Time for house cleaning instructions and help.

Well, Registry Editor and Task Manager are back. I did the scan as you asked and here is the log it produced, but I couldn't get to virustotal.com and upload the file; although my other computer can go to that website, this one is stuck at trying to get there to start with. Other than that, I noticed that Scotty and TeaTimer are reporting that something is attempting to change my hosts file from the MVPS hosts file to a completely empty one. I always denied the change; was that the right thing to do?

I have a small question: the old operating system I still have on here, the old XP installation, do all these fixes we are doing have any positive effect on it, or are they just fixing this currently running one?

ComboFix 11-05-21.03 - Me 05/22/2011 1:27.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.323 [GMT 3:00]
Running from: c:\documents and settings\Me.TIM\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Me.TIM\Desktop\CFScript.txt
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ABP470N5
-------\Service_abp470n5
.
.
((((((((((((((((((((((((( Files Created from 2011-04-21 to 2011-05-21 )))))))))))))))))))))))))))))))
.
.
2011-05-20 16:56 . 2011-05-20 17:00 -------- d-----w- C:\52d9b97d3a4e2130724323
2011-05-20 16:40 . 2011-05-18 20:10 331805736 ----a-w- C:\WindowsXP-KB936929-SP3-x86-ENU.exe
2011-05-18 15:47 . 2011-05-18 15:47 -------- d-----w- c:\documents and settings\Family
2011-05-16 18:12 . 2011-05-16 18:13 -------- d-----w- c:\program files\Ask.com
2011-05-16 18:12 . 2011-05-16 18:12 -------- d-----w- c:\program files\Foxit Software
2011-05-14 22:00 . 2011-05-14 22:00 -------- d-----w- C:\VritualRoot
2011-05-14 21:54 . 2011-05-14 21:54 -------- d-----w- c:\program files\ERUNT
2011-05-11 11:44 . 2011-05-11 11:45 -------- d-----r- C:\MS Office 2007 ENG
2011-05-11 06:49 . 2011-05-11 06:51 -------- d-----w- c:\program files\Security Task Manager
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-13 22:40 . 2011-04-13 22:40 4284416 ----a-w- c:\windows2\system32\GPhotos.scr
2011-03-04 06:45 . 2003-07-16 16:43 434176 ----a-w- c:\windows2\system32\vbscript.dll
2011-03-03 13:21 . 2003-07-16 16:45 1857920 ----a-w- c:\windows2\system32\win32k.sys
2011-04-14 16:26 . 2011-05-10 17:16 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2007-08-12 06:12 . 2006-12-24 10:49 135680 -c--a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
------- Sigcheck -------
.
[-] 2008-04-14 . 865A48ECBD314A8089BB108FF5DF9532 . 220160 . . [5.1.2600.5512] . . c:\windows2\regedit.exe
[-] 2008-04-14 . 865A48ECBD314A8089BB108FF5DF9532 . 220160 . . [5.1.2600.5512] . . c:\windows2\ServicePackFiles\i386\regedit.exe
[7] 2008-04-14 . 058710B720282CA82B909912D3EF28DB . 146432 . . [5.1.2600.5512] . . c:\windows2\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\regedit.exe
[7] 2004-08-03 . 783AFC80383C176B22DBF8333343992D . 146432 . . [5.1.2600.2180] . . c:\windows2\$NtServicePackUninstall$\regedit.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-09-28 19:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
c:\documents and settings\Me.TIM\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows2\system32\guard32.dll
.
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BCMSMMSG"=BCMSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS2\\System32\\igfxtray.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\LSDSMCAUVUTYBOG.scr"=
"c:\\Program Files\\COMODO\\COMODO Internet Security\\cmdagent.exe"=
.
R3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;c:\windows2\system32\DRIVERS\bcm42xx5.sys [2001-08-17 54271]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows2\system32\DRIVERS\cmdguard.sys [2011-05-02 242472]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows2\system32\DRIVERS\cmdhlp.sys [2011-05-02 29400]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ABP470N5
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-22 c:\windows2\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-09-28 19:44]
.
2011-05-21 c:\windows2\Tasks\WGASetup.job
- c:\windows2\system32\KB905474\wgasetup.exe [2011-05-13 19:18]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe" //mailurl:mailto:egyptainhollandiatissueculture@msn.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows2\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Me.TIM\Application Data\Mozilla\Firefox\Profiles\6tv5e5pb.default\
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-22 01:57
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose, ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Abiosdsk]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\abp480n5]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ACPI]
"ImagePath"="System32\DRIVERS\ACPI.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ACPIEC]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\adpu160m]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\aec]
"ImagePath"="system32\drivers\aec.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\AFD]
"ImagePath"="\SystemRoot\System32\drivers\afd.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Aha154x]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\aic78u2]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\aic78xx]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Alerter]
"ServiceDll"="%SystemRoot%\system32\alrsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ALG]
"ImagePath"="%SystemRoot%\System32\alg.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\AliIde]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\amsint]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\AppMgmt]
"ServiceDll"="%SystemRoot%\System32\appmgmts.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\asc]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\asc3350p]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\asc3550]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\AsyncMac]
"ImagePath"="system32\DRIVERS\asyncmac.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\atapi]
"ImagePath"="System32\DRIVERS\atapi.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Atdisk]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Atmarpc]
"ImagePath"="System32\DRIVERS\atmarpc.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\AudioSrv]
"ServiceDll"="%SystemRoot%\System32\audiosrv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\audstub]
"ImagePath"="System32\DRIVERS\audstub.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\b57w2k]
"ImagePath"="System32\DRIVERS\b57xp32.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\BattC]
"MofImagePath"="System32\Drivers\battc.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\BCM42XX]
"ImagePath"="System32\DRIVERS\bcm42xx5.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\bcm4sbxp]
"ImagePath"="System32\DRIVERS\bcm4sbxp.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\BCMModem]
"ImagePath"="system32\DRIVERS\BCMSM.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Beep]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\BITS]
"ServiceDll"="%systemroot%\system32\qmgr.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Browser]
"ServiceDll"="%SystemRoot%\System32\browser.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\catchme]
"ImagePath"="\??\c:\docume~1\Me.TIM\LOCALS~1\Temp\catchme.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\cbidf2k]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\cd20xrnt]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Cdaudio]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Cdfs]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Cdrom]
"ImagePath"="System32\DRIVERS\cdrom.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Changer]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\CiSvc]
"ImagePath"="%SystemRoot%\system32\cisvc.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ClipSrv]
"ImagePath"="%SystemRoot%\system32\clipsrv.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\cmdAgent]
"ImagePath"="\"c:\program files\COMODO\COMODO Internet Security\cmdagent.exe\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\cmdGuard]
"ImagePath"="System32\DRIVERS\cmdguard.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\cmdHlp]
"ImagePath"="System32\DRIVERS\cmdhlp.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\CmdIde]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\COMSysApp]
"ImagePath"="%SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ContentFilter]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ContentIndex]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Cpqarray]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\CryptSvc]
"ServiceDll"="%SystemRoot%\System32\cryptsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\dac2w2k]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\dac960nt]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\DcomLaunch]
"ServiceDll"="%SystemRoot%\system32\rpcss.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Dhcp]
"ServiceDll"="%SystemRoot%\System32\dhcpcsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Disk]
"ImagePath"="System32\DRIVERS\disk.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\dmadmin]
"ImagePath"="%SystemRoot%\System32\dmadmin.exe /com"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\dmboot]
"ImagePath"="System32\drivers\dmboot.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\dmio]
"ImagePath"="System32\drivers\dmio.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\dmload]
"ImagePath"="System32\drivers\dmload.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\dmserver]
"ServiceDll"="%SystemRoot%\System32\dmserver.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\DMusic]
"ImagePath"="system32\drivers\DMusic.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Dnscache]
"ServiceDll"="%SystemRoot%\System32\dnsrslvr.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Dot3svc]
"ServiceDll"="%SystemRoot%\System32\dot3svc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\dpti2o]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\drmkaud]
"ImagePath"="system32\drivers\drmkaud.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\EapHost]
"ServiceDll"="%SystemRoot%\System32\eapsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ERSvc]
"ServiceDll"="%SystemRoot%\System32\ersvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Eventlog]
"ImagePath"="%SystemRoot%\system32\services.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\EventSystem]
"ServiceDll"="c:\windows2\System32\es.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Fastfat]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\FastUserSwitchingCompatibility]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Fdc]
"ImagePath"="System32\DRIVERS\fdc.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Fips]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Flpydisk]
"ImagePath"="System32\DRIVERS\flpydisk.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\FltMgr]
"ImagePath"="system32\drivers\fltmgr.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Fs_Rec]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Ftdisk]
"ImagePath"="System32\DRIVERS\ftdisk.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Gpc]
"ImagePath"="System32\DRIVERS\msgpc.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\gusvc]
"ImagePath"="\"c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\helpsvc]
"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\HidServ]
"ServiceDll"="%SystemRoot%\System32\hidserv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\hidusb]
"ImagePath"="System32\DRIVERS\hidusb.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\hkmsvc]
"ServiceDll"="%SystemRoot%\System32\kmsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\hpn]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\HTTP]
"ImagePath"="System32\Drivers\HTTP.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\HTTPFilter]
"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\i2omgmt]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\i2omp]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\i8042prt]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ialm]
"ImagePath"="System32\DRIVERS\ialmnt5.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Imapi]
"ImagePath"="System32\DRIVERS\imapi.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ImapiService]
"ImagePath"="%systemroot%\system32\imapi.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\inetaccs]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ini910u]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Inport]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Inspect]
"ImagePath"="System32\DRIVERS\inspect.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\IntelIde]
"ImagePath"="System32\DRIVERS\intelide.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\intelppm]
"ImagePath"="System32\DRIVERS\intelppm.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ip6fw]
"ImagePath"="system32\drivers\ip6fw.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\IpFilterDriver]
"ImagePath"="System32\DRIVERS\ipfltdrv.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\IpInIp]
"ImagePath"="System32\DRIVERS\ipinip.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\IpNat]
"ImagePath"="System32\DRIVERS\ipnat.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\IPSec]
"ImagePath"="System32\DRIVERS\ipsec.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\IRENUM]
"ImagePath"="System32\DRIVERS\irenum.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ISAPISearch]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\isapnp]
"ImagePath"="System32\DRIVERS\isapnp.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Kbdclass]
"ImagePath"="System32\DRIVERS\kbdclass.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\kbdhid]
"ImagePath"="System32\DRIVERS\kbdhid.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\kmixer]
"ImagePath"="system32\drivers\kmixer.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\KSecDD]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\lanmanserver]
"ServiceDll"="%SystemRoot%\System32\srvsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\lanmanworkstation]
"ServiceDll"="%SystemRoot%\System32\wkssvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\lbrtfdc]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ldap]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\LicenseService]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\LmHosts]
"ServiceDll"="%SystemRoot%\System32\lmhsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MDM]
"ImagePath"="\"c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Messenger]
"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\mnmdd]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\mnmsrvc]
"ImagePath"="c:\windows2\System32\mnmsrvc.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Modem]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MODEMCSA]
"ImagePath"="system32\drivers\MODEMCSA.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Mouclass]
"ImagePath"="System32\DRIVERS\mouclass.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\mouhid]
"ImagePath"="System32\DRIVERS\mouhid.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MountMgr]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\mraid35x]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MRxDAV]
"ImagePath"="System32\DRIVERS\mrxdav.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MRxSmb]
"ImagePath"="System32\DRIVERS\mrxsmb.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MSDTC]
"ImagePath"="c:\windows2\System32\msdtc.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Msfs]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MSIServer]
"ImagePath"="%systemroot%\system32\msiexec.exe /V"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MSKSSRV]
"ImagePath"="system32\drivers\MSKSSRV.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MSPCLOCK]
"ImagePath"="system32\drivers\MSPCLOCK.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MSPQM]
"ImagePath"="system32\drivers\MSPQM.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\mssmbios]
"ImagePath"="System32\DRIVERS\mssmbios.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Mup]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\napagent]
"ServiceDll"="%SystemRoot%\System32\qagentrt.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NDIS]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NdisTapi]
"ImagePath"="System32\DRIVERS\ndistapi.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Ndisuio]
"ImagePath"="System32\DRIVERS\ndisuio.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NdisWan]
"ImagePath"="System32\DRIVERS\ndiswan.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NDProxy]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NetBIOS]
"ImagePath"="System32\DRIVERS\netbios.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NetBT]
"ImagePath"="System32\DRIVERS\netbt.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NetDDE]
"ImagePath"="%SystemRoot%\system32\netdde.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NetDDEdsdm]
"ImagePath"="%SystemRoot%\system32\netdde.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Netlogon]
"ImagePath"="%SystemRoot%\system32\lsass.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Netman]
"ServiceDll"="%SystemRoot%\System32\netman.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Nla]
"ServiceDll"="%SystemRoot%\System32\mswsock.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Npfs]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Ntfs]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NtLmSsp]
"ImagePath"="%SystemRoot%\System32\lsass.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NtmsSvc]
"ServiceDll"="%SystemRoot%\system32\ntmssvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Null]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NwlnkFlt]
"ImagePath"="System32\DRIVERS\nwlnkflt.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NwlnkFwd]
"ImagePath"="System32\DRIVERS\nwlnkfwd.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Parport]
"ImagePath"="System32\DRIVERS\parport.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PartMgr]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ParVdm]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PCI]
"ImagePath"="System32\DRIVERS\pci.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PCIDump]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PCIIde]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Pcmcia]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PDCOMP]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PDFRAME]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PDRELI]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PDRFRAME]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\perc2]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\perc2hib]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PerfDisk]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PerfNet]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PerfOS]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PerfProc]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PlugPlay]
"ImagePath"="%SystemRoot%\system32\services.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PolicyAgent]
"ImagePath"="%SystemRoot%\system32\lsass.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PptpMiniport]
"ImagePath"="System32\DRIVERS\raspptp.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Processor]
"ImagePath"="System32\DRIVERS\processr.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ProtectedStorage]
"ImagePath"="%SystemRoot%\system32\lsass.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PSched]
"ImagePath"="System32\DRIVERS\psched.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Ptilink]
"ImagePath"="System32\DRIVERS\ptilink.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ql1080]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Ql10wnt]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ql12160]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ql1240]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ql1280]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RasAcd]
"ImagePath"="System32\DRIVERS\rasacd.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RasAuto]
"ServiceDll"="%SystemRoot%\System32\rasauto.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Rasl2tp]
"ImagePath"="System32\DRIVERS\rasl2tp.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RasMan]
"ServiceDll"="%SystemRoot%\System32\rasmans.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RasPppoe]
"ImagePath"="System32\DRIVERS\raspppoe.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Raspti]
"ImagePath"="System32\DRIVERS\raspti.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Rdbss]
"ImagePath"="System32\DRIVERS\rdbss.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RDPCDD]
"ImagePath"="System32\DRIVERS\RDPCDD.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RDPDD]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\rdpdr]
"ImagePath"="System32\DRIVERS\rdpdr.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RDPNP]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RDPWD]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RDSessMgr]
"ImagePath"="c:\windows2\system32\sessmgr.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\redbook]
"ImagePath"="System32\DRIVERS\redbook.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RemoteAccess]
"ServiceDll"="%SystemRoot%\System32\mprdim.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RemoteRegistry]
"ServiceDll"="%SystemRoot%\system32\regsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RpcLocator]
"ImagePath"="%SystemRoot%\System32\locator.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RpcSs]
"ServiceDll"="%SystemRoot%\System32\rpcss.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RSVP]
"ImagePath"="%SystemRoot%\System32\rsvp.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\SamSs]
"ImagePath"="%SystemRoot%\system32\lsass.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\SCardSvr]
"ImagePath"="%SystemRoot%\System32\SCardSvr.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Schedule]
"ServiceDll"="%SystemRoot%\system32\schedsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ScsiPort]
"ImagePath"="%SystemRoot%\system32\drivers\scsiport.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Secdrv]
"ImagePath"="System32\DRIVERS\secdrv.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\seclogon]
"ServiceDll"="%SystemRoot%\System32\seclogon.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\senfilt]
"ImagePath"="system32\drivers\senfilt.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\SENS]
"ServiceDll"="%SystemRoot%\system32\sens.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\serenum]
"ImagePath"="System32\DRIVERS\serenum.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Serial]
"ImagePath"="System32\DRIVERS\serial.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Sfloppy]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\SharedAccess]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ShellHWDetection]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Simbad]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\smwdm]
"ImagePath"="system32\drivers\smwdm.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Sparrow]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\splitter]
"ImagePath"="system32\drivers\splitter.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Spooler]
"ImagePath"="%SystemRoot%\system32\spoolsv.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\sr]
"ImagePath"="System32\DRIVERS\sr.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\srservice]
"ServiceDll"="%SystemRoot%\system32\srsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Srv]
"ImagePath"="System32\DRIVERS\srv.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\SSDPSRV]
"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\stisvc]
"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\swenum]
"ImagePath"="System32\DRIVERS\swenum.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\swmidi]
"ImagePath"="system32\drivers\swmidi.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\SwPrv]
"ImagePath"="c:\windows2\System32\dllhost.exe /Processid:{B8B5E953-419D-442A-A711-4CA2060AADDA}"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\swwd]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\symc810]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\symc8xx]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\sym_hi]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\sym_u3]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\sysaudio]
"ImagePath"="system32\drivers\sysaudio.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\SysmonLog]
"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\TapiSrv]
"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Tcpip]
"ImagePath"="System32\DRIVERS\tcpip.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\TDPIPE]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\TDTCP]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\TermDD]
"ImagePath"="System32\DRIVERS\termdd.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\TermService]
"ServiceDll"="%SystemRoot%\System32\termsrv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Themes]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\TlntSvr]
"ImagePath"="c:\windows2\System32\tlntsvr.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\TosIde]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\TrkWks]
"ServiceDll"="%SystemRoot%\system32\trkwks.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\TSDDD]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Udfs]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ultra]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Update]
"ImagePath"="System32\DRIVERS\update.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\upnphost]
"ServiceDll"="%SystemRoot%\System32\upnphost.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\UPS]
"ImagePath"="%SystemRoot%\System32\ups.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\usbehci]
"ImagePath"="System32\DRIVERS\usbehci.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\usbhub]
"ImagePath"="System32\DRIVERS\usbhub.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\USBSTOR]
"ImagePath"="System32\DRIVERS\USBSTOR.SYS"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\usbuhci]
"ImagePath"="System32\DRIVERS\usbuhci.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\VgaSave]
"ImagePath"="\SystemRoot\System32\drivers\vga.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ViaIde]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\VolSnap]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\VSS]
"ImagePath"="%SystemRoot%\System32\vssvc.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\W32Time]
"ServiceDll"="%systemroot%\system32\w32time.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\W3SVC]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Wanarp]
"ImagePath"="System32\DRIVERS\wanarp.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\WDICA]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\wdmaud]
"ImagePath"="system32\drivers\wdmaud.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\WebClient]
"ServiceDll"="%SystemRoot%\System32\webclnt.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\winmgmt]
"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Winsock]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\WinSock2]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\WinTrust]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\WmdmPmSN]
"ServiceDll"="c:\windows\system32\mspmsnsv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Wmi]
"ServiceDll"="%SystemRoot%\System32\advapi32.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\WmiApRpl]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\WmiApSrv]
"ImagePath"="c:\windows2\System32\wbem\wmiapsrv.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\wscsvc]
"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\wuauserv]
"ServiceDll"="c:\windows\system32\wuauserv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\WZCSVC]
"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\xmlprov]
"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\{D66B2196-5266-41D8-A57A-6E96CDC55151}]
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS2\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS2\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(748)
c:\windows2\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(2408)
c:\windows2\system32\WININET.dll
c:\windows2\system32\guard32.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows2\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\BillP Studios\WinPatrol\winpatrol.exe
.
**************************************************************************
.
Completion time: 2011-05-22 03:18:21 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-22 00:18
ComboFix2.txt 2011-05-21 21:10
.
Pre-Run: 30,204,321,792 bytes free
Post-Run: 29,976,920,064 bytes free
.
Current=4 Default=4 Failed=1 LastKnownGood=6 Sets=1,2,3,4,6
- - End Of File - - 75410EA30B4DBA63678C6AF01F023244
 
Hi,

I was trying to get some scanner to run to prove there's a Sality file infector present in your system meaning reformat as only sensible solution.

Though you weren't able to get scanners to run there's enough evidence (like safe mode disabled + some signs in the log) to show that infection is present.


If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before you connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

If you insist on trying to fix this infection instead of following our advice to reformat and reinstall your operating system, there are various rescue disks available from major anti-virus vendors which you can try. Keep in mind, even vendors like Kaspersky say there is no guarantee that some files will not get corrupted during the disinfection process. In the end most folks end up reformatting out of frustration after spending hours attempting to repair and remove infected files.
IMO the safest and easiest thing to do is just reformat and reinstall Windows.

I DO NOT assume any responsibility for your attempt to repair this infection using any of the following tools. You do this at your own risk and against our advice.

These are links to anti-virus vendors that offer free LiveCD or Rescue CD files that are used to boot from for repair of unbootable and damaged systems, to rescue data, and to scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO image file format. Avira uses an EXE that has built-in CD burning capability. If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.
 
Well, I'm a sucker for lost causes :D, I used the now working registry editor and fixed the Safe-boot keys and now I'm in Safe mode. I'm currently running Malewares first to see what former registry problems still arise. I still have all the tools I downloaded before; what would you advise me to run now? As for now, dumping the entire system shall be my last resource.
 
Hi,

I've learnt from my experiences with file infectors that it's like battling against windmills - it may look brighter for a moment and then all hell breaks loose again. You may try one of those live CDs if you wish, but like I said there's no guarantee those will bring a permanent result.
 
Well, while in safe mode I noticed that in the administrator account all the problems I had here were still there, as in no registry editor or task manager, which surprises me, seeing as I can access them here in normal mode under my other administrator account.
 
Like I said, the safest way is to reformat the system and start from scratch. You may try other methods if you want, but my last advice on this case is given above.
 
You were correct, we got the one online scanner to run in safe mode and it discovered 1398 infected files in safe mode. We left it to scan and fix whatever it wanted; it said it took care of all except four and we deleted those.

lol, task manager is now locked again. I just wanted to let you know we will start over. Thanks for your help, I will let you know what takes place with the new install.
 
You're welcome. You have to be careful not to use files from the older installation if you have some of those saved. If such a file is Sality infected it will kick off a new epidemic on the fresh installation.
 
Based on what ESET mentioned, the only files we were planning to move are Word documents and pictures.

 
Blade again,

Thanks for your time and help.

The good thing is I had no important private information on these PCs we have at home, and all three have issues; all are being dumped, formatted and everything installed new.

My computer never really acted badly. Every now and then, in a period over two months, it would hang up for a bit, or IE7 would mention an internal error and close, then say I'm sorry, I must restart.

All the virus protection appeared to work correctly, updates, scans, everything, except the CPU usage load would sometimes spike for no clear reason over the last couple of months.

Again thanks,

Tim from Egypt
 
You're welcome. Infections like Sality are real meanies. Usually up-to-date antivirus protection + a patched system helps keep uninvited guests away. This topic may give some idea how the infection got itself in.
 