Virtumonde/Virtumonde.prx/firewallbypass

[Shaba]

Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\Xwofiwam.bin
c:\windows\Cfagazuyufom.dat
C:\xnfd.exe
C:\jurj.exe
c:\windows\instsp2.exe
c:\windows\system32\jazoloya.exe
c:\windows\system32\huvagobi.exe
c:\windows\system32\kivifivu.dll.vir
c:\windows\system32\boguwuhu.exe

Folder::
c:\documents and settings\Student\Local Settings\Application Data\{BEF2BB6F-0B50-4738-9E57-DF0B826A7C0E}
c:\program files\Seekapp
c:\documents and settings\All Users\Application Data\Seekapp

Driver::
Seekapp Service

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1003ad07-1bb1-11de-949c-0017a4e3bc5c}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4191f182-22ea-11de-94a3-0017a4e3bc5c}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ae2a78f-10f2-11de-9491-0017a4e3bc5c}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9094bbc2-12c4-11de-9493-0017a4e3bc5c}]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\explorer.exe"=-
"c:\\WINDOWS\\system32\\winlogon.exe"=-

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

 

[Guilty Sp4rk]

I apologize for double posting and bunping this topic, I hate it when people do it on my forum... But I posted the virus scan report back for a file Shaba asked me to scan and post back, it's been a day or two and I'm just wondering if there is anything else to do or if I'm ok from here. I'm not having anymore trouble and I reported the infected file on the website and it didn't show up this morning when I checked. So nobody else will fall victim to it. Again, I apologize but I was just wondering if any other steps required.

 

[Guilty Sp4rk]

Ok... As soon as I posted that a post mysteriously showed up above mine. I don't know why it showed up just now. Again, sorry and I'll get to running that ComboFix script.

 

[Shaba]

That is a forum bug, no need to apologize

 

[Guilty Sp4rk]

ComboFix Log:

ComboFix 09-04-17.01 - Student 04/16/2009 14:12.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447.161 [GMT -7:00]
Running from: c:\documents and settings\Student\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Student\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\jurj.exe
c:\windows\Cfagazuyufom.dat
c:\windows\instsp2.exe
c:\windows\system32\boguwuhu.exe
c:\windows\system32\huvagobi.exe
c:\windows\system32\jazoloya.exe
c:\windows\system32\kivifivu.dll.vir
c:\windows\Xwofiwam.bin
C:\xnfd.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Seekapp
c:\documents and settings\All Users\Application Data\Seekapp\seekapp131.exe
c:\documents and settings\Student\Local Settings\Application Data\{BEF2BB6F-0B50-4738-9E57-DF0B826A7C0E}
c:\documents and settings\Student\Local Settings\Application Data\{BEF2BB6F-0B50-4738-9E57-DF0B826A7C0E}\chrome.manifest
c:\documents and settings\Student\Local Settings\Application Data\{BEF2BB6F-0B50-4738-9E57-DF0B826A7C0E}\chrome\content\_cfg.js
c:\documents and settings\Student\Local Settings\Application Data\{BEF2BB6F-0B50-4738-9E57-DF0B826A7C0E}\chrome\content\c.js
c:\documents and settings\Student\Local Settings\Application Data\{BEF2BB6F-0B50-4738-9E57-DF0B826A7C0E}\chrome\content\overlay.xul
c:\documents and settings\Student\Local Settings\Application Data\{BEF2BB6F-0B50-4738-9E57-DF0B826A7C0E}\install.rdf
C:\jurj.exe
c:\program files\Seekapp
c:\program files\Seekapp\readme.html
c:\program files\Seekapp\seekapp.dll
c:\program files\Seekapp\seekapp.exe
c:\program files\Seekapp\uninstall.exe
c:\windows\Cfagazuyufom.dat
c:\windows\instsp2.exe
c:\windows\system32\boguwuhu.exe
c:\windows\system32\huvagobi.exe
c:\windows\system32\jazoloya.exe
c:\windows\system32\kivifivu.dll.vir
c:\windows\Xwofiwam.bin
C:\xnfd.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FCI
-------\Legacy_SEEKAPP_SERVICE
-------\Service_FCI
-------\Service_Seekapp Service


((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))
.

2009-04-16 21:17 . 2009-04-16 21:17 -------- d-----w c:\documents and settings\Student\Local Settings\Application Data\{AF69389A-FCD4-4ADE-AA55-2047887F4793}
2009-04-16 08:04 . 2009-04-16 08:04 -------- d-----w c:\program files\Dragon UnPACKer 5
2009-04-15 08:03 . 2009-04-15 08:03 -------- d-----w c:\documents and settings\Student\Application Data\Stardock
2009-04-15 08:03 . 2009-04-15 08:03 -------- dc-h--w c:\documents and settings\All Users\Application Data\{62902F53-D725-44F9-B385-979CC0E00E8A}
2009-04-15 08:02 . 2009-04-15 08:04 -------- d-----w c:\program files\Stardock
2009-04-15 08:02 . 2009-04-15 08:02 -------- d-----w c:\documents and settings\All Users\Application Data\Stardock
2009-04-13 05:18 . 2009-04-13 05:18 -------- d-----w c:\program files\ffdshow
2009-04-13 05:18 . 2009-04-14 00:45 -------- d-----w c:\documents and settings\Student\Application Data\Sp4rkMod
2009-04-12 02:23 . 2009-04-12 02:23 -------- d-----w C:\VundoFix Backups
2009-04-12 01:50 . 2009-04-12 01:50 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-11 21:36 . 2009-04-15 08:06 -------- d-----w c:\documents and settings\Student\Local Settings\Application Data\Stardock
2009-04-11 21:29 . 2009-04-11 21:29 56 ----a-w c:\windows\wb.ini
2009-04-11 21:29 . 2009-04-11 21:29 -------- d-----w c:\program files\Common Files\Stardock
2009-04-11 21:29 . 2003-02-27 05:27 36864 ----a-w c:\windows\system32\wbsys.dll
2009-04-11 21:29 . 2009-04-16 07:23 -------- d-----w c:\program files\AlienGUIse
2009-04-11 19:49 . 2009-04-11 19:49 -------- d-----w c:\program files\Crytek
2009-04-11 06:01 . 2009-04-11 06:01 -------- d-----w c:\documents and settings\Student\Application Data\Thinking Minds Budiling Bytes
2009-04-10 01:41 . 2009-04-10 01:41 73 ----a-w c:\windows\EurekaLog.ini
2009-04-10 01:18 . 2009-04-10 01:18 -------- d-----w c:\documents and settings\Student\Application Data\URSoft
2009-04-10 01:18 . 2009-04-11 20:15 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-10 01:18 . 2009-04-11 21:42 -------- d-----w c:\program files\Your Uninstaller 2008
2009-04-10 00:01 . 2009-04-10 00:05 -------- d-----w c:\program files\SystemRequirementsLab
2009-04-10 00:01 . 2009-04-10 00:01 -------- d-----w c:\documents and settings\Student\Application Data\SystemRequirementsLab
2009-04-09 02:37 . 2009-04-09 02:37 6144 --sha-w c:\windows\system32\Thumbs.db
2009-04-08 05:40 . 2009-04-08 05:40 4096 ----a-w c:\windows\d3dx.dat
2009-04-07 19:13 . 2009-04-07 19:13 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-04-07 05:09 . 2009-04-07 05:09 -------- d-----w c:\windows\system32\Adobe
2009-04-04 22:42 . 2009-04-04 22:42 -------- d-----w c:\program files\JanSoft
2009-04-04 22:33 . 2004-01-08 18:38 208896 ----a-w c:\windows\system\lame_enc.dll
2009-04-04 21:42 . 2009-04-04 21:42 -------- d-----w c:\documents and settings\Student\Application Data\dvdcss
2009-04-04 18:55 . 2007-06-29 21:47 34304 ----a-w c:\windows\system32\drivers\AmdLLD.sys
2009-04-04 18:55 . 2009-04-04 18:55 -------- d-----w c:\program files\AMD
2009-04-04 18:50 . 2009-04-04 18:51 -------- d-----w c:\windows\system32\The Future Is Fusion dir
2009-04-04 18:50 . 2009-04-04 18:50 520192 ----a-w c:\windows\system32\The Future Is Fusion.scr
2009-04-04 02:12 . 2009-04-04 02:12 -------- d-----w c:\program files\Ubisoft
2009-04-03 06:51 . 2004-08-04 07:56 21504 -c--a-w c:\windows\system32\dllcache\hidserv.dll
2009-04-03 06:51 . 2004-08-04 07:56 21504 ----a-w c:\windows\system32\hidserv.dll
2009-04-02 23:01 . 2009-04-04 02:01 -------- d-----w c:\program files\the Rosenrot Screensaver
2009-03-31 21:42 . 2009-03-31 21:51 -------- d-----w c:\documents and settings\Student\Application Data\vlc
2009-03-31 21:41 . 2009-03-31 21:41 -------- d-----w c:\program files\VideoLAN
2009-03-31 21:18 . 2008-12-20 23:15 52224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-31 21:18 . 2008-12-20 23:15 459264 -c----w c:\windows\system32\dllcache\msfeeds.dll
2009-03-31 21:18 . 2008-12-20 23:15 267776 -c----w c:\windows\system32\dllcache\iertutil.dll
2009-03-31 21:18 . 2008-12-20 23:15 6066688 -c----w c:\windows\system32\dllcache\ieframe.dll
2009-03-31 21:18 . 2008-12-20 23:15 383488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
2009-03-31 21:18 . 2008-12-19 09:10 13824 -c----w c:\windows\system32\dllcache\ieudinit.exe
2009-03-31 21:18 . 2007-03-08 05:10 991232 -c----w c:\windows\system32\dllcache\ieframe.dll.mui
2009-03-31 21:18 . 2008-12-20 23:15 63488 -c----w c:\windows\system32\dllcache\icardie.dll
2009-03-31 21:18 . 2007-04-17 09:32 2455488 -c----w c:\windows\system32\dllcache\ieapfltr.dat
2009-03-31 20:30 . 2009-03-31 20:30 253688 ----a-w c:\windows\system32\cssdll32.dll.vir
2009-03-31 20:30 . 2009-04-01 08:07 -------- d-----w c:\program files\AskBarDis
2009-03-31 20:26 . 2009-03-31 23:47 -------- d-----w c:\documents and settings\All Users\Application Data\Comodo
2009-03-31 20:26 . 2009-03-31 23:50 -------- d-----w c:\program files\COMODO
2009-03-31 20:24 . 2009-03-31 20:24 -------- d-----w c:\windows\system32\CatRoot_bak
2009-03-31 00:33 . 2009-03-31 00:33 -------- d-----w c:\program files\PQDVD
2009-03-30 22:36 . 2009-03-30 22:36 -------- d-----w c:\program files\Xiph.Org
2009-03-29 02:25 . 2009-03-31 22:15 -------- d-----w c:\program files\Peretek
2009-03-29 00:18 . 2009-03-29 00:18 -------- d-----w c:\documents and settings\Student\Local Settings\Application Data\SRS Labs
2009-03-29 00:18 . 2009-03-29 00:18 -------- d-----w c:\documents and settings\All Users\Application Data\SRS Labs
2009-03-29 00:16 . 2007-07-26 16:25 39808 ----a-r c:\windows\system32\drivers\SRS_SSCFilter_i386.sys
2009-03-29 00:16 . 2007-07-26 16:25 42112 ----a-r c:\windows\system32\drivers\csiidecoder_kern_i386.sys
2009-03-29 00:16 . 2007-07-26 16:25 47360 ----a-r c:\windows\system32\drivers\Surroundhp_kern_i386.sys
2009-03-29 00:16 . 2007-07-26 16:25 47104 ----a-r c:\windows\system32\drivers\tshd4_kern_i386.sys
2009-03-29 00:16 . 2007-07-26 16:25 32000 ----a-r c:\windows\system32\drivers\wowhd_kern_i386.sys
2009-03-29 00:16 . 2009-03-29 00:16 -------- d-----w c:\program files\SRS Labs
2009-03-25 09:12 . 2009-04-02 22:58 818753 ----a-w c:\windows\system32\the FarCry River Screensaver.scr
2009-03-25 09:10 . 2009-04-13 05:54 -------- d-----w c:\program files\the FarCry River Screensaver
2009-03-25 09:08 . 2009-03-31 22:15 -------- d-----w c:\program files\the FarCry Slideshow
2009-03-25 09:06 . 2009-03-25 09:06 818753 ----a-w c:\windows\system32\My Screensaver.scr
2009-03-25 02:41 . 2009-03-25 02:41 -------- d-----w c:\program files\Audacity
2009-03-22 06:04 . 2009-03-25 06:31 -------- d-----w c:\documents and settings\Student\Application Data\IGN_DLM
2009-03-21 06:18 . 2009-03-21 06:18 -------- d-----w c:\program files\Common Files\DirectX
2009-03-21 06:16 . 2009-04-11 20:33 -------- d-----w c:\program files\SCi Games
2009-03-21 02:56 . 2009-03-21 02:56 -------- d-----w c:\program files\Trend Micro
2009-03-21 01:57 . 2009-03-21 02:03 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-21 01:57 . 2009-03-21 02:03 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-21 01:56 . 2009-03-21 01:56 -------- d-----w c:\documents and settings\Student\Application Data\Uniblue
2009-03-21 01:55 . 2009-04-11 20:18 -------- dc-h--w c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-03-21 01:35 . 2009-03-21 01:35 -------- d-----w c:\documents and settings\Student\Application Data\Simply Super Software
2009-03-20 19:07 . 2009-04-16 05:07 7680 --sha-w c:\windows\Thumbs.db
2009-03-20 04:00 . 2009-04-10 07:21 -------- d-----w c:\program files\OgreDemo
2009-03-19 20:57 . 2009-03-19 20:57 -------- d-----w c:\documents and settings\Student\Application Data\.ZMatrix
2009-03-19 20:57 . 2009-03-20 06:24 -------- d-----w c:\program files\ZMatrix
2009-03-19 20:57 . 2009-03-19 20:57 68 ----a-w c:\windows\ZMatrixSS.ini
2009-03-19 20:54 . 2009-03-19 20:54 -------- d-----w c:\program files\KellySoftware
2009-03-19 00:00 . 2009-03-19 01:18 -------- d-----w c:\program files\MyBot
2009-03-18 23:56 . 2009-03-18 23:57 -------- d-----w c:\program files\Buddy Icon Maker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-16 21:17 . 2007-06-08 21:46 -------- d-----w c:\program files\OfficeScan NT
2009-04-16 16:34 . 2009-03-17 08:24 -------- d-----w c:\program files\Isotope244 Graphics
2009-04-14 08:46 . 2006-02-28 12:00 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-13 02:10 . 2006-07-11 05:47 -------- d-----w c:\program files\Java
2009-04-12 20:08 . 2006-02-28 12:00 14336 ----a-w c:\windows\system32\svchost.exe
2009-04-12 02:41 . 2009-04-12 02:23 136 ----a-w C:\VundoFix.txt
2009-04-11 20:31 . 2006-07-11 05:39 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-10 07:13 . 2009-03-14 05:54 -------- d-----w c:\program files\Extension Changer
2009-04-10 01:24 . 2009-03-14 01:39 -------- d-----w c:\program files\Common Files\Apple
2009-04-07 01:23 . 2009-03-13 03:56 45680 ----a-w c:\documents and settings\Student\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-21 02:05 . 2009-03-14 01:42 -------- d-----w c:\program files\Bonjour
2009-03-21 01:28 . 2009-03-14 01:40 -------- d-----w c:\program files\QuickTime
2009-03-18 06:11 . 2009-03-15 02:47 -------- d-----w c:\program files\YouTube Downloader
2009-03-18 06:11 . 2009-03-13 02:12 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-17 23:27 . 2009-03-17 08:24 -------- d-----w c:\documents and settings\Student\Application Data\Isotope 244
2009-03-16 09:36 . 2009-03-16 09:18 103509 ----a-w c:\windows\hpoins04.dat
2009-03-16 09:36 . 2009-03-16 09:36 -------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-03-16 09:36 . 2006-07-11 05:39 -------- d-----w c:\program files\Hewlett-Packard
2009-03-16 09:34 . 2006-07-11 05:56 -------- d-----w c:\program files\Hp
2009-03-15 00:30 . 2009-03-15 00:30 98304 ----a-w c:\windows\system32\CmdLineExt.dll
2009-03-14 23:55 . 2009-03-14 23:55 -------- d-----w c:\program files\Rockstar Games
2009-03-14 04:09 . 2009-03-14 04:08 -------- d-----w c:\program files\Paint.NET
2009-03-14 01:49 . 2009-03-14 01:43 -------- d-----w c:\documents and settings\Student\Application Data\Apple Computer
2009-03-14 01:43 . 2009-03-14 01:42 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-14 01:42 . 2009-03-14 01:40 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-14 01:40 . 2009-03-14 01:40 -------- d-----w c:\program files\Apple Software Update
2009-03-14 01:39 . 2009-03-14 01:39 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-03-13 17:42 . 2009-03-13 17:42 -------- d-----w c:\documents and settings\Student\Application Data\Sonic
2009-03-13 17:42 . 2009-03-13 17:42 -------- d-----w c:\documents and settings\Student\Application Data\Leadertech
2009-03-13 03:55 . 2009-03-13 03:55 -------- d-----w c:\documents and settings\All Users\Application Data\ATI
2009-03-13 03:55 . 2007-06-15 02:11 -------- d-----w c:\documents and settings\Student\Application Data\ATI
2009-03-13 02:09 . 2006-07-11 06:10 -------- d-----w c:\program files\Windows Media Connect
2009-03-13 02:02 . 2009-03-13 02:01 -------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2009-03-13 02:01 . 2009-03-13 02:01 -------- d-----w c:\documents and settings\Student\Application Data\acccore
2009-03-13 02:01 . 2009-03-12 23:00 461 ---ha-w C:\IPH.PH
2009-03-13 02:01 . 2009-03-13 02:00 -------- d-----w c:\program files\AIM6
2009-03-13 02:01 . 2009-03-13 02:01 -------- d-----w c:\program files\Viewpoint
2009-03-13 02:01 . 2009-03-13 02:01 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-13 02:01 . 2009-03-13 02:01 -------- d-----w c:\documents and settings\All Users\Application Data\acccore
2009-03-13 02:01 . 2009-03-13 02:01 -------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-13 02:00 . 2009-03-13 02:00 -------- d-----w c:\program files\Common Files\AOL
2009-03-12 22:29 . 2006-07-11 05:54 -------- d-----w c:\program files\ATI Technologies
2009-03-12 22:19 . 2007-05-17 22:57 -------- d-----w c:\documents and settings\Administrator\Application Data\ATI
2009-03-12 22:19 . 2007-05-10 00:16 -------- d-----w c:\documents and settings\admin\Application Data\ATI
2009-03-12 22:07 . 2009-03-12 21:32 -------- d-----w c:\program files\Microsoft Games
2009-03-12 21:40 . 2009-03-12 21:40 109208 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-03-12 21:39 . 2009-03-12 21:39 -------- d-----w c:\program files\MSBuild
2009-03-12 21:39 . 2009-03-12 21:39 -------- d-----w c:\program files\Reference Assemblies
2009-03-12 21:34 . 2009-03-12 21:34 -------- d-----w c:\program files\MSXML 6.0
2009-03-12 21:19 . 2009-03-12 21:19 -------- d-----w c:\program files\RADVideo
2009-03-12 21:19 . 2009-03-12 21:19 -------- d-----w c:\program files\Opera
2009-03-09 12:19 . 2009-03-16 22:56 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-10 07:46 . 2009-02-10 07:46 3013120 ----a-w c:\windows\Matrix_ks.SCR
2009-02-09 10:19 . 2006-02-28 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-04 05:03 . 2009-02-04 05:03 290816 ----a-w c:\windows\system32\atiok3x2.dll
2009-02-04 04:56 . 2009-02-04 04:56 442368 ----a-w c:\windows\system32\ATIDEMGX.dll
2009-02-04 04:44 . 2009-02-04 04:44 155648 ----a-w c:\windows\system32\Oemdspif.dll
2009-02-04 04:13 . 2009-02-04 04:13 887724 ----a-w c:\windows\system32\ativva6x.dat
2009-02-04 04:13 . 2009-02-04 04:13 3107788 ----a-w c:\windows\system32\ativva5x.dat
2009-02-04 04:05 . 2009-03-12 22:17 593920 ------w c:\windows\system32\ati2sgag.exe
2009-02-04 03:58 . 2009-02-04 03:58 49664 ----a-w c:\windows\system32\amdpcom32.dll
2009-02-04 03:53 . 2009-02-04 03:53 122880 ----a-w c:\windows\system32\atiadlxx.dll
2009-02-04 02:43 . 2009-02-04 02:43 45056 ----a-w c:\windows\system32\aticalrt.dll
2009-02-04 02:42 . 2009-02-04 02:42 45056 ----a-w c:\windows\system32\aticalcl.dll
2009-02-04 02:40 . 2009-02-04 02:40 3244032 ----a-w c:\windows\system32\aticaldd.dll
2007-06-26 00:53 . 2007-06-26 00:53 33456 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-06-15 02:16 . 2007-06-15 02:11 130 ----a-w c:\documents and settings\Student\Local Settings\Application Data\fusioncache.dat
2007-06-08 02:33 . 2007-05-17 22:57 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2007-05-10 00:18 . 2007-05-10 00:16 128 ----a-w c:\documents and settings\admin\Local Settings\Application Data\fusioncache.dat
2009-01-11 20:08 . 2009-01-11 20:08 71680 --sha-w c:\windows\system32\watekaho.dll.vir
.

((((((((((((((((((((((((((((( SnapShot@2009-04-12_18.49.35.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-16 21:17 . 2009-04-16 21:17 16384 c:\windows\Temp\Perflib_Perfdata_678.dat
- 2009-04-04 02:13 . 2009-04-04 02:13 40960 c:\windows\Installer\{471BB1D9-6F59-4093-B46D-373772D5C111}\PlayFarCryShortcut_5D5785608EA2413A81BC34862580C935.exe
+ 2009-04-15 22:29 . 2009-04-15 22:29 40960 c:\windows\Installer\{471BB1D9-6F59-4093-B46D-373772D5C111}\PlayFarCryShortcut_5D5785608EA2413A81BC34862580C935.exe
- 2009-04-04 02:13 . 2009-04-04 02:13 40960 c:\windows\Installer\{471BB1D9-6F59-4093-B46D-373772D5C111}\FarCryDesktopShortcu_5D5785608EA2413A81BC34862580C935.exe
+ 2009-04-15 22:29 . 2009-04-15 22:29 40960 c:\windows\Installer\{471BB1D9-6F59-4093-B46D-373772D5C111}\FarCryDesktopShortcu_5D5785608EA2413A81BC34862580C935.exe
+ 2009-04-15 08:05 . 2009-04-15 08:05 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\WBOCXLib\4ab8d146645c38200663578f909d1412\WBOCXLib.ni.dll
+ 2009-04-15 08:05 . 2009-04-15 08:05 73728 c:\windows\assembly\NativeImages_v2.0.50727_32\StardockCentralDSkin\e42dd94dbccbafc11a9de0f980027210\StardockCentralDSkin.ni.dll
+ 2009-04-15 08:03 . 2009-04-15 08:03 55296 c:\windows\assembly\NativeImages_v2.0.50727_32\Stardock.Central.Se#\2f47bba10e7be4921155b60df8f6b1c1\Stardock.Central.Security.ni.dll
+ 2009-04-15 08:03 . 2009-04-15 08:03 17920 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualC\cd0730694ba5927a6efd32129783e1b4\Microsoft.VisualC.ni.dll
- 2009-04-04 02:13 . 2009-04-04 02:13 2238 c:\windows\Installer\{471BB1D9-6F59-4093-B46D-373772D5C111}\ARPPRODUCTICON.exe
+ 2009-04-15 22:29 . 2009-04-15 22:29 2238 c:\windows\Installer\{471BB1D9-6F59-4093-B46D-373772D5C111}\ARPPRODUCTICON.exe
+ 2006-08-31 19:34 . 2006-08-31 19:34 516161 c:\windows\system32\ss244tie.scr
+ 2004-01-12 21:52 . 2004-01-12 21:52 606280 c:\windows\system32\ss244ld.scr
- 2009-03-16 22:56 . 2009-03-16 22:55 148888 c:\windows\system32\javaws.exe
+ 2009-04-13 02:10 . 2009-03-09 12:19 148888 c:\windows\system32\javaws.exe
- 2009-03-16 22:56 . 2009-03-16 22:55 144792 c:\windows\system32\javaw.exe
+ 2009-04-13 02:10 . 2009-03-09 12:19 144792 c:\windows\system32\javaw.exe
+ 2009-04-13 02:10 . 2009-03-09 12:19 144792 c:\windows\system32\java.exe
- 2009-03-16 22:56 . 2009-03-16 22:55 144792 c:\windows\system32\java.exe
+ 2005-11-02 15:35 . 2005-11-02 15:35 162304 c:\windows\system32\fmod.dll
+ 2006-02-28 12:00 . 2009-04-14 08:46 182912 c:\windows\system32\dllcache\ndis.sys
+ 2009-04-15 08:04 . 2009-04-15 08:04 282624 c:\windows\assembly\NativeImages_v2.0.50727_32\VistaBridgeLibrary\c6e1dd3086ade6ca4527a09892616618\VistaBridgeLibrary.ni.dll
+ 2009-04-15 08:04 . 2009-04-15 08:04 499712 c:\windows\assembly\NativeImages_v2.0.50727_32\VDialog\67a74495a83ad45cdb19d1a5a78a5e3a\VDialog.ni.dll
+ 2009-04-15 08:03 . 2009-04-15 08:03 815104 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\0898f6c1de8cb89413d206e3d6a3ce1d\System.Runtime.Remoting.ni.dll
+ 2009-04-15 08:05 . 2009-04-15 08:05 229376 c:\windows\assembly\NativeImages_v2.0.50727_32\SharpBITS.Base\7c5adebe6d676d54766dc1e6be41928f\SharpBITS.Base.ni.dll
+ 2009-04-15 08:04 . 2009-04-15 08:04 229376 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd\c34911272b8fd42f8a97b9759e037cbb\Sd.ni.dll
+ 2009-04-15 08:05 . 2009-04-15 08:05 450560 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Zip\750b105dcb921d1c86dcc43660525dc7\Sd.Zip.ni.dll
+ 2009-04-15 08:05 . 2009-04-15 08:05 770048 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Web\45cddd9816b79bff2ec0ad9f44e8591e\Sd.Web.ni.dll
+ 2009-04-15 08:05 . 2009-04-15 08:05 102400 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Uninstall\59e3c46bdc127231e538240d83b29cf7\Sd.Uninstall.ni.dll
+ 2009-04-15 08:04 . 2009-04-15 08:04 167936 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.UI\f20b33e8d0a3cc6771e5558bc1d6e609\Sd.UI.ni.dll
+ 2009-04-15 08:04 . 2009-04-15 08:04 843776 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Irc\edc16d7bc521ec79faea73fa13aeaac5\Sd.Irc.ni.dll
+ 2009-04-15 08:05 . 2009-04-15 08:05 303104 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.InstallManager\ecefd9763e06f3c8ada4bf99ed914a75\Sd.InstallManager.ni.dll
+ 2009-04-15 08:05 . 2009-04-15 08:05 569344 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Common.XmlSerial#\0c6544996cf191972c3386fed5fe528d\Sd.Common.XmlSerializers.ni.dll
+ 2009-04-15 08:05 . 2009-04-15 08:05 643072 c:\windows\assembly\NativeImages_v2.0.50727_32\sd.central.cvp.serv#\7f4c0711a0e144e38f984efccaf447b2\sd.central.cvp.server.ni.dll
+ 2009-04-15 08:05 . 2009-04-15 08:05 147456 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Central.Archive\fc6a6ef8f2ee10b48038f91b95bdb693\Sd.Central.Archive.ni.dll
+ 2009-04-15 08:05 . 2009-04-15 08:05 335872 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Central.Archive.#\b6e50462fae9a8a4ef3620177e71b19f\Sd.Central.Archive.XmlSerializers.ni.dll
+ 2009-04-15 08:05 . 2009-04-15 08:05 331776 c:\windows\assembly\NativeImages_v2.0.50727_32\MyDock.Util\98e03556d9e4c3cc42e58229ab312217\MyDock.Util.ni.dll
+ 2009-04-15 08:05 . 2009-04-15 08:05 118784 c:\windows\assembly\NativeImages_v2.0.50727_32\Interop.IWshRuntime#\a3b00a471b21a87bbd11d8646a134b94\Interop.IWshRuntimeLibrary.ni.dll
+ 2009-04-15 08:03 . 2009-04-15 08:03 700416 c:\windows\assembly\NativeImages_v2.0.50727_32\ICSharpCode.SharpZi#\9ecc5b644b392cf96b88a9b9a5f7f1e6\ICSharpCode.SharpZipLib.ni.dll
+ 2009-04-15 08:03 . 2009-04-15 08:03 1183744 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.OracleC#\1abdb47765d0696a2fc0a1095bac0249\System.Data.OracleClient.ni.dll
+ 2009-04-15 08:03 . 2009-04-15 08:03 1282048 c:\windows\assembly\NativeImages_v2.0.50727_32\Sd.Common\582738e89f90221677ad8b1d501acb0c\Sd.Common.ni.dll
+ 2009-04-15 08:05 . 2009-04-15 08:05 5959680 c:\windows\assembly\NativeImages_v2.0.50727_32\Impulse\b8b2a17619c4c2e0ee2309cc22a3661d\Impulse.ni.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4c39ece2-e0cf-4110-affc-c119de4ce517}]
c:\windows\system32\duputiva.dll [BU]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B2BA40A2-74F3-42BD-F434-2604812C8954}]
c:\windows\system32\hsf73ikmdf3f.dll [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

c:\documents and settings\Student\Start Menu\Programs\Startup\
ImpulseNow.lnk - c:\program files\Stardock\Impulse\Now\ImpulseNow.exe [2009-4-7 323584]
Stardock ObjectDock.lnk - c:\program files\Stardock\Object Desktop\ObjectDock\ObjectDock.exe [2009-4-15 3446512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-2-15 581693]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-5-9 184320]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 1 (0x1)
"DisableLockWorkstation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
"NoNetConnectDisconnect"= 1 (0x1)
"NoManageMyComputerVerb"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoStartMenuNetworkPlaces"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoThemesTab"= 1 (0x1)
"NoPropertiesRecycleBin"= 1 (0x1)
"NoFolderOptions"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{B2BA40A2-74F3-42BD-F434-2604812C8954}"= "c:\windows\system32\hsf73ikmdf3f.dll" [BU]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\zesiyaza.dll" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zesiyaza.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 06:34 24576 ----a-w c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli mshpoce.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloce.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Student\\Desktop\\Black & White\\Black and White\\runblack.exe"=
"c:\\Program Files\\Internet Explorer\\iexplore.exe"=
"c:\\WINDOWS\\explorer.exe"=
"c:\\WINDOWS\\system32\\logonui.exe"=
"c:\\WINDOWS\\system32\\winlogon.exe"=
"c:\\Documents and Settings\\Student\\Application Data\\Sp4rkMod\\armorsurf.exe"=

S2 TmFilter;Trend Micro Filter;c:\program files\OfficeScan NT\TmXPFlt.sys [2008-11-27 205328]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\OfficeScan NT\TmPreFlt.sys [2008-11-27 36368]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2005-10-21 36352]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1003ad07-1bb1-11de-949c-0017a4e3bc5c}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com g:
\Shell\Open\command - f:\resycled\ntldr.com g:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4191f182-22ea-11de-94a3-0017a4e3bc5c}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com g:
\Shell\Open\command - f:\resycled\ntldr.com g:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ae2a78f-10f2-11de-9491-0017a4e3bc5c}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com g:
\Shell\Open\command - e:\resycled\ntldr.com g:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9094bbc2-12c4-11de-9493-0017a4e3bc5c}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com e:
\Shell\Open\command - g:\resycled\ntldr.com e:
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://schools.connectionsacademy.com/
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: aim.com\www
Trusted Zone: aol.com\iknowthat.school
Trusted Zone: aolatschool.com\www
Trusted Zone: atwola.com\ar
Trusted Zone: atwola.com\www.ar
Trusted Zone: brainpop.com\www
Trusted Zone: connectionsacademy.com\schools
Trusted Zone: D
Trusted Zone: edgate.com\www
Trusted Zone: letsgolearn.com\www
Trusted Zone: msnbc.com
Trusted Zone: passport.net\login
Trusted Zone: schoolnotes.com
Trusted Zone: teacherweb.com
Trusted Zone: worldbookonline.com\www
FF - ProfilePath - c:\documents and settings\Student\Application Data\Mozilla\Firefox\Profiles\qhfqqwfy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.isotope244.com/
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-16 14:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????,?@? ????Z??????R?@?????,?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET CLR Data]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET CLR Networking]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET Data Provider for Oracle]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET Data Provider for SqlServer]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NETFramework]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Abiosdsk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\abp480n5]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI]
"ImagePath"="system32\DRIVERS\ACPI.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPIEC]
"ImagePath"="system32\DRIVERS\ACPIEC.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ADIHdAudAddService]
"ImagePath"="system32\drivers\ADIHdAud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\adpu160m]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AEAudioService]
"ImagePath"="system32\drivers\AEAudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aec]
"ImagePath"="system32\drivers\aec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AFD]
"ImagePath"="\SystemRoot\System32\drivers\afd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Aha154x]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78u2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78xx]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Alerter]
"ServiceDll"="%SystemRoot%\system32\alrsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALG]
"ImagePath"="%SystemRoot%\System32\alg.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AliIde]
"ImagePath"="system32\DRIVERS\aliide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AmdK8]
"ImagePath"="system32\DRIVERS\AmdK8.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AmdLLD]
"ImagePath"="system32\DRIVERS\AmdLLD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\amsint]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppMgmt]
"ServiceDll"="%SystemRoot%\System32\appmgmts.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Arp1394]
"ImagePath"="system32\DRIVERS\arp1394.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3350p]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3550]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET_1.1.4322]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET_2.0.50727]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aspnet_state]
"ImagePath"="%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AsyncMac]
"ImagePath"="system32\DRIVERS\asyncmac.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="system32\DRIVERS\atapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atdisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ati HotKey Poller]
"ImagePath"="%SystemRoot%\system32\Ati2evxx.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ATI Smart]
"ImagePath"="c:\windows\system32\ati2sgag.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ati2mtag]
"ImagePath"="system32\DRIVERS\ati2mtag.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atierecord]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atmarpc]
"ImagePath"="system32\DRIVERS\atmarpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ATSWPDRV]
"ImagePath"="system32\DRIVERS\ATSwpDrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AudioSrv]
"ServiceDll"="%SystemRoot%\System32\audiosrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\audstub]
"ImagePath"="system32\DRIVERS\audstub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b57w2k]
"ImagePath"="system32\DRIVERS\b57xp32.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BattC]
"MofImagePath"="System32\Drivers\battc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BCM43XX]
"ImagePath"="system32\DRIVERS\bcmwl5.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Beep]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BITS]
"ServiceDll"="c:\windows\system32\qmgr.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Bonjour Service]
"ImagePath"="\"c:\program files\Bonjour\mDNSResponder.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Browser]
"ServiceDll"="%SystemRoot%\System32\browser.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BTKRNL]
"ImagePath"="system32\DRIVERS\btkrnl.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\btwdins]
"ImagePath"="c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BTWUSB]
"ImagePath"="System32\Drivers\btwusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CA561]
"ImagePath"="System32\Drivers\SPCA561.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
"ImagePath"="\??\c:\docume~1\Student\LOCALS~1\Temp\catchme.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cbidf2k]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CCDECODE]
"ImagePath"="system32\DRIVERS\CCDECODE.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cd20xrnt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdaudio]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdrom]
"ImagePath"="system32\DRIVERS\cdrom.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Changer]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CiSvc]
"ImagePath"="%SystemRoot%\system32\cisvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ClipSrv]
"ImagePath"="%SystemRoot%\system32\clipsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clr_optimization_v2.0.50727_32]
"ImagePath"="c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CmBatt]
"ImagePath"="system32\DRIVERS\CmBatt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CmdIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Compbatt]
"ImagePath"="system32\DRIVERS\compbatt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\COMSysApp]
"ImagePath"="c:\windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContentFilter]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContentIndex]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cpqarray]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CryptSvc]
"ServiceDll"="%SystemRoot%\System32\cryptsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac2w2k]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac960nt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DcomLaunch]
"ServiceDll"="%SystemRoot%\system32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dhcp]
"ServiceDll"="%SystemRoot%\System32\dhcpcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Disk]
"ImagePath"="system32\DRIVERS\disk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLABOIOM]
"ImagePath"="System32\DLA\DLABOIOM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLACDBHM]
"ImagePath"="System32\Drivers\DLACDBHM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLADResN]
"ImagePath"="System32\DLA\DLADResN.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLAIFS_M]
"ImagePath"="System32\DLA\DLAIFS_M.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLAOPIOM]
"ImagePath"="System32\DLA\DLAOPIOM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLAPoolM]
"ImagePath"="System32\DLA\DLAPoolM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLARTL_N]
"ImagePath"="System32\Drivers\DLARTL_N.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLAUDFAM]
"ImagePath"="System32\DLA\DLAUDFAM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLAUDF_M]
"ImagePath"="System32\DLA\DLAUDF_M.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmadmin]
"ImagePath"="%SystemRoot%\System32\dmadmin.exe /com"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmboot]
"ImagePath"="System32\drivers\dmboot.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmio]
"ImagePath"="system32\DRIVERS\dmio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmload]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmserver]
"ServiceDll"="%SystemRoot%\System32\dmserver.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DMusic]
"ImagePath"="system32\drivers\DMusic.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dnscache]
"ServiceDll"="%SystemRoot%\System32\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dpti2o]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\drmkaud]
"ImagePath"="system32\drivers\drmkaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DRVMCDB]
"ImagePath"="System32\Drivers\DRVMCDB.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DRVNDDM]
"ImagePath"="System32\Drivers\DRVNDDM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eabfiltr]
"ImagePath"="system32\DRIVERS\eabfiltr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eabusb]
"ImagePath"="system32\DRIVERS\eabusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ERSvc]
"ServiceDll"="%SystemRoot%\System32\ersvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Eventlog]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventSystem]
"ServiceDll"="c:\windows\system32\es.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fastfat]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FastUserSwitchingCompatibility]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FCI]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc]
"ImagePath"="system32\DRIVERS\fdc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fips]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]
"ImagePath"="system32\DRIVERS\flpydisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FltMgr]
"ImagePath"="system32\DRIVERS\fltMgr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FontCache3.0.0.0]
"ImagePath"="c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fs_Rec]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ftdisk]
"ImagePath"="system32\DRIVERS\ftdisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GEARAspiWDM]
"ImagePath"="system32\DRIVERS\GEARAspiWDM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Gpc]
"ImagePath"="system32\DRIVERS\msgpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HBtnKey]
"ImagePath"="system32\DRIVERS\cpqbttn.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HDAudBus]
"ImagePath"="system32\DRIVERS\HDAudBus.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\helpsvc]
"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidServ]
"ServiceDll"="%SystemRoot%\System32\hidserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidUsb]
"ImagePath"="system32\DRIVERS\hidusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpn]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpqwmiex]
"ImagePath"="c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZid412]
"ImagePath"="system32\DRIVERS\HPZid412.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZipr12]
"ImagePath"="system32\DRIVERS\HPZipr12.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZius12]
"ImagePath"="system32\DRIVERS\HPZius12.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HSFHWAZL]
"ImagePath"="system32\DRIVERS\HSFHWAZL.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HSF_DPV]
"ImagePath"="system32\DRIVERS\HSF_DPV.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTP]
"ImagePath"="System32\Drivers\HTTP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTPFilter]
"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omgmt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omp]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i8042prt]
"ImagePath"="system32\DRIVERS\i8042prt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDriverT]
"ImagePath"="\"c:\program files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\idsvc]
"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IFXTPM]
"ImagePath"="system32\DRIVERS\IFXTPM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Imapi]
"ImagePath"="system32\DRIVERS\imapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ImapiService]
"ImagePath"="c:\windows\system32\imapi.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\inetaccs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ini910u]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Inport]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IntelIde]
"ImagePath"="system32\DRIVERS\intelide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ip6Fw]
"ImagePath"="system32\DRIVERS\Ip6Fw.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpFilterDriver]
"ImagePath"="system32\DRIVERS\ipfltdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpInIp]
"ImagePath"="system32\DRIVERS\ipinip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpNat]
"ImagePath"="system32\DRIVERS\ipnat.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iPod Service]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IPSec]
"ImagePath"="system32\DRIVERS\ipsec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IRENUM]

 

[Guilty Sp4rk]

Here's the rest:

"ImagePath"="system32\DRIVERS\irenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ISAPISearch]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\isapnp]
"ImagePath"="system32\DRIVERS\isapnp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\JavaQuickStarterService]
"ImagePath"="\"c:\program files\Java\jre6\bin\jqs.exe\" -service -config \"c:\program files\Java\jre6\lib\deploy\jqs\jqs.conf\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Kbdclass]
"ImagePath"="system32\DRIVERS\kbdclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbdhid]
"ImagePath"="system32\DRIVERS\kbdhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kmixer]
"ImagePath"="system32\drivers\kmixer.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KSecDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanserver]
"ServiceDll"="%SystemRoot%\System32\srvsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanworkstation]
"ServiceDll"="%SystemRoot%\System32\wkssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lbrtfdc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ldap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LicenseService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LightScribeService]
"ImagePath"="\"c:\program files\Common Files\LightScribe\LSSrvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LmHosts]
"ServiceDll"="%SystemRoot%\System32\lmhsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MDM]
"ImagePath"="\"c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mdmxsdk]
"ImagePath"="system32\DRIVERS\mdmxsdk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Messenger]
"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmdd]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmsrvc]
"ImagePath"="c:\windows\system32\mnmsrvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Modem]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mouclass]
"ImagePath"="system32\DRIVERS\mouclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mouhid]
"ImagePath"="system32\DRIVERS\mouhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MountMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mraid35x]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxDAV]
"ImagePath"="system32\DRIVERS\mrxdav.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxSmb]
"ImagePath"="system32\DRIVERS\mrxsmb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC]
"ImagePath"="c:\windows\system32\msdtc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC Bridge 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Msfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSIServer]
"ImagePath"="c:\windows\system32\msiexec.exe /V"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSKSSRV]
"ImagePath"="system32\drivers\MSKSSRV.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPCLOCK]
"ImagePath"="system32\drivers\MSPCLOCK.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPQM]
"ImagePath"="system32\drivers\MSPQM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mssmbios]
"ImagePath"="system32\DRIVERS\mssmbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSTEE]
"ImagePath"="system32\drivers\MSTEE.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mup]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NABTSFEC]
"ImagePath"="system32\DRIVERS\NABTSFEC.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDIS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisIP]
"ImagePath"="system32\DRIVERS\NdisIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisTapi]
"ImagePath"="system32\DRIVERS\ndistapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ndisuio]
"ImagePath"="system32\DRIVERS\ndisuio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisWan]
"ImagePath"="system32\DRIVERS\ndiswan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDProxy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBIOS]
"ImagePath"="system32\DRIVERS\netbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT]
"ImagePath"="system32\DRIVERS\netbt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDE]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDEdsdm]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netlogon]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netman]
"ServiceDll"="%SystemRoot%\System32\netman.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetTcpPortSharing]
"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIC1394]
"ImagePath"="system32\DRIVERS\nic1394.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Nla]
"ServiceDll"="%SystemRoot%\System32\mswsock.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Npfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ntfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtLmSsp]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc]
"ServiceDll"="%SystemRoot%\system32\ntmssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ntrtscan]
"ImagePath"="c:\program files\OfficeScan NT\ntrtscan.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Null]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFlt]
"ImagePath"="system32\DRIVERS\nwlnkflt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFwd]
"ImagePath"="system32\DRIVERS\nwlnkfwd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ohci1394]
"ImagePath"="system32\DRIVERS\ohci1394.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Parport]
"ImagePath"="system32\DRIVERS\parport.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PartMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ParVdm]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCI]
"ImagePath"="system32\DRIVERS\pci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIDump]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIIde]
"ImagePath"="system32\DRIVERS\pciide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pcmcia]
"ImagePath"="system32\DRIVERS\pcmcia.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDCOMP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRELI]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2hib]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfDisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfNet]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfOS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfProc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PlugPlay]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PolicyAgent]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PptpMiniport]
"ImagePath"="system32\DRIVERS\raspptp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Processor]
"ImagePath"="system32\DRIVERS\processr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ProtectedStorage]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSched]
"ImagePath"="system32\DRIVERS\psched.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ptilink]
"ImagePath"="system32\DRIVERS\ptilink.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PxHelp20]
"ImagePath"="System32\Drivers\PxHelp20.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1080]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ql10wnt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql12160]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1240]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1280]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAcd]
"ImagePath"="system32\DRIVERS\rasacd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAuto]
"ServiceDll"="%SystemRoot%\System32\rasauto.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rasirda]
"ImagePath"="system32\DRIVERS\rasirda.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rasl2tp]
"ImagePath"="system32\DRIVERS\rasl2tp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasMan]
"ServiceDll"="%SystemRoot%\System32\rasmans.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasPppoe]
"ImagePath"="system32\DRIVERS\raspppoe.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Raspti]
"ImagePath"="system32\DRIVERS\raspti.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rdbss]
"ImagePath"="system32\DRIVERS\rdbss.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPCDD]
"ImagePath"="System32\DRIVERS\RDPCDD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rdpdr]
"ImagePath"="system32\DRIVERS\rdpdr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPNP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPWD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDSessMgr]
"ImagePath"="c:\windows\system32\sessmgr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
"ImagePath"="system32\DRIVERS\redbook.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteAccess]
"ServiceDll"="%SystemRoot%\System32\mprdim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteRegistry]
"ServiceDll"="%SystemRoot%\system32\regsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcLocator]
"ImagePath"="%SystemRoot%\system32\locator.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcSs]
"ServiceDll"="%SystemRoot%\system32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RSVP]
"ImagePath"="%SystemRoot%\system32\rsvp.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SamSs]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SCardSvr]
"ImagePath"="%SystemRoot%\System32\SCardSvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Schedule]
"ServiceDll"="%SystemRoot%\system32\schedsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sdbus]
"ImagePath"="system32\DRIVERS\sdbus.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Secdrv]
"ImagePath"="system32\DRIVERS\secdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seclogon]
"ServiceDll"="%SystemRoot%\System32\seclogon.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Seekapp Service]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SENS]
"ServiceDll"="%SystemRoot%\system32\sens.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\serenum]
"ImagePath"="system32\DRIVERS\serenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Serial]
"ImagePath"="system32\DRIVERS\serial.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelEndpoint 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelOperation 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelService 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sffdisk]
"ImagePath"="system32\DRIVERS\sffdisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sffp_sd]
"ImagePath"="system32\DRIVERS\sffp_sd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sfloppy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ShellHWDetection]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Simbad]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SLIP]
"ImagePath"="system32\DRIVERS\SLIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SMCIRDA]
"ImagePath"="system32\DRIVERS\smcirda.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SMSvcHost 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sparrow]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\splitter]
"ImagePath"="system32\drivers\splitter.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Spooler]
"ImagePath"="%SystemRoot%\system32\spoolsv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sr]
"ImagePath"="system32\DRIVERS\sr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srservice]
"ServiceDll"="c:\windows\system32\srsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SRS_SSCFilter]
"ImagePath"="system32\drivers\srs_sscfilter_i386.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Srv]
"ImagePath"="system32\DRIVERS\srv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SSDPSRV]
"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\stisvc]
"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\streamip]
"ImagePath"="system32\DRIVERS\StreamIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swenum]
"ImagePath"="system32\DRIVERS\swenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swmidi]
"ImagePath"="system32\drivers\swmidi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SwPrv]
"ImagePath"="c:\windows\system32\dllhost.exe /Processid:{2E3529F7-0057-40C3-A536-4C2C7C7EFE4F}"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc810]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc8xx]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMIDSCO]
"ImagePath"="\??\c:\progra~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20050901.036\symidsco.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_hi]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_u3]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SynTP]
"ImagePath"="system32\DRIVERS\SynTP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sysaudio]
"ImagePath"="system32\drivers\sysaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SysmonLog]
"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TapiSrv]
"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip]
"ImagePath"="system32\DRIVERS\tcpip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDPIPE]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDTCP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermDD]
"ImagePath"="system32\DRIVERS\termdd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermService]
"ServiceDll"="%SystemRoot%\System32\termsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Themes]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tifm21]
"ImagePath"="system32\drivers\tifm21.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TlntSvr]
"ImagePath"="c:\windows\system32\tlntsvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TmFilter]
"ImagePath"="\??\c:\program files\OfficeScan NT\TmXPFlt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tmlisten]
"ImagePath"="c:\program files\OfficeScan NT\tmlisten.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TmPreFilter]
"ImagePath"="\??\c:\program files\OfficeScan NT\TmPreFlt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TosIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TrkWks]
"ServiceDll"="%SystemRoot%\system32\trkwks.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TSDDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Udfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ultra]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update]
"ImagePath"="system32\DRIVERS\update.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\upnphost]
"ServiceDll"="%SystemRoot%\System32\upnphost.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPS]
"ImagePath"="%SystemRoot%\System32\ups.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usb]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbccgp]
"ImagePath"="system32\DRIVERS\usbccgp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbehci]
"ImagePath"="system32\DRIVERS\usbehci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbhub]
"ImagePath"="system32\DRIVERS\usbhub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbohci]
"ImagePath"="system32\DRIVERS\usbohci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbprint]
"ImagePath"="system32\DRIVERS\usbprint.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbscan]
"ImagePath"="system32\DRIVERS\usbscan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\USBSTOR]
"ImagePath"="system32\DRIVERS\USBSTOR.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbuhci]
"ImagePath"="system32\DRIVERS\usbuhci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VgaSave]
"ImagePath"="\SystemRoot\System32\drivers\vga.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ViaIde]
"ImagePath"="system32\DRIVERS\viaide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Viewpoint Manager Service]
"ImagePath"="\"c:\program files\Viewpoint\Common\ViewpointService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VolSnap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VSApiNt]
"ImagePath"="\??\c:\program files\OfficeScan NT\VSApiNt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VSS]
"ImagePath"="%SystemRoot%\System32\vssvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W32Time]
"ServiceDll"="c:\windows\system32\w32time.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W3SVC]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wanarp]
"ImagePath"="system32\DRIVERS\wanarp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WDICA]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wdmaud]
"ImagePath"="system32\drivers\wdmaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebClient]
"ServiceDll"="%SystemRoot%\System32\webclnt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winachsf]
"ImagePath"="system32\DRIVERS\HSF_CNXT.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt]
"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Winsock]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinSock2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinTrust]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmdmPmSN]
"ServiceDll"="c:\windows\system32\MsPMSNSv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wmi]
"ServiceDll"="%SystemRoot%\System32\advapi32.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiAcpi]
"ImagePath"="system32\DRIVERS\wmiacpi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApRpl]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApSrv]
"ImagePath"="c:\windows\system32\wbem\wmiapsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WMPNetworkSvc]
"ImagePath"="\"c:\program files\Windows Media Player\WMPNetwk.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WS2IFSL]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wscsvc]
"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WSTCODEC]
"ImagePath"="system32\DRIVERS\WSTCODEC.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauserv]
"ServiceDll"="c:\windows\system32\wuauserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfPf]
"ImagePath"="system32\DRIVERS\WudfPf.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfRd]
"ImagePath"="system32\DRIVERS\wudfrd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfSvc]
"ServiceDll"="%SystemRoot%\System32\WUDFSvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WZCSVC]
"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xmlprov]
"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{0F91AB2C-6A19-4366-9E5B-6FEEB3247CDA}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{2FC4F96E-1F6B-425A-808B-F6484B48F044}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{3F20F6AE-31D6-4F15-8C7D-41A934A5B692}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{693BC4F4-472A-49CC-AC1E-9BE6742A2FB0}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{8DCB1E78-FE63-4398-9D1E-308743A281DB}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{995D485B-C3AC-4CC8-86E5-9DCB40CFBED4}]
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1787410411-2529828033-874725645-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-1787410411-2529828033-874725645-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8AC8B27C-6EA8-21A2-D08F-827F395DFF83}*]
"jaendkkcgdhfgkbhnogg"=hex:66,61,6e,68,6e,62,69,70,6c,6b,62,69,00,2f
"pamnpofglimiajhlfhebfnnjfohndgka"=hex:65,61,6e,68,6d,62,6e,70,6a,6b,00,69
"haendkkcgdhfgkbh"=hex:6e,62,6e,68,70,62,6a,62,61,63,61,61,61,63,62,63,6b,64,
69,6a,6e,61,65,6d,6d,66,61,6e,70,67,68,66,69,61,6e,62,69,6d,62,6b,61,70,69,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\Ati2evxx.dll
c:\program files\AlienGUIse\fastload.dll

- - - - - - - > 'lsass.exe'(936)
c:\windows\mshpoce.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\OfficeScan NT\OfcDog.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Analog Devices\Core\smax4pnp.exe
c:\program files\Hp\HP Software Update\hpwuSchd2.exe
c:\windows\system32\DLA\DLACTRLW.EXE
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
c:\program files\OfficeScan NT\PccNTMon.exe
c:\program files\OfficeScan NT\RAUAgent.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
c:\program files\Java\jre6\bin\jusched.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-04-16 14:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-16 21:21
ComboFix2.txt 2009-04-14 09:01
ComboFix3.txt 2009-04-13 01:50

Pre-Run: 27,355,856,896 bytes free
Post-Run: 27,992,444,928 bytes free

1052 --- E O F --- 2009-04-02 10:01

 

[Guilty Sp4rk]

The ComboFix log is in my previous 2 posts, it was huge. Here is the fresh HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:10:45 PM, on 4/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\Program Files\OfficeScan NT\ofcdog.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\OfficeScan NT\pccntmon.exe
C:\Program Files\OfficeScan NT\RAUAgent.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://schools.connectionsacademy.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {4c39ece2-e0cf-4110-affc-c119de4ce517} - C:\WINDOWS\system32\duputiva.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\hsf73ikmdf3f.dll - {B2BA40A2-74F3-42BD-F434-2604812C8954} - C:\WINDOWS\system32\hsf73ikmdf3f.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [RemoteAgent] C:\Program Files\OfficeScan NT\RAUAgent.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Name] C:\WINDOWS\system32\cas\msname.vbs
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [jiwihifanu] Rundll32.exe "C:\WINDOWS\system32\vogekohe.dll",s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [2315632b] rundll32.exe "C:\WINDOWS\system32\dajufiwe.dll",b
O4 - HKLM\..\Run: [CPM202650b7] Rundll32.exe "c:\windows\system32\zesiyaza.dll",a
O4 - HKLM\..\Run: [Wdeholifetahefoz] rundll32.exe "C:\WINDOWS\egubikeh.dll",e
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF1497.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKCU\..\Run: [] C:\WINDOWS\TEMP\kfihi7v6.exe
O4 - HKCU\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\kfihi7v6.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Student\LOCALS~1\Temp\189101462.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [jiwihifanu] Rundll32.exe "C:\WINDOWS\system32\vogekohe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [jiwihifanu] Rundll32.exe "C:\WINDOWS\system32\vogekohe.dll",s (User 'NETWORK SERVICE')
O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\Object Desktop\ObjectDock\ObjectDock.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://schools.connectionsacademy.com
O15 - Trusted Zone: www.aim.com
O15 - Trusted Zone: www.aolatschool.com
O15 - Trusted Zone: ar.atwola.com
O15 - Trusted Zone: www.ar.atwola.com
O15 - Trusted Zone: www.brainpop.com
O15 - Trusted Zone: http://schools.connectionsacademy.com
O15 - Trusted Zone: www.edgate.com
O15 - Trusted Zone: www.letsgolearn.com
O15 - Trusted Zone: http://*.msnbc.com
O15 - Trusted Zone: login.passport.net
O15 - Trusted Zone: http://*.schoolnotes.com
O15 - Trusted Zone: http://*.teacherweb.com
O15 - Trusted Zone: www.worldbookonline.com
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://10.1.0.17:8180/officescan/ClientInstall/WinNTChk.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://10.1.0.17:8180/officescan/clientinstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://10.1.0.17:8180/officescan/clientinstall/setup.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.8.110.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://10.1.0.17:8180/officescan/clientinstall/RemoveCtrl.cab
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zesiyaza.dll (file missing)
O22 - SharedTaskScheduler: jkxg983iksnf934uitmgs3gt - {B2BA40A2-74F3-42BD-F434-2604812C8954} - C:\WINDOWS\system32\hsf73ikmdf3f.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zesiyaza.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\OfficeScan NT\tmlisten.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10372 bytes

 

[Shaba]

Did you copy everything to CFScript?

I ask because all under Registry are still there.

If you did, please rerun it in safe mode.

 

[Guilty Sp4rk]

I just re-ran ComboFix in safe mode, I still get the rundll errors on startup, which tells me the registry values haven't been cleaned again.. Here's the log anyway :sad:

ComboFix 09-04-17.01 - Student 04/16/2009 15:25.6 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447.290 [GMT -7:00]
Running from: c:\documents and settings\Student\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Student\Desktop\CFScript.txt

FILE ::
C:\jurj.exe
c:\windows\Cfagazuyufom.dat
c:\windows\instsp2.exe
c:\windows\system32\boguwuhu.exe
c:\windows\system32\huvagobi.exe
c:\windows\system32\jazoloya.exe
c:\windows\system32\kivifivu.dll.vir
c:\windows\Xwofiwam.bin
C:\xnfd.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FCI
-------\Legacy_SEEKAPP_SERVICE
-------\Service_FCI
-------\Service_Seekapp Service


((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))
.

2009-04-16 21:17 . 2009-04-16 21:17 -------- d-----w c:\documents and settings\Student\Local Settings\Application Data\{AF69389A-FCD4-4ADE-AA55-2047887F4793}
2009-04-16 08:04 . 2009-04-16 08:04 -------- d-----w c:\program files\Dragon UnPACKer 5
2009-04-15 08:03 . 2009-04-15 08:03 -------- d-----w c:\documents and settings\Student\Application Data\Stardock
2009-04-15 08:03 . 2009-04-15 08:03 -------- dc-h--w c:\documents and settings\All Users\Application Data\{62902F53-D725-44F9-B385-979CC0E00E8A}
2009-04-15 08:02 . 2009-04-15 08:04 -------- d-----w c:\program files\Stardock
2009-04-15 08:02 . 2009-04-15 08:02 -------- d-----w c:\documents and settings\All Users\Application Data\Stardock
2009-04-13 05:18 . 2009-04-13 05:18 -------- d-----w c:\program files\ffdshow
2009-04-13 05:18 . 2009-04-14 00:45 -------- d-----w c:\documents and settings\Student\Application Data\Sp4rkMod
2009-04-12 01:50 . 2009-04-12 01:50 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-11 21:36 . 2009-04-15 08:06 -------- d-----w c:\documents and settings\Student\Local Settings\Application Data\Stardock
2009-04-11 21:29 . 2009-04-11 21:29 56 ----a-w c:\windows\wb.ini
2009-04-11 21:29 . 2009-04-11 21:29 -------- d-----w c:\program files\Common Files\Stardock
2009-04-11 21:29 . 2003-02-27 05:27 36864 ----a-w c:\windows\system32\wbsys.dll
2009-04-11 21:29 . 2009-04-16 07:23 -------- d-----w c:\program files\AlienGUIse
2009-04-11 19:49 . 2009-04-11 19:49 -------- d-----w c:\program files\Crytek
2009-04-11 06:01 . 2009-04-11 06:01 -------- d-----w c:\documents and settings\Student\Application Data\Thinking Minds Budiling Bytes
2009-04-10 01:41 . 2009-04-10 01:41 73 ----a-w c:\windows\EurekaLog.ini
2009-04-10 01:18 . 2009-04-10 01:18 -------- d-----w c:\documents and settings\Student\Application Data\URSoft
2009-04-10 01:18 . 2009-04-11 20:15 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-10 01:18 . 2009-04-11 21:42 -------- d-----w c:\program files\Your Uninstaller 2008
2009-04-10 00:01 . 2009-04-10 00:05 -------- d-----w c:\program files\SystemRequirementsLab
2009-04-10 00:01 . 2009-04-10 00:01 -------- d-----w c:\documents and settings\Student\Application Data\SystemRequirementsLab
2009-04-09 02:37 . 2009-04-09 02:37 6144 --sha-w c:\windows\system32\Thumbs.db
2009-04-08 05:40 . 2009-04-08 05:40 4096 ----a-w c:\windows\d3dx.dat
2009-04-07 19:13 . 2009-04-07 19:13 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-04-07 05:09 . 2009-04-07 05:09 -------- d-----w c:\windows\system32\Adobe
2009-04-04 22:42 . 2009-04-04 22:42 -------- d-----w c:\program files\JanSoft
2009-04-04 22:33 . 2004-01-08 18:38 208896 ----a-w c:\windows\system\lame_enc.dll
2009-04-04 21:42 . 2009-04-04 21:42 -------- d-----w c:\documents and settings\Student\Application Data\dvdcss
2009-04-04 18:55 . 2007-06-29 21:47 34304 ----a-w c:\windows\system32\drivers\AmdLLD.sys
2009-04-04 18:55 . 2009-04-04 18:55 -------- d-----w c:\program files\AMD
2009-04-04 18:50 . 2009-04-04 18:51 -------- d-----w c:\windows\system32\The Future Is Fusion dir
2009-04-04 18:50 . 2009-04-04 18:50 520192 ----a-w c:\windows\system32\The Future Is Fusion.scr
2009-04-04 02:12 . 2009-04-04 02:12 -------- d-----w c:\program files\Ubisoft
2009-04-03 06:51 . 2004-08-04 07:56 21504 -c--a-w c:\windows\system32\dllcache\hidserv.dll
2009-04-03 06:51 . 2004-08-04 07:56 21504 ----a-w c:\windows\system32\hidserv.dll
2009-04-02 23:01 . 2009-04-04 02:01 -------- d-----w c:\program files\the Rosenrot Screensaver
2009-03-31 21:42 . 2009-03-31 21:51 -------- d-----w c:\documents and settings\Student\Application Data\vlc
2009-03-31 21:41 . 2009-03-31 21:41 -------- d-----w c:\program files\VideoLAN
2009-03-31 21:18 . 2008-12-20 23:15 52224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
2009-03-31 21:18 . 2008-12-20 23:15 459264 -c----w c:\windows\system32\dllcache\msfeeds.dll
2009-03-31 21:18 . 2008-12-20 23:15 267776 -c----w c:\windows\system32\dllcache\iertutil.dll
2009-03-31 21:18 . 2008-12-20 23:15 6066688 -c----w c:\windows\system32\dllcache\ieframe.dll
2009-03-31 21:18 . 2008-12-20 23:15 383488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
2009-03-31 21:18 . 2008-12-19 09:10 13824 -c----w c:\windows\system32\dllcache\ieudinit.exe
2009-03-31 21:18 . 2007-03-08 05:10 991232 -c----w c:\windows\system32\dllcache\ieframe.dll.mui
2009-03-31 21:18 . 2008-12-20 23:15 63488 -c----w c:\windows\system32\dllcache\icardie.dll
2009-03-31 21:18 . 2007-04-17 09:32 2455488 -c----w c:\windows\system32\dllcache\ieapfltr.dat
2009-03-31 20:30 . 2009-03-31 20:30 253688 ----a-w c:\windows\system32\cssdll32.dll.vir
2009-03-31 20:30 . 2009-04-01 08:07 -------- d-----w c:\program files\AskBarDis
2009-03-31 20:26 . 2009-03-31 23:47 -------- d-----w c:\documents and settings\All Users\Application Data\Comodo
2009-03-31 20:26 . 2009-03-31 23:50 -------- d-----w c:\program files\COMODO
2009-03-31 20:24 . 2009-03-31 20:24 -------- d-----w c:\windows\system32\CatRoot_bak
2009-03-31 00:33 . 2009-03-31 00:33 -------- d-----w c:\program files\PQDVD
2009-03-30 22:36 . 2009-03-30 22:36 -------- d-----w c:\program files\Xiph.Org
2009-03-29 02:25 . 2009-03-31 22:15 -------- d-----w c:\program files\Peretek
2009-03-29 00:18 . 2009-03-29 00:18 -------- d-----w c:\documents and settings\Student\Local Settings\Application Data\SRS Labs
2009-03-29 00:18 . 2009-03-29 00:18 -------- d-----w c:\documents and settings\All Users\Application Data\SRS Labs
2009-03-29 00:16 . 2007-07-26 16:25 39808 ----a-r c:\windows\system32\drivers\SRS_SSCFilter_i386.sys
2009-03-29 00:16 . 2007-07-26 16:25 42112 ----a-r c:\windows\system32\drivers\csiidecoder_kern_i386.sys
2009-03-29 00:16 . 2007-07-26 16:25 47360 ----a-r c:\windows\system32\drivers\Surroundhp_kern_i386.sys
2009-03-29 00:16 . 2007-07-26 16:25 47104 ----a-r c:\windows\system32\drivers\tshd4_kern_i386.sys
2009-03-29 00:16 . 2007-07-26 16:25 32000 ----a-r c:\windows\system32\drivers\wowhd_kern_i386.sys
2009-03-29 00:16 . 2009-03-29 00:16 -------- d-----w c:\program files\SRS Labs
2009-03-25 09:12 . 2009-04-02 22:58 818753 ----a-w c:\windows\system32\the FarCry River Screensaver.scr
2009-03-25 09:10 . 2009-04-13 05:54 -------- d-----w c:\program files\the FarCry River Screensaver
2009-03-25 09:08 . 2009-03-31 22:15 -------- d-----w c:\program files\the FarCry Slideshow
2009-03-25 09:06 . 2009-03-25 09:06 818753 ----a-w c:\windows\system32\My Screensaver.scr
2009-03-25 02:41 . 2009-03-25 02:41 -------- d-----w c:\program files\Audacity
2009-03-22 06:04 . 2009-03-25 06:31 -------- d-----w c:\documents and settings\Student\Application Data\IGN_DLM
2009-03-21 06:18 . 2009-03-21 06:18 -------- d-----w c:\program files\Common Files\DirectX
2009-03-21 06:16 . 2009-04-11 20:33 -------- d-----w c:\program files\SCi Games
2009-03-21 02:56 . 2009-03-21 02:56 -------- d-----w c:\program files\Trend Micro
2009-03-21 01:57 . 2009-03-21 02:03 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-21 01:57 . 2009-03-21 02:03 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-21 01:56 . 2009-03-21 01:56 -------- d-----w c:\documents and settings\Student\Application Data\Uniblue
2009-03-21 01:55 . 2009-04-11 20:18 -------- dc-h--w c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-03-21 01:35 . 2009-03-21 01:35 -------- d-----w c:\documents and settings\Student\Application Data\Simply Super Software
2009-03-20 19:07 . 2009-04-16 05:07 7680 --sha-w c:\windows\Thumbs.db
2009-03-20 04:00 . 2009-04-10 07:21 -------- d-----w c:\program files\OgreDemo
2009-03-19 20:57 . 2009-03-19 20:57 -------- d-----w c:\documents and settings\Student\Application Data\.ZMatrix
2009-03-19 20:57 . 2009-03-20 06:24 -------- d-----w c:\program files\ZMatrix
2009-03-19 20:57 . 2009-03-19 20:57 68 ----a-w c:\windows\ZMatrixSS.ini
2009-03-19 20:54 . 2009-03-19 20:54 -------- d-----w c:\program files\KellySoftware
2009-03-19 00:00 . 2009-03-19 01:18 -------- d-----w c:\program files\MyBot
2009-03-18 23:56 . 2009-03-18 23:57 -------- d-----w c:\program files\Buddy Icon Maker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-16 22:34 . 2007-06-08 21:46 -------- d-----w c:\program files\OfficeScan NT
2009-04-16 16:34 . 2009-03-17 08:24 -------- d-----w c:\program files\Isotope244 Graphics
2009-04-14 08:46 . 2006-02-28 12:00 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-13 02:10 . 2006-07-11 05:47 -------- d-----w c:\program files\Java
2009-04-12 20:08 . 2006-02-28 12:00 14336 ----a-w c:\windows\system32\svchost.exe
2009-04-12 02:41 . 2009-04-12 02:23 136 ----a-w C:\VundoFix.txt
2009-04-11 20:31 . 2006-07-11 05:39 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-10 07:13 . 2009-03-14 05:54 -------- d-----w c:\program files\Extension Changer
2009-04-10 01:24 . 2009-03-14 01:39 -------- d-----w c:\program files\Common Files\Apple
2009-04-07 01:23 . 2009-03-13 03:56 45680 ----a-w c:\documents and settings\Student\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-21 02:05 . 2009-03-14 01:42 -------- d-----w c:\program files\Bonjour
2009-03-21 01:28 . 2009-03-14 01:40 -------- d-----w c:\program files\QuickTime
2009-03-18 06:11 . 2009-03-15 02:47 -------- d-----w c:\program files\YouTube Downloader
2009-03-18 06:11 . 2009-03-13 02:12 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-17 23:27 . 2009-03-17 08:24 -------- d-----w c:\documents and settings\Student\Application Data\Isotope 244
2009-03-16 09:36 . 2009-03-16 09:18 103509 ----a-w c:\windows\hpoins04.dat
2009-03-16 09:36 . 2009-03-16 09:36 -------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-03-16 09:36 . 2006-07-11 05:39 -------- d-----w c:\program files\Hewlett-Packard
2009-03-16 09:34 . 2006-07-11 05:56 -------- d-----w c:\program files\Hp
2009-03-15 00:30 . 2009-03-15 00:30 98304 ----a-w c:\windows\system32\CmdLineExt.dll
2009-03-14 23:55 . 2009-03-14 23:55 -------- d-----w c:\program files\Rockstar Games
2009-03-14 04:09 . 2009-03-14 04:08 -------- d-----w c:\program files\Paint.NET
2009-03-14 01:49 . 2009-03-14 01:43 -------- d-----w c:\documents and settings\Student\Application Data\Apple Computer
2009-03-14 01:43 . 2009-03-14 01:42 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-14 01:42 . 2009-03-14 01:40 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-14 01:40 . 2009-03-14 01:40 -------- d-----w c:\program files\Apple Software Update
2009-03-14 01:39 . 2009-03-14 01:39 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-03-13 17:42 . 2009-03-13 17:42 -------- d-----w c:\documents and settings\Student\Application Data\Sonic
2009-03-13 17:42 . 2009-03-13 17:42 -------- d-----w c:\documents and settings\Student\Application Data\Leadertech
2009-03-13 03:55 . 2009-03-13 03:55 -------- d-----w c:\documents and settings\All Users\Application Data\ATI
2009-03-13 03:55 . 2007-06-15 02:11 -------- d-----w c:\documents and settings\Student\Application Data\ATI
2009-03-13 02:09 . 2006-07-11 06:10 -------- d-----w c:\program files\Windows Media Connect
2009-03-13 02:02 . 2009-03-13 02:01 -------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2009-03-13 02:01 . 2009-03-13 02:01 -------- d-----w c:\documents and settings\Student\Application Data\acccore
2009-03-13 02:01 . 2009-03-12 23:00 461 ---ha-w C:\IPH.PH
2009-03-13 02:01 . 2009-03-13 02:00 -------- d-----w c:\program files\AIM6
2009-03-13 02:01 . 2009-03-13 02:01 -------- d-----w c:\program files\Viewpoint
2009-03-13 02:01 . 2009-03-13 02:01 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-13 02:01 . 2009-03-13 02:01 -------- d-----w c:\documents and settings\All Users\Application Data\acccore
2009-03-13 02:01 . 2009-03-13 02:01 -------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-13 02:00 . 2009-03-13 02:00 -------- d-----w c:\program files\Common Files\AOL
2009-03-12 22:29 . 2006-07-11 05:54 -------- d-----w c:\program files\ATI Technologies
2009-03-12 22:19 . 2007-05-17 22:57 -------- d-----w c:\documents and settings\Administrator\Application Data\ATI
2009-03-12 22:19 . 2007-05-10 00:16 -------- d-----w c:\documents and settings\admin\Application Data\ATI
2009-03-12 22:07 . 2009-03-12 21:32 -------- d-----w c:\program files\Microsoft Games
2009-03-12 21:40 . 2009-03-12 21:40 109208 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-03-12 21:39 . 2009-03-12 21:39 -------- d-----w c:\program files\MSBuild
2009-03-12 21:39 . 2009-03-12 21:39 -------- d-----w c:\program files\Reference Assemblies
2009-03-12 21:34 . 2009-03-12 21:34 -------- d-----w c:\program files\MSXML 6.0
2009-03-12 21:19 . 2009-03-12 21:19 -------- d-----w c:\program files\RADVideo
2009-03-12 21:19 . 2009-03-12 21:19 -------- d-----w c:\program files\Opera
2009-03-09 12:19 . 2009-03-16 22:56 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-10 07:46 . 2009-02-10 07:46 3013120 ----a-w c:\windows\Matrix_ks.SCR
2009-02-09 10:19 . 2006-02-28 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-04 05:03 . 2009-02-04 05:03 290816 ----a-w c:\windows\system32\atiok3x2.dll
2009-02-04 04:56 . 2009-02-04 04:56 442368 ----a-w c:\windows\system32\ATIDEMGX.dll
2009-02-04 04:44 . 2009-02-04 04:44 155648 ----a-w c:\windows\system32\Oemdspif.dll
2009-02-04 04:13 . 2009-02-04 04:13 887724 ----a-w c:\windows\system32\ativva6x.dat
2009-02-04 04:13 . 2009-02-04 04:13 3107788 ----a-w c:\windows\system32\ativva5x.dat
2009-02-04 04:05 . 2009-03-12 22:17 593920 ------w c:\windows\system32\ati2sgag.exe
2009-02-04 03:58 . 2009-02-04 03:58 49664 ----a-w c:\windows\system32\amdpcom32.dll
2009-02-04 03:53 . 2009-02-04 03:53 122880 ----a-w c:\windows\system32\atiadlxx.dll
2009-02-04 02:43 . 2009-02-04 02:43 45056 ----a-w c:\windows\system32\aticalrt.dll
2009-02-04 02:42 . 2009-02-04 02:42 45056 ----a-w c:\windows\system32\aticalcl.dll
2009-02-04 02:40 . 2009-02-04 02:40 3244032 ----a-w c:\windows\system32\aticaldd.dll
2007-06-26 00:53 . 2007-06-26 00:53 33456 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-06-15 02:16 . 2007-06-15 02:11 130 ----a-w c:\documents and settings\Student\Local Settings\Application Data\fusioncache.dat
2007-06-08 02:33 . 2007-05-17 22:57 136 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2007-05-10 00:18 . 2007-05-10 00:16 128 ----a-w c:\documents and settings\admin\Local Settings\Application Data\fusioncache.dat
2009-01-11 20:08 . 2009-01-11 20:08 71680 --sha-w c:\windows\system32\watekaho.dll.vir
.

((((((((((((((((((((((((((((( SnapShot_2009-04-16_21.18.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-16 22:34 . 2009-04-16 22:34 16384 c:\windows\temp\Perflib_Perfdata_254.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4c39ece2-e0cf-4110-affc-c119de4ce517}]
c:\windows\system32\duputiva.dll [BU]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B2BA40A2-74F3-42BD-F434-2604812C8954}]
c:\windows\system32\hsf73ikmdf3f.dll [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

c:\documents and settings\Student\Start Menu\Programs\Startup\
ImpulseNow.lnk - c:\program files\Stardock\Impulse\Now\ImpulseNow.exe [2009-4-7 323584]
Stardock ObjectDock.lnk - c:\program files\Stardock\Object Desktop\ObjectDock\ObjectDock.exe [2009-4-15 3446512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-2-15 581693]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-5-9 184320]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 1 (0x1)
"DisableLockWorkstation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
"NoNetConnectDisconnect"= 1 (0x1)
"NoManageMyComputerVerb"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoStartMenuNetworkPlaces"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoThemesTab"= 1 (0x1)
"NoPropertiesRecycleBin"= 1 (0x1)
"NoFolderOptions"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{B2BA40A2-74F3-42BD-F434-2604812C8954}"= "c:\windows\system32\hsf73ikmdf3f.dll" [BU]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\zesiyaza.dll" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zesiyaza.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 06:34 24576 ----a-w c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli mshpoce.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloce.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Student\\Desktop\\Black & White\\Black and White\\runblack.exe"=
"c:\\Program Files\\Internet Explorer\\iexplore.exe"=
"c:\\WINDOWS\\explorer.exe"=
"c:\\WINDOWS\\system32\\logonui.exe"=
"c:\\WINDOWS\\system32\\winlogon.exe"=
"c:\\Documents and Settings\\Student\\Application Data\\Sp4rkMod\\armorsurf.exe"=

S2 TmFilter;Trend Micro Filter;c:\program files\OfficeScan NT\TmXPFlt.sys [2008-11-27 205328]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\OfficeScan NT\TmPreFlt.sys [2008-11-27 36368]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2005-10-21 36352]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1003ad07-1bb1-11de-949c-0017a4e3bc5c}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com g:
\Shell\Open\command - f:\resycled\ntldr.com g:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4191f182-22ea-11de-94a3-0017a4e3bc5c}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com g:
\Shell\Open\command - f:\resycled\ntldr.com g:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ae2a78f-10f2-11de-9491-0017a4e3bc5c}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com g:
\Shell\Open\command - e:\resycled\ntldr.com g:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9094bbc2-12c4-11de-9493-0017a4e3bc5c}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\ntldr.com e:
\Shell\Open\command - g:\resycled\ntldr.com e:
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://schools.connectionsacademy.com/
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: aim.com\www
Trusted Zone: aol.com\iknowthat.school
Trusted Zone: aolatschool.com\www
Trusted Zone: atwola.com\ar
Trusted Zone: atwola.com\www.ar
Trusted Zone: brainpop.com\www
Trusted Zone: connectionsacademy.com\schools
Trusted Zone: D
Trusted Zone: edgate.com\www
Trusted Zone: letsgolearn.com\www
Trusted Zone: msnbc.com
Trusted Zone: passport.net\login
Trusted Zone: schoolnotes.com
Trusted Zone: teacherweb.com
Trusted Zone: worldbookonline.com\www
FF - ProfilePath - c:\documents and settings\Student\Application Data\Mozilla\Firefox\Profiles\qhfqqwfy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.isotope244.com/
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-16 15:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????,?@? ????Z??????R?@?????,?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET CLR Data]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET CLR Networking]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET Data Provider for Oracle]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET Data Provider for SqlServer]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NETFramework]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Abiosdsk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\abp480n5]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI]
"ImagePath"="system32\DRIVERS\ACPI.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPIEC]
"ImagePath"="system32\DRIVERS\ACPIEC.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ADIHdAudAddService]
"ImagePath"="system32\drivers\ADIHdAud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\adpu160m]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AEAudioService]
"ImagePath"="system32\drivers\AEAudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aec]
"ImagePath"="system32\drivers\aec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AFD]
"ImagePath"="\SystemRoot\System32\drivers\afd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Aha154x]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78u2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78xx]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Alerter]
"ServiceDll"="%SystemRoot%\system32\alrsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALG]
"ImagePath"="%SystemRoot%\System32\alg.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AliIde]
"ImagePath"="system32\DRIVERS\aliide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AmdK8]
"ImagePath"="system32\DRIVERS\AmdK8.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AmdLLD]
"ImagePath"="system32\DRIVERS\AmdLLD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\amsint]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppMgmt]
"ServiceDll"="%SystemRoot%\System32\appmgmts.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Arp1394]
"ImagePath"="system32\DRIVERS\arp1394.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3350p]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3550]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET_1.1.4322]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET_2.0.50727]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aspnet_state]
"ImagePath"="%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AsyncMac]
"ImagePath"="system32\DRIVERS\asyncmac.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="system32\DRIVERS\atapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atdisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ati HotKey Poller]
"ImagePath"="%SystemRoot%\system32\Ati2evxx.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ATI Smart]
"ImagePath"="c:\windows\system32\ati2sgag.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ati2mtag]
"ImagePath"="system32\DRIVERS\ati2mtag.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atierecord]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atmarpc]
"ImagePath"="system32\DRIVERS\atmarpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ATSWPDRV]
"ImagePath"="system32\DRIVERS\ATSwpDrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AudioSrv]
"ServiceDll"="%SystemRoot%\System32\audiosrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\audstub]
"ImagePath"="system32\DRIVERS\audstub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b57w2k]
"ImagePath"="system32\DRIVERS\b57xp32.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BattC]
"MofImagePath"="System32\Drivers\battc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BCM43XX]
"ImagePath"="system32\DRIVERS\bcmwl5.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Beep]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BITS]
"ServiceDll"="c:\windows\system32\qmgr.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Bonjour Service]
"ImagePath"="\"c:\program files\Bonjour\mDNSResponder.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Browser]
"ServiceDll"="%SystemRoot%\System32\browser.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BTKRNL]
"ImagePath"="system32\DRIVERS\btkrnl.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\btwdins]
"ImagePath"="c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BTWUSB]
"ImagePath"="System32\Drivers\btwusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CA561]
"ImagePath"="System32\Drivers\SPCA561.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
"ImagePath"="\??\c:\docume~1\Student\LOCALS~1\Temp\catchme.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cbidf2k]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CCDECODE]
"ImagePath"="system32\DRIVERS\CCDECODE.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cd20xrnt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdaudio]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdrom]
"ImagePath"="system32\DRIVERS\cdrom.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Changer]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CiSvc]
"ImagePath"="%SystemRoot%\system32\cisvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ClipSrv]
"ImagePath"="%SystemRoot%\system32\clipsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clr_optimization_v2.0.50727_32]
"ImagePath"="c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CmBatt]
"ImagePath"="system32\DRIVERS\CmBatt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CmdIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Compbatt]
"ImagePath"="system32\DRIVERS\compbatt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\COMSysApp]
"ImagePath"="c:\windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContentFilter]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContentIndex]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cpqarray]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CryptSvc]
"ServiceDll"="%SystemRoot%\System32\cryptsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac2w2k]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac960nt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DcomLaunch]
"ServiceDll"="%SystemRoot%\system32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dhcp]
"ServiceDll"="%SystemRoot%\System32\dhcpcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Disk]
"ImagePath"="system32\DRIVERS\disk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLABOIOM]
"ImagePath"="System32\DLA\DLABOIOM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLACDBHM]
"ImagePath"="System32\Drivers\DLACDBHM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLADResN]
"ImagePath"="System32\DLA\DLADResN.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLAIFS_M]
"ImagePath"="System32\DLA\DLAIFS_M.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLAOPIOM]
"ImagePath"="System32\DLA\DLAOPIOM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLAPoolM]
"ImagePath"="System32\DLA\DLAPoolM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLARTL_N]
"ImagePath"="System32\Drivers\DLARTL_N.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLAUDFAM]
"ImagePath"="System32\DLA\DLAUDFAM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DLAUDF_M]
"ImagePath"="System32\DLA\DLAUDF_M.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmadmin]
"ImagePath"="%SystemRoot%\System32\dmadmin.exe /com"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmboot]
"ImagePath"="System32\drivers\dmboot.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmio]
"ImagePath"="system32\DRIVERS\dmio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmload]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmserver]
"ServiceDll"="%SystemRoot%\System32\dmserver.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DMusic]
"ImagePath"="system32\drivers\DMusic.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dnscache]
"ServiceDll"="%SystemRoot%\System32\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dpti2o]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\drmkaud]
"ImagePath"="system32\drivers\drmkaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DRVMCDB]
"ImagePath"="System32\Drivers\DRVMCDB.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DRVNDDM]
"ImagePath"="System32\Drivers\DRVNDDM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eabfiltr]
"ImagePath"="system32\DRIVERS\eabfiltr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eabusb]
"ImagePath"="system32\DRIVERS\eabusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ERSvc]
"ServiceDll"="%SystemRoot%\System32\ersvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Eventlog]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventSystem]
"ServiceDll"="c:\windows\system32\es.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fastfat]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FastUserSwitchingCompatibility]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FCI]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc]
"ImagePath"="system32\DRIVERS\fdc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fips]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]
"ImagePath"="system32\DRIVERS\flpydisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FltMgr]
"ImagePath"="system32\DRIVERS\fltMgr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FontCache3.0.0.0]
"ImagePath"="c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fs_Rec]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ftdisk]
"ImagePath"="system32\DRIVERS\ftdisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GEARAspiWDM]
"ImagePath"="system32\DRIVERS\GEARAspiWDM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Gpc]
"ImagePath"="system32\DRIVERS\msgpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HBtnKey]
"ImagePath"="system32\DRIVERS\cpqbttn.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HDAudBus]
"ImagePath"="system32\DRIVERS\HDAudBus.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\helpsvc]
"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidServ]
"ServiceDll"="%SystemRoot%\System32\hidserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidUsb]
"ImagePath"="system32\DRIVERS\hidusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpn]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpqwmiex]
"ImagePath"="c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZid412]
"ImagePath"="system32\DRIVERS\HPZid412.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZipr12]
"ImagePath"="system32\DRIVERS\HPZipr12.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZius12]
"ImagePath"="system32\DRIVERS\HPZius12.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HSFHWAZL]
"ImagePath"="system32\DRIVERS\HSFHWAZL.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HSF_DPV]
"ImagePath"="system32\DRIVERS\HSF_DPV.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTP]
"ImagePath"="System32\Drivers\HTTP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTPFilter]
"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omgmt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omp]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i8042prt]
"ImagePath"="system32\DRIVERS\i8042prt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDriverT]
"ImagePath"="\"c:\program files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\idsvc]
"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IFXTPM]
"ImagePath"="system32\DRIVERS\IFXTPM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Imapi]
"ImagePath"="system32\DRIVERS\imapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ImapiService]
"ImagePath"="c:\windows\system32\imapi.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\inetaccs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ini910u]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Inport]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IntelIde]
"ImagePath"="system32\DRIVERS\intelide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ip6Fw]
"ImagePath"="system32\DRIVERS\Ip6Fw.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpFilterDriver]
"ImagePath"="system32\DRIVERS\ipfltdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpInIp]
"ImagePath"="system32\DRIVERS\ipinip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpNat]
"ImagePath"="system32\DRIVERS\ipnat.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iPod Service]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IPSec]
"ImagePath"="system32\DRIVERS\ipsec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IRENUM]
"ImagePath"="system32\DRIVERS\irenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ISAPISearch]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\isapnp]
"ImagePath"="system32\DRIVERS\isapnp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\JavaQuickStarterService]
"ImagePath"="\"c:\program files\Java\jre6\bin\jqs.exe\" -service -config \"c:\program files\Java\jre6\lib\deploy\jqs\jqs.conf\""

 

[Guilty Sp4rk]

The rest:

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Kbdclass]
"ImagePath"="system32\DRIVERS\kbdclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbdhid]
"ImagePath"="system32\DRIVERS\kbdhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kmixer]
"ImagePath"="system32\drivers\kmixer.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KSecDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanserver]
"ServiceDll"="%SystemRoot%\System32\srvsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanworkstation]
"ServiceDll"="%SystemRoot%\System32\wkssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lbrtfdc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ldap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LicenseService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LightScribeService]
"ImagePath"="\"c:\program files\Common Files\LightScribe\LSSrvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LmHosts]
"ServiceDll"="%SystemRoot%\System32\lmhsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MDM]
"ImagePath"="\"c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mdmxsdk]
"ImagePath"="system32\DRIVERS\mdmxsdk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Messenger]
"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmdd]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmsrvc]
"ImagePath"="c:\windows\system32\mnmsrvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Modem]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mouclass]
"ImagePath"="system32\DRIVERS\mouclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mouhid]
"ImagePath"="system32\DRIVERS\mouhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MountMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mraid35x]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxDAV]
"ImagePath"="system32\DRIVERS\mrxdav.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxSmb]
"ImagePath"="system32\DRIVERS\mrxsmb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC]
"ImagePath"="c:\windows\system32\msdtc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC Bridge 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Msfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSIServer]
"ImagePath"="c:\windows\system32\msiexec.exe /V"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSKSSRV]
"ImagePath"="system32\drivers\MSKSSRV.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPCLOCK]
"ImagePath"="system32\drivers\MSPCLOCK.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPQM]
"ImagePath"="system32\drivers\MSPQM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mssmbios]
"ImagePath"="system32\DRIVERS\mssmbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSTEE]
"ImagePath"="system32\drivers\MSTEE.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mup]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NABTSFEC]
"ImagePath"="system32\DRIVERS\NABTSFEC.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDIS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisIP]
"ImagePath"="system32\DRIVERS\NdisIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisTapi]
"ImagePath"="system32\DRIVERS\ndistapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ndisuio]
"ImagePath"="system32\DRIVERS\ndisuio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisWan]
"ImagePath"="system32\DRIVERS\ndiswan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDProxy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBIOS]
"ImagePath"="system32\DRIVERS\netbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT]
"ImagePath"="system32\DRIVERS\netbt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDE]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDEdsdm]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netlogon]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netman]
"ServiceDll"="%SystemRoot%\System32\netman.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetTcpPortSharing]
"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIC1394]
"ImagePath"="system32\DRIVERS\nic1394.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Nla]
"ServiceDll"="%SystemRoot%\System32\mswsock.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Npfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ntfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtLmSsp]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc]
"ServiceDll"="%SystemRoot%\system32\ntmssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ntrtscan]
"ImagePath"="c:\program files\OfficeScan NT\ntrtscan.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Null]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFlt]
"ImagePath"="system32\DRIVERS\nwlnkflt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFwd]
"ImagePath"="system32\DRIVERS\nwlnkfwd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ohci1394]
"ImagePath"="system32\DRIVERS\ohci1394.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Parport]
"ImagePath"="system32\DRIVERS\parport.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PartMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ParVdm]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCI]
"ImagePath"="system32\DRIVERS\pci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIDump]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIIde]
"ImagePath"="system32\DRIVERS\pciide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pcmcia]
"ImagePath"="system32\DRIVERS\pcmcia.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDCOMP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRELI]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2hib]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfDisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfNet]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfOS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfProc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PlugPlay]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PolicyAgent]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PptpMiniport]
"ImagePath"="system32\DRIVERS\raspptp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Processor]
"ImagePath"="system32\DRIVERS\processr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ProtectedStorage]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSched]
"ImagePath"="system32\DRIVERS\psched.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ptilink]
"ImagePath"="system32\DRIVERS\ptilink.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PxHelp20]
"ImagePath"="System32\Drivers\PxHelp20.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1080]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ql10wnt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql12160]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1240]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1280]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAcd]
"ImagePath"="system32\DRIVERS\rasacd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAuto]
"ServiceDll"="%SystemRoot%\System32\rasauto.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rasirda]
"ImagePath"="system32\DRIVERS\rasirda.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rasl2tp]
"ImagePath"="system32\DRIVERS\rasl2tp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasMan]
"ServiceDll"="%SystemRoot%\System32\rasmans.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasPppoe]
"ImagePath"="system32\DRIVERS\raspppoe.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Raspti]
"ImagePath"="system32\DRIVERS\raspti.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rdbss]
"ImagePath"="system32\DRIVERS\rdbss.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPCDD]
"ImagePath"="System32\DRIVERS\RDPCDD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rdpdr]
"ImagePath"="system32\DRIVERS\rdpdr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPNP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPWD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDSessMgr]
"ImagePath"="c:\windows\system32\sessmgr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
"ImagePath"="system32\DRIVERS\redbook.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteAccess]
"ServiceDll"="%SystemRoot%\System32\mprdim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteRegistry]
"ServiceDll"="%SystemRoot%\system32\regsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcLocator]
"ImagePath"="%SystemRoot%\system32\locator.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcSs]
"ServiceDll"="%SystemRoot%\system32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RSVP]
"ImagePath"="%SystemRoot%\system32\rsvp.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SamSs]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SCardSvr]
"ImagePath"="%SystemRoot%\System32\SCardSvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Schedule]
"ServiceDll"="%SystemRoot%\system32\schedsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sdbus]
"ImagePath"="system32\DRIVERS\sdbus.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Secdrv]
"ImagePath"="system32\DRIVERS\secdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seclogon]
"ServiceDll"="%SystemRoot%\System32\seclogon.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Seekapp Service]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SENS]
"ServiceDll"="%SystemRoot%\system32\sens.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\serenum]
"ImagePath"="system32\DRIVERS\serenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Serial]
"ImagePath"="system32\DRIVERS\serial.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelEndpoint 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelOperation 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelService 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sffdisk]
"ImagePath"="system32\DRIVERS\sffdisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sffp_sd]
"ImagePath"="system32\DRIVERS\sffp_sd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sfloppy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ShellHWDetection]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Simbad]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SLIP]
"ImagePath"="system32\DRIVERS\SLIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SMCIRDA]
"ImagePath"="system32\DRIVERS\smcirda.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SMSvcHost 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sparrow]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\splitter]
"ImagePath"="system32\drivers\splitter.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Spooler]
"ImagePath"="%SystemRoot%\system32\spoolsv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sr]
"ImagePath"="system32\DRIVERS\sr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srservice]
"ServiceDll"="c:\windows\system32\srsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SRS_SSCFilter]
"ImagePath"="system32\drivers\srs_sscfilter_i386.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Srv]
"ImagePath"="system32\DRIVERS\srv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SSDPSRV]
"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\stisvc]
"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\streamip]
"ImagePath"="system32\DRIVERS\StreamIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swenum]
"ImagePath"="system32\DRIVERS\swenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swmidi]
"ImagePath"="system32\drivers\swmidi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SwPrv]
"ImagePath"="c:\windows\system32\dllhost.exe /Processid:{2E3529F7-0057-40C3-A536-4C2C7C7EFE4F}"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc810]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc8xx]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMIDSCO]
"ImagePath"="\??\c:\progra~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20050901.036\symidsco.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_hi]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_u3]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SynTP]
"ImagePath"="system32\DRIVERS\SynTP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sysaudio]
"ImagePath"="system32\drivers\sysaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SysmonLog]
"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TapiSrv]
"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip]
"ImagePath"="system32\DRIVERS\tcpip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDPIPE]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDTCP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermDD]
"ImagePath"="system32\DRIVERS\termdd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermService]
"ServiceDll"="%SystemRoot%\System32\termsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Themes]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tifm21]
"ImagePath"="system32\drivers\tifm21.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TlntSvr]
"ImagePath"="c:\windows\system32\tlntsvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TmFilter]
"ImagePath"="\??\c:\program files\OfficeScan NT\TmXPFlt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tmlisten]
"ImagePath"="c:\program files\OfficeScan NT\tmlisten.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TmPreFilter]
"ImagePath"="\??\c:\program files\OfficeScan NT\TmPreFlt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TosIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TrkWks]
"ServiceDll"="%SystemRoot%\system32\trkwks.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TSDDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Udfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ultra]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update]
"ImagePath"="system32\DRIVERS\update.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\upnphost]
"ServiceDll"="%SystemRoot%\System32\upnphost.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPS]
"ImagePath"="%SystemRoot%\System32\ups.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usb]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbccgp]
"ImagePath"="system32\DRIVERS\usbccgp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbehci]
"ImagePath"="system32\DRIVERS\usbehci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbhub]
"ImagePath"="system32\DRIVERS\usbhub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbohci]
"ImagePath"="system32\DRIVERS\usbohci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbprint]
"ImagePath"="system32\DRIVERS\usbprint.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbscan]
"ImagePath"="system32\DRIVERS\usbscan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\USBSTOR]
"ImagePath"="system32\DRIVERS\USBSTOR.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbuhci]
"ImagePath"="system32\DRIVERS\usbuhci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VgaSave]
"ImagePath"="\SystemRoot\System32\drivers\vga.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ViaIde]
"ImagePath"="system32\DRIVERS\viaide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Viewpoint Manager Service]
"ImagePath"="\"c:\program files\Viewpoint\Common\ViewpointService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VolSnap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VSApiNt]
"ImagePath"="\??\c:\program files\OfficeScan NT\VSApiNt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VSS]
"ImagePath"="%SystemRoot%\System32\vssvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W32Time]
"ServiceDll"="c:\windows\system32\w32time.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W3SVC]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wanarp]
"ImagePath"="system32\DRIVERS\wanarp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WDICA]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wdmaud]
"ImagePath"="system32\drivers\wdmaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebClient]
"ServiceDll"="%SystemRoot%\System32\webclnt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winachsf]
"ImagePath"="system32\DRIVERS\HSF_CNXT.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt]
"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Winsock]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinSock2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinTrust]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmdmPmSN]
"ServiceDll"="c:\windows\system32\MsPMSNSv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wmi]
"ServiceDll"="%SystemRoot%\System32\advapi32.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiAcpi]
"ImagePath"="system32\DRIVERS\wmiacpi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApRpl]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApSrv]
"ImagePath"="c:\windows\system32\wbem\wmiapsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WMPNetworkSvc]
"ImagePath"="\"c:\program files\Windows Media Player\WMPNetwk.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WS2IFSL]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wscsvc]
"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WSTCODEC]
"ImagePath"="system32\DRIVERS\WSTCODEC.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauserv]
"ServiceDll"="c:\windows\system32\wuauserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfPf]
"ImagePath"="system32\DRIVERS\WudfPf.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfRd]
"ImagePath"="system32\DRIVERS\wudfrd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfSvc]
"ServiceDll"="%SystemRoot%\System32\WUDFSvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WZCSVC]
"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xmlprov]
"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{0F91AB2C-6A19-4366-9E5B-6FEEB3247CDA}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{2FC4F96E-1F6B-425A-808B-F6484B48F044}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{3F20F6AE-31D6-4F15-8C7D-41A934A5B692}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{693BC4F4-472A-49CC-AC1E-9BE6742A2FB0}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{8DCB1E78-FE63-4398-9D1E-308743A281DB}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{995D485B-C3AC-4CC8-86E5-9DCB40CFBED4}]
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1787410411-2529828033-874725645-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_USERS\S-1-5-21-1787410411-2529828033-874725645-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8AC8B27C-6EA8-21A2-D08F-827F395DFF83}*]
"jaendkkcgdhfgkbhnogg"=hex:66,61,6e,68,6e,62,69,70,6c,6b,62,69,00,2f
"pamnpofglimiajhlfhebfnnjfohndgka"=hex:65,61,6e,68,6d,62,6e,70,6a,6b,00,69
"haendkkcgdhfgkbh"=hex:6e,62,6e,68,70,62,6a,62,61,63,61,61,61,63,62,63,6b,64,
69,6a,6e,61,65,6d,6d,66,61,6e,70,67,68,66,69,61,6e,62,69,6d,62,6b,61,70,69,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\Ati2evxx.dll
c:\program files\AlienGUIse\fastload.dll

- - - - - - - > 'lsass.exe'(936)
c:\windows\mshpoce.dll

- - - - - - - > 'explorer.exe'(3904)
c:\windows\mshpoce.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\egubikeh.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\ati2evxx.exe
c:\program files\OfficeScan NT\OfcDog.exe
c:\program files\Analog Devices\Core\smax4pnp.exe
c:\program files\Hp\HP Software Update\hpwuSchd2.exe
c:\windows\system32\DLA\DLACTRLW.EXE
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
c:\program files\OfficeScan NT\PccNTMon.exe
c:\program files\OfficeScan NT\RAUAgent.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\program files\Java\jre6\bin\jusched.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-04-16 15:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-16 22:39
ComboFix2.txt 2009-04-16 21:21
ComboFix3.txt 2009-04-14 09:01
ComboFix4.txt 2009-04-13 01:50

Pre-Run: 28,480,692,224 bytes free
Post-Run: 27,990,470,656 bytes free

995 --- E O F --- 2009-04-02 10:01

 

[Guilty Sp4rk]

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:46:07 PM, on 4/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\OfficeScan NT\ofcdog.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\OfficeScan NT\pccntmon.exe
C:\Program Files\OfficeScan NT\RAUAgent.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://schools.connectionsacademy.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {4c39ece2-e0cf-4110-affc-c119de4ce517} - C:\WINDOWS\system32\duputiva.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\hsf73ikmdf3f.dll - {B2BA40A2-74F3-42BD-F434-2604812C8954} - C:\WINDOWS\system32\hsf73ikmdf3f.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [RemoteAgent] C:\Program Files\OfficeScan NT\RAUAgent.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Name] C:\WINDOWS\system32\cas\msname.vbs
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [jiwihifanu] Rundll32.exe "C:\WINDOWS\system32\vogekohe.dll",s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [2315632b] rundll32.exe "C:\WINDOWS\system32\dajufiwe.dll",b
O4 - HKLM\..\Run: [CPM202650b7] Rundll32.exe "c:\windows\system32\zesiyaza.dll",a
O4 - HKLM\..\Run: [Wdeholifetahefoz] rundll32.exe "C:\WINDOWS\egubikeh.dll",e
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF15735.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKCU\..\Run: [] C:\WINDOWS\TEMP\kfihi7v6.exe
O4 - HKCU\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\kfihi7v6.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Student\LOCALS~1\Temp\189101462.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [jiwihifanu] Rundll32.exe "C:\WINDOWS\system32\vogekohe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [jiwihifanu] Rundll32.exe "C:\WINDOWS\system32\vogekohe.dll",s (User 'NETWORK SERVICE')
O4 - Startup: ImpulseNow.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\Object Desktop\ObjectDock\ObjectDock.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://schools.connectionsacademy.com
O15 - Trusted Zone: www.aim.com
O15 - Trusted Zone: www.aolatschool.com
O15 - Trusted Zone: ar.atwola.com
O15 - Trusted Zone: www.ar.atwola.com
O15 - Trusted Zone: www.brainpop.com
O15 - Trusted Zone: http://schools.connectionsacademy.com
O15 - Trusted Zone: www.edgate.com
O15 - Trusted Zone: www.letsgolearn.com
O15 - Trusted Zone: http://*.msnbc.com
O15 - Trusted Zone: login.passport.net
O15 - Trusted Zone: http://*.schoolnotes.com
O15 - Trusted Zone: http://*.teacherweb.com
O15 - Trusted Zone: www.worldbookonline.com
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://10.1.0.17:8180/officescan/ClientInstall/WinNTChk.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://10.1.0.17:8180/officescan/clientinstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://10.1.0.17:8180/officescan/clientinstall/setup.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.8.110.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://10.1.0.17:8180/officescan/clientinstall/RemoveCtrl.cab
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zesiyaza.dll (file missing)
O22 - SharedTaskScheduler: jkxg983iksnf934uitmgs3gt - {B2BA40A2-74F3-42BD-F434-2604812C8954} - C:\WINDOWS\system32\hsf73ikmdf3f.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zesiyaza.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\OfficeScan NT\tmlisten.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10533 bytes




Um, Does this mean it can't be fixed? Sorry if I seem a bit panic-y but I have over 12GB of uncompressed game files to a game I've been developing and I have no way of storing the files anywhere other than my comp right now :sad:

 

[Shaba]

No, those are there because of Trend Micro.

Please disable it and keep it disabled.

After that, rerun CFScript in safe mode.

 

[Shaba]

Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.