08/19/2009 at 12:43PM PDT, ID: 24666102

rootkit

Asked by jmutone in Anti-Virus, Miscellaneous Security, HijackThis Software

Tags: rootkit virus combofix sdfix gmer

I have a rootkit that I can't remove. I ran SDFix, ComboFix and GMER. I ran GMER and ran a scan, but it disappears before finishing. If I stop it when I see typing in red, I can delete or disable the service. Here's a log file from GMER; see the lines with "\\?\globalroot\Device\__max++>\61146290.x86.dll" in them.
I put the ComboFix log below the GMER one too.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-08-19 14:21:58
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT            89AE8420                                                                                                                                                               ZwConnectPort
SSDT            \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)                                                                             ZwDeleteValueKey [0x9D3B6350]
SSDT            \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)                                                                             ZwSetValueKey [0x9D3B6580]

---- Kernel code sections - GMER 1.0.15 ----

?               win32k.sys:1                                                                                                                                                           The system cannot find the file specified. !
?               win32k.sys:2                                                                                                                                                           The system cannot find the file specified. !
?               C:\WINDOWS\system32\Drivers\PROCEXP100.SYS                                                                                                                             The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text           C:\WINDOWS\Explorer.EXE[612] SHELL32.dll!SHFileOperationW                                                                                                              7CA70924 5 Bytes  JMP 00BD1102 C:\Program Files\Unlocker\UnlockerHook.dll
.text           C:\WINDOWS\system32\winlogon.exe[1180] USER32.dll!CallNextHookEx + 4A                                                                                                  7E42B410 7 Bytes  CALL 35672D96 \\?\globalroot\Device\__max++>\61146290.x86.dll
.text           C:\WINDOWS\system32\winlogon.exe[1180] GDI32.dll!GetHFONT + 51                                                                                                         77F17EA7 7 Bytes  CALL 35672DC2 \\?\globalroot\Device\__max++>\61146290.x86.dll
.text           C:\WINDOWS\system32\winlogon.exe[1180] GDI32.dll!GetTextExtentPoint32W + E4                                                                                            77F18081 7 Bytes  CALL 35672DDE \\?\globalroot\Device\__max++>\61146290.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\WINDOWS\system32\winlogon.exe[1180] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile]                                                                      [35672A94] \\?\globalroot\Device\__max++>\61146290.x86.dll
IAT             C:\WINDOWS\system32\winlogon.exe[1180] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress]                                                           [35672A1E] \\?\globalroot\Device\__max++>\61146290.x86.dll

---- Devices - GMER 1.0.15 ----

Device                                                                                                                                                                                 Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice                                                                                                                                                                         SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device                                                                                                                                                                                 Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                                                               SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                                              SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                                                              SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                                                            SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device                                                                                                                                                                                 mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice                                                                                                                                                                         fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device          \FileSystem\Cdfs \Cdfs                                                                                                                                                 DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Processes - GMER 1.0.15 ----

Library         \\?\globalroot\Device\__max++>\61146290.x86.dll (*** hidden *** ) @ C:\PROGRA~1\SYMANT~1\VPTray.exe [876]                                                              0x35670000                                                                      
Library         \\?\globalroot\Device\__max++>\61146290.x86.dll (*** hidden *** ) @ C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [924]                                              0x35670000                                                                      
Library         \\?\globalroot\Device\__max++>\61146290.x86.dll (*** hidden *** ) @ C:\Program Files\Symantec AntiVirus\SavRoam.exe [988]                                              0x35670000                                                                      
Library         \\?\globalroot\Device\__max++>\61146290.x86.dll (*** hidden *** ) @ C:\Program Files\Intel\AMT\UNS.exe [1088]                                                          0x35670000                                                                      
Library         \\?\globalroot\Device\__max++>\61146290.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [1180]                                                            0x35670000                                                                      
Library         \\?\globalroot\Device\__max++>\61146290.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1512]                                                             0x35670000                                                                      
Library         \\?\globalroot\Device\__max++>\61146290.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [1808]  0x35670000                                                                      
Library         \\?\globalroot\Device\__max++>\61146290.x86.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [1840]                                                  0x35670000                                                                      
Library         \\?\globalroot\Device\__max++>\61146290.x86.dll (*** hidden *** ) @ C:\Program Files\Intel\AMT\LMS.exe [1936]                                                          0x35670000                                                                      

---- Files - GMER 1.0.15 ----

ADS             C:\System Volume Information\_restore{0ED516BE-6065-447F-9729-C55486FD6F5E}\RP547\A0039131.sys:1                                                                       8192 bytes executable
ADS             C:\System Volume Information\_restore{0ED516BE-6065-447F-9729-C55486FD6F5E}\RP547\A0039759.sys:1                                                                       8192 bytes executable
ADS             C:\System Volume Information\_restore{0ED516BE-6065-447F-9729-C55486FD6F5E}\RP547\A0039808.sys:1                                                                       8192 bytes executable
ADS             C:\System Volume Information\_restore{0ED516BE-6065-447F-9729-C55486FD6F5E}\RP547\A0039834.sys:1                                                                       8192 bytes executable
ADS             C:\System Volume Information\_restore{0ED516BE-6065-447F-9729-C55486FD6F5E}\RP547\A0039839.sys:1                                                                       8192 bytes executable
ADS             C:\System Volume Information\_restore{0ED516BE-6065-447F-9729-C55486FD6F5E}\RP547\A0039850.sys:1                                                                       8192 bytes executable


ComboFix 09-08-18.04 - Administrator 08/19/2009 15:26.3.2 - NTFSx86
Running from: c:\install\spyware\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.



.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


(((((((((((((((((((((((((   Files Created from 2009-07-19 to 2009-08-19  )))))))))))))))))))))))))))))))
.

2009-08-19 17:55 . 2008-04-14 00:12      14336      ----a-w-      c:\windows\system32\svchost.exe
2009-08-19 17:21 . 2009-08-19 17:21      --------      d-----w-      c:\documents and settings\administrator.SNPD\Application Data\Research In Motion
2009-08-19 16:41 . 2009-08-19 16:41      3942048      ----a-w-      c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-19 16:35 . 2009-08-19 16:35      --------      d-----w-      c:\program files\Unlocker
2009-08-19 16:20 . 2009-08-19 16:20      578560      -c--a-w-      c:\windows\system32\dllcache\user32.dll
2009-08-19 16:19 . 2009-08-19 16:19      --------      d-----w-      c:\windows\ERUNT
2009-08-19 16:18 . 2009-08-19 16:18      --------      d-----w-      c:\documents and settings\Administrator\Local Settings\Application Data\GHISLER
2009-08-19 16:12 . 2009-08-19 16:12      --------      d-----w-      c:\documents and settings\dave\Application Data\Malwarebytes
2009-08-19 16:12 . 2009-08-03 17:36      38160      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-19 16:12 . 2009-08-19 19:01      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2009-08-19 16:12 . 2009-08-19 16:12      --------      d-----w-      c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-19 16:12 . 2009-08-03 17:36      19096      ----a-w-      c:\windows\system32\drivers\mbam.sys
2009-08-19 13:23 . 2009-08-19 13:23      --------      d-----w-      c:\documents and settings\robert\Application Data\Research In Motion
2009-08-17 12:20 . 2009-08-17 12:20      --------      d-----w-      c:\documents and settings\brent\Application Data\Research In Motion
2009-08-16 01:33 . 2009-08-16 01:33      1181040      ----a-w-      c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e1e03.vdb\NAVEX32A.DLL
2009-08-16 01:33 . 2009-08-16 01:33      87888      ----a-w-      c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e1e03.vdb\NAVENG.SYS
2009-08-16 01:33 . 2009-08-16 01:33      875728      ----a-w-      c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e1e03.vdb\NAVEX15.SYS
2009-08-16 01:33 . 2009-08-16 01:33      371248      ----a-w-      c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e1e03.vdb\EECTRL.SYS
2009-08-16 01:33 . 2009-08-16 01:33      259368      ----a-w-      c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e1e03.vdb\ECMSVR32.DLL
2009-08-16 01:33 . 2009-08-16 01:33      2414128      ----a-w-      c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e1e03.vdb\CCERASER.DLL
2009-08-16 01:33 . 2009-08-16 01:33      177520      ----a-w-      c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e1e03.vdb\NAVENG32.DLL
2009-08-16 01:33 . 2009-08-16 01:33      101936      ----a-w-      c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2e1e03.vdb\ERASER.SYS
2009-08-05 03:10 . 2009-08-05 03:10      --------      d-----w-      c:\documents and settings\dave\Local Settings\Application Data\Temp
2009-07-23 13:25 . 2009-07-23 13:25      --------      d-----w-      c:\program files\Jetcast

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 17:02 . 2008-05-01 01:04      --------      d-----w-      c:\program files\Symantec AntiVirus
2009-08-19 16:40 . 2009-05-29 14:25      256      ----a-w-      c:\windows\system32\pool.bin
2009-08-18 05:37 . 2009-03-21 04:39      117760      ----a-w-      c:\documents and settings\police\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-17 20:42 . 2009-03-13 19:23      --------      d-----w-      c:\program files\DYMO Label
2009-08-17 12:09 . 2008-05-01 15:48      --------      d-----w-      c:\documents and settings\All Users\Application Data\Google Updater
2009-08-16 17:20 . 2008-01-24 20:23      107208      -c--a-w-      c:\documents and settings\Judge\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-11 05:09 . 2008-05-01 01:26      --------      d-----w-      c:\documents and settings\police\Application Data\InstallShield
2009-08-11 05:08 . 2008-02-21 16:24      --------      d-----w-      c:\program files\Common Files\Roxio Shared
2009-08-11 05:08 . 2008-02-21 16:24      --------      d-----w-      c:\program files\Roxio
2009-08-11 05:07 . 2009-05-29 14:20      --------      d-----w-      c:\documents and settings\All Users\Application Data\Roxio
2009-08-11 05:03 . 2008-02-21 16:25      --------      d-----w-      c:\program files\Common Files\Sonic Shared
2009-08-11 04:57 . 2009-04-22 19:41      --------      d-----w-      c:\program files\Common Files\Research In Motion
2009-08-11 04:42 . 2008-04-30 23:40      --------      d-----w-      c:\program files\LogMeIn
2009-08-11 04:22 . 2009-03-07 23:56      --------      d-----w-      c:\program files\SUPERAntiSpyware
2009-08-06 19:10 . 2008-04-30 22:36      --------      d-----w-      c:\program files\Microsoft Money
2009-07-18 21:25 . 2009-05-21 17:40      --------      d-----w-      c:\program files\SJS
2009-06-25 14:59 . 2009-03-23 18:51      117760      ----a-w-      c:\documents and settings\dave\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-15 14:50 . 2009-06-15 14:50      390664      -c--a-w-      c:\documents and settings\dave\Application Data\Real\RealPlayer\Update\realplayer11gold.exe
2009-05-21 19:37 . 2009-06-19 17:33      55      ----a-w-      c:\documents and settings\All Users\Application Data\Microsoft\Shortcuts\prtact.bat
2008-03-06 20:35 . 2008-02-21 18:51      952      --sha-w-      c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2009-04-29 04:49      3598336      C6FD770D518FB024245A0EE217D72BC1      c:\windows\SoftwareDistribution\Download\82c738ec00f0f07f8ea182bc95439593\sp3qfe\mshtml.dll
[-] 2007-10-31 10:12      3590656      8AB7ECF59D6EBBE986277B65ED4A40A1      c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\mshtml.dll
[-] 2007-10-30 23:48      3593216      54D8B404F17AA74C666F7F3AEF2AE459      c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\mshtml.dll
[-] 2007-10-30 09:55      3065856      79314A0A6B0DA78AFE491FF2D8B117BA      c:\windows\SoftwareDistribution\Download\fa58243222bcfe35e5467668df396003\sp2qfe\mshtml.dll
[-] 2009-04-29 04:56      3596288      2B4315EC9E3124408A2A5074C4B97700      c:\windows\system32\mshtml.dll
[-] 2009-04-29 04:56      3596288      2B4315EC9E3124408A2A5074C4B97700      c:\windows\system32\dllcache\mshtml.dll

[-] 2004-08-04 02:58      24576      EBDEE8A2EE5393890A1ACEE971C4C246      c:\windows\$NtServicePackUninstall$\kbdclass.sys
[-] 2008-04-13 18:39      24576      463C1EC80CD17420A542B7F36A36F128      c:\windows\ServicePackFiles\i386\kbdclass.sys
[-] 2008-04-13 18:39      24576      463C1EC80CD17420A542B7F36A36F128      c:\windows\system32\drivers\kbdclass.sys

[-] 2004-08-04 04:56      792064      6728270CB7DBB776ED086F5AC4C82310      c:\windows\$NtServicePackUninstall$\comres.dll
[-] 2008-04-14 00:11      792064      1280A158C722FA95A80FB7AEBE78FA7D      c:\windows\ServicePackFiles\i386\comres.dll
[-] 2008-04-14 00:11      792064      1280A158C722FA95A80FB7AEBE78FA7D      c:\windows\system32\comres.dll

[-] 2004-08-04 04:56      22016      74D66B3DE265E8789153414E75175F26      c:\windows\$NtServicePackUninstall$\lpk.dll
[-] 2008-04-14 00:11      22016      012DF358CEBAA23ACB26D82077820817      c:\windows\ServicePackFiles\i386\lpk.dll
[-] 2008-04-14 00:11      22016      012DF358CEBAA23ACB26D82077820817      c:\windows\system32\lpk.dll

[-] 2001-08-23 12:00      4224      DA1F27D85E0D1525F6621372E7B685E9      c:\windows\system32\dllcache\beep.sys
[-] 2001-08-23 12:00      4224      DA1F27D85E0D1525F6621372E7B685E9      c:\windows\system32\drivers\beep.sys

[-] 2001-08-23 12:00      2944      73C1E1F395918BC2C6DD67AF7591A3AD      c:\windows\system32\dllcache\null.sys
[-] 2001-08-23 12:00      2944      73C1E1F395918BC2C6DD67AF7591A3AD      c:\windows\system32\drivers\null.sys

[-] 2006-02-15 00:22      142464      1EE7B434BA961EF845DE136224C30FEC      c:\windows\$NtServicePackUninstall$\aec.sys
[-] 2008-04-13 16:39      142592      8BED39E3C35D6A489438B8141717A557      c:\windows\ServicePackFiles\i386\aec.sys
[-] 2008-04-13 16:39      142592      8BED39E3C35D6A489438B8141717A557      c:\windows\system32\drivers\aec.sys

[-] 2006-11-01 19:17      927504      925F8B61ED301A317BA850EBEECBDAA0      c:\windows\$NtServicePackUninstall$\mfc40u.dll
[-] 2008-04-14 00:11      927504      CDDD4416B2B4C7295FE3FDB6DDE57E4E      c:\windows\ServicePackFiles\i386\mfc40u.dll
[-] 2008-04-14 00:11      927504      CDDD4416B2B4C7295FE3FDB6DDE57E4E      c:\windows\system32\mfc40u.dll

[-] 2009-02-09 10:56      401408      9222562D44021B988B9F9F62207FB6F2      c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[-] 2006-10-19 20:09      398336      C369DF215D352B6F3A0B8C3469AA34F8      c:\windows\$NtServicePackUninstall$\rpcss.dll
[-] 2008-04-14 00:12      399360      2589FE6015A316C0F5D5112B4DA7B509      c:\windows\$NtUninstallKB956572$\rpcss.dll
[-] 2008-04-14 00:12      399360      2589FE6015A316C0F5D5112B4DA7B509      c:\windows\ServicePackFiles\i386\rpcss.dll
[-] 2009-02-09 12:10      401408      6B27A5C03DFB94B4245739065431322C      c:\windows\system32\rpcss.dll
[-] 2009-02-09 12:10      401408      6B27A5C03DFB94B4245739065431322C      c:\windows\system32\dllcache\rpcss.dll

[-] 2004-08-04 04:56      33792      95FD808E4AC22ABA025A7B3EAC0375D2      c:\windows\$NtServicePackUninstall$\msgsvc.dll
[-] 2008-04-14 00:11      33792      986B1FF5814366D71E0AC5755C88F2D3      c:\windows\ServicePackFiles\i386\msgsvc.dll
[-] 2008-04-14 00:11      33792      986B1FF5814366D71E0AC5755C88F2D3      c:\windows\system32\msgsvc.dll

[-] 2006-10-19 20:13      617472      B0124CB21D28B1C9F678B566B6B57D92      c:\windows\$NtServicePackUninstall$\comctl32.dll
[-] 2008-04-14 00:11      617472      06F247492BC786CE5C24A23E178C711A      c:\windows\ServicePackFiles\i386\comctl32.dll
[-] 2008-04-14 00:11      617472      06F247492BC786CE5C24A23E178C711A      c:\windows\system32\comctl32.dll
[-] 2001-08-23 12:00      921088      AEF3D788DBF40C7C4D204EA45EB0C505      c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[-] 2004-08-04 04:57      1050624      5AF68A5E44734A082442668E9C787743      c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
[-] 2008-04-14 00:12      1054208      BD38D1EBE24A46BD3EDA059560AFBA12      c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

[-] 2001-08-23 12:00      11648      9859C0F6936E723E4892D7141B1327D5      c:\windows\system32\drivers\acpiec.sys

[-] 2004-08-04 04:56      5120      E8A12A12EA9088B4327D49EDCA3ADD3E      c:\windows\$NtServicePackUninstall$\sfc.dll
[-] 2008-04-14 00:12      5120      96E1C926F22EE1BFBAE82901A35F6BF3      c:\windows\ServicePackFiles\i386\sfc.dll
[-] 2008-04-14 00:12      5120      96E1C926F22EE1BFBAE82901A35F6BF3      c:\windows\system32\sfc.dll

[-] 2004-08-04 04:56      407040      96353FCECBA774BB8DA74A1C6507015A      c:\windows\$NtServicePackUninstall$\netlogon.dll
[-] 2008-04-14 00:12      407040      1B7F071C51B77C272875C3A23E1E4550      c:\windows\ServicePackFiles\i386\netlogon.dll
[-] 2008-04-14 00:12      407040      1B7F071C51B77C272875C3A23E1E4550      c:\windows\system32\netlogon.dll

[-] 2004-08-04 04:56      382464      2C69EC7E5A311334D10DD95F338FCCEA      c:\windows\$NtServicePackUninstall$\qmgr.dll
[-] 2008-04-14 00:12      409088      574738F61FCA2935F5265DC4E5691314      c:\windows\ServicePackFiles\i386\qmgr.dll
[-] 2008-04-14 00:12      409088      574738F61FCA2935F5265DC4E5691314      c:\windows\system32\qmgr.dll
[-] 2008-04-14 00:12      409088      574738F61FCA2935F5265DC4E5691314      c:\windows\system32\bits\qmgr.dll

[-] 2004-08-04 04:56      180224      0F78E27F563F2AAF74B91A49E2ABF19A      c:\windows\$NtServicePackUninstall$\scecli.dll
[-] 2008-04-14 00:12      181248      A86BB5E61BF3E39B62AB4C7E7085A084      c:\windows\ServicePackFiles\i386\scecli.dll
[-] 2008-04-14 00:12      181248      A86BB5E61BF3E39B62AB4C7E7085A084      c:\windows\system32\scecli.dll

[-] 2004-08-04 04:56      55808      82B24CB70E5944E6E34662205A2A5B78      c:\windows\$NtServicePackUninstall$\eventlog.dll
[-] 2008-04-14 00:11      56320      6D4FEB43EE538FC5428CC7F0565AA656      c:\windows\ServicePackFiles\i386\eventlog.dll
[-] 2008-04-14 00:11      60928      !HASH: COULD NOT OPEN FILE !!!!!      c:\windows\system32\eventlog.dll

[-] 2004-08-04 03:05      14336      02000ABF34AF4C218C35D257024807D6      c:\windows\$NtServicePackUninstall$\asyncmac.sys
[-] 2008-04-13 18:57      14336      B153AFFAC761E7F5FCFA822B9C4E97BC      c:\windows\ServicePackFiles\i386\asyncmac.sys
[-] 2008-04-13 18:57      14336      B153AFFAC761E7F5FCFA822B9C4E97BC      c:\windows\system32\drivers\asyncmac.sys

[-] 2007-02-09 11:10      574464      19A811EF5F1ED5C926A028CE107FF1AF      c:\windows\$NtServicePackUninstall$\ntfs.sys
[-] 2008-04-13 19:15      574976      78A08DD6A8D65E697C18E1DB01C5CDCA      c:\windows\ServicePackFiles\i386\ntfs.sys
[-] 2008-04-13 19:15      574976      78A08DD6A8D65E697C18E1DB01C5CDCA      c:\windows\system32\drivers\ntfs.sys

[-] 2005-01-28 18:44      25088      140EF97B64F560FD78643CAE2CDAD838      c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2004-08-04 04:56      52224      C086483E3DBA8C1C0A687EC8D5B3D4C1      c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
[-] 2006-10-19 02:47      27136      C51B4A5C05A5475708E3C81C7765B71D      c:\windows\system32\mspmsnsv.dll
[-] 2006-10-19 02:47      27136      C51B4A5C05A5475708E3C81C7765B71D      c:\windows\system32\dllcache\mspmsnsv.dll

[-] 2004-08-04 04:56      129536      EEF46DAB68229A14DA3D8E73C99E2959      c:\windows\$NtServicePackUninstall$\xmlprov.dll
[-] 2008-04-14 00:12      129024      295D21F14C335B53CB8154E5B1F892B9      c:\windows\ServicePackFiles\i386\xmlprov.dll
[-] 2008-04-14 00:12      129024      295D21F14C335B53CB8154E5B1F892B9      c:\windows\system32\xmlprov.dll

[-] 2004-08-04 04:56      60416      10654F9DDCEA9C46CFB77554231BE73B      c:\windows\$NtServicePackUninstall$\cryptsvc.dll
[-] 2008-04-14 00:11      62464      3D4E199942E29207970E04315D02AD3B      c:\windows\ServicePackFiles\i386\cryptsvc.dll
[-] 2008-04-14 00:11      62464      3D4E199942E29207970E04315D02AD3B      c:\windows\system32\cryptsvc.dll

[-] 2004-08-04 04:56      77312      E3CFCCDDA4EDD1D0DC9168B2E18F27B8      c:\windows\$NtServicePackUninstall$\browser.dll
[-] 2008-04-14 00:11      77824      A06CE3399D16DB864F55FAEB1F1927A9      c:\windows\ServicePackFiles\i386\browser.dll
[-] 2008-04-14 00:11      77824      A06CE3399D16DB864F55FAEB1F1927A9      c:\windows\system32\browser.dll

[-] 2006-10-19 20:07      249344      1418A3A6E76E5A2E3F5E43866E793A8B      c:\windows\$NtServicePackUninstall$\tapisrv.dll
[-] 2008-04-14 00:12      249856      3CB78C17BB664637787C9A1C98F79C38      c:\windows\ServicePackFiles\i386\tapisrv.dll
[-] 2008-04-14 00:12      249856      3CB78C17BB664637787C9A1C98F79C38      c:\windows\system32\tapisrv.dll

[-] 2008-06-20 17:46      245248      832E4DD8964AB7ACC880B2837CB1ED20      c:\windows\$hf_mig$\KB951748\SP3GDR\mswsock.dll
[-] 2008-06-20 17:43      245248      FCEE5FCB99F7C724593365C706D28388      c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll
[-] 2008-06-20 17:36      245248      1DFCA7713EA5A70D5D93B436AEA0317A      c:\windows\$NtServicePackUninstall$\mswsock.dll
[-] 2008-04-14 00:12      245248      B4138E99236F0F57D4CF49BAE98A0746      c:\windows\$NtUninstallKB951748$\mswsock.dll
[-] 2004-08-04 04:56      245248      4E74AF063C3271FBEA20DD940CFD1184      c:\windows\$NtUninstallKB951748_0$\mswsock.dll
[-] 2008-04-14 00:12      245248      B4138E99236F0F57D4CF49BAE98A0746      c:\windows\ServicePackFiles\i386\mswsock.dll
[-] 2008-06-20 17:46      245248      832E4DD8964AB7ACC880B2837CB1ED20      c:\windows\system32\mswsock.dll
[-] 2008-06-20 17:46      245248      832E4DD8964AB7ACC880B2837CB1ED20      c:\windows\system32\dllcache\mswsock.dll

[-] 2006-10-19 20:10      197632      3516D8A18B36784B1005B950B84232E1      c:\windows\$NtServicePackUninstall$\netman.dll
[-] 2008-04-14 00:12      198144      13E67B55B3ABD7BF3FE7AAE5A0F9A9DE      c:\windows\ServicePackFiles\i386\netman.dll
[-] 2008-04-14 00:12      198144      13E67B55B3ABD7BF3FE7AAE5A0F9A9DE      c:\windows\system32\netman.dll

[-] 2008-07-07 20:26      253952      D4991D98F2DB73C60D042F1AEF79EFAE      c:\windows\$hf_mig$\KB950974\SP3GDR\es.dll
[-] 2008-07-07 20:23      253952      F17F6226BDC0CD5F0BEF0DAF84D29BEC      c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
[-] 2008-07-07 20:06      253952      A4AB3DCA4A383F0DF4988ABDEB84F9A4      c:\windows\$NtServicePackUninstall$\es.dll
[-] 2008-04-14 00:11      246272      19A799805B24990867B00C120D300C3A      c:\windows\$NtUninstallKB950974$\es.dll
[-] 2006-10-19 20:09      243200      95F5FEA4C6DE2C3F28784D0DCC8F0DD3      c:\windows\$NtUninstallKB950974_0$\es.dll
[-] 2008-04-14 00:11      246272      19A799805B24990867B00C120D300C3A      c:\windows\ServicePackFiles\i386\es.dll
[-] 2008-07-07 20:26      253952      D4991D98F2DB73C60D042F1AEF79EFAE      c:\windows\system32\es.dll
[-] 2008-07-07 20:26      253952      D4991D98F2DB73C60D042F1AEF79EFAE      c:\windows\system32\dllcache\es.dll

[-] 2004-08-04 04:56      170496      92BDF74F12D6CBEC43C94D4B7F804838      c:\windows\$NtServicePackUninstall$\srsvc.dll
[-] 2008-04-14 00:12      171008      3805DF0AC4296A34BA4BF93B346CC378      c:\windows\ServicePackFiles\i386\srsvc.dll
[-] 2008-04-14 00:12      171008      3805DF0AC4296A34BA4BF93B346CC378      c:\windows\system32\srsvc.dll

[-] 2004-08-04 04:56      13824      49911DD39E023BB6C45E4E436CFBD297      c:\windows\$NtServicePackUninstall$\wscntfy.exe
[-] 2008-04-14 00:12      13824      F92E1076C42FCD6DB3D72D8CFE9816D5      c:\windows\ServicePackFiles\i386\wscntfy.exe
[-] 2008-04-14 00:12      13824      F92E1076C42FCD6DB3D72D8CFE9816D5      c:\windows\system32\wscntfy.exe

[-] 2004-08-04 04:56      435200      B62F29C00AC55A761B2E45877D85EA0F      c:\windows\$NtServicePackUninstall$\ntmssvc.dll
[-] 2008-04-14 00:12      435200      156F64A3345BD23C600655FB4D10BC08      c:\windows\ServicePackFiles\i386\ntmssvc.dll
[-] 2008-04-14 00:12      435200      156F64A3345BD23C600655FB4D10BC08      c:\windows\system32\ntmssvc.dll

[-] 2004-08-04 04:56      89088      44DB7A9BDD2FB58747D123FBF1D35ADB      c:\windows\$NtServicePackUninstall$\rasauto.dll
[-] 2008-04-14 00:12      88576      AD188BE7BDF94E8DF4CA0A55C00A5073      c:\windows\ServicePackFiles\i386\rasauto.dll
[-] 2008-04-14 00:12      88576      AD188BE7BDF94E8DF4CA0A55C00A5073      c:\windows\system32\rasauto.dll

[-] 2004-08-04 04:56      1580544      30A609E00BD1D4FFC49D6B5A432BE7F2      c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[-] 2008-04-14 00:12      1614848      9DD07AF82244867CA36681EA2D29CE79      c:\windows\ServicePackFiles\i386\sfcfiles.dll
[-] 2008-04-14 00:12      1614848      9DD07AF82244867CA36681EA2D29CE79      c:\windows\system32\sfcfiles.dll

[-] 2004-08-04 04:56      190976      92360854316611F6CC471612213C3D92      c:\windows\$NtServicePackUninstall$\schedsvc.dll
[-] 2008-04-14 00:12      192512      0A9A7365A1CA4319AA7C1D6CD8E4EAFA      c:\windows\ServicePackFiles\i386\schedsvc.dll
[-] 2008-04-14 00:12      192512      0A9A7365A1CA4319AA7C1D6CD8E4EAFA      c:\windows\system32\schedsvc.dll

[-] 2004-08-04 04:56      59904      3151427DB7D87107D1C5BE58FAC53960      c:\windows\$NtServicePackUninstall$\regsvc.dll
[-] 2008-04-14 00:12      59904      5B19B557B0C188210A56A6B699D90B8F      c:\windows\ServicePackFiles\i386\regsvc.dll
[-] 2008-04-14 00:12      59904      5B19B557B0C188210A56A6B699D90B8F      c:\windows\system32\regsvc.dll

[-] 2004-08-04 04:56      71680      4B8D61792F7175BED48859CC18CE4E38      c:\windows\$NtServicePackUninstall$\ssdpsrv.dll
[-] 2008-04-14 00:12      71680      0A5679B3714EDAB99E357057EE88FCA6      c:\windows\ServicePackFiles\i386\ssdpsrv.dll
[-] 2008-04-14 00:12      71680      0A5679B3714EDAB99E357057EE88FCA6      c:\windows\system32\ssdpsrv.dll

[-] 2007-02-05 20:17      185344      ACA5D98663D879C6BAAFCEA7E2F1B710      c:\windows\$NtServicePackUninstall$\upnphost.dll
[-] 2008-04-14 00:12      185856      1EBAFEB9A3FBDC41B8D9C7F0F687AD91      c:\windows\ServicePackFiles\i386\upnphost.dll
[-] 2008-04-14 00:12      185856      1EBAFEB9A3FBDC41B8D9C7F0F687AD91      c:\windows\system32\upnphost.dll

[-] 2006-12-19 21:50      135168      53D9184A21C5CBF600D918E51EF3A7E5      c:\windows\$NtServicePackUninstall$\shsvcs.dll
[-] 2008-04-14 00:12      135168      1926899BF9FFE2602B63074971700412      c:\windows\ServicePackFiles\i386\shsvcs.dll
[-] 2008-04-14 00:12      135168      1926899BF9FFE2602B63074971700412      c:\windows\system32\shsvcs.dll
.
(((((((((((((((((((((((((((((   SnapShot@2009-08-19_18.43.34   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-19 19:06 . 2009-08-19 19:06      8192              c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2009-08-19 16:19 . 2009-08-19 16:19      8192              c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2009-08-19 19:06 . 2009-08-19 19:06      1028096              c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2005-06-08 20530]
"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2005-06-08 24626]
"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2005-06-08 45106]
"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2005-06-08 20480]
"Client Access PC5250 Sound"="c:\program files\IBM\Client Access\Emulator\pcssnd.exe" [2005-06-08 40960]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"JobHisInit"="c:\program files\RDS\RMClient\JobHisInit.exe" [2005-11-01 151552]
"MplSetUp"="c:\program files\RDS\RMClient\MplSetUp.exe" [2005-06-01 40960]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-16 198160]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-02 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05      356352      ----a-w-      c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2008-12-17 14:34      46392      ----a-w-      c:\program files\Citrix\GoToAssist Express Customer\136\g2ax_winlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-20 19:58      87352      ----a-w-      c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 gupdate1c9a5f289928a3c;Google Update Service (gupdate1c9a5f289928a3c);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-16 133104]
R3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\136\g2ax_service.exe Start=service [x]
R3 HBMW;HBMW;c:\docume~1\dave\LOCALS~1\Temp\HBMW.exe [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-04-09 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-11 74480]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-02-28 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-10-20 47640]
S2 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-03-14 116416]
S2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [2007-06-12 2521880]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-01 101936]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12      REG_MULTI_SZ         Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt      REG_MULTI_SZ         hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2009-08-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-01 12:43]

2009-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-16 04:49]

2009-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-16 04:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://nycourts.gov/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
Trusted Zone: complusdata.com\citrix
TCP: {F4334BEC-3891-471B-8EE9-D36C1D11BAA2} = 10.24.190.162,213.174.139.72
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-19 15:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\isapnp]
"ImagePath"="system32\DRIVERS\isapnp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Kbdclass]
"ImagePath"="system32\DRIVERS\kbdclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbdhid]
"ImagePath"="system32\DRIVERS\kbdhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kmixer]
"ImagePath"="system32\drivers\kmixer.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KSecDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanserver]
"ServiceDll"="%SystemRoot%\System32\srvsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanworkstation]
"ServiceDll"="%SystemRoot%\System32\wkssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lbrtfdc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ldap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LicenseService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LiveUpdate]
"ImagePath"="\"c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LmHosts]
"ServiceDll"="%SystemRoot%\System32\lmhsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LMIInfo]
"ImagePath"="\??\c:\program files\LogMeIn\x86\RaInfo.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LMIMaint]
"ImagePath"="\"c:\program files\LogMeIn\x86\RaMaint.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lmimirr]
"ImagePath"="system32\DRIVERS\lmimirr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LMIRfsClientNP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LMIRfsDriver]
"ImagePath"="\??\c:\windows\system32\drivers\LMIRfsDriver.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LMS]
"ImagePath"="c:\program files\Intel\AMT\LMS.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LogMeIn]
"ImagePath"="\"c:\program files\LogMeIn\x86\LogMeIn.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MDM]
"ImagePath"="\"c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mdmxsdk]
"ImagePath"="system32\DRIVERS\mdmxsdk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Messenger]
"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmdd]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmsrvc]
"ImagePath"="c:\windows\system32\mnmsrvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Modem]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mouclass]
"ImagePath"="system32\DRIVERS\mouclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mouhid]
"ImagePath"="system32\DRIVERS\mouhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MountMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mraid35x]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxDAV]
"ImagePath"="system32\DRIVERS\mrxdav.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxSmb]
"ImagePath"="system32\DRIVERS\mrxsmb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC]
"ImagePath"="c:\windows\system32\msdtc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC Bridge 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Msfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSIServer]
"ImagePath"="%systemroot%\system32\msiexec.exe /V"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSKSSRV]
"ImagePath"="system32\drivers\MSKSSRV.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPCLOCK]
"ImagePath"="system32\drivers\MSPCLOCK.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPQM]
"ImagePath"="system32\drivers\MSPQM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mssmbios]
"ImagePath"="system32\DRIVERS\mssmbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mup]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\napagent]
"ServiceDll"="%SystemRoot%\System32\qagentrt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVENG]
"ImagePath"="\??\c:\progra~1\COMMON~1\SYMANT~1\VIRUSD~1\20090815.003\naveng.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVEX15]
"ImagePath"="\??\c:\progra~1\COMMON~1\SYMANT~1\VIRUSD~1\20090815.003\navex15.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDIS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisTapi]
"ImagePath"="system32\DRIVERS\ndistapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ndisuio]
"ImagePath"="system32\DRIVERS\ndisuio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisWan]
"ImagePath"="system32\DRIVERS\ndiswan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDProxy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Net Driver HPZ12]
"ServiceDll"="c:\windows\system32\HPZinw12.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBIOS]
"ImagePath"="system32\DRIVERS\netbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT]
"ImagePath"="system32\DRIVERS\netbt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDE]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDEdsdm]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netlogon]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netman]
"ServiceDll"="%SystemRoot%\System32\netman.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetTcpPortSharing]
"ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Nla]
"ServiceDll"="%SystemRoot%\System32\mswsock.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Npfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ntfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtLmSsp]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc]
"ServiceDll"="%SystemRoot%\system32\ntmssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Null]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFlt]
"ImagePath"="system32\DRIVERS\nwlnkflt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFwd]
"ImagePath"="system32\DRIVERS\nwlnkfwd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ose]
"ImagePath"="\"c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Parport]
"ImagePath"="system32\DRIVERS\parport.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PartMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ParVdm]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCI]
"ImagePath"="system32\DRIVERS\pci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIDump]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIIde]
"ImagePath"="system32\DRIVERS\pciide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pcmcia]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDCOMP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRELI]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2hib]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfDisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfNet]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfOS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfProc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PlugPlay]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pml Driver HPZ12]
"ServiceDll"="c:\windows\system32\HPZipm12.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PolicyAgent]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PptpMiniport]
"ImagePath"="system32\DRIVERS\raspptp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ProtectedStorage]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ProtexisLicensing]
"ImagePath"="c:\windows\system32\PSIService.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSched]
"ImagePath"="system32\DRIVERS\psched.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ptilink]
"ImagePath"="system32\DRIVERS\ptilink.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PxHelp20]
"ImagePath"="System32\Drivers\PxHelp20.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1080]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ql10wnt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql12160]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1240]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1280]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAcd]
"ImagePath"="system32\DRIVERS\rasacd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAuto]
"ServiceDll"="%SystemRoot%\System32\rasauto.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rasl2tp]
"ImagePath"="system32\DRIVERS\rasl2tp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasMan]
"ServiceDll"="%SystemRoot%\System32\rasmans.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasPppoe]
"ImagePath"="system32\DRIVERS\raspppoe.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Raspti]
"ImagePath"="system32\DRIVERS\raspti.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rdbss]
"ImagePath"="system32\DRIVERS\rdbss.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPCDD]
"ImagePath"="System32\DRIVERS\RDPCDD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rdpdr]
"ImagePath"="system32\DRIVERS\rdpdr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPNP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPWD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDSessMgr]
"ImagePath"="c:\windows\system32\sessmgr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
"ImagePath"="system32\DRIVERS\redbook.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteAccess]
"ServiceDll"="%SystemRoot%\System32\mprdim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteRegistry]
"ServiceDll"="%SystemRoot%\system32\regsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RimUsb]
"ImagePath"="System32\Drivers\RimUsb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RimVSerPort]
"ImagePath"="system32\DRIVERS\RimSerial.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ROOTMODEM]
"ImagePath"="System32\Drivers\RootMdm.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Roxio UPnP Renderer 9]
"ImagePath"="\"c:\program files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Roxio Upnp Server 9]
"ImagePath"="\"c:\program files\Roxio\Digital Home 9\RoxioUpnpService9.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RoxLiveShare9]
"ImagePath"="\"c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RoxMediaDB9]
"ImagePath"="\"c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RoxWatch9]
"ImagePath"="\"c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcLocator]
"ImagePath"="%SystemRoot%\system32\locator.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcSs]
"ServiceDll"="%SystemRoot%\System32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RSVP]
"ImagePath"="%SystemRoot%\system32\rsvp.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SamSs]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SASDIFSV]
"ImagePath"="\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SASENUM]
"ImagePath"="\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SASKUTIL]
"ImagePath"="\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SavRoam]
"ImagePath"="\"c:\program files\Symantec AntiVirus\SavRoam.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="\??\c:\program files\Symantec AntiVirus\savrt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRTPEL]
"ImagePath"="\??\c:\program files\Symantec AntiVirus\Savrtpel.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SCardSvr]
"ImagePath"="%SystemRoot%\System32\SCardSvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Schedule]
"ServiceDll"="%SystemRoot%\system32\schedsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ScsiPort]
"ImagePath"="%SystemRoot%\system32\drivers\scsiport.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Secdrv]
"ImagePath"="system32\DRIVERS\secdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seclogon]
"ServiceDll"="%SystemRoot%\System32\seclogon.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SenFiltService]
"ImagePath"="system32\drivers\Senfilt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SENS]
"ServiceDll"="%SystemRoot%\system32\sens.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\serenum]
"ImagePath"="system32\DRIVERS\serenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Serial]
"ImagePath"="system32\DRIVERS\serial.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelEndpoint 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelOperation 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelService 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sfloppy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ShellHWDetection]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Simbad]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SMSvcHost 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="\"c:\program files\Common Files\Symantec Shared\SNDSrvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sparrow]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SPBBCDrv]
"ImagePath"="\??\c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SPBBCSvc]
"ImagePath"="\"c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\splitter]
"ImagePath"="system32\drivers\splitter.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Spooler]
"ImagePath"="%SystemRoot%\system32\spoolsv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sr]
"ImagePath"="system32\DRIVERS\sr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srservice]
"ServiceDll"="%SystemRoot%\system32\srsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Srv]
"ImagePath"="system32\DRIVERS\srv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SSDPSRV]
"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\stisvc]
"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swenum]
"ImagePath"="system32\DRIVERS\swenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swmidi]
"ImagePath"="system32\drivers\swmidi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SwPrv]
"ImagePath"="c:\windows\system32\dllhost.exe /Processid:{32FA57BF-B0F8-469E-9C45-18A3E337D496}"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swwd]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Symantec AntiVirus]
"ImagePath"="\"c:\program files\Symantec AntiVirus\Rtvscan.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc810]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc8xx]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SymEvent]
"ImagePath"="\??\c:\windows\system32\Drivers\SYMEVENT.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMREDRV]
"ImagePath"="\SystemRoot\System32\Drivers\SYMREDRV.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]
"ImagePath"="\SystemRoot\System32\Drivers\SYMTDI.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_hi]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_u3]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sysaudio]
"ImagePath"="system32\drivers\sysaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SysmonLog]
"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TapiSrv]
"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip]
"ImagePath"="system32\DRIVERS\tcpip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDPIPE]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDTCP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermDD]
"ImagePath"="system32\DRIVERS\termdd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermService]
"ServiceDll"="%SystemRoot%\System32\termsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Themes]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TlntSvr]
"ImagePath"="c:\windows\system32\tlntsvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TosIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TrkWks]
"ServiceDll"="%SystemRoot%\system32\trkwks.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TSDDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Udfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ultra]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UNS]
"ImagePath"="c:\program files\Intel\AMT\UNS.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update]
"ImagePath"="system32\DRIVERS\update.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\upnphost]
"ServiceDll"="%SystemRoot%\System32\upnphost.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPS]
"ImagePath"="%SystemRoot%\System32\ups.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\USB]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbccgp]
"ImagePath"="system32\DRIVERS\usbccgp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbehci]
"ImagePath"="system32\DRIVERS\usbehci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbhub]
"ImagePath"="system32\DRIVERS\usbhub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbprint]
"ImagePath"="system32\DRIVERS\usbprint.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbscan]
"ImagePath"="system32\DRIVERS\usbscan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\USBSTOR]
"ImagePath"="system32\DRIVERS\USBSTOR.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbuhci]
"ImagePath"="system32\DRIVERS\usbuhci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VgaSave]
"ImagePath"="\SystemRoot\System32\drivers\vga.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ViaIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VolSnap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VSS]
"ImagePath"="%SystemRoot%\System32\vssvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W32Time]
"ServiceDll"="%systemroot%\system32\w32time.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W3SVC]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wanarp]
"ImagePath"="system32\DRIVERS\wanarp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wceusbsh]
"ImagePath"="system32\DRIVERS\wceusbsh.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WDICA]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wdmaud]
"ImagePath"="system32\drivers\wdmaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebClient]
"ServiceDll"="%SystemRoot%\System32\webclnt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winachsf]
"ImagePath"="system32\DRIVERS\HSX_CNXT.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Windows Workflow Foundation 3.0.0.0]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt]
"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Winsock]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinSock2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinTrust]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmdmPmSN]
"ServiceDll"="c:\windows\system32\MsPMSNSv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wmi]
"ServiceDll"="%SystemRoot%\System32\advapi32.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApRpl]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApSrv]
"ImagePath"="c:\windows\system32\wbem\wmiapsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WMPNetworkSvc]
"ImagePath"="\"c:\program files\Windows Media Player\WMPNetwk.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WS2IFSL]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wscsvc]
"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauserv]
"ServiceDll"="c:\windows\system32\wuauserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfPf]
"ImagePath"="system32\DRIVERS\WudfPf.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfRd]
"ImagePath"="system32\DRIVERS\wudfrd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfSvc]
"ServiceDll"="%SystemRoot%\System32\WUDFSvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WZCSVC]
"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\XAudio]
"ImagePath"="system32\DRIVERS\xaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\XAudioService]
"ImagePath"="%SystemRoot%\system32\DRIVERS\xaudio.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xmlprov]
"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{F4334BEC-3891-471B-8EE9-D36C1D11BAA2}]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1180)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Citrix\GoToAssist Express Customer\136\g2ax_winlogon.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
B7A97EBC.x86.dll 35670000    53248 \\?\globalroot\Device\__max++>\B7A97EBC.x86.dll

- - - - - - - > 'lsass.exe'(1236)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(744)
c:\program files\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe
c:\program files\RDS\PLTBar.exe
c:\program files\PrintKey2000\Printkey2000.exe
c:\program files\RDS\RMClient\PMCTray.exe
.
**************************************************************************
.
Completion time: 2009-08-19 15:37 - machine was rebooted
ComboFix-quarantined-files.txt  2009-08-19 19:37
ComboFix2.txt  2009-08-19 18:57
ComboFix3.txt  2009-08-19 18:47

Pre-Run: 140,658,302,976 bytes free
Post-Run: 140,647,583,744 bytes free

1014      --- E O F ---      2009-06-11 16:03
08/19/09 12:48 PM, ID: 25136601

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

08/19/09 02:22 PM, ID: 25137514

08/19/09 02:43 PM, ID: 25137685

08/19/09 10:12 PM, ID: 25139501

08/20/09 04:53 AM, ID: 25141280

08/20/09 09:40 AM, ID: 25144554

View this solution now by starting your 30-day free trial. Setting up your free trial is quick, easy, and secure. We will return you to this solution, unlocked, when you're done.

About this solution

Zones: Anti-Virus, Miscellaneous Security, HijackThis Software
Tags: rootkit virus combofix sdfix gmer
Solution Provided By: jmutone
Participating Experts: 5
Solution Grade: A

08/20/09 09:46 AM, ID: 25144614

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

08/20/09 08:55 PM, ID: 25149040

09/02/09 04:07 PM, ID: 25246532