C:\Windows\System32\DRIVERS\DozeHDD.sys [25968 2012-02-28] (Lenovo.)S4 dpti2o; C:\Windows\system32\DRIVERS\dpti2o.sys [20192 2001-08-23] (Microsoft Corporation)S3 drmkaud; C:\Windows\System32\drivers\drmkaud.sys [2944 2008-04-14] (Microsoft Corporation)S0 DRVMCDB; C:\Windows\System32\Drivers\DRVMCDB.SYS [99848 2007-03-12] (Sonic Solutions)S2 DRVNDDM; C:\Windows\System32\Drivers\DRVNDDM.SYS [51768 2007-02-09] (Roxio)S3 e1cexpress; C:\Windows\System32\DRIVERS\e1c5132.sys [203944 2012-01-11] (Intel Corporation)S3 e1kexpress; C:\Windows\System32\DRIVERS\e1k5132.sys [167080 2009-12-10] (Intel Corporation)S4 Fastfat; C:\Windows\System32\Drivers\Fastfat.sys [143744 2008-04-14] (Microsoft Corporation)S1 Fdc; C:\Windows\System32\Drivers\Fdc.sys [27392 2008-04-14] (Microsoft Corporation)S1 Fips; C:\Windows\System32\Drivers\Fips.sys [44544 2008-04-14] (Microsoft Corporation)S1 Flpydisk; C:\Windows\System32\Drivers\Flpydisk.sys [20480 2008-04-14] (Microsoft Corporation)S0 FltMgr; C:\Windows\System32\DRIVERS\fltMgr.sys [129792 
2008-04-14] (Microsoft Corporation)S1 Fs_Rec; C:\Windows\System32\Drivers\Fs_Rec.sys [7936 2001-08-23] (Microsoft Corporation)S0 Ftdisk; C:\Windows\System32\DRIVERS\ftdisk.sys [125056 2001-08-23] (Microsoft Corporation)S3 Gpc; C:\Windows\System32\DRIVERS\msgpc.sys [35072 2008-04-14] (Microsoft Corporation)S3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-13] (Windows (R) Server 2003 DDK provider)S3 HECI; C:\Windows\System32\DRIVERS\HECI.sys [41088 2010-10-19] (Intel Corporation)S3 HidUsb; C:\Windows\System32\DRIVERS\hidusb.sys [10368 2008-04-14] (Microsoft Corporation)S4 hpn; C:\Windows\system32\DRIVERS\hpn.sys [25952 2001-08-23] (Microsoft Corporation)S3 HSFHWAZL; C:\Windows\System32\DRIVERS\HSFHWAZL.sys [210304 2009-06-30] (Conexant Systems, Inc.)S3 HSF_DPV; C:\Windows\System32\DRIVERS\HSF_DPV.sys [986240 2009-06-30] (Conexant Systems, Inc.)S3 HTTP; C:\Windows\System32\Drivers\HTTP.sys [265728 2009-10-20] (Microsoft Corporation)S1 i2omgmt; C:\Windows\System32\Drivers\i2omgmt.sys [8576 2008-04-14] (Microsoft Corporation)S4 i2omp; C:\Windows\system32\DRIVERS\i2omp.sys [18560 2008-04-14] (Microsoft Corporation)S1 i8042prt; C:\Windows\System32\DRIVERS\i8042prt.sys [52480 2008-04-14] (Microsoft Corporation)S3 ialm; C:\Windows\System32\DRIVERS\igxpmp32.sys [2176768 2011-09-20] (Intel Corporation)S3 IBMPMDRV; C:\Windows\System32\DRIVERS\ibmpmdrv.sys [35272 2012-02-29] (Lenovo.)S1 Imapi; C:\Windows\System32\DRIVERS\imapi.sys [42112 2008-04-14] (Microsoft Corporation)S3 Impcd; C:\Windows\System32\DRIVERS\Impcd.sys [132480 2010-02-27] (Intel Corporation)S4 ini910u; C:\Windows\system32\DRIVERS\ini910u.sys [16000 2001-08-23] (Microsoft Corporation)S3 IntcAzAudAddService; C:\Windows\System32\drivers\RtkHDAud.sys [4813824 2008-09-09] (Realtek Semiconductor Corp.)S3 IntcDAud; C:\Windows\System32\DRIVERS\IntcDAud.sys [260864 2011-05-11] (Intel(R) Corporation)S4 IntelIde; C:\Windows\system32\DRIVERS\intelide.sys [5504 2008-04-14] (Microsoft Corporation)S1 
intelppm; C:\Windows\System32\DRIVERS\intelppm.sys [36352 2008-04-14] (Microsoft Corporation)S3 Ip6Fw; C:\Windows\System32\DRIVERS\Ip6Fw.sys [36608 2008-04-14] (Microsoft Corporation)S3 IpFilterDriver; C:\Windows\System32\DRIVERS\ipfltdrv.sys [32896 2001-08-23] (Microsoft Corporation)S3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [20864 2008-04-14] (Microsoft Corporation)S3 IpNat; C:\Windows\System32\DRIVERS\ipnat.sys [152832 2008-04-14] (Microsoft Corporation)S1 IPSec; C:\Windows\System32\DRIVERS\ipsec.sys [75264 2008-04-14] (Microsoft Corporation)S3 IRENUM; C:\Windows\System32\DRIVERS\irenum.sys [11264 2008-04-14] (Microsoft Corporation)S0 isapnp; C:\Windows\System32\DRIVERS\isapnp.sys [37248 2008-04-14] (Microsoft Corporation)S1 Kbdclass; C:\Windows\System32\DRIVERS\kbdclass.sys [24576 2008-04-14] (Microsoft Corporation)S1 kbdhid; C:\Windows\System32\DRIVERS\kbdhid.sys [14592 2008-04-14] (Microsoft Corporation)S3 kmixer; C:\Windows\System32\drivers\kmixer.sys [172416 2008-04-14] (Microsoft Corporation)S0 KSecDD; C:\Windows\System32\Drivers\KSecDD.sys [92928 2009-06-24] (Microsoft Corporation)S1 lenovo.smi; C:\Windows\System32\DRIVERS\smiif32.sys [13680 2010-09-07] (Lenovo Group Limited)S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\mbamswissarmy.sys [40776 2013-06-18] (Malwarebytes Corporation)S2 mdmxsdk; C:\Windows\System32\DRIVERS\mdmxsdk.sys [12672 2006-06-18] (Conexant)S1 mnmdd; C:\Windows\System32\Drivers\mnmdd.sys [4224 2001-08-23] (Microsoft Corporation)S3 Modem; C:\Windows\System32\Drivers\Modem.sys [30080 2008-04-14] (Microsoft Corporation)S1 Mouclass; C:\Windows\System32\DRIVERS\mouclass.sys [23040 2008-04-14] (Microsoft Corporation)S3 mouhid; C:\Windows\System32\DRIVERS\mouhid.sys [12160 2001-08-23] (Microsoft Corporation)S0 MountMgr; C:\Windows\System32\Drivers\MountMgr.sys [42368 2008-04-14] (Microsoft Corporation)S4 mraid35x; C:\Windows\system32\DRIVERS\mraid35x.sys [17280 2001-08-23] (American Megatrends Inc.)S3 MRxDAV; 
C:\Windows\System32\DRIVERS\mrxdav.sys [180608 2008-04-14] (Microsoft Corporation)S1 MRxSmb; C:\Windows\System32\DRIVERS\mrxsmb.sys [456320 2011-07-15] (Microsoft Corporation)S1 Msfs; C:\Windows\System32\Drivers\Msfs.sys [19072 2008-04-14] (Microsoft Corporation)S3 MSKSSRV; C:\Windows\System32\drivers\MSKSSRV.sys [7552 2008-04-14] (Microsoft Corporation)S3 MSPCLOCK; C:\Windows\System32\drivers\MSPCLOCK.sys [5376 2008-04-14] (Microsoft Corporation)S3 MSPQM; C:\Windows\System32\drivers\MSPQM.sys [4992 2008-04-14] (Microsoft Corporation)S3 mssmbios; C:\Windows\System32\DRIVERS\mssmbios.sys [15488 2008-04-14] (Microsoft Corporation)S3 MSTEE; C:\Windows\System32\drivers\MSTEE.sys [5504 2008-04-14] (Microsoft Corporation)S0 Mup; C:\Windows\System32\Drivers\Mup.sys [105472 2011-04-21] (Microsoft Corporation)S3 NABTSFEC; C:\Windows\System32\DRIVERS\NABTSFEC.sys [85248 2008-04-14] (Microsoft Corporation)S0 NDIS; C:\Windows\System32\Drivers\NDIS.sys [182656 2008-04-14] (Microsoft Corporation)S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)S3 NdisTapi; C:\Windows\System32\DRIVERS\ndistapi.sys [10496 2011-07-08] (Microsoft Corporation)S3 Ndisuio; C:\Windows\System32\DRIVERS\ndisuio.sys [14592 2008-04-14] (Microsoft Corporation)S3 NdisWan; C:\Windows\System32\DRIVERS\ndiswan.sys [91520 2008-04-14] (Microsoft Corporation)S3 NDProxy; C:\Windows\System32\Drivers\NDProxy.sys [40960 2010-11-02] (Microsoft Corporation)S1 NetBIOS; C:\Windows\System32\DRIVERS\netbios.sys [34688 2008-04-14] (Microsoft Corporation)S1 NetBT; C:\Windows\System32\DRIVERS\netbt.sys [162816 2008-04-14] (Microsoft Corporation)S3 NETwNx32; C:\Windows\System32\DRIVERS\NETwNx32.sys [7473152 2011-08-03] (Intel Corporation)S3 NIC1394; C:\Windows\System32\DRIVERS\nic1394.sys [61824 2008-04-14] (Microsoft Corporation)S1 Npfs; C:\Windows\System32\Drivers\Npfs.sys [30848 2008-04-14] (Microsoft Corporation)S4 Ntfs; C:\Windows\System32\Drivers\Ntfs.sys [574976 2008-04-14] 
(Microsoft Corporation)S1 Null; C:\Windows\System32\Drivers\Null.sys [2944 2001-08-23] (Microsoft Corporation)S3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [12416 2001-08-23] (Microsoft Corporation)S3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [32512 2001-08-23] (Microsoft Corporation)S0 ohci1394; C:\Windows\System32\DRIVERS\ohci1394.sys [61696 2008-04-14] (Microsoft Corporation)S3 Parport; C:\Windows\System32\DRIVERS\parport.sys [80128 2008-04-14] (Microsoft Corporation)S0 PartMgr; C:\Windows\System32\Drivers\PartMgr.sys [19712 2008-04-14] (Microsoft Corporation)S4 ParVdm; C:\Windows\System32\Drivers\ParVdm.sys [6784 2001-08-23] (Microsoft Corporation)S0 PCI; C:\Windows\System32\DRIVERS\pci.sys [68224 2008-04-14] (Microsoft Corporation)S0 PCIIde; C:\Windows\System32\DRIVERS\pciide.sys [3328 2001-08-17] (Microsoft Corporation)S0 Pcmcia; C:\Windows\System32\DRIVERS\pcmcia.sys [120192 2008-04-14] (Microsoft Corporation)S3 pelmouse; C:\Windows\System32\DRIVERS\pelmouse.sys [16768 2006-09-14] (Primax Electronics Ltd.)S3 pelusblf; C:\Windows\System32\DRIVERS\pelusblf.sys [14592 2006-10-14] (Primax Electronics Ltd.)S4 perc2; C:\Windows\system32\DRIVERS\perc2.sys [27296 2001-08-23] (Microsoft Corporation)S4 perc2hib; C:\Windows\system32\DRIVERS\perc2hib.sys [5504 2001-08-23] (Microsoft Corporation)S2 pmem; C:\WINDOWS\System32\drivers\pmemnt.sys [7012 2010-03-04] (Microsoft Corporation)S3 pmxdrv; C:\WINDOWS\system32\drivers\pmxdrv.sys [816792 2011-08-31] ()S3 PptpMiniport; C:\Windows\System32\DRIVERS\raspptp.sys [48384 2008-04-14] (Microsoft Corporation)S3 psadd; C:\Windows\System32\DRIVERS\psadd.sys [30144 2008-04-09] (Lenovo (United States) Inc.)S3 PSched; C:\Windows\System32\DRIVERS\psched.sys [69120 2008-04-14] (Microsoft Corporation)S3 Ptilink; C:\Windows\System32\DRIVERS\ptilink.sys [17792 2001-08-23] (Parallel Technologies, Inc.)S0 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [44944 2008-04-08] (Sonic Solutions)S4 ql1080; 
C:\Windows\system32\DRIVERS\ql1080.sys [40320 2001-08-23] (QLogic Corporation)S4 Ql10wnt; C:\Windows\system32\DRIVERS\ql10wnt.sys [33152 2001-08-23] (Microsoft Corporation)S4 ql12160; C:\Windows\system32\DRIVERS\ql12160.sys [45312 2001-08-23] (QLogic Corporation)S4 ql1240; C:\Windows\system32\DRIVERS\ql1240.sys [40448 2001-08-23] (Microsoft Corporation)S4 ql1280; C:\Windows\system32\DRIVERS\ql1280.sys [49024 2001-08-23] (QLogic Corporation)S1 RasAcd; C:\Windows\System32\DRIVERS\rasacd.sys [8832 2001-08-23] (Microsoft Corporation)S3 Rasl2tp; C:\Windows\System32\DRIVERS\rasl2tp.sys [51328 2008-04-14] (Microsoft Corporation)S3 RasPppoe; C:\Windows\System32\DRIVERS\raspppoe.sys [41472 2008-04-14] (Microsoft Corporation)S3 Raspti; C:\Windows\System32\DRIVERS\raspti.sys [16512 2001-08-23] (Microsoft Corporation)S1 Rdbss; C:\Windows\System32\DRIVERS\rdbss.sys [175744 2008-04-14] (Microsoft Corporation)S1 RDPCDD; C:\Windows\System32\DRIVERS\RDPCDD.sys [4224 2001-08-23] (Microsoft Corporation)S3 rdpdr; C:\Windows\System32\DRIVERS\rdpdr.sys [196224 2008-04-14] (Microsoft Corporation)S3 RDPWD; C:\Windows\System32\Drivers\RDPWD.sys [139784 2012-07-04] (Microsoft Corporation)S1 redbook; C:\Windows\System32\DRIVERS\redbook.sys [57600 2008-04-13] (Microsoft Corporation)S2 rimspci; C:\Windows\System32\DRIVERS\rimspe86.sys [45056 2009-02-12] (REDC)S2 risdxc; C:\Windows\System32\DRIVERS\risdxc86.sys [76288 2011-05-25] (REDC)S3 RTL8192se; C:\Windows\System32\DRIVERS\rtl8192se.sys [873576 2010-06-28] (Realtek Semiconductor Corporation                           )S3 sdbus; C:\Windows\System32\DRIVERS\sdbus.sys [80384 2009-05-14] (Microsoft Corporation)S3 Secdrv; C:\Windows\System32\DRIVERS\secdrv.sys [20480 2008-04-13] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)S3 Serenum; C:\Windows\System32\DRIVERS\serenum.sys [15744 2008-04-14] (Microsoft Corporation)S1 Serial; C:\Windows\System32\DRIVERS\serial.sys [64512 2008-04-14] (Microsoft 
Corporation)S1 Sfloppy; C:\Windows\System32\Drivers\Sfloppy.sys [11392 2008-04-14] (Microsoft Corporation)S0 Shockprf; C:\Windows\System32\DRIVERS\Apsx86.sys [120360 2009-10-09] (Lenovo.)S4 sisagp; C:\Windows\system32\DRIVERS\sisagp.sys [40960 2008-04-14] (Silicon Integrated Systems Corporation)S3 SLIP; C:\Windows\System32\DRIVERS\SLIP.sys [11136 2008-04-14] (Microsoft Corporation)S4 Sparrow; C:\Windows\system32\DRIVERS\sparrow.sys [19072 2001-08-23] (Adaptec, Inc.)S3 splitter; C:\Windows\System32\drivers\splitter.sys [6272 2008-04-14] (Microsoft Corporation)S0 sr; C:\Windows\System32\DRIVERS\sr.sys [73472 2008-04-14] (Microsoft Corporation)S3 Srv; C:\Windows\System32\DRIVERS\srv.sys [357888 2011-02-17] (Microsoft Corporation)S3 ssmirrdr; C:\Windows\System32\DRIVERS\ssmirrdr.sys [10112 2012-06-14] (support.com, Inc)S0 stmtpm; C:\Windows\System32\DRIVERS\stm_tpm.sys [21504 2007-06-08] (STMicroelectronics, INC)S3 streamip; C:\Windows\System32\DRIVERS\StreamIP.sys [15232 2008-04-14] (Microsoft Corporation)S3 SuperIO; C:\Windows\System32\DRIVERS\spio.sys [5760 2008-03-06] ()S3 swenum; C:\Windows\System32\DRIVERS\swenum.sys [4352 2008-04-14] (Microsoft Corporation)S3 swmidi; C:\Windows\System32\drivers\swmidi.sys [56576 2008-04-14] (Microsoft Corporation)S4 symc810; C:\Windows\system32\DRIVERS\symc810.sys [16256 2001-08-23] (Symbios Logic Inc.)S4 symc8xx; C:\Windows\system32\DRIVERS\symc8xx.sys [32640 2001-08-23] (LSI Logic)S4 sym_hi; C:\Windows\system32\DRIVERS\sym_hi.sys [28384 2001-08-23] (LSI Logic)S4 sym_u3; C:\Windows\system32\DRIVERS\sym_u3.sys [30688 2001-08-23] (LSI Logic)S3 SynTP; C:\Windows\System32\DRIVERS\SynTP.sys [1346608 2011-05-19] (Synaptics Incorporated)S3 sysaudio; C:\Windows\System32\drivers\sysaudio.sys [60800 2008-04-14] (Microsoft Corporation)S1 Tcpip; C:\Windows\System32\DRIVERS\tcpip.sys [361600 2008-06-20] (Microsoft Corporation)S3 TDPIPE; C:\Windows\System32\Drivers\TDPIPE.sys [12040 2008-04-14] (Microsoft Corporation)S3 TDTCP; 
C:\Windows\System32\Drivers\TDTCP.sys [21896 2008-04-14] (Microsoft Corporation)S1 TermDD; C:\Windows\System32\DRIVERS\termdd.sys [40840 2008-04-14] (Microsoft Corporation)S2 tmactmon; C:\WINDOWS\system32\drivers\tmactmon.sys [59472 2010-07-19] (Trend Micro Inc.)S2 tmcomm; C:\WINDOWS\system32\drivers\tmcomm.sys [163408 2010-07-19] (Trend Micro Inc.)S2 tmevtmgr; C:\WINDOWS\system32\drivers\tmevtmgr.sys [51792 2010-07-19] (Trend Micro Inc.)S2 TmFilter; C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys [262416 2011-07-12] (Trend Micro Inc.)S2 TmPreFilter; C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys [36624 2011-07-12] (Trend Micro Inc.)S1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [78352 2009-02-23] (Trend Micro Inc.)S4 TosIde; C:\Windows\system32\DRIVERS\toside.sys [4992 2001-08-23] (Microsoft Corporation)S0 TPDIGIMN; C:\Windows\System32\DRIVERS\ApsHM86.sys [20520 2009-10-09] (Lenovo.)S1 TPHKDRV; C:\Windows\System32\DRIVERS\TPHKDRV.sys [17844 2008-05-12] (Lenovo Group Limited)S1 TPPWRIF; C:\Windows\System32\drivers\Tppwrif.sys [12144 2012-02-28] (Lenovo Group Limited)S3 TVTI2C; C:\Windows\System32\DRIVERS\Tvti2c.sys [37184 2008-07-16] (Lenovo (United States) Inc.)S4 Udfs; C:\Windows\System32\Drivers\Udfs.sys [66048 2008-04-14] (Microsoft Corporation)S4 ultra; C:\Windows\system32\DRIVERS\ultra.sys [36736 2001-08-23] (Promise Technology, Inc.)S3 Update; C:\Windows\System32\DRIVERS\update.sys [384768 2008-04-14] (Microsoft Corporation)S3 usbccgp; C:\Windows\System32\DRIVERS\usbccgp.sys [32128 2008-04-14] (Microsoft Corporation)S3 usbehci; C:\Windows\System32\DRIVERS\usbehci.sys [30208 2008-04-14] (Microsoft Corporation)S3 usbhub; C:\Windows\System32\DRIVERS\usbhub.sys [59520 2008-04-14] (Microsoft Corporation)S3 USBSTOR; C:\Windows\System32\DRIVERS\USBSTOR.SYS [26368 2008-04-14] (Microsoft Corporation)S3 usbuhci; C:\Windows\System32\DRIVERS\usbuhci.sys [20608 2008-04-14] (Microsoft Corporation)S3 usbvideo; 

I'll have a look at it. Meanwhile, do the following. I did some research in our internals and found out that this malware hides in well-known places.

Fix with FRST

  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    Reg: reg query /s hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Reg: reg query /s hkcr\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}\InProcServer32
    Reg: reg query /s hkcr\CLSID\{28949824-6737-0594-0930-223283753445}\InProcServer32
    Reg: reg query /s HKLM\SYSTEM\CurrentControlSet\Services\winmgmt
    SaveMbr: Drive=0


    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Now please enter System Recovery Options again.
  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.


And here is the latest:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 19-06-2013
Ran by SYSTEM at 2013-06-19 08:11:34 Run:4
Running from D:\
Boot Mode: Recovery
=======================================================

=========  reg query /s hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon =========
Error:  Invalid key name
========= End of Reg: =========

=========  reg query /s hkcr\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}\InProcServer32 =========
Error:  Invalid key name
========= End of Reg: =========

=========  reg query /s hkcr\CLSID\{28949824-6737-0594-0930-223283753445}\InProcServer32 =========
Error:  Invalid key name
========= End of Reg: =========

=========  reg query /s HKLM\SYSTEM\CurrentControlSet\Services\winmgmt =========
Error:  Invalid key name
========= End of Reg: =========

MBRDUMP.txt is made successfully.

==== End of Fixlog ====

I found the error.

Re-run the FRST fix with the following fixlist.txt:

Reg: reg query "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /s
Reg: reg query "hkcr\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}\InProcServer32" /s
Reg: reg query "hkcr\CLSID\{28949824-6737-0594-0930-223283753445}\InProcServer32" /s
Reg: reg query "HKLM\SYSTEM\CurrentControlSet\Services\winmgmt" /s
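An added example (not code from this thread, from FRST or from Farbar) that covers both posts above: it lints FRST `Reg:` lines for the two mistakes reg.exe rejected with "Invalid key name" (a switch before the key name, an unquoted key containing a space) and rewrites them into the quoted, key-first form of the re-run, then parses `reg query` output in the Fixlog format to flag a Winlogon Shell or Userinit value that deviates from the XP default. The sample dumps are constructed, the locker path is a placeholder, and the default values assumed are the clean ones posted in this thread.

```python
import re

# Windows XP defaults for the two Winlogon values a screen locker most often replaces
# (the clean values posted in this thread; a Windows directory other than C:\WINDOWS
# needs its own Userinit path here).
XP_WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"c:\windows\system32\userinit.exe,",
}

# The fixlist from the first FRST fix above, rejected with "Invalid key name".
BAD_FIXLIST = "\n".join([
    r"Reg: reg query /s hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"Reg: reg query /s hkcr\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}\InProcServer32",
    r"Reg: reg query /s hkcr\CLSID\{28949824-6737-0594-0930-223283753445}\InProcServer32",
    r"Reg: reg query /s HKLM\SYSTEM\CurrentControlSet\Services\winmgmt",
    "SaveMbr: Drive=0",
])

REG_QUERY = re.compile(r"(\s*Reg:\s*reg\s+query\s+)(.*)$", re.I)
SWITCH_S = r"(^/s\s+|\s+/s$)"  # a leading or trailing /s switch

def lint_fixlist(text):
    """Return (line number, problem) for 'Reg: reg query' lines reg.exe 3.0 rejects:
    a switch before the key name, or an unquoted key name containing a space."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REG_QUERY.match(line)
        if not m:
            continue
        args = m.group(2).strip()
        if args.startswith("/"):
            problems.append((n, "switch given before the key name"))
        key = re.sub(SWITCH_S, "", args, flags=re.I)
        if " " in key and not (key.startswith('"') and key.endswith('"')):
            problems.append((n, "key name containing a space is not quoted"))
    return problems

def fix_fixlist(text):
    """Rewrite each 'Reg: reg query' line into the form that worked on the re-run:
    the key name first, in double quotes, then /s if it was requested."""
    out = []
    for line in text.splitlines():
        m = REG_QUERY.match(line)
        if not m:
            out.append(line)
            continue
        args = m.group(2).strip()
        recursive = re.search(r"(^|\s)/s(\s|$)", args, re.I) is not None
        key = re.sub(SWITCH_S, "", args, flags=re.I).strip().strip('"')
        out.append(f'{m.group(1).rstrip()} "{key}"' + (" /s" if recursive else ""))
    return "\n".join(out)

def parse_reg_query(output):
    """Parse 'reg query <key> /s' output as reg.exe 3.0 prints it: a key path on its
    own line, then values as '    name<TAB>type<TAB>data'. Returns {key: {name: (type, data)}}."""
    keys, current = {}, None
    for line in output.splitlines():
        if line.upper().startswith("HKEY_"):  # key path on a line of its own
            current = line.strip()
            keys.setdefault(current, {})
        elif line.startswith(" ") and line.strip() and current is not None:
            parts = line.strip().split("\t")  # strip() drops the tab of an empty data field
            vtype = parts[1] if len(parts) > 1 else ""
            data = parts[2] if len(parts) > 2 else ""
            keys[current][parts[0]] = (vtype, data)
        # the '! REG.EXE VERSION' banner and 'Error:' lines fall through
    return keys

def audit_winlogon(output):
    """Compare Shell and Userinit under the Winlogon key with the XP defaults and
    return one finding per deviating value."""
    keys = parse_reg_query(output)
    root = next((k for k in keys if k.lower().endswith(r"\winlogon")), None)
    if root is None:
        return ["Winlogon key not found in output"]
    findings = []
    for name, expected in XP_WINLOGON_DEFAULTS.items():
        _vtype, data = keys[root].get(name, ("", ""))
        if data.strip().lower() != expected:
            findings.append(f"{name} = {data!r} (expected {expected!r})")
    return findings

# Constructed sample in the Fixlog output format, trimmed to the values this check
# reads plus one Notify subkey; the data are the clean values from the thread.
SAMPLE_CLEAN = "\n".join([
    "! REG.EXE VERSION 3.0",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
    "    Shell\tREG_SZ\tExplorer.exe",
    "    Userinit\tREG_SZ\tC:\\WINDOWS\\system32\\userinit.exe,",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll",
    "    DLLName\tREG_SZ\tcscdll.dll",
])

SAMPLE_HIJACKED = SAMPLE_CLEAN.replace(  # constructed; the appended path is a placeholder
    "\tExplorer.exe",
    "\tExplorer.exe,C:\\Documents and Settings\\user\\Application Data\\PLACEHOLDER-locker.exe",
)

if __name__ == "__main__":
    print(fix_fixlist(BAD_FIXLIST))
    print(lint_fixlist(BAD_FIXLIST), audit_winlogon(SAMPLE_HIJACKED), sep="\n")
```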

This looks a lot better

Link to post
Share on other sites

Looks pretty empty in here:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 19-06-2013
Ran by SYSTEM at 2013-06-19 08:39:11 Run:6
Running from D:\
Boot Mode: Recovery
==============================================

==== End of Fixlog ====
Link to post
Share on other sites

That is REALLY bad - let's try to get this all fixed:

Download the attached winmgmt.zip and extract it to the root of your USB flash device.

Then, run FRST with the following fix.

REG: reg restore "HKLM\SYSTEM\CurrentControlSet\Services\winmgmt" D:\winmgmt.hiv
REG: reg query "HKLM\SYSTEM\CurrentControlSet\Services\winmgmt" /s
CMD: fixmbr
CMD: fixboot c:
SaveMbr: Drive=0

winmgmt.zip

Link to post
Share on other sites

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 19-06-2013

Ran by SYSTEM at 2013-06-19 08:59:45 Run:8

Running from D:\

Boot Mode: Recovery

==============================================

========= reg restore "HKLM\SYSTEM\CurrentControlSet\Services\winmgmt" D:\winmgmt.hiv =========

Error: The system was unable to find the specified registry key or value

========= End of Reg: =========

========= reg query "HKLM\SYSTEM\CurrentControlSet\Services\winmgmt" /s =========

Error: The system was unable to find the specified registry key or value

========= End of Reg: =========

========= fixmbr =========

'fixmbr' is not recognized as an internal or external command,

operable program or batch file.

========= End of CMD: =========

========= fixboot c: =========

'fixboot' is not recognized as an internal or external command,

operable program or batch file.

========= End of CMD: =========

MBRDUMP.txt is made successfully.

==== End of Fixlog ====

Link to post
Share on other sites

Now we have something?

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 19-06-2013
Ran by SYSTEM at 2013-06-19 09:07:40 Run:9
Running from D:\
Boot Mode: Recovery
==============================================

========= reg query "HKLM\SYSTEM\ControlSet001\Services\winmgmt" /s =========

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt
    Type	REG_DWORD	0x20
    Start	REG_DWORD	0x2
    ErrorControl	REG_DWORD	0x0
    ImagePath	REG_EXPAND_SZ	%systemroot%\system32\svchost.exe -k netsvcs
    DisplayName	REG_SZ	Windows Management Instrumentation
    DependOnService	REG_MULTI_SZ	RPCSS\0\0
    DependOnGroup	REG_MULTI_SZ	\0
    ObjectName	REG_SZ	LocalSystem
    FailureActions	REG_BINARY	80510100000000000000000002000000030003000100000060EA00000100000060EA0000
    Description	REG_SZ	Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt\Parameters
    ServiceDll	REG_EXPAND_SZ	%SystemRoot%\system32\wbem\WMIsvc.dll
    ServiceMain	REG_SZ	ServiceMain

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt\Security
    Security	REG_BINARY	01001480900000009C000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020060000400000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D01020001010000000000050B00000000001800FD01020001020000000000052000000023020000010100000000000512000000010100000000000512000000

========= End of Reg: =========

========= reg query "HKLM\SYSTEM\ControlSet002\Services\winmgmt" /s =========

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\winmgmt
    Type	REG_DWORD	0x20
    Start	REG_DWORD	0x2
    ErrorControl	REG_DWORD	0x0
    ImagePath	REG_EXPAND_SZ	%systemroot%\system32\svchost.exe -k netsvcs
    DisplayName	REG_SZ	Windows Management Instrumentation
    DependOnService	REG_MULTI_SZ	RPCSS\0\0
    DependOnGroup	REG_MULTI_SZ	\0
    ObjectName	REG_SZ	LocalSystem
    FailureActions	REG_BINARY	80510100000000000000000002000000030003000100000060EA00000100000060EA0000
    Description	REG_SZ	Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\winmgmt\Parameters
    ServiceDll	REG_EXPAND_SZ	%SystemRoot%\system32\wbem\WMIsvc.dll
    ServiceMain	REG_SZ	ServiceMain

HKEY_LOCAL_MACHINE\System\ControlSet002\Services\winmgmt\Security
    Security	REG_BINARY	01001480900000009C000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020060000400000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D01020001010000000000050B00000000001800FD01020001020000000000052000000023020000010100000000000512000000010100000000000512000000

========= End of Reg: =========

==== End of Fixlog ====
Link to post
Share on other sites
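The `Security` value in the winmgmt dump above is a self-relative Windows security descriptor: it is what the Service Control Manager consults to decide who may query, start, stop, delete or reconfigure the service. Confirming that the key exists, as the thread does, is only half the check; a service key that malware has replaced or restored from an untrusted hive can look complete while its ACL has been loosened. The script below is an added example, not part of the thread or of FRST, that decodes such a blob into SDDL (the same notation `sc sdshow` prints) and flags allow entries that hand takeover rights to a low-privilege principal. The hex constant is the ControlSet001 value copied from the log above; the `TAKEOVER` mask and `LOW_PRIV` set are my own heuristic choices, and the weakened descriptor in the usage note is constructed.

```python
"""Decode the REG_BINARY `Security` value of a Windows service key.

Services\<name>\Security holds a self-relative SECURITY_DESCRIPTOR that the
Service Control Manager enforces. Standard library only; works offline on the
hex text copied out of a `reg query` dump.
"""
import struct

# Service-specific rights (winsvc.h) plus the standard rights seen in service
# ACLs, in the order SDDL prints them, with their two-letter SDDL codes.
RIGHTS = [
    (0x00000001, "CC"),  # SERVICE_QUERY_CONFIG
    (0x00000002, "DC"),  # SERVICE_CHANGE_CONFIG
    (0x00000004, "LC"),  # SERVICE_QUERY_STATUS
    (0x00000008, "SW"),  # SERVICE_ENUMERATE_DEPENDENTS
    (0x00000010, "RP"),  # SERVICE_START
    (0x00000020, "WP"),  # SERVICE_STOP
    (0x00000040, "DT"),  # SERVICE_PAUSE_CONTINUE
    (0x00000080, "LO"),  # SERVICE_INTERROGATE
    (0x00000100, "CR"),  # SERVICE_USER_DEFINED_CONTROL
    (0x00010000, "SD"),  # DELETE
    (0x00020000, "RC"),  # READ_CONTROL
    (0x00040000, "WD"),  # WRITE_DAC
    (0x00080000, "WO"),  # WRITE_OWNER
]
ACE_FLAGS = [(0x01, "OI"), (0x02, "CI"), (0x04, "NP"), (0x08, "IO"),
             (0x10, "ID"), (0x40, "SA"), (0x80, "FA")]
ACE_TYPES = {0x00: "A", 0x01: "D", 0x02: "AU"}   # allow, deny, audit
WELL_KNOWN = {"S-1-1-0": "WD", "S-1-5-18": "SY", "S-1-5-11": "AU",
              "S-1-5-32-544": "BA", "S-1-5-32-545": "BU", "S-1-5-32-547": "PU"}
# Heuristic (my choice): rights that let a principal replace or take over the
# service, and principals any local user or process can act as.
TAKEOVER = 0x00000002 | 0x00010000 | 0x00040000 | 0x00080000
LOW_PRIV = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545", "S-1-5-32-546", "S-1-5-7"}

# `Security` value of ControlSet001\Services\winmgmt, copied from the FRST log
# above; the string is split here only to show the structure.
WINMGMT_SECURITY = (
    "01001480" "90000000" "9C000000" "14000000" "30000000"      # SD header
    "02001C00" "01000000"                                       # SACL, 1 ACE
    "02801400" "FF010F00" "010100000000000100000000"            # audit failed access, Everyone
    "02006000" "04000000"                                       # DACL, 4 ACEs
    "00001400" "FD010200" "010100000000000512000000"            # allow SYSTEM
    "00001800" "FF010F00" "01020000000000052000000020020000"    # allow Administrators
    "00001400" "8D010200" "0101000000000005" "0B000000"         # allow Authenticated Users
    "00001800" "FD010200" "01020000000000052000000023020000"    # allow Power Users
    "010100000000000512000000"                                  # owner SYSTEM
    "010100000000000512000000"                                  # group SYSTEM
)


def parse_sid(buf, off):
    """Return (SID string, byte length) for the SID starting at `off`."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count


def parse_acl(buf, off):
    """Parse the ACL at `off` into a list of ACE dicts (SID-based ACEs only)."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        atype, flags, asize = struct.unpack_from("<BBH", buf, pos)
        if atype > 0x03:  # object/callback ACEs do not occur in service descriptors
            raise ValueError("unsupported ACE type 0x%02x" % atype)
        mask = struct.unpack_from("<I", buf, pos + 4)[0]
        aces.append({"type": atype, "flags": flags, "mask": mask,
                     "sid": parse_sid(buf, pos + 8)[0]})
        pos += asize  # ACE sizes are self-describing, so padding is skipped too
    return aces


def parse_service_sd(hexblob):
    """Decode a self-relative security descriptor given as a hex string."""
    buf = bytes.fromhex(hexblob)
    rev, _sbz1, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & 0x8000:  # SE_SELF_RELATIVE must be set
        raise ValueError("not a self-relative security descriptor")
    # dacl is None for both "no DACL" and "NULL DACL"; either means no restriction.
    return {
        "owner": parse_sid(buf, o_owner)[0] if o_owner else None,
        "group": parse_sid(buf, o_group)[0] if o_group else None,
        "dacl": parse_acl(buf, o_dacl) if (control & 0x0004) and o_dacl else None,
        "sacl": parse_acl(buf, o_sacl) if (control & 0x0010) and o_sacl else None,
    }


def rights_to_sddl(mask):
    return "".join(code for bit, code in RIGHTS if mask & bit)


def ace_to_sddl(ace):
    flags = "".join(code for bit, code in ACE_FLAGS if ace["flags"] & bit)
    sid = WELL_KNOWN.get(ace["sid"], ace["sid"])
    atype = ACE_TYPES.get(ace["type"], "0x%02x" % ace["type"])
    return "(%s;%s;%s;;;%s)" % (atype, flags, rights_to_sddl(ace["mask"]), sid)


def to_sddl(sd):
    """Render the parsed descriptor as an SDDL string."""
    out = []
    for tag, key in (("O:", "owner"), ("G:", "group")):
        if sd[key]:
            out.append(tag + WELL_KNOWN.get(sd[key], sd[key]))
    for tag, key in (("D:", "dacl"), ("S:", "sacl")):
        if sd[key] is not None:
            out.append(tag + "".join(ace_to_sddl(a) for a in sd[key]))
    return "".join(out)


def weak_grants(sd):
    """Allow ACEs giving a low-privilege principal takeover rights, or a missing DACL."""
    if sd["dacl"] is None:
        return ["No or NULL DACL: unrestricted access for everyone"]
    return [ace_to_sddl(a) for a in sd["dacl"]
            if a["type"] == 0 and a["sid"] in LOW_PRIV and a["mask"] & TAKEOVER]


if __name__ == "__main__":
    sd = parse_service_sd(WINMGMT_SECURITY)
    print(to_sddl(sd))
    print("weak grants:", weak_grants(sd) or "none")
```

For the blob from the log this prints `O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)` and no weak grants: only SYSTEM and Administrators can change the configuration, Authenticated Users get read-only rights, and failed access by Everyone is audited, which is the stock descriptor Windows XP gives its services. Appending a constructed `(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)` entry, the kind of change a service hijack leaves behind, makes `weak_grants` report it. Two caveats when running such checks against a hive that FRST reads offline from the recovery environment, as in this thread: `CurrentControlSet` is a link the kernel creates at boot from `HKLM\SYSTEM\Select\Current`, so in an offline hive only `ControlSet001`, `ControlSet002` and so on exist, which is why the earlier query under `CurrentControlSet` failed while the same key was found under both numbered control sets; and a matching ACL says nothing about the `ServiceDll` and `ImagePath` values, which should be compared against the expected paths separately.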

This topic is now closed to further replies.