Solved

Virus? Trojan? Mass mailer using IE.

Posted on 2007-12-02
17
1,411 Views
Last Modified: 2013-11-22
A friend download some kinda trojan that has created havoc for the machine. Some program is constantly trying to send out emails. It had norton internet security earlier which kept popping up with numerous 'mail scanning messages'. I uninstalled Norton and Installed Mcafee Antivirus Plus 2007. The firewall detects IE as a mail client. If i block IE in that section, the mails stop going through. After a couple of restarts, there is another entry of Internet Explorer and around 40 - 50 messages. "Santa Claus's present to you id#XXXXXXXXXX..   " are trying to be sent.

 Norton, Mcafee, Spybot and Ad-aware came up with nothing.. This is more like a home built virus? Any help is appreciated.
0
Comment
Question by:Lance_P
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 7
17 Comments
 
LVL 20

Assisted Solution

by:IndiGenus
IndiGenus earned 100 total points
ID: 20392362
Sounds like a bot maybe. Give SDFix a try here.

Please download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe 

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the SDFix folder and double click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to Reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart as the fixtool will be removing files.
When the desktop loads the Fixtool will complete the removal and display Finished.
Press any key to end the script and to load your desktop icons.
A text file should automatically open, so please upload the contents to http://www.ee-stuff.com or attach it as a code snippet.
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 400 total points
ID: 20392370
Run these tools and attach their logfiles, run Combofix last.

1.  Can you run Hijackthis and show us the log please?
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
Open Hijackthis, click "Do a system scan and save a logfile" please don't fix anything yet.


2.  Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer that normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.

Also, Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Upload the log at EE-Stuff.com for us to check please or attch the logfile using "Attach Code Snippet"

Note: Do not mouseclick combofix's window while its running. That may cause it to stall


3.  Combofix will terminate your connection while it's scanning and resume connection straightafter.
If you have issues connecting to your network or internet after running combofix you can either simply reboot, or do the following:
* Going to Control Panel > Network Connections.
* Right click on their Network icons & select "Repair"
or
Alternatively, if the Network icon appears in the notification area in the lower right corner of Desktop, right-click it, and then click Repair from the shortcut menu.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20392372
Ooops, sorry didn't refresh and didn't see you posted.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 9

Author Comment

by:Lance_P
ID: 20392399
Ok here is the Hijack Ths log. Working on the other tools.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:26 PM, on 12/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 
 
7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptsn.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network 
 
Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program 
 
Files\Messenger\msmsgs.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth 
 
Software\bin\btwdins.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program 
 
Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - 
 
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program 
 
Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program 
 
Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program 
 
Files\Intel\Wireless\Bin\S24EvMon.exe
 
--
End of file - 5334 bytes

Open in new window

0
 
LVL 9

Author Comment

by:Lance_P
ID: 20392409
Just something more to mention.. Im getting IRQ_NOT_LESS_OR_EQUAL BSOD's.. WIll check which driver is causing the problem later.. unless its related to this.
0
 
LVL 9

Author Comment

by:Lance_P
ID: 20392460
Ok. Here's a report from SDFix.

Im guessing it has done its job better than CA and Symantec.

SDFix: Version 1.116
 
Run by Dipti on Sun 12/02/2007 at 01:38 PM
 
Microsoft Windows XP [Version 5.1.2600]
 
Running From: C:\SDFix
 
Safe Mode:
Checking Services: 
 
Name:
kprof
ntio256
poof
runtime
 
Path:
\??\C:\WINDOWS\system32\kprof 
\??\C:\WINDOWS\system32\ntio256.sys 
\??\C:\WINDOWS\system32\poof 
\??\C:\WINDOWS\System32\drivers\runtime.sys 
 
kprof - Deleted
ntio256 - Deleted
poof - Deleted
runtime - Deleted
 
 
 
Restoring Windows Registry Values
Restoring Windows Default Hosts File
 
Rebooting...
 
 
Normal Mode:
Checking Files: 
 
Trojan Files Found:
 
C:\WINDOWS\system32\8_exception.nls  - Deleted
C:\WINDOWS\system32\koos.exe  - Deleted
C:\WINDOWS\system32\kprof  - Deleted
C:\WINDOWS\system32\poof  - Deleted
 
 
Could Not Remove C:\WINDOWS\Temp\startdrv.exe 
 
 
Removing Temp Files...
 
ADS Check:
 
C:\WINDOWS
No streams found. 
 
C:\WINDOWS\system32
No streams found. 
 
C:\WINDOWS\system32\svchost.exe
No streams found.
 
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
 
 
 
                                 Final Check:
 
catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 13:43:04
Windows 5.1.2600 Service Pack 2 FAT NTAPI
 
scanning hidden processes ...
 
scanning hidden services ...
 
HKLM\SYSTEM\CurrentControlSet\Services\.NETFrameworkorking
 
HKLM\SYSTEM\CurrentControlSet\Services\Abiosdskeworkorking
 
HKLM\SYSTEM\CurrentControlSet\Services\abp480n5eworkorking
 
HKLM\SYSTEM\CurrentControlSet\Services\ACPIMemUsageCheckService
 
HKLM\SYSTEM\CurrentControlSet\Services\ACPIECmUsageCheckService
 
HKLM\SYSTEM\CurrentControlSet\Services\adpu160msageCheckService
 
HKLM\SYSTEM\CurrentControlSet\Services\aecu160msageCheckService
 
HKLM\SYSTEM\CurrentControlSet\Services\AegisP0msageCheckService
 
HKLM\SYSTEM\CurrentControlSet\Services\AFDisP0msageCheckService
 
HKLM\SYSTEM\CurrentControlSet\Services\AgereSoftModemeckService
 
HKLM\SYSTEM\CurrentControlSet\Services\agp440oftModemeckService
 
HKLM\SYSTEM\CurrentControlSet\Services\agpCPQoftModemeckService
 
HKLM\SYSTEM\CurrentControlSet\Services\Aha154xftModemeckService
 
HKLM\SYSTEM\CurrentControlSet\Services\aic78u2ftModemeckService
 
HKLM\SYSTEM\CurrentControlSet\Services\aic78xxftModemeckService
 
HKLM\SYSTEM\CurrentControlSet\Services\AlerterftModemeckService
 
HKLM\SYSTEM\CurrentControlSet\Services\ALGrterftModemeckService
 
HKLM\SYSTEM\CurrentControlSet\Services\AliIderftModemeckService
 
HKLM\SYSTEM\CurrentControlSet\Services\alim1541tModemeckService
 
HKLM\SYSTEM\CurrentControlSet\Services\amdagp41tModemeckService
 
HKLM\SYSTEM\CurrentControlSet\Services\amsint41tModemeckService
 
HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt1tModemeckService
 
HKLM\SYSTEM\CurrentControlSet\Services\Arp13941tModemeckService
 
HKLM\SYSTEM\CurrentControlSet\Services\asc13941tModemeckService
 
HKLM\SYSTEM\CurrentControlSet\Services\asc3350ptModemeckService
 
HKLM\SYSTEM\CurrentControlSet\Services\asc3550ptModemeckService
 
HKLM\SYSTEM\CurrentControlSet\Services\ASP.NETptModemeckService
 
HKLM\SYSTEM\CurrentControlSet\Services\ASP.NET_1.1.4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\aspnet_state4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\AsyncMactate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\atapiMactate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\Atdiskactate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\Atmarpcctate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\AudioSrvtate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\audstubvtate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\BattCubvtate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\BeepCubvtate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\BITSCubvtate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\Browservtate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\btaudiovtate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\BTDrivertate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\BthEnumrtate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\BthPanmrtate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\BTHPORTrtate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\BthServrtate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\BTHUSBvrtate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\BTKRNLvrtate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\BTSERIALtate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\btwdinsLtate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\BTWDNDIState4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\BTWUSBIState4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\catchmeState4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\cbidfmeState4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\cbidf2kState4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\CCDECODEtate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\cd20xrnttate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\Cdaudiottate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\Cdfsdiottate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\Cdromiottate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\Changerttate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\CiSvcerttate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\CLCapSvctate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\ClipSrvctate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\CLSchedctate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\CmBattdctate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\CmdIdedctate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\Compbatttate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\COMSysAppate4322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\ContentFilter322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\ContentIndexr322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\Cpqarrayndexr322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\CryptSvcndexr322kService
 
HKLM\SYSTEM\CurrentControlSet\Services\dac2w2knk Media Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\dac960ntk Media Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\DcCam0ntk Media Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\DcomLaunchMedia Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\DhcpLaunchMedia Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\DiskLaunchMedia Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\DKbFltrnchMedia Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\dmadminnchMedia Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\dmbootnnchMedia Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\dmiootnnchMedia Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\dmloadnnchMedia Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\dmserverchMedia Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\DMusicerchMedia Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\DnscachechMedia Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\dpti2ohechMedia Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\drmkaudechMedia Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\eeCtrldechMedia Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\EmproxyechMedia Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\EpmPsdyechMedia Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\EpmShdyechMedia Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\ERSvcdyechMedia Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\EventlogchMedia Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\EventSystemedia Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\EvtEngystemedia Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\Fastfatstemedia Library Service
 
HKLM\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\FaxtUserSwitchingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\FdctUserSwitchingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\FipsUserSwitchingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\FlpydiskSwitchingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\FltMgrskSwitchingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\Fs_RecskSwitchingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\FtdiskskSwitchingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\GpciskskSwitchingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\HDAudBusSwitchingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\helpsvcsSwitchingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\HidServsSwitchingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\hpnServsSwitchingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\HTTPervsSwitchingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\HTTPFilteritchingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\i2omgmtteritchingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\i2ompmtteritchingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\i8042prteritchingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\ialm2prteritchingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\IDriverTeritchingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\ImapierTeritchingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\ImapiServicechingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\inetaccsvicechingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\ini910usvicechingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\InportusvicechingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\int15tusvicechingCompatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\IntcAzAudAddServicempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\IntelIdedAddServicempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\intelppmdAddServicempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\Ip6FwppmdAddServicempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\IpFilterDriverrvicempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\IpInIperDriverrvicempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\IpNatperDriverrvicempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\IPSecperDriverrvicempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\irdacperDriverrvicempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\IRENUMerDriverrvicempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\IrmonMerDriverrvicempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\ISAPISearchverrvicempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\isapnpearchverrvicempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\Kbdclassrchverrvicempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\kmixerssrchverrvicempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\KSecDDssrchverrvicempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\lanmanservererrvicempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstationcempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\lbrtfdcorkstationcempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\ldapfdcorkstationcempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\LicenseServiceioncempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\LightScribeServiceempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\LmHostsribeServiceempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\lv321avribeServiceempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\lvmvdrvribeServiceempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\LVPrcMonibeServiceempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\LVPrcSrvibeServiceempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\LVUSBStaibeServiceempatibilitye
 
HKLM\SYSTEM\CurrentControlSet\Services\McAfee HackerWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\mcmispupdmgrrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\mcmscsvcdmgrrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\McNASvccdmgrrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\McODSvccdmgrrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\mcpromgrdmgrrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\McRedirectorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\McShieldctorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\McSysmonctorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\MessengertorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\mfeavfkertorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\mfebopkertorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\mfehidkertorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\mferkdkertorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\mfesmfkertorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\mnmddfkertorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\mnmsrvcertorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\ModemvcertorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\MouclassrtorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\MountMgrrtorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\MPFPtMgrrtorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\MpfServiceorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\mraid35xceorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV5xceorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\MRxSmb5xceorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\MSDTCb5xceorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\MsfsCb5xceorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\MSIServereorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\MSKSSRVereorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\MSPCLOCKreorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\MSPQMOCKreorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\mssmbiosreorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\MSTEEiosreorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\MupEEiosreorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\NABTSFECreorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\NDISSFECreorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\NdisIPECreorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\NdisTapireorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\NdisuioireorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\NdisWanireorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\NDProxyireorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\NetBIOSireorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\NetBTOSireorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\NetDDESireorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\NetDDEdsdmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\NetlogondmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\NetmanondmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\NIC1394ndmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\Nla1394ndmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\nma1394ndmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\NPF1394ndmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\Npfs394ndmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\NSCIRDAndmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\NtfsRDAndmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\NTIDrvrndmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\NtLmSspndmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\NtmsSvcndmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\NullSvcndmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\NwlnkFltdmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\NwlnkFwddmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\ohci1394dmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\Parport4dmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\PartMgr4dmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\ParVdmr4dmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\PCIVdmr4dmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump4dmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\PCIIdep4dmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\Pcmciap4dmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\PDCOMPp4dmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\PDFRAME4dmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\PDRELIE4dmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\PDRFRAMEdmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\perc2AMEdmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\perc2hibdmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\PerfDiskdmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\PerfNetkdmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\PerfOStkdmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\PerfProcdmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\PlugPlaydmorrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgentrrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\PortProxyntrrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\PptpMiniportrWatch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\ProtectedStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\PSchedtedStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\psdfilterStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\psdvdiskrStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\PtilinkkrStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\PxHelp20rStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\ql108020rStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\Ql10wnt0rStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\ql121600rStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\ql124000rStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\ql128000rStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\RasAcd00rStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\RasAuto0rStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\Rasirda0rStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\Rasl2tp0rStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\RasManp0rStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\RasPppoerStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\RasptioerStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\RdbssioerStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\RDPCDDoerStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\RDPDDDoerStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\rdpdrDoerStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\RDPNPDoerStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\RDPWDDoerStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgrStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\redbookgrStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\RegSrvcgrStoragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccessragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\RFCOMMAccessragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\RichVideoessragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\rpcapddeoessragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\RpcLocatorssragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\RpcSscatorssragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\RSVPscatorssragech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\S24EventMonitorech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\s24transMonitorech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\SamSsansMonitorech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\SCardSvrMonitorech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\ScheduleMonitorech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\SecdrvleMonitorech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\seclogonMonitorech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\SENSogonMonitorech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\serenumnMonitorech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\SerialmnMonitorech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\SfloppynMonitorech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccesstorech Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\ShellHWDetectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\SimbadWDetectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\sisagpWDetectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\SLIPgpWDetectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\SparrowDetectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\splitteretectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\Spoolerretectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\sroolerretectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\srservicetectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\Srvervicetectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRVcetectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\stisvcVcetectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\streamipetectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\swenumipetectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\swmidiipetectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\SwPrviipetectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\symc810petectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\symc8xxpetectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\sym_hixpetectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\sym_u3xpetectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\SynTP3xpetectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\sysaudioetectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\SysmonLogtectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\TapiSrvogtectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\Tcpiprvogtectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\TDPIPEvogtectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\TDTCPEvogtectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\TermDDvogtectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\TermServicectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\Themesrvicectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\tifm21rvicectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\TosIdervicectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\TrkWksrvicectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\TSDDDsrvicectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\tunmpsrvicectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\tvicporticectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\UBHelpericectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\Udfslpericectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\ultrapericectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\Updateericectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\upnphosticectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\UPSphosticectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\usbphosticectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\usbehciticectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\usbhubiticectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\usbscanticectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\USBSTORticectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\usbuhciticectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\VgaSaveticectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\viaagpeticectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\ViaIdeeticectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\VolSnapticectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\VSSSnapticectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\W32Timeticectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\w39n51eticectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC1eticectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\Wanarpeticectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\WDICApeticectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\wdmaudeticectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\WebClientcectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\winmgmtntcectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\Winsockntcectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2tcectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\WinTrusttcectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSNtcectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\WmiAcpiNtcectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpltcectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\WmiApSrvtcectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\WS2IFSLvtcectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\wscsvcLvtcectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\WSTCODECtcectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\wuauservtcectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\WZCSVCrvtcectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\xlavba8vtcectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\xmlprovvtcectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\yukonwxptcectionch Servicelitye
 
HKLM\SYSTEM\CurrentControlSet\Services\zntportptcectionch Servicelitye
 
scanning hidden autostart entries ...
 
scanning hidden files ...
 
 
scan completed successfully
hidden processes: 0
hidden services: 356
hidden files: 0
 
 
Remaining Services:
------------------
 
 
 
Authorized Application Key Export:
 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"="C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe:*:Disabled:CyberLink PowerCinema Resident Program"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\MSMSGS.EXE"="C:\\Program Files\\Messenger\\MSMSGS.EXE:*:Disabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Disabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"
"C:\\Program Files\\Common Files\\McAfee\\mna\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\mna\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
 
Remaining Files:
---------------
C:\WINDOWS\Temp\startdrv.exe  Found
 
File Backups: - C:\SDFix\backups\backups.zip
 
Files with Hidden Attributes:
 
Tue  1 Aug 2006         1,024 ...HR --- "C:\WINDOWS\system32\NTICDMK7.dll"
Tue  1 Aug 2006         1,024 ...HR --- "C:\WINDOWS\system32\NTIMP3.dll"
Tue  1 Aug 2006         1,024 ...HR --- "C:\WINDOWS\system32\NTIMPEG2.dll"
Tue  1 Aug 2006         1,024 ...HR --- "C:\WINDOWS\system32\NTIFCD3.dll"
Tue  1 Aug 2006         1,024 ...HR --- "C:\WINDOWS\system32\NTIBUN4.dll"
Wed 31 Oct 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BIT1.tmp"
 
Finished! 

Open in new window

0
 
LVL 9

Author Comment

by:Lance_P
ID: 20392476
I tried to run ComboFix .. and it came up with the same BSOD IRQL_NOT ...

Stop: 0x0000000A (0x00000000, 0x0000001C, 0x00000000, 0x804F8A3B)
0
 
LVL 9

Author Comment

by:Lance_P
ID: 20392523
Reboot tried combo fix again .. nogo . BSOD

Stop: 0x0000007F (0x0000000D , 0x00000000 , 0x00000000, 0x00000000)
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20392618
There's a file that SDFix missed.... delete that file and we'll see if combofix run afterwards.
SDfix was supposed to have been updated to delete this file --> C:\WINDOWS\Temp\startdrv.exe
 but somehow it must've been missed to be included in the updates.

You can delete it yourself in safe mode or uisng a third party tool like Killbox, delete on reboot, or try using Avenger just to make sure.

Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger.zip

   *Click on Avenger.zip to open the file
   *Extract avenger.exe to your desktop

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy,then paste the following text(all text inside the lines below):

-----------------------------------------------------------------------------------------------------------
Files to delete:
C:\WINDOWS\Temp\startdrv.exe

Registry values to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | startdrv
------------------------------------------------------------------------------------------------------------

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt when you've done.
0
 
LVL 9

Author Comment

by:Lance_P
ID: 20392633
Well i did not do that, but while i was waiting I uninstall Mcafee and IE7 apart from everything that was installed in the past 3 days including updates etc.. did not wanna take any chances.

After rebooting I ran Combo Fix again and it ran this time. No BSOD. Heres the Log.
ComboFix 07-12-02.5 - Dipti 2007-12-02 14:25:08.1 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.603 [GMT -8:00]
Running from: C:\ComboFix.exe
 * Created a new restore point
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\Documents and Settings\acer\ResErrors.log
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\WINDOWS\system32\1_exception.nls
C:\WINDOWS\system32\drivers\ctl_w32.sys
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll
 
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
 
.
-------\LEGACY_CTL_W32
-------\LEGACY_FMTR
-------\LEGACY_NTIO256
-------\LEGACY_POOF
-------\LEGACY_RUNTIME
-------\LEGACY_XLAVBA8
-------\nm
-------\NPF
-------\runtime
-------\xlavba8
 
 
(((((((((((((((((((((((((   Files Created from 2007-11-02 to 2007-12-02  )))))))))))))))))))))))))))))))
.
 
2007-12-02 14:14 . 2007-12-02 14:14	230	--a------	C:\WINDOWS\system32\spupdsvc.inf
2007-12-02 14:06 . 2007-12-02 14:06	<DIR>	d--hs----	C:\FOUND.003
2007-12-02 13:53 . 2007-12-02 13:53	<DIR>	d--hs----	C:\FOUND.002
2007-12-02 13:37 . 2007-12-02 13:37	<DIR>	d--------	C:\WINDOWS\SDFIX
2007-12-02 13:32 . 2007-12-02 13:32	<DIR>	d--hs----	C:\FOUND.001
2007-12-02 13:27 . 2007-12-03 01:26	1,540,811	--a------	C:\ComboFix.exe
2007-12-02 13:27 . 2007-12-03 01:27	812,344	--a------	C:\HJTInstall.exe
2007-12-02 13:20 . 2007-12-02 13:20	1,221,897	--a------	C:\SDFix.exe
2007-12-02 00:42 . 2007-12-02 00:42	<DIR>	d--hs----	C:\FOUND.000
2007-12-02 00:23 . 2007-08-13 18:40	991,232	--a------	C:\WINDOWS\system32\ieframe.dll.mui
2007-12-01 23:48 . 2007-12-01 23:49	<DIR>	d--------	C:\Program Files\Lavasoft
2007-12-01 14:30 . 2007-12-01 14:30	<DIR>	d--hs----	C:\Documents and Settings\Dipti\UserData
2007-12-01 14:12 . 2007-12-01 14:12	<DIR>	d--------	C:\Program Files\Trend Micro
2007-12-01 14:05 . 2007-12-01 14:05	<DIR>	d--------	C:\Documents and Settings\Dipti\Application Data\McAfee
2007-12-01 12:52 . 2007-12-02 14:18	14,006	--a------	C:\WINDOWS\system32\Config.MPF
2007-12-01 12:30 . 2007-12-01 12:30	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-30 16:06 . 2007-11-30 16:07	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-30 15:48 . 2007-11-30 15:48	<DIR>	d--------	C:\Documents and Settings\Dipti\Application Data\Yahoo!
2007-11-30 15:39 . 2007-11-30 15:39	<DIR>	d--------	C:\Documents and Settings\Dipti\Bluetooth Software
2007-11-30 11:03 . 2007-11-30 11:03	<DIR>	d---s----	C:\Documents and Settings\acer\UserData
2007-11-25 12:37 . 2007-11-25 12:37	<DIR>	d--------	C:\Documents and Settings\acer\Application Data\AdobeUM
2007-11-11 06:19 . 2007-11-28 09:16	754	--a------	C:\WINDOWS\WORDPAD.INI
2007-11-05 08:29 . 2007-11-05 08:29	<DIR>	d--------	C:\Documents and Settings\acer\Application Data\AVSystemCare
2007-11-05 08:29 . 2001-03-08 18:30	24,064	--a------	C:\WINDOWS\system32\msxml3a.dll
2007-11-04 01:49 . 2007-11-04 01:49	<DIR>	d--------	C:\WINDOWS\system32\color
2007-11-04 01:49 . 2007-11-04 01:49	<DIR>	d--------	C:\Program Files\Common Files\Kodak
2007-11-04 01:49 . 2007-11-04 01:49	<DIR>	d--------	C:\KPCMS
2007-11-04 01:48 . 2007-11-04 01:48	<DIR>	d--------	C:\Program Files\Kodak
2007-11-04 01:45 . 2007-11-04 01:46	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Kodak
2007-11-04 00:14 . 2001-08-17 22:36	5,632	--a------	C:\WINDOWS\system32\ptpusb.dll
2007-11-04 00:13 . 2004-08-04 00:56	159,232	--a------	C:\WINDOWS\system32\ptpusd.dll
2007-11-04 00:13 . 2004-08-03 22:58	15,104	--a------	C:\WINDOWS\system32\drivers\usbscan.sys
2007-11-04 00:13 . 2004-08-03 22:58	15,104	--a------	C:\WINDOWS\system32\dllcache\usbscan.sys
2007-11-02 14:53 . 2007-11-02 14:53	20,992	--a------	C:\WINDOWS\loos.exe
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-31 11:02	---------	d-----w	C:\Program Files\MSXML 4.0
2007-10-31 08:14	---------	d-----w	C:\Documents and Settings\acer\Application Data\LimeWire
2007-10-31 08:12	---------	d-----w	C:\Program Files\Java
2007-10-31 08:11	---------	d-----w	C:\Program Files\LimeWire
2007-10-31 08:11	---------	d-----w	C:\Program Files\Common Files\Java
2007-10-31 07:24	---------	d-----w	C:\Documents and Settings\acer\Application Data\Yahoo!
2007-10-31 07:13	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-26 03:36	8,454,656	----a-w	C:\WINDOWS\system32\dllcache\shell32.dll
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43]
"Salestart"="C:\Program Files\Common Files\AVSystemCare\bm.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-29 06:13]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-19 09:41]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-07-12 15:48]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-13 09:57]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 C:\WINDOWS\system32\bthprops.cpl]
"WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [2006-09-23 13:08]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-19 09:42 C:\WINDOWS\RTHDCPL.exe]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2006-05-17 19:04]
"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 11:15]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2006-06-23 10:39]
"LogitechVideo[inspector]"="C:\Program Files\Acer\OrbiCam\InstallHelper.exe" [2006-06-26 15:55]
"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 18:22]
"LogitechCameraAssistant"="C:\Program Files\Acer\OrbiCam\CameraAssistant.exe" [2006-06-26 15:47]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2006-07-14 12:13]
"LaunchApp"="Alaunch" []
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-13 09:57]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-06-13 09:57]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 14:40]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 15:00]
"Boot"="C:\Acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 22:12]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 21:50 C:\WINDOWS\AGRSMMSG.exe]
"Acer ePresentation HPD"="C:\Acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-06-07 20:18]
 
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe [2005-03-10 09:40:30]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
Acer Empowering Technology.lnk - C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-06-29 10:45:00]
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
			SkyTel.EXE
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate"=3 (0x3)
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ePower_DMC"=C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
 
R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
R2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
R2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
R2 int15;int15;\??\C:\WINDOWS\system32\drivers\int15.sys
R2 tvicport;tvicport;\??\C:\WINDOWS\system32\drivers\tvicport.sys
R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
R3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys
R3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys
R3 psdfilter;psdfilter;\??\C:\WINDOWS\system32\Drivers\psdfilter.sys
R3 psdvdisk;psdvdisk;\??\C:\WINDOWS\system32\Drivers\psdvdisk.sys
 
.
**************************************************************************
 
catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 14:28:12
Windows 5.1.2600 Service Pack 2 FAT NTAPI
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully 
hidden files: 0 
 
**************************************************************************
.
Completion time: 2007-12-02 14:29:21 - machine was rebooted
.
	--- E O F ---

Open in new window

0
 
LVL 9

Author Comment

by:Lance_P
ID: 20392651
Prior to running ComboFix.. somthing was still uploading data.. Although Mcafee died on me and was not detecting any network traffic.. Now it all seems to have come to a standstill.

Please let me know if you figure out anything more from the logs. Ill keep keep it under observation for a day atleast.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20392904
>>Could Not Remove C:\WINDOWS\Temp\startdrv.exe <<
 the file that SDFix found and couldn't removed is not showing in CF log,  if you didn't removed it, looks like it's gone.
Combofix also removed some bad files there, and also files related to AVSystemCare that still needed to come off.

If you still have AVSystemCare please remove it, or we'll just delete the relevant entries that CF found. If you find an AVSystemCare folder in Program Files delete that also.

Open notepad and copy/paste the text inside the lines below into it
--------------------------------------------------------------
File::
C:\WINDOWS\loos.exe

Folder::
C:\Documents and Settings\acer\Application Data\AVSystemCare

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Salestart"=-
--------------------------------------------------------------

Save this as CFScript in the same location as ComboFix.exe
then drag CFScript.txt into ComboFix.exe

This will start ComboFix again. Follow the prompts. After reboot, (in case it asks to reboot), attach the result.
0
 
LVL 9

Author Comment

by:Lance_P
ID: 20393120
Gamergirl,
Heres the log.  Looks like the internet activity has stopped. The BSOD's seem to have stopped.
ComboFix 07-12-02.5 - Dipti 2007-12-02 16:47:41.2 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.691 [GMT -8:00]
Running from: C:\ComboFix.exe
Command switches used :: C:\CFScript.txt.txt
 * Created a new restore point
 
FILE
C:\Windows\loos.exe
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\Documents and Settings\acer\Application Data\AVSystemCare
C:\Documents and Settings\acer\Application Data\AVSystemCare\avtasks.dat
C:\Documents and Settings\acer\Application Data\AVSystemCare\Logs\av.log
C:\Documents and Settings\acer\Application Data\AVSystemCare\Logs\ga6Support.log
C:\Documents and Settings\acer\Application Data\AVSystemCare\Logs\update.log
C:\Windows\loos.exe
 
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
 
.
-------\ctl_w32
 
 
(((((((((((((((((((((((((   Files Created from 2007-11-03 to 2007-12-03  )))))))))))))))))))))))))))))))
.
 
2007-12-02 16:49 . 2007-12-02 16:49	<DIR>	d--------	C:\QUARANTINE
2007-12-02 14:40 . 2007-12-02 14:40	<DIR>	d--------	C:\Program Files\Common Files\Cisco Systems
2007-12-02 14:40 . 2006-11-17 03:06	1,495,552	--a------	C:\WINDOWS\system32\epoPGPsdk.dll
2007-12-02 14:40 . 2006-11-17 03:06	280	--a------	C:\WINDOWS\system32\epoPGPsdk.dll.sig
2007-12-02 14:39 . 2007-12-02 14:39	<DIR>	d--------	C:\Program Files\McAfee
2007-12-02 14:39 . 2007-12-02 14:39	<DIR>	d--------	C:\Program Files\Common Files\McAfee
2007-12-02 14:39 . 2006-11-30 08:50	168,776	--a------	C:\WINDOWS\system32\drivers\mfehidk.sys
2007-12-02 14:39 . 2006-11-30 08:50	72,264	--a------	C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-12-02 14:39 . 2006-11-30 08:50	64,360	--a------	C:\WINDOWS\system32\drivers\mfeapfk.sys
2007-12-02 14:39 . 2006-11-30 08:50	52,136	--a------	C:\WINDOWS\system32\drivers\mfetdik.sys
2007-12-02 14:39 . 2006-11-30 08:50	34,152	--a------	C:\WINDOWS\system32\drivers\mfebopk.sys
2007-12-02 14:14 . 2007-12-02 14:14	230	--a------	C:\WINDOWS\system32\spupdsvc.inf
2007-12-02 14:06 . 2007-12-02 14:06	<DIR>	d--hs----	C:\FOUND.003
2007-12-02 13:53 . 2007-12-02 13:53	<DIR>	d--hs----	C:\FOUND.002
2007-12-02 13:37 . 2007-12-02 13:37	<DIR>	d--------	C:\WINDOWS\SDFIX
2007-12-02 13:32 . 2007-12-02 13:32	<DIR>	d--hs----	C:\FOUND.001
2007-12-02 13:27 . 2007-12-03 01:26	1,540,811	--a------	C:\ComboFix.exe
2007-12-02 13:27 . 2007-12-03 01:27	812,344	--a------	C:\HJTInstall.exe
2007-12-02 13:20 . 2007-12-02 13:20	1,221,897	--a------	C:\SDFix.exe
2007-12-02 00:42 . 2007-12-02 00:42	<DIR>	d--hs----	C:\FOUND.000
2007-12-02 00:23 . 2007-08-13 18:40	991,232	--a------	C:\WINDOWS\system32\ieframe.dll.mui
2007-12-01 23:48 . 2007-12-01 23:49	<DIR>	d--------	C:\Program Files\Lavasoft
2007-12-01 14:30 . 2007-12-01 14:30	<DIR>	d--hs----	C:\Documents and Settings\Dipti\UserData
2007-12-01 14:12 . 2007-12-01 14:12	<DIR>	d--------	C:\Program Files\Trend Micro
2007-12-01 14:05 . 2007-12-01 14:05	<DIR>	d--------	C:\Documents and Settings\Dipti\Application Data\McAfee
2007-12-01 12:52 . 2007-12-02 14:18	14,006	--a------	C:\WINDOWS\system32\Config.MPF
2007-12-01 12:30 . 2007-12-01 12:30	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-30 16:06 . 2007-11-30 16:07	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-30 15:48 . 2007-11-30 15:48	<DIR>	d--------	C:\Documents and Settings\Dipti\Application Data\Yahoo!
2007-11-30 15:39 . 2007-11-30 15:39	<DIR>	d--------	C:\Documents and Settings\Dipti\Bluetooth Software
2007-11-30 11:03 . 2007-11-30 11:03	<DIR>	d---s----	C:\Documents and Settings\acer\UserData
2007-11-25 12:37 . 2007-11-25 12:37	<DIR>	d--------	C:\Documents and Settings\acer\Application Data\AdobeUM
2007-11-11 06:19 . 2007-11-28 09:16	754	--a------	C:\WINDOWS\WORDPAD.INI
2007-11-05 08:29 . 2001-03-08 18:30	24,064	--a------	C:\WINDOWS\system32\msxml3a.dll
2007-11-04 01:49 . 2007-11-04 01:49	<DIR>	d--------	C:\WINDOWS\system32\color
2007-11-04 01:49 . 2007-11-04 01:49	<DIR>	d--------	C:\Program Files\Common Files\Kodak
2007-11-04 01:49 . 2007-11-04 01:49	<DIR>	d--------	C:\KPCMS
2007-11-04 01:48 . 2007-11-04 01:48	<DIR>	d--------	C:\Program Files\Kodak
2007-11-04 01:45 . 2007-11-04 01:46	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Kodak
2007-11-04 00:14 . 2001-08-17 22:36	5,632	--a------	C:\WINDOWS\system32\ptpusb.dll
2007-11-04 00:13 . 2004-08-04 00:56	159,232	--a------	C:\WINDOWS\system32\ptpusd.dll
2007-11-04 00:13 . 2004-08-03 22:58	15,104	--a------	C:\WINDOWS\system32\drivers\usbscan.sys
2007-11-04 00:13 . 2004-08-03 22:58	15,104	--a------	C:\WINDOWS\system32\dllcache\usbscan.sys
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-31 11:02	---------	d-----w	C:\Program Files\MSXML 4.0
2007-10-31 08:14	---------	d-----w	C:\Documents and Settings\acer\Application Data\LimeWire
2007-10-31 08:12	---------	d-----w	C:\Program Files\Java
2007-10-31 08:11	---------	d-----w	C:\Program Files\LimeWire
2007-10-31 08:11	---------	d-----w	C:\Program Files\Common Files\Java
2007-10-31 07:24	---------	d-----w	C:\Documents and Settings\acer\Application Data\Yahoo!
2007-10-31 07:13	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-26 03:36	8,454,656	----a-w	C:\WINDOWS\system32\dllcache\shell32.dll
.
 
(((((((((((((((((((((((((((((   snapshot@2007-12-02_14.28.59.31   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-03 00:50:58	16,384	----a-w	C:\WINDOWS\Temp\Perflib_Perfdata_74.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43]
"Salestart"="C:\Program Files\Common Files\AVSystemCare\bm.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-29 06:13]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-19 09:41]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-07-12 15:48]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-13 09:57]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 C:\WINDOWS\system32\bthprops.cpl]
"WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [2006-09-23 13:08]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-19 09:42 C:\WINDOWS\RTHDCPL.exe]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2006-05-17 19:04]
"ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 11:15]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2006-06-23 10:39]
"LogitechVideo[inspector]"="C:\Program Files\Acer\OrbiCam\InstallHelper.exe" [2006-06-26 15:55]
"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 18:22]
"LogitechCameraAssistant"="C:\Program Files\Acer\OrbiCam\CameraAssistant.exe" [2006-06-26 15:47]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2006-07-14 12:13]
"LaunchApp"="Alaunch" []
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-13 09:57]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-06-13 09:57]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 14:40]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 15:00]
"Boot"="C:\Acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 22:12]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 21:50 C:\WINDOWS\AGRSMMSG.exe]
"Acer ePresentation HPD"="C:\Acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-06-07 20:18]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 08:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39]
 
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe [2005-03-10 09:40:30]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
Acer Empowering Technology.lnk - C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-06-29 10:45:00]
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
			SkyTel.EXE
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate"=3 (0x3)
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ePower_DMC"=C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
 
R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
R1 mfetdik;McAfee Inc.;C:\WINDOWS\system32\drivers\mfetdik.sys
R2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
R2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
R2 int15;int15;\??\C:\WINDOWS\system32\drivers\int15.sys
R2 tvicport;tvicport;\??\C:\WINDOWS\system32\drivers\tvicport.sys
R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
R3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys
R3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys
R3 mfeapfk;McAfee Inc.;C:\WINDOWS\system32\drivers\mfeapfk.sys
R3 psdfilter;psdfilter;\??\C:\WINDOWS\system32\Drivers\psdfilter.sys
R3 psdvdisk;psdvdisk;\??\C:\WINDOWS\system32\Drivers\psdvdisk.sys
 
.
**************************************************************************
 
catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 16:51:29
Windows 5.1.2600 Service Pack 2 FAT NTAPI
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully 
hidden files: 0 
 
**************************************************************************
.
Completion time: 2007-12-02 16:53:07 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-02 14:29
.
	--- E O F ---

Open in new window

0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20393324
Combofix took care of the AVSystem files...
but it's still listing this AVSystem value in the run key.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Salestart"="C:\Program Files\Common Files\AVSystemCare\bm.exe" []

If you're familiar with the registry, you can just edit the registry yourself and under the run key, delete the reference "Salestart" which is pointing to AVSystemCare.

If you haven't edited your registry before, I can make a reg file that you can just merge with your registry to delete that value.


C:\Program Files\Common Files\AVSystemCare <-- also check and delete this folder if still present, it's where that run value is pointing to.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20393353
These files below (lost file fragments) can also be safely deleted. Once, a tech told me that having numerous and regular appearance of these files can also mean that hard disk is on its way.
But of course we had these files in our other drive, a machine that freezes and BSODs a lot, and it's lasted for years, :)

C:\FOUND.003
C:\FOUND.002
C:\FOUND.001
C:\FOUND.000


If everything is okay now, and you no longer need to run CF, you can then uninstall Combofix.

Start > Run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
0
 
LVL 9

Author Comment

by:Lance_P
ID: 20394976
Hey GamerGirl,
  Thanks for all the help. It seems to have been sorted now. I did run CCleaner earlier and i think it took care of the registry entry 'avsystem care' cause it was no longer present when i checked it. Thanks for all the help. Saved me an OS Reinstall. Although i think the HDD might be on its way out cause of the high pitch sound it makes now n then...
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20399247
Glad to know it's been sorted out.

And good luck with the hard drive, :)

Thanks!
0

Featured Post

Space-Age Communications Transitions to DevOps

ViaSat, a global provider of satellite and wireless communications, securely connects businesses, governments, and organizations to the Internet. Learn how ViaSat’s Network Solutions Engineer, drove the transition from a traditional network support to a DevOps-centric model.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The purpose of this Article is to provide information for a newly released variant of malware – with the assumption that many EE Members will have need of the information. According to “Computerworld”, well over one million web sites have been co…
By the time you finish reading this article, you may have already lost all your money because you don't know the simple steps to securing your BitCoin wallet. BitCoin is an incredible invention. It is a decentralized currency system, which is the…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question