Jump to content

Ok - another one of thosetopics.


Recommended Posts

Hi all,

We'll - I'm in safe mode.. :D This fake virus program has me at my end. I've tried everything on the stickies, posts of similar issues and nothing is working. Attached is my Win32KDiag.txt - I must have downloaded and tried to run combofix, MBAM etc 5 times to no avail. I'm running XP professional. Any help would be appreciated.

Log file is located at: C:\Documents and Settings\SmithPJ\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP474.tmp\ZAP474.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9D.tmp\ZAP9D.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9F.tmp\ZAP9F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\I386\WIN9XMIG\MSNEXPLR\MSNEXPLR

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\17400AB28230347339DBAF1833357A38\3.1.21022\3.1.21022

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\62287FAB00234BD4EB33D429A2978904\3.0.6920\3.0.6920

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0407\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0407\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0407\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0413\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0413\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0413\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1409082233-2052111302-725345543-500\S-1-5-21-1409082233-2052111302-725345543-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2373621041-469255773-220526481-34194\S-1-5-21-2373621041-469255773-220526481-34194

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Apple Computer\iTunes\iTunes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{96D91804-E578-4594-B2BA-7ED0D9B99693}\{96D91804-E578-4594-B2BA-7ED0D9B99693}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intel\Wireless\Wireless

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\DPEPVQVE\DPEPVQVE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\AddIns\AddIns

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Word\STARTUP\STARTUP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\ext\ext

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\file

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\ext\ext

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\security\security

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\tmp\si\si

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\ThinkVantage\Client Security\Client Security

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\Access Connections\Received Files\Received Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\4NS54DUP\4NS54DUP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\OVCDEDKN\OVCDEDKN

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\SBSXURGH\SBSXURGH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 08:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 08:00:00 63488 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 08:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup\Startup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\User

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Macromed\Shockwave 8\DswMedia\DswMedia

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Macromed\Shockwave 8\Prefs\Prefs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\WinFox\WinFox

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Finished!

Link to post
Share on other sites

  • Staff

Hi frustratedibm and welcome to Malwarebytes.

Please delete your copy of Win32kDiag.

Please save this file to your Desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

-screen317

Link to post
Share on other sites

Hey thanks for the quick response. Here is the output

Log file is located at: C:\Documents and Settings\SmithPJ\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP474.tmp\ZAP474.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP474.tmp\ZAP474.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9D.tmp\ZAP9D.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9D.tmp\ZAP9D.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9F.tmp\ZAP9F.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9F.tmp\ZAP9F.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\I386\WIN9XMIG\MSNEXPLR\MSNEXPLR

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\I386\WIN9XMIG\MSNEXPLR\MSNEXPLR

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\17400AB28230347339DBAF1833357A38\3.1.21022\3.1.21022

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\17400AB28230347339DBAF1833357A38\3.1.21022\3.1.21022

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\62287FAB00234BD4EB33D429A2978904\3.0.6920\3.0.6920

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\62287FAB00234BD4EB33D429A2978904\3.0.6920\3.0.6920

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0407\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0407\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0407\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0407\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0407\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0407\System_OEM\System_OEM

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0413\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0413\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0413\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0413\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0413\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0413\System_OEM\System_OEM

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\security\logs\logs

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1409082233-2052111302-725345543-500\S-1-5-21-1409082233-2052111302-725345543-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1409082233-2052111302-725345543-500\S-1-5-21-1409082233-2052111302-725345543-500

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2373621041-469255773-220526481-34194\S-1-5-21-2373621041-469255773-220526481-34194

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2373621041-469255773-220526481-34194\S-1-5-21-2373621041-469255773-220526481-34194

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Apple Computer\iTunes\iTunes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Apple Computer\iTunes\iTunes

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{96D91804-E578-4594-B2BA-7ED0D9B99693}\{96D91804-E578-4594-B2BA-7ED0D9B99693}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{96D91804-E578-4594-B2BA-7ED0D9B99693}\{96D91804-E578-4594-B2BA-7ED0D9B99693}

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intel\Wireless\Wireless

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intel\Wireless\Wireless

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\DPEPVQVE\DPEPVQVE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\DPEPVQVE\DPEPVQVE

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\AddIns\AddIns

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\AddIns\AddIns

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Word\STARTUP\STARTUP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Word\STARTUP\STARTUP

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\ext\ext

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\ext\ext

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\file

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\file

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\tmp\tmp

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\tmp\tmp

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\ext\ext

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\ext\ext

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\security\security

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\security\security

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\tmp\si\si

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\tmp\si\si

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\ThinkVantage\Client Security\Client Security

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\ThinkVantage\Client Security\Client Security

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Links\Links

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\Access Connections\Received Files\Received Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\Access Connections\Received Files\Received Files

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\4NS54DUP\4NS54DUP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\UserData\4NS54DUP\4NS54DUP

Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\OVCDEDKN\OVCDEDKN

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\UserData\OVCDEDKN\OVCDEDKN

Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\SBSXURGH\SBSXURGH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\UserData\SBSXURGH\SBSXURGH

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 08:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 08:00:00 63488 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 08:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup\Startup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup\Startup

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\User

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\User\User

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Found mount point : C:\WINDOWS\system32\Macromed\Shockwave 8\DswMedia\DswMedia

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Macromed\Shockwave 8\DswMedia\DswMedia

Found mount point : C:\WINDOWS\system32\Macromed\Shockwave 8\Prefs\Prefs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Macromed\Shockwave 8\Prefs\Prefs

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Macromed\update\update

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\good\good

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\WinFox\WinFox

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\WinFox\WinFox

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Finished!

Link to post
Share on other sites

  • Staff

Please don't bump your topics. It only serves to flood my inbox.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites

  • Staff

Hi,

We need to execute an Avenger2 script.

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Please download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Files to move:
    C:\WINDOWS\system32\dllcache\eventlog.dll | C:\WINDOWS\system32\eventlog.dll


  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Next, try running ComboFix.

-screen317

Link to post
Share on other sites

Hey there! ok - here goes..

Avenger log is below and combofix didn't run - message "Windows cannot open program because it's been prevented by software restriction policy. blah blah" I'm no longer in safe mode.

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)

Thu Aug 27 21:03:11 2009

21:03:11: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File move operation "C:\WINDOWS\system32\dllcache\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

Link to post
Share on other sites

Right after I posted combofix updated and ran.. here is the log.

ComboFix 09-08-27.02 - SmithPJ 08/27/2009 21:32.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.609 [GMT -4:00]

Running from: c:\documents and settings\SmithPJ\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\djos.exe

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\All Users\Application Data\tynevur._sy

c:\documents and settings\All Users\Documents\duqysojepy.bat

c:\documents and settings\All Users\Documents\tadame.dll

c:\documents and settings\SmithPJ\Cookies\rijurikeqo.bat

c:\documents and settings\SmithPJ\Local Settings\Application Data\ojyceni.vbs

c:\documents and settings\SmithPJ\Local Settings\Application Data\rylokov.exe

c:\documents and settings\SmithPJ\Local Settings\Application Data\ysyfa.exe

C:\kvhwftjn.exe

C:\lcbckjms.exe

c:\program files\Common Files\faheqafi.sys

c:\program files\Common Files\isoh.reg

c:\recycler\S-1-5-21-1409082233-2052111302-725345543-500

C:\sdlb.exe

c:\windows\Installer\WMEncoder.msi

c:\windows\jyrigi.pif

c:\windows\rerenili.dl

c:\windows\system32\~.exe

c:\windows\system32\braviax.exe

c:\windows\system32\runog.sys

c:\windows\system32\wisdstr.exe

C:\yihw.exe

----- BITS: Possible infected sites -----

hxxp://155.16.59.74

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-28 )))))))))))))))))))))))))))))))

.

2009-08-26 22:59 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-26 22:59 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-26 22:55 . 2009-08-26 22:55 -------- d-sh--we c:\windows\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown

2009-08-25 21:52 . 2009-08-25 21:52 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

2009-08-25 21:35 . 2009-08-26 22:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-25 19:31 . 2009-08-25 19:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder

2009-08-25 19:31 . 2009-08-25 19:31 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-08-25 18:46 . 2009-08-25 18:46 -------- d-sh--w- c:\documents and settings\SmithPJ\IECompatCache

2009-08-25 18:29 . 2009-08-25 18:31 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\MalwareRemovalBot

2009-08-25 18:11 . 2009-08-25 18:11 45056 -c--a-w- C:\dvrdiqbe.exe

2009-08-25 18:11 . 2009-08-25 18:11 705 -c--a-w- C:\cuopy.exe

2009-08-25 18:11 . 2009-08-25 18:11 26112 -c--a-w- C:\sndanmiw.exe

2009-08-25 18:11 . 2009-08-25 18:11 198150 -c--a-w- C:\jybmkssu.exe

2009-08-20 14:48 . 2009-08-20 14:48 -------- d-sh--w- c:\documents and settings\SmithPJ\PrivacIE

2009-08-20 14:35 . 2009-08-20 14:35 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2009-08-20 14:35 . 2009-08-20 14:35 -------- d-sh--w- c:\documents and settings\SmithPJ\IETldCache

2009-08-20 14:16 . 2009-08-20 14:19 -------- dc-h--w- c:\windows\ie8

2009-08-19 19:20 . 2009-08-19 20:36 -------- d-----w- c:\program files\Shared

2009-08-06 22:06 . 2009-08-06 22:06 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\Malwarebytes

2009-08-06 22:06 . 2009-08-06 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-06 21:22 . 2009-08-06 21:22 19466 ----a-w- c:\documents and settings\SmithPJ\Local Settings\Application Data\uhidabexa.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-26 23:30 . 2007-10-23 20:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-25 21:19 . 2006-09-05 13:52 -------- d-----w- c:\program files\Symantec

2009-08-25 21:19 . 2006-09-05 13:51 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-08-25 21:19 . 2006-09-05 13:51 -------- d-----w- c:\program files\Symantec AntiVirus

2009-08-25 21:19 . 2006-09-05 13:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-08-24 18:29 . 2007-10-03 17:52 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\.purple

2009-08-06 21:22 . 2009-08-06 21:22 13954 ----a-w- c:\documents and settings\All Users\Application Data\qyfiwoqoc.dat

2009-08-06 20:48 . 2009-07-07 01:43 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\HPAppData

2009-08-05 16:05 . 2009-07-09 19:43 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\Meeting Center

2009-07-23 12:50 . 2009-07-23 12:49 -------- d-----w- c:\program files\iTunes

2009-07-23 12:50 . 2009-07-23 12:49 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-23 12:49 . 2009-07-23 12:49 -------- d-----w- c:\program files\iPod

2009-07-23 12:49 . 2008-11-04 05:08 -------- d-----w- c:\program files\Common Files\Apple

2009-07-23 12:46 . 2009-07-23 12:46 -------- d-----w- c:\program files\QuickTime

2009-07-23 12:44 . 2008-11-04 05:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-07-23 12:41 . 2009-07-23 12:41 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe

2009-07-16 12:30 . 2009-07-15 12:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-07-16 12:30 . 2009-07-15 12:49 -------- d-----w- c:\program files\NOS

2009-07-09 19:43 . 2009-07-09 19:43 -------- d-----w- c:\program files\Meeting Center

2009-07-09 16:16 . 2009-07-23 12:43 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-07-09 16:16 . 2008-11-04 05:09 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-07-08 01:18 . 2009-07-08 01:18 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\ieSpell

2009-07-08 01:18 . 2009-07-08 01:18 -------- d-----w- c:\program files\ieSpell

2009-07-07 02:04 . 2009-07-07 00:55 186633 ----a-w- c:\windows\hpwins23.dat

2009-07-07 01:21 . 2007-12-11 16:13 394624 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-07-07 01:20 . 2009-07-07 01:20 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\HP

2009-07-07 01:18 . 2009-07-07 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG

2009-07-07 01:13 . 2009-07-07 01:00 -------- d-----w- c:\program files\HP

2009-07-07 01:13 . 2008-02-08 17:20 -------- d-----w- c:\program files\Hewlett-Packard

2009-07-07 01:13 . 2009-07-07 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\HP

2009-07-07 01:12 . 2009-07-07 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant

2009-07-07 01:02 . 2009-07-07 01:02 -------- d-----w- c:\program files\Common Files\HP

2004-08-04 12:00 . 2006-09-05 16:03 73728 --sha-w- c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-20 68856]

"MeetingLauncher"="c:\program files\Meeting Center\Modules\Launcher\mcLauncher.exe" [2009-06-25 456000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-03-27 136768]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"configmsi"="rmdir" [X]

"supportdir"="rmdir" [X]

"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]

2006-06-19 07:06 49152 ----a-w- c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]

2004-12-16 23:33 24672 ----a-w- c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2005-07-06 04:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

2005-12-01 01:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2373621041-469255773-220526481-34194\Scripts\Logon\0\0]

"Script"=PerotLogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2373621041-469255773-220526481-63435\Scripts\Logon\0\0]

"Script"=PerotLogon.bat

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk

backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk

backup=c:\windows\pss\officejet 6100.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\marimba\\tuner\\lib\\jre\\bin\\java.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SERVICE.EXE"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.EXE"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_DIAGNOSTICS.EXE"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"8888:TCP"= 8888:TCP:CMS

"7717:TCP"= 7717:TCP:MARIMBA (TCP 7717)

"7717:UDP"= 7717:UDP:MARIMBA (UDP 7717)

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"3389:UDP"= 3389:UDP:Remote Desktop (UDP)

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [9/5/2006 4:15 PM 85760]

R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [9/5/2006 4:15 PM 4736]

R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [9/7/2006 1:54 PM 4442]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/26/2009 6:59 PM 232720]

R2 RemoteClientManagementServiceProvider;Remote Client Management Service Provider;c:\program files\marimba\tuner\Tuner.exe [3/31/2006 3:54 PM 36953]

R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [11/13/2007 3:07 PM 17456]

R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [11/13/2007 3:07 PM 670128]

R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [11/13/2007 3:07 PM 2041904]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/26/2009 6:59 PM 19096]

S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [11/13/2007 3:07 PM 14924]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2008-06-11 c:\windows\Tasks\PMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-09-07 06:13]

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

HKCU-Run-Yahoo! Pager - c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

Notify-NavLogon - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = https://train.ps.net/

uInternet Settings,ProxyServer = internet.ps.net:80

uInternet Settings,ProxyOverride = *.ps.net;*.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM

Trusted Zone: marimba.com\www

Trusted Zone: perotsystems.com

Trusted Zone: ps.net

Trusted Zone: ps.net\*.crm

Trusted Zone: ps.net\crm

Trusted Zone: ps.net\fusion

Trusted Zone: ps.net\inizio2

Trusted Zone: ps.net\projecttest

Trusted Zone: ps.net\psctx1

Trusted Zone: ps.net\ptcprint

Trusted Zone: ps.net\train

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-27 21:39

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\tphklock.dll

c:\program files\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'explorer.exe'(3264)

c:\windows\system32\PROCHLP.DLL

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ibmpmsvc.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\windows\system32\IPSSVC.EXE

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe

c:\program files\Lenovo\System Update\SUService.exe

c:\windows\system32\TPHDEXLG.exe

c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\windows\system32\ati2evxx.exe

c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.exe

c:\program files\McAfee\Common Framework\Mctray.exe

c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe

c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqbam08.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqgpc01.exe

c:\program files\marimba\tuner\lib\minituner.exe

.

**************************************************************************

.

Completion time: 2009-08-28 21:43 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-28 01:43

Pre-Run: 53,846,712,320 bytes free

Post-Run: 53,761,376,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

289 --- E O F --- 2009-01-09 14:16

Link to post
Share on other sites

  • Staff

Hi,

Could you post the logs from MBAM please?

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://www.malwarebytes.org/forums/index.php?showtopic=22625
Collect::
C:\dvrdiqbe.exe
C:\cuopy.exe
C:\sndanmiw.exe
C:\jybmkssu.exe
FCOPY::
C:\windows\system32\eventlog.dll | C:\WINDOWS\system32\dllcache\eventlog.dll

Save this as CFScript.txt

CFScriptB-4.gif

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

Next, update MBAM, run a Quick Scan, and post its log.

-screen317

Link to post
Share on other sites

Hey Chris,

Here goes - A lot of info coming. This is the first MBAM run..

Malwarebytes' Anti-Malware 1.40

Database version: 2708

Windows 5.1.2600 Service Pack 2

8/28/2009 10:21:55 AM

mbam-log-2009-08-28 (10-21-55).txt

Scan type: Quick Scan

Objects scanned: 102207

Time elapsed: 4 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 4

Folders Infected: 3

Files Infected: 11

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{42bf5d80-4fe5-40f3-a360-88fcf562f8f7} (Adware.Deepdive) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\SmithPJ\Application Data\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

C:\Documents and Settings\SmithPJ\Application Data\MalwareRemovalBot\Log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

C:\Documents and Settings\SmithPJ\Application Data\MalwareRemovalBot\Settings (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Files Infected:

C:\cuopy.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\dvrdiqbe.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\jybmkssu.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\sndanmiw.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\SmithPJ\Application Data\MalwareRemovalBot\rs.dat (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

C:\Documents and Settings\SmithPJ\Application Data\MalwareRemovalBot\Log\2009 Aug 25 - 02_29_43 PM_281.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

C:\Documents and Settings\SmithPJ\Application Data\MalwareRemovalBot\Log\2009 Aug 25 - 02_31_06 PM_484.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

C:\Documents and Settings\SmithPJ\Application Data\MalwareRemovalBot\Settings\ScanResults.pie (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

C:\WINDOWS\mark_32.dll (Adware.Deepdive) -> Quarantined and deleted successfully.

C:\Program Files\Shared\lib.dll (Adware.Deepdive) -> Quarantined and deleted successfully.

C:\Documents and Settings\SmithPJ\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Here is the second.. :-

Malwarebytes' Anti-Malware 1.40

Database version: 2708

Windows 5.1.2600 Service Pack 2

8/28/2009 11:02:49 AM

mbam-log-2009-08-28 (11-02-49).txt

Scan type: Full Scan (C:\|)

Objects scanned: 166064

Time elapsed: 31 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 13

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Qoobox\Quarantine\C\kvhwftjn.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\lcbckjms.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\yihw.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{23F955F8-5109-4096-A13D-2E53DB37E2B1}\RP365\A0078007.exe (Trojan.Banker) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{23F955F8-5109-4096-A13D-2E53DB37E2B1}\RP365\A0078163.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{23F955F8-5109-4096-A13D-2E53DB37E2B1}\RP365\A0078164.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{23F955F8-5109-4096-A13D-2E53DB37E2B1}\RP365\A0078173.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{23F955F8-5109-4096-A13D-2E53DB37E2B1}\RP365\A0078174.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{23F955F8-5109-4096-A13D-2E53DB37E2B1}\RP365\A0078371.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{23F955F8-5109-4096-A13D-2E53DB37E2B1}\RP365\A0078372.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{23F955F8-5109-4096-A13D-2E53DB37E2B1}\RP365\A0078373.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{23F955F8-5109-4096-A13D-2E53DB37E2B1}\RP365\A0078374.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

Here is the final I ran yesterday to make sure I was clean

Malwarebytes' Anti-Malware 1.40

Database version: 2708

Windows 5.1.2600 Service Pack 2

8/28/2009 7:01:39 PM

mbam-log-2009-08-28 (19-01-39).txt

Scan type: Full Scan (C:\|)

Objects scanned: 174281

Time elapsed: 33 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Here is the last ComboFix log and below that the last MBAM run.

ComboFix 09-08-29.01 - SmithPJ 08/29/2009 21:03.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.571 [GMT -4:00]

Running from: c:\documents and settings\SmithPJ\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\SmithPJ\Desktop\CFScript.txt

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

--------------- FCopy ---------------

c:\windows\system32\eventlog.dll --> c:\windows\system32\dllcache\eventlog.dll

.

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-30 )))))))))))))))))))))))))))))))

.

2009-08-30 01:03 . 2004-08-04 12:00 55808 -c--a-w- c:\windows\system32\dllcache\eventlog.dll

2009-08-28 14:15 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-28 14:15 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-26 22:55 . 2009-08-26 22:55 -------- d-sh--we c:\windows\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown

2009-08-25 21:52 . 2009-08-25 21:52 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

2009-08-25 21:35 . 2009-08-28 14:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-25 19:31 . 2009-08-25 19:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder

2009-08-25 19:31 . 2009-08-25 19:31 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-08-25 18:46 . 2009-08-25 18:46 -------- d-sh--w- c:\documents and settings\SmithPJ\IECompatCache

2009-08-20 14:48 . 2009-08-20 14:48 -------- d-sh--w- c:\documents and settings\SmithPJ\PrivacIE

2009-08-20 14:35 . 2009-08-20 14:35 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2009-08-20 14:35 . 2009-08-20 14:35 -------- d-sh--w- c:\documents and settings\SmithPJ\IETldCache

2009-08-20 14:16 . 2009-08-20 14:19 -------- dc-h--w- c:\windows\ie8

2009-08-19 19:20 . 2009-08-28 14:21 -------- d-----w- c:\program files\Shared

2009-08-06 22:06 . 2009-08-06 22:06 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\Malwarebytes

2009-08-06 22:06 . 2009-08-06 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-06 21:22 . 2009-08-06 21:22 19466 ----a-w- c:\documents and settings\SmithPJ\Local Settings\Application Data\uhidabexa.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-28 19:33 . 2007-10-03 17:52 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\.purple

2009-08-26 23:30 . 2007-10-23 20:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-25 21:19 . 2006-09-05 13:52 -------- d-----w- c:\program files\Symantec

2009-08-25 21:19 . 2006-09-05 13:51 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-08-25 21:19 . 2006-09-05 13:51 -------- d-----w- c:\program files\Symantec AntiVirus

2009-08-25 21:19 . 2006-09-05 13:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-08-06 21:22 . 2009-08-06 21:22 13954 ----a-w- c:\documents and settings\All Users\Application Data\qyfiwoqoc.dat

2009-08-06 20:48 . 2009-07-07 01:43 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\HPAppData

2009-08-05 16:05 . 2009-07-09 19:43 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\Meeting Center

2009-07-23 12:50 . 2009-07-23 12:49 -------- d-----w- c:\program files\iTunes

2009-07-23 12:50 . 2009-07-23 12:49 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-23 12:49 . 2009-07-23 12:49 -------- d-----w- c:\program files\iPod

2009-07-23 12:49 . 2008-11-04 05:08 -------- d-----w- c:\program files\Common Files\Apple

2009-07-23 12:46 . 2009-07-23 12:46 -------- d-----w- c:\program files\QuickTime

2009-07-23 12:44 . 2008-11-04 05:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-07-23 12:41 . 2009-07-23 12:41 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe

2009-07-16 12:30 . 2009-07-15 12:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-07-16 12:30 . 2009-07-15 12:49 -------- d-----w- c:\program files\NOS

2009-07-09 19:43 . 2009-07-09 19:43 -------- d-----w- c:\program files\Meeting Center

2009-07-09 16:16 . 2009-07-23 12:43 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-07-09 16:16 . 2008-11-04 05:09 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-07-08 01:18 . 2009-07-08 01:18 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\ieSpell

2009-07-08 01:18 . 2009-07-08 01:18 -------- d-----w- c:\program files\ieSpell

2009-07-07 02:04 . 2009-07-07 00:55 186633 ----a-w- c:\windows\hpwins23.dat

2009-07-07 01:21 . 2007-12-11 16:13 394624 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-07-07 01:20 . 2009-07-07 01:20 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\HP

2009-07-07 01:18 . 2009-07-07 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG

2009-07-07 01:13 . 2009-07-07 01:00 -------- d-----w- c:\program files\HP

2009-07-07 01:13 . 2008-02-08 17:20 -------- d-----w- c:\program files\Hewlett-Packard

2009-07-07 01:13 . 2009-07-07 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\HP

2009-07-07 01:12 . 2009-07-07 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant

2009-07-07 01:02 . 2009-07-07 01:02 -------- d-----w- c:\program files\Common Files\HP

2004-08-04 12:00 . 2006-09-05 16:03 73728 --sha-w- c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-20 68856]

"MeetingLauncher"="c:\program files\Meeting Center\Modules\Launcher\mcLauncher.exe" [2009-06-25 456000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-03-27 136768]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"configmsi"="rmdir" [X]

"supportdir"="rmdir" [X]

"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]

2006-06-19 07:06 49152 ----a-w- c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]

2004-12-16 23:33 24672 ----a-w- c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2005-07-06 04:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

2005-12-01 01:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2373621041-469255773-220526481-34194\Scripts\Logon\0\0]

"Script"=PerotLogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2373621041-469255773-220526481-63435\Scripts\Logon\0\0]

"Script"=PerotLogon.bat

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk

backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk

backup=c:\windows\pss\officejet 6100.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\marimba\\tuner\\lib\\jre\\bin\\java.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SERVICE.EXE"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.EXE"=

"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_DIAGNOSTICS.EXE"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"8888:TCP"= 8888:TCP:CMS

"7717:TCP"= 7717:TCP:MARIMBA (TCP 7717)

"7717:UDP"= 7717:UDP:MARIMBA (UDP 7717)

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"3389:UDP"= 3389:UDP:Remote Desktop (UDP)

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [9/5/2006 4:15 PM 85760]

R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [9/5/2006 4:15 PM 4736]

R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [9/7/2006 1:54 PM 4442]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/28/2009 10:15 AM 232720]

R2 RemoteClientManagementServiceProvider;Remote Client Management Service Provider;c:\program files\marimba\tuner\Tuner.exe [3/31/2006 3:54 PM 36953]

R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [11/13/2007 3:07 PM 17456]

R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [11/13/2007 3:07 PM 670128]

R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [11/13/2007 3:07 PM 2041904]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/28/2009 10:15 AM 19096]

S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [11/13/2007 3:07 PM 14924]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2008-06-11 c:\windows\Tasks\PMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-09-07 06:13]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = https://train.ps.net/

uInternet Settings,ProxyServer = internet.ps.net:80

uInternet Settings,ProxyOverride = *.ps.net;*.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM

Trusted Zone: marimba.com\www

Trusted Zone: perotsystems.com

Trusted Zone: ps.net

Trusted Zone: ps.net\*.crm

Trusted Zone: ps.net\crm

Trusted Zone: ps.net\fusion

Trusted Zone: ps.net\inizio2

Trusted Zone: ps.net\projecttest

Trusted Zone: ps.net\psctx1

Trusted Zone: ps.net\ptcprint

Trusted Zone: ps.net\train

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-29 21:08

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\SmithPJ\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully

hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\agp440]

"ImagePath"="system32\DRIVERS\agp440.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\agpCPQ]

"ImagePath"="system32\DRIVERS\agpCPQ.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Aha154x]

"ImagePath"="system32\DRIVERS\aha154x.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78u2]

"ImagePath"="system32\DRIVERS\aic78u2.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78xx]

"ImagePath"="system32\DRIVERS\aic78xx.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Alerter]

"ServiceDll"="%SystemRoot%\system32\alrsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALG]

"ImagePath"="%SystemRoot%\System32\alg.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AliIde]

"ImagePath"="system32\DRIVERS\aliide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\alim1541]

"ImagePath"="system32\DRIVERS\alim1541.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\amdagp]

"ImagePath"="system32\DRIVERS\amdagp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\amsint]

"ImagePath"="system32\DRIVERS\amsint.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Apple Mobile Device]

"ImagePath"="\"c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppMgmt]

"ServiceDll"="%SystemRoot%\System32\appmgmts.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc]

"ImagePath"="system32\DRIVERS\asc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3350p]

"ImagePath"="system32\DRIVERS\asc3350p.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3550]

"ImagePath"="system32\DRIVERS\asc3550.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET_1.1.4322]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET_2.0.50727]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Aspi32]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aspnet_state]

"ImagePath"="%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AsyncMac]

"ImagePath"="system32\DRIVERS\asyncmac.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]

"ImagePath"="system32\DRIVERS\atapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atdisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ati HotKey Poller]

"ImagePath"="%SystemRoot%\system32\Ati2evxx.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ati2mtag]

"ImagePath"="system32\DRIVERS\ati2mtag.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atierecord]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atmarpc]

"ImagePath"="system32\DRIVERS\atmarpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atmeltpm]

"ImagePath"="system32\DRIVERS\atmeltpm.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AudioSrv]

"ServiceDll"="%SystemRoot%\System32\audiosrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\audstub]

"ImagePath"="system32\DRIVERS\audstub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BattC]

"MofImagePath"="System32\Drivers\battc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Beep]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BITS]

"ServiceDll"="%systemroot%\system32\qmgr.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Bonjour Service]

"ImagePath"="\"c:\program files\Bonjour\mDNSResponder.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Browser]

"ServiceDll"="%SystemRoot%\System32\browser.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]

"ImagePath"="\??\c:\docume~1\SmithPJ\LOCALS~1\Temp\catchme.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cbidf]

"ImagePath"="system32\DRIVERS\cbidf2k.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cbidf2k]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CCDECODE]

"ImagePath"="system32\DRIVERS\CCDECODE.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cd20xrnt]

"ImagePath"="system32\DRIVERS\cd20xrnt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdaudio]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdrom]

"ImagePath"="system32\DRIVERS\cdrom.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Changer]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CiSvc]

"ImagePath"="%SystemRoot%\system32\cisvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ClipSrv]

"ImagePath"="%SystemRoot%\system32\clipsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clr_optimization_v2.0.50727_32]

"ImagePath"="c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CmBatt]

"ImagePath"="system32\DRIVERS\CmBatt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CmdIde]

"ImagePath"="system32\DRIVERS\cmdide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Compbatt]

"ImagePath"="system32\DRIVERS\compbatt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\COMSysApp]

"ImagePath"="c:\windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContentFilter]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContentIndex]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cpqarray]

"ImagePath"="system32\DRIVERS\cpqarray.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CryptSvc]

"ServiceDll"="%SystemRoot%\System32\cryptsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac2w2k]

"ImagePath"="system32\DRIVERS\dac2w2k.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac960nt]

"ImagePath"="system32\DRIVERS\dac960nt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DCamUSBEMPIA]

"ImagePath"="system32\DRIVERS\emDevice.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DcomLaunch]

"ServiceDll"="%SystemRoot%\system32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dhcp]

"ServiceDll"="%SystemRoot%\System32\dhcpcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Disk]

"ImagePath"="system32\DRIVERS\disk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmadmin]

"ImagePath"="%SystemRoot%\System32\dmadmin.exe /com"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmboot]

"ImagePath"="System32\drivers\dmboot.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmio]

"ImagePath"="System32\drivers\dmio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmload]

"ImagePath"="System32\drivers\dmload.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmserver]

"ServiceDll"="%SystemRoot%\System32\dmserver.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DMusic]

"ImagePath"="system32\drivers\DMusic.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dnscache]

"ServiceDll"="%SystemRoot%\System32\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dpti2o]

"ImagePath"="system32\DRIVERS\dpti2o.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\drmkaud]

"ImagePath"="system32\drivers\drmkaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\e1express]

"ImagePath"="system32\DRIVERS\e1e5132.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ERSvc]

"ServiceDll"="%SystemRoot%\System32\ersvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Eventlog]

"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventSystem]

"ServiceDll"="c:\windows\system32\es.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EvtEng]

"ImagePath"="c:\program files\Intel\Wireless\Bin\EvtEng.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fastfat]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FastUserSwitchingCompatibility]

"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FiltUSBEMPIA]

"ImagePath"="system32\DRIVERS\emFilter.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fips]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FltMgr]

"ImagePath"="system32\DRIVERS\fltMgr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FontCache3.0.0.0]

"ImagePath"="c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fs_Rec]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ftdisk]

"ImagePath"="system32\DRIVERS\ftdisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FW1]

"ImagePath"="system32\DRIVERS\fw.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GEARAspiWDM]

"ImagePath"="system32\DRIVERS\GEARAspiWDM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Gpc]

"ImagePath"="system32\DRIVERS\msgpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gusvc]

"ImagePath"="\"c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HDAudBus]

"ImagePath"="system32\DRIVERS\HDAudBus.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\helpsvc]

"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidServ]

"ServiceDll"="%SystemRoot%\System32\hidserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidUsb]

"ImagePath"="system32\DRIVERS\hidusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpn]

"ImagePath"="system32\DRIVERS\hpn.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpqcxs08]

"ServiceDll"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqcxs08.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpqddsvc]

"ServiceDll"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqddsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPSLPSVC]

"ServiceDll"="c:\program files\Hewlett-Packard\Digital Imaging\bin\HPSLPSVC32.DLL"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZid412]

"ImagePath"="system32\DRIVERS\HPZid412.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZipr12]

"ImagePath"="system32\DRIVERS\HPZipr12.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZius12]

"ImagePath"="system32\DRIVERS\HPZius12.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HSF_DPV]

"ImagePath"="system32\DRIVERS\hsx_dpv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HSXHWAZL]

"ImagePath"="system32\DRIVERS\hsxhwazl.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTP]

"ImagePath"="System32\Drivers\HTTP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTPFilter]

"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omgmt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omp]

"ImagePath"="system32\DRIVERS\i2omp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i8042prt]

"ImagePath"="system32\DRIVERS\i8042prt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IBMPMDRV]

"ImagePath"="system32\DRIVERS\ibmpmdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IBMPMSVC]

"ImagePath"="%SystemRoot%\system32\ibmpmsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDriverT]

"ImagePath"="\"c:\program files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\idsvc]

"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Imapi]

"ImagePath"="system32\DRIVERS\imapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ImapiService]

"ImagePath"="%systemroot%\system32\imapi.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\inetaccs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ini910u]

"ImagePath"="system32\DRIVERS\ini910u.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Inport]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IntelIde]

"ImagePath"="system32\DRIVERS\intelide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\intelppm]

"ImagePath"="system32\DRIVERS\intelppm.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ip6Fw]

"ImagePath"="system32\DRIVERS\Ip6Fw.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpFilterDriver]

"ImagePath"="system32\DRIVERS\ipfltdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpInIp]

"ImagePath"="system32\DRIVERS\ipinip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpNat]

"ImagePath"="system32\DRIVERS\ipnat.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iPod Service]

"ImagePath"="\"c:\program files\iPod\bin\iPodService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IPSec]

"ImagePath"="system32\DRIVERS\ipsec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IPSSVC]

"ImagePath"="%SystemRoot%\system32\IPSSVC.EXE"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\irda]

"ImagePath"="system32\DRIVERS\irda.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IRENUM]

"ImagePath"="system32\DRIVERS\irenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Irmon]

"ServiceDll"="%SystemRoot%\System32\irmon.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ISAPISearch]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\isapnp]

"ImagePath"="system32\DRIVERS\isapnp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Kbdclass]

"ImagePath"="system32\DRIVERS\kbdclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kmixer]

"ImagePath"="system32\drivers\kmixer.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KSecDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanserver]

"ServiceDll"="%SystemRoot%\System32\srvsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanworkstation]

"ServiceDll"="%SystemRoot%\System32\wkssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lbrtfdc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ldap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LicenseService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LmHosts]

"ServiceDll"="%SystemRoot%\System32\lmhsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LVcKap]

"ImagePath"="system32\DRIVERS\LVcKap.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LVMVDrv]

"ImagePath"="system32\DRIVERS\LVMVDrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LVPr2Mon]

"ImagePath"="system32\drivers\LVPr2Mon.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LVPrcSrv]

"ImagePath"="c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LVSrvLauncher]

"ImagePath"="c:\program files\Common Files\Logitech\SrvLnch\SrvLnch.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LVUSBSta]

"ImagePath"="system32\DRIVERS\LVUSBSta.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MaxBackServiceInt]

"ImagePath"="\"c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MBAMProtector]

"ImagePath"="\??\c:\windows\system32\drivers\mbam.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MBAMService]

"ImagePath"="\"c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McAfeeFramework]

"ImagePath"="\"c:\program files\McAfee\Common Framework\FrameworkService.exe\" /ServiceStart"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MDM]

"ImagePath"="\"c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mdmxsdk]

"ImagePath"="system32\DRIVERS\mdmxsdk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Messenger]

"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmdd]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmsrvc]

"ImagePath"="c:\windows\system32\mnmsrvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Modem]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mouclass]

"ImagePath"="system32\DRIVERS\mouclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mouhid]

"ImagePath"="system32\DRIVERS\mouhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MountMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mraid35x]

"ImagePath"="system32\DRIVERS\mraid35x.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxDAV]

"ImagePath"="system32\DRIVERS\mrxdav.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxSmb]

"ImagePath"="system32\DRIVERS\mrxsmb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC]

"ImagePath"="c:\windows\system32\msdtc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC Bridge 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Msfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSIServer]

"ImagePath"="%systemroot%\system32\msiexec.exe /V"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSKSSRV]

"ImagePath"="system32\drivers\MSKSSRV.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPCLOCK]

"ImagePath"="system32\drivers\MSPCLOCK.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPQM]

"ImagePath"="system32\drivers\MSPQM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mssmbios]

"ImagePath"="system32\DRIVERS\mssmbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSTEE]

"ImagePath"="system32\drivers\MSTEE.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mup]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MXOPSWD]

"ImagePath"="system32\DRIVERS\mxopswd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NABTSFEC]

"ImagePath"="system32\DRIVERS\NABTSFEC.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDIS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisIP]

"ImagePath"="system32\DRIVERS\NdisIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisTapi]

"ImagePath"="system32\DRIVERS\ndistapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ndisuio]

"ImagePath"="system32\DRIVERS\ndisuio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisWan]

"ImagePath"="system32\DRIVERS\ndiswan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDProxy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Net Driver HPZ12]

"ServiceDll"="c:\windows\system32\HPZinw12.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBIOS]

"ImagePath"="system32\DRIVERS\netbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT]

"ImagePath"="system32\DRIVERS\netbt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDE]

"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDEdsdm]

"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netlogon]

"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netman]

"ServiceDll"="%SystemRoot%\System32\netman.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetTcpPortSharing]

"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NETw4x32]

"ImagePath"="system32\DRIVERS\NETw4x32.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Nla]

"ServiceDll"="%SystemRoot%\System32\mswsock.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Npfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NSCIRDA]

"ImagePath"="system32\DRIVERS\nscirda.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ntfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtLmSsp]

"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc]

"ServiceDll"="%SystemRoot%\system32\ntmssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Null]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFlt]

"ImagePath"="system32\DRIVERS\nwlnkflt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFwd]

"ImagePath"="system32\DRIVERS\nwlnkfwd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OMVA]

"ImagePath"="system32\DRIVERS\OMVA.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ose]

"ImagePath"="\"c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Outlook]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Parport]

"ImagePath"="system32\DRIVERS\parport.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PartMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ParVdm]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCI]

"ImagePath"="system32\DRIVERS\pci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIDump]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIIde]

"ImagePath"="system32\DRIVERS\pciide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pcmcia]

"ImagePath"="system32\DRIVERS\pcmcia.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDCOMP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRELI]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2]

"ImagePath"="system32\DRIVERS\perc2.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2hib]

"ImagePath"="system32\DRIVERS\perc2hib.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfDisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfNet]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfOS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfProc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PID_0928]

"ImagePath"="system32\DRIVERS\LV561AV.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PlugPlay]

"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pmem]

"ImagePath"="\??\c:\windows\System32\drivers\pmemnt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pml Driver HPZ12]

"ServiceDll"="c:\windows\system32\HPZipm12.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PolicyAgent]

"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PptpMiniport]

"ImagePath"="system32\DRIVERS\raspptp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PROCDD]

"ImagePath"="system32\DRIVERS\PROCDD.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ProtectedStorage]

"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\psadd]

"ImagePath"="\??\c:\windows\system32\Drivers\psadd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsaSrv]

"ImagePath"="c:\windows\system32\PsaSrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSched]

"ImagePath"="system32\DRIVERS\psched.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ptilink]

"ImagePath"="system32\DRIVERS\ptilink.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PxHelp20]

"ImagePath"="System32\Drivers\PxHelp20.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1080]

"ImagePath"="system32\DRIVERS\ql1080.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ql10wnt]

"ImagePath"="system32\DRIVERS\ql10wnt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql12160]

"ImagePath"="system32\DRIVERS\ql12160.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1240]

"ImagePath"="system32\DRIVERS\ql1240.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1280]

"ImagePath"="system32\DRIVERS\ql1280.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAcd]

"ImagePath"="system32\DRIVERS\rasacd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAuto]

"ServiceDll"="%SystemRoot%\System32\rasauto.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rasirda]

"ImagePath"="system32\DRIVERS\rasirda.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rasl2tp]

"ImagePath"="system32\DRIVERS\rasl2tp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasMan]

"ServiceDll"="%SystemRoot%\System32\rasmans.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasPppoe]

"ImagePath"="system32\DRIVERS\raspppoe.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Raspti]

"ImagePath"="system32\DRIVERS\raspti.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rdbss]

"ImagePath"="system32\DRIVERS\rdbss.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPCDD]

"ImagePath"="System32\DRIVERS\RDPCDD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rdpdr]

"ImagePath"="system32\DRIVERS\rdpdr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPNP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPWD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDSessMgr]

"ImagePath"="c:\windows\system32\sessmgr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]

"ImagePath"="system32\DRIVERS\redbook.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RegSrvc]

"ImagePath"="c:\program files\Intel\Wireless\Bin\RegSrvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteAccess]

"ServiceDll"="%SystemRoot%\System32\mprdim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteClientManagementServiceProvider]

"ImagePath"="c:\program files\marimba\tuner\Tuner.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteRegistry]

"ServiceDll"="%SystemRoot%\system32\regsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RimSerPort]

"ImagePath"="system32\DRIVERS\RimSerial.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RimUsb]

"ImagePath"="System32\Drivers\RimUsb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ROOTMODEM]

"ImagePath"="System32\Drivers\RootMdm.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcLocator]

"ImagePath"="%SystemRoot%\system32\locator.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcSs]

"ServiceDll"="%SystemRoot%\System32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RSVP]

"ImagePath"="%SystemRoot%\system32\rsvp.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\S24EventMonitor]

"ImagePath"="c:\program files\Intel\Wireless\Bin\S24EvMon.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\s24trans]

"ImagePath"="system32\DRIVERS\s24trans.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SamSs]

"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ScanUSBEMPIA]

"ImagePath"="system32\DRIVERS\emScan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Scap]

"ImagePath"="System32\DRIVERS\Scap.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SCardSvr]

"ImagePath"="%SystemRoot%\System32\SCardSvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Schedule]

"ServiceDll"="%SystemRoot%\system32\schedsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Secdrv]

"ImagePath"="system32\DRIVERS\secdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seclogon]

"ServiceDll"="%SystemRoot%\System32\seclogon.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SENS]

"ServiceDll"="%SystemRoot%\system32\sens.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Serenum]

"ImagePath"="system32\DRIVERS\serenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Serial]

"ImagePath"="system32\DRIVERS\serial.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelEndpoint 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelOperation 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelService 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sfloppy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess]

"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ShellHWDetection]

"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ShockMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Shockprf]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Simbad]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sisagp]

"ImagePath"="system32\DRIVERS\sisagp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SLIP]

"ImagePath"="system32\DRIVERS\SLIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Smapint]

"ImagePath"="System32\drivers\Smapint.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SMSvcHost 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sparrow]

"ImagePath"="system32\DRIVERS\sparrow.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\splitter]

"ImagePath"="system32\drivers\splitter.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Spooler]

"ImagePath"="%SystemRoot%\system32\spoolsv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sr]

"ImagePath"="system32\DRIVERS\sr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srservice]

"ServiceDll"="%SystemRoot%\system32\srsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Srv]

"ImagePath"="system32\DRIVERS\srv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SR_Service]

"ImagePath"="\"c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SR_WatchDog]

"ImagePath"="\"c:\program files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SSDPSRV]

"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\StillCam]

"ImagePath"="system32\DRIVERS\serscan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\stisvc]

"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\streamip]

"ImagePath"="system32\DRIVERS\StreamIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SUService]

"ImagePath"="c:\program files\lenovo\system update\suservice.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swenum]

"ImagePath"="system32\DRIVERS\swenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swmidi]

"ImagePath"="system32\drivers\swmidi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SwPrv]

"ImagePath"="c:\windows\system32\dllhost.exe /Processid:{1FE22711-C519-4C0B-B736-644201A8A239}"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc810]

"ImagePath"="system32\DRIVERS\symc810.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc8xx]

"ImagePath"="system32\DRIVERS\symc8xx.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_hi]

"ImagePath"="system32\DRIVERS\sym_hi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_u3]

"ImagePath"="system32\DRIVERS\sym_u3.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SynTP]

"ImagePath"="system32\DRIVERS\SynTP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sysaudio]

"ImagePath"="system32\drivers\sysaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SysmonLog]

"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TapiSrv]

"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip]

"ImagePath"="system32\DRIVERS\tcpip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDPIPE]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSMAPI]

"ImagePath"="System32\drivers\TDSMAPI.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDTCP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermDD]

"ImagePath"="system32\DRIVERS\termdd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermService]

"ServiceDll"="%SystemRoot%\System32\termsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Themes]

"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TlntSvr]

"ImagePath"="c:\windows\system32\tlntsvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TosIde]

"ImagePath"="system32\DRIVERS\toside.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TPHDEXLGSVC]

"ImagePath"="System32\TPHDEXLG.EXE"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TPHKDRV]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TPPWRIF]

"ImagePath"="System32\drivers\Tppwrif.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TrkWks]

"ServiceDll"="%SystemRoot%\system32\trkwks.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TSDDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TSMAPIP]

"ImagePath"="System32\drivers\TSMAPIP.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TVT Scheduler]

"ImagePath"="\"c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Udfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ultra]

"ImagePath"="system32\DRIVERS\ultra.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update]

"ImagePath"="system32\DRIVERS\update.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\upnphost]

"ServiceDll"="%SystemRoot%\System32\upnphost.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPS]

"ImagePath"="%SystemRoot%\System32\ups.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\USBAAPL]

"ImagePath"="System32\Drivers\usbaapl.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbccgp]

"ImagePath"="system32\DRIVERS\usbccgp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbehci]

"ImagePath"="system32\DRIVERS\usbehci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbhub]

"ImagePath"="system32\DRIVERS\usbhub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbprint]

"ImagePath"="system32\DRIVERS\usbprint.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbscan]

"ImagePath"="system32\DRIVERS\usbscan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\USBSTOR]

"ImagePath"="system32\DRIVERS\USBSTOR.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbuhci]

"ImagePath"="system32\DRIVERS\usbuhci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usb_rndisx]

"ImagePath"="system32\DRIVERS\usb8023x.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VgaSave]

"ImagePath"="\SystemRoot\System32\drivers\vga.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\viaagp]

"ImagePath"="system32\DRIVERS\viaagp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ViaIde]

"ImagePath"="system32\DRIVERS\viaide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VolSnap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VPN-1]

"ImagePath"="\SystemRoot\System32\drivers\vpn.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VSS]

"ImagePath"="%SystemRoot%\System32\vssvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W32Time]

"ServiceDll"="%systemroot%\system32\w32time.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\w39n51]

"ImagePath"="system32\DRIVERS\w39n51.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W3SVC]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wanarp]

"ImagePath"="system32\DRIVERS\wanarp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WDICA]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wdmaud]

"ImagePath"="system32\drivers\wdmaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebClient]

"ServiceDll"="%SystemRoot%\System32\webclnt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winachsf]

"ImagePath"="system32\DRIVERS\hsx_cnxt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Windows Workflow Foundation 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt]

"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Winsock]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinSock2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinTrust]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmdmPmSN]

"ServiceDll"="c:\windows\system32\MsPMSNSv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wmi]

"ServiceDll"="%SystemRoot%\System32\advapi32.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApRpl]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApSrv]

"ImagePath"="c:\windows\system32\wbem\wmiapsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WMPNetworkSvc]

"ImagePath"="\"c:\program files\Windows Media Player\WMPNetwk.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WS2IFSL]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wscsvc]

"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WSTCODEC]

"ImagePath"="system32\DRIVERS\WSTCODEC.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauserv]

"ServiceDll"="c:\windows\system32\wuauserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfPf]

"ImagePath"="system32\DRIVERS\WudfPf.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfRd]

"ImagePath"="system32\DRIVERS\wudfrd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfSvc]

"ServiceDll"="%SystemRoot%\System32\WUDFSvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WZCSVC]

"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xmlprov]

"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{1AA7D35E-4BB4-4512-AC76-986264985BF9}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B9009E6F-811D-45AC-B33A-CB8D0E8A2E4E}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{D7888C3B-175F-4952-9FA8-3F14B459892C}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{E2B1D01B-52B8-4BDA-AAEB-FF89FCA2161D}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{EEDACB50-F432-4F56-9A69-E9886FD41B7D}]

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\tphklock.dll

c:\program files\Lenovo\AwayTask\AwayNotify.dll

c:\windows\system32\notifyf2.dll

- - - - - - - > 'explorer.exe'(1700)

c:\windows\system32\PROCHLP.DLL

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2009-08-30 21:10

ComboFix-quarantined-files.txt 2009-08-30 01:10

ComboFix2.txt 2009-08-28 01:43

Pre-Run: 53,543,481,344 bytes free

Post-Run: 53,701,079,040 bytes free

898 --- E O F --- 2009-01-09 14:16

MBAM

Malwarebytes' Anti-Malware 1.40

Database version: 2714

Windows 5.1.2600 Service Pack 2

8/29/2009 9:22:51 PM

mbam-log-2009-08-29 (21-22-51).txt

Scan type: Quick Scan

Objects scanned: 102685

Time elapsed: 4 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Thanks again for all your help

Pete

Link to post
Share on other sites

  • Staff

Hi Pete,

Please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites

Hey Chris,

Here we go - Both reports below. My systems is running much better and has been for a while but things like my secur client etc stopped working after I ran combofix.

Scanning Report

Sunday, August 30, 2009 23:03:59 - 23:52:45

Computer name: PSCSMITHPJ02

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

--------------------------------------------------------------------------------

14 malware found

TrackingCookie.Questionmarket (spyware)

System (Disinfected)

TrackingCookie.2o7 (spyware)

System (Disinfected)

TrackingCookie.Advertising (spyware)

System (Disinfected)

TrackingCookie.Atdmt (spyware)

System (Disinfected)

TrackingCookie.Doubleclick (spyware)

System (Disinfected)

TrackingCookie.Revsci (spyware)

System (Disinfected)

TrackingCookie.Adrevolver (spyware)

System (Disinfected)

TrackingCookie.Adbrite (spyware)

System (Disinfected)

TrackingCookie.Mediaplex (spyware)

System (Disinfected)

TrackingCookie.Statcounter (spyware)

System (Disinfected)

TrackingCookie.Atwola (spyware)

System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

System (Disinfected)

Trojan.Dropper.Kobcka.Gen.1 (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{23F955F8-5109-4096-A13D-2E53DB37E2B1}\RP365\A0078005.DLL (Renamed & Submitted)

Trojan.Generic.1901833 (virus)

C:\DOCUMENTS AND SETTINGS\SMITHPJ\APPLICATION DATA\KINGSTON\SECURETRAVELER.EXE (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 51905

System: 3827

Not scanned: 10

Actions:

Disinfected: 12

Renamed: 2

Deleted: 0

Not cleaned: 0

Submitted: 2

Files not scanned:

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE

C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\WINLOGON.EXE

C:\PROGRAM FILES\CHECKPOINT\SECUREMOTE\BIN\SR_SERVICE.EXE

C:\DOCUMENTS AND SETTINGS\SMITHPJ\MY DOCUMENTS\ROOTREPEAL.EXE

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

--------------------------------------------------------------------------------

Copyright

Link to post
Share on other sites

  • Staff

Good to hear.

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.

Kerio

Comodo

Outpost

2) It is imperative that you have an antivirus. You are basically asking for infection without one. ;)

All of the following are excellent free antiviruses. Be sure to only install one.

AVG

AntiVir

avast!.

3) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

4) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

5) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

6) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

7) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

8) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317

Link to post
Share on other sites

  • 2 weeks later...
Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.