Solved

Virus? Trojan? Mass mailer using IE.

Posted on 2007-12-02
1,407 Views
Last Modified: 2013-11-22
A friend downloaded some kind of trojan that has created havoc on the machine. Some program is constantly trying to send out emails. It had Norton Internet Security earlier, which kept popping up with numerous 'mail scanning' messages. I uninstalled Norton and installed McAfee AntiVirus Plus 2007. The firewall detects IE as a mail client. If I block IE in that section, the mails stop going through. After a couple of restarts, there is another entry for Internet Explorer, and around 40-50 messages, "Santa Claus's present to you id#XXXXXXXXXX...", are trying to be sent.

Norton, McAfee, Spybot and Ad-Aware came up with nothing. This is more like a home-built virus? Any help is appreciated.
Question by: Lance_P

17 Comments
 
Assisted Solution by: IndiGenus (LVL 20), earned 100 total points, ID: 20392362
Sounds like a bot maybe. Give SDFix a try here.

Please download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the SDFix folder and double click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to Reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart as the fixtool will be removing files.
When the desktop loads the Fixtool will complete the removal and display Finished.
Press any key to end the script and to load your desktop icons.
A text file should automatically open, so please upload the contents to http://www.ee-stuff.com or attach it as a code snippet.
 
Accepted Solution by: rpggamergirl (LVL 47), earned 400 total points, ID: 20392370
Run these tools and attach their log files; run ComboFix last.

1.  Can you run HijackThis and show us the log, please?
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
Open HijackThis, click "Do a system scan and save a logfile". Please don't fix anything yet.


2.  Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.

Also, Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "ComboFix.exe" and follow the prompts.
When finished, it will produce a log for you.
Upload the log at EE-Stuff.com for us to check, please, or attach the log file using "Attach Code Snippet".

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


3.  ComboFix will terminate your connection while it's scanning and resume the connection straight after.
If you have issues connecting to your network or the internet after running ComboFix, you can either simply reboot or do the following:
* Go to Control Panel > Network Connections.
* Right-click the network connection icon and select "Repair".
or
Alternatively, if the network icon appears in the notification area in the lower right corner of the desktop, right-click it, and then click Repair on the shortcut menu.
 
Expert Comment by: rpggamergirl (LVL 47), ID: 20392372
Oops, sorry, I didn't refresh and didn't see you had posted.
 
Author Comment by: Lance_P (LVL 9), ID: 20392399
OK, here is the HijackThis log. Working on the other tools.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:26 PM, on 12/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptsn.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 5334 bytes

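Added example, written for this page and not code from the thread or from Trend Micro's HijackThis: a Python first-pass triage of the O2 (BHO), O4 (Run key) and O23 (Service) lines of a HijackThis log like the one above. It parses each entry, pulls out the image path, and flags paths outside C:\WINDOWS and Program Files, paths under a Temp directory, images with no file extension, and services with no publisher string. The heuristics, the flag names and TRUSTED_ROOTS are the editor's own choices. The first five sample lines are copied from the log above; the last three are constructed and hypothetical, shaped the way HijackThis would list the items SDFix reports later in the thread (the startdrv.exe Run key and the "Unknown owner" publisher are assumptions). It also shows a limit: runtime.sys, one of the services SDFix removed, passes every path heuristic, and the hidden services never appeared in the HijackThis log at all, so a clean log is a starting point rather than a verdict.

```python
# Added example, not from the thread: first-pass triage of HijackThis O2/O4/O23 lines.
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
EXE_EXT = ("exe", "dll", "cpl", "sys", "bat", "cmd", "scr", "com", "pif", "ocx")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.*?) - (?P<path>.+)$")
# First executable of a (possibly quoted) command line. The trailing (\s|$) guard
# stops "mcafee.com\agent\mcagent.exe" from being cut at ".com".
FIRST_EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:' + "|".join(EXE_EXT) + r'))"?(?:\s|$)', re.I)


@dataclass
class Entry:
    kind: str                   # "O2", "O4" or "O23"
    name: str
    path: str                   # image path as written in the log
    company: str = ""           # O23 only
    flags: List[str] = field(default_factory=list)


def normalize(path: str) -> str:
    # \??\ is the NT object-namespace prefix that kernel-mode ImagePath values
    # often carry; it is stripped, not flagged, because legitimate drivers use it too.
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def flag_path(path: str) -> List[str]:
    """Path-only heuristics; returns the reasons to look closer (may be empty)."""
    flags: List[str] = []
    p = normalize(path)
    bare = "\\" not in p                 # e.g. rundll32.exe, resolved via PATH
    base = p.rsplit("\\", 1)[-1]
    if "." not in base:
        flags.append("no-extension")     # kprof / poof style image names
    if any(m in p for m in TEMP_MARKERS):
        flags.append("temp-dir")         # nothing persistent belongs in Temp
    if not bare and not p.startswith(TRUSTED_ROOTS):
        flags.append("untrusted-root")   # OEM dirs and malware drop dirs alike
    return flags


def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    if m := O23_RE.match(line):
        company = m["company"].strip()
        e = Entry("O23", m["name"].strip(), m["path"].strip(), company)
        if company in ("", "Unknown owner"):
            e.flags.append("no-publisher")
        e.flags += flag_path(e.path)
        return e
    if m := O4_RE.match(line):
        cmd = m["cmd"].strip()
        fm = FIRST_EXE_RE.match(cmd)
        exe = fm["exe"] if fm else cmd   # no known extension: keep whole command
        e = Entry("O4", m["name"], exe)
        e.flags += flag_path(exe)
        return e
    if m := O2_RE.match(line):
        e = Entry("O2", m["name"].strip(), m["path"].strip())
        e.flags += flag_path(e.path)
        return e
    return None                          # headers, R0/R1, O9 ...: not triaged here


def parse_log(lines: Iterable[str]) -> List[Entry]:
    return [e for e in map(parse_line, lines) if e is not None]


def triage(lines: Iterable[str]) -> List[Entry]:
    """Entries carrying at least one flag, in log order."""
    return [e for e in parse_log(lines) if e.flags]


# Constructed sample. Lines 1-5 are copied from the log above; lines 6-8 are
# hypothetical, shaped as HijackThis would list the items SDFix reported later in
# the thread (the startdrv.exe Run key and "Unknown owner" are assumptions).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O23 - Service: kprof (kprof) - Unknown owner - \??\C:\WINDOWS\system32\kprof
O23 - Service: runtime (runtime) - Unknown owner - \??\C:\WINDOWS\System32\drivers\runtime.sys
""".strip().splitlines()

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:<4} {e.name:<26} {', '.join(e.flags):<28} {e.path}")
```

Run stand-alone, the block prints four lines: ePower_DMC (untrusted root; an OEM utility a reviewer would confirm rather than remove), startdrv.exe (Temp directory), and the two hypothetical services (no publisher; kprof also has no extension). The rpcapd remote packet capture service passes every heuristic and is only noticeable by reading the O23 entry itself, which is the kind of item this pass is meant to leave for the human.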
 
Author Comment by: Lance_P (LVL 9), ID: 20392409
Just something more to mention: I'm getting IRQL_NOT_LESS_OR_EQUAL BSODs. Will check which driver is causing the problem later, unless it's related to this.
 
Author Comment by: Lance_P (LVL 9), ID: 20392460
OK. Here's the report from SDFix.

I'm guessing it has done its job better than CA and Symantec.


SDFix: Version 1.116
Run by Dipti on Sun 12/02/2007 at 01:38 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
kprof
ntio256
poof
runtime

Path:
\??\C:\WINDOWS\system32\kprof
\??\C:\WINDOWS\system32\ntio256.sys
\??\C:\WINDOWS\system32\poof
\??\C:\WINDOWS\System32\drivers\runtime.sys

kprof - Deleted
ntio256 - Deleted
poof - Deleted
runtime - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:
C:\WINDOWS\system32\8_exception.nls  - Deleted
C:\WINDOWS\system32\koos.exe  - Deleted
C:\WINDOWS\system32\kprof  - Deleted
C:\WINDOWS\system32\poof  - Deleted

Could Not Remove C:\WINDOWS\Temp\startdrv.exe

Removing Temp Files...

ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:
 

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 13:43:04
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...
HKLM\SYSTEM\CurrentControlSet\Services\.NETFrameworkorking
HKLM\SYSTEM\CurrentControlSet\Services\Abiosdskeworkorking
HKLM\SYSTEM\CurrentControlSet\Services\abp480n5eworkorking
HKLM\SYSTEM\CurrentControlSet\Services\ACPIMemUsageCheckService
HKLM\SYSTEM\CurrentControlSet\Services\ACPIECmUsageCheckService
HKLM\SYSTEM\CurrentControlSet\Services\adpu160msageCheckService
HKLM\SYSTEM\CurrentControlSet\Services\aecu160msageCheckService
HKLM\SYSTEM\CurrentControlSet\Services\AegisP0msageCheckService
HKLM\SYSTEM\CurrentControlSet\Services\AFDisP0msageCheckService
HKLM\SYSTEM\CurrentControlSet\Services\AgereSoftModemeckService
HKLM\SYSTEM\CurrentControlSet\Services\agp440oftModemeckService
HKLM\SYSTEM\CurrentControlSet\Services\agpCPQoftModemeckService
HKLM\SYSTEM\CurrentControlSet\Services\Aha154xftModemeckService
HKLM\SYSTEM\CurrentControlSet\Services\aic78u2ftModemeckService
HKLM\SYSTEM\CurrentControlSet\Services\aic78xxftModemeckService
HKLM\SYSTEM\CurrentControlSet\Services\AlerterftModemeckService
HKLM\SYSTEM\CurrentControlSet\Services\ALGrterftModemeckService
HKLM\SYSTEM\CurrentControlSet\Services\AliIderftModemeckService
HKLM\SYSTEM\CurrentControlSet\Services\alim1541tModemeckService
HKLM\SYSTEM\CurrentControlSet\Services\amdagp41tModemeckService
HKLM\SYSTEM\CurrentControlSet\Services\amsint41tModemeckService
HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt1tModemeckService
HKLM\SYSTEM\CurrentControlSet\Services\Arp13941tModemeckService
HKLM\SYSTEM\CurrentControlSet\Services\asc13941tModemeckService
HKLM\SYSTEM\CurrentControlSet\Services\asc3350ptModemeckService
HKLM\SYSTEM\CurrentControlSet\Services\asc3550ptModemeckService
HKLM\SYSTEM\CurrentControlSet\Services\ASP.NETptModemeckService
HKLM\SYSTEM\CurrentControlSet\Services\ASP.NET_1.1.4322kService
HKLM\SYSTEM\CurrentControlSet\Services\aspnet_state4322kService
HKLM\SYSTEM\CurrentControlSet\Services\AsyncMactate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\atapiMactate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\Atdiskactate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\Atmarpcctate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\AudioSrvtate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\audstubvtate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\BattCubvtate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\BeepCubvtate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\BITSCubvtate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\Browservtate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\btaudiovtate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\BTDrivertate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\BthEnumrtate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\BthPanmrtate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\BTHPORTrtate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\BthServrtate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\BTHUSBvrtate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\BTKRNLvrtate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\BTSERIALtate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\btwdinsLtate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\BTWDNDIState4322kService
HKLM\SYSTEM\CurrentControlSet\Services\BTWUSBIState4322kService
HKLM\SYSTEM\CurrentControlSet\Services\catchmeState4322kService
HKLM\SYSTEM\CurrentControlSet\Services\cbidfmeState4322kService
HKLM\SYSTEM\CurrentControlSet\Services\cbidf2kState4322kService
HKLM\SYSTEM\CurrentControlSet\Services\CCDECODEtate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\cd20xrnttate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\Cdaudiottate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\Cdfsdiottate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\Cdromiottate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\Changerttate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\CiSvcerttate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\CLCapSvctate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\ClipSrvctate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\CLSchedctate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\CmBattdctate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\CmdIdedctate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\Compbatttate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\COMSysAppate4322kService
HKLM\SYSTEM\CurrentControlSet\Services\ContentFilter322kService
HKLM\SYSTEM\CurrentControlSet\Services\ContentIndexr322kService
HKLM\SYSTEM\CurrentControlSet\Services\Cpqarrayndexr322kService
HKLM\SYSTEM\CurrentControlSet\Services\CryptSvcndexr322kService
HKLM\SYSTEM\CurrentControlSet\Services\dac2w2knk Media Library Service
HKLM\SYSTEM\CurrentControlSet\Services\dac960ntk Media Library Service
HKLM\SYSTEM\CurrentControlSet\Services\DcCam0ntk Media Library Service
HKLM\SYSTEM\CurrentControlSet\Services\DcomLaunchMedia Library Service
HKLM\SYSTEM\CurrentControlSet\Services\DhcpLaunchMedia Library Service
HKLM\SYSTEM\CurrentControlSet\Services\DiskLaunchMedia Library Service
HKLM\SYSTEM\CurrentControlSet\Services\DKbFltrnchMedia Library Service
HKLM\SYSTEM\CurrentControlSet\Services\dmadminnchMedia Library Service
HKLM\SYSTEM\CurrentControlSet\Services\dmbootnnchMedia Library Service
HKLM\SYSTEM\CurrentControlSet\Services\dmiootnnchMedia Library Service
HKLM\SYSTEM\CurrentControlSet\Services\dmloadnnchMedia Library Service
HKLM\SYSTEM\CurrentControlSet\Services\dmserverchMedia Library Service
HKLM\SYSTEM\CurrentControlSet\Services\DMusicerchMedia Library Service
HKLM\SYSTEM\CurrentControlSet\Services\DnscachechMedia Library Service
HKLM\SYSTEM\CurrentControlSet\Services\dpti2ohechMedia Library Service
HKLM\SYSTEM\CurrentControlSet\Services\drmkaudechMedia Library Service
HKLM\SYSTEM\CurrentControlSet\Services\eeCtrldechMedia Library Service
HKLM\SYSTEM\CurrentControlSet\Services\EmproxyechMedia Library Service
HKLM\SYSTEM\CurrentControlSet\Services\EpmPsdyechMedia Library Service
HKLM\SYSTEM\CurrentControlSet\Services\EpmShdyechMedia Library Service
HKLM\SYSTEM\CurrentControlSet\Services\ERSvcdyechMedia Library Service
HKLM\SYSTEM\CurrentControlSet\Services\EventlogchMedia Library Service
HKLM\SYSTEM\CurrentControlSet\Services\EventSystemedia Library Service
HKLM\SYSTEM\CurrentControlSet\Services\EvtEngystemedia Library Service
HKLM\SYSTEM\CurrentControlSet\Services\Fastfatstemedia Library Service
HKLM\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\FaxtUserSwitchingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\FdctUserSwitchingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\FipsUserSwitchingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\FlpydiskSwitchingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\FltMgrskSwitchingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\Fs_RecskSwitchingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\FtdiskskSwitchingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\GpciskskSwitchingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\HDAudBusSwitchingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\helpsvcsSwitchingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\HidServsSwitchingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\hpnServsSwitchingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\HTTPervsSwitchingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\HTTPFilteritchingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\i2omgmtteritchingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\i2ompmtteritchingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\i8042prteritchingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\ialm2prteritchingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\IDriverTeritchingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\ImapierTeritchingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\ImapiServicechingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\inetaccsvicechingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\ini910usvicechingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\InportusvicechingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\int15tusvicechingCompatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\IntcAzAudAddServicempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\IntelIdedAddServicempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\intelppmdAddServicempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\Ip6FwppmdAddServicempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\IpFilterDriverrvicempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\IpInIperDriverrvicempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\IpNatperDriverrvicempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\IPSecperDriverrvicempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\irdacperDriverrvicempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\IRENUMerDriverrvicempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\IrmonMerDriverrvicempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\ISAPISearchverrvicempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\isapnpearchverrvicempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\Kbdclassrchverrvicempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\kmixerssrchverrvicempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\KSecDDssrchverrvicempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\lanmanservererrvicempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstationcempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\lbrtfdcorkstationcempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\ldapfdcorkstationcempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\LicenseServiceioncempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\LightScribeServiceempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\LmHostsribeServiceempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\lv321avribeServiceempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\lvmvdrvribeServiceempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\LVPrcMonibeServiceempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\LVPrcSrvibeServiceempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\LVUSBStaibeServiceempatibilitye
HKLM\SYSTEM\CurrentControlSet\Services\McAfee HackerWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\mcmispupdmgrrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\mcmscsvcdmgrrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\McNASvccdmgrrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\McODSvccdmgrrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\mcpromgrdmgrrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\McRedirectorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\McShieldctorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\McSysmonctorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\MessengertorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\mfeavfkertorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\mfebopkertorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\mfehidkertorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\mferkdkertorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\mfesmfkertorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\mnmddfkertorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\mnmsrvcertorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\ModemvcertorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\MouclassrtorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\MountMgrrtorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\MPFPtMgrrtorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\MpfServiceorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\mraid35xceorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV5xceorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\MRxSmb5xceorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\MSDTCb5xceorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\MsfsCb5xceorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\MSIServereorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\MSKSSRVereorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\MSPCLOCKreorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\MSPQMOCKreorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\mssmbiosreorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\MSTEEiosreorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\MupEEiosreorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\NABTSFECreorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\NDISSFECreorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\NdisIPECreorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\NdisTapireorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\NdisuioireorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\NdisWanireorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\NDProxyireorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\NetBIOSireorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\NetBTOSireorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\NetDDESireorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\NetDDEdsdmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\NetlogondmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\NetmanondmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\NIC1394ndmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\Nla1394ndmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\nma1394ndmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\NPF1394ndmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\Npfs394ndmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\NSCIRDAndmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\NtfsRDAndmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\NTIDrvrndmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\NtLmSspndmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\NtmsSvcndmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\NullSvcndmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\NwlnkFltdmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\NwlnkFwddmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\ohci1394dmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\Parport4dmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\PartMgr4dmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\ParVdmr4dmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\PCIVdmr4dmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump4dmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\PCIIdep4dmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\Pcmciap4dmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\PDCOMPp4dmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\PDFRAME4dmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\PDRELIE4dmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\PDRFRAMEdmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\perc2AMEdmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\perc2hibdmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\PerfDiskdmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\PerfNetkdmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\PerfOStkdmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\PerfProcdmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\PlugPlaydmorrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgentrrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\PortProxyntrrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\PptpMiniportrWatch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\ProtectedStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\PSchedtedStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\psdfilterStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\psdvdiskrStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\PtilinkkrStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\PxHelp20rStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\ql108020rStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\Ql10wnt0rStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\ql121600rStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\ql124000rStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\ql128000rStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\RasAcd00rStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\RasAuto0rStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\Rasirda0rStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\Rasl2tp0rStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\RasManp0rStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\RasPppoerStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\RasptioerStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\RdbssioerStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\RDPCDDoerStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\RDPDDDoerStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\rdpdrDoerStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\RDPNPDoerStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\RDPWDDoerStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgrStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\redbookgrStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\RegSrvcgrStoragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccessragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\RFCOMMAccessragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\RichVideoessragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\rpcapddeoessragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\RpcLocatorssragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\RpcSscatorssragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\RSVPscatorssragech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\S24EventMonitorech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\s24transMonitorech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\SamSsansMonitorech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\SCardSvrMonitorech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\ScheduleMonitorech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\SecdrvleMonitorech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\seclogonMonitorech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\SENSogonMonitorech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\serenumnMonitorech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\SerialmnMonitorech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\SfloppynMonitorech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccesstorech Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\ShellHWDetectionch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\SimbadWDetectionch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\sisagpWDetectionch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\SLIPgpWDetectionch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\SparrowDetectionch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\splitteretectionch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\Spoolerretectionch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\sroolerretectionch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\srservicetectionch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\Srvervicetectionch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRVcetectionch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\stisvcVcetectionch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\streamipetectionch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\swenumipetectionch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\swmidiipetectionch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\SwPrviipetectionch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\symc810petectionch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\symc8xxpetectionch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\sym_hixpetectionch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\sym_u3xpetectionch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\SynTP3xpetectionch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\sysaudioetectionch Servicelitye
HKLM\SYSTEM\CurrentControlSet\Services\SysmonLogtectionch Servicelitye

HKLM\SYSTEM\CurrentControlSet\Services\TapiSrvogtectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\Tcpiprvogtectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\TDPIPEvogtectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\TDTCPEvogtectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\TermDDvogtectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\TermServicectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\Themesrvicectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\tifm21rvicectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\TosIdervicectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\TrkWksrvicectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\TSDDDsrvicectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\tunmpsrvicectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\tvicporticectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\UBHelpericectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\Udfslpericectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\ultrapericectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\Updateericectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\upnphosticectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\UPSphosticectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\usbphosticectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\usbehciticectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\usbhubiticectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\usbscanticectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\USBSTORticectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\usbuhciticectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\VgaSaveticectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\viaagpeticectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\ViaIdeeticectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\VolSnapticectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\VSSSnapticectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\W32Timeticectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\w39n51eticectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\W3SVC1eticectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\Wanarpeticectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\WDICApeticectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\wdmaudeticectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\WebClientcectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\winmgmtntcectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\Winsockntcectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2tcectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\WinTrusttcectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSNtcectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\WmiAcpiNtcectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpltcectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\WmiApSrvtcectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\WS2IFSLvtcectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\wscsvcLvtcectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\WSTCODECtcectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\wuauservtcectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\WZCSVCrvtcectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\xlavba8vtcectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\xmlprovvtcectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\yukonwxptcectionch Servicelitye
 

HKLM\SYSTEM\CurrentControlSet\Services\zntportptcectionch Servicelitye
 

scanning hidden autostart entries ...
 

scanning hidden files ...
 
 

scan completed successfully

hidden processes: 0

hidden services: 356

hidden files: 0
 
 

Remaining Services:

------------------
 
 
 

Authorized Application Key Export:
 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"="C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe:*:Disabled:CyberLink PowerCinema Resident Program"

"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Messenger\\MSMSGS.EXE"="C:\\Program Files\\Messenger\\MSMSGS.EXE:*:Disabled:Windows Messenger"

"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Disabled:Yahoo! FT Server"

"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"

"C:\\Program Files\\Common Files\\McAfee\\mna\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\mna\\McNASvc.exe:*:Enabled:McAfee Network Agent"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
 

Remaining Files:

---------------

C:\WINDOWS\Temp\startdrv.exe  Found
 

File Backups: - C:\SDFix\backups\backups.zip
 

Files with Hidden Attributes:
 

Tue  1 Aug 2006         1,024 ...HR --- "C:\WINDOWS\system32\NTICDMK7.dll"

Tue  1 Aug 2006         1,024 ...HR --- "C:\WINDOWS\system32\NTIMP3.dll"

Tue  1 Aug 2006         1,024 ...HR --- "C:\WINDOWS\system32\NTIMPEG2.dll"

Tue  1 Aug 2006         1,024 ...HR --- "C:\WINDOWS\system32\NTIFCD3.dll"

Tue  1 Aug 2006         1,024 ...HR --- "C:\WINDOWS\system32\NTIBUN4.dll"

Wed 31 Oct 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BIT1.tmp"
 

Finished! 


0
 
LVL 9

Author Comment

by:Lance_P
ID: 20392476
I tried to run ComboFix .. and it came up with the same BSOD, IRQL_NOT ...

Stop: 0x0000000A (0x00000000, 0x0000001C, 0x00000000, 0x804F8A3B)
0
 
LVL 9

Author Comment

by:Lance_P
ID: 20392523
Rebooted and tried ComboFix again .. no go. BSOD

Stop: 0x0000007F (0x0000000D , 0x00000000 , 0x00000000, 0x00000000)
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20392618
There's a file that SDFix missed.... delete that file and we'll see if ComboFix runs afterwards.
SDFix was supposed to have been updated to delete this file --> C:\WINDOWS\Temp\startdrv.exe
but somehow it must've been left out of the updates.

You can delete it yourself in safe mode or using a third party tool like Killbox (delete on reboot), or try using Avenger just to make sure.

Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger.zip

   *Click on Avenger.zip to open the file
   *Extract avenger.exe to your desktop

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy, then paste the following text (all text inside the lines below):

-----------------------------------------------------------------------------------------------------------
Files to delete:
C:\WINDOWS\Temp\startdrv.exe

Registry values to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | startdrv
------------------------------------------------------------------------------------------------------------

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt when you're done.
0
 
LVL 9

Author Comment

by:Lance_P
ID: 20392633
Well, I did not do that, but while I was waiting I uninstalled McAfee and IE7, along with everything that was installed in the past 3 days including updates etc.. did not want to take any chances.

After rebooting I ran ComboFix again and it ran this time. No BSOD. Here's the log.
ComboFix 07-12-02.5 - Dipti 2007-12-02 14:25:08.1 - [color=red][b]FAT32[/b][/color]x86

Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.603 [GMT -8:00]

Running from: C:\ComboFix.exe

 * Created a new restore point

.
 

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.
 

C:\Documents and Settings\acer\ResErrors.log

C:\Documents and Settings\All Users\Application Data.\salesmonitor

C:\WINDOWS\system32\1_exception.nls

C:\WINDOWS\system32\drivers\ctl_w32.sys

C:\WINDOWS\system32\drivers\npf.sys

C:\WINDOWS\system32\packet.dll

C:\WINDOWS\system32\pthreadVC.dll

C:\WINDOWS\system32\WanPacket.dll

C:\WINDOWS\system32\wpcap.dll
 

.

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
 

.

-------\LEGACY_CTL_W32

-------\LEGACY_FMTR

-------\LEGACY_NTIO256

-------\LEGACY_POOF

-------\LEGACY_RUNTIME

-------\LEGACY_XLAVBA8

-------\nm

-------\NPF

-------\runtime

-------\xlavba8
 
 

(((((((((((((((((((((((((   Files Created from 2007-11-02 to 2007-12-02  )))))))))))))))))))))))))))))))

.
 

2007-12-02 14:14 . 2007-12-02 14:14	230	--a------	C:\WINDOWS\system32\spupdsvc.inf

2007-12-02 14:06 . 2007-12-02 14:06	<DIR>	d--hs----	C:\FOUND.003

2007-12-02 13:53 . 2007-12-02 13:53	<DIR>	d--hs----	C:\FOUND.002

2007-12-02 13:37 . 2007-12-02 13:37	<DIR>	d--------	C:\WINDOWS\SDFIX

2007-12-02 13:32 . 2007-12-02 13:32	<DIR>	d--hs----	C:\FOUND.001

2007-12-02 13:27 . 2007-12-03 01:26	1,540,811	--a------	C:\ComboFix.exe

2007-12-02 13:27 . 2007-12-03 01:27	812,344	--a------	C:\HJTInstall.exe

2007-12-02 13:20 . 2007-12-02 13:20	1,221,897	--a------	C:\SDFix.exe

2007-12-02 00:42 . 2007-12-02 00:42	<DIR>	d--hs----	C:\FOUND.000

2007-12-02 00:23 . 2007-08-13 18:40	991,232	--a------	C:\WINDOWS\system32\ieframe.dll.mui

2007-12-01 23:48 . 2007-12-01 23:49	<DIR>	d--------	C:\Program Files\Lavasoft

2007-12-01 14:30 . 2007-12-01 14:30	<DIR>	d--hs----	C:\Documents and Settings\Dipti\UserData

2007-12-01 14:12 . 2007-12-01 14:12	<DIR>	d--------	C:\Program Files\Trend Micro

2007-12-01 14:05 . 2007-12-01 14:05	<DIR>	d--------	C:\Documents and Settings\Dipti\Application Data\McAfee

2007-12-01 12:52 . 2007-12-02 14:18	14,006	--a------	C:\WINDOWS\system32\Config.MPF

2007-12-01 12:30 . 2007-12-01 12:30	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\McAfee

2007-11-30 16:06 . 2007-11-30 16:07	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-11-30 15:48 . 2007-11-30 15:48	<DIR>	d--------	C:\Documents and Settings\Dipti\Application Data\Yahoo!

2007-11-30 15:39 . 2007-11-30 15:39	<DIR>	d--------	C:\Documents and Settings\Dipti\Bluetooth Software

2007-11-30 11:03 . 2007-11-30 11:03	<DIR>	d---s----	C:\Documents and Settings\acer\UserData

2007-11-25 12:37 . 2007-11-25 12:37	<DIR>	d--------	C:\Documents and Settings\acer\Application Data\AdobeUM

2007-11-11 06:19 . 2007-11-28 09:16	754	--a------	C:\WINDOWS\WORDPAD.INI

2007-11-05 08:29 . 2007-11-05 08:29	<DIR>	d--------	C:\Documents and Settings\acer\Application Data\AVSystemCare

2007-11-05 08:29 . 2001-03-08 18:30	24,064	--a------	C:\WINDOWS\system32\msxml3a.dll

2007-11-04 01:49 . 2007-11-04 01:49	<DIR>	d--------	C:\WINDOWS\system32\color

2007-11-04 01:49 . 2007-11-04 01:49	<DIR>	d--------	C:\Program Files\Common Files\Kodak

2007-11-04 01:49 . 2007-11-04 01:49	<DIR>	d--------	C:\KPCMS

2007-11-04 01:48 . 2007-11-04 01:48	<DIR>	d--------	C:\Program Files\Kodak

2007-11-04 01:45 . 2007-11-04 01:46	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Kodak

2007-11-04 00:14 . 2001-08-17 22:36	5,632	--a------	C:\WINDOWS\system32\ptpusb.dll

2007-11-04 00:13 . 2004-08-04 00:56	159,232	--a------	C:\WINDOWS\system32\ptpusd.dll

2007-11-04 00:13 . 2004-08-03 22:58	15,104	--a------	C:\WINDOWS\system32\drivers\usbscan.sys

2007-11-04 00:13 . 2004-08-03 22:58	15,104	--a------	C:\WINDOWS\system32\dllcache\usbscan.sys

2007-11-02 14:53 . 2007-11-02 14:53	20,992	--a------	C:\WINDOWS\loos.exe
 

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-10-31 11:02	---------	d-----w	C:\Program Files\MSXML 4.0

2007-10-31 08:14	---------	d-----w	C:\Documents and Settings\acer\Application Data\LimeWire

2007-10-31 08:12	---------	d-----w	C:\Program Files\Java

2007-10-31 08:11	---------	d-----w	C:\Program Files\LimeWire

2007-10-31 08:11	---------	d-----w	C:\Program Files\Common Files\Java

2007-10-31 07:24	---------	d-----w	C:\Documents and Settings\acer\Application Data\Yahoo!

2007-10-31 07:13	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Yahoo!

2007-10-26 03:36	8,454,656	----a-w	C:\WINDOWS\system32\dllcache\shell32.dll

.
 

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 
 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43]

"Salestart"="C:\Program Files\Common Files\AVSystemCare\bm.exe" []

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-29 06:13]

"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-19 09:41]

"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-07-12 15:48]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-13 09:57]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 C:\WINDOWS\system32\bthprops.cpl]

"WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [2006-09-23 13:08]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

"RTHDCPL"="RTHDCPL.EXE" [2006-07-19 09:42 C:\WINDOWS\RTHDCPL.exe]

"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]

"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]

"PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2006-05-17 19:04]

"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 11:15]

"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]

"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2006-06-23 10:39]

"LogitechVideo[inspector]"="C:\Program Files\Acer\OrbiCam\InstallHelper.exe" [2006-06-26 15:55]

"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 18:22]

"LogitechCameraAssistant"="C:\Program Files\Acer\OrbiCam\CameraAssistant.exe" [2006-06-26 15:47]

"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2006-07-14 12:13]

"LaunchApp"="Alaunch" []

"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-13 09:57]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-06-13 09:57]

"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 14:40]

"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 15:00]

"Boot"="C:\Acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 22:12]

"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 21:50 C:\WINDOWS\AGRSMMSG.exe]

"Acer ePresentation HPD"="C:\Acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-06-07 20:18]
 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe [2005-03-10 09:40:30]

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]

Acer Empowering Technology.lnk - C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-06-29 10:45:00]

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

			SkyTel.EXE
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"LiveUpdate Notice Service"=2 (0x2)

"LiveUpdate"=3 (0x3)
 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"ePower_DMC"=C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
 

R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys

R2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys

R2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys

R2 int15;int15;\??\C:\WINDOWS\system32\drivers\int15.sys

R2 tvicport;tvicport;\??\C:\WINDOWS\system32\drivers\tvicport.sys

R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys

R3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys

R3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys

R3 psdfilter;psdfilter;\??\C:\WINDOWS\system32\Drivers\psdfilter.sys

R3 psdvdisk;psdvdisk;\??\C:\WINDOWS\system32\Drivers\psdvdisk.sys
 

.

**************************************************************************
 

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-02 14:28:12

Windows 5.1.2600 Service Pack 2 FAT NTAPI
 

scanning hidden processes ... 
 

scanning hidden autostart entries ...
 

scanning hidden files ... 
 

scan completed successfully 

hidden files: 0 
 

**************************************************************************

.

Completion time: 2007-12-02 14:29:21 - machine was rebooted

.

	--- E O F ---


0
 
LVL 9

Author Comment

by:Lance_P
ID: 20392651
Prior to running ComboFix.. something was still uploading data.. although McAfee died on me and was not detecting any network traffic.. Now it all seems to have come to a standstill.

Please let me know if you figure out anything more from the logs. I'll keep it under observation for a day at least.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20392904
>>Could Not Remove C:\WINDOWS\Temp\startdrv.exe <<
The file that SDFix found and couldn't remove is not showing in the CF log; if you didn't remove it, it looks like it's gone.
ComboFix also removed some bad files there, and also files related to AVSystemCare that still needed to come off.

If you still have AVSystemCare please remove it, or we'll just delete the relevant entries that CF found. If you find an AVSystemCare folder in Program Files delete that also.

Open notepad and copy/paste the text inside the lines below into it
--------------------------------------------------------------
File::
C:\WINDOWS\loos.exe

Folder::
C:\Documents and Settings\acer\Application Data\AVSystemCare

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Salestart"=-
--------------------------------------------------------------

Save this as CFScript in the same location as ComboFix.exe
then drag CFScript.txt into ComboFix.exe

This will start ComboFix again. Follow the prompts. After reboot, (in case it asks to reboot), attach the result.
0
 
LVL 9

Author Comment

by:Lance_P
ID: 20393120
Gamergirl,
Here's the log. Looks like the internet activity has stopped. The BSODs seem to have stopped.
ComboFix 07-12-02.5 - Dipti 2007-12-02 16:47:41.2 - [color=red][b]FAT32[/b][/color]x86

Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.691 [GMT -8:00]

Running from: C:\ComboFix.exe

Command switches used :: C:\CFScript.txt.txt

 * Created a new restore point
 

FILE

C:\Windows\loos.exe

.
 

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.
 

C:\Documents and Settings\acer\Application Data\AVSystemCare

C:\Documents and Settings\acer\Application Data\AVSystemCare\avtasks.dat

C:\Documents and Settings\acer\Application Data\AVSystemCare\Logs\av.log

C:\Documents and Settings\acer\Application Data\AVSystemCare\Logs\ga6Support.log

C:\Documents and Settings\acer\Application Data\AVSystemCare\Logs\update.log

C:\Windows\loos.exe
 

.

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
 

.

-------\ctl_w32
 
 

(((((((((((((((((((((((((   Files Created from 2007-11-03 to 2007-12-03  )))))))))))))))))))))))))))))))

.
 

2007-12-02 16:49 . 2007-12-02 16:49	<DIR>	d--------	C:\QUARANTINE

2007-12-02 14:40 . 2007-12-02 14:40	<DIR>	d--------	C:\Program Files\Common Files\Cisco Systems

2007-12-02 14:40 . 2006-11-17 03:06	1,495,552	--a------	C:\WINDOWS\system32\epoPGPsdk.dll

2007-12-02 14:40 . 2006-11-17 03:06	280	--a------	C:\WINDOWS\system32\epoPGPsdk.dll.sig

2007-12-02 14:39 . 2007-12-02 14:39	<DIR>	d--------	C:\Program Files\McAfee

2007-12-02 14:39 . 2007-12-02 14:39	<DIR>	d--------	C:\Program Files\Common Files\McAfee

2007-12-02 14:39 . 2006-11-30 08:50	168,776	--a------	C:\WINDOWS\system32\drivers\mfehidk.sys

2007-12-02 14:39 . 2006-11-30 08:50	72,264	--a------	C:\WINDOWS\system32\drivers\mfeavfk.sys

2007-12-02 14:39 . 2006-11-30 08:50	64,360	--a------	C:\WINDOWS\system32\drivers\mfeapfk.sys

2007-12-02 14:39 . 2006-11-30 08:50	52,136	--a------	C:\WINDOWS\system32\drivers\mfetdik.sys

2007-12-02 14:39 . 2006-11-30 08:50	34,152	--a------	C:\WINDOWS\system32\drivers\mfebopk.sys

2007-12-02 14:14 . 2007-12-02 14:14	230	--a------	C:\WINDOWS\system32\spupdsvc.inf

2007-12-02 14:06 . 2007-12-02 14:06	<DIR>	d--hs----	C:\FOUND.003

2007-12-02 13:53 . 2007-12-02 13:53	<DIR>	d--hs----	C:\FOUND.002

2007-12-02 13:37 . 2007-12-02 13:37	<DIR>	d--------	C:\WINDOWS\SDFIX

2007-12-02 13:32 . 2007-12-02 13:32	<DIR>	d--hs----	C:\FOUND.001

2007-12-02 13:27 . 2007-12-03 01:26	1,540,811	--a------	C:\ComboFix.exe

2007-12-02 13:27 . 2007-12-03 01:27	812,344	--a------	C:\HJTInstall.exe

2007-12-02 13:20 . 2007-12-02 13:20	1,221,897	--a------	C:\SDFix.exe

2007-12-02 00:42 . 2007-12-02 00:42	<DIR>	d--hs----	C:\FOUND.000

2007-12-02 00:23 . 2007-08-13 18:40	991,232	--a------	C:\WINDOWS\system32\ieframe.dll.mui

2007-12-01 23:48 . 2007-12-01 23:49	<DIR>	d--------	C:\Program Files\Lavasoft

2007-12-01 14:30 . 2007-12-01 14:30	<DIR>	d--hs----	C:\Documents and Settings\Dipti\UserData

2007-12-01 14:12 . 2007-12-01 14:12	<DIR>	d--------	C:\Program Files\Trend Micro

2007-12-01 14:05 . 2007-12-01 14:05	<DIR>	d--------	C:\Documents and Settings\Dipti\Application Data\McAfee

2007-12-01 12:52 . 2007-12-02 14:18	14,006	--a------	C:\WINDOWS\system32\Config.MPF

2007-12-01 12:30 . 2007-12-01 12:30	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\McAfee

2007-11-30 16:06 . 2007-11-30 16:07	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-11-30 15:48 . 2007-11-30 15:48	<DIR>	d--------	C:\Documents and Settings\Dipti\Application Data\Yahoo!

2007-11-30 15:39 . 2007-11-30 15:39	<DIR>	d--------	C:\Documents and Settings\Dipti\Bluetooth Software

2007-11-30 11:03 . 2007-11-30 11:03	<DIR>	d---s----	C:\Documents and Settings\acer\UserData

2007-11-25 12:37 . 2007-11-25 12:37	<DIR>	d--------	C:\Documents and Settings\acer\Application Data\AdobeUM

2007-11-11 06:19 . 2007-11-28 09:16	754	--a------	C:\WINDOWS\WORDPAD.INI

2007-11-05 08:29 . 2001-03-08 18:30	24,064	--a------	C:\WINDOWS\system32\msxml3a.dll

2007-11-04 01:49 . 2007-11-04 01:49	<DIR>	d--------	C:\WINDOWS\system32\color

2007-11-04 01:49 . 2007-11-04 01:49	<DIR>	d--------	C:\Program Files\Common Files\Kodak

2007-11-04 01:49 . 2007-11-04 01:49	<DIR>	d--------	C:\KPCMS

2007-11-04 01:48 . 2007-11-04 01:48	<DIR>	d--------	C:\Program Files\Kodak

2007-11-04 01:45 . 2007-11-04 01:46	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Kodak

2007-11-04 00:14 . 2001-08-17 22:36	5,632	--a------	C:\WINDOWS\system32\ptpusb.dll

2007-11-04 00:13 . 2004-08-04 00:56	159,232	--a------	C:\WINDOWS\system32\ptpusd.dll

2007-11-04 00:13 . 2004-08-03 22:58	15,104	--a------	C:\WINDOWS\system32\drivers\usbscan.sys

2007-11-04 00:13 . 2004-08-03 22:58	15,104	--a------	C:\WINDOWS\system32\dllcache\usbscan.sys
 

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-10-31 11:02	---------	d-----w	C:\Program Files\MSXML 4.0

2007-10-31 08:14	---------	d-----w	C:\Documents and Settings\acer\Application Data\LimeWire

2007-10-31 08:12	---------	d-----w	C:\Program Files\Java

2007-10-31 08:11	---------	d-----w	C:\Program Files\LimeWire

2007-10-31 08:11	---------	d-----w	C:\Program Files\Common Files\Java

2007-10-31 07:24	---------	d-----w	C:\Documents and Settings\acer\Application Data\Yahoo!

2007-10-31 07:13	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Yahoo!

2007-10-26 03:36	8,454,656	----a-w	C:\WINDOWS\system32\dllcache\shell32.dll

.
 

(((((((((((((((((((((((((((((   snapshot@2007-12-02_14.28.59.31   )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-12-03 00:50:58	16,384	----a-w	C:\WINDOWS\Temp\Perflib_Perfdata_74.dat

.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 
 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43]

"Salestart"="C:\Program Files\Common Files\AVSystemCare\bm.exe" []

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-29 06:13]

"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-19 09:41]

"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-07-12 15:48]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-13 09:57]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 C:\WINDOWS\system32\bthprops.cpl]

"WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [2006-09-23 13:08]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

"RTHDCPL"="RTHDCPL.EXE" [2006-07-19 09:42 C:\WINDOWS\RTHDCPL.exe]

"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]

"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]

"PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2006-05-17 19:04]

"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 11:15]

"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]

"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2006-06-23 10:39]

"LogitechVideo[inspector]"="C:\Program Files\Acer\OrbiCam\InstallHelper.exe" [2006-06-26 15:55]

"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 18:22]

"LogitechCameraAssistant"="C:\Program Files\Acer\OrbiCam\CameraAssistant.exe" [2006-06-26 15:47]

"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2006-07-14 12:13]

"LaunchApp"="Alaunch" []

"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-13 09:57]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-06-13 09:57]

"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 14:40]

"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 15:00]

"Boot"="C:\Acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 22:12]

"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 21:50 C:\WINDOWS\AGRSMMSG.exe]

"Acer ePresentation HPD"="C:\Acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-06-07 20:18]

"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 08:50]

"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39]
 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe [2005-03-10 09:40:30]

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]

Acer Empowering Technology.lnk - C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-06-29 10:45:00]

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

			SkyTel.EXE
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"LiveUpdate Notice Service"=2 (0x2)

"LiveUpdate"=3 (0x3)
 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"ePower_DMC"=C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
 

R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys

R1 mfetdik;McAfee Inc.;C:\WINDOWS\system32\drivers\mfetdik.sys

R2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys

R2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys

R2 int15;int15;\??\C:\WINDOWS\system32\drivers\int15.sys

R2 tvicport;tvicport;\??\C:\WINDOWS\system32\drivers\tvicport.sys

R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys

R3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys

R3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys

R3 mfeapfk;McAfee Inc.;C:\WINDOWS\system32\drivers\mfeapfk.sys

R3 psdfilter;psdfilter;\??\C:\WINDOWS\system32\Drivers\psdfilter.sys

R3 psdvdisk;psdvdisk;\??\C:\WINDOWS\system32\Drivers\psdvdisk.sys
 

.

**************************************************************************
 

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-02 16:51:29

Windows 5.1.2600 Service Pack 2 FAT NTAPI
 

scanning hidden processes ... 
 

scanning hidden autostart entries ...
 

scanning hidden files ... 
 

scan completed successfully 

hidden files: 0 
 

**************************************************************************

.

Completion time: 2007-12-02 16:53:07 - machine was rebooted

C:\ComboFix2.txt ... 2007-12-02 14:29

.

	--- E O F ---


0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20393324
Combofix took care of the AVSystem files...
but it's still listing this AVSystem value in the run key.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Salestart"="C:\Program Files\Common Files\AVSystemCare\bm.exe" []

If you're familiar with the registry, you can just edit the registry yourself and under the run key, delete the reference "Salestart" which is pointing to AVSystemCare.

If you haven't edited your registry before, I can make a reg file that you can just merge with your registry to delete that value.


C:\Program Files\Common Files\AVSystemCare <-- also check and delete this folder if still present, it's where that run value is pointing to.
0
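As an added example, not from rpggamergirl or anyone in the thread, here is a PowerShell script that does from the command line what the comment describes: it lists every value under the HKCU and HKLM Run keys, marks entries whose executable no longer exists or points into the AVSystemCare folder, and only when started with -Remove deletes the "Salestart" value and the leftover folder. The value name and folder path come from the thread; the -Remove switch and the function name are this example's own.

```powershell
# Added example (not from the thread): audit the Run keys and optionally
# remove the AVSystemCare entry. Run from an elevated PowerShell prompt.
param([switch]$Remove)

$RunKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Value name and folder exactly as listed in the ComboFix log above.
$BadValue  = 'Salestart'
$BadFolder = 'C:\Program Files\Common Files\AVSystemCare'

function Get-RunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
            # Recover the executable: quoted path, bare path, or first token.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] }
                   elseif (Test-Path -LiteralPath $cmd) { $cmd }
                   else { ($cmd -split ' ')[0] }
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $cmd
                Exists  = (Test-Path -LiteralPath $exe)   # orphaned entry if False
                Suspect = ($cmd -like "*$BadFolder*")     # points into AVSystemCare
            }
        }
    }
}

$entries = Get-RunEntries
$entries | Format-Table Key, Name, Exists, Suspect, Command -AutoSize

if ($Remove) {
    foreach ($e in ($entries | Where-Object { $_.Name -eq $BadValue -or $_.Suspect })) {
        Write-Host "Removing $($e.Key)\$($e.Name)"
        Remove-ItemProperty -Path $e.Key -Name $e.Name
    }
    if (Test-Path -LiteralPath $BadFolder) {
        Write-Host "Removing folder $BadFolder"
        Remove-Item -LiteralPath $BadFolder -Recurse -Force
    }
}
```

Run it once without -Remove to review the table (an Exists value of False on any other entry is worth a look too), then again with -Remove.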
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20393353
These files below (lost file fragments) can also be safely deleted. Once, a tech told me that the numerous and regular appearance of these files can also mean that the hard disk is on its way out.
But of course we had these files on our other drive, a machine that freezes and BSODs a lot, and it's lasted for years. :)

C:\FOUND.003
C:\FOUND.002
C:\FOUND.001
C:\FOUND.000


If everything is okay now, and you no longer need to run CF, you can then uninstall Combofix.

Start > Run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
0
 
LVL 9

Author Comment

by:Lance_P
ID: 20394976
Hey GamerGirl,
  Thanks for all the help. It seems to have been sorted now. I did run CCleaner earlier and I think it took care of the registry entry 'avsystem care' because it was no longer present when I checked it. Thanks for all the help. Saved me an OS reinstall. Although I think the HDD might be on its way out because of the high-pitched sound it makes now and then...
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20399247
Glad to know it's been sorted out.

And good luck with the hard drive, :)

Thanks!
0
