943,738 Members | Top Members by Rank

Hardware and Software > Microsoft Windows > Viruses, Spyware and other Nasties > After Malware, IE and FF won't run
Ad:
You are currently viewing page 1 of this multi-page discussion thread
Permalink
Sep 7th, 2008
0

After Malware, IE and FF won't run

Expand Post »
Hello,
I recently had a malware problem. I believe I've removed it from my system, but the damage was done. When I try and run Firefox or Internet Explorer, I get the following message and they won't run:

Quote ...
The procedure entry point SetupDiDestroyDeviceInfoList could not be located in the dynamic link library SETUPAPI.dll.
Also, when my system first boots, I get an error message that says,

Quote ...
RUNDLL
Error loading C:\WINDOWS\system32\xfvkyaum.dll
The specified module could not be found
I've searched Google for that supposed DLL file and returned no results...I get the feeling whatever is trying to access it is a remnant of the malware.

Help would be greatly appreciated. Here's my HijackThis logfile:

Quote ...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:03 AM, on 9/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\AppServ\Apache2.2\bin\httpd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\AppServ\Apache2.2\bin\httpd.exe
C:\WINDOWS\system32\svchost.exe
C:\AppServ\MySQL\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Bisterd\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Bisterd\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Bisterd\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Bisterd\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Bisterd\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\DOCUME~1\Bisterd\LOCALS~1\Temp\csrssc.exe
C:\Documents and Settings\Bisterd\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Bisterd\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ksjf93orkekfniw73nfdd] C:\DOCUME~1\Bisterd\LOCALS~1\Temp\winlogen.exe
O4 - HKLM\..\Run: [\YURC8.exe] C:\Windows\system32\YURC8.exe
O4 - HKLM\..\Run: [\YURC9.exe] C:\Windows\system32\YURC9.exe
O4 - HKLM\..\Run: [\YURCA.exe] C:\Windows\system32\YURCA.exe
O4 - HKLM\..\Run: [\YURCB.exe] C:\Windows\system32\YURCB.exe
O4 - HKLM\..\Run: [\YURCD.exe] C:\Windows\system32\YURCD.exe
O4 - HKLM\..\Run: [\YUR5.exe] C:\Windows\system32\YUR5.exe
O4 - HKLM\..\Run: [\YUR4.exe] C:\Windows\system32\YUR4.exe
O4 - HKLM\..\Run: [\YUR6.exe] C:\Windows\system32\YUR6.exe
O4 - HKLM\..\Run: [\YUR7.exe] C:\Windows\system32\YUR7.exe
O4 - HKLM\..\Run: [\YUR12.exe] C:\Windows\system32\YUR12.exe
O4 - HKLM\..\Run: [\YUR8.exe] C:\Windows\system32\YUR8.exe
O4 - HKLM\..\Run: [384546ef] rundll32.exe "C:\WINDOWS\system32\xfvykaum.dll",b
O4 - HKLM\..\Run: [BM3b767573] Rundll32.exe "C:\WINDOWS\system32\yrbaximy.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Bisterd\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ksjf93orkekfniw73nfdd] C:\DOCUME~1\Bisterd\LOCALS~1\Temp\winlogen.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Bisterd\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [\YURC8.exe] C:\Windows\system32\YURC8.exe
O4 - HKCU\..\Run: [\YURC9.exe] C:\Windows\system32\YURC9.exe
O4 - HKCU\..\Run: [\YURCA.exe] C:\Windows\system32\YURCA.exe
O4 - HKCU\..\Run: [\YURCB.exe] C:\Windows\system32\YURCB.exe
O4 - HKCU\..\Run: [\YURCD.exe] C:\Windows\system32\YURCD.exe
O4 - HKCU\..\Run: [\YUR5.exe] C:\Windows\system32\YUR5.exe
O4 - HKCU\..\Run: [\YUR4.exe] C:\Windows\system32\YUR4.exe
O4 - HKCU\..\Run: [\YUR6.exe] C:\Windows\system32\YUR6.exe
O4 - HKCU\..\Run: [\YUR7.exe] C:\Windows\system32\YUR7.exe
O4 - HKCU\..\Run: [\YUR12.exe] C:\Windows\system32\YUR12.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [\YUR8.exe] C:\Windows\system32\YUR8.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - S-1-5-18 Startup: YouTube Uploader.lnk = C:\Documents and Settings\Bisterd\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: YouTube Uploader.lnk = C:\Documents and Settings\Bisterd\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe (User 'Default user')
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Bisterd\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL yfgsag.dll vfzqzv.dll
O22 - SharedTaskScheduler: lksdfj98w3rmsekfnaui3rgfdgf - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\gjm86akm34.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\AppServ\Apache2.2\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - C:\WINDOWS\system32\msinet.exe
O23 - Service: mysql - Unknown owner - C:\AppServ\MySQL\bin\mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12016 bytes
Thank you in advance!
Similar Threads
Reputation Points: 10
Solved Threads: 0
Newbie Poster
bistered is offline Offline
7 posts
since Sep 2008
Permalink
Sep 7th, 2008
0

Re: After Malware, IE and FF won't run

This might help:
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebyt...are_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file to install the application and ensure that it is set to update and start, else start it via the icon.
Select "Perform Full Scan", then click Scan; the application will guide you through the remaining steps.
Make sure that everything is checked, and click Remove Selected.
Post the Notepad log [it is also saved under Logs tab in MBAM].
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run CCleaner in any other Accounts.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]

Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O4 - HKLM\..\Run: [ksjf93orkekfniw73nfdd] C:\DOCUME~1\Bisterd\LOCALS~1\Temp\winlogen.exe
O4 - HKLM\..\Run: [\YURC8.exe] C:\Windows\system32\YURC8.exe
O4 - HKLM\..\Run: [\YURC9.exe] C:\Windows\system32\YURC9.exe
O4 - HKLM\..\Run: [\YURCA.exe] C:\Windows\system32\YURCA.exe
O4 - HKLM\..\Run: [\YURCB.exe] C:\Windows\system32\YURCB.exe
O4 - HKLM\..\Run: [\YURCD.exe] C:\Windows\system32\YURCD.exe
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [\YUR5.exe] C:\Windows\system32\YUR5.exe
O4 - HKLM\..\Run: [\YUR4.exe] C:\Windows\system32\YUR4.exe
O4 - HKLM\..\Run: [\YUR6.exe] C:\Windows\system32\YUR6.exe
O4 - HKLM\..\Run: [\YUR7.exe] C:\Windows\system32\YUR7.exe
O4 - HKLM\..\Run: [\YUR12.exe] C:\Windows\system32\YUR12.exe
O4 - HKLM\..\Run: [\YUR8.exe] C:\Windows\system32\YUR8.exe
O4 - HKLM\..\Run: [384546ef] rundll32.exe "C:\WINDOWS\system32\xfvykaum.dll",b
O4 - HKLM\..\Run: [BM3b767573] Rundll32.exe "C:\WINDOWS\system32\yrbaximy.dll",s
O4 - HKCU\..\Run: [ksjf93orkekfniw73nfdd] C:\DOCUME~1\Bisterd\LOCALS~1\Temp\winlogen.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Bisterd\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [\YURC8.exe] C:\Windows\system32\YURC8.exe
O4 - HKCU\..\Run: [\YURC9.exe] C:\Windows\system32\YURC9.exe
O4 - HKCU\..\Run: [\YURCA.exe] C:\Windows\system32\YURCA.exe
O4 - HKCU\..\Run: [\YURCB.exe] C:\Windows\system32\YURCB.exe
O4 - HKCU\..\Run: [\YURCD.exe] C:\Windows\system32\YURCD.exe
O4 - HKCU\..\Run: [\YUR5.exe] C:\Windows\system32\YUR5.exe
O4 - HKCU\..\Run: [\YUR4.exe] C:\Windows\system32\YUR4.exe
O4 - HKCU\..\Run: [\YUR6.exe] C:\Windows\system32\YUR6.exe
O4 - HKCU\..\Run: [\YUR7.exe] C:\Windows\system32\YUR7.exe
O4 - HKCU\..\Run: [\YUR12.exe] C:\Windows\system32\YUR12.exe
O4 - HKCU\..\Run: [\YUR8.exe] C:\Windows\system32\YUR8.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL yfgsag.dll vfzqzv.dll
O22 - SharedTaskScheduler: lksdfj98w3rmsekfnaui3rgfdgf - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\gjm86akm34.dll
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - C:\WINDOWS\system32\msinet.exe

Delete all these files:
C:\Windows\system32\YURC8.exe and similar [the 8 seems to vary as a hexadecimal integer]
C:\Windows\system32\YUR8.exe and similar
C:\DOCUME~1\Bisterd\LOCALS~1\Temp\winlogen.exe
C:\DOCUME~1\Bisterd\LOCALS~1\Temp\csrssc.exe
C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
C:\WINDOWS\system32\xfvykaum.dll
C:\WINDOWS\system32\yrbaximy.dll
C:\WINDOWS\system32\msinet.exe

Post a fresh hijackthis log also.
Last edited by gerbil; Sep 7th, 2008 at 10:30 am.
Reputation Points: 239
Solved Threads: 296
Industrious Poster
gerbil is offline Offline
4,169 posts
since May 2005
Permalink
Sep 7th, 2008
0

Re: After Malware, IE and FF won't run

Brilliant, thank you! Both problems seem to be fixed now. Here is the current HijackThis log:

Quote ...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:25:44 PM, on 9/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Bisterd\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\DOCUME~1\Bisterd\LOCALS~1\Temp\csrssc.exe
C:\Documents and Settings\Bisterd\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\AppServ\Apache2.2\bin\httpd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\AppServ\Apache2.2\bin\httpd.exe
C:\AppServ\MySQL\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Bisterd\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\CTPdeSrv.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Documents and Settings\Bisterd\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kddwe.exe] C:\WINDOWS\system32\kddwe.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BM3b767573] Rundll32.exe "C:\WINDOWS\system32\qpvqfmil.dll",s
O4 - HKLM\..\Run: [384546ef] rundll32.exe "C:\WINDOWS\system32\cckgmail.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Bisterd\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Bisterd\LOCALS~1\Temp\csrssc.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - S-1-5-18 Startup: YouTube Uploader.lnk = C:\Documents and Settings\Bisterd\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe (User

'SYSTEM')
O4 - .DEFAULT Startup: YouTube Uploader.lnk = C:\Documents and Settings\Bisterd\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe (User

'Default user')
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Bisterd\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat

8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat

8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search &

Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{366FC8AC-01CE-4490-9C7B-E61DC7AA6EDA}: NameServer = 85.255.116.142,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9E69F33-EA8B-4EBA-9D48-87696E32DBDD}: NameServer = 85.255.116.142,85.255.112.175
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.142 85.255.112.175
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.142 85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.142 85.255.112.175
O20 - AppInit_DLLs: ijzyev.dll
O22 - SharedTaskScheduler: lksdfj98w3rmsekfnaui3rgfdgf - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\gjm86akm34.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\AppServ\Apache2.2\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume

Technology\ELService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet

Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel

32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - C:\WINDOWS\system32\msinet.exe (file missing)
O23 - Service: mysql - Unknown owner - C:\AppServ\MySQL\bin\mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10977 bytes
A couple other things...
  • I noticed while in my system32 folder that there are a lot of filenames that seem suspicious to me. If I took screenshots of the folder contents and posted them, could someone help me identify unwanted files?
  • The malware changed a couple values that, for one, remove "folder options" from the tools menu in Windows Explorer, and second, disallow registry editing. There may be other changes that I haven't noticed yet... I found how to change both of these values (through the registry and/or Group Policy), but next time I try to open regedit or open Windows Explorer, the problems are back. Anyone know how to permanently fix these?
Reputation Points: 10
Solved Threads: 0
Newbie Poster
bistered is offline Offline
7 posts
since Sep 2008
Permalink
Sep 7th, 2008
0

Re: After Malware, IE and FF won't run

System32 is larrrgge.. no-one will take the time to visually vet those files for you. If you are concerned about some [it is full of weird filenames, until you know what the file does...] I will give you a good online scan which has a whitelist.
Oh, please post that MBAM log.
Meantime, you have picked up a fresh infection, and some of the previous are still there. Let's try to deal with them...
==Disable TeaTimer:
Open Spybot, click Mode, select Advanced Mode, click Yes in new window, click on Tools in bottom left hand corner.
Click the Resident icon and uncheck Teatimer box.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
==Download fixwareout from http://downloads.subratam.org/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Only if your Internet connection is now not working perform this.... In control panel select the Network and Internet Connections , rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.
==Start Combofix:
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

FIX CHECKED ENTRIES....!!
==Start Hijackthis, do a Scan Only and place checkmarks against all of the following, and then press Fix Checked:
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kddwe.exe] C:\WINDOWS\system32\kddwe.exe
O4 - HKLM\..\Run: [BM3b767573] Rundll32.exe "C:\WINDOWS\system32\qpvqfmil.dll",s
O4 - HKLM\..\Run: [384546ef] rundll32.exe "C:\WINDOWS\system32\cckgmail.dll",b
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Bisterd\LOCALS~1\Temp\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{366FC8AC-01CE-4490-9C7B-E61DC7AA6EDA}: NameServer = 85.255.116.142,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9E69F33-EA8B-4EBA-9D48-87696E32DBDD}: NameServer = 85.255.116.142,85.255.112.175
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.142 85.255.112.175
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.142 85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.142 85.255.112.175
O20 - AppInit_DLLs: ijzyev.dll
O22 - SharedTaskScheduler: lksdfj98w3rmsekfnaui3rgfdgf - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\gjm86akm34.dll

Delete these files:
C:\DOCUME~1\Bisterd\LOCALS~1\Temp\csrssc.exe
C:\WINDOWS\system32\kddwe.exe
C:\WINDOWS\system32\qpvqfmil.dll
C:\WINDOWS\system32\cckgmail.dll
C:\WINDOWS\system32\ijzyev.dll
C:\WINDOWS\system32\gjm86akm34.dll
C:\DOCUME~1\Bisterd\LOCALS~1\Temp\csrssc.exe

Okay, please run HT again and repost with the old MBAM, plus the fixwareout and combofix logs.
If at all possible please do not turn off your machine until we sort this infection.
Regedit should now be working for you.
Last edited by gerbil; Sep 7th, 2008 at 10:54 pm.
Reputation Points: 239
Solved Threads: 296
Industrious Poster
gerbil is offline Offline
4,169 posts
since May 2005
Permalink
Sep 7th, 2008
0

Re: After Malware, IE and FF won't run

One more to fix:
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - C:\WINDOWS\system32\msinet.exe (file missing)
Reputation Points: 239
Solved Threads: 296
Industrious Poster
gerbil is offline Offline
4,169 posts
since May 2005
Permalink
Sep 8th, 2008
0

Re: After Malware, IE and FF won't run

Yeah, soon after I posted that, the problems came back...Oy. The problems seem to be gone again now...

I disabled Teamtimer; thank you, I couldn't find how to do that.

MBAM: I tried using MBAM several times at the beginning, and every time I try to scan, my system crashes after a few seconds, so I can't get a log from that...I tried again now and it BSOD'd me again.

Fixwareout: Here's the Fixwareout log...and I did have a net connection problem afterward; doing as you said restored it.

Quote ...
Username "Bisterd" - 09/07/2008 21:36:08 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kddwe.exe"

Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\kddwe.ren 52224 06/13/2007

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy\\Surround Mixer\\CTSysVol.exe /r"
"P17Helper"="Rundll32 P17.dll,P17Helper"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"C:\\WINDOWS\\system32\\kddwe.exe"="C:\\WINDOWS\\system32\\kddwe.exe"
"384546ef"="rundll32.exe \"C:\\WINDOWS\\system32\\cckgmail.dll\",b"
"BM3b767573"="Rundll32.exe \"C:\\WINDOWS\\system32\\qpvqfmil.dll\",s"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Aim6"=""
"Google Update"="\"C:\\Documents and Settings\\Bisterd\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe\" /c"
"Jnskdfmf9eldfd"="C:\\DOCUME~1\\Bisterd\\LOCALS~1\\Temp\\csrssc.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdater]
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
Combofix: Whew, that was thorough. Log:

Quote ...
ComboFix 08-09-05.05 - Bisterd 2008-09-07 21:58:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.571 [GMT -7:00]
Running from: C:\Documents and Settings\Bisterd\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\d.exe
C:\Program Files\Internet Explorer\setupapi.dll
C:\Program Files\PCHealthCenter\0.exe
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\1.exe
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\1.ico
C:\Program Files\PCHealthCenter\2.exe
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\2.ico
C:\Program Files\PCHealthCenter\3.exe
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCHealthCenter\4.exe
C:\Program Files\PCHealthCenter\5.exe
C:\Program Files\PCHealthCenter\7.exe
C:\Program Files\PCHealthCenter\sc.html
C:\WINDOWS\BM3b767573.txt
C:\WINDOWS\BM3b767573.xml
C:\WINDOWS\system32\awtsRIxu.dll
C:\WINDOWS\system32\cckgmail.dll
C:\WINDOWS\system32\erbnhwyb.dll
C:\WINDOWS\system32\ijzyev.dll
C:\WINDOWS\system32\jfuiwfvk.dll
C:\WINDOWS\system32\jiuxmc.dll
C:\WINDOWS\system32\liamgkcc.ini
C:\WINDOWS\system32\ljJYRJaY.dll
C:\WINDOWS\system32\mlJArpqn.dll
C:\WINDOWS\system32\moadcbkq.ini
C:\WINDOWS\system32\muakyvfx.ini
C:\WINDOWS\system32\qkbcdaom.dll
C:\WINDOWS\system32\rjhuictw.ini
C:\WINDOWS\system32\vfzqzv.dll
C:\WINDOWS\system32\winaap32.dll
C:\WINDOWS\system32\wisksdmp.dll
C:\WINDOWS\system32\wtciuhjr.dll
C:\WINDOWS\system32\xerqdhws.dll
C:\WINDOWS\system32\YaJRYJjl.ini
C:\WINDOWS\system32\YaJRYJjl.ini2
C:\WINDOWS\system32\yfgsag.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSUPDATE
-------\Service_msupdate


((((((((((((((((((((((((( Files Created from 2008-08-08 to 2008-09-08 )))))))))))))))))))))))))))))))
.

2008-09-07 21:35 . 2008-09-07 21:43 <DIR> d-------- C:\fixwareout
2008-09-07 16:38 . 2008-09-07 16:38 <DIR> d-------- C:\Program Files\CCleaner
2008-09-07 11:02 . 2008-09-07 11:02 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-07 11:02 . 2008-09-07 11:02 <DIR> d-------- C:\Documents and Settings\Bisterd\Application Data\Malwarebytes
2008-09-07 11:02 . 2008-09-07 11:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-07 11:02 . 2008-09-02 00:26 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-07 11:02 . 2008-09-02 00:25 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-07 01:32 . 2008-09-07 01:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-07 00:22 . 2008-09-07 00:22 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-09-06 13:24 . 2008-09-06 13:24 25,088 --a------ C:\WINDOWS\system32\sups.dll
2008-09-06 12:09 . 2008-09-06 12:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-09-06 12:09 . 2008-09-06 12:09 1,409 --a------ C:\WINDOWS\QTFont.for
2008-09-06 11:40 . 2008-09-06 11:40 21,504 --a------ C:\WINDOWS\system32\odiw.dll
2008-09-06 11:16 . 2008-09-06 11:16 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-06 10:54 . 2008-09-05 17:07 3,262 --a------ C:\WINDOWS\system32\2.ico
2008-09-06 10:50 . 2008-09-07 22:11 <DIR> d-------- C:\Program Files\PCHealthCenter
2008-09-06 10:50 . 2008-09-05 17:07 31,232 --a------ C:\x
2008-09-06 10:50 . 2008-09-05 17:07 3,262 --a------ C:\WINDOWS\system32\1.ico
2008-09-06 10:40 . 2008-09-06 10:40 0 --a------ C:\d1.exe
2008-09-06 10:39 . 2008-09-06 10:39 66,048 --a------ C:\uoju.exe
2008-09-06 10:39 . 2008-09-06 10:39 66,048 --a------ C:\oitkxr.exe
2008-09-06 10:39 . 2008-09-06 10:39 34,816 --a------ C:\accq.exe
2008-09-06 10:39 . 2008-09-06 10:39 29,184 --a------ C:\ubcs.exe
2008-09-06 10:39 . 2008-09-06 10:39 10,000 --a------ C:\WINDOWS\system32\gjm86akm34.dll
2008-09-06 10:39 . 2008-09-06 10:39 0 --a------ C:\944064064
2008-09-06 10:37 . 2008-09-06 10:37 <DIR> d-------- C:\Program Files\PowerISO
2008-09-06 07:27 . 2008-09-06 07:27 155,648 --a------ C:\WINDOWS\system32\CodecBHO.dll
2008-08-24 18:41 . 2008-09-04 16:27 <DIR> d-------- C:\Program Files\ColorPic 4.1
2008-08-24 18:41 . 2008-08-24 18:41 134,126 --a------ C:\WINDOWS\ColorPic Uninstaller.exe
2008-08-09 18:27 . 2008-08-09 18:27 <DIR> d-------- C:\Program Files\Multiple Image Resizer .NET
2008-08-09 17:58 . 2008-08-09 17:58 <DIR> d-------- C:\Program Files\Gadwin PrintScreenPro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-08 00:49 --------- d-----w C:\Documents and Settings\Bisterd\Application Data\FileZilla
2008-09-07 23:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-07 22:43 --------- d-----w C:\Documents and Settings\Bisterd\Application Data\SiteAdvisor
2008-09-07 08:29 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-07 08:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-09-07 08:03 --------- d-----w C:\Documents and Settings\Bisterd\Application Data\AVG7
2008-09-06 18:09 --------- d-----w C:\Documents and Settings\Bisterd\Application Data\uTorrent
2008-09-06 17:39 --------- d-----w C:\Program Files\Opera
2008-09-06 02:59 --------- d-----w C:\Program Files\eMule
2008-09-04 23:27 --------- d-----w C:\Program Files\FileZilla-3.1.0.1
2008-09-04 23:26 --------- d-----w C:\Program Files\ConTEXT
2008-09-04 23:07 --------- d-----w C:\Documents and Settings\Bisterd\Application Data\.gaim
2008-08-30 02:51 --------- d-----w C:\Documents and Settings\Bisterd\Application Data\gtk-2.0
2008-08-24 05:26 --------- d-----w C:\Documents and Settings\Bisterd\Application Data\LimeWire
2008-08-10 06:54 --------- d-----w C:\Program Files\zsnesw
2008-08-10 01:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-10 01:13 --------- d-----w C:\Documents and Settings\Bisterd\Application Data\OpenOffice.org2
2008-08-04 05:11 --------- d-----w C:\Program Files\Jnes
2008-08-04 00:51 45,168 ----a-w C:\Documents and Settings\Bisterd\Application Data\GDIPFONTCACHEV1.DAT
2008-07-30 23:06 --------- d-----w C:\Program Files\InterActual
2008-07-28 05:10 --------- d-----w C:\Program Files\PHP
2008-07-28 04:37 --------- d-----w C:\Program Files\Apache Software Foundation
2008-07-28 03:24 --------- d-----w C:\Program Files\MySQL
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-03-12 04:03 49 ----a-w C:\Program Files\Warnings.txt
2007-03-12 04:03 239 ----a-w C:\Program Files\Morrowind.ini
2007-03-12 04:03 114 ----a-w C:\Program Files\ProgramFlow.txt
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SETA1.tmp
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET83.tmp
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET79.tmp
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET64.tmp
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET58.tmp
1999-07-07 00:00 6 --sh--r C:\WINDOWS\@@desktop.dat
2005-05-14 00:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 18:13 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-14 04:27 422,400 --sha-r C:\WINDOWS\x2.64.exe
2006-05-25 05:05 88 --sh--r C:\WINDOWS\system32\2D10762079.sys
2006-06-12 05:09 56 --sh--r C:\WINDOWS\system32\792076102D.sys
2005-10-08 02:14 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll
2005-07-14 19:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2004-01-25 07:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2006-06-12 05:09 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2006-04-27 17:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll
2005-02-28 20:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 07:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5BF49A2-94F3-42BD-F434-3604812C897D}]
2008-09-06 10:39 10000 --a------ C:\WINDOWS\system32\gjm86akm34.dll

C:\Documents and Settings\Bisterd\Start Menu\Programs\Startup\
YouTube Uploader.lnk - C:\Documents and Settings\Bisterd\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe [2007-11-09 71152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{C5BF49A2-94F3-42BD-F434-3604812C897D}"= "C:\WINDOWS\system32\gjm86akm34.dll" [2008-09-06 10000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ijzyev.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=C:\WINDOWS\pss\Privoxy.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
backup=C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Bisterd^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Bisterd\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Bisterd^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]
path=C:\Documents and Settings\Bisterd\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.2.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Bisterd^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Bisterd\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 22:46 624248 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-04-27 14:17 50736 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
--------- 2004-12-02 18:23 102400 C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a------ 2005-09-08 03:20 122940 C:\WINDOWS\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-09-29 12:01 67584 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-08-22 16:16 1838592 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2005-06-17 05:56 139264 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2005-12-04 16:39 461584 C:\Program Files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-06-10 08:44 249856 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-06-10 08:44 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-07-10 09:18 270648 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-07-12 17:05 1117184 C:\Program Files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 09:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-04-09 10:57 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2007-06-18 15:10 271360 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2007-09-27 18:17 443968 C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-16 23:32 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
--a------ 2006-07-07 12:58 8915456 C:\Program Files\Vidalia\vidalia.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-03-27 15:22 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-01-30 11:54 1622016 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2005-03-22 21:20 339968 C:\WINDOWS\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)
"ServiceLayer"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
"NetSvc"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R2 Apache2.2;Apache2.2;C:\AppServ\Apache2.2\bin\httpd.exe [2007-01-09 20539]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 USA19W;USA19W;C:\WINDOWS\system32\DRIVERS\usa19w2k.sys [2002-05-13 292920]
R3 USA19w2KP;Keyspan High Speed USB Serial Adapter Port Driver;C:\WINDOWS\system32\DRIVERS\usa19w2kp.SYS [2002-04-08 40848]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2002-11-08 14156]
S3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2005-09-01 16768]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

Notify-winaap32 - winaap32.dll
MSConfigStartUp-Acrobat Assistant 7 - C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
MSConfigStartUp-AVG7_CC - C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
MSConfigStartUp-LogitechCameraAssistant - C:\Program Files\Logitech\Video\CameraAssistant.exe
MSConfigStartUp-LogitechCommunicationsManager - C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
MSConfigStartUp-LogitechQuickCamRibbon - C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
MSConfigStartUp-LogitechSoftwareUpdate - C:\Program Files\Logitech\Video\ManifestEngine.exe
MSConfigStartUp-LogitechVideo[inspector] - C:\Program Files\Logitech\Video\InstallHelper.exe
MSConfigStartUp-LVCOMSX - C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
MSConfigStartUp-Zone Labs Client - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Bisterd\Application Data\Mozilla\Firefox\Profiles\ki31759a.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig?hl=en
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npitunes.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-07 22:12:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mysql]
"ImagePath"="C:\AppServ\MySQL\bin\mysqld-nt --defaults-file=C:\AppServ\MySQL\my.ini mysql"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\.NET CLR Data]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\.NET CLR Networking]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\.NET Data Provider for Oracle]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\.NET Data Provider for SqlServer]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\.NETFramework]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Abiosdsk]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\abp480n5]
"ImagePath"="\SystemRoot\system32\DRIVERS\ABP480N5.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ACPI]
"ImagePath"="system32\DRIVERS\ACPI.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ACPIEC]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Adobe LM Service]
"ImagePath"="\"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Adobe Version Cue CS3]
"ImagePath"="\"C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe\" -win32service"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\adpu160m]
"ImagePath"="\SystemRoot\system32\DRIVERS\adpu160m.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\aec]
"ImagePath"="system32\drivers\aec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AFD]
"ImagePath"="\SystemRoot\System32\drivers\afd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\agp440]
"ImagePath"="\SystemRoot\system32\DRIVERS\agp440.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\agpCPQ]
"ImagePath"="\SystemRoot\system32\DRIVERS\agpCPQ.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Aha154x]
"ImagePath"="\SystemRoot\system32\DRIVERS\aha154x.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\aic78u2]
"ImagePath"="\SystemRoot\system32\DRIVERS\aic78u2.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\aic78xx]
"ImagePath"="\SystemRoot\system32\DRIVERS\aic78xx.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Alerter]
"ServiceDll"="%SystemRoot%\system32\alrsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ALG]
"ImagePath"="%SystemRoot%\System32\alg.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AliIde]
"ImagePath"="\SystemRoot\system32\DRIVERS\aliide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\alim1541]
"ImagePath"="\SystemRoot\system32\DRIVERS\alim1541.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\amdagp]
"ImagePath"="\SystemRoot\system32\DRIVERS\amdagp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\amsint]
"ImagePath"="\SystemRoot\system32\DRIVERS\amsint.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Apache2.2]
"ImagePath"="\"C:\AppServ\Apache2.2\bin\httpd.exe\" -k runservice"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Apple Mobile Device]
"ImagePath"="\"C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AppMgmt]
"ServiceDll"="%SystemRoot%\System32\appmgmts.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\asc]
"ImagePath"="\SystemRoot\system32\DRIVERS\asc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\asc3350p]
"ImagePath"="\SystemRoot\system32\DRIVERS\asc3350p.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\asc3550]
"ImagePath"="\SystemRoot\system32\DRIVERS\asc3550.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ASP.NET]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ASP.NET_1.1.4322]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ASP.NET_2.0.50727]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\aspnet_state]
"ImagePath"="%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AsyncMac]
"ImagePath"="system32\DRIVERS\asyncmac.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\atapi]
"ImagePath"="system32\DRIVERS\atapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Atdisk]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Atmarpc]
"ImagePath"="system32\DRIVERS\atmarpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\AudioSrv]
"ServiceDll"="%SystemRoot%\System32\audiosrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\audstub]
"ImagePath"="system32\DRIVERS\audstub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\BattC]
"MofImagePath"="System32\Drivers\battc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Beep]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\BITS]
"ServiceDll"="%systemroot%\system32\qmgr.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Bonjour Service]
"ImagePath"="\"C:\Program Files\Bonjour\mDNSResponder.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Browser]
"ServiceDll"="%SystemRoot%\System32\browser.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\bvrp_pci]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\catchme]
"ImagePath"="\??\C:\ComboFix\catchme.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\cbidf]
"ImagePath"="\SystemRoot\system32\DRIVERS\cbidf2k.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\cbidf2k]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\CCALib8]
"ImagePath"="C:\Program Files\Canon\CAL\CALMAIN.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\CCDECODE]
"ImagePath"="system32\DRIVERS\CCDECODE.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\cd20xrnt]
"ImagePath"="\SystemRoot\system32\DRIVERS\cd20xrnt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Cdaudio]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Cdfs]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Cdrom]
"ImagePath"="system32\DRIVERS\cdrom.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Changer]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\CiSvc]
"ImagePath"="%SystemRoot%\system32\cisvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ClipSrv]
"ImagePath"="%SystemRoot%\system32\clipsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\clr_optimization_v2.0.50727_32]
"ImagePath"="C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\CmdIde]
"ImagePath"="\SystemRoot\system32\DRIVERS\cmdide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\COMSysApp]
"ImagePath"="C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ContentFilter]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ContentIndex]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Cpqarray]
"ImagePath"="\SystemRoot\system32\DRIVERS\cpqarray.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Creative Service for CDROM Access]
"ImagePath"="C:\WINDOWS\system32\CTsvcCDA.EXE"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\CryptSvc]
"ServiceDll"="%SystemRoot%\System32\cryptsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ctsfm2k]
"ImagePath"="system32\DRIVERS\ctsfm2k.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\dac2w2k]
"ImagePath"="\SystemRoot\system32\DRIVERS\dac2w2k.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\dac960nt]
"ImagePath"="\SystemRoot\system32\DRIVERS\dac960nt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\DcomLaunch]
"ServiceDll"="%SystemRoot%\system32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Dhcp]
"ServiceDll"="%SystemRoot%\System32\dhcpcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Disk]
"ImagePath"="system32\DRIVERS\disk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\DLABOIOM]
"ImagePath"="System32\DLA\DLABOIOM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\DLACDBHM]
"ImagePath"="System32\Drivers\DLACDBHM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\DLADResN]
"ImagePath"="System32\DLA\DLADResN.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\DLAIFS_M]
"ImagePath"="System32\DLA\DLAIFS_M.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\DLAOPIOM]
"ImagePath"="System32\DLA\DLAOPIOM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\DLAPoolM]
"ImagePath"="System32\DLA\DLAPoolM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\DLARTL_N]
"ImagePath"="System32\Drivers\DLARTL_N.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\DLAUDFAM]
"ImagePath"="System32\DLA\DLAUDFAM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\DLAUDF_M]
"ImagePath"="System32\DLA\DLAUDF_M.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\dmadmin]
"ImagePath"="%SystemRoot%\System32\dmadmin.exe /com"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\dmboot]
"ImagePath"="System32\drivers\dmboot.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\dmio]
"ImagePath"="System32\drivers\dmio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\dmload]
"ImagePath"="System32\drivers\dmload.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\dmserver]
"ServiceDll"="%SystemRoot%\System32\dmserver.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\DMusic]
"ImagePath"="system32\drivers\DMusic.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Dnscache]
"ServiceDll"="%SystemRoot%\System32\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\dpti2o]
"ImagePath"="\SystemRoot\system32\DRIVERS\dpti2o.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\drmkaud]
"ImagePath"="system32\drivers\drmkaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\DRVMCDB]
"ImagePath"="System32\Drivers\DRVMCDB.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\DRVNDDM]
"ImagePath"="System32\Drivers\DRVNDDM.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\E100B]
"ImagePath"="system32\DRIVERS\e100b325.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\e1express]
"ImagePath"="system32\DRIVERS\e1e5132.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ehRecvr]
"ImagePath"="C:\WINDOWS\eHome\ehRecvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ehSched]
"ImagePath"="C:\WINDOWS\eHome\ehSched.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ELacpi]
"ImagePath"="system32\DRIVERS\ELacpi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ELhid]
"ImagePath"="System32\DRIVERS\ELhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ELkbd]
"ImagePath"="System32\DRIVERS\ELkbd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ELmon]
"ImagePath"="System32\DRIVERS\ELmon.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ELmou]
"ImagePath"="System32\DRIVERS\ELmou.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ELService]
"ImagePath"="\"C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ERSvc]
"ServiceDll"="%SystemRoot%\System32\ersvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Eventlog]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\EventSystem]
"ServiceDll"="C:\WINDOWS\system32\es.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Fastfat]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\FastUserSwitchingCompatibility]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Fax]
"ImagePath"="%systemroot%\system32\fxssvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Fdc]
"ImagePath"="system32\DRIVERS\fdc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\FilterService]
"ImagePath"="system32\DRIVERS\lvuvcflt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Fips]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\FLEXnet Licensing Service]
"ImagePath"="\"C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Flpydisk]
"ImagePath"="system32\DRIVERS\flpydisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\FltMgr]
"ImagePath"="system32\DRIVERS\fltMgr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Fs_Rec]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Ftdisk]
"ImagePath"="system32\DRIVERS\ftdisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\GEARAspiWDM]
"ImagePath"="System32\Drivers\GEARAspiWDM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\GoogleDesktopManager]
"ImagePath"="\"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Gpc]
"ImagePath"="system32\DRIVERS\msgpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\gusvc]
"ImagePath"="\"C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HDAudBus]
"ImagePath"="system32\DRIVERS\HDAudBus.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\helpsvc]
"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HidServ]
"ServiceDll"="%SystemRoot%\System32\hidserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HidUsb]
"ImagePath"="system32\DRIVERS\hidusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\hpn]
"ImagePath"="\SystemRoot\system32\DRIVERS\hpn.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HPZid412]
"ImagePath"="system32\DRIVERS\HPZid412.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HPZipr12]
"ImagePath"="system32\DRIVERS\HPZipr12.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HPZius12]
"ImagePath"="system32\DRIVERS\HPZius12.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HSFHWBS2]
"ImagePath"="system32\DRIVERS\HSFHWBS2.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HSF_DP]
"ImagePath"="system32\DRIVERS\HSF_DP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HTTP]
"ImagePath"="System32\Drivers\HTTP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\HTTPFilter]
"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\i2omgmt]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\i2omp]
"ImagePath"="\SystemRoot\system32\DRIVERS\i2omp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\i8042prt]
"ImagePath"="system32\DRIVERS\i8042prt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IAANTMon]
"ImagePath"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\iastor]
"ImagePath"="system32\drivers\iastor.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IDriverT]
"ImagePath"="\"C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IFPUSB]
"ImagePath"="system32\DRIVERS\ifpusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ILADFtmi]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Imapi]
"ImagePath"="system32\DRIVERS\imapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ImapiService]
"ImagePath"="%systemroot%\system32\imapi.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\inetaccs]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ini910u]
"ImagePath"="\SystemRoot\system32\DRIVERS\ini910u.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Inport]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IntelIde]
"ImagePath"="\SystemRoot\system32\DRIVERS\intelide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\intelppm]
"ImagePath"="system32\DRIVERS\intelppm.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Ip6Fw]
"ImagePath"="system32\DRIVERS\Ip6Fw.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IpFilterDriver]
"ImagePath"="System32\DRIVERS\ipfltdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IpInIp]
"ImagePath"="system32\DRIVERS\ipinip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IpNat]
"ImagePath"="system32\DRIVERS\ipnat.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\iPod Service]
"ImagePath"="\"C:\Program Files\iPod\bin\iPodService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IPSec]
"ImagePath"="system32\DRIVERS\ipsec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IRENUM]
"ImagePath"="system32\DRIVERS\irenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ISAPISearch]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\isapnp]
"ImagePath"="system32\DRIVERS\isapnp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Jukebox3]
"ImagePath"="system32\DRIVERS\ctpdusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Kbdclass]
"ImagePath"="system32\DRIVERS\kbdclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\kbdhid]
"ImagePath"="system32\DRIVERS\kbdhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\kmixer]
"ImagePath"="system32\drivers\kmixer.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\KSecDD]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\lanmanserver]
"ServiceDll"="%SystemRoot%\System32\srvsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\lanmanworkstation]
"ServiceDll"="%SystemRoot%\System32\wkssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\lbrtfdc]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\LCcfltr]
"ImagePath"="System32\Drivers\LCcFltr.Sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ldap]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\LicenseService]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\LmHosts]
"ServiceDll"="%SystemRoot%\System32\lmhsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Lvckap]
"ImagePath"="system32\DRIVERS\LVcKap.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\LVMVDrv]
"ImagePath"="system32\DRIVERS\LVMVDrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\lvpopflt]
"ImagePath"="system32\DRIVERS\lvpopflt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\LVPrcMon]
"ImagePath"="\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\LVUSBSta]
"ImagePath"="system32\drivers\lvusbsta.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\LVUVC]
"ImagePath"="system32\DRIVERS\lvuvc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\McrdSvc]
"ImagePath"="C:\WINDOWS\ehome\mcrdsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mdmxsdk]
"ImagePath"="system32\DRIVERS\mdmxsdk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Messenger]
"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MHN]
"ServiceDll"="%SystemRoot%\System32\mhn.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MHNDRV]
"ImagePath"="system32\DRIVERS\mhndrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mnmdd]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mnmsrvc]
"ImagePath"="C:\WINDOWS\system32\mnmsrvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Modem]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MODEMCSA]
"ImagePath"="system32\drivers\MODEMCSA.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Mouclass]
"ImagePath"="system32\DRIVERS\mouclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mouhid]
"ImagePath"="system32\DRIVERS\mouhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MountMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mraid35x]
"ImagePath"="\SystemRoot\system32\DRIVERS\mraid35x.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MRxDAV]
"ImagePath"="system32\DRIVERS\mrxdav.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MRxSmb]
"ImagePath"="system32\DRIVERS\mrxsmb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSDTC]
"ImagePath"="C:\WINDOWS\system32\msdtc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Msfs]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSIServer]
"ImagePath"="%systemroot%\system32\msiexec.exe /V"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSKSSRV]
"ImagePath"="system32\drivers\MSKSSRV.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSPCLOCK]
"ImagePath"="system32\drivers\MSPCLOCK.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSPQM]
"ImagePath"="system32\drivers\MSPQM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mssmbios]
"ImagePath"="system32\DRIVERS\mssmbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MSTEE]
"ImagePath"="system32\drivers\MSTEE.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Mup]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mysql]
"ImagePath"="C:\AppServ\MySQL\bin\mysqld-nt --defaults-file=C:\AppServ\MySQL\my.ini mysql"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NABTSFEC]
"ImagePath"="system32\DRIVERS\NABTSFEC.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NDIS]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NdisIP]
"ImagePath"="system32\DRIVERS\NdisIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NdisTapi]
"ImagePath"="system32\DRIVERS\ndistapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Ndisuio]
"ImagePath"="system32\DRIVERS\ndisuio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NdisWan]
"ImagePath"="system32\DRIVERS\ndiswan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NDProxy]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetBIOS]
"ImagePath"="system32\DRIVERS\netbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetBT]
"ImagePath"="system32\DRIVERS\netbt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetDDE]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetDDEdsdm]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Netlogon]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Netman]
"ServiceDll"="%SystemRoot%\System32\netman.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetSvc]
"ImagePath"="C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Nla]
"ServiceDll"="%SystemRoot%\System32\mswsock.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Npfs]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Ntfs]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NtLmSsp]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NtmsSvc]
"ServiceDll"="%SystemRoot%\system32\ntmssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Null]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\nv]
"ImagePath"="system32\DRIVERS\nv4_mini.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NVSvc]
"ImagePath"="%SystemRoot%\system32\nvsvc32.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NwlnkFlt]
"ImagePath"="system32\DRIVERS\nwlnkflt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NwlnkFwd]
"ImagePath"="system32\DRIVERS\nwlnkfwd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ossrv]
"ImagePath"="system32\DRIVERS\ctoss2k.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\P17]
"ImagePath"="system32\drivers\P17.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Parport]
"ImagePath"="system32\DRIVERS\parport.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PartMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ParVdm]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PCI]
"ImagePath"="system32\DRIVERS\pci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PCIDump]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PCIIde]
"ImagePath"="system32\DRIVERS\pciide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Pcmcia]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PDCOMP]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PDFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PDRELI]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PDRFRAME]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PenClass]
"ImagePath"="System32\Drivers\PenClass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\perc2]
"ImagePath"="\SystemRoot\system32\DRIVERS\perc2.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\perc2hib]
"ImagePath"="\SystemRoot\system32\DRIVERS\perc2hib.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PerfDisk]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PerfNet]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PerfOS]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PerfProc]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PlugPlay]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Pml Driver HPZ12]
"ImagePath"="C:\WINDOWS\system32\HPZipm12.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Point32]
"ImagePath"="system32\DRIVERS\point32.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PolicyAgent]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PptpMiniport]
"ImagePath"="system32\DRIVERS\raspptp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ProtectedStorage]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PSched]
"ImagePath"="system32\DRIVERS\psched.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Ptilink]
"ImagePath"="system32\DRIVERS\ptilink.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PxHelp20]
"ImagePath"="System32\Drivers\PxHelp20.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ql1080]
"ImagePath"="\SystemRoot\system32\DRIVERS\ql1080.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Ql10wnt]
"ImagePath"="\SystemRoot\system32\DRIVERS\ql10wnt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ql12160]
"ImagePath"="\SystemRoot\system32\DRIVERS\ql12160.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ql1240]
"ImagePath"="\SystemRoot\system32\DRIVERS\ql1240.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ql1280]
"ImagePath"="\SystemRoot\system32\DRIVERS\ql1280.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RasAcd]
"ImagePath"="system32\DRIVERS\rasacd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RasAuto]
"ServiceDll"="%SystemRoot%\System32\rasauto.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Rasl2tp]
"ImagePath"="system32\DRIVERS\rasl2tp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RasMan]
"ServiceDll"="%SystemRoot%\System32\rasmans.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RasPppoe]
"ImagePath"="system32\DRIVERS\raspppoe.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Raspti]
"ImagePath"="system32\DRIVERS\raspti.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Rdbss]
"ImagePath"="system32\DRIVERS\rdbss.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RDPCDD]
"ImagePath"="System32\DRIVERS\RDPCDD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RDPDD]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\rdpdr]
"ImagePath"="system32\DRIVERS\rdpdr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RDPNP]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RDPWD]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RDSessMgr]
"ImagePath"="C:\WINDOWS\system32\sessmgr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\redbook]
"ImagePath"="system32\DRIVERS\redbook.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RemoteAccess]
"ServiceDll"="%SystemRoot%\System32\mprdim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RemoteRegistry]
"ServiceDll"="%SystemRoot%\system32\regsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RpcLocator]
"ImagePath"="%SystemRoot%\system32\locator.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RpcSs]
"ServiceDll"="%SystemRoot%\System32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RSVP]
"ImagePath"="%SystemRoot%\system32\rsvp.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SamSs]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SCardSvr]
"ImagePath"="%SystemRoot%\System32\SCardSvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SCDEmu]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Schedule]
"ServiceDll"="%SystemRoot%\system32\schedsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Secdrv]
"ImagePath"="system32\DRIVERS\secdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\seclogon]
"ServiceDll"="%SystemRoot%\System32\seclogon.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SENS]
"ServiceDll"="%SystemRoot%\system32\sens.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Ser2pl]
"ImagePath"="system32\DRIVERS\ser2pl.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\serenum]
"ImagePath"="system32\DRIVERS\serenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Serial]
"ImagePath"="system32\DRIVERS\serial.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ServiceLayer]
"ImagePath"="\"C:\Program Files\PC Connectivity Solution\ServiceLayer.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Sfloppy]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SharedAccess]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ShellHWDetection]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Simbad]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sisagp]
"ImagePath"="\SystemRoot\system32\DRIVERS\sisagp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SLIP]
"ImagePath"="system32\DRIVERS\SLIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Sparrow]
"ImagePath"="\SystemRoot\system32\DRIVERS\sparrow.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\splitter]
"ImagePath"="system32\drivers\splitter.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Spooler]
"ImagePath"="%SystemRoot%\system32\spoolsv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sr]
"ImagePath"="system32\DRIVERS\sr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\srservice]
"ServiceDll"="C:\WINDOWS\system32\srsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Srv]
"ImagePath"="system32\DRIVERS\srv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SSDPSRV]
"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\STHDA]
"ImagePath"="system32\drivers\sthda.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\stisvc]
"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\streamip]
"ImagePath"="system32\DRIVERS\StreamIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\swenum]
"ImagePath"="system32\DRIVERS\swenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\swmidi]
"ImagePath"="system32\drivers\swmidi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SwPrv]
"ImagePath"="C:\WINDOWS\system32\dllhost.exe /Processid:{6F6160A9-C71A-4D34-91A0-5B9E71074979}"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\symc810]
"ImagePath"="\SystemRoot\system32\DRIVERS\symc810.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\symc8xx]
"ImagePath"="\SystemRoot\system32\DRIVERS\symc8xx.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sym_hi]
"ImagePath"="\SystemRoot\system32\DRIVERS\sym_hi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sym_u3]
"ImagePath"="\SystemRoot\system32\DRIVERS\sym_u3.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sysaudio]
"ImagePath"="system32\drivers\sysaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SysmonLog]
"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TabletService]
"ImagePath"="C:\WINDOWS\system32\Tablet.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TapiSrv]
"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip]
"ImagePath"="system32\DRIVERS\tcpip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TDPIPE]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TDTCP]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TermDD]
"ImagePath"="system32\DRIVERS\termdd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TermService]
"ServiceDll"="%SystemRoot%\System32\termsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Themes]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TlntSvr]
"ImagePath"="C:\WINDOWS\system32\tlntsvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TosIde]
"ImagePath"="\SystemRoot\system32\DRIVERS\toside.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TrkWks]
"ServiceDll"="%SystemRoot%\system32\trkwks.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\TSDDD]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Udfs]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ultra]
"ImagePath"="\SystemRoot\system32\DRIVERS\ultra.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Update]
"ImagePath"="system32\DRIVERS\update.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\upnphost]
"ServiceDll"="%SystemRoot%\System32\upnphost.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UPS]
"ImagePath"="%SystemRoot%\System32\ups.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\USA19W]
"ImagePath"="system32\DRIVERS\usa19w2k.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\USA19w2KP]
"ImagePath"="system32\DRIVERS\usa19w2kp.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usb]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbaudio]
"ImagePath"="system32\drivers\usbaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbccgp]
"ImagePath"="system32\DRIVERS\usbccgp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbehci]
"ImagePath"="system32\DRIVERS\usbehci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbhub]
"ImagePath"="system32\DRIVERS\usbhub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbprint]
"ImagePath"="system32\DRIVERS\usbprint.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbscan]
"ImagePath"="system32\DRIVERS\usbscan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\USBSTOR]
"ImagePath"="system32\DRIVERS\USBSTOR.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usbuhci]
"ImagePath"="system32\DRIVERS\usbuhci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\usnjsvc]
"ImagePath"="\"C:\Program Files\MSN Messenger\usnsvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\VgaSave]
"ImagePath"="\SystemRoot\System32\drivers\vga.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\viaagp]
"ImagePath"="\SystemRoot\system32\DRIVERS\viaagp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ViaIde]
"ImagePath"="\SystemRoot\system32\DRIVERS\viaide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Viewpoint Manager Service]
"ImagePath"="\"C:\Program Files\Viewpoint\Common\ViewpointService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\VolSnap]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\VSS]
"ImagePath"="%SystemRoot%\System32\vssvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\w32time]
"ServiceDll"="%systemroot%\system32\w32time.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\W3SVC]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WACOM]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Wanarp]
"ImagePath"="system32\DRIVERS\wanarp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wanatw]
"ImagePath"="system32\DRIVERS\wanatw4.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WDICA]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wdmaud]
"ImagePath"="system32\drivers\wdmaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WebClient]
"ServiceDll"="%SystemRoot%\System32\webclnt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\winachsf]
"ImagePath"="system32\DRIVERS\HSF_CNXT.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\winmgmt]
"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Winsock]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WinSock2]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WinTrust]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WmdmPmSN]
"ServiceDll"="C:\WINDOWS\system32\MsPMSNSv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Wmi]
"ServiceDll"="%SystemRoot%\System32\advapi32.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WmiApRpl]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WmiApSrv]
"ImagePath"="C:\WINDOWS\system32\wbem\wmiapsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WMPNetworkSvc]
"ImagePath"="\"C:\Program Files\Windows Media Player\WMPNetwk.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WS2IFSL]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wscsvc]
"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WSTCODEC]
"ImagePath"="system32\DRIVERS\WSTCODEC.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wuauserv]
"ServiceDll"="C:\WINDOWS\system32\wuauserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WudfPf]
"ImagePath"="system32\DRIVERS\WudfPf.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WudfRd]
"ImagePath"="system32\DRIVERS\wudfrd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WudfSvc]
"ServiceDll"="%SystemRoot%\System32\WUDFSvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\WZCSVC]
"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\xmlprov]
"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{366FC8AC-01CE-4490-9C7B-E61DC7AA6EDA}]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{B9E69F33-EA8B-4EBA-9D48-87696E32DBDD}]
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Documents and Settings\Bisterd\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\AppServ\MySQL\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Bisterd\LOCALS~1\temp\csrssc.exe
C:\WINDOWS\system32\mmc.exe
.
**************************************************************************
.
Completion time: 2008-09-07 23:00:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-08 05:58:57

Pre-Run: 47,628,169,216 bytes free
Post-Run: 47,506,624,512 bytes free

1031 --- E O F --- 2008-05-17 10:02:44
And here's the latest HT:

Quote ...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:42 PM, on 9/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Bisterd\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Bisterd\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
C:\AppServ\Apache2.2\bin\httpd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\AppServ\MySQL\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\AppServ\Apache2.2\bin\httpd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Bisterd\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Bisterd\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Bisterd\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: C:\WINDOWS\system32\gjm86akm34.dll - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\gjm86akm34.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Bisterd\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - S-1-5-18 Startup: YouTube Uploader.lnk = C:\Documents and Settings\Bisterd\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: YouTube Uploader.lnk = C:\Documents and Settings\Bisterd\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe (User 'Default user')
O4 - Startup: YouTube Uploader.lnk = C:\Documents and Settings\Bisterd\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: lksdfj98w3rmsekfnaui3rgfdgf - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\gjm86akm34.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\AppServ\Apache2.2\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mysql - Unknown owner - C:\AppServ\MySQL\bin\mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9403 bytes
I deleted all the files you listed except one (gjm86akm34.dll); I can't get rid of it because "access is denied", I assume it's in use by something..

I would also appreciate that system32 online scan you mentioned. In my system32 folder after all this, I found a couple of little pornographic icons in there. I don't doubt there's more junk.

Thanks again for all this, you're a miracle worker!
Reputation Points: 10
Solved Threads: 0
Newbie Poster
bistered is offline Offline
7 posts
since Sep 2008
Permalink
Sep 8th, 2008
0

Re: After Malware, IE and FF won't run

For the tough file, C:\WINDOWS\system32\gjm86akm34.dll :
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
I'll get back to you on the rest...
Last edited by gerbil; Sep 8th, 2008 at 9:38 am.
Reputation Points: 239
Solved Threads: 296
Industrious Poster
gerbil is offline Offline
4,169 posts
since May 2005
Permalink
Sep 8th, 2008
0

Re: After Malware, IE and FF won't run

Oh dear, your sys has been whacked. Next skirmish follows... and I would like to point out that I much dislike the namers of codec, game and linux files....
==Uninstall MBAM and delete the downloaded files, it has been compromised because it has not removed files I know it should.
==Please go to this web page http://virusscan.jotti.org/, click browse and submit this file for examination:
C:\WINDOWS\system32\kddwe.exe
-I just wish to get it recognised... now you may not find it there cos Fixwareout should have dealt with it, but it may still be here:
C:\WINDOWS\Temp\kddwe.ren
-post the report.
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.

Help with Code Tags
(Toggle Plain Text)
Killall::

Files::
2008-09-06 13:24 . 2008-09-06 13:24 25,088 --a------ C:\WINDOWS\system32\sups.dll
2008-09-06 11:40 . 2008-09-06 11:40 21,504 --a------ C:\WINDOWS\system32\odiw.dll
2008-09-06 10:54 . 2008-09-05 17:07 3,262 --a------ C:\WINDOWS\system32\2.ico
2008-09-06 10:50 . 2008-09-05 17:07 31,232 --a------ C:\x
2008-09-06 10:50 . 2008-09-05 17:07 3,262 --a------ C:\WINDOWS\system32\1.ico
2008-09-06 10:40 . 2008-09-06 10:40 0 --a------ C:\d1.exe
2008-09-06 10:39 . 2008-09-06 10:39 66,048 --a------ C:\uoju.exe
2008-09-06 10:39 . 2008-09-06 10:39 66,048 --a------ C:\oitkxr.exe
2008-09-06 10:39 . 2008-09-06 10:39 34,816 --a------ C:\accq.exe
2008-09-06 10:39 . 2008-09-06 10:39 29,184 --a------ C:\ubcs.exe
2008-09-06 10:39 . 2008-09-06 10:39 10,000 --a------ C:\WINDOWS\system32\gjm86akm34.dll
2008-09-06 10:39 . 2008-09-06 10:39 0 --a------ C:\944064064
2008-09-06 07:27 . 2008-09-06 07:27 155,648 --a------ C:\WINDOWS\system32\CodecBHO.dll
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SETA1.tmp
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET83.tmp
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET79.tmp
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET64.tmp
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET58.tmp
1999-07-07 00:00 6 --sh--r C:\WINDOWS\@@desktop.dat
2006-05-25 05:05 88 --sh--r C:\WINDOWS\system32\2D10762079.sys
2006-06-12 05:09 56 --sh--r C:\WINDOWS\system32\792076102D.sys
C:\WINDOWS\system32\kddwe.exe
C:\WINDOWS\Temp\kddwe.ren

Folders::
2008-09-06 10:50 . 2008-09-07 22:11 <DIR> d-------- C:\Program Files\PCHealthCenter

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5BF49A2-94F3-42BD-F434-3604812C897D}]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{C5BF49A2-94F3-42BD-F434-3604812C897D}"= -

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\WINDOWS\\system32\\kddwe.exe"=-
"384546ef"=-
"BM3b767573"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jnskdfmf9eldfd"=-
Good. Now drag CFScript.txt onto Combofix [drag the icon if on your desktop, or the filename if in a folder]. Combofix will start, let it run, if your firewall prompts then allow all; post the log.
...and a fresh hijackthis scan.
Phew.
Last edited by gerbil; Sep 8th, 2008 at 11:16 am.
Reputation Points: 239
Solved Threads: 296
Industrious Poster
gerbil is offline Offline
4,169 posts
since May 2005
Permalink
Sep 8th, 2008
0

Re: After Malware, IE and FF won't run

Small problem...I don't have a kddwe.exe or kddwe.ren file in my sys32 folder. Is that bad?

Folder Options and regedit keep disabling themselves again...ack...

Oh, and that unlocker is great.

Edit: I can't get MBAM to scan successfully without crashing the system, remember? I assume that's why those files are still there that it should get rid of.
Last edited by bistered; Sep 8th, 2008 at 1:05 pm.
Reputation Points: 10
Solved Threads: 0
Newbie Poster
bistered is offline Offline
7 posts
since Sep 2008
Permalink
Sep 8th, 2008
0

Re: After Malware, IE and FF won't run

No, it is not bad. Just run the next part for me, please - I have re-submitted it because of a syntax error, so ignore the instruction in my previous post regarding this part.
And yep, MBAM broke, so delete all of it.

==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to a folder or your desktop.

Killall::

File::
2008-09-06 13:24 . 2008-09-06 13:24 25,088 --a------ C:\WINDOWS\system32\sups.dll
2008-09-06 11:40 . 2008-09-06 11:40 21,504 --a------ C:\WINDOWS\system32\odiw.dll
2008-09-06 10:54 . 2008-09-05 17:07 3,262 --a------ C:\WINDOWS\system32\2.ico
2008-09-06 10:50 . 2008-09-05 17:07 31,232 --a------ C:\x
2008-09-06 10:50 . 2008-09-05 17:07 3,262 --a------ C:\WINDOWS\system32\1.ico
2008-09-06 10:40 . 2008-09-06 10:40 0 --a------ C:\d1.exe
2008-09-06 10:39 . 2008-09-06 10:39 66,048 --a------ C:\uoju.exe
2008-09-06 10:39 . 2008-09-06 10:39 66,048 --a------ C:\oitkxr.exe
2008-09-06 10:39 . 2008-09-06 10:39 34,816 --a------ C:\accq.exe
2008-09-06 10:39 . 2008-09-06 10:39 29,184 --a------ C:\ubcs.exe
2008-09-06 10:39 . 2008-09-06 10:39 10,000 --a------ C:\WINDOWS\system32\gjm86akm34.dll
2008-09-06 10:39 . 2008-09-06 10:39 0 --a------ C:\944064064
2008-09-06 07:27 . 2008-09-06 07:27 155,648 --a------ C:\WINDOWS\system32\CodecBHO.dll
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SETA1.tmp
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET83.tmp
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET79.tmp
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET64.tmp
2006-10-03 09:43 2,402,550 ----a-w C:\WINDOWS\inf\SET58.tmp
1999-07-07 00:00 6 --sh--r C:\WINDOWS\@@desktop.dat
2006-05-25 05:05 88 --sh--r C:\WINDOWS\system32\2D10762079.sys
2006-06-12 05:09 56 --sh--r C:\WINDOWS\system32\792076102D.sys
C:\WINDOWS\system32\kddwe.exe
C:\WINDOWS\Temp\kddwe.ren

Folder::
2008-09-06 10:50 . 2008-09-07 22:11 <DIR> d-------- C:\Program Files\PCHealthCenter

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5BF49A2-94F3-42BD-F434-3604812C897D}]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{C5BF49A2-94F3-42BD-F434-3604812C897D}"= -

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\WINDOWS\\system32\\kddwe.exe"=-
"384546ef"=-
"BM3b767573"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jnskdfmf9eldfd"=-

Good. Now drag CFScript.txt onto Combofix [drag the icon if on your desktop, or the filename if in a folder]. Combofix will start, let it run, if your firewall prompts then allow all; post the log.
...and a fresh hijackthis scan.
Phew.
Reputation Points: 239
Solved Threads: 296
Industrious Poster
gerbil is offline Offline
4,169 posts
since May 2005

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.
Message:
Previous Thread in Viruses, Spyware and other Nasties Forum Timeline: Help with notavirus
Next Thread in Viruses, Spyware and other Nasties Forum Timeline: CKVO.exe virus





About Us | Contact Us | Advertise | Acceptable Use Policy
Forum Index | Build Custom RSS Feed


Follow us on Twitter


© 2011 DaniWeb® LLC