Need help with conficker worm!!!!

Hi John

Please download MBRCheck by ad_13 and save it to your desktop.

Double-click to run. A window will pop up. If it says 'non-standard' or 'infected' MBR code detected, please type 3 for Exit for now and press Enter.

It will save a logfile on your desktop that starts with MBR, then has the date, etc. Please copy and paste the contents of that log in your reply.

Thanks peku006
 
MBR log

peku, here it is, thanks! Please advise.


MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 147):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0xF7C0C000 \WINDOWS\system32\KDCOM.DLL
0xF7B1C000 \WINDOWS\system32\BOOTVID.dll
0xF770C000 ipukke.sys
0xF76BD000 ACPI.sys
0xF7C0E000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF76AC000 pci.sys
0xF771C000 isapnp.sys
0xF772C000 ohci1394.sys
0xF773C000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7B20000 compbatt.sys
0xF7B24000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7CD4000 pciide.sys
0xF798C000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF768E000 pcmcia.sys
0xF774C000 MountMgr.sys
0xF766F000 ftdisk.sys
0xF7C10000 dmload.sys
0xF7649000 dmio.sys
0xF7B28000 ACPIEC.sys
0xF7CD5000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF7994000 PartMgr.sys
0xF775C000 VolSnap.sys
0xF7631000 atapi.sys
0xF776C000 disk.sys
0xF777C000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7611000 fltmgr.sys
0xF75FF000 sr.sys
0xF75E9000 DRVMCDB.SYS
0xF778C000 PxHelp20.sys
0xF75D2000 KSecDD.sys
0xF7545000 Ntfs.sys
0xF7518000 NDIS.sys
0xF74FE000 Mup.sys
0xF779C000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF78DC000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7343000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF732F000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7307000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF72C9000 \SystemRoot\system32\DRIVERS\e1e5132.sys
0xF6C7B000 \SystemRoot\system32\DRIVERS\NETw5x32.sys
0xF7A1C000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6C57000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7A24000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF6C2F000 \SystemRoot\system32\drivers\tifm21.sys
0xF6C1B000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xF7BF0000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF78EC000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7A2C000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF6C02000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
0xF7A34000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF78FC000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7C30000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
0xF790C000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF791C000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6BDF000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7CE3000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7C38000 \SystemRoot\System32\Drivers\RootMdm.sys
0xF7AAC000 \SystemRoot\System32\Drivers\Modem.SYS
0xF77FC000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF74D6000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6BC8000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF780C000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF781C000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7AB4000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6BB7000 \SystemRoot\system32\DRIVERS\psched.sys
0xF782C000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7ABC000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7AC4000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7ACC000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0xF6B87000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF783C000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7C3A000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6B01000 \SystemRoot\system32\DRIVERS\update.sys
0xF74BA000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF784C000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAA3B3000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xAA38F000 \SystemRoot\system32\drivers\portcls.sys
0xF786C000 \SystemRoot\system32\drivers\drmk.sys
0xF787C000 \SystemRoot\system32\DRIVERS\Tvs.sys
0xF7ADC000 \SystemRoot\system32\DRIVERS\tsxt_kern_i386.sys
0xF7AEC000 \SystemRoot\system32\DRIVERS\wowhd_kern_i386.sys
0xF788C000 \SystemRoot\system32\DRIVERS\csiidecoder_kern_i386.sys
0xAA27C000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xF7C44000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF797C000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7C6A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7E34000 \SystemRoot\System32\Drivers\Null.SYS
0xF7C6C000 \SystemRoot\System32\Drivers\Beep.SYS
0xF79C4000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
0xF79CC000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF79D4000 \SystemRoot\System32\drivers\vga.sys
0xF7C6E000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7C70000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xAA223000 \SystemRoot\System32\Drivers\meiudf.sys
0xAA212000 \SystemRoot\System32\Drivers\Udfs.SYS
0xF79DC000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF79E4000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7C04000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAA1FF000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAA1A6000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF77AC000 \SystemRoot\system32\drivers\mfetdik.sys
0xAA158000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xAA130000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF77BC000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xAA06E000 \SystemRoot\System32\drivers\afd.sys
0xF77CC000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF6B73000 \SystemRoot\System32\Drivers\TPwSav.sys
0xAA043000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF77DC000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xA9FD3000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF77EC000 \SystemRoot\System32\Drivers\Fips.SYS
0xF79EC000 \SystemRoot\System32\Drivers\tcusb.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xF7BC8000 \SystemRoot\System32\drivers\Dxapi.sys
0xF79F4000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7D66000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF042000 \SystemRoot\System32\ialmdev5.DLL
0xBF077000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xAA0A0000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0xF7DC4000 \SystemRoot\System32\DLA\DLADResN.SYS
0xA9E55000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
0xA9ED3000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
0xF7CA4000 \SystemRoot\System32\DLA\DLAPoolM.SYS
0xF7CA6000 \??\C:\WINDOWS\system32\drivers\TBiosDrv.sys
0xF7A54000 \SystemRoot\System32\DLA\DLABOIOM.SYS
0xA9E3D000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
0xA9E27000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
0xF7A6C000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xA9E7F000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xA9F83000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA9EDF000 \SystemRoot\system32\DRIVERS\netdevio.sys
0xA9BA2000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7C14000 \SystemRoot\System32\Drivers\ASCTRM.SYS
0xA9A32000 \SystemRoot\system32\DRIVERS\srv.sys
0xA960D000 \SystemRoot\system32\drivers\wdmaud.sys
0xA99BA000 \SystemRoot\system32\drivers\sysaudio.sys
0xF7A0C000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xA922A000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xA93CD000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA8AFE000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 62):
0 System Idle Process
4 System
872 C:\WINDOWS\system32\smss.exe
936 csrss.exe
960 C:\WINDOWS\system32\winlogon.exe
1004 C:\WINDOWS\system32\services.exe
1016 C:\WINDOWS\system32\lsass.exe
1208 C:\WINDOWS\system32\svchost.exe
1276 svchost.exe
1316 C:\WINDOWS\system32\svchost.exe
1372 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
1408 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
1444 svchost.exe
1628 svchost.exe
1880 C:\WINDOWS\system32\spoolsv.exe
300 svchost.exe
344 C:\WINDOWS\system32\drivers\CDANTSRV.EXE
132 C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
472 C:\WINDOWS\system32\DVDRAMSV.exe
524 C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
572 C:\WINDOWS\system32\inetsrv\inetinfo.exe
640 C:\Program Files\Java\jre6\bin\jqs.exe
664 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
692 C:\WINDOWS\system32\svchost.exe
732 C:\WINDOWS\system32\svchost.exe
772 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
1064 C:\WINDOWS\system32\svchost.exe
1240 C:\Toshiba\IVP\swupdate\swupdtmr.exe
1588 alg.exe
564 C:\WINDOWS\explorer.exe
1984 C:\WINDOWS\system32\igfxtray.exe
2008 C:\WINDOWS\system32\hkcmd.exe
2016 C:\WINDOWS\system32\igfxpers.exe
2116 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
2124 C:\WINDOWS\system32\DLA\DLACTRLW.EXE
2140 C:\Program Files\Apoint2K\Apoint.exe
2148 C:\WINDOWS\agrsmmsg.exe
2176 C:\Program Files\Toshiba\Tvs\TvsTray.exe
2200 C:\Program Files\Toshiba\E-KEY\CeEKey.exe
2208 C:\WINDOWS\system32\TPSMain.exe
2224 C:\Program Files\Toshiba\Touch and Launch\PadExe.exe
2244 C:\WINDOWS\system32\ZoomingHook.exe
2420 C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe
2436 C:\Program Files\Toshiba\TouchPad\TPTray.exe
2444 C:\WINDOWS\system32\TCtrlIOHook.exe
2580 C:\WINDOWS\system32\TDispVol.exe
2692 C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
2832 C:\WINDOWS\system32\TPSBattM.exe
2836 C:\Program Files\SHARP\Sharpdesk\IndexTray.exe
2852 C:\Program Files\Apoint2K\ApntEx.exe
2864 C:\Program Files\SHARP\Sharpdesk\Indexer.exe
3000 C:\Program Files\SHARP\Sharpdesk\SharpTray.exe
3252 C:\Program Files\HP\HP Software Update\hpwuschd2.exe
3744 C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
3752 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
3760 C:\WINDOWS\system32\ctfmon.exe
3900 C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
3912 C:\WINDOWS\system32\RAMASST.exe
2308 C:\Program Files\Internet Explorer\iexplore.exe
2356 C:\Program Files\Internet Explorer\iexplore.exe
3032 C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
884 C:\Documents and Settings\john\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HTS541040G9SA00, Rev: MB2OC60R

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: 31D100779DE502702C374F7C15687B56FCFD5528


Done!
 
Hi John

  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Code:
    Files to delete:
    C:\WINDOWS\system32\mxpcivny.dll
    
    Drivers to delete:
    jxrdfklf
    mwyujbz
    riphdxo
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.

Thanks peku006
 
avenger log

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system32\mxpcivny.dll" not found!
Deletion of file "C:\WINDOWS\system32\mxpcivny.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "jxrdfklf" deleted successfully.
Driver "mwyujbz" deleted successfully.
Driver "riphdxo" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
 
Hi John

:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

next...
download a fresh copy of Combofix and save it to your desktop and try to run it.

Thanks peku006
 
combofix

peku,

sorry for taking so long to reply, I was out of the office. I got a little farther with combofix. Got the blue screen, got the 3 lines of text where it tells you it could take 10 minutes or longer to scan depending on how infected your computer is. Cursor goes back to the left and starts blinking but it gets stuck there. I waited a very long time and my only course is to power down the computer again. Can't open task manager or any program. Can't shut down combofix either. I did the removal first like you told me to. I tried it in safe mode with the same result.

combofix took care of my problem last time you guys helped me. Would be nice if we can figure out a way to get it to run.

let me know your thoughts, thanks again!!!!!!!!!!!!!

John
 
Hi John

OK..but I'm not quite sure why combofix is not working, I need more "information"

SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :reg
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    
    :regfind
    jxrdfklf
    mwyujbz
    riphdxo
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt

I'd like you to check a file for Viruses.
C:\WINDOWS\system32\drivers\ctnius.sys
  • Copy/Paste file into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Copy and Paste results in your next reply.

Please reply with

SystemLook.txt along with the jotti's results

Thanks peku006
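The Avenger script earlier in the thread deletes three driver entries, and the SystemLook script above then searches the Services key for whatever references to those names remain. As an added example (not code from the thread, from SystemLook or from The Avenger), the same check can be done with Windows PowerShell: it walks HKLM\SYSTEM\CurrentControlSet\Services, resolves each ImagePath the way the loader does, and reports both the searched names and any entry whose backing file is no longer on disk, which is the usual leftover after a driver has been removed. The three names come from the thread; the Resolve-ImagePath helper and the variable names are my own, and it assumes Windows PowerShell 2.0 or later run from an elevated prompt.

```powershell
# Added example, not part of the thread or of either tool discussed in it.
# Lists every key under the Services hive, resolves its ImagePath and flags
# (a) the names we are searching for and (b) entries whose image file is missing.
# Assumes Windows PowerShell 2.0+ on the affected machine, elevated.

$searchNames = @('jxrdfklf', 'mwyujbz', 'riphdxo')      # names taken from the scripts above
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-ImagePath {
    # Turn a raw ImagePath value into a path Test-Path can check.
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                                   # strip NT \??\ prefix
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot.TrimEnd('\') + '\')
    $p = $p -replace '^%SystemRoot%', $env:SystemRoot
    # Drop service arguments such as "-k netsvcs" after the executable name.
    if ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }
    # Kernel drivers often store a bare relative path, e.g. system32\DRIVERS\foo.sys.
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$report = foreach ($key in Get-ChildItem -Path $servicesKey) {
    $props    = Get-ItemProperty -Path $key.PSPath
    $resolved = Resolve-ImagePath $props.ImagePath
    $onDisk   = $null
    if ($resolved) { $onDisk = Test-Path -LiteralPath $resolved }
    New-Object PSObject -Property @{
        Name      = $key.PSChildName
        Start     = $props.Start          # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        ImagePath = $props.ImagePath
        OnDisk    = $onDisk
        Searched  = ($searchNames -contains $key.PSChildName)
    }
}

# Show only what a responder would want to look at: the searched names, plus any
# entry that still has an ImagePath but whose file has gone.
$report |
    Where-Object { $_.Searched -or ($_.ImagePath -and -not $_.OnDisk) } |
    Select-Object Name, Start, OnDisk, Searched, ImagePath |
    Format-Table -AutoSize

# State explicitly which searched names have no key at all, so "absent" is not
# confused with "present but filtered out".
foreach ($n in $searchNames) {
    if (-not (Test-Path -LiteralPath (Join-Path $servicesKey $n))) {
        "Service key '$n' is not present under $servicesKey"
    }
}
```

A key that is still present after the driver file has been deleted is the case worth following up: a boot- or system-start entry (Start 0 or 1) pointing at a missing file is harmless on its own but shows the removal was only partial, and that is exactly the kind of leftover the :regfind step is meant to surface.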
 
systemlook log

I am working on the virus check. Here is systemlook log:

SystemLook 04.09.10 by jpshortstuff
Log created at 11:45 on 18/11/2010 by John
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]
(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Data]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET Data Provider for Oracle]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET Data Provider for SqlServer]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NETFramework]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Abiosdsk]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abp480n5]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACPI]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACPIEC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\adpu160m]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aec]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AegisP]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AgereSoftModem]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Aha154x]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aic78u2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aic78xx]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AliIde]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ApfiltrService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Arp1394]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3350p]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ASCTRM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ASP]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ASP.NET]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ASP.NET_1.1.4322]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ASP.NET_2.0.50727]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_state]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AsyncMac]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Atdisk]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Atmarpc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudioSrv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\audstub]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BattC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\C-Dilla]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\C-DillaSrv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cbidf2k]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cd20xrnt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdaudio]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdfs]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CFSvcs]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Changer]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clr_optimization_v2.0.50727_32]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CmBatt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CmdIde]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Compbatt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ContentFilter]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ContentIndex]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cpqarray]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dac2w2k]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dac960nt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dalgz]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DcomLaunch]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DLABOIOM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DLACDBHM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DLADResN]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DLAIFS_M]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DLAOPIOM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DLAPoolM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DLARTL_N]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DLAUDFAM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DLAUDF_M]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmboot]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmio]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmload]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DMusic]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dot3svc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dpti2o]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drmkaud]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DRVMCDB]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DRVNDDM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DVD-RAM_Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\e1express]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EapHost]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EngineServer]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EPSON_PM_RPCV4_01]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventSystem]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EvtEng]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fastfat]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fdc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FdRedir]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FileDisk2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fips]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FLEXnet Licensing Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Flpydisk]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FltMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FontCache3.0.0.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fs_Rec]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ftdisk]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gpc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HDAudBus]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidServ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidUsb]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hkmsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hpn]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTPFilter]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i2omgmt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i2omp]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ialm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IDriverT]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Imapi]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\inetaccs]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InetInfo]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ini910u]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Inport]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IntcAzAudAddService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IntelIde]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\intelppm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ip6Fw]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpFilterDriver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpInIp]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpNat]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRENUM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ISAPISearch]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\isapnp]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JavaQuickStarterService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kbdclass]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KSecDD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lbd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lbrtfdc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ldap]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LicenseService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MDM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\meiudf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mfetdik]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmdd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Modem]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mouclass]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouhid]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MountMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mraid35x]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxDAV]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxSmb]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDTC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDTC Bridge 3.0.0.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Msfs]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSKSSRV]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSPCLOCK]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSPQM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssmbios]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\myAgtSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisTapi]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisuio]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisWan]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDProxy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Net Driver HPZ12]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBIOS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDEdsdm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netdevio]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netman]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetTcpPortSharing]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NETw5x32]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NIC1394]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\njznx]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nla]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Npfs]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ntfs]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFSDRV]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtLmSsp]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtmsSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Null]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NwlnkFlt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NwlnkFwd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ohci1394]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ose]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Outlook]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\P3]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Parport]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PartMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ParVdm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCI]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCIDump]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCIIde]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Pcmcia]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PDCOMP]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PDFRAME]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PDRELI]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PDRFRAME]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perc2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perc2hib]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PerfDisk]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PerfNet]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PerfOS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PerfProc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlugPlay]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Pml Driver HPZ12]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PptpMiniport]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProtectedStorage]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PSched]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ptilink]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PxHelp20]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ql1080]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ql10wnt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ql12160]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ql1240]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ql1280]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAcd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rasl2tp]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasPppoe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Raspti]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdbss]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPCDD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPDD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdpdr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPNP]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPWD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\redbook]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RegSrvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RimUsb]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RimVSerPort]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ROOTMODEM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RoxLiveShare9]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\S24EventMonitor]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\s24trans]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SamSs]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ScsiPort]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sdbus]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Secdrv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Serial]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceModelEndpoint 3.0.0.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceModelOperation 3.0.0.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceModelService 3.0.0.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sffdisk]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sffp_sd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sfloppy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ShellHWDetection]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Simbad]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\smihlp]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMSvcHost 3.0.0.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SolidWorks Licensing Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SONYPVU1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sparrow]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\splitter]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Srv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StillCam]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stisvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swenum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swmidi]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SwPrv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Swupdtmr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swwd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\symc810]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\symc8xx]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sym_hi]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sym_u3]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysaudio]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TBiosDrv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcUsb]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDPIPE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDTCP]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tifm21]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TosIde]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TPwSav]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TSDDD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tvs]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Udfs]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ultra]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Update]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbccgp]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbehci]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbhub]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbprint]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbscan]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbuhci]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VgaSave]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vhareut]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ViaIde]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VolSnap]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vxd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w39n51]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wanarp]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wanatw]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDICA]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wdmaud]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Workflow Foundation 3.0.0.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmgmt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinTrust]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApRpl]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ykxkeb]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{67F17C15-BFAA-4FFE-A787-A71449028CC8}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{C0C6EE0E-425C-4CB7-8CC6-1FF28B11005D}]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{CCCBBBEE-AC1A-41A8-BA75-D8041DD75B28}]


========== regfind ==========

Searching for "jxrdfklf"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"="6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem

FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger

Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS

Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov

BITS wuauserv ShellHWDetection helpsvc WmdmPmSN napagent hkmsvc mwyujbz jxrdfklf riphdxo dalgz

ykxkeb njznx vhareut"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JXRDFKLF]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JXRDFKLF\0000]
"Service"="jxrdfklf"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_JXRDFKLF]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_JXRDFKLF\0000]
"Service"="jxrdfklf"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JXRDFKLF]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JXRDFKLF\0000]
"Service"="jxrdfklf"

Searching for "mwyujbz"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"="6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem

FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger

Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS

Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov

BITS wuauserv ShellHWDetection helpsvc WmdmPmSN napagent hkmsvc mwyujbz jxrdfklf riphdxo dalgz

ykxkeb njznx vhareut"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MWYUJBZ]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MWYUJBZ\0000]
"Service"="mwyujbz"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MWYUJBZ]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MWYUJBZ\0000]
"Service"="mwyujbz"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MWYUJBZ]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MWYUJBZ\0000]
"Service"="mwyujbz"

Searching for "riphdxo"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"="6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem

FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger

Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS

Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov

BITS wuauserv ShellHWDetection helpsvc WmdmPmSN napagent hkmsvc mwyujbz jxrdfklf riphdxo dalgz

ykxkeb njznx vhareut"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RIPHDXO]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RIPHDXO\0000]
"Service"="riphdxo"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RIPHDXO]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RIPHDXO\0000]
"Service"="riphdxo"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RIPHDXO]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RIPHDXO\0000]
"Service"="riphdxo"

-= EOF =-
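The regfind output above is the interesting part of this log: the SvcHost netsvcs group has seven non-standard names appended after the stock entries (mwyujbz, jxrdfklf, riphdxo, dalgz, ykxkeb, njznx, vhareut), three of them have Enum\Root\LEGACY_* keys (so those services have actually been started), and only two (ykxkeb, vhareut) still have a Services key in the listing further up. That pattern, a Services key already deleted while the name lingers in netsvcs, is what an incomplete cleanup looks like. The script below is an added example, not part of this thread or of any tool mentioned in it: it parses a regfind-style dump, diffs the netsvcs list against a baseline, and reports for each unknown name whether it is still registered and whether it has ever run. The baseline is assumed to be the stock Windows XP SP3 netsvcs group (taken as the leading portion of the value in this log; verify it against a known-clean machine before trusting it), and the sample log is constructed from the entries shown on this page.

```python
import re

# Assumed stock netsvcs group for Windows XP SP3: the leading portion of the
# value in the log above. Verify against a known-clean XP SP3 box.
XP_SP3_NETSVCS = {s.lower() for s in """
6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem
FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer
LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent
Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService
Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov
BITS wuauserv ShellHWDetection helpsvc WmdmPmSN napagent hkmsvc
""".split()}

# Constructed sample in the shape of the regfind output above. The long
# REG_MULTI_SZ value is left wrapped across lines, as dumps often render it.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vhareut]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ykxkeb]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"="6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem

FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger

Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS

Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov

BITS wuauserv ShellHWDetection helpsvc WmdmPmSN napagent hkmsvc mwyujbz jxrdfklf riphdxo dalgz

ykxkeb njznx vhareut"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_JXRDFKLF\0000]
"Service"="jxrdfklf"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MWYUJBZ\0000]
"Service"="mwyujbz"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RIPHDXO\0000]
"Service"="riphdxo"
'''

# The quoted value may span several lines; [^"]* crosses newlines on its own.
NETSVCS_RE = re.compile(r'"netsvcs"="([^"]*)"')
# [HKLM\SYSTEM\CurrentControlSet\Services\<name>]  ->  <name>
SERVICES_KEY_RE = re.compile(r'\\CurrentControlSet\\Services\\([^\]\\]+)\]')
# [...\Enum\Root\LEGACY_<NAME>\0000] followed by "Service"="<name>"
LEGACY_RE = re.compile(r'\\Enum\\Root\\LEGACY_[^\]\\]+\\\d{4}\]\s*"Service"="([^"]+)"')


def parse_regfind(text):
    """Extract the netsvcs member list, registered service names and
    LEGACY_ enum entries from a regfind-style registry dump."""
    m = NETSVCS_RE.search(text)
    netsvcs = m.group(1).split() if m else []   # split() discards the wrap/blank lines
    services = {k.lower() for k in SERVICES_KEY_RE.findall(text)}
    legacy = {s.lower() for s in LEGACY_RE.findall(text)}
    return netsvcs, services, legacy


def audit_netsvcs(text, baseline=XP_SP3_NETSVCS):
    """Return {name: {"services_key": bool, "legacy_enum": bool}} for every
    netsvcs member that is not in the baseline.

    services_key: a Services\\<name> key still exists, so svchost will keep
                  loading it; delete the key AND strip the name from netsvcs.
    legacy_enum:  an Enum\\Root\\LEGACY_<NAME> key exists, so the service
                  has been started at least once on this machine.
    """
    netsvcs, services, legacy = parse_regfind(text)
    findings = {}
    for name in netsvcs:
        key = name.lower()
        if key in baseline:
            continue
        findings[key] = {
            "services_key": key in services,
            "legacy_enum": key in legacy,
        }
    return findings


if __name__ == "__main__":
    for name, f in sorted(audit_netsvcs(SAMPLE_LOG).items()):
        state = "still registered" if f["services_key"] else "orphaned in netsvcs (Services key gone)"
        ran = ", has run (LEGACY_ key present)" if f["legacy_enum"] else ""
        print(f"{name:10s} {state}{ran}")
```

Run against a real dump, every name the script reports should be either explained by software you know is installed or removed from both the Services tree and the netsvcs value; a name that is orphaned but has a LEGACY_ key is evidence that a previous cleanup got the service but not the svchost group entry.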
 
virus scan

Either Conficker won't let me navigate to either site, or both sites are down. I get the screen that IE cannot display the webpage for both sites.
 
Hi John
OK, we can check that file later.

Will continue with this:

1. Download the FixDownadup.exe file from here
2. Save the file to a convenient location, such as your Windows desktop.

NOTE: If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network or from the Internet connection.

3. Close all the running programs.

4. Locate the file that you just downloaded.
5. Double-click the FixDownadup.exe file to start the removal tool.
6. Click Start to begin the process, and then allow the tool to run.

NOTE: If you have any problems when you run the tool, or it does not appear to remove the threat, restart the computer in Safe Mode and run the tool again.

7. Restart the computer.
8. Run the removal tool again to ensure that the system is clean.
9. Install patch for the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability by choosing your operating system.
10. If you are on a network or if you have a full-time connection to the Internet, reconnect the computer to the network or to the Internet connection.

After that, run MBAM again.

Please reply with

Malwarebytes' Anti-Malware Log

Thanks peku006
 
fixdownadup

peku006,

This is very frustrating. Ran FixDownadup as you instructed (twice). The worm wouldn't let me navigate to Symantec, so I had to download it from another computer. It detected something, so I ran it again. Then for fun I attempted to navigate to Symantec and it worked. But less than an hour later, I was unable to navigate to these sites and MB picked up an infection again. It's lurking and regenerating!!! Aliens in my computer!!!!!!!!!! Here are the MB log and FixDownadup log.

HELP!!!!!!!!!!!!!!!!!!


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5153

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/19/2010 11:48:34 AM
mbam-log-2010-11-19 (11-48-34).txt

Scan type: Full scan (C:\|)
Objects scanned: 259140
Time elapsed: 1 hour(s), 7 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\mxpcivny.dll (Worm.Conficker) -> Quarantined and deleted successfully.



Here is fixdownadup log:


Symantec W32.Downadup Removal Tool 1.1.0.7
process: svchost.exe, thread: 0000015C (terminated)
process: svchost.exe, thread: 00000F90 (terminated)
process: svchost.exe, thread: 00000A9C (terminated)
process: svchost.exe, thread: 00000FE0 (terminated)
process: svchost.exe, thread: 00000944 (terminated)
process: svchost.exe, thread: 0000080C (terminated)
process: svchost.exe, thread: 00000700 (terminated)
process: svchost.exe, thread: 000001F4 (terminated)
process: svchost.exe (terminated)


ERROR: Can't change ACL/permissions for file C:\Documents and Settings\john kallas\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db; file not scanned

ERROR: Can't change ACL/permissions for file C:\Documents and Settings\john kallas\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db.shadow; file not scanned

registry: HKLM\system\CurrentControlSet\Services\BITS: Start (value set to 0x00000003 (3))
registry: HKLM\system\CurrentControlSet\Services\wuauserv: Start (value set to 0x00000002 (2))
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}\AutoStart (value set to "")

W32.Downadup has been successfully removed from your computer!

Here is the report:

The total number of the scanned files: 81528
The number of deleted threat files: 0
The number of threat processes terminated: 1
The number of threat threads terminated: 8
The number of registry entries fixed: 3

The system requires a reboot but was not rebooted.
To clean up all remnants of the threat from the system it must be rebooted.
 
Hi John
Yeah, it comes back.

  • Download OTS by Oldtimer to your Desktop and double-click on it to extract the files.
    • NOTE: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Click the Scan All Users checkbox on the toolbar.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).

Thanks peku006
 
OTS log

Peku006, sorry for taking so long, I have been away from the office. Here is the OTS log. Had to split it into two posts. Let me know if you see anything unusual.

Code:
OTS logfile created on: 11/23/2010 12:08:55 PM - Run 1
OTS by OldTimer - Version 3.1.40.1     Folder = C:\Documents and Settings\john\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1,014.00 Mb Total Physical Memory | 625.00 Mb Available Physical Memory | 62.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.08 Gb Total Space | 4.51 Gb Free Space | 12.17% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: JOHN
Current User Name: john
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
 
[Processes - Safe List]
ots.exe -> C:\Documents and Settings\john\Desktop\OTS.exe -> [2010/11/23 12:07:53 | 000,642,048 | ---- | M] (OldTimer Tools)
acrotray.exe -> C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe -> [2008/06/11 21:43:26 | 000,640,376 | ---- | M] (Adobe Systems Inc.)
inetinfo.exe -> C:\WINDOWS\system32\inetsrv\inetinfo.exe -> [2008/04/13 18:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation)
explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
e_s40rp7.exe -> C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE -> [2007/01/11 03:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION)
isuspm.exe -> C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe -> [2006/09/11 03:40:32 | 000,218,032 | ---- | M] (Macrovision Corporation)
tdispvol.exe -> C:\WINDOWS\system32\TDispVol.exe -> [2005/12/27 19:34:34 | 000,073,728 | ---- | M] (TOSHIBA Corporation)
tptray.exe -> C:\Program Files\Toshiba\TouchPad\TPTray.exe -> [2005/12/13 18:28:56 | 000,053,248 | ---- | M] (COMPAL ELECTRONIC INC.)
tctrliohook.exe -> C:\WINDOWS\system32\TCtrlIOHook.exe -> [2005/12/05 16:50:22 | 000,028,672 | ---- | M] (TOSHIBA)
zcfgsvc.exe -> C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe -> [2005/12/05 14:37:40 | 000,667,718 | ---- | M] (Intel Corporation)
ceekey.exe -> C:\Program Files\Toshiba\E-KEY\CeEKey.exe -> [2005/12/01 13:13:42 | 000,671,744 | ---- | M] (COMPAL ELECTRONIC INC.)
tvstray.exe -> C:\Program Files\Toshiba\Tvs\TvsTray.exe -> [2005/11/30 14:25:22 | 000,073,728 | ---- | M] (TOSHIBA Corporation)
dot1xcfg.exe -> C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe -> [2005/11/28 13:37:52 | 000,397,381 | ---- | M] (Intel Corporation)
s24evmon.exe -> C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -> [2005/11/28 13:31:32 | 000,540,745 | ---- | M] (Intel Corporation )
evteng.exe -> C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -> [2005/11/28 13:29:00 | 000,114,753 | ---- | M] (Intel Corporation)
regsrvc.exe -> C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -> [2005/11/28 13:28:14 | 000,217,164 | ---- | M] (Intel Corporation)
sharptray.exe -> C:\Program Files\SHARP\Sharpdesk\SharpTray.exe -> [2005/11/05 19:47:24 | 000,032,768 | ---- | M] (SHARP CORPORATION)
indexer.exe -> C:\Program Files\SHARP\Sharpdesk\Indexer.exe -> [2005/11/05 19:34:44 | 000,184,320 | ---- | M] (SHARP CORPORATION)
indextray.exe -> C:\Program Files\SHARP\Sharpdesk\IndexTray.exe -> [2005/11/05 19:32:54 | 000,106,496 | ---- | M] (SHARP CORPORATION)
dlactrlw.exe -> C:\WINDOWS\system32\DLA\DLACTRLW.EXE -> [2005/10/06 07:20:00 | 000,122,940 | ---- | M] (Sonic Solutions)
padexe.exe -> C:\Program Files\Toshiba\Touch and Launch\PadExe.exe -> [2005/07/15 12:52:42 | 001,077,322 | ---- | M] (TOSHIBA)
swupdtmr.exe -> c:\Toshiba\IVP\swupdate\swupdtmr.exe -> [2005/07/12 19:14:42 | 000,040,960 | ---- | M] ()
zoominghook.exe -> C:\WINDOWS\system32\ZoomingHook.exe -> [2005/06/06 11:58:44 | 000,024,576 | ---- | M] (TOSHIBA)
tpsmain.exe -> C:\WINDOWS\system32\TPSMain.exe -> [2005/05/31 19:16:44 | 000,282,624 | ---- | M] (TOSHIBA Corporation)
tpsbattm.exe -> C:\WINDOWS\system32\TPSBattM.exe -> [2005/05/31 19:16:24 | 000,045,056 | ---- | M] (TOSHIBA Corporation)
smoothview.exe -> C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe -> [2005/04/26 18:13:20 | 000,122,880 | ---- | M] (TOSHIBA Corporation)
cfsvcs.exe -> C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -> [2005/01/17 18:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION)
toscdspd.exe -> C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe -> [2004/12/30 02:32:20 | 000,065,536 | ---- | M] (TOSHIBA)
ramasst.exe -> C:\WINDOWS\system32\RAMASST.exe -> [2004/08/28 02:37:00 | 000,155,648 | ---- | M] (Matsushita Electric Industrial Co., Ltd.)
dvdramsv.exe -> C:\WINDOWS\system32\DVDRAMSV.exe -> [2004/08/28 02:33:00 | 000,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.)
cdantsrv.exe -> C:\WINDOWS\system32\drivers\CDANTSRV.EXE -> [2001/09/10 21:08:50 | 000,032,256 | ---- | M] (C-Dilla Ltd)
 
[Modules - Safe List]
ots.exe -> C:\Documents and Settings\john\Desktop\OTS.exe -> [2010/11/23 12:07:53 | 000,642,048 | ---- | M] (OldTimer Tools)
comctl32.dll -> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll -> [2010/08/23 10:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation)
tdispvol.dll -> C:\WINDOWS\system32\TDispVol.dll -> [2002/03/03 06:40:00 | 000,045,056 | ---- | M] ()
 
[Win32 Services - Safe List]
(RoxLiveShare9) LiveShare P2P Server 9 [Auto | Stopped] -> C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -> File not found
(PEVSystemStart) PEVSystemStart [Auto | Stopped] -> C:\conremoval\PEV.cfx -> File not found
(myAgtSvc) McAfee Virus and Spyware Protection Service [Auto | Stopped] -> C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe -> File not found
(HidServ) Human Interface Device Access [Disabled | Stopped] -> C:\WINDOWS\System32\hidserv.dll -> File not found
(EngineServer) EngineServer [Auto | Stopped] -> C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe -> File not found
(SolidWorks Licensing Service) SolidWorks Licensing Service [On_Demand | Stopped] -> C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe -> [2010/09/01 10:23:24 | 000,079,360 | ---- | M] (SolidWorks)
(FLEXnet Licensing Service) FLEXnet Licensing Service [On_Demand | Stopped] -> C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -> [2009/06/15 15:02:53 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.)
(W3SVC) World Wide Web Publishing [Auto | Running] -> C:\WINDOWS\system32\inetsrv\inetinfo.exe -> [2008/04/13 18:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation)
(SMTPSVC) Simple Mail Transfer Protocol (SMTP) [Auto | Running] -> C:\WINDOWS\system32\inetsrv\inetinfo.exe -> [2008/04/13 18:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation)
(IISADMIN) IIS Admin [Auto | Running] -> C:\WINDOWS\system32\inetsrv\inetinfo.exe -> [2008/04/13 18:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation)
(rpcapd) Remote Packet Capture Protocol v.0 (experimental) [On_Demand | Stopped] -> C:\Program Files\WinPcap\rpcapd.exe -> [2007/11/06 14:22:26 | 000,092,792 | ---- | M] (CACE Technologies)
(EPSON_PM_RPCV4_01) EPSON V3 Service4(01) [Auto | Running] -> C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE -> [2007/01/11 03:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION)
(S24EventMonitor) Intel(R) PROSet/Wireless Service [Auto | Running] -> C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -> [2005/11/28 13:31:32 | 000,540,745 | ---- | M] (Intel Corporation )
(EvtEng) Intel(R) PROSet/Wireless Event Log [Auto | Running] -> C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -> [2005/11/28 13:29:00 | 000,114,753 | ---- | M] (Intel Corporation)
(RegSrvc) Intel(R) PROSet/Wireless Registry Service [Auto | Running] -> C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -> [2005/11/28 13:28:14 | 000,217,164 | ---- | M] (Intel Corporation)
(Swupdtmr) Swupdtmr [Auto | Running] -> c:\Toshiba\IVP\swupdate\swupdtmr.exe -> [2005/07/12 19:14:42 | 000,040,960 | ---- | M] ()
(CFSvcs) ConfigFree Service [Auto | Running] -> C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -> [2005/01/17 18:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION)
(DVD-RAM_Service) DVD-RAM_Service [Auto | Running] -> C:\WINDOWS\system32\DVDRAMSV.exe -> [2004/08/28 02:33:00 | 000,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.)
(C-DillaSrv) C-DillaSrv [Auto | Running] -> C:\WINDOWS\system32\drivers\CDANTSRV.EXE -> [2001/09/10 21:08:50 | 000,032,256 | ---- | M] (C-Dilla Ltd)
 
[Driver Services - Safe List]
(smihlp) SMI helper driver [Kernel | Auto | Stopped] -> C:\Program Files\Protector Suite QL\smihlp.sys -> File not found
(Lbd) Lbd [File_System | Boot | Stopped] -> C:\WINDOWS\System32\DRIVERS\Lbd.sys -> File not found
(FileDisk2) FileDisk Protector Kernel Driver [Kernel | Auto | Stopped] -> C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys -> File not found
(FdRedir) FdRedir [File_System | Auto | Stopped] -> C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys -> File not found
(catchme) catchme [Kernel | On_Demand | Stopped] -> C:\DOCUME~1\john\LOCALS~1\Temp\catchme.sys -> File not found
(NETw5x32) Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\NETw5x32.sys -> [2010/05/31 12:58:35 | 006,608,512 | ---- | M] (Intel Corporation)
(mfetdik) McAfee Inc. mfetdik [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\mfetdik.sys -> [2009/12/15 14:29:52 | 000,055,304 | ---- | M] (McAfee, Inc.)
(nm) Network Monitor Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\nmnt.sys -> [2008/04/13 12:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation)
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\hdaudbus.sys -> [2008/04/13 10:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider)
(e1express) Intel(R) PRO/1000 PCI Express Network Connection Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\e1e5132.sys -> [2007/12/11 23:34:40 | 000,242,320 | ---- | M] (Intel Corporation)
(NPF) NetGroup Packet Filter Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\npf.sys -> [2007/11/06 14:22:06 | 000,034,064 | ---- | M] (CACE Technologies)
(ASCTRM) ASCTRM [Kernel | Auto | Running] -> C:\WINDOWS\System32\drivers\asctrm.sys -> [2005/12/29 14:21:07 | 000,008,552 | ---- | M] (Windows (R) 2000 DDK provider)
(TcUsb) TC USB Kernel Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\tcusb.sys -> [2005/12/16 17:40:32 | 000,028,800 | ---- | M] (UPEK Inc.)
(IntcAzAudAddService) Service for Realtek HD Audio (WDM) [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\RtkHDAud.Sys -> [2005/12/09 18:48:40 | 004,123,136 | ---- | M] (Realtek Semiconductor Corp.)
(w39n51) Intel(R) PRO/Wireless 3945ABG Adapter Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\w39n51.sys -> [2005/12/05 03:55:30 | 001,428,096 | ---- | M] (Intel® Corporation)
(TPwSav) Common Driver [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\TPwSav.sys -> [2005/12/01 12:55:24 | 000,011,264 | ---- | M] (TOSHIBA )
(Tvs) TOSHIBA Virtual Sound with SRS technologies [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\Tvs.sys -> [2005/11/30 13:01:02 | 000,043,392 | ---- | M] (TOSHIBA Corporation)
(tifm21) tifm21 [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\tifm21.sys -> [2005/11/30 12:12:36 | 000,162,560 | ---- | M] (Texas Instruments)
(s24trans) WLAN Transport [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\s24trans.sys -> [2005/11/28 14:09:26 | 000,013,568 | ---- | M] (Intel Corporation)
(AgereSoftModem) TOSHIBA V92 Software Modem [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\AGRSM.sys -> [2005/11/15 11:00:22 | 001,122,656 | ---- | M] (Agere Systems)
(DLAUDFAM) DLAUDFAM [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -> [2005/10/06 07:20:00 | 000,094,332 | ---- | M] (Sonic Solutions)
(DLAUDF_M) DLAUDF_M [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -> [2005/10/06 07:20:00 | 000,087,036 | ---- | M] (Sonic Solutions)
(DLAIFS_M) DLAIFS_M [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -> [2005/10/06 07:20:00 | 000,086,524 | ---- | M] (Sonic Solutions)
(DLABOIOM) DLABOIOM [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLABOIOM.SYS -> [2005/10/06 07:20:00 | 000,025,628 | ---- | M] (Sonic Solutions)
(DLAOPIOM) DLAOPIOM [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -> [2005/10/06 07:20:00 | 000,014,684 | ---- | M] (Sonic Solutions)
(DLAPoolM) DLAPoolM [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLAPoolM.SYS -> [2005/10/06 07:20:00 | 000,006,364 | ---- | M] (Sonic Solutions)
(DLADResN) DLADResN [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLADResN.SYS -> [2005/10/06 07:20:00 | 000,002,496 | ---- | M] (Sonic Solutions)
(DRVMCDB) DRVMCDB [Kernel | Boot | Running] -> C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -> [2005/09/12 05:30:00 | 000,089,264 | ---- | M] (Sonic Solutions)
(DLACDBHM) DLACDBHM [File_System | System | Running] -> C:\WINDOWS\system32\drivers\DLACDBHM.SYS -> [2005/08/25 14:16:52 | 000,005,628 | ---- | M] (Sonic Solutions)
(DLARTL_N) DLARTL_N [File_System | System | Running] -> C:\WINDOWS\system32\drivers\DLARTL_N.SYS -> [2005/08/25 14:16:16 | 000,022,684 | ---- | M] (Sonic Solutions)
(DRVNDDM) DRVNDDM [File_System | Auto | Running] -> C:\WINDOWS\system32\drivers\DRVNDDM.SYS -> [2005/08/12 07:20:00 | 000,040,544 | ---- | M] (Sonic Solutions)
(meiudf) meiudf [File_System | System | Running] -> C:\WINDOWS\system32\drivers\meiudf.sys -> [2005/06/02 05:33:00 | 000,102,384 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.)
(ApfiltrService) Alps Pointing-device Filter Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\Apfiltr.sys -> [2004/11/15 18:22:08 | 000,101,874 | ---- | M] (Alps Electric Co., Ltd.)
(TBiosDrv) TBiosDrv [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\tbiosdrv.sys -> [2003/06/11 10:53:22 | 000,006,867 | ---- | M] ()
(Netdevio) TOSHIBA Network Device Usermode I/O Protocol [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\Netdevio.sys -> [2003/01/29 16:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.)
(wanatw) WAN Miniport (ATW) [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\wanatw4.sys -> [2003/01/10 14:13:04 | 000,033,588 | R--- | M] (America Online, Inc.)
(C-Dilla) C-Dilla [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\CDANT.SYS -> [2001/09/10 21:09:46 | 000,057,392 | ---- | M] (Macrovision)
 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> -> 
HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 0 -> 
HKEY_USERS\.DEFAULT\: "ProxyOverride" -> 192.168.1.*;127.0.0.*;192.168.0.*;192.168.2.* -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> -> 
HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 0 -> 
HKEY_USERS\S-1-5-18\: "ProxyOverride" -> 192.168.1.*;127.0.0.*;192.168.0.*;192.168.2.* -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> -> 
HKEY_USERS\S-1-5-19\: Main\\"Start Page" -> http://www.toshibadirect.com/dpdstart -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> -> 
HKEY_USERS\S-1-5-20\: Main\\"Start Page" -> http://www.toshibadirect.com/dpdstart -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167\] > -> -> 
HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167\: Main\\"Start Page" -> http://www.google.com/webhp?rls=ig -> 
HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167\: "ProxyEnable" -> 0 -> 
HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167\: "ProxyOverride" -> 192.168.1.*;127.0.0.*;192.168.0.*;192.168.2.* -> 
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\john\Application Data\Mozilla\FireFox\Profiles\8kgpj2zy.default\prefs.js -> 
extensions.enabledItems -> {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20 ->
extensions.enabledItems -> jqs@sun.com:1.0 ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions ->  -> 
HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions ->  -> 
HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components -> C:\Program Files\Mozilla Firefox\components [C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS] -> [2010/11/18 11:53:37 | 000,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins -> C:\Program Files\Mozilla Firefox\plugins [C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] -> [2010/11/23 11:48:34 | 000,000,000 | ---D | M]
< FireFox Extensions [User Folders] > -> 
  -> C:\Documents and Settings\john\Application Data\Mozilla\Extensions -> [2010/11/18 11:53:45 | 000,000,000 | ---D | M]
  -> C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\8kgpj2zy.default\extensions -> [2010/11/18 11:53:50 | 000,000,000 | ---D | M]
No name found   -> C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\8kgpj2zy.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} -> [2010/11/18 11:53:50 | 000,000,000 | ---D | M]
  -> C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\8kgpj2zy.default\extensions\staged-xpis -> [2010/11/18 11:53:50 | 000,000,000 | ---D | M]
< FireFox Extensions [Program Folders] > -> 
  -> C:\Program Files\Mozilla Firefox\extensions -> [2010/05/03 15:14:07 | 000,000,000 | ---D | M]
Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} -> [2010/05/03 15:14:08 | 000,000,000 | ---D | M]
< HOSTS File > ([2010/07/27 09:06:07 | 000,000,027 | ---- | M] - 1 lines) -> C:\WINDOWS\system32\drivers\etc\hosts -> 
Reset Hosts
127.0.0.1       localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> [2009/01/26 14:31:02 | 001,879,896 | ---- | M] (Safer Networking Limited)
{5CA3D70E-1895-11CF-8E15-001234567890} [HKLM] -> C:\WINDOWS\system32\DLA\DLASHX_W.DLL [DriveLetterAccess] -> [2005/10/06 07:20:00 | 000,110,652 | ---- | M] (Sonic Solutions)
{AE7CD045-E861-484f-8273-0445EE161910} [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [Adobe PDF Conversion Toolbar Helper] -> [2008/06/11 21:42:44 | 000,345,480 | ---- | M] (Adobe Systems Incorporated)
{F4971EE7-DAA0-4053-9964-665D8EE6A077} [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [SmartSelect Class] -> [2008/06/11 21:42:44 | 000,345,480 | ---- | M] (Adobe Systems Incorporated)
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [Adobe PDF] -> [2008/06/11 21:42:44 | 000,345,480 | ---- | M] (Adobe Systems Incorporated)
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167\] > -> HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167\Software\Microsoft\Internet Explorer\Toolbar\ -> 
WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [Adobe PDF] -> [2008/06/11 21:42:44 | 000,345,480 | ---- | M] (Adobe Systems Incorporated)
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"Acrobat Assistant 8.0" -> C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe ["C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"] -> [2008/06/11 21:43:26 | 000,640,376 | ---- | M] (Adobe Systems Inc.)
"Adobe Acrobat Speed Launcher" -> C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe ["C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"] -> [2008/06/12 01:25:18 | 000,037,232 | ---- | M] (Adobe Systems Incorporated)
"CeEKEY" -> C:\Program Files\Toshiba\E-KEY\CeEKey.exe [C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe] -> [2005/12/01 13:13:42 | 000,671,744 | ---- | M] (COMPAL ELECTRONIC INC.)
"DLA" -> C:\WINDOWS\system32\DLA\DLACTRLW.EXE [C:\WINDOWS\System32\DLA\DLACTRLW.EXE] -> [2005/10/06 07:20:00 | 000,122,940 | ---- | M] (Sonic Solutions)
"Indexer" -> C:\Program Files\Sharp\Sharpdesk\Indexer.exe ["C:\Program Files\Sharp\Sharpdesk\Indexer.exe"] -> [2005/11/05 19:34:44 | 000,184,320 | ---- | M] (SHARP CORPORATION)
"IndexTray" -> C:\Program Files\Sharp\Sharpdesk\IndexTray.exe ["C:\Program Files\Sharp\Sharpdesk\IndexTray.exe"] -> [2005/11/05 19:32:54 | 000,106,496 | ---- | M] (SHARP CORPORATION)
"IntelZeroConfig" -> C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe ["C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"] -> [2005/12/05 14:37:40 | 000,667,718 | ---- | M] (Intel Corporation)
"MVS Splash" -> C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe ["C:\Program Files\McAfee\Managed VirusScan\DesktopUI\XTray.exe" /LOGON] -> File not found
"PadTouch" -> C:\Program Files\Toshiba\Touch and Launch\PadExe.exe [C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe] -> [2005/07/15 12:52:42 | 001,077,322 | ---- | M] (TOSHIBA)
"Pinger" -> c:\toshiba\ivp\ism\pinger.exe [c:\toshiba\ivp\ism\pinger.exe /run] -> [2005/03/17 19:37:26 | 000,151,552 | ---- | M] (TOSHIBA Corporation)
"SharpTray" -> C:\Program Files\Sharp\Sharpdesk\SharpTray.exe ["C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"] -> [2005/11/05 19:47:24 | 000,032,768 | ---- | M] (SHARP CORPORATION)
"SmoothView" -> C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe [C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe] -> [2005/04/26 18:13:20 | 000,122,880 | ---- | M] (TOSHIBA Corporation)
"TCtryIOHook" -> C:\WINDOWS\System32\TCtrlIOHook.exe [TCtrlIOHook.exe] -> [2005/12/05 16:50:22 | 000,028,672 | ---- | M] (TOSHIBA)
"TDispVol" -> C:\WINDOWS\System32\TDispVol.exe [TDispVol.exe] -> [2005/12/27 19:34:34 | 000,073,728 | ---- | M] (TOSHIBA Corporation)
"TPNF" -> C:\Program Files\Toshiba\TouchPad\TPTray.exe [C:\Program Files\TOSHIBA\TouchPad\TPTray.exe] -> [2005/12/13 18:28:56 | 000,053,248 | ---- | M] (COMPAL ELECTRONIC INC.)
"TPSMain" -> C:\WINDOWS\System32\TPSMain.exe [TPSMain.exe] -> [2005/05/31 19:16:44 | 000,282,624 | ---- | M] (TOSHIBA Corporation)
"Tvs" -> C:\Program Files\Toshiba\Tvs\TvsTray.exe [C:\Program Files\Toshiba\Tvs\TvsTray.exe] -> [2005/11/30 14:25:22 | 000,073,728 | ---- | M] (TOSHIBA Corporation)
"TypeRegChecker" -> C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe ["C:\Program Files\Sharp\Sharpdesk\TypeRegChecker.exe"] -> [2005/11/05 19:35:22 | 000,057,344 | ---- | M] (SHARP CORPORATION)
"ZoomingHook" -> C:\WINDOWS\System32\ZoomingHook.exe [ZoomingHook.exe] -> [2005/06/06 11:58:44 | 000,024,576 | ---- | M] (TOSHIBA)
< Run [HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167\] > -> HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"ISUSPM" -> C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe ["C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler] -> [2006/09/11 03:40:32 | 000,218,032 | ---- | M] (Macrovision Corporation)
"TOSCDSPD" -> C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe [C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe] -> [2004/12/30 02:32:20 | 000,065,536 | ---- | M] (TOSHIBA)
< Administrator Startup Folder > -> C:\Documents and Settings\Administrator\Start Menu\Programs\Startup -> 
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk -> C:\WINDOWS\system32\RAMASST.exe -> [2004/08/28 02:37:00 | 000,155,648 | ---- | M] (Matsushita Electric Industrial Co., Ltd.)
< Default User Startup Folder > -> C:\Documents and Settings\Default User\Start Menu\Programs\Startup -> 
< john Startup Folder > -> C:\Documents and Settings\john\Start Menu\Programs\Startup -> 
< john kallas Startup Folder > -> C:\Documents and Settings\john kallas\Start Menu\Programs\Startup -> 
< johnk Startup Folder > -> C:\Documents and Settings\johnk\Start Menu\Programs\Startup -> 
< McAfeeMVSUser Startup Folder > -> C:\Documents and Settings\McAfeeMVSUser\Start Menu\Programs\Startup -> 
< Software Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions
\Infodelivery\Restrictions\\"NoUpdateCheck" ->  [1] -> File not found
< Software Policy Settings [HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167] > -> HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoCDBurning" ->  [0] -> File not found
\\"HonorAutoRunSetting" ->  [1] -> File not found
\\"LinkResolveIgnoreLinkInfo" ->  [0] -> File not found
\\"NoResolveSearch" ->  [1] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-19] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-20] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167] > -> HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"LinkResolveIgnoreLinkInfo" ->  [0] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167] > -> HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167\] > -> HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167\Software\Microsoft\Internet Explorer\MenuExt\ -> 
&Google Search -> C:\Program Files\Google\GoogleToolbar1.dll [res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html] -> [2005/12/29 13:51:51 | 000,720,896 | ---- | M] (Google Inc.)
Append Link Target to Existing PDF -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html] -> [2008/06/11 21:42:44 | 000,345,480 | ---- | M] (Adobe Systems Incorporated)
Append to Existing PDF -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html] -> [2008/06/11 21:42:44 | 000,345,480 | ---- | M] (Adobe Systems Incorporated)
Backward Links -> C:\Program Files\Google\GoogleToolbar1.dll [res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html] -> [2005/12/29 13:51:51 | 000,720,896 | ---- | M] (Google Inc.)
Cached Snapshot of Page -> C:\Program Files\Google\GoogleToolbar1.dll [res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html] -> [2005/12/29 13:51:51 | 000,720,896 | ---- | M] (Google Inc.)
Convert Link Target to Adobe PDF -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html] -> [2008/06/11 21:42:44 | 000,345,480 | ---- | M] (Adobe Systems Incorporated)
Convert to Adobe PDF -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html] -> [2008/06/11 21:42:44 | 000,345,480 | ---- | M] (Adobe Systems Incorporated)
Similar Pages -> C:\Program Files\Google\GoogleToolbar1.dll [res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html] -> [2005/12/29 13:51:51 | 000,720,896 | ---- | M] (Google Inc.)
Translate into English -> C:\Program Files\Google\GoogleToolbar1.dll [res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html] -> [2005/12/29 13:51:51 | 000,720,896 | ---- | M] (Google Inc.)
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} [HKLM] -> C:\Program Files\Java\jre6\bin\npjpi160_20.dll [Menu: Sun Java Console] -> [2010/04/12 16:29:21 | 000,136,992 | ---- | M] (Sun Microsystems, Inc.)
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [Menu: Spybot - Search & Destroy Configuration] -> [2009/01/26 14:31:02 | 001,879,896 | ---- | M] (Safer Networking Limited)
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> C:\Program Files\Java\jre6\bin\npjpi160_20.dll [Sun Java Console] -> [2010/04/12 16:29:21 | 000,136,992 | ---- | M] (Sun Microsystems, Inc.)
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> C:\Program Files\Java\jre6\bin\npjpi160_20.dll [Sun Java Console] -> [2010/04/12 16:29:21 | 000,136,992 | ---- | M] (Sun Microsystems, Inc.)
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167\] > -> HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> C:\Program Files\Java\jre6\bin\npjpi160_20.dll [Sun Java Console] -> [2010/04/12 16:29:21 | 000,136,992 | ---- | M] (Sun Microsystems, Inc.)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 18 domain(s) found. -> 
//about.htm/ .[myui] -> Trusted sites -> 
//Exclude.htm/ .[myui] -> Trusted sites -> 
//LanguageSelection.htm/ .[myui] -> Trusted sites -> 
//Message.htm/ .[myui] -> Trusted sites -> 
//MyAgttryCmd.htm/ .[myui] -> Trusted sites -> 
//MyAgttryNag.htm/ .[myui] -> Trusted sites -> 
//MyNotification.htm/ .[myui] -> Trusted sites -> 
//NOCLessUpdate.htm/ .[myui] -> Trusted sites -> 
//quarantine.htm/ .[myui] -> Trusted sites -> 
//ScanNow.htm/ .[myui] -> Trusted sites -> 
//strings.vbs/ .[myui] -> Trusted sites -> 
//Template.htm/ .[myui] -> Trusted sites -> 
//Update.htm/ .[myui] -> Trusted sites -> 
//VirFound.htm/ .[myui] -> Trusted sites -> 
www_isqft.com [https] -> Trusted sites -> 
*_mcafee.com [http] -> Trusted sites -> 
*_mcafee.com [https] -> Trusted sites -> 
betavscan_mcafeeasap.com [http] -> Trusted sites -> 
betavscan_mcafeeasap.com [https] -> Trusted sites -> 
vs_mcafeeasap.com [http] -> Trusted sites -> 
vs_mcafeeasap.com [https] -> Trusted sites -> 
www_mcafeeasap.com [http] -> Trusted sites -> 
www_mcafeeasap.com [https] -> Trusted sites -> 
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4819 domain(s) found. -> 
www_isqft.com [https] -> Trusted sites -> 
< Trusted Sites Ranges [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4819 domain(s) found. -> 
www_isqft.com [https] -> Trusted sites -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167\] > -> HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4818 domain(s) found. -> 
www_isqft.com [https] -> Trusted sites -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167\] > -> HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{02BCC737-B171-4746-94C9-0D8A0B2C0089} [HKLM] -> http://office.microsoft.com/sites/production/ieawsdc32.cab [Microsoft Office Template and Media Control] -> 
{5ED80217-570B-4DA9-BF44-BE107C0EC166} [HKLM] -> http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab [Windows Live Safety Center Base Module] -> 
{6414512B-B978-451D-A0D8-FCFDF33E833C} [HKLM] -> http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280770706517 [WUWebControl Class] -> 
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [HKLM] -> http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1280770671086 [MUWebControl Class] -> 
{7530BFB8-7293-4D34-9923-61A11451AFC5} [HKLM] -> http://download.eset.com/special/eos/OnlineScanner.cab [OnlineScanner Control] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab [Java Plug-in 1.6.0_20] -> 
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab [Java Plug-in 1.6.0_20] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab [Java Plug-in 1.6.0_20] -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab [Shockwave Flash Object] -> 
{E2883E8F-472F-4FB0-9522-AC9BF37916A7} [HKLM] -> http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab [Reg Error: Value error.] -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ -> 
DhcpNameServer -> 192.168.1.254 -> 
Domain -> SmithEng.local -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{C0C6EE0E-425C-4CB7-8CC6-1FF28B11005D}\\DhcpNameServer -> 192.168.0.1   (Intel(R) PRO/1000 PL Network Connection) -> 
{CCCBBBEE-AC1A-41A8-BA75-D8041DD75B28}\\DhcpNameServer -> 192.168.1.254   (Intel(R) PRO/Wireless 3945ABG Network Connection) -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
igfxcui -> C:\WINDOWS\System32\igfxdev.dll -> [2005/11/28 15:51:04 | 000,135,168 | ---- | M] (Intel Corporation)
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> 
"C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe [C:\Program Files\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe] -> File not found
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe [C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe] -> File not found
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe [C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe] -> File not found
"C:\Program Files\HP\Digital Imaging\bin\hpofxs08.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpofxs08.exe [C:\Program Files\HP\Digital Imaging\bin\hpofxs08.exe:*:Enabled:hpofxs08.exe] -> File not found
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" -> C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe [C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe] -> File not found
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" -> C:\Program Files\HP\Digital Imaging\bin\hposid01.exe [C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe] -> File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqfxt08.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqfxt08.exe [C:\Program Files\HP\Digital Imaging\bin\hpqfxt08.exe:*:Enabled:hpqfxt08.exe] -> File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe [C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe:*:Enabled:hpqgpc01.exe] -> File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe [C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe:*:Enabled:hpqgplgtupl.exe] -> File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe [C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe] -> File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe [C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe] -> File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe] -> File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe [C:\Program Files\HP\Digital Imaging\bin\hpqusgh.exe:*:Enabled:hpqusgh.exe] -> File not found
"C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe [C:\Program Files\HP\Digital Imaging\bin\hpqusgm.exe:*:Enabled:hpqusgm.exe] -> File not found
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" -> C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe [C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe] -> File not found
"C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe" -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe [C:\Program Files\HP\Digital Imaging\Smart Web Printing\SmartWebPrintExe.exe:*:Enabled:smartwebprintexe.exe] -> File not found
"C:\Program Files\HP\HP Software Update\hpwucli.exe" -> C:\Program Files\HP\HP Software Update\hpwucli.exe [C:\Program Files\HP\HP Software Update\hpwucli.exe:*:Enabled:hpwucli.exe] -> File not found
"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" -> C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe:*:Enabled:Managed Services Agent] -> File not found
"C:\Program Files\SHARP\Sharpdesk\FTPServer.exe" -> C:\Program Files\SHARP\Sharpdesk\FTPServer.exe [C:\Program Files\SHARP\Sharpdesk\FTPServer.exe:*:Enabled:Network Scanner Tool] -> [2005/11/05 19:04:26 | 000,688,128 | ---- | M] (SHARP CORPORATION)
"C:\WINDOWS\system32\mmc.exe" -> C:\WINDOWS\System32\mmc.exe [C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console] -> [2008/04/13 18:12:25 | 001,414,656 | ---- | M] (Microsoft Corporation)
"D:\setup\hpznui01.exe" -> D:\setup\hpznui01.exe [D:\setup\hpznui01.exe:*:Enabled:hpznui01.exe] -> File not found
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> 
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" -> C:\Program Files\Common Files\AOL\Loader\aolload.exe [C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader] -> [2004/10/14 16:33:08 | 000,012,888 | ---- | M] (America Online, Inc.)
"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" -> C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe:*:Enabled:Managed Services Agent] -> File not found
"C:\Program Files\SHARP\Sharpdesk\FTPServer.exe" -> C:\Program Files\SHARP\Sharpdesk\FTPServer.exe [C:\Program Files\SHARP\Sharpdesk\FTPServer.exe:*:Enabled:Network Scanner Tool] -> [2005/11/05 19:04:26 | 000,688,128 | ---- | M] (SHARP CORPORATION)
"C:\TOSHIBA\Ivp\ISM\pinger.exe" -> C:\TOSHIBA\IVP\ISM\pinger.exe [C:\TOSHIBA\IVP\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger] -> [2005/03/17 19:37:26 | 000,151,552 | ---- | M] (TOSHIBA Corporation)
"C:\TOSHIBA\ivp\NetInt\Netint.exe" -> C:\TOSHIBA\ivp\NetInt\Netint.exe [C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrade Engine] -> [2004/11/03 17:06:34 | 000,462,848 | ---- | M] (TOSHIBA Corporation)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 -> 
"DisplayName" -> CD-ROM Driver -> 
"ImagePath" ->  [system32\DRIVERS\cdrom.sys] -> File not found
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command -> 
comfile [open] -> "%1" %* -> 
exefile [open] -> "%1" %* -> 
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ -> 
.com [@ = comfile] -> "%1" %* -> 
.exe [@ = exefile] -> "%1" %* -> 
< File Associations - Select to Repair > -> HKEY_USERS\S-1-5-21-231871864-4208583636-2575965058-1167\SOFTWARE\Classes\<extension>\ -> 
.exe [@ = exefile] -> Reg Error: Key error. -> File not found
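Added example (editor's note, not part of John's log or of any tool output above): the AutoRun policy values that OTS lists under the `policies\Explorer` keys, decoded. `NoDriveTypeAutoRun` is a bitmask of `1 << GetDriveType()` (0x01 unknown, 0x02 no root directory, 0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD-ROM, 0x40 RAM disk, 0x80 reserved; 0xFF disables AutoRun for every type), and `NoDriveAutoRun` is a drive-letter bitmask (bit 0 = A:, bit 25 = Z:). The script parses the policy lines exactly as OTS prints them (a bare key line followed by one `\\"Name" -> [n]` line per value) and reports, per hive, which drive types a value still leaves AutoRun enabled for. Applied to the numbers above: 145 (0x91) is the XP default and only covers unknown, network and reserved types; 323 (0x143) covers unknown, no-root-dir and RAM-disk types plus an undocumented 0x100 bit, so on its own it would still allow AutoRun on removable and CD-ROM drives, the autorun.inf vector that Conficker.B abuses; but `NoDriveAutoRun` = 67108863 (0x3FFFFFF) masks all 26 letters, which closes that gap in the hives where it is set. The regex, the constructed sample lines and the report layout are this example's own.

```python
import re

# NoDriveTypeAutoRun is a bitmask of 1 << GetDriveType(): a set bit disables
# AutoRun for that drive type. Bits above 0xFF have no documented meaning.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED",
}

# Constructed sample: a subset of the policy lines from the OTS log above, copied
# in the layout OTS uses (a bare key line, then one '\\"Name" ->  [n]' line per value).
SAMPLE_LOG = "\n".join([
    r'< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> ',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer',
    r'\\"HonorAutoRunSetting" ->  [1] -> File not found',
    r'\\"NoDriveAutoRun" ->  [67108863] -> File not found',
    r'\\"NoDriveTypeAutoRun" ->  [323] -> File not found',
    r'HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer',
    r'\\"NoDriveTypeAutoRun" ->  [145] -> File not found',
])

# Matches an OTS value line: two literal backslashes, the quoted value name, then [number].
VALUE_RE = re.compile(r'^\\\\"(?P<name>[^"]+)"\s*->\s*\[(?P<value>-?\d+)\]')


def parse_policy_values(log_text):
    """Map each bare HKEY_... key line to the {value name: int} pairs listed under it."""
    policies = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):
            continue  # section header; OTS repeats the key on the next line
        if line.startswith("HKEY_"):
            current = line
            policies.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            policies[current][m.group("name")] = int(m.group("value"))
    return policies


def decode_drive_type_mask(value):
    """Return (drive types whose AutoRun is disabled, bits outside the documented 0xFF)."""
    disabled = [name for bit, name in sorted(DRIVE_TYPE_BITS.items()) if value & bit]
    return disabled, value & ~0xFF


def decode_drive_letter_mask(value):
    """NoDriveAutoRun: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:; a set bit disables AutoRun there."""
    return [chr(ord("A") + i) + ":" for i in range(26) if value & (1 << i)]


def autorun_gaps(policies):
    """Per key: drive types NoDriveTypeAutoRun leaves enabled, any undocumented bits,
    and whether NoDriveAutoRun masks every letter A: to Z: (which closes those gaps)."""
    report = {}
    for key, values in policies.items():
        if "NoDriveTypeAutoRun" not in values:
            continue
        disabled, undocumented = decode_drive_type_mask(values["NoDriveTypeAutoRun"])
        report[key] = {
            "still_enabled": [n for n in DRIVE_TYPE_BITS.values() if n not in disabled],
            "undocumented_bits": undocumented,
            "all_letters_masked": len(decode_drive_letter_mask(values.get("NoDriveAutoRun", 0))) == 26,
        }
    return report


if __name__ == "__main__":
    for key, info in autorun_gaps(parse_policy_values(SAMPLE_LOG)).items():
        print(key)
        for name, val in info.items():
            print("    %-20s %s" % (name, val))
```

To run it against a full OTS log instead of the sample, read the file and pass its text to `parse_policy_values`; keys without a `NoDriveTypeAutoRun` value (the `policies\System` keys, for instance) are skipped by the report. The hardened setting Microsoft recommends is `NoDriveTypeAutoRun` = 0xFF (255), which the decoder reports as leaving nothing enabled.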
 
OTS log Part 2

[Files/Folders - Created Within 30 Days]
OTS.exe -> C:\Documents and Settings\john\Desktop\OTS.exe -> [2010/11/23 12:07:42 | 000,642,048 | ---- | C] (OldTimer Tools)
conremoval -> C:\conremoval -> [2010/11/19 16:17:22 | 000,000,000 | --SD | C]
SWXCACLS.exe -> C:\WINDOWS\SWXCACLS.exe -> [2010/11/19 14:04:48 | 000,212,480 | ---- | C] (SteelWerX)
SWREG.exe -> C:\WINDOWS\SWREG.exe -> [2010/11/19 14:04:48 | 000,161,792 | ---- | C] (SteelWerX)
SWSC.exe -> C:\WINDOWS\SWSC.exe -> [2010/11/19 14:04:48 | 000,136,704 | ---- | C] (SteelWerX)
NIRCMD.exe -> C:\WINDOWS\NIRCMD.exe -> [2010/11/19 14:04:48 | 000,031,232 | ---- | C] (NirSoft)
Qoobox -> C:\Qoobox -> [2010/11/19 14:04:36 | 000,000,000 | ---D | C]
windows-kb890830-v3.13.exe -> C:\Documents and Settings\john\Desktop\windows-kb890830-v3.13.exe -> [2010/11/19 13:41:22 | 011,843,016 | ---- | C] (Microsoft Corporation)
Mozilla -> C:\Documents and Settings\john\Local Settings\Application Data\Mozilla -> [2010/11/18 11:53:35 | 000,000,000 | ---D | C]
fixit -> C:\fixit -> [2010/11/17 15:35:43 | 000,000,000 | --SD | C]
Rooter$ -> C:\Rooter$ -> [2010/11/16 11:32:06 | 000,000,000 | ---D | C]
Rooter.exe -> C:\Documents and Settings\john\Desktop\Rooter.exe -> [2010/11/16 11:30:59 | 000,173,119 | ---- | C] (Eric_71)
RootRepeal.exe -> C:\Documents and Settings\john\Desktop\RootRepeal.exe -> [2010/11/16 10:10:18 | 000,472,064 | ---- | C] ( )
TDSSKiller.exe -> C:\Documents and Settings\john\Desktop\TDSSKiller.exe -> [2010/11/12 13:20:12 | 001,330,776 | ---- | C] (Kaspersky Lab ZAO)
McAfee -> C:\Documents and Settings\john\Desktop\McAfee -> [2010/11/10 15:21:58 | 000,000,000 | ---D | C]
trend micro -> C:\Program Files\trend micro -> [2010/11/09 13:50:37 | 000,000,000 | ---D | C]
rsit -> C:\rsit -> [2010/11/09 13:50:34 | 000,000,000 | ---D | C]
mbamswissarmy.sys -> C:\WINDOWS\System32\drivers\mbamswissarmy.sys -> [2010/11/08 13:53:10 | 000,038,224 | ---- | C] (Malwarebytes Corporation)
mbam.sys -> C:\WINDOWS\System32\drivers\mbam.sys -> [2010/11/08 13:52:52 | 000,020,952 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware -> C:\Program Files\Malwarebytes' Anti-Malware -> [2010/11/08 13:51:36 | 000,000,000 | ---D | C]
mbam-setup-1.46.exe -> C:\Documents and Settings\john\Desktop\mbam-setup-1.46.exe -> [2010/11/08 13:50:30 | 006,153,352 | ---- | C] (Malwarebytes Corporation )
2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->

[Files/Folders - Modified Within 30 Days]
OTS.exe -> C:\Documents and Settings\john\Desktop\OTS.exe -> [2010/11/23 12:07:53 | 000,642,048 | ---- | M] (OldTimer Tools)
Adobe Reader 9.lnk -> C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk -> [2010/11/23 11:48:36 | 000,001,769 | ---- | M] ()
wpa.dbl -> C:\WINDOWS\System32\wpa.dbl -> [2010/11/23 11:46:57 | 000,001,158 | ---- | M] ()
bootstat.dat -> C:\WINDOWS\bootstat.dat -> [2010/11/23 11:46:07 | 000,002,048 | --S- | M] ()
AppleSoftwareUpdate.job -> C:\WINDOWS\tasks\AppleSoftwareUpdate.job -> [2010/11/20 23:41:01 | 000,000,284 | ---- | M] ()
conremoval.exe -> C:\Documents and Settings\john\Desktop\conremoval.exe -> [2010/11/19 14:13:23 | 003,911,939 | R--- | M] ()
windows-kb890830-v3.13.exe -> C:\Documents and Settings\john\Desktop\windows-kb890830-v3.13.exe -> [2010/11/19 13:41:22 | 011,843,016 | ---- | M] (Microsoft Corporation)
Microsoft Office Word 2003.lnk -> C:\Documents and Settings\john\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003.lnk -> [2010/11/19 09:44:29 | 000,002,515 | ---- | M] ()
SystemLook.exe -> C:\Documents and Settings\john\Desktop\SystemLook.exe -> [2010/11/18 11:45:16 | 000,075,264 | ---- | M] ()
complaint form.pdf -> C:\Documents and Settings\john\Desktop\complaint form.pdf -> [2010/11/17 16:18:51 | 000,118,747 | ---- | M] ()
MBRCheck.exe -> C:\Documents and Settings\john\Desktop\MBRCheck.exe -> [2010/11/16 13:10:10 | 000,080,384 | ---- | M] ()
Rooter.exe -> C:\Documents and Settings\john\Desktop\Rooter.exe -> [2010/11/16 11:31:02 | 000,173,119 | ---- | M] (Eric_71)
fixdownadup.exe -> C:\Documents and Settings\john\Desktop\fixdownadup.exe -> [2010/11/12 15:43:51 | 002,348,928 | ---- | M] ()
Launch Microsoft Office Outlook.lnk -> C:\Documents and Settings\john\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk -> [2010/11/10 15:58:22 | 000,000,832 | ---- | M] ()
MCPR.exe -> C:\Documents and Settings\john\Desktop\MCPR.exe -> [2010/11/10 15:31:30 | 001,373,616 | ---- | M] ()
Logfile.pdf -> C:\Documents and Settings\john\Desktop\Logfile.pdf -> [2010/11/09 13:57:52 | 000,044,548 | ---- | M] ()
Logfile.doc -> C:\Documents and Settings\john\Desktop\Logfile.doc -> [2010/11/09 13:57:41 | 000,098,816 | ---- | M] ()
info.pdf -> C:\Documents and Settings\john\Desktop\info.pdf -> [2010/11/09 13:56:31 | 000,036,434 | ---- | M] ()
info.doc -> C:\Documents and Settings\john\Desktop\info.doc -> [2010/11/09 13:55:43 | 000,092,672 | ---- | M] ()
RSIT.exe -> C:\Documents and Settings\john\Desktop\RSIT.exe -> [2010/11/09 13:50:19 | 000,339,991 | ---- | M] ()
Malwarebytes' Anti-Malware.lnk -> C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk -> [2010/11/08 13:53:13 | 000,000,736 | ---- | M] ()
mbam-setup-1.46.exe -> C:\Documents and Settings\john\Desktop\mbam-setup-1.46.exe -> [2010/11/08 13:50:31 | 006,153,352 | ---- | M] (Malwarebytes Corporation )
scan.com -> C:\Documents and Settings\john\Desktop\scan.com -> [2010/11/08 13:36:18 | 000,630,272 | ---- | M] ()
dds.scr -> C:\Documents and Settings\john\Desktop\dds.scr -> [2010/11/08 13:28:58 | 000,630,272 | ---- | M] ()
TDSSKiller.exe -> C:\Documents and Settings\john\Desktop\TDSSKiller.exe -> [2010/11/08 10:55:10 | 001,330,776 | ---- | M] (Kaspersky Lab ZAO)
gmer.exe -> C:\Documents and Settings\john\Desktop\gmer.exe -> [2010/11/08 10:32:38 | 000,296,448 | ---- | M] ()
perfh009.dat -> C:\WINDOWS\System32\perfh009.dat -> [2010/11/08 07:46:02 | 000,495,580 | ---- | M] ()
perfc009.dat -> C:\WINDOWS\System32\perfc009.dat -> [2010/11/08 07:46:02 | 000,090,626 | ---- | M] ()
MBR.exe -> C:\WINDOWS\MBR.exe -> [2010/11/08 01:20:24 | 000,089,088 | ---- | M] ()
Microsoft Office Excel 2003.lnk -> C:\Documents and Settings\john\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Excel 2003.lnk -> [2010/11/02 08:02:23 | 000,002,513 | ---- | M] ()
bug2.pdf -> C:\Documents and Settings\john\Desktop\bug2.pdf -> [2010/11/01 09:17:09 | 000,051,045 | ---- | M] ()
bug1.pdf -> C:\Documents and Settings\john\Desktop\bug1.pdf -> [2010/11/01 09:16:42 | 000,098,865 | ---- | M] ()
pool.bin -> C:\WINDOWS\System32\pool.bin -> [2010/11/01 07:43:41 | 000,000,256 | ---- | M] ()
2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp ->
18 C:\Documents and Settings\john\Local Settings\temp\*.tmp files -> C:\Documents and Settings\john\Local Settings\temp\*.tmp ->
1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->

[Files - No Company Name]
conremoval.exe -> C:\Documents and Settings\john\Desktop\conremoval.exe -> [2010/11/19 14:13:23 | 003,911,939 | R--- | C] ()
PEV.exe -> C:\WINDOWS\PEV.exe -> [2010/11/19 14:04:48 | 000,256,512 | ---- | C] ()
sed.exe -> C:\WINDOWS\sed.exe -> [2010/11/19 14:04:48 | 000,098,816 | ---- | C] ()
MBR.exe -> C:\WINDOWS\MBR.exe -> [2010/11/19 14:04:48 | 000,089,088 | ---- | C] ()
grep.exe -> C:\WINDOWS\grep.exe -> [2010/11/19 14:04:48 | 000,080,412 | ---- | C] ()
zip.exe -> C:\WINDOWS\zip.exe -> [2010/11/19 14:04:48 | 000,068,096 | ---- | C] ()
fixdownadup.exe -> C:\Documents and Settings\john\Desktop\fixdownadup.exe -> [2010/11/19 08:15:29 | 002,348,928 | ---- | C] ()
SystemLook.exe -> C:\Documents and Settings\john\Desktop\SystemLook.exe -> [2010/11/18 11:45:15 | 000,075,264 | ---- | C] ()
complaint form.pdf -> C:\Documents and Settings\john\Desktop\complaint form.pdf -> [2010/11/17 16:18:51 | 000,118,747 | ---- | C] ()
avenger.exe -> C:\Documents and Settings\john\Desktop\avenger.exe -> [2010/11/16 14:44:16 | 000,731,136 | ---- | C] ()
MBRCheck.exe -> C:\Documents and Settings\john\Desktop\MBRCheck.exe -> [2010/11/16 13:10:09 | 000,080,384 | ---- | C] ()
gmer.exe -> C:\Documents and Settings\john\Desktop\gmer.exe -> [2010/11/11 09:12:34 | 000,296,448 | ---- | C] ()
MCPR.exe -> C:\Documents and Settings\john\Desktop\MCPR.exe -> [2010/11/10 15:31:30 | 001,373,616 | ---- | C] ()
Logfile.pdf -> C:\Documents and Settings\john\Desktop\Logfile.pdf -> [2010/11/09 13:57:47 | 000,044,548 | ---- | C] ()
Logfile.doc -> C:\Documents and Settings\john\Desktop\Logfile.doc -> [2010/11/09 13:57:41 | 000,098,816 | ---- | C] ()
info.pdf -> C:\Documents and Settings\john\Desktop\info.pdf -> [2010/11/09 13:56:31 | 000,036,434 | ---- | C] ()
info.doc -> C:\Documents and Settings\john\Desktop\info.doc -> [2010/11/09 13:55:43 | 000,092,672 | ---- | C] ()
RSIT.exe -> C:\Documents and Settings\john\Desktop\RSIT.exe -> [2010/11/09 13:50:16 | 000,339,991 | ---- | C] ()
Malwarebytes' Anti-Malware.lnk -> C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk -> [2010/11/08 13:53:13 | 000,000,736 | ---- | C] ()
scan.com -> C:\Documents and Settings\john\Desktop\scan.com -> [2010/11/08 13:35:59 | 000,630,272 | ---- | C] ()
dds.scr -> C:\Documents and Settings\john\Desktop\dds.scr -> [2010/11/08 13:23:50 | 000,630,272 | ---- | C] ()
bug2.pdf -> C:\Documents and Settings\john\Desktop\bug2.pdf -> [2010/11/01 09:17:01 | 000,051,045 | ---- | C] ()
bug1.pdf -> C:\Documents and Settings\john\Desktop\bug1.pdf -> [2010/11/01 09:16:42 | 000,098,865 | ---- | C] ()
housecall.guid.cache -> C:\Documents and Settings\john\Local Settings\Application Data\housecall.guid.cache -> [2010/07/12 14:05:11 | 000,000,036 | ---- | C] ()
hitmanpro35.sys -> C:\WINDOWS\System32\drivers\hitmanpro35.sys -> [2010/07/08 10:45:32 | 000,016,968 | ---- | C] ()
TPTray.INI -> C:\WINDOWS\TPTray.INI -> [2010/02/26 13:16:22 | 000,000,000 | ---- | C] ()
BBMS_EXCEPTION.txt -> C:\Documents and Settings\john\Application Data\BBMS_EXCEPTION.txt -> [2010/01/22 10:50:32 | 000,000,364 | ---- | C] ()
eDrawingOfficeAutomator.INI -> C:\WINDOWS\eDrawingOfficeAutomator.INI -> [2009/10/20 09:40:22 | 000,000,000 | ---- | C] ()
$_hpcst$.hpc -> C:\Documents and Settings\john\Application Data\$_hpcst$.hpc -> [2009/08/28 12:13:40 | 000,002,528 | ---- | C] ()
WirelessFTP.INI -> C:\WINDOWS\WirelessFTP.INI -> [2009/08/27 15:11:33 | 000,000,098 | ---- | C] ()
ccolwiz.ini -> C:\WINDOWS\ccolwiz.ini -> [2009/08/27 12:37:22 | 000,000,152 | ---- | C] ()
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> C:\Documents and Settings\john\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> [2009/08/27 11:48:07 | 000,007,168 | ---- | C] ()
fontlst2.opf -> C:\Documents and Settings\john\Application Data\fontlst2.opf -> [2009/08/26 19:03:14 | 000,594,638 | ---- | C] ()
_isusr32.dll -> C:\WINDOWS\_isusr32.dll -> [2009/08/26 18:32:46 | 000,159,744 | ---- | C] ()
_isusr2k.dll -> C:\WINDOWS\System32\_isusr2k.dll -> [2009/08/26 18:32:39 | 000,045,056 | ---- | C] ()
ush2.dll -> C:\WINDOWS\System32\ush2.dll -> [2009/08/26 18:32:38 | 000,122,880 | ---- | C] ()
OGACheckControl.dll -> C:\WINDOWS\System32\OGACheckControl.dll -> [2009/08/03 14:07:42 | 000,403,816 | ---- | C] ()
hpzinstall.log -> C:\Documents and Settings\All Users\Application Data\hpzinstall.log -> [2009/05/18 11:18:15 | 000,009,731 | ---- | C] ()
smtpctrs.ini -> C:\WINDOWS\System32\smtpctrs.ini -> [2008/02/05 08:54:40 | 000,021,791 | ---- | C] ()
ntfsdrct.ini -> C:\WINDOWS\System32\ntfsdrct.ini -> [2008/02/05 08:54:40 | 000,001,037 | ---- | C] ()
w3ctrs.ini -> C:\WINDOWS\System32\w3ctrs.ini -> [2008/02/05 08:54:02 | 000,038,576 | ---- | C] ()
axperf.ini -> C:\WINDOWS\System32\axperf.ini -> [2008/02/05 08:54:02 | 000,010,225 | ---- | C] ()
infoctrs.ini -> C:\WINDOWS\System32\infoctrs.ini -> [2008/02/05 08:54:01 | 000,011,435 | ---- | C] ()
dirsaver.ini -> C:\WINDOWS\dirsaver.ini -> [2008/01/28 15:19:37 | 000,000,012 | ---- | C] ()
msoffice.ini -> C:\WINDOWS\msoffice.ini -> [2008/01/28 15:07:27 | 000,000,002 | ---- | C] ()
smscfg.ini -> C:\WINDOWS\smscfg.ini -> [2008/01/28 14:52:29 | 000,000,061 | ---- | C] ()
IVIresizeW7.dll -> C:\WINDOWS\System32\IVIresizeW7.dll -> [2008/01/28 14:50:06 | 000,204,800 | ---- | C] ()
IVIresizeA6.dll -> C:\WINDOWS\System32\IVIresizeA6.dll -> [2008/01/28 14:50:06 | 000,200,704 | ---- | C] ()
IVIresizeP6.dll -> C:\WINDOWS\System32\IVIresizeP6.dll -> [2008/01/28 14:50:06 | 000,192,512 | ---- | C] ()
IVIresizeM6.dll -> C:\WINDOWS\System32\IVIresizeM6.dll -> [2008/01/28 14:50:06 | 000,192,512 | ---- | C] ()
IVIresizePX.dll -> C:\WINDOWS\System32\IVIresizePX.dll -> [2008/01/28 14:50:06 | 000,188,416 | ---- | C] ()
IVIresize.dll -> C:\WINDOWS\System32\IVIresize.dll -> [2008/01/28 14:50:06 | 000,020,480 | ---- | C] ()
pthreadVC.dll -> C:\WINDOWS\System32\pthreadVC.dll -> [2007/11/06 14:19:28 | 000,053,299 | ---- | C] ()
mxpcivny.dll -> C:\WINDOWS\System32\mxpcivny.dll -> [2007/04/18 10:25:36 | 000,167,071 | RHS- | C] ()
TDispVol.dll -> C:\WINDOWS\System32\TDispVol.dll -> [2006/01/03 01:08:12 | 000,045,056 | ---- | C] ()
wininit.ini -> C:\WINDOWS\wininit.ini -> [2005/12/29 13:48:11 | 000,000,222 | ---- | C] ()
QUICKEN.INI -> C:\WINDOWS\QUICKEN.INI -> [2005/12/29 13:45:52 | 000,000,031 | ---- | C] ()
CSIIDecoder_kern_i386.sys -> C:\WINDOWS\System32\drivers\CSIIDecoder_kern_i386.sys -> [2005/12/29 13:09:56 | 000,036,736 | ---- | C] ()
TSXT_kern_i386.sys -> C:\WINDOWS\System32\drivers\TSXT_kern_i386.sys -> [2005/12/29 13:09:56 | 000,029,184 | ---- | C] ()
NDSTray.INI -> C:\WINDOWS\NDSTray.INI -> [2005/12/29 13:01:39 | 000,000,000 | ---- | C] ()
EBLib.DLL -> C:\WINDOWS\System32\EBLib.DLL -> [2005/12/29 13:01:29 | 000,032,768 | ---- | C] ()
tbiosdrv.sys -> C:\WINDOWS\System32\drivers\tbiosdrv.sys -> [2005/12/29 12:54:17 | 000,006,867 | ---- | C] ()
csellang.ini -> C:\WINDOWS\System32\csellang.ini -> [2005/12/29 12:44:17 | 000,128,113 | ---- | C] ()
csellang.dll -> C:\WINDOWS\System32\csellang.dll -> [2005/12/29 12:44:17 | 000,045,056 | ---- | C] ()
tosmreg.ini -> C:\WINDOWS\System32\tosmreg.ini -> [2005/12/29 12:44:17 | 000,010,165 | ---- | C] ()
cseltbl.ini -> C:\WINDOWS\System32\cseltbl.ini -> [2005/12/29 12:44:17 | 000,007,671 | ---- | C] ()
RtlCPAPI.dll -> C:\WINDOWS\System32\RtlCPAPI.dll -> [2005/12/29 12:35:08 | 000,135,168 | ---- | C] ()
ODBC.INI -> C:\WINDOWS\ODBC.INI -> [2005/12/29 11:28:28 | 000,000,473 | ---- | C] ()
fxsperf.ini -> C:\WINDOWS\System32\fxsperf.ini -> [2005/12/29 11:19:47 | 000,001,793 | ---- | C] ()
ODBCINST.INI -> C:\WINDOWS\ODBCINST.INI -> [2005/12/29 03:15:37 | 000,004,161 | ---- | C] ()
OEMINFO.INI -> C:\WINDOWS\System32\OEMINFO.INI -> [2005/12/29 00:33:37 | 000,000,341 | ---- | C] ()
TPeculiarity.dll -> C:\WINDOWS\System32\TPeculiarity.dll -> [2005/12/09 16:36:30 | 000,028,672 | ---- | C] ()
px.ini -> C:\WINDOWS\System32\px.ini -> [2005/11/28 22:33:56 | 000,000,000 | ---- | C] ()
SPCtl.dll -> C:\WINDOWS\System32\SPCtl.dll -> [2005/11/23 15:55:42 | 000,024,576 | ---- | C] ()
HWS_Ctrl.dll -> C:\WINDOWS\System32\HWS_Ctrl.dll -> [2005/11/23 15:41:28 | 000,036,864 | ---- | C] ()
TCtrlIO.dll -> C:\WINDOWS\System32\TCtrlIO.dll -> [2005/11/23 13:42:16 | 000,028,672 | ---- | C] ()
Dart.PowerTCP.Aes.dll -> C:\WINDOWS\System32\Dart.PowerTCP.Aes.dll -> [2005/10/09 10:59:40 | 000,065,536 | ---- | C] ()
EKECioCtl.dll -> C:\WINDOWS\System32\EKECioCtl.dll -> [2005/09/15 16:04:06 | 000,024,576 | ---- | C] ()
tifmicon.dll -> C:\WINDOWS\System32\tifmicon.dll -> [2004/01/13 19:46:34 | 000,172,032 | ---- | C] ()
OUTLPERF.INI -> C:\WINDOWS\System32\OUTLPERF.INI -> [2003/01/07 17:05:08 | 000,002,695 | ---- | C] ()
< End of report >
[/code]
 
MBAM most recent log

peku006,

Check out all of the instances of Conficker that Malwarebytes found now:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5177

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/23/2010 4:20:06 PM
mbam-log-2010-11-23 (16-20-06).txt

Scan type: Quick scan
Objects scanned: 189585
Time elapsed: 8 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\brdsd (Worm.Conficker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dalgz (Worm.Conficker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gfqjfcun (Worm.Conficker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\njznx (Worm.Conficker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pcpqzrt (Worm.Conficker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vhareut (Worm.Conficker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ykxkeb (Worm.Conficker) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\mxpcivny.dll (Worm.Conficker) -> Quarantined and deleted successfully.
 
downladup.gen.log

Here it is. I probably got these results because I had run MBAM not too long ago. I feel like it will return, though. Shall I continue with anything else?



Ok Loading BitDefender Engines
State 0
Sleeping 3 seconds...
Found so far : 0x0 files/regs
Searching for Downadup file ....
- System folder
- Temporary folder
- Program Files
- Application Data
Found so far : 0x0 files/regs
No Traces of Downadup Worm were found
 