139D2E78.exe

Started by ovaunda, May 17, 2013, 05:54:24 PM


ovaunda

I have what appears to be a virus. When logging into Windows XP I receive the command prompt box that says C:\...\My Documents\139d2e78.exe is not recognized as an internal or external command. Closing the command prompt does nothing and Windows does not load so I am unable to download and run any requested utilities. I am also unable to run Windows in Safe Mode so I guess the first step would be repairing Safe Mode. It was recommended that I come here for help. HELP!


Corrine

Hi, ovaunda.  Welcome to LandzDown Forum.

We will do our best to assist you.  However, in order to do so, please follow all instructions provided in the sequence given.  Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use.  This may cause conflicts with the tools being used in the cleanup process.   

If you have questions regarding any of the instructions or problems running any tools, please let us know.

Since you are able to access the Internet via Safe Mode with Networking, please provide the requested logs in Log Posting Instructions.

Thank you.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

ovaunda

I am accessing the internet on another computer. I am not able to log in to the infected computer at all so I cannot download or install any requested programs to provide logs. Logging in opens the Command Prompt with the message mentioned above.

Corrine

My apologies.  I read "unable" as able to log on to Safe Mode.  Please follow the instructions here for running Windows Defender Offline.  You will need a writable CD or DVD or a USB stick so you can "write" (save) Windows Defender Offline to it and boot your computer from that media to scan.

Following that, please provide a copy of the logs in the Log Posting Instructions topic. 




ovaunda

 Results of screen317's Security Check version 0.99.63 
Windows XP Service Pack 3 x86   
Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled! 
AVG AntiVirus Free Edition 2013   
Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.75.0.1300 
TuneUp Utilities 2007   
Java 7 Update 17 
Java version out of Date!
Adobe Reader 10.1.3 Adobe Reader out of Date! 
Mozilla Thunderbird (17.0.5)
````````Process Check: objlist.exe by Laurent````````
AVG avgwdsvc.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 9%
````````````````````End of Log``````````````````````

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.17.2
Run by Dale Ova at 17:11:39 on 2013-05-17
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2550.1856 [GMT -6:00]
.
AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\PCPitstop\SuperShield\PCPitstopRTService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Dale Ova\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dale Ova\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dale Ova\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\DOCUME~1\DALEOV~1\LOCALS~1\Temp\nsk29.tmp\ns2A.tmp
C:\DOCUME~1\DALEOV~1\LOCALS~1\Temp\nsk29.tmp\MBR.DAT
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uWinlogon: Shell = cmd.exe
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - LocalServer32 - <no file>
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\12.2.5.34\AVG Secure Search_toolbar.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\12.2.5.34\AVG Secure Search_toolbar.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Facebook Update] "c:\documents and settings\dale ova\local settings\application data\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [Google Update] "c:\documents and settings\dale ova\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [cdloader] "c:\documents and settings\dale ova\application data\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users.windows\application data\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Nikon Message Center 2] c:\program files\nikon\nikon message center 2\NkMC2.exe -s
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
mRun: [ROC_ROC_NT] "c:\program files\avg secure search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT
mRun: [PC MaticRT] c:\program files\pcpitstop\supershield\PCMaticRT.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
TCP: NameServer = 204.17.177.10 204.17.177.20
TCP: Interfaces\{189311DD-A463-4ACE-A8C5-FCEF2283BEAC} : DHCPNameServer = 204.17.177.10 204.17.177.20
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\12.2.6\ViProtocol.dll
Notify: igfxcui - igfxsrvc.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 60216]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2012-8-9 245048]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 96568]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 39224]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 208184]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 22328]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 170808]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 182072]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-8-27 27496]
R1 RapportCerberus_50414;RapportCerberus_50414;c:\documents and settings\all users.windows\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_50414.sys [2013-3-14 316984]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2013-2-13 102680]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2013-1-15 22064]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2013\avgidsagent.exe [2013-4-25 4936752]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2013\avgwdsvc.exe [2013-4-18 283136]
R2 PCPitstop Realtime;PCPitstop Realtime;c:\program files\pcpitstop\supershield\PCPitstopRTService.exe [2013-1-3 3835656]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2013-2-13 1124184]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2013-1-3 66344]
R3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [2010-11-9 22176]
S3 ASTSRV;AST HighEnd Service;c:\windows\system32\ASTSRV.EXE [2010-12-5 57344]
S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-5-16 41584]
S3 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [2010-3-25 57344]
S3 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2010-12-11 90864]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2013-2-13 102008]
S3 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2013-2-13 173880]
S3 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-8-19 450848]
S3 vToolbarUpdater12.2.6;vToolbarUpdater12.2.6;c:\program files\common files\avg secure search\vtoolbarupdater\12.2.6\ToolbarUpdater.exe [2012-8-27 722528]
.
=============== Created Last 30 ================
.
2013-05-17 01:13:41   41584   ----a-w-   c:\windows\system32\drivers\gfiark.sys
.
==================== Find3M  ====================
.
2013-04-16 22:17:15   920064   ----a-w-   c:\windows\system32\wininet.dll
2013-04-16 22:17:14   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2013-04-16 22:17:14   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2013-04-12 23:28:55   385024   ----a-w-   c:\windows\system32\html.iec
2013-04-10 01:31:19   1876352   ----a-w-   c:\windows\system32\win32k.sys
2013-04-04 20:50:32   22856   ----a-w-   c:\windows\system32\drivers\mbam.sys
2013-03-29 08:53:48   208184   ----a-w-   c:\windows\system32\drivers\avgidsdriverx.sys
2013-03-21 09:08:24   182072   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2013-03-14 12:49:08   94112   ----a-w-   c:\windows\system32\WindowsAccessBridge.dll
2013-03-14 12:49:05   861088   -c--a-w-   c:\windows\system32\npDeployJava1.dll
2013-03-14 12:49:05   782240   -c--a-w-   c:\windows\system32\deployJava1.dll
2013-03-14 12:49:05   143872   ----a-w-   c:\windows\system32\javacpl.cpl
2013-03-08 08:36:22   293376   ----a-w-   c:\windows\system32\winsrv.dll
2013-03-07 01:32:25   2149888   ----a-w-   c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50:30   2028544   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2013-03-01 16:32:20   22328   ----a-w-   c:\windows\system32\drivers\avgidsshimx.sys
2013-02-27 07:56:51   2067456   ----a-w-   c:\windows\system32\mstscax.dll
.
============= FINISH: 17:12:03.57 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\Harddisk0\DP(2)0x1f60800-0x94d377200+2
Install Date: 11/29/2010 10:13:00 PM
System Uptime: 5/17/2013 4:51:05 PM (1 hours ago)
.
Motherboard: Dell Inc.           |  | 0XF954
Processor:               Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 3794/800mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 20.064 GiB free.
D: is CDROM ()
E: is FIXED (FAT32) - 466 GiB total, 382.937 GiB free.
F: is FIXED (FAT) - 0 GiB total, 0.004 GiB free.
G: is Removable
H: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP951: 5/12/2013 9:34:25 PM - System Checkpoint
RP952: 5/13/2013 10:08:01 PM - System Checkpoint
RP953: 5/14/2013 10:09:15 PM - System Checkpoint
RP954: 5/15/2013 3:00:19 AM - Software Distribution Service 3.0
RP955: 5/16/2013 3:04:19 AM - System Checkpoint
RP956: 5/17/2013 3:19:09 AM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 6.0.1 Professional
Adobe AIR
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.3)
Alien Skin Bokeh
Alien Skin Exposure
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG 2013
Bonjour
Broadcom Gigabit Integrated Controller
Brother MFL-Pro Suite
CameraHelperMsi
Color Efex Pro 3.0 Complete
Compatibility Pack for the 2007 Office system
Corel Paint Shop Pro X
Distortion Control Data
Dropbox
erLT
Facebook Video Calling 1.2.0.287
Flickr Uploadr 3.2.1
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Image Resizer Powertoy for Windows XP
Intel(R) Graphics Media Accelerator Driver
IrfanView (remove only)
iTunes
Java 7 Update 17
Java Auto Updater
Logitech Webcam Software
LWS Facebook
LWS Gallery
LWS Help_main
LWS Launcher
LWS Motion Detection
LWS Pictures And Video
LWS Twitter
LWS Video Mask Maker
LWS VideoEffects
LWS Webcam Software
LWS WLM Plugin
LWS YouTube Plugin
magicJack
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Mozilla Thunderbird 17.0.5 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
NEF Codec
Nikon Message Center 2
PaperPort Image Printer
PC Matic 1.1.0.33
PC Pitstop Driver Alert2 2.0.0.0
PC Pitstop SuperShield 1.0.0.34
Photosmart 130,230,7150,7345,7350,7550 (Remove only)
Picture Control Utility
PowerDVD
Quicken 2008
Rapport
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
ScanSoft PaperPort 11
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB2809289)
Security Update for Windows Internet Explorer 8 (KB2817183)
Security Update for Windows Internet Explorer 8 (KB2829530)
Security Update for Windows Internet Explorer 8 (KB2847204)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2753842)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2808735)
Security Update for Windows XP (KB2813170)
Security Update for Windows XP (KB2813345)
Security Update for Windows XP (KB2820197)
Security Update for Windows XP (KB2820917)
Security Update for Windows XP (KB2829361)
Silver Efex Pro
Skype™ 5.10
SoundMAX
TomTom HOME Visual Studio Merge Modules
Topaz DeNoise 5
TuneUp Utilities 2007
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
WebFldrs XP
Windows PowerShell(TM) 1.0
Windows XP Service Pack 3
WinZip 12.0
.
==== Event Viewer Messages From Past Week ========
.
5/17/2013 9:16:16 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/17/2013 5:00:36 PM, error: Service Control Manager [7034]  - The Bonjour Service service terminated unexpectedly.  It has done this 1 time(s).
5/17/2013 2:43:32 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  PCIIde
5/17/2013 12:19:36 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AVGIDSDriver AVGIDSShim Avgldx86 Fips intelppm sbaphd
5/17/2013 12:19:36 PM, error: Service Control Manager [7001]  - The AVGIDSAgent service depends on the AVGIDSDriver service which failed to start because of the following error:  A device attached to the system is not functioning.
5/16/2013 6:23:34 PM, error: sr [1]  - The System Restore filter encountered the unexpected error '0xC000007F' while processing the file 'desktop.ini' on the volume 'DP(1)0x7e00-0x1f58a00+1'.  It has stopped monitoring the volume.
5/10/2013 7:59:08 AM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
5/10/2013 7:59:08 AM, error: Service Control Manager [7000]  - The IMAPI CD-Burning COM Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
5/10/2013 7:58:10 AM, error: Service Control Manager [7006]  - The ScRegSetValueExW call failed for FailureActions with the following error:  Access is denied.
5/10/2013 7:56:54 AM, error: sr [1]  - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'DP(2)0x1f60800-0x94d377200+2'.  It has stopped monitoring the volume.
.
==== End Of File ===========================
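
The symptom in the first post and the line `uWinlogon: Shell = cmd.exe` in the DDS log above are the same thing seen from two sides: in DDS output a `u` prefix means the per-user hive (HKCU) and `m` the machine hive (HKLM), and a default install sets no per-user Shell at all, so a per-user Shell pointing at cmd.exe instead of Explorer gives a console at logon rather than a desktop. The following is an added example, not code from the thread or from the DDS tool: a small Python triage that reads DDS "Pseudo HJT Report" lines in the shapes shown above and flags Winlogon Shell/Userinit values that differ from the XP defaults (assumed here: explorer.exe and userinit.exe under HKLM, nothing under HKCU), plus registrations whose target is `<no file>` or `<orphaned>`. The sample lines are constructed: the suspicious ones are copied from the posted log, the two clean `mWinlogon` lines are made up for comparison.

```python
"""Triage DDS 'Pseudo HJT Report' lines for Winlogon shell hijacks.

Added example for this thread; it is not code from the forum or from DDS.
Assumed line shapes (taken from the log posted above):
  uWinlogon: Shell = cmd.exe      u = per-user hive (HKCU), m = machine hive (HKLM)
  BHO: name: {CLSID} - LocalServer32 - <no file>
  Handler: name - {CLSID} - <orphaned>
"""
import re

# Assumed clean Windows XP values under HKLM\...\Winlogon. Nothing is expected
# under the per-user hive, so any uWinlogon line is reported on its own.
EXPECTED_MACHINE = {
    "shell": ["explorer.exe"],
    "userinit": ["userinit.exe"],
}

WINLOGON_RE = re.compile(
    r"^(?P<hive>[um])winlogon:\s*(?P<name>\w+)\s*=\s*(?P<value>.*)$", re.I
)
DEAD_TARGET_RE = re.compile(r"<no file>|<orphaned>", re.I)


def _basenames(value):
    """Split a Winlogon value on commas and reduce each entry to its file name.

    'c:\\windows\\system32\\userinit.exe,' -> ['userinit.exe']
    'explorer.exe,c:\\temp\\evil.exe'      -> ['explorer.exe', 'evil.exe']
    """
    names = []
    for part in value.split(","):
        part = part.strip().strip('"')
        if part:
            names.append(part.replace("/", "\\").rsplit("\\", 1)[-1].lower())
    return names


def triage(lines):
    """Return (severity, line) pairs for the lines worth a second look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = WINLOGON_RE.match(line)
        if m:
            hive = m.group("hive").lower()
            name = m.group("name").lower()
            if hive == "u":
                # A default install sets no per-user Shell or Userinit. Shell = cmd.exe
                # here is exactly the 'console instead of desktop at logon' symptom.
                findings.append(("HIGH", line))
            elif name not in EXPECTED_MACHINE:
                findings.append(("REVIEW", line))
            elif _basenames(m.group("value")) != EXPECTED_MACHINE[name]:
                # Wrong binary, or an extra comma-separated entry riding along.
                findings.append(("HIGH", line))
            continue
        if DEAD_TARGET_RE.search(line):
            # Registration whose DLL/EXE is gone: inert, but it clutters the next log.
            findings.append(("LOW", line))
    return findings


# Constructed sample: the suspicious lines come from the posted DDS log, the two
# mWinlogon lines are made-up clean values for comparison.
SAMPLE = [
    "uStart Page = about:blank",
    "uWinlogon: Shell = cmd.exe",
    "mWinlogon: Userinit = c:\\windows\\system32\\userinit.exe,",
    "mWinlogon: Shell = Explorer.exe",
    "BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - LocalServer32 - <no file>",
    "TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>",
    "uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe",
    "Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>",
]


def findings_for_sample():
    return triage(SAMPLE)


if __name__ == "__main__":
    for severity, line in findings_for_sample():
        print(f"{severity:6} {line}")
```

Feeding the saved DDS.txt through `triage(open("DDS.txt").readlines())` gives the same kind of list. The per-user value it flags lives at HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell; on a clean XP profile that value is simply absent, which is why the script treats any `uWinlogon` line as a finding rather than comparing it against a default.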

Corrine

Good job, ovaunda!

Before I address the outdated, vulnerable programs, let's give you some more breathing room.

Please follow these instructions carefully.

Download ComboFix from here.

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray. 

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications.

Now, please run ComboFix:

  • Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click "Yes" to continue scanning for malware.

  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.



ovaunda

ComboFix 13-05-16.02 - Dale Ova 05/17/2013  18:25:32.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2550.1921 [GMT -6:00]
Running from: c:\documents and settings\Dale Ova\Desktop\ComboFix.exe
AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
ADS - WINDOWS: deleted 0 bytes in 2 streams.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users.WINDOWS\Application Data\2433f433
c:\documents and settings\Dale Ova\Application Data\2433f433
c:\windows\system32\Cache
c:\windows\system32\Cache\011d282d3ead06c3.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\8ebb978c7d10c2ac.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c18fb6fdadb20e7c.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\URTTemp
E:\autorun.inf
E:\Setup.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-18 to 2013-05-18  )))))))))))))))))))))))))))))))
.
.
2013-05-17 01:13 . 2013-04-11 17:06   41584   ----a-w-   c:\windows\system32\drivers\gfiark.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-16 22:17 . 2004-08-04 12:00   920064   ----a-w-   c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2004-08-04 12:00   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2013-04-16 22:17 . 2004-08-04 12:00   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2013-04-12 23:28 . 2004-08-04 12:00   385024   ----a-w-   c:\windows\system32\html.iec
2013-04-10 01:31 . 2004-08-04 12:00   1876352   ----a-w-   c:\windows\system32\win32k.sys
2013-04-04 20:50 . 2010-11-30 06:03   22856   ----a-w-   c:\windows\system32\drivers\mbam.sys
2013-03-29 08:53 . 2011-12-23 19:32   208184   ----a-w-   c:\windows\system32\drivers\avgidsdriverx.sys
2013-03-21 09:08 . 2010-11-10 05:20   182072   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2013-03-14 12:49 . 2013-03-14 12:49   94112   ----a-w-   c:\windows\system32\WindowsAccessBridge.dll
2013-03-14 12:49 . 2013-03-14 12:49   143872   ----a-w-   c:\windows\system32\javacpl.cpl
2013-03-14 12:49 . 2012-06-15 18:20   861088   -c--a-w-   c:\windows\system32\npDeployJava1.dll
2013-03-14 12:49 . 2010-12-09 01:18   782240   -c--a-w-   c:\windows\system32\deployJava1.dll
2013-03-08 08:36 . 2004-08-04 12:00   293376   ----a-w-   c:\windows\system32\winsrv.dll
2013-03-07 01:32 . 2004-08-04 12:00   2149888   ----a-w-   c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2004-08-03 22:59   2028544   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2013-03-01 16:32 . 2011-12-23 19:32   22328   ----a-w-   c:\windows\system32\drivers\avgidsshimx.sys
2013-02-27 07:56 . 2010-11-30 05:04   2067456   ----a-w-   c:\windows\system32\mstscax.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-10-01 23:54   1734240   ----a-w-   c:\program files\AVG Secure Search\12.2.5.34\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\12.2.5.34\AVG Secure Search_toolbar.dll" [2012-10-01 1734240]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   94208   ----a-w-   c:\documents and settings\Dale Ova\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   94208   ----a-w-   c:\documents and settings\Dale Ova\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-15 00:32   94208   ----a-w-   c:\documents and settings\Dale Ova\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Documents and Settings\\Dale Ova\\Application Data\\Spotify\\spotify.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Documents and Settings\\Dale Ova\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Dale Ova\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
"c:\\Documents and Settings\\Dale Ova\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2013\\avgemcx.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\SYSTEM32\DRIVERS\avgidshx.sys [4/19/2012 4:50 AM 60216]
R0 Avglogx;AVG Logging Driver;c:\windows\SYSTEM32\DRIVERS\avglogx.sys [8/9/2012 1:56 PM 245048]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [9/7/2010 4:48 AM 39224]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\SYSTEM32\DRIVERS\avgidsdriverx.sys [12/23/2011 1:32 PM 208184]
R1 AVGIDSShim;AVGIDSShim;c:\windows\SYSTEM32\DRIVERS\avgidsshimx.sys [12/23/2011 1:32 PM 22328]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [9/7/2010 4:48 AM 170808]
R1 Avgtdix;AVG TDI Driver;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [11/9/2010 11:20 PM 182072]
R1 avgtp;avgtp;c:\windows\SYSTEM32\DRIVERS\avgtpx86.sys [8/27/2012 1:53 AM 27496]
R1 RapportCerberus_50414;RapportCerberus_50414;c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_50414.sys [3/14/2013 3:29 AM 316984]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [2/13/2013 9:19 AM 102680]
R1 sbaphd;sbaphd;c:\windows\SYSTEM32\DRIVERS\sbaphd.sys [1/15/2013 8:12 AM 22064]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [4/25/2013 1:41 PM 4936752]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [4/18/2013 4:34 AM 283136]
R2 PCPitstop Realtime;PCPitstop Realtime;c:\program files\PCPitstop\SuperShield\PCPitstopRTService.exe [1/3/2013 2:43 PM 3835656]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2/13/2013 9:18 AM 1124184]
R2 sbapifs;sbapifs;c:\windows\SYSTEM32\DRIVERS\sbapifs.sys [1/3/2013 2:55 PM 66344]
R3 CompFilter;UVCCompositeFilter;c:\windows\SYSTEM32\DRIVERS\lvbusflt.sys [11/9/2010 8:46 PM 22176]
S3 ASTSRV;AST HighEnd Service;c:\windows\SYSTEM32\ASTSRV.EXE [12/5/2010 3:50 PM 57344]
S3 gfiark;gfiark;c:\windows\SYSTEM32\DRIVERS\gfiark.sys [5/16/2013 7:13 PM 41584]
S3 nlsX86cc;Nalpeiron Licensing Service;c:\windows\SYSTEM32\nlssrv32.exe [3/25/2010 9:49 AM 57344]
S3 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [12/11/2010 2:58 PM 90864]
S3 RapportKELL;RapportKELL;c:\windows\SYSTEM32\DRIVERS\RapportKELL.sys [2/13/2013 9:19 AM 102008]
S3 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2/13/2013 9:19 AM 173880]
S3 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:28 PM 160944]
S3 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [8/19/2011 3:26 AM 450848]
S3 vToolbarUpdater12.2.6;vToolbarUpdater12.2.6;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe [8/27/2012 1:53 AM 722528]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*NewlyCreated* - WUAUSERV
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-17 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-27 04:51]
.
2013-05-16 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1757981266-1532298954-682003330-1003Core.job
- c:\documents and settings\Dale Ova\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-11-12 22:38]
.
2013-05-17 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1757981266-1532298954-682003330-1003UA.job
- c:\documents and settings\Dale Ova\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-11-12 22:38]
.
2013-05-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-1532298954-682003330-1003Core.job
- c:\documents and settings\Dale Ova\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-08 04:02]
.
2013-05-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-1532298954-682003330-1003UA.job
- c:\documents and settings\Dale Ova\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-08 04:02]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\12.2.6\ViProtocol.dll
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
.
.
.
**************************************************************************
.
disk not found C:\
.
please note that you need administrator rights to perform deep scan
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET CLR Data]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET CLR Networking]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET Data Provider for Oracle]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET Data Provider for SqlServer]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NETFramework]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Abiosdsk]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\abp480n5]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI]
"ImagePath"="system32\DRIVERS\ACPI.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPIEC]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\adpu160m]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aec]
"ImagePath"="system32\drivers\aec.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AFD]
"ImagePath"="\SystemRoot\System32\drivers\afd.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Aha154x]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78u2]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78xx]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Alerter]
"ServiceDll"="%SystemRoot%\system32\alrsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALG]
"ImagePath"="%SystemRoot%\System32\alg.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AliIde]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\amsint]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Apple Mobile Device]
"ImagePath"="\"c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppMgmt]
"ServiceDll"="%SystemRoot%\System32\appmgmts.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3350p]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3550]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET_2.0.50727]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aspnet_state]
"ImagePath"="%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASTCC]
"ImagePath"="c:\windows\SYSTEM32\astsrv.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASTSRV]
"ImagePath"="c:\windows\system32\ASTSRV.EXE"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AsyncMac]
"ImagePath"="system32\DRIVERS\asyncmac.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="system32\DRIVERS\atapi.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atdisk]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atmarpc]
"ImagePath"="system32\DRIVERS\atmarpc.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AudioSrv]
"ServiceDll"="%SystemRoot%\System32\audiosrv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\audstub]
"ImagePath"="system32\DRIVERS\audstub.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Avg]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AVGIDSAgent]
"ImagePath"="\"c:\program files\AVG\AVG2013\avgidsagent.exe\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AVGIDSDriver]
"ImagePath"="system32\DRIVERS\avgidsdriverx.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AVGIDSHX]
"ImagePath"="system32\DRIVERS\avgidshx.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AVGIDSShim]
"ImagePath"="system32\DRIVERS\avgidsshimx.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Avgldx86]
"ImagePath"="system32\DRIVERS\avgldx86.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Avglogx]
"ImagePath"="system32\DRIVERS\avglogx.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Avgmfx86]
"ImagePath"="system32\DRIVERS\avgmfx86.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Avgrkx86]
"ImagePath"="system32\DRIVERS\avgrkx86.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Avgtdix]
"ImagePath"="system32\DRIVERS\avgtdix.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\avgtp]
"ImagePath"="\??\c:\windows\system32\drivers\avgtpx86.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\avgwd]
"ImagePath"="\"c:\program files\AVG\AVG2013\avgwdsvc.exe\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b57w2k]
"ImagePath"="system32\DRIVERS\b57xp32.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BattC]
"MofImagePath"="System32\Drivers\battc.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Beep]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BITS]
"ServiceDll"="%systemroot%\system32\qmgr.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Bonjour Service]
"ImagePath"="\"c:\program files\Bonjour\mDNSResponder.exe\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Browser]
"ServiceDll"="%SystemRoot%\System32\browser.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BrScnUsb]
"ImagePath"="system32\DRIVERS\BrScnUsb.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BrSerIf]
"ImagePath"="System32\Drivers\BrSerIf.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BrUsbSer]
"ImagePath"="System32\Drivers\BrUsbSer.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
"ImagePath"="\??\c:\docume~1\DALEOV~1\LOCALS~1\Temp\catchme.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cbidf2k]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CCDECODE]
"ImagePath"="system32\DRIVERS\CCDECODE.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cd20xrnt]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdaudio]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdfs]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdrom]
"ImagePath"="system32\DRIVERS\cdrom.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Changer]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CiSvc]
"ImagePath"="%SystemRoot%\system32\cisvc.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ClipSrv]
"ImagePath"="%SystemRoot%\system32\clipsrv.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clr_optimization_v2.0.50727_32]
"ImagePath"="c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CmdIde]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Compbatt]
"ImagePath"="system32\DRIVERS\compbatt.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CompFilter]
"ImagePath"="system32\DRIVERS\lvbusflt.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\COMSysApp]
"ImagePath"="%SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContentFilter]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContentIndex]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cpqarray]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CryptSvc]
"ServiceDll"="%SystemRoot%\System32\cryptsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac2w2k]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac960nt]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DcomLaunch]
"ServiceDll"="%SystemRoot%\system32\rpcss.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dhcp]
"ServiceDll"="%SystemRoot%\System32\dhcpcsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Disk]
"ImagePath"="system32\DRIVERS\disk.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmadmin]
"ImagePath"="%SystemRoot%\System32\dmadmin.exe /com"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmboot]
"ImagePath"="System32\drivers\dmboot.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmio]
"ImagePath"="System32\drivers\dmio.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmload]
"ImagePath"="System32\drivers\dmload.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmserver]
"ServiceDll"="%SystemRoot%\System32\dmserver.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DMusic]
"ImagePath"="system32\drivers\DMusic.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dnscache]
"ServiceDll"="%SystemRoot%\System32\dnsrslvr.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dot3svc]
"ServiceDll"="%SystemRoot%\System32\dot3svc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dot4]
"ImagePath"="system32\DRIVERS\Dot4.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dot4 HPH11]
"ImagePath"="system32\DRIVERS\hphid411.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dot4Print]
"ImagePath"="system32\DRIVERS\Dot4Prt.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dot4Print HPH11]
"ImagePath"="system32\DRIVERS\hphipr11.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dot4Storage HPH11]
"ImagePath"="System32\Drivers\hphs2k11.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dot4usb]
"ImagePath"="system32\DRIVERS\dot4usb.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dot4Usb HPH11]
"ImagePath"="System32\drivers\hphius11.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dpti2o]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\drmkaud]
"ImagePath"="system32\drivers\drmkaud.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EapHost]
"ServiceDll"="%SystemRoot%\System32\eapsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ERSvc]
"ServiceDll"="%SystemRoot%\System32\ersvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Eventlog]
"ImagePath"="%SystemRoot%\system32\services.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventSystem]
"ServiceDll"="c:\windows\system32\es.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fastfat]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FastUserSwitchingCompatibility]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc]
"ImagePath"="system32\DRIVERS\fdc.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FilterService]
"ImagePath"="system32\DRIVERS\lvuvcflt.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fips]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]
"ImagePath"="system32\DRIVERS\flpydisk.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FltMgr]
"ImagePath"="system32\drivers\fltmgr.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FontCache3.0.0.0]
"ImagePath"="c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fs_Rec]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ftdisk]
"ImagePath"="system32\DRIVERS\ftdisk.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GEARAspiWDM]
"ImagePath"="system32\DRIVERS\GEARAspiWDM.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gfiark]
"ImagePath"="system32\drivers\gfiark.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Gpc]
"ImagePath"="system32\DRIVERS\msgpc.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gupdate]
"ImagePath"="\"c:\program files\Google\Update\GoogleUpdate.exe\" /svc"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gupdatem]
"ImagePath"="\"c:\program files\Google\Update\GoogleUpdate.exe\" /medsvc"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gusvc]
"ImagePath"="\"c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\helpsvc]
"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidBatt]
"ImagePath"="system32\DRIVERS\HidBatt.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidServ]
"ServiceDll"="%SystemRoot%\System32\hidserv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hidusb]
"ImagePath"="system32\DRIVERS\hidusb.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hkmsvc]
"ServiceDll"="%SystemRoot%\System32\kmsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpn]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTP]
"ImagePath"="System32\Drivers\HTTP.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTPFilter]
"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omgmt]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omp]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i8042prt]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ialm]
"ImagePath"="system32\DRIVERS\ialmnt5.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDriverT]
"ImagePath"="\"c:\program files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\idsvc]
"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Imapi]
"ImagePath"="system32\DRIVERS\imapi.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ImapiService]
"ImagePath"="%systemroot%\system32\imapi.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\inetaccs]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ini910u]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Inport]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IntelIde]
"ImagePath"="system32\DRIVERS\intelide.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\intelppm]
"ImagePath"="system32\DRIVERS\intelppm.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ip6Fw]
"ImagePath"="system32\drivers\ip6fw.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpFilterDriver]
"ImagePath"="system32\DRIVERS\ipfltdrv.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpInIp]
"ImagePath"="system32\DRIVERS\ipinip.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpNat]
"ImagePath"="system32\DRIVERS\ipnat.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iPod Service]
"ImagePath"="\"c:\program files\iPod\bin\iPodService.exe\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IPSec]
"ImagePath"="system32\DRIVERS\ipsec.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IRENUM]
"ImagePath"="system32\DRIVERS\irenum.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ISAPISearch]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\isapnp]
"ImagePath"="system32\DRIVERS\isapnp.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\JavaQuickStarterService]
"ImagePath"="\"c:\program files\Java\jre7\bin\jqs.exe\" -service -config \"c:\program files\Java\jre7\lib\deploy\jqs\jqs.conf\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Kbdclass]
"ImagePath"="system32\DRIVERS\kbdclass.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbdhid]
"ImagePath"="system32\DRIVERS\kbdhid.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kmixer]
"ImagePath"="system32\drivers\kmixer.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KSecDD]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanserver]
"ServiceDll"="%SystemRoot%\System32\srvsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanworkstation]
"ServiceDll"="%SystemRoot%\System32\wkssvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lbrtfdc]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ldap]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LicenseService]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LmHosts]
"ServiceDll"="%SystemRoot%\System32\lmhsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lvpopflt]
"ImagePath"="system32\DRIVERS\lvpopflt.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LVPr2Mon]
"ImagePath"="system32\DRIVERS\LVPr2Mon.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LVRS]
"ImagePath"="system32\DRIVERS\lvrs.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LVUSBSta]
"ImagePath"="system32\drivers\LVUSBSta.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LVUVC]
"ImagePath"="system32\DRIVERS\lvuvc.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Messenger]
"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmdd]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmsrvc]
"ImagePath"="c:\windows\system32\mnmsrvc.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Modem]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mouclass]
"ImagePath"="system32\DRIVERS\mouclass.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mouhid]
"ImagePath"="system32\DRIVERS\mouhid.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MountMgr]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mraid35x]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxDAV]
"ImagePath"="system32\DRIVERS\mrxdav.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxSmb]
"ImagePath"="system32\DRIVERS\mrxsmb.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC]
"ImagePath"="c:\windows\system32\msdtc.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC Bridge 3.0.0.0]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Msfs]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSKSSRV]
"ImagePath"="system32\drivers\MSKSSRV.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPCLOCK]
"ImagePath"="system32\drivers\MSPCLOCK.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPQM]
"ImagePath"="system32\drivers\MSPQM.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mssmbios]
"ImagePath"="system32\DRIVERS\mssmbios.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSTEE]
"ImagePath"="system32\drivers\MSTEE.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mup]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NABTSFEC]
"ImagePath"="system32\DRIVERS\NABTSFEC.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\napagent]
"ServiceDll"="%SystemRoot%\System32\qagentrt.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDIS]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisIP]
"ImagePath"="system32\DRIVERS\NdisIP.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisTapi]
"ImagePath"="system32\DRIVERS\ndistapi.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ndisuio]
"ImagePath"="system32\DRIVERS\ndisuio.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisWan]
"ImagePath"="system32\DRIVERS\ndiswan.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDProxy]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBIOS]
"ImagePath"="system32\DRIVERS\netbios.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT]
"ImagePath"="system32\DRIVERS\netbt.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDE]
"ImagePath"="%SystemRoot%\system32\netdde.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDEdsdm]
"ImagePath"="%SystemRoot%\system32\netdde.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netlogon]
"ImagePath"="%SystemRoot%\system32\lsass.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netman]
"ServiceDll"="%SystemRoot%\System32\netman.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetTcpPortSharing]
"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Nla]
"ServiceDll"="%SystemRoot%\System32\mswsock.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nlsX86cc]
"ImagePath"="c:\windows\system32\nlssrv32.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Npfs]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ntfs]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtLmSsp]
"ImagePath"="%SystemRoot%\system32\lsass.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc]
"ServiceDll"="%SystemRoot%\system32\ntmssvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NuidFltr]
"ImagePath"="system32\DRIVERS\NuidFltr.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Null]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFlt]
"ImagePath"="system32\DRIVERS\nwlnkflt.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFwd]
"ImagePath"="system32\DRIVERS\nwlnkfwd.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Parport]
"ImagePath"="system32\DRIVERS\parport.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PartMgr]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ParVdm]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCI]
"ImagePath"="system32\DRIVERS\pci.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIDump]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIIde]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pcmcia]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCPitstop Realtime]
"ImagePath"="c:\program files\PCPitstop\SuperShield\PCPitstopRTService.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCPitstop Scheduling]
"ImagePath"="c:\program files\PCPitstop\PCPitstopScheduleService.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDCOMP]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDFRAME]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRELI]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRFRAME]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2hib]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfDisk]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfNet]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfOS]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfProc]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PlugPlay]
"ImagePath"="%SystemRoot%\system32\services.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pml Driver HPH11]
"ImagePath"="c:\windows\system32\HPHipm11.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PolicyAgent]
"ImagePath"="%SystemRoot%\system32\lsass.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PptpMiniport]
"ImagePath"="system32\DRIVERS\raspptp.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ProtectedStorage]
"ImagePath"="%SystemRoot%\system32\lsass.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSched]
"ImagePath"="system32\DRIVERS\psched.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ptilink]
"ImagePath"="system32\DRIVERS\ptilink.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1080]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ql10wnt]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql12160]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1240]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1280]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RapportCerberus_50414]
"ImagePath"="\??\c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_50414.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RapportEI]
"ImagePath"="\??\c:\program files\Trusteer\Rapport\bin\RapportEI.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RapportKELL]
"ImagePath"="System32\Drivers\RapportKELL.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RapportMgmtService]
"ImagePath"="\"c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RapportPG]
"ImagePath"="\??\c:\program files\Trusteer\Rapport\bin\RapportPG.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAcd]
"ImagePath"="system32\DRIVERS\rasacd.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAuto]
"ServiceDll"="%SystemRoot%\System32\rasauto.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rasl2tp]
"ImagePath"="system32\DRIVERS\rasl2tp.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasMan]
"ServiceDll"="%SystemRoot%\System32\rasmans.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasPppoe]
"ImagePath"="system32\DRIVERS\raspppoe.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Raspti]
"ImagePath"="system32\DRIVERS\raspti.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rdbss]
"ImagePath"="system32\DRIVERS\rdbss.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPCDD]
"ImagePath"="System32\DRIVERS\RDPCDD.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPDD]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rdpdr]
"ImagePath"="system32\DRIVERS\rdpdr.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPNP]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPWD]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDSessMgr]
"ImagePath"="c:\windows\system32\sessmgr.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
"ImagePath"="system32\DRIVERS\redbook.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteAccess]
"ServiceDll"="%SystemRoot%\System32\mprdim.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteRegistry]
"ServiceDll"="%SystemRoot%\system32\regsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcLocator]
"ImagePath"="%SystemRoot%\system32\locator.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcSs]
"ServiceDll"="%SystemRoot%\System32\rpcss.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RSVP]
"ImagePath"="%SystemRoot%\system32\rsvp.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SamSs]
"ImagePath"="%SystemRoot%\system32\lsass.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sbaphd]
"ImagePath"="system32\drivers\sbaphd.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sbapifs]
"ImagePath"="system32\drivers\sbapifs.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SCardSvr]
"ImagePath"="%SystemRoot%\System32\SCardSvr.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Schedule]
"ServiceDll"="%SystemRoot%\system32\schedsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ScsiPort]
"ImagePath"="%SystemRoot%\system32\drivers\scsiport.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Secdrv]
"ImagePath"="system32\DRIVERS\secdrv.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seclogon]
"ServiceDll"="%SystemRoot%\System32\seclogon.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\senfilt]
"ImagePath"="system32\drivers\senfilt.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SENS]
"ServiceDll"="%SystemRoot%\system32\sens.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\serenum]
"ImagePath"="system32\DRIVERS\serenum.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Serial]
"ImagePath"="system32\DRIVERS\serial.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelEndpoint 3.0.0.0]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelOperation 3.0.0.0]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelService 3.0.0.0]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sfloppy]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ShellHWDetection]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Simbad]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SkypeUpdate]
"ImagePath"="\"c:\program files\Skype\Updater\Updater.exe\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SLIP]
"ImagePath"="system32\DRIVERS\SLIP.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SMSvcHost 3.0.0.0]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\smwdm]
"ImagePath"="system32\drivers\smwdm.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sparrow]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\splitter]
"ImagePath"="system32\drivers\splitter.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Spooler]
"ImagePath"="%SystemRoot%\system32\spoolsv.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sr]
"ImagePath"="system32\DRIVERS\sr.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srservice]
"ServiceDll"="%SystemRoot%\system32\srsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Srv]
"ImagePath"="system32\DRIVERS\srv.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SSDPSRV]
"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\stisvc]
"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\streamip]
"ImagePath"="system32\DRIVERS\StreamIP.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swenum]
"ImagePath"="system32\DRIVERS\swenum.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swmidi]
"ImagePath"="system32\drivers\swmidi.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SwPrv]
"ImagePath"="c:\windows\system32\dllhost.exe /Processid:{3B411328-12B2-47A0-A788-DE61F341E75E}"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swwd]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc810]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc8xx]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_hi]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_u3]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sysaudio]
"ImagePath"="system32\drivers\sysaudio.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SysmonLog]
"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TapiSrv]
"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip]
"ImagePath"="system32\DRIVERS\tcpip.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDPIPE]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDTCP]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermDD]
"ImagePath"="system32\DRIVERS\termdd.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermService]
"ServiceDll"="%SystemRoot%\System32\termsrv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Themes]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TlntSvr]
"ImagePath"="c:\windows\system32\tlntsvr.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TosIde]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TrkWks]
"ServiceDll"="%SystemRoot%\system32\trkwks.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TSDDD]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Udfs]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ultra]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UMVPFSrv]
"ImagePath"="c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update]
"ImagePath"="system32\DRIVERS\update.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\upnphost]
"ServiceDll"="%SystemRoot%\System32\upnphost.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPS]
"ImagePath"="%SystemRoot%\System32\ups.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\USBAAPL]
"ImagePath"="System32\Drivers\usbaapl.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbaudio]
"ImagePath"="system32\drivers\usbaudio.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbccgp]
"ImagePath"="system32\DRIVERS\usbccgp.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbehci]
"ImagePath"="system32\DRIVERS\usbehci.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbhub]
"ImagePath"="system32\DRIVERS\usbhub.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbprint]
"ImagePath"="system32\DRIVERS\usbprint.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbscan]
"ImagePath"="system32\DRIVERS\usbscan.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\USBSTOR]
"ImagePath"="system32\DRIVERS\USBSTOR.SYS"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbuhci]
"ImagePath"="system32\DRIVERS\usbuhci.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbvideo]
"ImagePath"="System32\Drivers\usbvideo.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UxTuneUp]
"ServiceDll"="%SystemRoot%\System32\uxtuneup.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VgaSave]
"ImagePath"="\SystemRoot\System32\drivers\vga.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ViaIde]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VolSnap]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VSS]
"ImagePath"="%SystemRoot%\System32\vssvc.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vToolbarUpdater12.2.6]
"ImagePath"="c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\12.2.6\ToolbarUpdater.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W32Time]
"ServiceDll"="%systemroot%\system32\w32time.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W3SVC]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wanarp]
"ImagePath"="system32\DRIVERS\wanarp.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wdf01000]
"ImagePath"="system32\DRIVERS\Wdf01000.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WDICA]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wdmaud]
"ImagePath"="system32\drivers\wdmaud.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebClient]
"ServiceDll"="%SystemRoot%\System32\webclnt.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Windows Workflow Foundation 3.0.0.0]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt]
"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Winsock]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinSock2]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinTrust]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmdmPmSN]
"ServiceDll"="c:\windows\system32\mspmsnsv.dll"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wmi]
"ServiceDll"="%SystemRoot%\System32\advapi32.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApRpl]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApSrv]
"ImagePath"="c:\windows\system32\wbem\wmiapsrv.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WS2IFSL]
"ImagePath"="\SystemRoot\System32\drivers\ws2ifsl.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wscsvc]
"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WSTCODEC]
"ImagePath"="system32\DRIVERS\WSTCODEC.SYS"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauserv]
"ServiceDll"="%systemroot%\system32\wuauserv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WZCSVC]
"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xmlprov]
"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{07171AC2-0D2A-427d-BCE5-B6C2D6C7058B}]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{189311DD-A463-4ACE-A8C5-FCEF2283BEAC}]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{2C2534FF-EF25-4227-9C76-CD837D3D0BE7}]
.
Completion time: 2013-05-17  18:46:08
ComboFix-quarantined-files.txt  2013-05-18 00:46
.
Pre-Run: 21,490,409,472 bytes free
Post-Run: 21,799,972,864 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 497252EDE382484A487EE15D8B65BA54

Corrine

Hi, ovaunda.

Do you have access to the administrator account?

Quote:
disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...


ovaunda

I only have one user account and it is assigned administrator rights. How do I access the administrator account?

Corrine

That's fine then.  I don't usually see that line in a log. 

There's a lot there that I'd like to research and it will take me a fair amount of time, which I won't have tonight.  So, in the meantime, it would be helpful if you ran an online scan, which will provide a "second opinion". 

Please go here to run an on-line scan from ESET.

  • Note: It is easiest if you use Internet Explorer for this scan.  (If you use an alternate browser, it will be necessary to download the ESET Smart Installer.)
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic.


ovaunda

Thanks for your help so far. Long process, would not load in IE so had to use the installer in Chrome and running now.

ovaunda

ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=0b97e3651b273c42b234e39bbb844dc8
# engine=13855
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-05-18 05:19:22
# local_time=2013-05-17 11:19:22 (-0700, Mountain Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1039 16777213 100 92 0 55037946 0 0
# scanned=153099
# found=3
# cleaned=0
# scan_time=12492
sh=9B0EAE929C1A49762F470FCC311440813C62D8E9 ft=0 fh=0000000000000000 vn="Java/Exploit.Agent.OEZ trojan" ac=I fn="C:\Documents and Settings\Dale Ova\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\32\b9580e0-307a323f"
sh=890368473ECBC404DCD42FF0C6C38397102F59C0 ft=1 fh=4c7db45bf4256cb3 vn="Win32/PrcView application" ac=I fn="C:\Documents and Settings\Dale Ova\My Documents\Downloads\SmitfraudFix\Process.exe"
sh=904552C6D3D62C2C2897565F3DAD5FF5F92A4500 ft=1 fh=78f1739f17135b7d vn="Win32/Shutdown.NAA application" ac=I fn="C:\Documents and Settings\Dale Ova\My Documents\Downloads\SmitfraudFix\restart.exe"
sh=D07F0F83B6B36984DE97FDB422430C77586E3A6B ft=1 fh=38f672b5d0868b48 vn="multiple threats" ac=I fn="C:\System Volume Information\_restore{4EF88B12-5691-4997-89BE-5D1C93B6411C}\RP958\A2402520.exe"
sh=890368473ECBC404DCD42FF0C6C38397102F59C0 ft=1 fh=4c7db45bf4256cb3 vn="Win32/PrcView application" ac=I fn="C:\WINDOWS\SYSTEM32\Process.exe"
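A small parser for the ESET Online Scanner log format posted above (an added example, not code from the thread or from ESET): it separates the "# key=value" header from the sh=/vn=/fn= detection lines, groups findings by threat name and by location (Java deployment cache, System Restore snapshot, Downloads folder, other), and cross-checks the header's found count against the detection lines, which, as in the log above, need not agree. The sample log is constructed, with placeholder hashes and paths modelled on the thread.

```python
import re
from collections import Counter

# key=value pairs; vn (threat name) and fn (file path) are double-quoted and may contain spaces.
PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log: placeholder hashes, paths modelled on the thread.
SAMPLE_LOG = r"""
# version=8
# osver=5.1.2600 NT Service Pack 3
# scanned=153099
# found=2
# cleaned=0
sh=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ft=0 fh=0000000000000000 vn="Java/Exploit.Agent.OEZ trojan" ac=I fn="C:\Documents and Settings\User\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\32\1a2b3c4d-5e6f7a8b"
sh=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB ft=1 fh=1111111111111111 vn="Win32/PrcView application" ac=I fn="C:\Documents and Settings\User\My Documents\Downloads\SmitfraudFix\Process.exe"
sh=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC ft=1 fh=2222222222222222 vn="multiple threats" ac=I fn="C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.exe"
sh=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB ft=1 fh=1111111111111111 vn="Win32/PrcView application" ac=I fn="C:\WINDOWS\SYSTEM32\Process.exe"
"""

def classify(path):
    """Bucket a detection by where it lives; each bucket is remediated differently."""
    p = path.lower()
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java_cache"     # cleared by the ClearJavaCache:: CFScript directive
    if p.startswith("c:\\system volume information\\"):
        return "restore_point"  # old System Restore snapshot, gone when restore points are flushed
    if "\\downloads\\" in p:
        return "downloads"      # user-downloaded tool; review by hand before deleting
    return "other"

def parse_eset_log(text):
    """Return (header dict, list of detection dicts) from the raw log text."""
    header, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):                       # "# key=value" header line
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()
        elif line.startswith("sh="):                   # one detection per line
            rec = {k: v.strip('"') for k, v in PAIR_RE.findall(line)}
            rec["bucket"] = classify(rec.get("fn", ""))
            detections.append(rec)
    return header, detections

def summarize(text):
    """Counts a helper wants before deciding what to remove: totals, per threat, per location."""
    header, dets = parse_eset_log(text)
    header_found = int(header.get("found", "0"))
    unique = len({d["sh"] for d in dets})
    return {"header_found": header_found, "lines_found": len(dets), "unique_hashes": unique,
            "by_threat": dict(Counter(d["vn"] for d in dets)),
            "by_bucket": dict(Counter(d["bucket"] for d in dets)),
            "count_mismatch": header_found != unique}   # same SHA-1 found in two places counts once
```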

Corrine

Hi, ovaunda.  Thank you.  We'll take care of the one finding by ESET in a bit. 

1.  You must have quite an old collection in your downloads folder as I haven't seen signs of S!Ri's SmitfraudFix for some time.  That finding by ESET is a f/p but you can delete the SmitfraudFix file from your Downloads folder!

2.  It appears from the leftovers that you had Sunbelt software installed on this computer at one time.  Please run the CounterSpy and VIPRE removal tool: http://www.sunbelt-software.com/ihs/cs&vclean.exe.  After running, you will need to restart your computer.

3.  Adobe:  The current version of Adobe Acrobat & Adobe Reader is 11.0.02.  Please uninstall the following:

Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 6.0.1 Professional
Adobe Atmosphere Player for Acrobat and Adobe Reader


Next, update Adobe Reader to version XI (11.0.02), available here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.

Note: UNcheck any pre-checked additional options presented with the update. They are not part of the software update and are completely optional.

4.  Java:  Personally, I removed Java from my computer some time ago.  If you still need Java, please update to the latest version:  Java Version 7 Update 21.   (See Critical Oracle Java Security Update Released to make sure the security setting is set to High.)

5.  Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:


ClearJavaCache::


  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.





  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


ovaunda

Attempting to uninstall in Add/Remove Programs returns the error:

The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

I cannot run any updates for the same reason.

Corrine
