
Malwarebytes, Hijack This!, etc. Won't Run - Suspected Rootkit


Phinizy


I believe I am infected with one of these relatively new viruses which, in addition to causing general havoc, specifically attack anti-virus programs and anti-spyware programs.

I hope you can help me get rid of these nasty things which some misguided, evil genius has spent countless hours creating. I wish these guys would use their programming talent for good rather than bad!

I was on the Facebook website when all of a sudden my Internet Explorer 7 browser crashed or exited unexplainably (I don't remember exactly which). I tried to open IE7 back up and it would open but not connect to the Internet.

I have Norton 360 Version 2.5.0.5 (includes Norton Anti-virus) and Webroot Spy Sweeper running continuously (resident).

On 8/21/09 Norton 360 detected and quarantined a "Packed Generic.233" and "Downloader" virus. My Norton scan of 8/28/09 says that "no viruses or spyware were detected."

But my Spy Sweeper program is messed up and I cannot use it to scan my computer. I tried uninstalling it and re-installing it, but no luck.

Also, my System Restore was turned off and I could not even access its menu to turn it back on.

Strangely enough, I can still use my Microsoft Office Outlook e-mail program and send and receive e-mail through the Internet. But, as I said, I can't access the Internet through my IE7 browser.

So, looking through the Internet to self-diagnose and self-repair this problem, I came across MalwareBytes, which seemed to be a great program and organization, with very helpful user forums.

I downloaded mbam-setup.exe and installed the program. It opened up and I clicked "Quick Scan". Then the program immediately exits (disappears). When I try to open it up again, I get the dialog box "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

When I uninstall Malwarebytes and then try to re-install, I get "An error occurred. Please report the following error code to the Malwarebytes' Anti-Malware support team. Error code: 732 (0,0)". Then the program opens up and I click on "Quick Scan". The program immediately exits (disappears). I also tried renaming "mbam.exe" to "winlogon.exe" (as a post suggested), but I get a dialog box saying: "Cannot rename. Access denied."

I downloaded and installed RootRepeal rootkit removal software. I can run RootRepeal.exe but after a few seconds of scanning on the "Files" Tab on the C:\ drive, the program exits (disappears). It stops during the scanning of C:\windows\system32\.

I WAS able to complete the "Drivers", "Processes", "SSDT", "Stealth Objects", "Hidden Services", and "Shadow SSDT" scans. I will post these scans in my next post, if you wish to see them.

I downloaded and installed the Prevx 3.0 malware removal software. It ran once, but will no longer open.

I downloaded and installed the HiJack This! malware removal software. It ran once, but will no longer open. I get the dialog box saying "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." (Same thing with Prevx 3.0)

I believe I (somehow) was able to reinstall Hijack This! and get it to run some scans before it crashed and would not open again. I will post these scans ("hijackthis.log" and "startuplist.txt") in my next post, if you wish to see them.

I am an intermediate computer user and I thought I could solve this problem by myself. But, obviously, it's too deep for me. By the way, I'm using my wife's computer to access the Internet through Internet Explorer to post and download since my IE won't connect.

If you can make some suggestions and/or walk me through repairing my computer, I would greatly appreciate it.


Hello,

What is the Windows version/edition? XP, Vista, or ??

Yes, post what you have from the Rootrepeal log

Download and run Win32kDiag:


Hello Mr. Naggar -

Thanks so much for your quick response to my post. I have been trying to solve this problem by myself for over a week with no success, so I really appreciate your promptness.

My affected computer is Windows XP, Service Pack 3 (with security patches through August 2009).

I followed your directions to download and run Win32kDiag.exe. I tried to include the logs from RootRepeal and HijackThis! later in this post, but I received an Error Message from the Forum saying my post was too long. So I will send you these logs in separate posts. (By the way, what is the maximum length for a post so I won't have this problem again?)

Here's my log from Win32kDiag.txt:

Log file is located at: C:\Documents and Settings\Phinizy\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP147.tmp\ZAP147.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP16E.tmp\ZAP16E.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP191.tmp\ZAP191.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP267.tmp\ZAP267.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP375.tmp\ZAP375.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB3.tmp\ZAPB3.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 05:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)

Finished!

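Reading a Win32kDiag.txt like the one above by eye gets tedious once it lists dozens of mount points. The following Python script is an added example, not part of Win32kDiag or of this thread: it parses the log format shown above, reports every mount point whose destination is not an ordinary drive or volume path, and compares each file Win32kDiag could not open against the reference copies it lists beside it (dllcache, ServicePackFiles, i386), flagging a size mismatch or a missing company name. The sample log embedded in it is constructed, modelled on the posted output; the "Example Junction" entry is an illustrative benign mount point, not from the thread.

```python
"""Triage helper for Win32kDiag.txt output (added example, not part of
Win32kDiag or of this thread)."""
import re

# Constructed sample modelled on the posted log; blank lines between records
# are dropped here, the parser ignores them either way. Paths are illustrative.
SAMPLE_LOG = r"""Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Example Junction\Example Junction
Mount point destination : \??\C:\WINDOWS\Example Junction
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# [n] date time size path (company) -- greedy path so a "(x86)" inside a path survives
COPY_RE = re.compile(r"^\[\d+\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (.+) \((.*)\)$")
# What an ordinary NTFS junction or symlink points at: a drive path or a volume device
NORMAL_DEST_RE = re.compile(r"^(\\\?\?\\[A-Za-z]:\\|\\Device\\HarddiskVolume\d+)", re.I)


def parse_win32kdiag(text):
    """Return (mount_points, inaccessible): a list of (path, destination) pairs and a
    dict mapping each file Win32kDiag could not open to the copies it listed for it."""
    mount_points, inaccessible = [], {}
    pending_mount = current_file = None
    for raw in text.splitlines():
        line = raw.strip()
        m = MOUNT_RE.match(line)
        if m:
            pending_mount = m.group(1)
            continue
        m = DEST_RE.match(line)
        if m and pending_mount is not None:
            mount_points.append((pending_mount, m.group(1)))
            pending_mount = None
            continue
        m = CANNOT_RE.match(line)
        if m:
            current_file = m.group(1)
            inaccessible[current_file] = []
            continue
        m = COPY_RE.match(line)
        if m and current_file is not None:
            inaccessible[current_file].append({"timestamp": m.group(1), "size": int(m.group(2)),
                                               "path": m.group(3), "company": m.group(4)})
    return mount_points, inaccessible


def suspicious_mount_points(mount_points):
    """Mount points whose destination is neither a drive path nor a volume device."""
    return [(p, d) for p, d in mount_points if not NORMAL_DEST_RE.match(d)]


def file_mismatches(inaccessible):
    """Compare each inaccessible file's on-disk copy with the reference copies
    (dllcache, ServicePackFiles, i386). Returns (path, reason) tuples."""
    findings = []
    for path, copies in inaccessible.items():
        live = [c for c in copies if c["path"].lower() == path.lower()]
        refs = [c for c in copies if c["path"].lower() != path.lower()]
        if not live:
            findings.append((path, "on-disk copy not listed"))
            continue
        live = live[0]
        if not live["company"]:
            findings.append((path, "on-disk copy carries no company/version information"))
        ref_sizes = sorted({c["size"] for c in refs})
        if ref_sizes and live["size"] not in ref_sizes:
            findings.append((path, "on-disk size %d differs from reference copies %s"
                             % (live["size"], ref_sizes)))
    return findings


def triage(text):
    """Run both checks over a Win32kDiag log and return the findings."""
    mount_points, inaccessible = parse_win32kdiag(text)
    return {"mount_points": suspicious_mount_points(mount_points),
            "files": file_mismatches(inaccessible)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path, dest in result["mount_points"]:
        print("mount point with unusual destination:", path, "->", dest)
    for path, reason in result["files"]:
        print("file:", path, "-", reason)
```

On the sample, two of the three mount points are reported (their destination is not a volume path) and eventlog.dll is reported twice: once because the in-place copy carries no company string, once because its size differs from both reference copies. That is the same pair of observations a reader makes by eye in the posted log; the script only makes the check repeatable across a long log.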

Yes, post what you have from the Rootrepeal log.

I'm having trouble getting my logs to fit into a Post. I keep getting an error message "Sorry, your post was too long, please reduce it." I've tried this several times -- reducing the size of the Post -- and I keep getting the same error. So what is the limit -- characters, words, or kilobytes, etc? I've searched your Help and cannot find the answer. Under "Attachments" at the bottom of the screen it does say "Max. single upload size: 500k". So I'm going to attach my RootRepeal and Hijack This! logs to a post. I hope this is okay.

Can I "Attach" more than one file to upload at a time?

The first file is "Root Reveal - Drivers Report.txt" (52 KB)

Root_Reveal___Drivers_Report.txt


(Maurice Naggar @ Sep 3 2009, 03:39 PM) Yes, post what you have from the Rootrepeal log.
I'm having trouble getting my logs to fit into a Post. I keep getting an error message "Sorry, your post was too long, please reduce it." I've tried this several times -- reducing the size of the Post -- and I keep getting the same error. So what is the limit -- characters, words, or kilobytes, etc? I've searched your Help and cannot find the answer. Under "Attachments" at the bottom of the screen it does say "Max. single upload size: 500k". So I'm going to attach my RootRepeal and Hijack This! logs to a post. I hope this is okay.

Can I "Attach" more than one file to upload at a time?

The first file is "Root Reveal - Drivers Report.txt" (52 KB)

I just looked at my last post (quoted above) and looked at my uploaded Attachment ("Root Reveal - Drivers Report.txt"). Yikes! It would seem to be incredibly hard to read, because all the lines are run together with no line wrap to separate the different entries. (If you would like me to try to re-send it (via post or e-mail), please let me know.) So now I'm going to try to post each log (via Cut & Paste) in a separate post.

Here's my Root Repeal - Hidden Services Report.txt

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/26 22:13

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Hidden Services

-------------------

Service Name: ovfsthxitfnliyn

Image Path: C:\WINDOWS\system32\drivers\ovfsthxsmlqbayg.sys

==EOF==


Yes, post what you have from the Rootrepeal log

Here's my Root Repeal- Processes Report - sorted by PID.txt

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/26 22:29

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Processes

-------------------

Path: System

PID: 4 Status: -

Path: C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE

PID: 296 Status: -

Path: C:\DOCUME~1\Phinizy\LOCALS~1\Temp\Temporary Directory 3 for RootRepeal.zip\RootRepeal.exe

PID: 444 Status: -

Path: C:\Program Files\Bonjour\mDNSResponder.exe

PID: 600 Status: -

Path: C:\WINDOWS\system32\cisvc.exe

PID: 608 Status: -

Path: C:\WINDOWS\system32\svchost.exe

PID: 720 Status: -

Path: C:\WINDOWS\explorer.exe

PID: 916 Status: -

Path: C:\WINDOWS\system32\spoolsv.exe

PID: 924 Status: -

Path: C:\WINDOWS\system32\searchprotocolhost.exe

PID: 948 Status: -

Path: C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

PID: 1064 Status: -

Path: C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

PID: 1112 Status: -

Path: C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

PID: 1232 Status: -

Path: C:\WINDOWS\system32\smss.exe

PID: 1260 Status: -

Path: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

PID: 1336 Status: -

Path: C:\WINDOWS\system32\csrss.exe

PID: 1352 Status: -

Path: C:\WINDOWS\system32\winlogon.exe

PID: 1384 Status: -

Path: C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

PID: 1416 Status: -

Path: C:\WINDOWS\system32\services.exe

PID: 1440 Status: -

Path: C:\WINDOWS\system32\lsass.exe

PID: 1452 Status: -

Path: C:\WINDOWS\system32\svchost.exe

PID: 1636 Status: -

Path: C:\WINDOWS\system32\svchost.exe

PID: 1704 Status: -

Path: C:\WINDOWS\system32\svchost.exe

PID: 1744 Status: -

Path: C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

PID: 1796 Status: -

Path: C:\WINDOWS\system32\svchost.exe

PID: 1900 Status: -

Path: C:\WINDOWS\system32\svchost.exe

PID: 1928 Status: -

Path: C:\WINDOWS\system32\svchost.exe

PID: 1988 Status: -

Path: C:\Program Files\Java\jre6\bin\jqs.exe

PID: 2044 Status: -

Path: C:\WINDOWS\system32\svchost.exe

PID: 2108 Status: -

Path: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

PID: 2176 Status: -

Path: C:\WINDOWS\system32\svchost.exe

PID: 2196 Status: -

Path: C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe

PID: 2228 Status: -

Path: C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe

PID: 2236 Status: -

Path: C:\WINDOWS\system32\wuauclt.exe

PID: 2332 Status: -

Path: C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

PID: 2372 Status: -

Path: C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE

PID: 2420 Status: -

Path: C:\WINDOWS\system32\ctfmon.exe

PID: 2428 Status: -

Path: C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

PID: 2464 Status: -

Path: C:\Program Files\Logitech\SetPoint\SetPoint.exe

PID: 2468 Status: -

Path: C:\WINDOWS\system32\cidaemon.exe

PID: 2864 Status: -

Path: C:\WINDOWS\system32\svchost.exe

PID: 2940 Status: -

Path: C:\WINDOWS\system32\svchost.exe

PID: 2996 Status: -

Path: C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe

PID: 3036 Status: -

Path: C:\WINDOWS\system32\searchindexer.exe

PID: 3124 Status: -

Path: C:\WINDOWS\system32\searchfilterhost.exe

PID: 3252 Status: -

Path: C:\WINDOWS\system32\alg.exe

PID: 3488 Status: -


Yes, post what you have from the Rootrepeal log.

Here's my Root Repeal - Shadow SSDT Report.txt (just showing HOOKED BY files) (3 KB)

I have a larger Report showing all files and their status (89 KB) -- if you want it.

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/26 22:14

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Shadow SSDT

-------------------

#: 013 Function Name: NtGdiBitBlt

Status: Hooked by "C:\WINDOWS\system32\drivers\CO_Mon.sys" at address 0xba484318

#: 292 Function Name: NtGdiStretchBlt

Status: Hooked by "C:\WINDOWS\system32\drivers\CO_Mon.sys" at address 0xba484560

#: 383 Function Name: NtUserGetAsyncKeyState

Status: Hooked by "C:\WINDOWS\system32\drivers\CO_Mon.sys" at address 0xba484854

#: 416 Function Name: NtUserGetKeyState

Status: Hooked by "C:\WINDOWS\system32\drivers\CO_Mon.sys" at address 0xba4848f0

#: 502 Function Name: NtUserSendInput

Status: Hooked by "C:\WINDOWS\system32\drivers\CO_Mon.sys" at address 0xba484c88

#: 549 Function Name: NtUserSetWindowsHookEx

Status: Hooked by "C:\WINDOWS\system32\drivers\CO_Mon.sys" at address 0xba484b0c

#: 570 Function Name: NtUserUnhookWindowsHookEx

Status: Hooked by "C:\WINDOWS\system32\drivers\CO_Mon.sys" at address 0xba484bf4

==EOF==

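The Shadow SSDT report above and the full SSDT report that follows list one table entry per function, so the hooks of interest are spread over hundreds of lines. The following Python script is an added example, not part of RootRepeal or of this thread: it parses that report format (both tables use the same layout), groups hooked entries by the driver RootRepeal attributed them to, and pulls out the entries hooked by "<unknown>", the hooks RootRepeal could not map to any loaded driver image, which are the ones a responder examines first. The embedded report is constructed from a few entries in the format of the posted reports; the addresses and driver paths are copied from the thread only as format samples.

```python
"""Summarise the hooks in a RootRepeal SSDT / Shadow SSDT report (added
example, not part of RootRepeal or of this thread)."""
import re

# Constructed sample in the format of the posted reports (a handful of entries only).
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/26 22:05
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Not hooked
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x87c4acb8
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xb498f34e
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xb498f144
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8aea7d98
Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\system32\drivers\CO_Mon.sys" at address 0xba484318
==EOF==
"""

ENTRY_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)$")
HOOKED_RE = re.compile(r'^Status:\s*Hooked by "(.+)" at address (0x[0-9a-fA-F]+)$')


def parse_rootrepeal(text):
    """Return one dict per table entry: table, index, function, hooker, address
    (hooker and address stay None for entries reported as 'Not hooked')."""
    entries, table, prev, current = [], None, "", None
    for raw in text.splitlines():
        line = raw.strip()
        # A section title ("SSDT", "Shadow SSDT") is the line just before a dashed rule.
        if line.startswith("---") and prev and not prev.startswith("="):
            table = prev
        m = ENTRY_RE.match(line)
        if m:
            current = {"table": table, "index": int(m.group(1)),
                       "function": m.group(2), "hooker": None, "address": None}
            entries.append(current)
        elif current is not None:
            m = HOOKED_RE.match(line)
            if m:
                current["hooker"], current["address"] = m.group(1), m.group(2)
        prev = line
    return entries


def hooks_by_module(entries):
    """Group hooked functions by the driver RootRepeal attributed the hook to
    (file name only), e.g. {'PROCMON20.SYS': [...], '<unknown>': [...]}."""
    groups = {}
    for e in entries:
        if e["hooker"] is None:
            continue
        module = e["hooker"].rsplit("\\", 1)[-1]
        groups.setdefault(module, []).append(e["function"])
    return {module: sorted(funcs) for module, funcs in groups.items()}


def unattributed_hooks(entries):
    """Entries hooked from an address RootRepeal could not map to a loaded driver."""
    return [(e["table"], e["function"], e["address"])
            for e in entries if e["hooker"] == "<unknown>"]


if __name__ == "__main__":
    parsed = parse_rootrepeal(SAMPLE_REPORT)
    hooked = sum(e["hooker"] is not None for e in parsed)
    print("%d entries, %d hooked" % (len(parsed), hooked))
    for module, funcs in hooks_by_module(parsed).items():
        print("%-16s %s" % (module, ", ".join(funcs)))
    for table, func, addr in unattributed_hooks(parsed):
        print("examine first: %s %s hooked at %s (no owning driver)" % (table, func, addr))
```

Either posted report can be fed to parse_rootrepeal() unchanged. Attribution to a named driver file does not by itself make a hook benign (it only tells you which installed product to account for); the "<unknown>" group is where triage starts, because nothing loaded on the system claims those addresses.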

Yes, post what you have from the Rootrepeal log

Here's my Root Repeal - SSDT.txt Report (40 KB)

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/26 22:05

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

SSDT

-------------------

#: 000 Function Name: NtAcceptConnectPort

Status: Not hooked

#: 001 Function Name: NtAccessCheck

Status: Not hooked

#: 002 Function Name: NtAccessCheckAndAuditAlarm

Status: Not hooked

#: 003 Function Name: NtAccessCheckByType

Status: Not hooked

#: 004 Function Name: NtAccessCheckByTypeAndAuditAlarm

Status: Not hooked

#: 005 Function Name: NtAccessCheckByTypeResultList

Status: Not hooked

#: 006 Function Name: NtAccessCheckByTypeResultListAndAuditAlarm

Status: Not hooked

#: 007 Function Name: NtAccessCheckByTypeResultListAndAuditAlarmByHandle

Status: Not hooked

#: 008 Function Name: NtAddAtom

Status: Not hooked

#: 009 Function Name: NtAddBootEntry

Status: Not hooked

#: 010 Function Name: NtAdjustGroupsToken

Status: Not hooked

#: 011 Function Name: NtAdjustPrivilegesToken

Status: Not hooked

#: 012 Function Name: NtAlertResumeThread

Status: Hooked by "<unknown>" at address 0x87c4acb8

#: 013 Function Name: NtAlertThread

Status: Hooked by "<unknown>" at address 0x8aebfec8

#: 014 Function Name: NtAllocateLocallyUniqueId

Status: Not hooked

#: 015 Function Name: NtAllocateUserPhysicalPages

Status: Not hooked

#: 016 Function Name: NtAllocateUuids

Status: Not hooked

#: 017 Function Name: NtAllocateVirtualMemory

Status: Hooked by "<unknown>" at address 0x8aae02b8

#: 018 Function Name: NtAreMappedFilesTheSame

Status: Not hooked

#: 019 Function Name: NtAssignProcessToJobObject

Status: Not hooked

#: 020 Function Name: NtCallbackReturn

Status: Not hooked

#: 021 Function Name: NtCancelDeviceWakeupRequest

Status: Not hooked

#: 022 Function Name: NtCancelIoFile

Status: Not hooked

#: 023 Function Name: NtCancelTimer

Status: Not hooked

#: 024 Function Name: NtClearEvent

Status: Not hooked

#: 025 Function Name: NtClose

Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xb498f34e

#: 026 Function Name: NtCloseObjectAuditAlarm

Status: Not hooked

#: 027 Function Name: NtCompactKeys

Status: Not hooked

#: 028 Function Name: NtCompareTokens

Status: Not hooked

#: 029 Function Name: NtCompleteConnectPort

Status: Not hooked

#: 030 Function Name: NtCompressKey

Status: Not hooked

#: 031 Function Name: NtConnectPort

Status: Hooked by "<unknown>" at address 0x8ae1f248

#: 032 Function Name: NtContinue

Status: Not hooked

#: 033 Function Name: NtCreateDebugObject

Status: Not hooked

#: 034 Function Name: NtCreateDirectoryObject

Status: Not hooked

#: 035 Function Name: NtCreateEvent

Status: Not hooked

#: 036 Function Name: NtCreateEventPair

Status: Not hooked

#: 037 Function Name: NtCreateFile

Status: Not hooked

#: 038 Function Name: NtCreateIoCompletion

Status: Not hooked

#: 039 Function Name: NtCreateJobObject

Status: Not hooked

#: 040 Function Name: NtCreateJobSet

Status: Not hooked

#: 041 Function Name: NtCreateKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xb498f144

#: 042 Function Name: NtCreateMailslotFile

Status: Not hooked

#: 043 Function Name: NtCreateMutant

Status: Hooked by "<unknown>" at address 0x8ab0ac80

#: 044 Function Name: NtCreateNamedPipeFile

Status: Not hooked

#: 045 Function Name: NtCreatePagingFile

Status: Not hooked

#: 046 Function Name: NtCreatePort

Status: Not hooked

#: 047 Function Name: NtCreateProcess

Status: Not hooked

#: 048 Function Name: NtCreateProcessEx

Status: Not hooked

#: 049 Function Name: NtCreateProfile

Status: Not hooked

#: 050 Function Name: NtCreateSection

Status: Not hooked

#: 051 Function Name: NtCreateSemaphore

Status: Not hooked

#: 052 Function Name: NtCreateSymbolicLinkObject

Status: Not hooked

#: 053 Function Name: NtCreateThread

Status: Hooked by "<unknown>" at address 0x8aea7d98

#: 054 Function Name: NtCreateTimer

Status: Not hooked

#: 055 Function Name: NtCreateToken

Status: Not hooked

#: 056 Function Name: NtCreateWaitablePort

Status: Not hooked

#: 057 Function Name: NtDebugActiveProcess

Status: Hooked by "<unknown>" at address 0x87c49f08

#: 058 Function Name: NtDebugContinue

Status: Not hooked

#: 059 Function Name: NtDelayExecution

Status: Not hooked

#: 060 Function Name: NtDeleteAtom

Status: Not hooked

#: 061 Function Name: NtDeleteBootEntry

Status: Not hooked

#: 062 Function Name: NtDeleteFile

Status: Not hooked

#: 063 Function Name: NtDeleteKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xb498effc

#: 064 Function Name: NtDeleteObjectAuditAlarm

Status: Not hooked

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xb498f032

#: 066 Function Name: NtDeviceIoControlFile

Status: Not hooked

#: 067 Function Name: NtDisplayString

Status: Not hooked

#: 068 Function Name: NtDuplicateObject

Status: Not hooked

#: 069 Function Name: NtDuplicateToken

Status: Not hooked

#: 070 Function Name: NtEnumerateBootEntries

Status: Not hooked

#: 071 Function Name: NtEnumerateKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xb498ef42

#: 072 Function Name: NtEnumerateSystemEnvironmentValuesEx

Status: Not hooked

#: 073 Function Name: NtEnumerateValueKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xb498ee9e

#: 074 Function Name: NtExtendSection

Status: Not hooked

#: 075 Function Name: NtFilterToken

Status: Not hooked

#: 076 Function Name: NtFindAtom

Status: Not hooked

#: 077 Function Name: NtFlushBuffersFile

Status: Not hooked

#: 078 Function Name: NtFlushInstructionCache

Status: Not hooked

#: 079 Function Name: NtFlushKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xb498ef96

#: 080 Function Name: NtFlushVirtualMemory

Status: Not hooked

#: 081 Function Name: NtFlushWriteBuffer

Status: Not hooked

#: 082 Function Name: NtFreeUserPhysicalPages

Status: Not hooked

#: 083 Function Name: NtFreeVirtualMemory

Status: Hooked by "<unknown>" at address 0x8ae47238

#: 084 Function Name: NtFsControlFile

Status: Not hooked

#: 085 Function Name: NtGetContextThread

Status: Not hooked

#: 086 Function Name: NtGetDevicePowerState

Status: Not hooked

#: 087 Function Name: NtGetPlugPlayEvent

Status: Not hooked

#: 088 Function Name: NtGetWriteWatch

Status: Not hooked

#: 089 Function Name: NtImpersonateAnonymousToken

Status: Hooked by "<unknown>" at address 0x8accbd80

#: 090 Function Name: NtImpersonateClientOfPort

Status: Not hooked

#: 091 Function Name: NtImpersonateThread

Status: Hooked by "<unknown>" at address 0x8ae3daf0

#: 092 Function Name: NtInitializeRegistry

Status: Not hooked

#: 093 Function Name: NtInitiatePowerAction

Status: Not hooked

#: 094 Function Name: NtIsProcessInJob

Status: Not hooked

#: 095 Function Name: NtIsSystemResumeAutomatic

Status: Not hooked

#: 096 Function Name: NtListenPort

Status: Not hooked

#: 097 Function Name: NtLoadDriver

Status: Not hooked

#: 098 Function Name: NtLoadKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xb498f4a2

#: 099 Function Name: NtLoadKey2

Status: Not hooked

#: 100 Function Name: NtLockFile

Status: Not hooked

#: 101 Function Name: NtLockProductActivationKeys

Status: Not hooked

#: 102 Function Name: NtLockRegistryKey

Status: Not hooked

#: 103 Function Name: NtLockVirtualMemory

Status: Not hooked

#: 104 Function Name: NtMakePermanentObject

Status: Not hooked

#: 105 Function Name: NtMakeTemporaryObject

Status: Not hooked

#: 106 Function Name: NtMapUserPhysicalPages

Status: Not hooked

#: 107 Function Name: NtMapUserPhysicalPagesScatter

Status: Not hooked

#: 108 Function Name: NtMapViewOfSection

Status: Hooked by "<unknown>" at address 0x8aabe2d8

#: 109 Function Name: NtModifyBootEntry

Status: Not hooked

#: 110 Function Name: NtNotifyChangeDirectoryFile

Status: Not hooked

#: 111 Function Name: NtNotifyChangeKey

Status: Not hooked

#: 112 Function Name: NtNotifyChangeMultipleKeys

Status: Not hooked

#: 113 Function Name: NtOpenDirectoryObject

Status: Not hooked

#: 114 Function Name: NtOpenEvent

Status: Hooked by "<unknown>" at address 0x8ac6d1d0

#: 115 Function Name: NtOpenEventPair

Status: Not hooked

#: 116 Function Name: NtOpenFile

Status: Not hooked

#: 117 Function Name: NtOpenIoCompletion

Status: Not hooked

#: 118 Function Name: NtOpenJobObject

Status: Not hooked

#: 119 Function Name: NtOpenKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xb498f310

#: 120 Function Name: NtOpenMutant

Status: Not hooked

#: 121 Function Name: NtOpenObjectAuditAlarm

Status: Not hooked

#: 122 Function Name: NtOpenProcess

Status: Not hooked

#: 123 Function Name: NtOpenProcessToken

Status: Hooked by "<unknown>" at address 0x8ab09208

#: 124 Function Name: NtOpenProcessTokenEx

Status: Not hooked

#: 125 Function Name: NtOpenSection

Status: Hooked by "<unknown>" at address 0x8ac5a3a8

#: 126 Function Name: NtOpenSemaphore

Status: Not hooked

#: 127 Function Name: NtOpenSymbolicLinkObject

Status: Not hooked

#: 128 Function Name: NtOpenThread

Status: Not hooked

#: 129 Function Name: NtOpenThreadToken

Status: Hooked by "<unknown>" at address 0x8ac56fc0

#: 130 Function Name: NtOpenThreadTokenEx

Status: Not hooked

#: 131 Function Name: NtOpenTimer

Status: Not hooked

#: 132 Function Name: NtPlugPlayControl

Status: Not hooked

#: 133 Function Name: NtPowerInformation

Status: Not hooked

#: 134 Function Name: NtPrivilegeCheck

Status: Not hooked

#: 135 Function Name: NtPrivilegeObjectAuditAlarm

Status: Not hooked

#: 136 Function Name: NtPrivilegedServiceAuditAlarm

Status: Not hooked

#: 137 Function Name: NtProtectVirtualMemory

Status: Not hooked

#: 138 Function Name: NtPulseEvent

Status: Not hooked

#: 139 Function Name: NtQueryAttributesFile

Status: Not hooked

#: 140 Function Name: NtQueryBootEntryOrder

Status: Not hooked

#: 141 Function Name: NtQueryBootOptions

Status: Not hooked

#: 142 Function Name: NtQueryDebugFilterState

Status: Not hooked

#: 143 Function Name: NtQueryDefaultLocale

Status: Not hooked

#: 144 Function Name: NtQueryDefaultUILanguage

Status: Not hooked

#: 145 Function Name: NtQueryDirectoryFile

Status: Not hooked

#: 146 Function Name: NtQueryDirectoryObject

Status: Not hooked

#: 147 Function Name: NtQueryEaFile

Status: Not hooked

#: 148 Function Name: NtQueryEvent

Status: Not hooked

#: 149 Function Name: NtQueryFullAttributesFile

Status: Not hooked

#: 150 Function Name: NtQueryInformationAtom

Status: Not hooked

#: 151 Function Name: NtQueryInformationFile

Status: Not hooked

#: 152 Function Name: NtQueryInformationJobObject

Status: Not hooked

#: 153 Function Name: NtQueryInformationPort

Status: Not hooked

#: 154 Function Name: NtQueryInformationProcess

Status: Not hooked

#: 155 Function Name: NtQueryInformationThread

Status: Not hooked

#: 156 Function Name: NtQueryInformationToken

Status: Not hooked

#: 157 Function Name: NtQueryInstallUILanguage

Status: Not hooked

#: 158 Function Name: NtQueryIntervalProfile

Status: Not hooked

#: 159 Function Name: NtQueryIoCompletion

Status: Not hooked

#: 160 Function Name: NtQueryKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xb498eb8e

#: 161 Function Name: NtQueryMultipleValueKey

Status: Not hooked

#: 162 Function Name: NtQueryMutant

Status: Not hooked

#: 163 Function Name: NtQueryObject

Status: Not hooked

#: 164 Function Name: NtQueryOpenSubKeys

Status: Not hooked

#: 165 Function Name: NtQueryPerformanceCounter

Status: Not hooked

#: 166 Function Name: NtQueryQuotaInformationFile

Status: Not hooked

#: 167 Function Name: NtQuerySection

Status: Not hooked

#: 168 Function Name: NtQuerySecurityObject

Status: Not hooked

#: 169 Function Name: NtQuerySemaphore

Status: Not hooked

#: 170 Function Name: NtQuerySymbolicLinkObject

Status: Not hooked

#: 171 Function Name: NtQuerySystemEnvironmentValue

Status: Not hooked

#: 172 Function Name: NtQuerySystemEnvironmentValueEx

Status: Not hooked

#: 173 Function Name: NtQuerySystemInformation

Status: Not hooked

#: 174 Function Name: NtQuerySystemTime

Status: Not hooked

#: 175 Function Name: NtQueryTimer

Status: Not hooked

#: 176 Function Name: NtQueryTimerResolution

Status: Not hooked

#: 177 Function Name: NtQueryValueKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xb498ecb6

#: 178 Function Name: NtQueryVirtualMemory

Status: Not hooked

#: 179 Function Name: NtQueryVolumeInformationFile

Status: Not hooked

#: 180 Function Name: NtQueueApcThread

Status: Not hooked

#: 181 Function Name: NtRaiseException

Status: Not hooked

#: 182 Function Name: NtRaiseHardError

Status: Not hooked

#: 183 Function Name: NtReadFile

Status: Not hooked

#: 184 Function Name: NtReadFileScatter

Status: Not hooked

#: 185 Function Name: NtReadRequestData

Status: Not hooked

#: 186 Function Name: NtReadVirtualMemory

Status: Not hooked

#: 187 Function Name: NtRegisterThreadTerminatePort

Status: Not hooked

#: 188 Function Name: NtReleaseMutant

Status: Not hooked

#: 189 Function Name: NtReleaseSemaphore

Status: Not hooked

#: 190 Function Name: NtRemoveIoCompletion

Status: Not hooked

#: 191 Function Name: NtRemoveProcessDebug

Status: Not hooked

#: 192 Function Name: NtRenameKey

Status: Not hooked

#: 193 Function Name: NtReplaceKey

Status: Not hooked

#: 194 Function Name: NtReplyPort

Status: Not hooked

#: 195 Function Name: NtReplyWaitReceivePort

Status: Not hooked

#: 196 Function Name: NtReplyWaitReceivePortEx

Status: Not hooked

#: 197 Function Name: NtReplyWaitReplyPort

Status: Not hooked

#: 198 Function Name: NtRequestDeviceWakeup

Status: Not hooked

#: 199 Function Name: NtRequestPort

Status: Not hooked

#: 200 Function Name: NtRequestWaitReplyPort

Status: Not hooked

#: 201 Function Name: NtRequestWakeupLatency

Status: Not hooked

#: 202 Function Name: NtResetEvent

Status: Not hooked

#: 203 Function Name: NtResetWriteWatch

Status: Not hooked

#: 204 Function Name: NtRestoreKey

Status: Not hooked

#: 205 Function Name: NtResumeProcess

Status: Not hooked

#: 206 Function Name: NtResumeThread

Status: Hooked by "<unknown>" at address 0x8ac49b18

#: 207 Function Name: NtSaveKey

Status: Not hooked

#: 208 Function Name: NtSaveKeyEx

Status: Not hooked

#: 209 Function Name: NtSaveMergedKeys

Status: Not hooked

#: 210 Function Name: NtSecureConnectPort

Status: Not hooked

#: 211 Function Name: NtSetBootEntryOrder

Status: Not hooked

#: 212 Function Name: NtSetBootOptions

Status: Not hooked

#: 213 Function Name: NtSetContextThread

Status: Hooked by "<unknown>" at address 0x87c54cc8

#: 214 Function Name: NtSetDebugFilterState

Status: Not hooked

#: 215 Function Name: NtSetDefaultHardErrorPort

Status: Not hooked

#: 216 Function Name: NtSetDefaultLocale

Status: Not hooked

#: 217 Function Name: NtSetDefaultUILanguage

Status: Not hooked

#: 218 Function Name: NtSetEaFile

Status: Not hooked

#: 219 Function Name: NtSetEvent

Status: Not hooked

#: 220 Function Name: NtSetEventBoostPriority

Status: Not hooked

#: 221 Function Name: NtSetHighEventPair

Status: Not hooked

#: 222 Function Name: NtSetHighWaitLowEventPair

Status: Not hooked

#: 223 Function Name: NtSetInformationDebugObject

Status: Not hooked

#: 224 Function Name: NtSetInformationFile

Status: Not hooked

#: 225 Function Name: NtSetInformationJobObject

Status: Not hooked

#: 226 Function Name: NtSetInformationKey

Status: Not hooked

#: 227 Function Name: NtSetInformationObject

Status: Not hooked

#: 228 Function Name: NtSetInformationProcess

Status: Hooked by "<unknown>" at address 0x8aae2208

#: 229 Function Name: NtSetInformationThread

Status: Hooked by "<unknown>" at address 0x8ab4d2c0

#: 230 Function Name: NtSetInformationToken

Status: Not hooked

#: 231 Function Name: NtSetIntervalProfile

Status: Not hooked

#: 232 Function Name: NtSetIoCompletion

Status: Not hooked

#: 233 Function Name: NtSetLdtEntries

Status: Not hooked

#: 234 Function Name: NtSetLowEventPair

Status: Not hooked

#: 235 Function Name: NtSetLowWaitHighEventPair

Status: Not hooked

#: 236 Function Name: NtSetQuotaInformationFile

Status: Not hooked

#: 237 Function Name: NtSetSecurityObject

Status: Not hooked

#: 238 Function Name: NtSetSystemEnvironmentValue

Status: Not hooked

#: 239 Function Name: NtSetSystemEnvironmentValueEx

Status: Not hooked

#: 240 Function Name: NtSetSystemInformation

Status: Not hooked

#: 241 Function Name: NtSetSystemPowerState

Status: Not hooked

#: 242 Function Name: NtSetSystemTime

Status: Not hooked

#: 243 Function Name: NtSetThreadExecutionState

Status: Not hooked

#: 244 Function Name: NtSetTimer

Status: Not hooked

#: 245 Function Name: NtSetTimerResolution

Status: Not hooked

#: 246 Function Name: NtSetUuidSeed

Status: Not hooked

#: 247 Function Name: NtSetValueKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xb498edda

#: 248 Function Name: NtSetVolumeInformationFile

Status: Not hooked

#: 249 Function Name: NtShutdownSystem

Status: Not hooked

#: 250 Function Name: NtSignalAndWaitForSingleObject

Status: Not hooked

#: 251 Function Name: NtStartProfile

Status: Not hooked

#: 252 Function Name: NtStopProfile

Status: Not hooked

#: 253 Function Name: NtSuspendProcess

Status: Hooked by "<unknown>" at address 0x8aae2ad0

#: 254 Function Name: NtSuspendThread

Status: Hooked by "<unknown>" at address 0x8ac45c10

#: 255 Function Name: NtSystemDebugControl

Status: Not hooked

#: 256 Function Name: NtTerminateJobObject

Status: Not hooked

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "C:\WINDOWS\system32\drivers\CO_Mon.sys" at address 0xba484760

#: 258 Function Name: NtTerminateThread

Status: Hooked by "<unknown>" at address 0x8aea7a78

#: 259 Function Name: NtTestAlert

Status: Not hooked

#: 260 Function Name: NtTraceEvent

Status: Not hooked

#: 261 Function Name: NtTranslateFilePath

Status: Not hooked

#: 262 Function Name: NtUnloadDriver

Status: Not hooked

#: 263 Function Name: NtUnloadKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xb498f5f2

#: 264 Function Name: NtUnloadKeyEx

Status: Not hooked

#: 265 Function Name: NtUnlockFile

Status: Not hooked

#: 266 Function Name: NtUnlockVirtualMemory

Status: Not hooked

#: 267 Function Name: NtUnmapViewOfSection

Status: Hooked by "<unknown>" at address 0x8aec11d0

#: 268 Function Name: NtVdmControl

Status: Not hooked

#: 269 Function Name: NtWaitForDebugEvent

Status: Not hooked

#: 270 Function Name: NtWaitForMultipleObjects

Status: Not hooked

#: 271 Function Name: NtWaitForSingleObject

Status: Not hooked

#: 272 Function Name: NtWaitHighEventPair

Status: Not hooked

#: 273 Function Name: NtWaitLowEventPair

Status: Not hooked

#: 274 Function Name: NtWriteFile

Status: Not hooked

#: 275 Function Name: NtWriteFileGather

Status: Not hooked

#: 276 Function Name: NtWriteRequestData

Status: Not hooked

#: 277 Function Name: NtWriteVirtualMemory

Status: Hooked by "<unknown>" at address 0x8ac632e8

#: 278 Function Name: NtYieldExecution

Status: Not hooked

#: 279 Function Name: NtCreateKeyedEvent

Status: Not hooked

#: 280 Function Name: NtOpenKeyedEvent

Status: Not hooked

#: 281 Function Name: NtReleaseKeyedEvent

Status: Not hooked

#: 282 Function Name: NtWaitForKeyedEvent

Status: Not hooked

#: 283 Function Name: NtQueryPortInformationProcess

Status: Not hooked

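As a triage aid for SSDT listings like the one above, here is an added Python script (not part of this thread, and not RootRepeal's own code) that parses entries in the format RootRepeal writes and separates hooks attributed to a named driver from those it reports as "<unknown>". RootRepeal names the owning driver when the hook's target address falls inside a loaded module's image; "<unknown>" means the address could not be matched to any loaded module, which is why those entries are the ones to look at first, while hooks from a monitoring driver such as Process Monitor's PROCMON20.SYS are expected on a machine where that tool runs. The embedded sample log is constructed from five of the entries posted above; everything else in the block is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample in RootRepeal's SSDT format: five entries copied from the
# log posted in this thread (function numbers, names and addresses as shown).
SAMPLE_LOG = r"""
#: 216 Function Name: NtSetDefaultLocale

Status: Not hooked

#: 228 Function Name: NtSetInformationProcess

Status: Hooked by "<unknown>" at address 0x8aae2208

#: 247 Function Name: NtSetValueKey

Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xb498edda

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "C:\WINDOWS\system32\drivers\CO_Mon.sys" at address 0xba484760

#: 277 Function Name: NtWriteVirtualMemory

Status: Hooked by "<unknown>" at address 0x8ac632e8
"""

# "#: <index> Function Name: <NtXxx>" followed (after a blank line) by a Status line.
ENTRY_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)")
HOOK_RE = re.compile(r'^Status:\s*Hooked by "([^"]*)" at address (0x[0-9a-fA-F]+)')


def parse_ssdt(text):
    """Return (index, function, module, address) per entry.

    module and address are None for entries whose status is "Not hooked".
    The address is returned as an int so ranges can be compared.
    """
    entries = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            current = (int(m.group(1)), m.group(2))
            continue
        if current is None or not line.startswith("Status:"):
            continue
        h = HOOK_RE.match(line)
        if h:
            entries.append((current[0], current[1], h.group(1), int(h.group(2), 16)))
        else:
            entries.append((current[0], current[1], None, None))
        current = None
    return entries


def unattributed_hooks(entries):
    """Hooks whose owning module RootRepeal could not resolve: review these first."""
    return [e for e in entries if e[2] == "<unknown>"]


def hooks_by_module(entries):
    """Group hooked function names by the module RootRepeal attributed them to."""
    grouped = defaultdict(list)
    for _idx, func, module, _addr in entries:
        if module is not None:
            grouped[module].append(func)
    return dict(grouped)


if __name__ == "__main__":
    parsed = parse_ssdt(SAMPLE_LOG)
    for module, funcs in sorted(hooks_by_module(parsed).items()):
        print(f"{module}: {', '.join(funcs)}")
    for idx, func, _module, addr in unattributed_hooks(parsed):
        print(f"REVIEW #{idx} {func} -> {addr:#010x} (no module owns this address)")
```

Run it against a full "Root Repeal - SSDT Report.txt" by reading the file into `parse_ssdt`; the grouped output shows at a glance which hooks belong to a security or monitoring product and which point into memory no driver claims.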

Yes, post what you have from the Rootrepeal log

Here's my Root Repeal - Stealth Objects Report.txt (1 KB)

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/26 22:24

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Stealth Objects (none)

==EOF==


Yes, post what you have from the Rootrepeal log.

I bet you would also like my Hijack This! logs! HJT would not open the second time I tried to open it up and I'm not sure if it did a complete scan the first time I ran it (these logs are below).

Here is my hijackthis.log (14 KB):

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:57:06 PM, on 8/29/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080521

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net/channel/START

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080521

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://partnerpage.google.com/smallbiz.del...amp;ibd=0080521

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [synTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"

O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /installquiet

O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360 Premier Edition\osCheck.exe"

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] "C:\WINDOWS\KHALMNPR.EXE"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: bmnet.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O10 - Unknown file in Winsock LSP: bmnet.dll

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212186519578

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: BMUService - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe

O23 - Service: bmwebcfg - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

O23 - Service: tcsd_win32.exe - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe

O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe

O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--

End of file - 14310 bytes

================================================================================

===============

And here's my startuplist.txt (10 KB):

StartupList report, 8/29/2008, 8:12:02 PM

StartupList version: 1.52.2

Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE

Detected: Windows XP SP3 (WinNT 5.01.2600)

Detected: Internet Explorer v7.00 (7.00.6000.16705)

* Using default options

==================================================

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SynTPEnh = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"

NvCplDaemon = "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup

nwiz = "C:\WINDOWS\system32\nwiz.exe" /installquiet

NvMediaCenter = "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

IntelZeroConfig = "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

IntelWireless = "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

Acrobat Assistant 8.0 = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

(Default) =

Google Desktop Search = "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

osCheck = "C:\Program Files\Norton 360 Premier Edition\osCheck.exe"

Kernel and Hardware Abstraction Layer = "C:\WINDOWS\KHALMNPR.EXE"

--------------------------------------------------

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

H/PC Connection Agent = "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*

run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\Windows: load=

HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINDOWS\system32\ssstars.scr

drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll - {02478D38-C3F9-4EFB-9B51-7695ECA05670}

HP Print Enhancer - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll - {0347C33E-8762-4905-BF09-768834316C61}

(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

NCO 2.0 IE BHO - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}

Symantec Intrusion Prevention - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll - {6D53EC84-6AAE-4787-AEEE-F4628F01010C}

(no name) - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

(no name) - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}

(no name) - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}

(no name) - C:\Program Files\Dell\BAE\BAE.dll - {CA6319C0-31B7-401E-A518-A07C3DB8F777}

HP Smart BHO Class - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job

wrSpySweeperFullSweep.job

--------------------------------------------------

Enumerating Download Program Files:

[YInstStarter Class]

InProcServer32 = C:\PROGRA~1\Yahoo!\Common\yinsthelper.dll

CODEBASE = C:\Program Files\Yahoo!\Common\yinsthelper.dll

[WUWebControl Class]

InProcServer32 = C:\WINDOWS\system32\wuweb.dll

CODEBASE = http://www.update.microsoft.com/windowsupd...b?1212186519578

[symantec Download Manager]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\symdlmgr.dll

CODEBASE = https://webdl.symantec.com/activex/symdlmgr.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll

Protocol #1: bmnet.dll (file MISSING)

Protocol #2: bmnet.dll (file MISSING)

Protocol #3: bmnet.dll (file MISSING)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: C:\WINDOWS\system32\webcheck.dll

SysTray: C:\WINDOWS\system32\stobject.dll

WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------

End of report, 9,698 bytes

Report generated in 0.125 seconds

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

I hope that's everything. Please let me know if you need anything else.

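To show how a HijackThis log like the one above is usually read, here is an added Python script (not part of the thread and not HijackThis's own code) that splits the log into its section-prefixed entries and pulls out the kinds of lines a helper looks at first: O10 Winsock LSP entries pointing at a file HijackThis cannot find, DLLs loaded everywhere through AppInit_DLLs or a Winlogon Notify package, and O23 services whose binary carries no publisher name. Which entry types merit review is this example's assumption, not a rule from the page; the embedded sample is constructed from lines of the posted log.

```python
import re

# Constructed sample: eight lines in HijackThis's format, copied from the log
# posted in this thread. A real log also has a header and "End of file" footer,
# which the parser ignores because they carry no section prefix.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
"""

# Every entry starts with a section code (R0, R1, O2, O4, O23, ...) and " - ".
LINE_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")


def parse_hjt(text):
    """Return (section, body) tuples for each entry line; other lines are skipped."""
    items = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            items.append((m.group(1), m.group(2)))
    return items


def triage(items):
    """Return (section, reason, body) for entries that deserve a closer look.

    The rules are this example's assumptions about what a reviewer checks first;
    a match means "examine", not "malicious" (the gemsafe Notify package, for
    instance, belongs to a smart-card product).
    """
    findings = []
    for section, body in items:
        if section == "O10" and body.startswith("Unknown file in Winsock LSP"):
            findings.append((section, "LSP entry references a file HijackThis cannot find", body))
        elif section == "O20" and body.startswith("AppInit_DLLs"):
            findings.append((section, "DLL loaded into every process via AppInit_DLLs", body))
        elif section == "O20" and body.startswith("Winlogon Notify"):
            findings.append((section, "DLL loaded by winlogon as a Notify package", body))
        elif section == "O23" and " - Unknown owner - " in body:
            findings.append((section, "service binary has no publisher name", body))
    return findings


def missing_lsp_counts(items):
    """Count how many Winsock LSP entries point at each unknown file.

    Repeated O10 lines for one DLL correspond to the numbered Protocol entries
    in the StartupList report, so the count tells how deep the LSP chain is broken.
    """
    counts = {}
    for section, body in items:
        if section == "O10":
            name = body.split(":")[-1].strip()
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT)
    for section, reason, body in triage(parsed):
        print(f"[{section}] {reason}\n    {body}")
    print("missing LSP files:", missing_lsp_counts(parsed))
```

Point `parse_hjt` at a saved hijackthis.log to get the same summary for a full log; the O2/O4 entries are kept in the parsed list so further rules (for example, matching BHO paths against a known-good list) can be added without touching the parser.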

You've done well. I frankly do not know the file-size limit for a reply textbox here. That is why I suggest that one does a Preview before doing a final Submit of a response.

I'm going to have you run a couple of tools. But first, turn off your Spysweeper and Norton/Symantec AV "real time" monitors.

Use this as a guide if needed, but do NOT turn off the firewall.

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Download The Avenger by Swandog46 from here.

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    C:\WINDOWS\system32\drivers\ovfsthxsmlqbayg.sys
    c:\windows\sysguard.exe
    c:\windows\system32\sdra64.exe

    Drivers to delete:
    ovfsthxitfnliyn

    Folders to delete:
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler


  • In the Avenger window, click the Paste Script from Clipboard icon.
  • ! Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

=

Next, disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot: RcAuto1.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: whatnext.png]

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of the C:\Avenger.txt

and the C:\Combofix.txt

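The helper asks for the C:\ComboFix.txt log, and the reply below posts it; its Drivers/Services and Sigcheck sections are where a triager looks first. As an added example, not part of this thread and not ComboFix's own code, here is a Python script that parses those two sections and flags services whose binary sits under a user's Temp folder or is missing on disk, and system files whose same-build copies disagree in size or hash or could not be hashed; the sample lines are copied from the log posted below.

```python
"""Triage helper for two sections of a ComboFix log (added example).

Parses 'Drivers/Services' lines (prefix R0/R2/S2/S3 ...) and the
'------- Sigcheck -------' lines of a ComboFix log and flags what a
defender reads first:
  * services/drivers whose binary lives under a user's Temp folder,
  * services whose binary is missing on disk (ComboFix prints "[?]"),
  * Sigcheck groups in which copies of one system file carrying the same
    build timestamp differ in size or hash, or could not be hashed.
The sample lines below are copied from the log posted in this thread.
"""
import re
from collections import defaultdict

# "S3 name;display;configured path --> resolved path [?]" or
# "R0 name;display;path [m/d/yyyy h:mm AM size]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# "[7] 2008-04-14 00:11 56320 <md5> path" or
# "[-] 2008-04-14 00:11 62464 !HASH: COULD NOT OPEN FILE !!!!! path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<stamp>\S+ \S+)\s+(?P<size>\d+)\s+"
    r"(?P<hash>[0-9A-Fa-f]{32}|!HASH: COULD NOT OPEN FILE !+)\s+(?P<path>.+)$"
)
TEMP_RE = re.compile(r"\\(?:locals~1|local settings)\\temp\\", re.IGNORECASE)

SAMPLE_SERVICES = r"""
R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [5/29/2008 3:04 PM 17792]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/2/2009 10:20 AM 108289]
S2 CSIScanner;CSIScanner;"c:\program files\Prevx\prevx.exe" /service --> c:\program files\Prevx\prevx.exe [?]
S3 HGKBFGS;HGKBFGS;c:\docume~1\Phinizy\LOCALS~1\Temp\HGKBFGS.exe --> c:\docume~1\Phinizy\LOCALS~1\Temp\HGKBFGS.exe [?]
S3 N;N;c:\docume~1\Phinizy\LOCALS~1\Temp\N.exe --> c:\docume~1\Phinizy\LOCALS~1\Temp\N.exe [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 9:32 PM 23888]
""".strip().splitlines()

SAMPLE_SIGCHECK = r"""
[7] 2004-08-04 10:00 55808 82B24CB70E5944E6E34662205A2A5B78 c:\windows\$NtServicePackUninstall$\eventlog.dll
[7] 2008-04-14 00:11 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\ServicePackFiles\i386\eventlog.dll
[-] 2008-04-14 00:11 62464 !HASH: COULD NOT OPEN FILE !!!!! c:\windows\system32\eventlog.dll
[7] 2008-04-14 00:11 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\system32\dllcache\eventlog.dll
""".strip().splitlines()


def parse_service(line):
    """Parse one Drivers/Services line into a dict, or return None."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").rstrip()
    missing = rest.endswith("[?]")
    # With a missing binary ComboFix prints "configured --> resolved [?]";
    # otherwise "path [date time size]". Keep the configured image string.
    if " --> " in rest:
        image = rest.split(" --> ")[0]
    else:
        image = re.sub(r"\s*\[[^\]]*\]$", "", rest)
    return {"start": m.group("start"), "name": m.group("name"),
            "image": image.strip(), "missing": missing}


def triage_services(lines):
    """Return one finding string per suspicious service/driver entry."""
    findings = []
    for line in lines:
        svc = parse_service(line)
        if svc is None:
            continue
        reasons = []
        if TEMP_RE.search(svc["image"]):
            reasons.append("binary under a user Temp folder")
        if svc["missing"]:
            reasons.append("binary missing on disk ([?])")
        if reasons:
            findings.append(f"{svc['name']}: {'; '.join(reasons)} -> {svc['image']}")
    return findings


def triage_sigcheck(lines):
    """Flag same-build copies of a file that differ, and copies that could not be hashed."""
    groups = defaultdict(list)
    for line in lines:
        m = SIGCHECK_RE.match(line.strip())
        if m:
            name = m.group("path").rsplit("\\", 1)[-1].lower()
            groups[(name, m.group("stamp"))].append(m.groupdict())
    findings = []
    for (name, stamp), copies in groups.items():
        sizes = {c["size"] for c in copies}
        hashes = {c["hash"] for c in copies}
        if len(copies) > 1 and (len(sizes) > 1 or len(hashes) > 1):
            findings.append(f"{name} ({stamp}): copies disagree, sizes {sorted(sizes)}")
        for c in copies:
            if c["hash"].startswith("!HASH"):
                findings.append(f"{name}: could not be hashed -> {c['path']}")
    return findings


if __name__ == "__main__":
    for f in triage_services(SAMPLE_SERVICES) + triage_sigcheck(SAMPLE_SIGCHECK):
        print(f)
```

On the posted log this flags the three Temp-resident or missing services (CSIScanner, HGKBFGS, N) and the live system32\eventlog.dll, whose size differs from the dllcache and ServicePackFiles copies of the same build and which ComboFix could not hash.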

You've done well. I frankly do not know the file-size limit for a reply textbox here. That is why I suggest that one does a Preview before doing a final Submit of a response.

I had used "Preview" when I posted before and I got the same Error message about the post being "too long". I guess a Forum Administrator would know the answer to this question.

Hey Mr. Naggar -- Hooray and Hallelujah!!! The Avenger and ComboFix programs that you instructed me to run must have helped a lot because I am actually writing this post on my -- the "affected" computer (a Dell Precision M6300 laptop) -- and not my wife's (remember my Internet Explorer would not connect to the internet before?)

I am assuming that I could now finish cleaning things up myself -- by running Malwarebytes, etc., but I thought I better follow through under your guidance.

So, per your instructions, here is my c:\avenger.txt log:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "C:\WINDOWS\system32\drivers\ovfsthxsmlqbayg.sys" not found!

Deletion of file "C:\WINDOWS\system32\drivers\ovfsthxsmlqbayg.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\sysguard.exe" not found!

Deletion of file "c:\windows\sysguard.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\sdra64.exe" not found!

Deletion of file "c:\windows\system32\sdra64.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ovfsthxitfnliyn" not found!

Deletion of driver "ovfsthxitfnliyn" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Folder "C:\recycler" deleted successfully.

Error: could not open folder "D:\recycler"

Deletion of folder "D:\recycler" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open folder "e:\recycler"

Deletion of folder "e:\recycler" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open folder "f:\recycler"

Deletion of folder "f:\recycler" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open folder "g:\recycler"

Deletion of folder "g:\recycler" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open folder "h:\recycler"

Deletion of folder "h:\recycler" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Completed script processing.

*******************

Finished! Terminate.

===================================================================

One of the initial dialog boxes I encountered when running ComboFix mentioned that it had "detected" that Prevx 3.0 was still "active". I thought that this was strange because I had previously uninstalled Prevx 3.0 and there was no mention of it in my Task Manager. So I opened up CCleaner and deleted a few references to it in the Registry Scan. I guess that must have satisfied ComboFix because it seemed to have run okay. I just wanted to mention this in case it might be a problem.

And so, here is my Combo-Fix log.txt:

ComboFix 09-09-03.02 - Phinizy 09/04/2009 13:41.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2493 [GMT -5:00]

Running from: c:\documents and settings\Phinizy\Desktop\Combo-Fix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Norton 360 Premier Edition *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}

AV: Prevx 3.0 *On-access scanning enabled* (Updated) {D486329C-1488-4CEB-9CC8-D662B732D901}

FW: Norton 360 Premier Edition *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\Phinizy\APPLIC~1\.#

c:\docume~1\Phinizy\LOCALS~1\Temp\Temporary Directory 3 for SysinternalsSuite.zip\RootkitRevealer.exe

c:\docume~1\Phinizy\LOCALS~1\Temp\Temporary Directory 6 for RootRepeal.zip\RootRepeal.exe

c:\documents and settings\Phinizy\Local Settings\Temp\Temporary Directory 3 for SysinternalsSuite.zip\RootkitRevealer.exe

c:\documents and settings\Phinizy\Local Settings\Temp\Temporary Directory 6 for RootRepeal.zip\RootRepeal.exe

C:\p2hhr.bat

c:\windows\AegisP.inf

c:\windows\Installer\a6c5a2.msp

c:\windows\st_1241545608.exe

c:\windows\st_1241564036.exe

c:\windows\system32\p2hhr.bat

I:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_SFC

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Service_sfc

((((((((((((((((((((((((( Files Created from 2009-08-04 to 2009-09-04 )))))))))))))))))))))))))))))))

.

2009-09-03 17:35 . 2009-09-03 18:08 -------- d-----w- C:\UBCD4Win

2009-09-02 22:00 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-02 21:59 . 2009-09-03 06:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-02 21:59 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-02 15:20 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-09-02 15:20 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-09-02 15:20 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-09-02 15:20 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-09-02 15:20 . 2009-09-02 15:20 -------- d-----w- c:\program files\Avira

2009-09-02 15:20 . 2009-09-02 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-08-31 17:21 . 2009-08-31 21:18 -------- d-----w- c:\docume~1\Phinizy\APPLIC~1\Webroot

2009-08-27 02:51 . 2009-08-31 19:37 15 ----a-w- c:\documents and settings\Phinizy\settings.dat

2009-08-27 02:21 . 2009-08-27 02:21 -------- d-----w- c:\documents and settings\Phinizy\Local Settings\Application Data\Help

2009-08-27 02:13 . 2009-08-27 02:13 -------- d--h--w- c:\windows\PIF

2009-08-26 18:13 . 2009-08-26 18:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-08-24 18:27 . 2009-08-24 18:27 -------- d-----w- c:\docume~1\Phinizy\APPLIC~1\Malwarebytes

2009-08-24 18:27 . 2009-08-24 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-24 13:46 . 2009-09-03 06:05 -------- d-----w- c:\program files\Prevx

2009-08-24 13:46 . 2009-08-24 13:46 27656 ----a-w- c:\windows\system32\drivers\pxsec.sys

2009-08-24 13:46 . 2009-08-24 13:46 22024 ----a-w- c:\windows\system32\drivers\pxscan.sys

2009-08-24 13:45 . 2009-09-02 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI

2009-08-23 23:02 . 2009-08-23 23:02 -------- d-----w- c:\program files\Webroot

2009-08-22 22:53 . 2009-08-31 19:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-13 22:50 . 2009-08-13 22:49 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-08-08 21:56 . 2009-08-08 21:56 -------- d-----w- c:\program files\iPod

2009-08-08 21:56 . 2009-08-08 21:57 -------- d-----w- c:\program files\iTunes

2009-08-08 21:56 . 2009-08-08 21:57 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-08-08 21:54 . 2009-08-08 21:54 -------- d-----w- c:\program files\QuickTime

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-04 18:47 . 2008-05-30 22:07 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-09-04 15:31 . 2008-05-21 09:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic

2009-09-02 16:37 . 2008-11-19 17:55 -------- d-----w- c:\program files\Screen Shot Deluxe 7.0

2009-08-31 06:15 . 2008-05-21 08:50 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-31 04:12 . 2009-08-31 04:12 503 ----a-w- c:\windows\system32\drivers\Shortcut to drivers.lnk

2009-08-23 23:00 . 2009-03-26 14:54 164 ----a-w- c:\windows\install.dat

2009-08-23 06:46 . 2008-08-18 19:14 -------- d-----w- c:\program files\Yahoo!

2009-08-20 16:28 . 2008-05-21 09:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-13 22:49 . 2008-05-21 08:48 -------- d-----w- c:\program files\Java

2009-08-08 21:56 . 2008-08-19 19:33 -------- d-----w- c:\program files\Common Files\Apple

2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-01 19:48 . 2008-10-31 14:32 -------- d-----w- c:\program files\Microsoft Silverlight

2009-07-17 19:01 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 04:43 . 2004-08-11 22:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-13 20:26 . 2009-07-13 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Cingular

2009-06-29 16:12 . 2004-08-11 22:00 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-11 22:00 17408 ------w- c:\windows\system32\corpol.dll

2009-06-25 08:25 . 2004-08-11 22:00 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2004-08-11 22:00 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2004-08-11 22:00 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 08:25 . 2004-08-11 22:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2004-08-11 22:00 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-24 11:18 . 2004-08-11 22:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-16 14:36 . 2004-08-11 22:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2004-08-11 22:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-12 12:31 . 2004-08-11 22:00 80896 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 12:31 . 2004-08-11 22:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:19 . 2004-08-11 22:11 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 14:13 . 2004-08-11 22:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:14 . 2004-08-11 22:00 132096 ----a-w- c:\windows\system32\wkssvc.dll

.

------- Sigcheck -------

[7] 2004-08-04 10:00 55808 82B24CB70E5944E6E34662205A2A5B78 c:\windows\$NtServicePackUninstall$\eventlog.dll

[7] 2008-04-14 00:11 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\ServicePackFiles\i386\eventlog.dll

[-] 2008-04-14 00:11 62464 !HASH: COULD NOT OPEN FILE !!!!! c:\windows\system32\eventlog.dll

[7] 2008-04-14 00:11 56320 6D4FEB43EE538FC5428CC7F0565AA656 c:\windows\system32\dllcache\eventlog.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1024000]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]

"osCheck"="c:\program files\Norton 360 Premier Edition\osCheck.exe" [2008-02-26 988512]

"Kernel and Hardware Abstraction Layer"="c:\windows\KHALMNPR.EXE" [2008-02-29 76304]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-6 805392]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=

"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=

"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [5/29/2008 3:04 PM 17792]

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [8/24/2009 8:46 AM 22024]

R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [8/24/2009 8:46 AM 27656]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/2/2009 10:20 AM 108289]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 5:42 PM 156968]

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 2:37 PM 149352]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 7:19 PM 102448]

S2 CSIScanner;CSIScanner;"c:\program files\Prevx\prevx.exe" /service --> c:\program files\Prevx\prevx.exe [?]

S2 Roxio Upnp Server 11;Roxio Upnp Server 11;c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUpnpService11.exe [8/14/2008 1:25 AM 367088]

S2 RoxLiveShare11;LiveShare P2P Server 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe [8/14/2008 1:24 AM 309744]

S2 RoxWatch11;Roxio Hard Drive Watcher 11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe [8/14/2008 1:24 AM 170480]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 9:32 PM 23888]

S3 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;\??\c:\docume~1\Phinizy\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys --> c:\docume~1\Phinizy\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys [?]

S3 HGKBFGS;HGKBFGS;c:\docume~1\Phinizy\LOCALS~1\Temp\HGKBFGS.exe --> c:\docume~1\Phinizy\LOCALS~1\Temp\HGKBFGS.exe [?]

S3 N;N;c:\docume~1\Phinizy\LOCALS~1\Temp\N.exe --> c:\docume~1\Phinizy\LOCALS~1\Temp\N.exe [?]

S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe [8/14/2008 1:25 AM 313840]

S3 RoxMediaDB11;RoxMediaDB11;c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe [1/8/2009 1:52 AM 1122304]

S3 Symbionica: FaceSay Classroom update permissions manager. 1990.;Symbionica: FaceSay Classroom update permissions manager. 1990.;c:\program files\FaceSayClassroom\FaceSayClassroom_GetLatestVersion.exe -PermissionManagerRun --> c:\program files\FaceSayClassroom\FaceSayClassroom_GetLatestVersion.exe -PermissionManagerRun [?]

S3 WUQUBKJ;WUQUBKJ;c:\docume~1\Phinizy\LOCALS~1\Temp\WUQUBKJ.exe --> c:\docume~1\Phinizy\LOCALS~1\Temp\WUQUBKJ.exe [?]

S3 YXYXKUAI;YXYXKUAI;c:\docume~1\Phinizy\LOCALS~1\Temp\YXYXKUAI.exe --> c:\docume~1\Phinizy\LOCALS~1\Temp\YXYXKUAI.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

*NewlyCreated* - PPA

*NewlyCreated* - {79007602-0CDB-4405-9DBF-1257BB3226EE}

*Deregistered* - {79007602-0CDB-4405-9DBF-1257BB3226EE}

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.al.com/

uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080521

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-04 13:49

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

"ImagePath"="c:\progra~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Symbionica: FaceSay Classroom update permissions manager. 1990.]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b57w2k]

"ImagePath"="system32\DRIVERS\b57xp32.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BattC]

"MofImagePath"="System32\Drivers\battc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Beep]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BITS]

"ServiceDll"="%systemroot%\system32\qmgr.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BMUService]

"ImagePath"="\"c:\program files\Memeo\AutoBackup\MemeoService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Browser]

"ServiceDll"="%SystemRoot%\System32\browser.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]

"ImagePath"="\??\c:\docume~1\Phinizy\LOCALS~1\Temp\catchme.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cbidf]

"ImagePath"="\SystemRoot\system32\DRIVERS\cbidf2k.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cbidf2k]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CCDECODE]

"ImagePath"="system32\DRIVERS\CCDECODE.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]

"ImagePath"="\"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe\" /h ccCommon"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccSetMgr]

"ImagePath"="\"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe\" /h ccCommon"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cd20xrnt]

"ImagePath"="\SystemRoot\system32\DRIVERS\cd20xrnt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdaudio]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdrom]

"ImagePath"="system32\DRIVERS\cdrom.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Changer]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CiSvc]

"ImagePath"="%SystemRoot%\system32\cisvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ClipSrv]

"ImagePath"="%SystemRoot%\system32\clipsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clr_optimization_v2.0.50727_32]

"ImagePath"="c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CLTNetCnService]

"ImagePath"="\"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe\" /h ccCommon"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CmBatt]

"ImagePath"="system32\DRIVERS\CmBatt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CmdIde]

"ImagePath"="\SystemRoot\system32\DRIVERS\cmdide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\COH_Mon]

"ImagePath"="\??\c:\windows\system32\Drivers\COH_Mon.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\comHost]

"ImagePath"="\"c:\program files\Common Files\Symantec Shared\VAScanner\comHost.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Compbatt]

"ImagePath"="system32\DRIVERS\compbatt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\COMSysApp]

"ImagePath"="c:\windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContentFilter]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContentIndex]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CO_Mon]

"ImagePath"="\??\c:\windows\system32\drivers\CO_Mon.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cpqarray]

"ImagePath"="\SystemRoot\system32\DRIVERS\cpqarray.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CryptSvc]

"ServiceDll"="%SystemRoot%\System32\cryptsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CSIScanner]

"ImagePath"="\"c:\program files\Prevx\prevx.exe\" /service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac2w2k]

"ImagePath"="\SystemRoot\system32\DRIVERS\dac2w2k.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac960nt]

"ImagePath"="\SystemRoot\system32\DRIVERS\dac960nt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DcomLaunch]

"ServiceDll"="%SystemRoot%\system32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dhcp]

"ServiceDll"="%SystemRoot%\System32\dhcpcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Disk]

"ImagePath"="system32\DRIVERS\disk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Diskeeper]

"ImagePath"="\"c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLABMFSM]

"ImagePath"="System32\Drivers\DLABMFSM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLABOIOM]

"ImagePath"="System32\Drivers\DLABOIOM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLACDBHM]

"ImagePath"="System32\Drivers\DLACDBHM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLADResM]

"ImagePath"="System32\Drivers\DLADResM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLAIFS_M]

"ImagePath"="System32\Drivers\DLAIFS_M.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLAOPIOM]

"ImagePath"="System32\Drivers\DLAOPIOM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLAPoolM]

"ImagePath"="System32\Drivers\DLAPoolM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLARTL_M]

"ImagePath"="System32\Drivers\DLARTL_M.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLAUDFAM]

"ImagePath"="System32\Drivers\DLAUDFAM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLAUDF_M]

"ImagePath"="System32\Drivers\DLAUDF_M.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmadmin]

"ImagePath"="%SystemRoot%\System32\dmadmin.exe /com"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmboot]

"ImagePath"="System32\drivers\dmboot.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmio]

"ImagePath"="System32\drivers\dmio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmload]

"ImagePath"="System32\drivers\dmload.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmserver]

"ServiceDll"="%SystemRoot%\System32\dmserver.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DMusic]

"ImagePath"="system32\drivers\DMusic.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dnscache]

"ServiceDll"="%SystemRoot%\System32\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dot3svc]

"ServiceDll"="%SystemRoot%\System32\dot3svc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dpti2o]

"ImagePath"="\SystemRoot\system32\DRIVERS\dpti2o.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\drmkaud]

"ImagePath"="system32\drivers\drmkaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DRVMCDB]

"ImagePath"="System32\Drivers\DRVMCDB.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DRVNDDM]

"ImagePath"="System32\Drivers\DRVNDDM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\E100B]

"ImagePath"="system32\DRIVERS\e100b325.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EapHost]

"ServiceDll"="%SystemRoot%\System32\eapsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eeCtrl]

"ImagePath"="\??\c:\program files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EraserUtilRebootDrv]

"ImagePath"="\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ERSvc]

"ServiceDll"="%SystemRoot%\System32\ersvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Eventlog]

"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventSystem]

"ServiceDll"="c:\windows\system32\es.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EvtEng]

"ImagePath"="c:\program files\Intel\Wireless\Bin\EvtEng.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fastfat]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FastUserSwitchingCompatibility]

"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fax]

"ImagePath"="%systemroot%\system32\fxssvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc]

"ImagePath"="system32\DRIVERS\fdc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fips]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FLEXnet Licensing Service]

"ImagePath"="\"c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]

"ImagePath"="system32\DRIVERS\flpydisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FltMgr]

"ImagePath"="system32\drivers\fltmgr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FontCache3.0.0.0]

"ImagePath"="c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FreeAgentGoNext Service]

"ImagePath"="\"c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fsbl-standalone]

"ImagePath"="\??\c:\docume~1\Phinizy\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fs_Rec]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ftdisk]

"ImagePath"="system32\DRIVERS\ftdisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GEARAspiWDM]

"ImagePath"="System32\Drivers\GEARAspiWDM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GoogleDesktopManager-010708-104812]

"ImagePath"="\"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Gpc]

"ImagePath"="system32\DRIVERS\msgpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\guardian2]

"ImagePath"="System32\Drivers\oz776.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gusvc]

"ImagePath"="\"c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HDAudBus]

"ImagePath"="system32\DRIVERS\HDAudBus.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\helpsvc]

"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HGKBFGS]

"ImagePath"="c:\docume~1\Phinizy\LOCALS~1\Temp\HGKBFGS.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidServ]

"ServiceDll"="%SystemRoot%\System32\hidserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidUsb]

"ImagePath"="system32\DRIVERS\hidusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hkmsvc]

"ServiceDll"="%SystemRoot%\System32\kmsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpn]

"ImagePath"="\SystemRoot\system32\DRIVERS\hpn.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpqcxs08]

"ServiceDll"="c:\program files\HP\Digital Imaging\bin\hpqcxs08.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpqddsvc]

"ServiceDll"="c:\program files\HP\Digital Imaging\bin\hpqddsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZid412]

"ImagePath"="system32\DRIVERS\HPZid412.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZipr12]

"ImagePath"="system32\DRIVERS\HPZipr12.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZius12]

"ImagePath"="system32\DRIVERS\HPZius12.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HSFHWAZL]

"ImagePath"="system32\DRIVERS\HSFHWAZL.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HSF_DPV]

"ImagePath"="system32\DRIVERS\HSF_DPV.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTP]

"ImagePath"="System32\Drivers\HTTP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTPFilter]

"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omgmt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omp]

"ImagePath"="\SystemRoot\system32\DRIVERS\i2omp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i8042prt]

"ImagePath"="system32\DRIVERS\i8042prt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\idsvc]

"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Imapi]

"ImagePath"="system32\DRIVERS\imapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ImapiService]

"ImagePath"="%systemroot%\system32\imapi.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\inetaccs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ini910u]

"ImagePath"="\SystemRoot\system32\DRIVERS\ini910u.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Inport]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IntelIde]

"ImagePath"="\SystemRoot\system32\DRIVERS\intelide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\intelppm]

"ImagePath"="system32\DRIVERS\intelppm.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iomdisk]

"ImagePath"="System32\DRIVERS\iomdisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]

"ImagePath"="\"\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega App Services]

"ImagePath"="\"c:\progra~1\Iomega\System32\AppServices.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ip6Fw]

"ImagePath"="system32\drivers\ip6fw.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpFilterDriver]

"ImagePath"="system32\DRIVERS\ipfltdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpInIp]

"ImagePath"="system32\DRIVERS\ipinip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpNat]

"ImagePath"="system32\DRIVERS\ipnat.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iPod Service]

"ImagePath"="\"c:\program files\iPod\bin\iPodService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IPSec]

"ImagePath"="system32\DRIVERS\ipsec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IRENUM]

"ImagePath"="system32\DRIVERS\irenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ISAPISearch]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\isapnp]

"ImagePath"="system32\DRIVERS\isapnp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\JavaQuickStarterService]

"ImagePath"="\"c:\program files\Java\jre6\bin\jqs.exe\" -service -config \"c:\program files\Java\jre6\lib\deploy\jqs\jqs.conf\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Kbdclass]

"ImagePath"="system32\DRIVERS\kbdclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbdhid]

"ImagePath"="system32\DRIVERS\kbdhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kmixer]

"ImagePath"="system32\drivers\kmixer.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KSecDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanserver]

"ServiceDll"="%SystemRoot%\System32\srvsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanworkstation]

"ServiceDll"="%SystemRoot%\System32\wkssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lbrtfdc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LBTServ]

"ImagePath"="c:\program files\Common Files\Logitech\Bluetooth\LBTServ.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ldap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LHidFilt]

"ImagePath"="system32\DRIVERS\LHidFilt.Sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LHidKe]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LicenseService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LiveUpdate]

"ImagePath"="\"c:\program files\Symantec\LiveUpdate\LuComServer_3_4.EXE\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LiveUpdate Notice]

"ImagePath"="\"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe\" /h ccCommon"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LmHosts]

"ServiceDll"="%SystemRoot%\System32\lmhsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LMouFilt]

"ImagePath"="system32\DRIVERS\LMouFilt.Sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LUsbFilt]

"ImagePath"="System32\Drivers\LUsbFilt.Sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MarvinBus]

"ImagePath"="system32\DRIVERS\MarvinBus.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mdmxsdk]

"ImagePath"="system32\DRIVERS\mdmxsdk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Messenger]

"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmdd]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmsrvc]

"ImagePath"="c:\windows\system32\mnmsrvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mod7700]

"ImagePath"="System32\Drivers\dvb7700all.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Modem]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mouclass]

"ImagePath"="system32\DRIVERS\mouclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mouhid]

"ImagePath"="system32\DRIVERS\mouhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MountMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MPE]

"ImagePath"="system32\DRIVERS\MPE.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mraid35x]

"ImagePath"="\SystemRoot\system32\DRIVERS\mraid35x.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxDAV]

"ImagePath"="system32\DRIVERS\mrxdav.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxSmb]

"ImagePath"="system32\DRIVERS\mrxsmb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC]

"ImagePath"="c:\windows\system32\msdtc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC Bridge 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDV]

"ImagePath"="system32\DRIVERS\msdv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Msfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSIServer]

"ImagePath"="%systemroot%\system32\msiexec.exe /V"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSKSSRV]

"ImagePath"="system32\drivers\MSKSSRV.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPCLOCK]

"ImagePath"="system32\drivers\MSPCLOCK.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPQM]

"ImagePath"="system32\drivers\MSPQM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSSCNTRS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mssmbios]

"ImagePath"="system32\DRIVERS\mssmbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSTAPE]

"ImagePath"="system32\DRIVERS\mstape.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSTEE]

"ImagePath"="system32\drivers\MSTEE.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mup]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N]

"ImagePath"="c:\docume~1\Phinizy\LOCALS~1\Temp\N.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NABTSFEC]

"ImagePath"="system32\DRIVERS\NABTSFEC.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\napagent]

"ServiceDll"="%SystemRoot%\System32\qagentrt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVENG]

"ImagePath"="\??\c:\progra~1\COMMON~1\SYMANT~1\VIRUSD~1\20090904.009\NAVENG.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVEX15]

"ImagePath"="\??\c:\progra~1\COMMON~1\SYMANT~1\VIRUSD~1\20090904.009\NAVEX15.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDIS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisIP]

"ImagePath"="system32\DRIVERS\NdisIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisTapi]

"ImagePath"="system32\DRIVERS\ndistapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ndisuio]

"ImagePath"="system32\DRIVERS\ndisuio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisWan]

"ImagePath"="system32\DRIVERS\ndiswan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDProxy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Net Driver HPZ12]

"ServiceDll"="c:\windows\system32\HPZinw12.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBIOS]

"ImagePath"="system32\DRIVERS\netbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT]

"ImagePath"="system32\DRIVERS\netbt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDE]

"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDEdsdm]

"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netlogon]

"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netman]

"ServiceDll"="%SystemRoot%\System32\netman.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetTcpPortSharing]

"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NETw4x32]

"ImagePath"="system32\DRIVERS\NETw4x32.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIC1394]

"ImagePath"="system32\DRIVERS\nic1394.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NICCONFIGSVC]

"ImagePath"="c:\program files\Dell\QuickSet\NICCONFIGSVC.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Nla]

"ServiceDll"="%SystemRoot%\System32\mswsock.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Npfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ntfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtLmSsp]

"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc]

"ServiceDll"="%SystemRoot%\system32\ntmssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Null]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nv]

"ImagePath"="system32\DRIVERS\nv4_mini.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NVSvc]

"ImagePath"="%SystemRoot%\system32\nvsvc32.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFlt]

"ImagePath"="system32\DRIVERS\nwlnkflt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFwd]

"ImagePath"="system32\DRIVERS\nwlnkfwd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\odserv]

"ImagePath"="\"c:\program files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ohci1394]

"ImagePath"="system32\DRIVERS\ohci1394.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ose]

"ImagePath"="\"c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Outlook]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Parallel]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Parport]

"ImagePath"="system32\DRIVERS\parport.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PartMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ParVdm]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCI]

"ImagePath"="system32\DRIVERS\pci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIDump]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIIde]

"ImagePath"="system32\DRIVERS\pciide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pcmcia]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCTINDIS5]

"ImagePath"="\??\c:\windows\system32\PCTINDIS5.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDCOMP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRELI]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2]

"ImagePath"="\SystemRoot\system32\DRIVERS\perc2.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2hib]

"ImagePath"="\SystemRoot\system32\DRIVERS\perc2hib.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfDisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfNet]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfOS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfProc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PlugPlay]

"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pml Driver HPZ12]

"ServiceDll"="c:\windows\system32\HPZipm12.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PolicyAgent]

"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ppa]

"ImagePath"="system32\DRIVERS\ppa.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PptpMiniport]

"ImagePath"="system32\DRIVERS\raspptp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ProtectedStorage]

"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSched]

"ImagePath"="system32\DRIVERS\psched.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ptilink]

"ImagePath"="system32\DRIVERS\ptilink.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PxHelp20]

"ImagePath"="System32\Drivers\PxHelp20.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pxscan]

"ImagePath"="System32\drivers\pxscan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pxsec]

"ImagePath"="System32\drivers\pxsec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1080]

"ImagePath"="\SystemRoot\system32\DRIVERS\ql1080.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ql10wnt]

"ImagePath"="\SystemRoot\system32\DRIVERS\ql10wnt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql12160]

"ImagePath"="\SystemRoot\system32\DRIVERS\ql12160.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1240]

"ImagePath"="\SystemRoot\system32\DRIVERS\ql1240.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1280]

"ImagePath"="\SystemRoot\system32\DRIVERS\ql1280.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAcd]

"ImagePath"="system32\DRIVERS\rasacd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAuto]

"ServiceDll"="%SystemRoot%\System32\rasauto.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rasl2tp]

"ImagePath"="system32\DRIVERS\rasl2tp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasMan]

"ServiceDll"="%SystemRoot%\System32\rasmans.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasPppoe]

"ImagePath"="system32\DRIVERS\raspppoe.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Raspti]

"ImagePath"="system32\DRIVERS\raspti.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rdbss]

"ImagePath"="system32\DRIVERS\rdbss.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPCDD]

"ImagePath"="System32\DRIVERS\RDPCDD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rdpdr]

"ImagePath"="system32\DRIVERS\rdpdr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPNP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPWD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDSessMgr]

"ImagePath"="c:\windows\system32\sessmgr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]

"ImagePath"="system32\DRIVERS\redbook.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RegSrvc]

"ImagePath"="c:\program files\Intel\Wireless\Bin\RegSrvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteAccess]

"ServiceDll"="%SystemRoot%\System32\mprdim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteRegistry]

"ServiceDll"="%SystemRoot%\system32\regsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rimmptsk]

"ImagePath"="system32\DRIVERS\rimmptsk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RimSerPort]

"ImagePath"="system32\DRIVERS\RimSerial.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rimsptsk]

"ImagePath"="system32\DRIVERS\rimsptsk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rismxdp]

"ImagePath"="system32\DRIVERS\rixdptsk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ROOTMODEM]

"ImagePath"="System32\Drivers\RootMdm.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Roxio UPnP Renderer 11]

"ImagePath"="\"c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Roxio Upnp Server 11]

"ImagePath"="\"c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUpnpService11.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RoxLiveShare11]

"ImagePath"="\"c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxLiveShare11.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RoxMediaDB11]

"ImagePath"="\"c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxMediaDB11.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RoxWatch11]

"ImagePath"="\"c:\program files\Common Files\Roxio Shared\11.0\SharedCOM\RoxWatch11.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcLocator]

"ImagePath"="%SystemRoot%\system32\locator.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcSs]

"ServiceDll"="%SystemRoot%\System32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RSVP]

"ImagePath"="%SystemRoot%\system32\rsvp.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RxFilter]

"ImagePath"="system32\DRIVERS\RxFilter.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\S24EventMonitor]

"ImagePath"="c:\program files\Intel\Wireless\Bin\S24EvMon.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\s24trans]

"ImagePath"="system32\DRIVERS\s24trans.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SamSs]

"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sbp2port]

"ImagePath"="system32\DRIVERS\sbp2port.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SCardSvr]

"ImagePath"="%SystemRoot%\System32\SCardSvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Schedule]

"ServiceDll"="%SystemRoot%\system32\schedsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ScsiPort]

"ImagePath"="%SystemRoot%\system32\drivers\scsiport.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sdbus]

"ImagePath"="system32\DRIVERS\sdbus.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Secdrv]

"ImagePath"="system32\DRIVERS\secdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seclogon]

"ServiceDll"="%SystemRoot%\System32\seclogon.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SENS]

"ServiceDll"="%SystemRoot%\system32\sens.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\serenum]

"ImagePath"="system32\DRIVERS\serenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Serial]

"ImagePath"="system32\DRIVERS\serial.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelEndpoint 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelOperation 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelService 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sffdisk]

"ImagePath"="system32\DRIVERS\sffdisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sffp_sd]

"ImagePath"="system32\DRIVERS\sffp_sd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sfloppy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess]

"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ShellHWDetection]

"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Simbad]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sisagp]

"ImagePath"="\SystemRoot\system32\DRIVERS\sisagp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SLIP]

"ImagePath"="system32\DRIVERS\SLIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SMSvcHost 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sparrow]

"ImagePath"="\SystemRoot\system32\DRIVERS\sparrow.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SPBBCDrv]

"ImagePath"="\??\c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\splitter]

"ImagePath"="system32\drivers\splitter.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Spooler]

"ImagePath"="%SystemRoot%\system32\spoolsv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SQLWriter]

"ImagePath"="\"c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sr]

"ImagePath"="system32\DRIVERS\sr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srservice]

"ServiceDll"="%SystemRoot%\system32\srsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SRTSP]

"ImagePath"="System32\Drivers\SRTSP.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SRTSPL]

"ImagePath"="System32\Drivers\SRTSPL.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SRTSPX]

"ImagePath"="System32\Drivers\SRTSPX.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Srv]

"ImagePath"="system32\DRIVERS\srv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SSDPSRV]

"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ssmdrv]

"ImagePath"="system32\DRIVERS\ssmdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\STHDA]

"ImagePath"="system32\drivers\sthda.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\stisvc]

"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\stllssvr]

"ImagePath"="\"c:\program files\Common Files\SureThing Shared\stllssvr.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\streamip]

"ImagePath"="system32\DRIVERS\StreamIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swenum]

"ImagePath"="system32\DRIVERS\swenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swmidi]

"ImagePath"="system32\drivers\swmidi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SwPrv]

"ImagePath"="c:\windows\system32\dllhost.exe /Processid:{2F130D52-0BDB-47EB-AF81-1E09BA7E21E7}"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swwd]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Symantec Core LC]

"ImagePath"="c:\progra~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Symbionica: FaceSay Classroom update permissions manager. 1990.]

"ImagePath"="c:\program files\FaceSayClassroom\FaceSayClassroom_GetLatestVersion.exe -PermissionManagerRun"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc810]

"ImagePath"="\SystemRoot\system32\DRIVERS\symc810.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc8xx]

"ImagePath"="\SystemRoot\system32\DRIVERS\symc8xx.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMDNS]

"ImagePath"="\SystemRoot\System32\Drivers\SYMDNS.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SymEvent]

"ImagePath"="\??\c:\windows\system32\Drivers\SYMEVENT.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMFW]

"ImagePath"="\SystemRoot\System32\Drivers\SYMFW.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMIDS]

"ImagePath"="\SystemRoot\System32\Drivers\SYMIDS.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMIDSCO]

"ImagePath"="\??\c:\progra~1\COMMON~1\SYMANT~1\SymcData\ipsdefs\20090826.001\SymIDSCo.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SymIM]

"ImagePath"="system32\DRIVERS\SymIM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SymIMMP]

"ImagePath"="system32\DRIVERS\SymIM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMNDIS]

"ImagePath"="\SystemRoot\System32\Drivers\SYMNDIS.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMREDRV]

"ImagePath"="\SystemRoot\System32\Drivers\SYMREDRV.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]

"ImagePath"="\SystemRoot\System32\Drivers\SYMTDI.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_hi]

"ImagePath"="\SystemRoot\system32\DRIVERS\sym_hi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_u3]

"ImagePath"="\SystemRoot\system32\DRIVERS\sym_u3.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SynPS2Enable]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SynTP]

"ImagePath"="system32\DRIVERS\SynTP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sysaudio]

"ImagePath"="system32\drivers\sysaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SysmonLog]

"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TapiSrv]

"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip]

"ImagePath"="system32\DRIVERS\tcpip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TcUsb]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDPIPE]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDTCP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermDD]

"ImagePath"="system32\DRIVERS\termdd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermService]

"ServiceDll"="%SystemRoot%\System32\termsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Themes]

"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TlntSvr]

"ImagePath"="c:\windows\system32\tlntsvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TosIde]

"ImagePath"="\SystemRoot\system32\DRIVERS\toside.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TrkWks]

"ServiceDll"="%SystemRoot%\system32\trkwks.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TSDDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Udfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UGatherer]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UGTHRSVC]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ultra]

"ImagePath"="\SystemRoot\system32\DRIVERS\ultra.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update]

"ImagePath"="system32\DRIVERS\update.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\upnphost]

"ServiceDll"="%SystemRoot%\System32\upnphost.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPS]

"ImagePath"="%SystemRoot%\System32\ups.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usb]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbccgp]

"ImagePath"="system32\DRIVERS\usbccgp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbehci]

"ImagePath"="system32\DRIVERS\usbehci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbhub]

"ImagePath"="system32\DRIVERS\usbhub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbprint]

"ImagePath"="system32\DRIVERS\usbprint.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbscan]

"ImagePath"="system32\DRIVERS\usbscan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\USBSTOR]

"ImagePath"="system32\DRIVERS\USBSTOR.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbuhci]

"ImagePath"="system32\DRIVERS\usbuhci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usb_rndisx]

"ImagePath"="system32\DRIVERS\usb8023x.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VgaSave]

"ImagePath"="\SystemRoot\System32\drivers\vga.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\viaagp]

"ImagePath"="\SystemRoot\system32\DRIVERS\viaagp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ViaIde]

"ImagePath"="\SystemRoot\system32\DRIVERS\viaide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VolSnap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VSS]

"ImagePath"="%SystemRoot%\System32\vssvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\w32time]

"ServiceDll"="%systemroot%\system32\w32time.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W3SVC]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wanarp]

"ImagePath"="system32\DRIVERS\wanarp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WaveFDE]

"ImagePath"="system32\DRIVERS\WaveFDE.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wdf01000]

"ImagePath"="system32\DRIVERS\Wdf01000.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WDICA]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wdmaud]

"ImagePath"="system32\drivers\wdmaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebClient]

"ServiceDll"="%SystemRoot%\System32\webclnt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebrootSpySweeperService]

"ImagePath"="\"c:\program files\Webroot\WebrootSecurity\SpySweeper.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winachsf]

"ImagePath"="system32\DRIVERS\HSF_CNXT.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Windows Workflow Foundation 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt]

"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Winsock]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinSock2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinTrust]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WLANKEEPER]

"ImagePath"="c:\program files\Intel\Wireless\Bin\WLKeeper.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmdmPmSN]

"ServiceDll"="c:\windows\system32\MsPMSNSv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wmi]

"ServiceDll"="%SystemRoot%\System32\advapi32.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiAcpi]

"ImagePath"="system32\DRIVERS\wmiacpi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApRpl]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApSrv]

"ImagePath"="c:\windows\system32\wbem\wmiapsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WMPNetworkSvc]

"ImagePath"="\"c:\program files\Windows Media Player\WMPNetwk.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WS2IFSL]

"ImagePath"="\SystemRoot\System32\drivers\ws2ifsl.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wscsvc]

"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WSearch]

"ImagePath"="%systemroot%\system32\SearchIndexer.exe /Embedding"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WSearchIdxPi]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WSTCODEC]

"ImagePath"="system32\DRIVERS\WSTCODEC.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauserv]

"ServiceDll"="c:\windows\system32\wuauserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfPf]

"ImagePath"="system32\DRIVERS\WudfPf.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfRd]

"ImagePath"="system32\DRIVERS\wudfrd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfSvc]

"ServiceDll"="%SystemRoot%\System32\WUDFSvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WUQUBKJ]

"ImagePath"="c:\docume~1\Phinizy\LOCALS~1\Temp\WUQUBKJ.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WZCSVC]

"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xmlprov]

"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\YXYXKUAI]

"ImagePath"="c:\docume~1\Phinizy\LOCALS~1\Temp\YXYXKUAI.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\_IOMEGA_ACTIVE_DISK_SERVICE_]

"ImagePath"="\"c:\program files\Iomega\AutoDisk\ADService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{6568C0B8-1ADC-4656-91B6-4637E2A72970}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{9FFA7888-009A-4933-883A-DD669E6F4BA8}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{A698625C-9EA6-4C6A-941F-F868C7992C53}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{A8803233-7495-4405-B7CC-11677F22B59A}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{DAC6FF3B-201D-4ABD-A13C-D4933644CB52}]

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,0c,4a,80,8b,21,

6e,9a,be,2e,e8,e1,00,eb,16,2b,de,60,2f,04,36,53,6b,19,df,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,8a,da,b7,74,6d,

ba,5d,27,46,47,15,b0,92,4b,c7,ef,4c,38,27,46,94,f1,53,59,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,c5,a3,e9,14,b9,

47,3f,5e,7a,45,05,fd,91,e8,6f,31,f4,36,8f,bb,65,38,ba,a3,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,8f,8a,31,25,57,

b1,ac,69,6b,65,49,6a,7e,99,74,f7,e9,bb,7f,88,7a,a8,97,56,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,d4,de,ac,95,65,

25,5c,44,e9,02,6c,fa,fb,1d,47,57,84,6b,1e,9f,70,01,e5,41,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,96,08,ac,c7,29,

1c,58,e1,50,93,e5,ab,ec,6a,4e,ab,42,36,34,a4,03,3b,b0,5e,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,5e,40,21,b3,0b,

83,ca,19,97,20,4e,9a,c7,f1,35,ee,e1,57,36,f1,18,97,76,73,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,cf,7a,3d,89,32,

52,9f,6c,aa,52,c6,00,84,3c,26,64,00,70,50,10,50,c0,68,12,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,7a,be,41,43,de,

69,c4,df,b2,46,9a,e2,1b,fe,1b,94,48,fb,e2,94,61,25,b1,aa,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,72,8c,b1,4c,51,

4f,4e,52,37,a4,aa,c3,a6,15,56,0a,35,9b,e2,15,60,f1,9d,56,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F5944B6F-BCF7-3A44-7C0A-9D7576073AA2}\InProcServer32*]

"iaghhmipbbemaepnkf"=hex:69,61,69,6b,70,6d,6b,70,68,6a,6f,70,69,61,6b,6d,67,6a,

00,73

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,e2,94,6e,ce,04,

89,74,9b,f8,31,0f,a9,5f,a0,ec,fb,74,cf,23,7e,b1,71,e8,8c,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,40,c6,1a,25,29,

e2,c1,f8,05,73,21,dd,54,d8,4a,c5,96,6e,58,65,53,62,23,24,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1392)

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3508)

c:\windows\system32\WININET.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Roxio\Drag-to-Disc\Shellex.dll

c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL

c:\program files\Roxio\Drag-to-Disc\ShellRes.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\searchindexer.exe

c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe

c:\windows\system32\wbem\wmiadap.exe

.

**************************************************************************

.

Completion time: 2009-09-04 13:52 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-04 18:52

Pre-Run: 91,455,561,728 bytes free

Post-Run: 91,464,314,880 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

1081 --- E O F --- 2008-12-17 20:30

Thank you very much!!!

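One detail in the services section of the ComboFix log above is worth a second look: the YXYXKUAI entry has its ImagePath under the user's Temp folder, which is not where a legitimate service normally lives. As an added illustration (not part of this thread and not ComboFix's own code), the Python script below parses ComboFix's .reg-style services dump and flags the two things a responder would check first: executables that run from a temp directory, and unquoted ImagePaths containing spaces. The sample dump is constructed for the example; the ExampleUnquoted service and the expansion of %SystemRoot% to c:\windows are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the .reg-style layout ComboFix uses for its services
# dump. The xmlprov, YXYXKUAI and Iomega entries mirror lines in the log
# above; ExampleUnquoted is made up to exercise the unquoted-path check.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xmlprov]
"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\YXYXKUAI]
"ImagePath"="c:\docume~1\Phinizy\LOCALS~1\Temp\YXYXKUAI.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\_IOMEGA_ACTIVE_DISK_SERVICE_]
"ImagePath"="\"c:\program files\Iomega\AutoDisk\ADService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ExampleUnquoted]
"ImagePath"="c:\program files\Example Vendor\svc.exe"
'''

KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]\\]+)\]$', re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# First token ending in .exe/.dll/.sys, so trailing arguments are dropped.
EXE_RE = re.compile(r'^(.*?\.(?:exe|dll|sys))(?:\s|$)', re.I)
TEMP_MARKERS = ('\\temp\\', '\\tmp\\')


def parse_services(dump: str) -> Dict[str, Dict[str, str]]:
    """Map service name -> {value name: value} from a ComboFix services dump."""
    services: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            services.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            # .reg escaping: \" inside a value stands for a literal quote
            services[current][val.group(1)] = val.group(2).replace('\\"', '"')
    return services


def executable_from(value: str) -> Tuple[str, bool]:
    """Return (executable path, was_quoted) for an ImagePath/ServiceDll value."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return (value[1:end] if end > 0 else value[1:]), True
    m = EXE_RE.match(value)
    return (m.group(1) if m else value), False


def expand_env(path: str) -> str:
    # Assumed default for an XP system; ComboFix prints the variable unexpanded.
    return re.sub(r'%SystemRoot%', r'c:\\windows', path, flags=re.I)


def triage(services: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (service, finding) pairs for the two checks described above."""
    findings: List[Tuple[str, str]] = []
    for name, values in services.items():
        for key in ('ImagePath', 'ServiceDll'):
            if key not in values:
                continue
            exe, quoted = executable_from(values[key])
            low = expand_env(exe).lower()
            if any(marker in low for marker in TEMP_MARKERS):
                findings.append((name, 'temp-directory'))
            # An unquoted path with spaces lets Windows try shorter prefixes
            # first, so a file planted at e.g. c:\program.exe would win.
            if not quoted and ' ' in exe:
                findings.append((name, 'unquoted-path-with-spaces'))
    return findings


if __name__ == '__main__':
    for service, finding in triage(parse_services(SAMPLE_DUMP)):
        print(f'{service}: {finding}')
```

Run against a real ComboFix log, the script reports only the two heuristics it implements; a hit is a prompt to look at the file (publisher, timestamps, hash lookup), not proof of infection, and a clean result says nothing about the locked-key or rootkit sections of the log.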

Good going. But we are not done yet.

Your logs show 2 antivirus apps: Avira AntiVir and also Norton 360. If your subscription to Norton has expired, or if it was only a trial edition, I'd urge you to un-install it.

Conversely, if you do have a current Norton license, then de-install Avira. Having 2 active antivirus programs leads to serious conflicts.

I suggest you update MBAM and do a scan, followed by a scan with Sysclean.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 2746 or later. The latest program version is 1.40.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Trend Micro Damage Cleanup Engine
  • Make sure you read this document to understand how to use the program:
    Trend Micro Sysclean Package README 1st
  • Basically there are 3 parts that need to be downloaded and SAVED from these links:
  • Sysclean Package
  • Virus Pattern Files that will be a LPTxxx.ZIP file
  • Spyware Pattern Files this is an SSAPIPTNxxx.ZIP
    It is the 4th listed file, under title "Detection and Cleanup (Trend Micro Anti-Spyware)"


Good going. But we are not done yet.

I guessed as much! I was afraid you were out of touch for this long Labor Day Weekend. Thanks for being available!

Your logs show 2 antivirus apps: Avira AntiVir and also Norton 360. If your subscription to Norton has expired, or if it was only a trial edition, I'd urge you to un-install it.

Conversely, if you do have a current Norton license, then de-install Avira. Having 2 active antivirus programs leads to serious conflicts.

I was not running them concurrently, only Avira as an additional, occasional scan. Norton 360 is my primary antivirus (which I pay for). So, I uninstalled Avira AntiVir.

I suggest you update MBAM and do a scan, followed by a scan with Sysclean.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 2746 or later. The latest program version is 1.40.

When done, click the Scanner tab.

Do a Quick Scan.

I did this but Malwarebytes disappeared as soon as I clicked on Quick Scan. (before this I had uninstalled Malwarebytes -- because it was not working -- and installed a fresh copy. It updated to Definitions #2749.) I tried to open it again and I got a box saying "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I've seen that a lot before.

Should I go ahead and run the Trend Micro Cleanup Engine you suggested -- since I cannot run Malwarebytes?

I just wanted to check to make sure.

Thanks.


Go ahead and run the Sysclean, and let's hope it works. I'd like to see the log.

Here's my Sysclean.log below. I didn't see anything in the log which looked suspicious -- yet obviously I'm just a layman. Just some normal tracking cookies.

Per the ReadMe.txt file instructions for the Trend Micro Sysclean Package, I re-enabled my Norton 360 antivirus and performed a manual scan -- which picked up nothing except some more tracking cookies.

At the end of the sysclean.log it said "SSAPI requires the system to reboot." So I will reboot after sending you this Post.

I tried to open Malwarebytes (mbam.exe) but still no luck.

Thanks again for all your help. Happy Labor Day!

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2009-2010, Trend Micro, Inc. |

| http://www.trendmicro.com |

\--------------------------------------------------------------/

2009-09-06, 20:58:59, Auto-clean mode specified.

2009-09-06, 20:59:00, Initialized Rootkit Driver version 2.2.0.1004.

2009-09-06, 20:59:00, Running scanner "C:\Documents and Settings\Phinizy\Desktop\Trend Micro Sysclean Package\TSC.BIN"...

2009-09-06, 20:59:25, Scanner "C:\Documents and Settings\Phinizy\Desktop\Trend Micro Sysclean Package\TSC.BIN" has finished running.

2009-09-06, 20:59:25, TSC Log:


The Sysclean run found absolutely nada, outside of advertising-related cookies. Clean results!!

You may well only have some occasional glitch with your browser at certain sites.

Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select Tools, then Folder Options, and then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

=

  • Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe
  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :files
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler

    :Commands
    [purity]
    [emptytemp]
    [reboot]


  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

=

Let's ensure we remove the MBAM you now have and then get a new copy.

Download and run this utility. http://www.malwarebytes.org/mbam-clean.exe

It will ask to restart your computer (please allow it to).

Next, Please download & save Malwarebytes Anti-Malware from

http://www.download.com/Malwarebytes-Anti-..._4-10804572.htm or

http://www.besttechie.net/tools/mbam-setup.exe or

http://malwarebytes.gt500.org/mbam.jsp

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately.

Reply with copy of the OTL MovedFiles log

and MBAM scan log

and tell me, how is your system now?


The Sysclean run found absolutely nada, outside of advertising-related cookies. Clean results!!

You may well only have some occasional glitch with your browser at certain sites.

Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select Tools, then Folder Options, and then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Oh yes, I've had these settings from the beginning.

  • Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe
  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :files
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler

    :Commands
    [purity]
    [emptytemp]
    [reboot]


I added i:\recycler after h:\recycler since my Seagate external USB hard drive (for backups) is labeled i:\

  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

I'm a little confused about which log file to send. Here is the file after first running OTL -- before rebooting. It's late and I'm tired and not sure. I will reboot again and send you another log.

All processes killed

========== FILES ==========

C:\RECYCLER\S-1-5-21-679438671-3680841387-3997752115-1008\Dc1 moved successfully.

C:\RECYCLER\S-1-5-21-679438671-3680841387-3997752115-1008 moved successfully.

C:\RECYCLER moved successfully.

File\Folder D:\recycler not found.

File\Folder e:\recycler not found.

File\Folder f:\recycler not found.

File\Folder g:\recycler not found.

File\Folder h:\recycler not found.

i:\RECYCLER\S-1-5-21-679438671-3680841387-3997752115-500 moved successfully.

i:\RECYCLER\S-1-5-21-679438671-3680841387-3997752115-1008 moved successfully.

i:\RECYCLER moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User

->Temp folder emptied: 49152 bytes

->Temporary Internet Files folder emptied: 32768 bytes

User: LocalService

->Temp folder emptied: 0 bytes

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

->Temporary Internet Files folder emptied: 32969 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: Phinizy

->Temp folder emptied: 12904368 bytes

->Temporary Internet Files folder emptied: 8862533 bytes

->Java cache emptied: 0 bytes

User: Phinizy Calhoun

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 19569 bytes

%systemroot%\System32 .tmp files removed: 3244049 bytes

File delete failed. C:\WINDOWS\temp\cc14.tmp scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\cc15.tmp scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\JETEABD.tmp scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_1b4.dat scheduled to be deleted on reboot.

Windows Temp folder emptied: 317158 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 24.28 mb

OTL by OldTimer - Version 3.0.10.7 log created on 09072009_001245

Files\Folders moved on Reboot...

File\Folder C:\WINDOWS\temp\cc14.tmp not found!

File\Folder C:\WINDOWS\temp\cc15.tmp not found!

File\Folder C:\WINDOWS\temp\JETEABD.tmp not found!

C:\WINDOWS\temp\Perflib_Perfdata_1b4.dat moved successfully.

Registry entries deleted on Reboot...


I'm a little confused about which log file to send. Here is the file after first running OTL -- before rebooting. It's late and I'm tired and not sure. I will reboot again and send you another log.

Okay, I've rebooted again -- just to make sure. Below is another log file - 09072009_001245.log. It looks almost exactly the same.

All processes killed

========== FILES ==========

C:\RECYCLER\S-1-5-21-679438671-3680841387-3997752115-1008\Dc1 moved successfully.

C:\RECYCLER\S-1-5-21-679438671-3680841387-3997752115-1008 moved successfully.

C:\RECYCLER moved successfully.

File\Folder D:\recycler not found.

File\Folder e:\recycler not found.

File\Folder f:\recycler not found.

File\Folder g:\recycler not found.

File\Folder h:\recycler not found.

i:\RECYCLER\S-1-5-21-679438671-3680841387-3997752115-500 moved successfully.

i:\RECYCLER\S-1-5-21-679438671-3680841387-3997752115-1008 moved successfully.

i:\RECYCLER moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User

->Temp folder emptied: 49152 bytes

->Temporary Internet Files folder emptied: 32768 bytes

User: LocalService

->Temp folder emptied: 0 bytes

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

->Temporary Internet Files folder emptied: 32969 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: Phinizy

->Temp folder emptied: 12904368 bytes

->Temporary Internet Files folder emptied: 8862533 bytes

->Java cache emptied: 0 bytes

User: Phinizy Calhoun

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 19569 bytes

%systemroot%\System32 .tmp files removed: 3244049 bytes

File delete failed. C:\WINDOWS\temp\cc14.tmp scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\cc15.tmp scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\JETEABD.tmp scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_1b4.dat scheduled to be deleted on reboot.

Windows Temp folder emptied: 317158 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 24.28 mb

OTL by OldTimer - Version 3.0.10.7 log created on 09072009_001245

Files\Folders moved on Reboot...

File\Folder C:\WINDOWS\temp\cc14.tmp not found!

File\Folder C:\WINDOWS\temp\cc15.tmp not found!

File\Folder C:\WINDOWS\temp\JETEABD.tmp not found!

C:\WINDOWS\temp\Perflib_Perfdata_1b4.dat moved successfully.

Registry entries deleted on Reboot...


Let's ensure we remove the MBAM you now have and then get a new copy.

Download and run this utility. http://www.malwarebytes.org/mbam-clean.exe

It will ask to restart your computer (please allow it to).

Next, Please download & save Malwarebytes Anti-Malware from

http://www.download.com/Malwarebytes-Anti-..._4-10804572.htm or

http://www.besttechie.net/tools/mbam-setup.exe or

http://malwarebytes.gt500.org/mbam.jsp

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.

I get this far following your instructions and then I get "An error has occurred. Please report the following error code to the Malwarebytes' Anti-Malware support team. Error code: 732 (0,0)." I'm calling it a night and going to bed. Happy Labor Day!

  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately.

Reply with copy of the OTL MovedFiles log

and MBAM scan log

and tell me, how is your system now?


Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

As much as possible, please do your very best to NOT use QUOTE boxes. The thread has already got way more lines than typical.

If there's an issue, just describe enough of it and try to keep it short.

To this point, I didn't think there was a leftover rootkit. But let's try to get a new log, this time from GMER.

Download GMER from here and Save the zip file to your Desktop.

Right Click the Zip and Select "Extract All"

Double-click gmer.exe to launch the program. (If you get an immediate message about rootkit activity, ignore it and proceed with the instructions please.)

Click on the Rootkit Tab and on the right side, untick the Registry box, then click Scan.

Once the scan is done, press the Copy button, then open NOTEPAD.

Paste the results here in your reply.


GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net

Rootkit scan 2009-09-07 14:02:33

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT 8AC75E78 ZwAlertResumeThread

SSDT 8AC75750 ZwAlertThread

SSDT 87BFC9A8 ZwAllocateVirtualMemory

SSDT 8ACD0C80 ZwConnectPort

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB698E020]

SSDT 8AC71AC0 ZwCreateMutant

SSDT 8AD3B080 ZwCreateThread

SSDT 8AC780C0 ZwDebugActiveProcess

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB698E2A0]

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB698E800]

SSDT 87BFBDB0 ZwFreeVirtualMemory

SSDT 8AC71B90 ZwImpersonateAnonymousToken

SSDT 8AC76300 ZwImpersonateThread

SSDT 8AC57A50 ZwMapViewOfSection

SSDT 8AC76180 ZwOpenEvent

SSDT 8ADF7120 ZwOpenProcessToken

SSDT 8AC78180 ZwOpenSection

SSDT 87D43B38 ZwOpenThreadToken

SSDT 8AD3B120 ZwResumeThread

SSDT 8ACAFB78 ZwSetContextThread

SSDT 8AC8D640 ZwSetInformationProcess

SSDT 8AC75810 ZwSetInformationThread

SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB698EA50]

SSDT 8AC760C0 ZwSuspendProcess

SSDT 87BFBF08 ZwSuspendThread

SSDT \??\C:\WINDOWS\system32\drivers\CO_Mon.sys (Behavior Blocker v2007.1 WDM driver (2007.1.1.99)/Symantec Corporation) ZwTerminateProcess [0xBA424760]

SSDT 8ACA25D0 ZwTerminateThread

SSDT 8AC84120 ZwUnmapViewOfSection

SSDT 87BFC8D8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CC8 80504564 4 Bytes CALL 129AFC01

.text ntkrnlpa.exe!ZwCallbackReturn + 2FA0 8050483C 4 Bytes JMP C0F4B698

? win32k.sys:1 The system cannot find the file specified. !

? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[564] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\985CE2D8.x86.dll

.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[564] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\985CE2D8.x86.dll

.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[564] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\985CE2D8.x86.dll

.text C:\WINDOWS\System32\svchost.exe[1756] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\985CE2D8.x86.dll

.text C:\WINDOWS\System32\svchost.exe[1756] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\985CE2D8.x86.dll

.text C:\WINDOWS\System32\svchost.exe[1756] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\985CE2D8.x86.dll

.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1948] USER32.dll!GetSysColor 7E418E78 5 Bytes JMP 6CC1B328 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)

.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1948] USER32.dll!GetSysColorBrush 7E418EAB 5 Bytes JMP 6CC1B360 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)

.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1948] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 6CC1B2BC C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)

.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1948] USER32.dll!GetScrollInfo 7E42DFE2 7 Bytes JMP 6CC1B26B C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)

.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1948] USER32.dll!AdjustWindowRectEx 7E42E7EA 5 Bytes JMP 6CC1B739 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)

.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1948] USER32.dll!ShowScrollBar 7E42F2F2 5 Bytes JMP 6CC1B30D C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)

.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1948] USER32.dll!GetScrollPos 7E42F704 5 Bytes JMP 6CC1B286 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)

.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1948] USER32.dll!SetScrollPos 7E42F750 5 Bytes JMP 6CC1B2D7 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)

.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1948] USER32.dll!GetScrollRange 7E42F787 5 Bytes JMP 6CC1B2A1 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)

.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1948] USER32.dll!SetScrollRange 7E42F99B 5 Bytes JMP 6CC1B2F2 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)

.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1948] USER32.dll!AdjustWindowRect 7E431140 5 Bytes JMP 6CC1B65E C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)

.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1948] USER32.dll!EnableScrollBar 7E468005 7 Bytes JMP 6CC1B250 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2456] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\985CE2D8.x86.dll

.text C:\Program Files\internet explorer\iexplore.exe[2456] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\985CE2D8.x86.dll

.text C:\Program Files\internet explorer\iexplore.exe[2456] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2456] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\985CE2D8.x86.dll

.text C:\Program Files\internet explorer\iexplore.exe[2456] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E351F8F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2456] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351F10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2456] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E351F54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2456] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351E9C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2456] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351ED6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2456] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E351FCA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2456] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\internet explorer\iexplore.exe[2456] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E35218C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\WINDOWS\system32\SearchIndexer.exe[3112] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[564] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\985CE2D8.x86.dll

IAT C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[564] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\985CE2D8.x86.dll

IAT C:\WINDOWS\System32\svchost.exe[1756] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\985CE2D8.x86.dll

IAT C:\WINDOWS\System32\svchost.exe[1756] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\985CE2D8.x86.dll

IAT C:\Program Files\internet explorer\iexplore.exe[2456] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\985CE2D8.x86.dll

IAT C:\Program Files\internet explorer\iexplore.exe[2456] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\985CE2D8.x86.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

Device B1934D20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\985CE2D8.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [152] 0x35670000

Library \\?\globalroot\Device\__max++>\985CE2D8.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [216] 0x35670000

Library \\?\globalroot\Device\__max++>\985CE2D8.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [564] 0x35670000

Library \\?\globalroot\Device\__max++>\985CE2D8.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [972] 0x35670000

Library \\?\globalroot\Device\__max++>\985CE2D8.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1052] 0x35670000

Library \\?\globalroot\Device\__max++>\985CE2D8.x86.dll (*** hidden *** ) @ C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe [1072] 0x35670000

Library \\?\globalroot\Device\__max++>\985CE2D8.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1696] 0x35670000

Library \\?\globalroot\Device\__max++>\985CE2D8.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1756] 0x35670000

Library \\?\globalroot\Device\__max++>\985CE2D8.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [1948] 0x35670000

Library \\?\globalroot\Device\__max++>\985CE2D8.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2040] 0x35670000

Library \\?\globalroot\Device\__max++>\985CE2D8.x86.dll (*** hidden *** ) @ C:\Program Files\internet explorer\iexplore.exe [2456] 0x35670000

Library \\?\globalroot\Device\__max++>\985CE2D8.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [2472] 0x35670000

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000072.sys:1 8704 bytes executable

ADS C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000113.sys:1 8704 bytes executable

ADS C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000129.sys:1 8704 bytes executable

ADS C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000218.sys:1 8704 bytes executable

ADS C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000290.sys:1 8704 bytes executable

ADS C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0000423.sys:1 8704 bytes executable

ADS C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0000471.sys:1 8704 bytes executable

ADS C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0000482.sys:1 8704 bytes executable

ADS C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0000507.sys:1 8704 bytes executable

ADS C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0000527.sys:1 8704 bytes executable

---- EOF - GMER 1.0.15 ----

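The GMER output above is the strongest evidence in this thread. The same module, `\\?\globalroot\Device\__max++>\985CE2D8.x86.dll`, appears as a hidden library in twelve processes, is the destination of the `CALL 35672…` inline hooks in iexplore.exe, and replaces the kernel32 import entries for `ntdll.dll!NtWriteFile` and `ntdll.dll!LdrGetProcedureAddress` in ccSvcHst.exe, svchost.exe and iexplore.exe. A path under `\\?\globalroot\Device\` whose device name is not a real volume means the DLL is not loaded from the file system at all but from a device object a driver exposes, which is why GMER prints no vendor string for it. A patch on a process's `NtWriteFile` import lets the module see or veto every file write that process makes, and a patch on `LdrGetProcedureAddress` lets it substitute its own code for any API the process looks up at run time. The Symantec and IEFRAME.dll hooks in the same listing are ordinary, which is the point: the log has to be filtered, not read line by line. The script below is an added example, not part of the thread and not a Malwarebytes or GMER tool. It parses the three GMER line shapes shown above (`.text` inline hooks, `IAT` patches, `Library` entries), flags entries whose module lives on an object-namespace path, has no vendor string, or is marked hidden, and counts the processes each flagged module was injected into. The sample input is eight lines copied from the log.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: eight lines copied from the GMER log above, in the
# three shapes GMER 1.0.15 prints (".text" inline hook, "IAT" patch, "Library"
# entry). One is a benign Symantec theming hook, one a benign IE hook into
# IEFRAME.dll; the rest point at the module on the rootkit's device path.
SAMPLE_LOG = r"""
.text C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1948] USER32.dll!AdjustWindowRectEx 7E42E7EA 5 Bytes JMP 6CC1B739 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2456] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\985CE2D8.x86.dll
.text C:\Program Files\internet explorer\iexplore.exe[2456] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2456] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\985CE2D8.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1756] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\985CE2D8.x86.dll
IAT C:\Program Files\internet explorer\iexplore.exe[2456] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\985CE2D8.x86.dll
Library \\?\globalroot\Device\__max++>\985CE2D8.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [152] 0x35670000
Library \\?\globalroot\Device\__max++>\985CE2D8.x86.dll (*** hidden *** ) @ C:\Program Files\internet explorer\iexplore.exe [2456] 0x35670000
"""

# ".text <process>[pid] <dll>!<func>[ + off] <addr> <n> Bytes JMP|CALL <target> <module>[ (vendor)]"
INLINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<func>\S+!\S+(?:\s\+\s[0-9A-Fa-f]+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]+)\s+"
    r"(?P<module>.+?)(?:\s+\((?P<vendor>[^()]*)\))?$"
)
# "IAT <process>[pid] @ <importing dll> [<dll>!<func>] [<target>] <module>[ (vendor)]"
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<iat_of>\S+)\s+"
    r"\[(?P<func>[^\]]+)\]\s+\[(?P<target>[0-9A-Fa-f]+)\]\s+"
    r"(?P<module>.+?)(?:\s+\((?P<vendor>[^()]*)\))?$"
)
# "Library <module> (<flags>) @ <process> [pid] <base>"
LIB_RE = re.compile(
    r"^Library\s+(?P<module>.+?)\s+\((?P<flags>[^()]*)\)\s+@\s+"
    r"(?P<proc>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)$"
)

GLOBALROOT = "\\\\?\\globalroot\\"  # the literal prefix \\?\globalroot\


@dataclass
class Finding:
    kind: str       # inline_hook | iat_patch | hidden_library
    process: str
    pid: int
    detail: str
    module: str
    reasons: list


def module_reasons(module, vendor, check_vendor=True):
    """Why a hook/library target deserves a second look (empty list = benign)."""
    reasons = []
    low = module.lower()
    if low.startswith(GLOBALROOT) or low.startswith("\\device\\"):
        reasons.append("module path is an object-namespace/device path, not a file on a mounted volume")
    if check_vendor and not vendor:
        reasons.append("no vendor/description string (GMER could not identify the file)")
    return reasons


def parse_gmer(text):
    """Yield (kind, fields) for every hook, IAT and Library line we understand."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for kind, rx in (("inline_hook", INLINE_RE), ("iat_patch", IAT_RE), ("hidden_library", LIB_RE)):
            m = rx.match(line)
            if m:
                yield kind, m.groupdict()
                break


def triage(text):
    """Return only the entries that carry at least one reason for suspicion."""
    findings = []
    for kind, g in parse_gmer(text):
        module = g["module"]
        if kind == "hidden_library":
            reasons = module_reasons(module, None, check_vendor=False)
            if "hidden" in g["flags"]:
                reasons.append("GMER marks the module as hidden from the process's module list")
            detail = "base " + g["base"]
        elif kind == "inline_hook":
            reasons = module_reasons(module, g["vendor"])
            detail = f'{g["func"]} {g["kind"]} -> {g["target"]}'
        else:
            reasons = module_reasons(module, g["vendor"])
            detail = f'{g["iat_of"]} IAT [{g["func"]}] -> {g["target"]}'
        if reasons:
            findings.append(Finding(kind, g["proc"], int(g["pid"]), detail, module, reasons))
    return findings


def injected_processes(findings):
    """Map each flagged module to the set of (process, pid) it was seen in."""
    out = defaultdict(set)
    for f in findings:
        out[f.module].add((f.process, f.pid))
    return out


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.kind}] {f.process} (pid {f.pid}): {f.detail}")
        for r in f.reasons:
            print("    -", r)
    for mod, procs in injected_processes(found).items():
        print(f"{mod}: present in {len(procs)} process(es)")
```

On the sample, the two Symantec/IEFRAME lines drop out and the six remaining entries all resolve to one module seen in three distinct processes; on the full log above the same module shows up in twelve. The vendor-string heuristic is the weak one of the three (GMER prints nothing for some legitimate but unsigned drivers), so the device-path and hidden flags are what should drive the decision.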

Make a note that you may well need to tweak your AV & possibly your firewall so that the following MBAM components are "trusted" (so that MBAM can actually complete its connection to the MBAM servers):

C:\WINDOWS\system32\drivers\mbam.sys

C:\WINDOWS\system32\drivers\mbamswissarmy.sys

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref (Windows 2000/XP)

For this time, temporarily either disable or exit your Norton 360 and SpySweeper if they are running.

For reference see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Now, try the MBAM Update & MBAM scan

Next, Download DDS and save it to your desktop from http://www.techsupportforum.com/sectools/sUBs/dds here or

http://download.bleepingcomputer.com/sUBs/dds.scr or

http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

When done, DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

  • When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
  • Save both reports to your desktop.

Please include the following logs in your next reply:

the MBAM scan log

DDS.txt

I do not need Attach.txt


Per your instructions, I added the below files to my Norton 360 Firewall Program Rules to be "allowed" ("trusted"):

C:\WINDOWS\system32\drivers\mbam.sys

C:\WINDOWS\system32\drivers\mbamswissarmy.sys

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref (Windows 2000/XP)

I disabled my Norton 360 Antivirus and kept the Firewall enabled.

I uninstalled Malwarebytes using mbam-clean.exe and re-installed it using mbam-setup.exe. It looked like it installed normally and then it did an automatic on-line Update of the database to Version 2754. I opened the program and clicked on Quick Scan and it started to scan for about 2 seconds and then, poof, it disappeared. This is the same thing that has happened many times. I have NEVER been able to do a Malwarebytes scan or produce a log. There must be something very nasty in my computer that is preventing it from scanning.

Per your instructions, I downloaded and ran DDS. Below is my log:

DDS (Ver_09-07-30.01) - NTFSx86

Run by Phinizy at 15:43:55.23 on Mon 09/07/2009

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2454 [GMT -5:00]

AV: Prevx 3.0 *On-access scanning enabled* (Updated) {D486329C-1488-4CEB-9CC8-D662B732D901}

AV: Norton 360 Premier Edition *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}

FW: Norton 360 Premier Edition *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\System32\svchost -k DComLaunch

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Documents and Settings\Phinizy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://my.earthlink.net/

uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080521

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [synTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [osCheck] "c:\program files\norton 360 premier edition\osCheck.exe"

mRun: [Kernel and Hardware Abstraction Layer] "c:\windows\KHALMNPR.EXE"

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1225432262328

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2008-5-29 17792]

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-8-24 22024]

R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [2009-8-24 27656]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-26 102448]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090907.002\NAVENG.SYS [2009-9-7 84912]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090907.002\NAVEX15.SYS [2009-9-7 1323568]

S2 CSIScanner;CSIScanner;"c:\program files\prevx\prevx.exe" /service --> c:\program files\prevx\prevx.exe [?]

S2 Roxio Upnp Server 11;Roxio Upnp Server 11;c:\program files\roxio creator 2009\digital home 11\RoxioUpnpService11.exe [2008-8-14 367088]

S2 RoxLiveShare11;LiveShare P2P Server 11;c:\program files\common files\roxio shared\11.0\sharedcom\RoxLiveShare11.exe [2008-8-14 309744]

S2 RoxWatch11;Roxio Hard Drive Watcher 11;c:\program files\common files\roxio shared\11.0\sharedcom\RoxWatch11.exe [2008-8-14 170480]

S2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;"c:\program files\webroot\webrootsecurity\spysweeper.exe" --> c:\program files\webroot\webrootsecurity\SpySweeper.exe [?]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]

S3 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;\??\c:\docume~1\phinizy\locals~1\temp\f-secure\blacklight\fsbldrv.sys --> c:\docume~1\phinizy\locals~1\temp\f-secure\blacklight\fsbldrv.sys [?]

S3 HGKBFGS;HGKBFGS;c:\docume~1\phinizy\locals~1\temp\hgkbfgs.exe --> c:\docume~1\phinizy\locals~1\temp\HGKBFGS.exe [?]

S3 N;N;c:\docume~1\phinizy\locals~1\temp\n.exe --> c:\docume~1\phinizy\locals~1\temp\N.exe [?]

S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;c:\program files\roxio creator 2009\digital home 11\RoxioUPnPRenderer11.exe [2008-8-14 313840]

S3 RoxMediaDB11;RoxMediaDB11;c:\program files\common files\roxio shared\11.0\sharedcom\RoxMediaDB11.exe [2009-1-8 1122304]

S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-5-30 1245064]

S3 Symbionica: FaceSay Classroom update permissions manager. 1990.;Symbionica: FaceSay Classroom update permissions manager. 1990.;c:\program files\facesayclassroom\facesayclassroom_getlatestversion.exe -permissionmanagerrun --> c:\program files\facesayclassroom\FaceSayClassroom_GetLatestVersion.exe -PermissionManagerRun [?]

S3 WUQUBKJ;WUQUBKJ;c:\docume~1\phinizy\locals~1\temp\wuqubkj.exe --> c:\docume~1\phinizy\locals~1\temp\WUQUBKJ.exe [?]

S3 YXYXKUAI;YXYXKUAI;c:\docume~1\phinizy\locals~1\temp\yxyxkuai.exe --> c:\docume~1\phinizy\locals~1\temp\YXYXKUAI.exe [?]

=============== Created Last 30 ================

2009-09-07 15:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-07 15:27 19,096 a------- c:\windows\system32\drivers\mbam.sys

2009-09-07 15:27 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-09-07 00:12 <DIR> --d----- C:\_OTL

2009-09-04 13:51 <DIR> --d----- c:\windows\system32\dllcache\cache

2009-09-04 13:40 <DIR> a-dshr-- C:\cmdcons

2009-09-04 13:36 230,912 a------- c:\windows\PEV.exe

2009-09-04 13:36 161,792 a------- c:\windows\SWREG.exe

2009-09-04 13:36 98,816 a------- c:\windows\sed.exe

2009-09-04 13:36 <DIR> --ds---- C:\Combo-Fix

2009-09-03 12:35 <DIR> --d----- C:\UBCD4Win

2009-09-03 00:55 6,639,616 a------- c:\windows\system32\ZYMBXKMS

2009-09-02 10:20 55,656 a------- c:\windows\system32\drivers\avgntflt.sys

2009-09-02 10:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira

2009-08-31 16:03 6,619,136 a------- c:\windows\system32\QKFLIZEQ

2009-08-31 16:00 6,619,136 a------- c:\windows\system32\ASBZQR

2009-08-31 14:45 6,619,136 a------- c:\windows\system32\XPJMWA

2009-08-31 12:21 <DIR> --d----- c:\docume~1\phinizy\applic~1\Webroot

2009-08-31 01:07 <DIR> --d----- c:\windows\system32\appmgmt

2009-08-30 23:12 503 a------- c:\windows\system32\drivers\Shortcut to drivers.lnk

2009-08-26 21:51 15 a------- c:\documents and settings\phinizy\settings.dat

2009-08-26 21:13 <DIR> --d-h--- c:\windows\PIF

2009-08-24 13:27 <DIR> --d----- c:\docume~1\phinizy\applic~1\Malwarebytes

2009-08-24 13:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-08-24 08:46 27,656 a------- c:\windows\system32\drivers\pxsec.sys

2009-08-24 08:46 22,024 a------- c:\windows\system32\drivers\pxscan.sys

2009-08-24 08:46 <DIR> --d----- c:\program files\Prevx

2009-08-24 08:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PrevxCSI

2009-08-23 18:02 <DIR> --d----- c:\program files\Webroot

2009-08-21 13:50 0 a--sh--- C:\145875804

2009-08-13 17:50 411,368 a------- c:\windows\system32\deploytk.dll

2009-08-13 17:05 0 a------- c:\windows\system32\

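Two things in this DDS log that a responder would pull out before anything else. Under SERVICES / DRIVERS, four S3 services (`HGKBFGS`, `N`, `WUQUBKJ`, `YXYXKUAI`) point at executables in the user's Local Settings\Temp directory and DDS prints `[?]` because it could not read the file's date and size. Under Created Last 30 there are four 6.6 MB files in system32 with random, extensionless names (`ZYMBXKMS`, `QKFLIZEQ`, `ASBZQR`, `XPJMWA`) and a zero-byte file with hidden and system attributes at the drive root (`C:\145875804`). Services are not legitimately installed from Temp, and system32 components carry extensions. The script below is an added example, not part of the thread and not a DDS feature: it parses those two DDS sections and applies exactly those heuristics, with a few lines copied from the log above as constructed sample input. The `[?]` check is deliberately conservative, because DDS also prints `[?]` for products the user has already uninstalled (the Webroot entry here), so a `missing-image` flag means "verify by hand", not "malicious".

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the DDS log above. Services: two
# that are fine, the Prevx entry (which also shows "[?]"), and three of the
# Temp-resident ones. Created-last-30: a driver with a normal name, a directory,
# two of the random extensionless files, the hidden+system file at the root,
# and a normal DLL.
SAMPLE_SERVICES = r"""
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-8-24 22024]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
S2 CSIScanner;CSIScanner;"c:\program files\prevx\prevx.exe" /service --> c:\program files\prevx\prevx.exe [?]
S3 HGKBFGS;HGKBFGS;c:\docume~1\phinizy\locals~1\temp\hgkbfgs.exe --> c:\docume~1\phinizy\locals~1\temp\HGKBFGS.exe [?]
S3 N;N;c:\docume~1\phinizy\locals~1\temp\n.exe --> c:\docume~1\phinizy\locals~1\temp\N.exe [?]
S3 WUQUBKJ;WUQUBKJ;c:\docume~1\phinizy\locals~1\temp\wuqubkj.exe --> c:\docume~1\phinizy\locals~1\temp\WUQUBKJ.exe [?]
"""

SAMPLE_CREATED = r"""
2009-09-07 15:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-04 13:40 <DIR> a-dshr-- C:\cmdcons
2009-09-03 00:55 6,639,616 a------- c:\windows\system32\ZYMBXKMS
2009-08-31 16:00 6,619,136 a------- c:\windows\system32\ASBZQR
2009-08-21 13:50 0 a--sh--- C:\145875804
2009-08-13 17:50 411,368 a------- c:\windows\system32\deploytk.dll
"""

# "<state> <name>;<display>;<command>[ --> <resolved path>] [<date> <size>|?]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<cmd>.+?)"
    r"(?:\s+-->\s+(?P<resolved>.+?))?\s+\[(?P<stat>[^\]]*)\]$"
)
# "<date> <time> <size>|<DIR> <8 attribute flags> <path>"
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d)\s+(?P<time>\d\d:\d\d)\s+(?P<size>[\d,]+|<DIR>)\s+"
    r"(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)


@dataclass
class Finding:
    section: str   # "service" or "created"
    name: str
    path: str
    detail: str
    reasons: list = field(default_factory=list)


def _basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def triage_services(text):
    """Flag services whose binary lives in a Temp directory or could not be stat'ed."""
    findings = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        # Prefer the path DDS resolved; otherwise the raw command, minus quotes.
        path = (g["resolved"] or g["cmd"]).strip().strip('"')
        reasons = []
        if "\\temp\\" in path.lower():
            reasons.append("temp-path")
        if g["stat"].strip() == "?":
            reasons.append("missing-image")   # DDS could not read date/size: verify by hand
        if reasons:
            findings.append(Finding("service", g["name"], path, f'state {g["state"]}', reasons))
    return findings


def triage_created(text):
    """Flag extensionless files in system32 and hidden+system files at a drive root."""
    findings = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m or m["size"] == "<DIR>":
            continue
        path, attrs = m["path"], m["attrs"]
        name = _basename(path)
        reasons = []
        if "\\windows\\system32\\" in path.lower() and "." not in name:
            reasons.append("extensionless-system32")
        if "s" in attrs and "h" in attrs and re.fullmatch(r"[A-Za-z]:\\[^\\]+", path):
            reasons.append("hidden-system-root")
        if reasons:
            size = int(m["size"].replace(",", ""))
            findings.append(Finding("created", name, path, f"{size} bytes, attrs {attrs}", reasons))
    return findings


if __name__ == "__main__":
    for f in triage_services(SAMPLE_SERVICES) + triage_created(SAMPLE_CREATED):
        print(f"[{f.section}] {f.name}: {f.path} ({f.detail}) -> {', '.join(f.reasons)}")
```

On the sample this yields four service findings (the Prevx one on `missing-image` alone, the three Temp services on both reasons) and three file findings. Note that the four random system32 files in the log above are all within 20 KB of the same size and were created minutes apart on two different days, which is the pattern of a dropper being re-fetched after each cleanup attempt, and is worth checking against the dates of the user's earlier tool runs.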

Hello Phinizy.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!


If you are a casual viewer, do NOT try this on your system!

If you are not Phinizy and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

Click on Start button. Select Run, and copy-paste the following command (the line below) into the "Open" textbox, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Whether it works or not, DO proceed with running the next tools & Combofix, as outlined below.

=

Your temp file areas are accumulating more suspect files. You need to flush temp files.

Also, I notice you have downloaded & used other tools, like Blacklight. Please stop and do not self-medicate.

  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :files
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler

    :Commands
    [purity]
    [emptytemp]
    [reboot]


  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

=

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop and SAVE it as cf.bat.

Link 1

Link 2

Link 3

* IMPORTANT !!! SAVE AS CF.BAT to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on CF.BAT & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a prompt asking whether to continue scanning for malware.

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of the C:\Combofix.txt


This topic is now closed to further replies.