Rootkit issue: sirefef

Geeks to Go Forums > Security > Computer Won't Boot - Malware Related

Today's New Content

Rootkit issue: sirefef

#16 wtibard

Group: Member
Posts: 13
Joined: 28-May 12

Posted 02 June 2012 - 07:09 AM

The computer seems to be working much better. I just haven't run the removal tools again because that seems to be the cause of the instability with the start up before. I will wait until you tell me it is the best time to run the removal tool.

here is the combofix log:
ComboFix 12-06-01.01 - Josh and Lydia 06/02/2012 8:47.3.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4061.2472 [GMT -4:00]
Running from: c:\users\Josh and Lydia\Desktop\ComboFix.exe
Command switches used :: c:\users\Josh and Lydia\Desktop\CFScript.txt
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\temp\U
c:\windows\assembly\temp\U\00000001.@
c:\windows\assembly\temp\U\00000002.@
c:\windows\assembly\temp\U\00000004.@
c:\windows\assembly\temp\U\000000c0.@
c:\windows\assembly\temp\U\000000cb.@
c:\windows\assembly\temp\U\000000cf.@
c:\windows\assembly\temp\U\80000000.@
c:\windows\assembly\temp\U\80000004.@
c:\windows\assembly\temp\U\80000032.@
c:\windows\assembly\temp\U\80000064.@
c:\windows\assembly\temp\U\800000c0.@
c:\windows\assembly\temp\U\800000cb.@
c:\windows\assembly\temp\U\800000cf.@
.
.
((((((((((((((((((((((((( Files Created from 2012-05-02 to 2012-06-02 )))))))))))))))))))))))))))))))
.
.
2012-06-02 12:55 . 2012-06-02 12:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-02 12:55 . 2012-06-02 12:55 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-06-02 00:50 . 2012-05-08 17:02 8955792 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{573069BE-795A-4581-8794-EDB98B5AAE6B}\mpengine.dll
2012-06-01 13:40 . 2012-06-01 13:40 -------- d-----w- c:\program files (x86)\ESET
2012-05-31 05:37 . 2012-05-31 05:39 -------- d-----w- C:\FRST
2012-05-29 17:37 . 2012-05-29 17:37 -------- d-----w- C:\_OTL
2012-05-28 22:09 . 2012-05-29 21:56 -------- d-----w- c:\program files (x86)\ERUNT
2012-05-28 21:34 . 2012-05-28 21:34 -------- d-----w- c:\program files\Enigma Software Group
2012-05-28 21:19 . 2012-05-28 21:19 -------- d-----w- c:\users\Josh and Lydia\AppData\Roaming\SpeedyPC Software
2012-05-28 21:19 . 2012-05-28 21:19 -------- d-----w- c:\users\Josh and Lydia\AppData\Roaming\DriverCure
2012-05-28 21:19 . 2012-05-28 22:29 -------- d-----w- c:\programdata\SpeedyPC Software
2012-05-24 00:14 . 2012-03-06 23:01 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-05-24 00:14 . 2012-03-06 23:04 337240 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-05-24 00:14 . 2012-03-06 23:02 53080 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-05-24 00:14 . 2012-03-06 23:01 59224 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-05-24 00:14 . 2012-03-06 23:04 819032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-05-24 00:14 . 2012-03-06 23:15 258520 ----a-w- c:\windows\system32\aswBoot.exe
2012-05-24 00:14 . 2012-03-06 23:01 69976 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-05-24 00:13 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
2012-05-24 00:13 . 2012-03-06 23:15 201352 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-05-24 00:13 . 2012-05-30 00:24 -------- d-----w- c:\programdata\AVAST Software
2012-05-24 00:13 . 2012-05-30 00:24 -------- d-----w- c:\program files\AVAST Software
2012-05-23 23:36 . 2012-05-30 00:23 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-05-23 23:36 . 2012-05-23 23:36 476960 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-05-23 19:43 . 2012-05-28 23:55 -------- d-----w- c:\users\Josh and Lydia\AppData\Roaming\AVG2012
2012-05-23 19:41 . 2012-05-28 23:55 -------- d-----w- c:\program files (x86)\AVG Secure Search
2012-05-23 01:14 . 2012-05-23 01:14 -------- d-----w- c:\users\Josh and Lydia\AppData\Local\AVG Secure Search
2012-05-23 01:14 . 2012-05-25 20:20 -------- d-----w- c:\programdata\AVG Secure Search
2012-05-23 01:14 . 2012-05-28 23:55 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search
2012-05-23 01:14 . 2012-05-23 01:14 -------- d--h--w- c:\programdata\Common Files
2012-05-23 01:13 . 2012-05-28 23:55 -------- d-----w- c:\programdata\AVG2012
2012-05-23 01:13 . 2012-05-23 01:13 -------- d-----w- C:\$AVG
2012-05-23 01:12 . 2012-05-25 20:18 -------- d-----w- c:\program files (x86)\AVG
2012-05-23 01:07 . 2012-05-30 00:30 -------- d-----w- c:\programdata\MFAData
2012-05-18 13:15 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-05-18 13:15 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-05-18 01:02 . 2012-05-30 00:27 -------- d-----w- c:\windows\system32\SPReview
2012-05-18 00:36 . 2012-05-18 01:01 -------- d-----w- C:\1eabf5ff9f15662cf7967fd7f8ec1c
2012-05-17 18:15 . 2012-05-17 18:15 50000 ----a-w- c:\windows\system32\drivers\jepphzzw.sys
2012-05-16 22:31 . 2012-05-30 00:24 -------- d-----w- c:\program files\Microsoft Silverlight
2012-05-16 18:13 . 2012-05-23 19:42 -------- d-----w- c:\users\Josh and Lydia\AppData\Roaming\ICQ
2012-05-16 18:13 . 2012-05-30 00:30 -------- d-----w- c:\program files (x86)\ICQ7M
2012-05-16 16:06 . 2012-05-18 17:20 -------- d-----w- c:\program files\Google
2012-05-16 16:05 . 2012-05-30 00:23 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2012-05-16 15:33 . 2012-03-03 06:35 1544704 ----a-w- c:\windows\system32\DWrite.dll
2012-05-16 15:33 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-05-16 15:32 . 2012-03-31 06:05 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-16 15:32 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-16 15:32 . 2012-03-31 03:10 3146240 ----a-w- c:\windows\system32\win32k.sys
2012-05-16 15:32 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-16 15:32 . 2012-03-17 07:58 75120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-15 18:34 . 2012-03-30 11:35 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-15 18:34 . 2012-03-31 05:42 1732096 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2012-05-15 18:34 . 2012-03-31 05:40 1367552 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-15 18:34 . 2012-03-31 04:29 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-15 18:34 . 2010-11-20 13:24 2164224 ----a-w- c:\program files\Windows Journal\Journal.exe
2012-05-15 18:34 . 2012-03-31 05:40 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2012-05-15 18:34 . 2012-03-31 05:40 1393664 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2012-05-15 18:30 . 2012-05-30 00:26 -------- d-----w- c:\users\Josh and Lydia\AppData\Roaming\SUPERAntiSpyware.com
2012-05-15 18:29 . 2012-06-01 12:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-05-15 17:42 . 2012-05-15 17:42 -------- d-----w- C:\avrescue
2012-05-15 15:47 . 2012-05-15 15:47 -------- d-----w- c:\users\Josh and Lydia\AppData\Roaming\Avira
2012-05-15 15:45 . 2012-05-15 22:01 -------- d-----w- c:\program files (x86)\Ask.com
2012-05-15 15:44 . 2012-05-15 15:45 -------- d-----w- c:\programdata\Avira
2012-05-15 15:44 . 2012-05-15 15:44 -------- d-----w- c:\program files (x86)\Avira
2012-05-10 11:30 . 2012-05-30 00:23 -------- d-----w- c:\program files (x86)\Hewlett-Packard
2012-05-10 11:28 . 2012-05-30 00:26 -------- d-----w- c:\windows\Hewlett-Packard
2012-05-08 16:55 . 2012-05-15 21:55 -------- d-----w- c:\users\Josh and Lydia\AppData\Roaming\Malwarebytes
2012-05-08 16:55 . 2012-06-01 13:28 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-05-08 16:55 . 2012-05-30 00:24 -------- d-----w- c:\programdata\Malwarebytes
2012-05-08 16:55 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-08 01:01 . 2012-05-17 18:17 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-05-05 00:42 . 2012-05-05 00:42 -------- d-----w- c:\program files (x86)\7-Zip
2012-05-04 13:06 . 2012-05-04 13:06 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-05-04 13:06 . 2012-05-30 00:27 -------- d-----w- c:\windows\system32\Macromed
2012-05-03 23:33 . 2012-05-03 23:33 -------- d-----w- c:\users\Josh and Lydia\AppData\Roaming\Photobook Designer
2012-05-03 23:06 . 2012-05-30 00:24 -------- d-----w- c:\program files (x86)\Photobook Designer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-02 12:56 . 2010-04-03 18:08 45056 ----a-w- c:\windows\system32\acovcnt.exe
2012-05-23 23:36 . 2010-04-16 12:34 472864 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-05-18 01:16 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2012-05-18 01:16 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2012-05-04 13:06 . 2011-07-10 14:20 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2009-04-08 18:31 . 2009-04-08 18:31 106496 ----a-w- c:\program files (x86)\Common Files\CPInstallAction.dll
2008-08-12 05:45 . 2008-08-12 05:45 155648 ----a-w- c:\program files (x86)\Common Files\MSIactionall.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-06-01_00.53.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-30 19:29 . 2012-06-02 12:41 58732 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-06-02 12:58 43204 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-04-01 17:46 . 2012-06-02 12:58 25074 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2593247150-68266997-1352798338-1001_UserData.bin
+ 2010-04-01 19:40 . 2012-06-02 13:00 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-04-01 19:40 . 2012-06-01 00:54 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:46 . 2012-06-01 12:53 91888 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2010-04-01 19:40 . 2012-06-02 13:00 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-04-01 19:40 . 2012-06-01 00:54 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-04-01 19:40 . 2012-06-01 00:54 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-04-01 19:40 . 2012-06-02 13:00 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-04-01 17:42 . 2012-06-02 12:41 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-04-01 17:42 . 2012-06-01 00:55 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-04-01 17:42 . 2012-06-02 12:41 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-04-01 17:42 . 2012-06-01 00:55 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-04-03 02:10 . 2012-06-01 13:17 9426 c:\windows\system32\wdi\ERCQueuedResolutions.dat
- 2012-06-01 00:51 . 2012-06-01 00:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-06-02 12:56 . 2012-06-02 12:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-06-01 00:51 . 2012-06-01 00:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-06-02 12:56 . 2012-06-02 12:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 04:54 . 2012-06-02 12:56 294912 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-06-01 00:51 294912 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-04-01 21:53 . 2012-06-01 03:08 377792 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-07-14 02:36 . 2012-06-01 00:25 627316 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-06-01 15:07 627316 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-06-01 15:07 107600 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-06-01 00:25 107600 c:\windows\system32\perfc009.dat
+ 2010-04-02 00:05 . 2012-02-23 14:18 279656 c:\windows\system32\MpSigStub.exe
- 2010-04-02 00:05 . 2012-01-31 12:44 279656 c:\windows\system32\MpSigStub.exe
+ 2009-07-14 05:01 . 2012-06-02 12:55 396268 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-06-01 00:50 396268 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 04:54 . 2012-06-01 00:51 3112960 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-06-02 12:56 3112960 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:45 . 2012-06-01 00:58 7112398 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 04:45 . 2012-06-01 00:56 7112398 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-07-14 04:54 . 2012-06-02 12:56 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-06-01 00:51 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-02 01:08 143360 ----a-w- c:\program files (x86)\ASUS\ASUS Data Security Manager\ShlExt\x86\OverlayIconShlExt1.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Josh and Lydia\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Josh and Lydia\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Josh and Lydia\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"HP Officejet Pro 8600 (NET)"="c:\program files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" [2011-09-09 2676584]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-06-01 4786048]
"ICQ"="c:\program files (x86)\ICQ7M\ICQ.exe" [2012-05-16 127040]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-07-13 498160]
"ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2009-10-27 6998656]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2009-08-20 170624]
"HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2009-09-17 2245120]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Monitor"="c:\program files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-07-28 554328]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"Reader Library Launcher"="c:\program files (x86)\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe" [2010-07-13 906648]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"PMBVolumeWatcher"="c:\program files (x86)\Sony\PMB\PMBVolumeWatcher.exe" [2011-03-15 650080]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"MobileBroadband"="c:\program files (x86)\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe" [2010-09-08 272384]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
c:\users\Josh and Lydia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Josh and Lydia\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
FancyStart daemon.lnk - c:\windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_C4A2FC3E3722966204FDD8.exe [2010-1-30 12862]
SRS Premium Sound.lnk - c:\windows\Installer\{E5CF6B9C-3ABE-43C9-9413-AD5FFC98F049}\NewShortcut5_21C7B668029A47458B27645FE6E4A715.exe [2010-1-30 156952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-08 135664]
R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS [x]
R3 BrSerIb;Brother MFC Serial Interface Driver(WDM);c:\windows\system32\DRIVERS\BrSerIb.sys [x]
R3 BrUsbSIb;Brother MFC Serial USB Driver(WDM);c:\windows\system32\DRIVERS\BrUsbSIb.sys [x]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-08 135664]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [x]
R3 massfilter;MBB Mass Storage Filter Driver;c:\windows\system32\DRIVERS\massfilter.sys [x]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
R3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\DRIVERS\ZTEusbvoice.sys [x]
R3 ZTEusbwwan;ZTE MBN Miniport;c:\windows\system32\DRIVERS\ZTEusbwwan.sys [x]
S0 lullaby;lullaby;c:\windows\system32\DRIVERS\lullaby.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [x]
S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-07-03 15416]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2010-02-02 517632]
S2 VmbService;Vodafone Mobile Broadband Service;c:\program files (x86)\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe [2010-09-08 8704]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [x]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [x]
S3 vodafone_K3805-z_dc_enum;vodafone_K3805-z_dc_enum;c:\windows\system32\DRIVERS\vodafone_K3805-z_dc_enum.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
2010-11-20 12:17 302592 ----a-w- c:\windows\System32\cmd.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-08 13:13]
.
2012-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-08 13:13]
.
2012-05-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2593247150-68266997-1352798338-1001Core.job
- c:\users\Josh and Lydia\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-20 15:54]
.
2012-06-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2593247150-68266997-1352798338-1001UA.job
- c:\users\Josh and Lydia\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-20 15:54]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 135408 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-02 00:52 159744 ----a-w- c:\program files (x86)\ASUS\ASUS Data Security Manager\ShlExt\x64\OverlayIconShlExt1_64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Josh and Lydia\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Josh and Lydia\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Josh and Lydia\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Josh and Lydia\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-09-30 621440]
"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2009-09-01 323584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 415256]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qcmerced
passthru
cpqvcagent
s217bus
dcstor32
superproserver
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {{781B39EC-2E18-41FC-9B00-B84E4FFCA85F} - c:\program files (x86)\ICQ7M\ICQ.exe
TCP: DhcpNameServer = 10.0.1.1
TCP: Interfaces\{80C9912D-A3B9-4796-97A8-30241B99A5F4}: NameServer = 196.207.36.251 196.207.36.254
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
AddRemove-ESET Online Scanner - c:\program files (x86)\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe
c:\program files (x86)\ASUS\SmartLogon\sensorsrv.exe
c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
c:\program files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files (x86)\Common Files\Motive\McciCMService.exe
c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe
c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe
c:\program files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe
c:\windows\AsScrPro.exe
.
**************************************************************************
.
Completion time: 2012-06-02 09:05:57 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-02 13:05
ComboFix2.txt 2012-06-01 13:14
ComboFix3.txt 2012-06-01 01:01
.
Pre-Run: 165,824,118,784 bytes free
Post-Run: 165,628,755,968 bytes free
.
- - End Of File - - 3C6DB3BC48E78092CF7706C20BB41DB8

#17 JSntgRvr

Group: Global Moderator
Posts: 9,530
Joined: 30-November 05

Posted 02 June 2012 - 10:43 AM

Which removal tools are you referring to?

One of the fixes didn't go thru.

Download the enclosed file:

CFScript.txt (75bytes)
Number of downloads: 27

Save it next to Combofix overwriting the previous one.

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

#18 wtibard

Group: Member
Posts: 13
Joined: 28-May 12

Posted 02 June 2012 - 04:54 PM

the removal tools that are still on the computer are Superantispyware, malwarebytes and Avast. Avast is the only one that seems to recognize the trojan that is creating the issue and is also the one that originally made the start up unstable after it tried to remove the trojan.

here is the combofix log:
ComboFix 12-06-01.01 - Josh and Lydia 06/02/2012 18:27:05.4.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4061.2526 [GMT -4:00]
Running from: c:\users\Josh and Lydia\Desktop\ComboFix.exe
Command switches used :: c:\users\Josh and Lydia\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-05-02 to 2012-06-02 )))))))))))))))))))))))))))))))
.
.
2012-06-02 22:38 . 2012-06-02 22:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-02 22:38 . 2012-06-02 22:38 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-06-01 13:40 . 2012-06-01 13:40 -------- d-----w- c:\program files (x86)\ESET
2012-05-31 05:37 . 2012-05-31 05:39 -------- d-----w- C:\FRST
2012-05-29 17:37 . 2012-05-29 17:37 -------- d-----w- C:\_OTL
2012-05-28 22:09 . 2012-05-29 21:56 -------- d-----w- c:\program files (x86)\ERUNT
2012-05-28 21:34 . 2012-05-28 21:34 -------- d-----w- c:\program files\Enigma Software Group
2012-05-28 21:19 . 2012-05-28 21:19 -------- d-----w- c:\users\Josh and Lydia\AppData\Roaming\SpeedyPC Software
2012-05-28 21:19 . 2012-05-28 21:19 -------- d-----w- c:\users\Josh and Lydia\AppData\Roaming\DriverCure
2012-05-28 21:19 . 2012-05-28 22:29 -------- d-----w- c:\programdata\SpeedyPC Software
2012-05-24 00:14 . 2012-03-06 23:01 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-05-24 00:14 . 2012-03-06 23:04 337240 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-05-24 00:14 . 2012-03-06 23:02 53080 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-05-24 00:14 . 2012-03-06 23:01 59224 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-05-24 00:14 . 2012-03-06 23:04 819032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-05-24 00:14 . 2012-03-06 23:15 258520 ----a-w- c:\windows\system32\aswBoot.exe
2012-05-24 00:14 . 2012-03-06 23:01 69976 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-05-24 00:13 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
2012-05-24 00:13 . 2012-03-06 23:15 201352 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-05-24 00:13 . 2012-05-30 00:24 -------- d-----w- c:\programdata\AVAST Software
2012-05-24 00:13 . 2012-05-30 00:24 -------- d-----w- c:\program files\AVAST Software
2012-05-23 23:36 . 2012-05-30 00:23 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-05-23 23:36 . 2012-05-23 23:36 476960 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-05-23 19:43 . 2012-05-28 23:55 -------- d-----w- c:\users\Josh and Lydia\AppData\Roaming\AVG2012
2012-05-23 19:41 . 2012-05-28 23:55 -------- d-----w- c:\program files (x86)\AVG Secure Search
2012-05-23 01:14 . 2012-05-23 01:14 -------- d-----w- c:\users\Josh and Lydia\AppData\Local\AVG Secure Search
2012-05-23 01:14 . 2012-05-25 20:20 -------- d-----w- c:\programdata\AVG Secure Search
2012-05-23 01:14 . 2012-05-28 23:55 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search
2012-05-23 01:14 . 2012-05-23 01:14 -------- d--h--w- c:\programdata\Common Files
2012-05-23 01:13 . 2012-05-28 23:55 -------- d-----w- c:\programdata\AVG2012
2012-05-23 01:13 . 2012-05-23 01:13 -------- d-----w- C:\$AVG
2012-05-23 01:12 . 2012-05-25 20:18 -------- d-----w- c:\program files (x86)\AVG
2012-05-23 01:07 . 2012-05-30 00:30 -------- d-----w- c:\programdata\MFAData
2012-05-18 13:15 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-05-18 13:15 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-05-18 01:02 . 2012-05-30 00:27 -------- d-----w- c:\windows\system32\SPReview
2012-05-18 00:36 . 2012-05-18 01:01 -------- d-----w- C:\1eabf5ff9f15662cf7967fd7f8ec1c
2012-05-17 18:15 . 2012-05-17 18:15 50000 ----a-w- c:\windows\system32\drivers\jepphzzw.sys
2012-05-16 22:31 . 2012-05-30 00:24 -------- d-----w- c:\program files\Microsoft Silverlight
2012-05-16 18:13 . 2012-05-23 19:42 -------- d-----w- c:\users\Josh and Lydia\AppData\Roaming\ICQ
2012-05-16 18:13 . 2012-05-30 00:30 -------- d-----w- c:\program files (x86)\ICQ7M
2012-05-16 16:06 . 2012-05-18 17:20 -------- d-----w- c:\program files\Google
2012-05-16 16:05 . 2012-05-30 00:23 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2012-05-16 15:33 . 2012-03-03 06:35 1544704 ----a-w- c:\windows\system32\DWrite.dll
2012-05-16 15:33 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-05-16 15:32 . 2012-03-31 06:05 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-16 15:32 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-16 15:32 . 2012-03-31 03:10 3146240 ----a-w- c:\windows\system32\win32k.sys
2012-05-16 15:32 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-16 15:32 . 2012-03-17 07:58 75120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-15 18:34 . 2012-03-30 11:35 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-15 18:34 . 2012-03-31 05:42 1732096 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2012-05-15 18:34 . 2012-03-31 05:40 1367552 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-15 18:34 . 2012-03-31 04:29 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-15 18:34 . 2010-11-20 13:24 2164224 ----a-w- c:\program files\Windows Journal\Journal.exe
2012-05-15 18:34 . 2012-03-31 05:40 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2012-05-15 18:34 . 2012-03-31 05:40 1393664 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2012-05-15 18:30 . 2012-05-30 00:26 -------- d-----w- c:\users\Josh and Lydia\AppData\Roaming\SUPERAntiSpyware.com
2012-05-15 18:29 . 2012-06-01 12:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-05-15 17:42 . 2012-05-15 17:42 -------- d-----w- C:\avrescue
2012-05-15 15:47 . 2012-05-15 15:47 -------- d-----w- c:\users\Josh and Lydia\AppData\Roaming\Avira
2012-05-15 15:45 . 2012-05-15 22:01 -------- d-----w- c:\program files (x86)\Ask.com
2012-05-15 15:44 . 2012-05-15 15:45 -------- d-----w- c:\programdata\Avira
2012-05-15 15:44 . 2012-05-15 15:44 -------- d-----w- c:\program files (x86)\Avira
2012-05-10 11:30 . 2012-05-30 00:23 -------- d-----w- c:\program files (x86)\Hewlett-Packard
2012-05-10 11:28 . 2012-05-30 00:26 -------- d-----w- c:\windows\Hewlett-Packard
2012-05-08 16:55 . 2012-05-15 21:55 -------- d-----w- c:\users\Josh and Lydia\AppData\Roaming\Malwarebytes
2012-05-08 16:55 . 2012-06-01 13:28 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-05-08 16:55 . 2012-05-30 00:24 -------- d-----w- c:\programdata\Malwarebytes
2012-05-08 16:55 . 2012-04-04 19:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-08 01:01 . 2012-05-17 18:17 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-05-05 00:42 . 2012-05-05 00:42 -------- d-----w- c:\program files (x86)\7-Zip
2012-05-04 13:06 . 2012-05-04 13:06 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-05-04 13:06 . 2012-05-30 00:27 -------- d-----w- c:\windows\system32\Macromed
2012-05-03 23:33 . 2012-05-03 23:33 -------- d-----w- c:\users\Josh and Lydia\AppData\Roaming\Photobook Designer
2012-05-03 23:06 . 2012-05-30 00:24 -------- d-----w- c:\program files (x86)\Photobook Designer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-02 22:39 . 2010-04-03 18:08 45056 ----a-w- c:\windows\system32\acovcnt.exe
2012-05-23 23:36 . 2010-04-16 12:34 472864 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-05-18 01:16 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2012-05-18 01:16 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2012-05-08 17:02 . 2012-06-02 00:50 8955792 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{573069BE-795A-4581-8794-EDB98B5AAE6B}\mpengine.dll
2012-05-04 13:06 . 2011-07-10 14:20 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2009-04-08 18:31 . 2009-04-08 18:31 106496 ----a-w- c:\program files (x86)\Common Files\CPInstallAction.dll
2008-08-12 05:45 . 2008-08-12 05:45 155648 ----a-w- c:\program files (x86)\Common Files\MSIactionall.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-06-01_00.53.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-30 19:29 . 2012-06-02 12:41 58732 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-06-02 22:41 43316 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-04-01 17:46 . 2012-06-02 22:41 25130 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2593247150-68266997-1352798338-1001_UserData.bin
+ 2010-04-01 19:40 . 2012-06-02 22:42 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-04-01 19:40 . 2012-06-01 00:54 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:46 . 2012-06-01 12:53 91888 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2010-04-01 19:40 . 2012-06-02 22:42 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-04-01 19:40 . 2012-06-01 00:54 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-04-01 19:40 . 2012-06-01 00:54 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-04-01 19:40 . 2012-06-02 22:42 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-04-01 17:42 . 2012-06-02 22:22 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-04-01 17:42 . 2012-06-01 00:55 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-04-01 17:42 . 2012-06-02 22:22 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-04-01 17:42 . 2012-06-01 00:55 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-04-03 02:10 . 2012-06-01 13:17 9426 c:\windows\system32\wdi\ERCQueuedResolutions.dat
- 2012-06-01 00:51 . 2012-06-01 00:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-06-02 22:39 . 2012-06-02 22:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-06-01 00:51 . 2012-06-01 00:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-06-02 22:39 . 2012-06-02 22:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 04:54 . 2012-06-02 22:40 294912 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-06-01 00:51 294912 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-04-01 21:53 . 2012-06-01 03:08 377792 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-07-14 02:36 . 2012-06-01 00:25 627316 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-06-01 15:07 627316 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-06-01 15:07 107600 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-06-01 00:25 107600 c:\windows\system32\perfc009.dat
+ 2010-04-02 00:05 . 2012-02-23 14:18 279656 c:\windows\system32\MpSigStub.exe
- 2010-04-02 00:05 . 2012-01-31 12:44 279656 c:\windows\system32\MpSigStub.exe
+ 2009-07-14 05:01 . 2012-06-02 22:38 396268 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-06-01 00:50 396268 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 04:54 . 2012-06-01 00:51 3112960 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-06-02 22:40 3112960 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:45 . 2012-06-01 00:58 7112398 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 04:45 . 2012-06-01 00:56 7112398 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-07-14 04:54 . 2012-06-02 22:40 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-06-01 00:51 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-02 01:08 143360 ----a-w- c:\program files (x86)\ASUS\ASUS Data Security Manager\ShlExt\x86\OverlayIconShlExt1.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Josh and Lydia\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Josh and Lydia\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Josh and Lydia\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"HP Officejet Pro 8600 (NET)"="c:\program files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" [2011-09-09 2676584]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-06-01 4786048]
"ICQ"="c:\program files (x86)\ICQ7M\ICQ.exe" [2012-05-16 127040]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-07-13 498160]
"ATKOSD2"="c:\program files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe" [2009-10-27 6998656]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe" [2009-08-20 170624]
"HControlUser"="c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2009-09-17 2245120]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Monitor"="c:\program files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-07-28 554328]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"Reader Library Launcher"="c:\program files (x86)\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe" [2010-07-13 906648]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"PMBVolumeWatcher"="c:\program files (x86)\Sony\PMB\PMBVolumeWatcher.exe" [2011-03-15 650080]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"MobileBroadband"="c:\program files (x86)\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe" [2010-09-08 272384]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
c:\users\Josh and Lydia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Josh and Lydia\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
FancyStart daemon.lnk - c:\windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_C4A2FC3E3722966204FDD8.exe [2010-1-30 12862]
SRS Premium Sound.lnk - c:\windows\Installer\{E5CF6B9C-3ABE-43C9-9413-AD5FFC98F049}\NewShortcut5_21C7B668029A47458B27645FE6E4A715.exe [2010-1-30 156952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-08 135664]
R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS [x]
R3 BrSerIb;Brother MFC Serial Interface Driver(WDM);c:\windows\system32\DRIVERS\BrSerIb.sys [x]
R3 BrUsbSIb;Brother MFC Serial USB Driver(WDM);c:\windows\system32\DRIVERS\BrUsbSIb.sys [x]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-08 135664]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [x]
R3 massfilter;MBB Mass Storage Filter Driver;c:\windows\system32\DRIVERS\massfilter.sys [x]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
R3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\DRIVERS\ZTEusbvoice.sys [x]
R3 ZTEusbwwan;ZTE MBN Miniport;c:\windows\system32\DRIVERS\ZTEusbwwan.sys [x]
S0 lullaby;lullaby;c:\windows\system32\DRIVERS\lullaby.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [x]
S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-07-03 15416]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2010-02-02 517632]
S2 VmbService;Vodafone Mobile Broadband Service;c:\program files (x86)\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe [2010-09-08 8704]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [x]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [x]
S3 vodafone_K3805-z_dc_enum;vodafone_K3805-z_dc_enum;c:\windows\system32\DRIVERS\vodafone_K3805-z_dc_enum.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
2010-11-20 12:17 302592 ----a-w- c:\windows\System32\cmd.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-08 13:13]
.
2012-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-08 13:13]
.
2012-05-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2593247150-68266997-1352798338-1001Core.job
- c:\users\Josh and Lydia\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-20 15:54]
.
2012-06-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2593247150-68266997-1352798338-1001UA.job
- c:\users\Josh and Lydia\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-20 15:54]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 135408 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-02 00:52 159744 ----a-w- c:\program files (x86)\ASUS\ASUS Data Security Manager\ShlExt\x64\OverlayIconShlExt1_64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Josh and Lydia\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Josh and Lydia\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Josh and Lydia\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\Josh and Lydia\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-09-30 621440]
"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2009-09-01 323584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 415256]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
qcmerced
passthru
cpqvcagent
s217bus
dcstor32
superproserver
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {{781B39EC-2E18-41FC-9B00-B84E4FFCA85F} - c:\program files (x86)\ICQ7M\ICQ.exe
TCP: DhcpNameServer = 10.0.1.1
TCP: Interfaces\{80C9912D-A3B9-4796-97A8-30241B99A5F4}: NameServer = 196.207.36.251 196.207.36.254
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files (x86)\Common Files\Motive\McciCMService.exe
c:\program files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe
c:\program files (x86)\ASUS\SmartLogon\sensorsrv.exe
c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe
c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
c:\program files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe
c:\program files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe
c:\windows\AsScrPro.exe
.
**************************************************************************
.
Completion time: 2012-06-02 18:48:24 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-02 22:48
ComboFix2.txt 2012-06-02 13:05
ComboFix3.txt 2012-06-01 13:14
ComboFix4.txt 2012-06-01 01:01
.
Pre-Run: 162,499,919,872 bytes free
Post-Run: 162,525,360,128 bytes free
.
- - End Of File - - 8BB439681AF7F23BCC7E312D8E8D020D

#19 JSntgRvr

Group: Global Moderator
Posts: 9,530
Joined: 30-November 05

Posted 02 June 2012 - 06:55 PM

Well, we will need to clear the quarantined item on the tools we have ran first, but Combofix seems unable to remove some orphans from the registry. Let me consult this with the developer, then we will do some housekeeping before running those tools.

I will post back promptly.

#20 wtibard

Group: Member
Posts: 13
Joined: 28-May 12

Posted 03 June 2012 - 06:43 AM

Okay, thank you so much for your time so far. I will keep on the look out for your next post.

#21 JSntgRvr

Group: Global Moderator
Posts: 9,530
Joined: 30-November 05

Posted 03 June 2012 - 12:44 PM

Lets try to obtain a report of the key in question.

Download the enclosed file:

Query.zip (338bytes)
Number of downloads: 16

Save and extract its contents to the desktop. Once extracted, open the folder, and click on the Query.bat file. Port the contents of the resulting report.

#22 wtibard

Group: Member
Posts: 13
Joined: 28-May 12

Posted 03 June 2012 - 03:16 PM

Here is the Query report:
Svchost Export
.
.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"RPCSS"=hex(7):52,00,70,00,63,00,45,00,70,00,74,00,4d,00,61,00,70,00,70,00,65,\
00,72,00,00,00,52,00,70,00,63,00,53,00,73,00,00,00,00,00
"defragsvc"=hex(7):64,00,65,00,66,00,72,00,61,00,67,00,73,00,76,00,63,00,00,00,\
00,00
"LocalSystemNetworkRestricted"=hex(7):55,00,78,00,53,00,6d,00,73,00,00,00,57,\
00,64,00,69,00,53,00,79,00,73,00,74,00,65,00,6d,00,48,00,6f,00,73,00,74,00,\
00,00,4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,74,00,72,00,6b,00,77,00,6b,\
00,73,00,00,00,41,00,75,00,64,00,69,00,6f,00,45,00,6e,00,64,00,70,00,6f,00,\
69,00,6e,00,74,00,42,00,75,00,69,00,6c,00,64,00,65,00,72,00,00,00,57,00,55,\
00,44,00,46,00,53,00,76,00,63,00,00,00,49,00,50,00,42,00,75,00,73,00,45,00,\
6e,00,75,00,6d,00,00,00,68,00,69,00,64,00,73,00,65,00,72,00,76,00,00,00,64,\
00,6f,00,74,00,33,00,73,00,76,00,63,00,00,00,69,00,72,00,6d,00,6f,00,6e,00,\
00,00,73,00,79,00,73,00,6d,00,61,00,69,00,6e,00,00,00,50,00,63,00,61,00,53,\
00,76,00,63,00,00,00,68,00,6f,00,6d,00,65,00,67,00,72,00,6f,00,75,00,70,00,\
6c,00,69,00,73,00,74,00,65,00,6e,00,65,00,72,00,00,00,57,00,50,00,44,00,42,\
00,75,00,73,00,45,00,6e,00,75,00,6d,00,00,00,77,00,6c,00,61,00,6e,00,73,00,\
76,00,63,00,00,00,54,00,61,00,62,00,6c,00,65,00,74,00,49,00,6e,00,70,00,75,\
00,74,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,00,00,00,00
"LocalService"=hex(7):6e,00,73,00,69,00,00,00,57,00,64,00,69,00,53,00,65,00,72,\
00,76,00,69,00,63,00,65,00,48,00,6f,00,73,00,74,00,00,00,77,00,33,00,32,00,\
74,00,69,00,6d,00,65,00,00,00,45,00,76,00,65,00,6e,00,74,00,53,00,79,00,73,\
00,74,00,65,00,6d,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,52,00,65,00,\
67,00,69,00,73,00,74,00,72,00,79,00,00,00,57,00,69,00,6e,00,48,00,74,00,74,\
00,70,00,41,00,75,00,74,00,6f,00,50,00,72,00,6f,00,78,00,79,00,53,00,76,00,\
63,00,00,00,73,00,70,00,70,00,75,00,69,00,6e,00,6f,00,74,00,69,00,66,00,79,\
00,00,00,54,00,48,00,52,00,45,00,41,00,44,00,4f,00,52,00,44,00,45,00,52,00,\
00,00,6e,00,65,00,74,00,70,00,72,00,6f,00,66,00,6d,00,00,00,6c,00,6c,00,74,\
00,64,00,73,00,76,00,63,00,00,00,66,00,64,00,70,00,68,00,6f,00,73,00,74,00,\
00,00,53,00,73,00,74,00,70,00,53,00,76,00,63,00,00,00,57,00,65,00,62,00,43,\
00,6c,00,69,00,65,00,6e,00,74,00,00,00,00,00
"netsvcs"=hex(7):41,00,65,00,4c,00,6f,00,6f,00,6b,00,75,00,70,00,53,00,76,00,\
63,00,00,00,43,00,65,00,72,00,74,00,50,00,72,00,6f,00,70,00,53,00,76,00,63,\
00,00,00,53,00,43,00,50,00,6f,00,6c,00,69,00,63,00,79,00,53,00,76,00,63,00,\
00,00,6c,00,61,00,6e,00,6d,00,61,00,6e,00,73,00,65,00,72,00,76,00,65,00,72,\
00,00,00,67,00,70,00,73,00,76,00,63,00,00,00,49,00,4b,00,45,00,45,00,58,00,\
54,00,00,00,41,00,75,00,64,00,69,00,6f,00,53,00,72,00,76,00,00,00,46,00,61,\
00,73,00,74,00,55,00,73,00,65,00,72,00,53,00,77,00,69,00,74,00,63,00,68,00,\
69,00,6e,00,67,00,43,00,6f,00,6d,00,70,00,61,00,74,00,69,00,62,00,69,00,6c,\
00,69,00,74,00,79,00,00,00,49,00,61,00,73,00,00,00,49,00,72,00,6d,00,6f,00,\
6e,00,00,00,4e,00,6c,00,61,00,00,00,4e,00,74,00,6d,00,73,00,73,00,76,00,63,\
00,00,00,4e,00,57,00,43,00,57,00,6f,00,72,00,6b,00,73,00,74,00,61,00,74,00,\
69,00,6f,00,6e,00,00,00,4e,00,77,00,73,00,61,00,70,00,61,00,67,00,65,00,6e,\
00,74,00,00,00,52,00,61,00,73,00,61,00,75,00,74,00,6f,00,00,00,52,00,61,00,\
73,00,6d,00,61,00,6e,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,61,00,63,\
00,63,00,65,00,73,00,73,00,00,00,53,00,45,00,4e,00,53,00,00,00,53,00,68,00,\
61,00,72,00,65,00,64,00,61,00,63,00,63,00,65,00,73,00,73,00,00,00,53,00,52,\
00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,00,00,54,00,61,00,70,00,69,00,\
73,00,72,00,76,00,00,00,57,00,6d,00,69,00,00,00,57,00,6d,00,64,00,6d,00,50,\
00,6d,00,53,00,70,00,00,00,71,00,63,00,6d,00,65,00,72,00,63,00,65,00,64,00,\
00,00,70,00,61,00,73,00,73,00,74,00,68,00,72,00,75,00,00,00,63,00,70,00,71,\
00,76,00,63,00,61,00,67,00,65,00,6e,00,74,00,00,00,73,00,32,00,31,00,37,00,\
62,00,75,00,73,00,00,00,64,00,63,00,73,00,74,00,6f,00,72,00,33,00,32,00,00,\
00,73,00,75,00,70,00,65,00,72,00,70,00,72,00,6f,00,73,00,65,00,72,00,76,00,\
65,00,72,00,00,00,54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,\
00,65,00,00,00,77,00,75,00,61,00,75,00,73,00,65,00,72,00,76,00,00,00,42,00,\
49,00,54,00,53,00,00,00,53,00,68,00,65,00,6c,00,6c,00,48,00,57,00,44,00,65,\
00,74,00,65,00,63,00,74,00,69,00,6f,00,6e,00,00,00,4c,00,6f,00,67,00,6f,00,\
6e,00,48,00,6f,00,75,00,72,00,73,00,00,00,50,00,43,00,41,00,75,00,64,00,69,\
00,74,00,00,00,68,00,65,00,6c,00,70,00,73,00,76,00,63,00,00,00,75,00,70,00,\
6c,00,6f,00,61,00,64,00,6d,00,67,00,72,00,00,00,69,00,70,00,68,00,6c,00,70,\
00,73,00,76,00,63,00,00,00,73,00,65,00,63,00,6c,00,6f,00,67,00,6f,00,6e,00,\
00,00,41,00,70,00,70,00,49,00,6e,00,66,00,6f,00,00,00,6d,00,73,00,69,00,73,\
00,63,00,73,00,69,00,00,00,4d,00,4d,00,43,00,53,00,53,00,00,00,77,00,69,00,\
6e,00,6d,00,67,00,6d,00,74,00,00,00,53,00,65,00,73,00,73,00,69,00,6f,00,6e,\
00,45,00,6e,00,76,00,00,00,62,00,72,00,6f,00,77,00,73,00,65,00,72,00,00,00,\
45,00,61,00,70,00,48,00,6f,00,73,00,74,00,00,00,73,00,63,00,68,00,65,00,64,\
00,75,00,6c,00,65,00,00,00,68,00,6b,00,6d,00,73,00,76,00,63,00,00,00,77,00,\
65,00,72,00,63,00,70,00,6c,00,73,00,75,00,70,00,70,00,6f,00,72,00,74,00,00,\
00,50,00,72,00,6f,00,66,00,53,00,76,00,63,00,00,00,54,00,68,00,65,00,6d,00,\
65,00,73,00,00,00,42,00,44,00,45,00,53,00,56,00,43,00,00,00,00,00
"WerSvcGroup"=hex(7):77,00,65,00,72,00,73,00,76,00,63,00,00,00,00,00
"LocalServiceNoNetwork"=hex(7):44,00,50,00,53,00,00,00,50,00,4c,00,41,00,00,00,\
42,00,46,00,45,00,00,00,6d,00,70,00,73,00,73,00,76,00,63,00,00,00,57,00,77,\
00,61,00,6e,00,53,00,76,00,63,00,00,00,00,00
"termsvcs"=hex(7):54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,\
65,00,00,00,00,00
"swprv"=hex(7):73,00,77,00,70,00,72,00,76,00,00,00,00,00
"LocalServiceNetworkRestricted"=hex(7):44,00,48,00,43,00,50,00,00,00,65,00,76,\
00,65,00,6e,00,74,00,6c,00,6f,00,67,00,00,00,41,00,75,00,64,00,69,00,6f,00,\
53,00,72,00,76,00,00,00,42,00,74,00,68,00,48,00,46,00,53,00,72,00,76,00,00,\
00,4c,00,6d,00,48,00,6f,00,73,00,74,00,73,00,00,00,77,00,73,00,63,00,73,00,\
76,00,63,00,00,00,68,00,6f,00,6d,00,65,00,67,00,72,00,6f,00,75,00,70,00,70,\
00,72,00,6f,00,76,00,69,00,64,00,65,00,72,00,00,00,57,00,50,00,43,00,53,00,\
76,00,63,00,00,00,00,00
"LocalServicePeerNet"=hex(7):50,00,4e,00,52,00,50,00,53,00,76,00,63,00,00,00,\
70,00,32,00,70,00,69,00,6d,00,73,00,76,00,63,00,00,00,70,00,32,00,70,00,73,\
00,76,00,63,00,00,00,50,00,6e,00,72,00,70,00,41,00,75,00,74,00,6f,00,52,00,\
65,00,67,00,00,00,00,00
"NetworkServiceAndNoImpersonation"=hex(7):4b,00,74,00,6d,00,52,00,6d,00,00,00,\
00,00
"regsvc"=hex(7):52,00,65,00,6d,00,6f,00,74,00,65,00,52,00,65,00,67,00,69,00,73,\
00,74,00,72,00,79,00,00,00,00,00
"LocalServiceAndNoImpersonation"=hex(7):53,00,53,00,44,00,50,00,53,00,52,00,56,\
00,00,00,75,00,70,00,6e,00,70,00,68,00,6f,00,73,00,74,00,00,00,53,00,43,00,\
61,00,72,00,64,00,53,00,76,00,72,00,00,00,54,00,42,00,53,00,00,00,66,00,64,\
00,72,00,65,00,73,00,70,00,75,00,62,00,00,00,46,00,6f,00,6e,00,74,00,43,00,\
61,00,63,00,68,00,65,00,00,00,41,00,70,00,70,00,49,00,44,00,53,00,76,00,63,\
00,00,00,51,00,57,00,41,00,56,00,45,00,00,00,77,00,63,00,6e,00,63,00,73,00,\
76,00,63,00,00,00,4d,00,63,00,78,00,32,00,53,00,76,00,63,00,00,00,53,00,65,\
00,6e,00,73,00,72,00,53,00,76,00,63,00,00,00,00,00
"DcomLaunch"=hex(7):50,00,6f,00,77,00,65,00,72,00,00,00,50,00,6c,00,75,00,67,\
00,50,00,6c,00,61,00,79,00,00,00,44,00,63,00,6f,00,6d,00,4c,00,61,00,75,00,\
6e,00,63,00,68,00,00,00,00,00
"NetworkServiceNetworkRestricted"=hex(7):50,00,6f,00,6c,00,69,00,63,00,79,00,\
41,00,67,00,65,00,6e,00,74,00,00,00,00,00
"NetworkService"=hex(7):43,00,72,00,79,00,70,00,74,00,53,00,76,00,63,00,00,00,\
44,00,48,00,43,00,50,00,00,00,54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,\
00,69,00,63,00,65,00,00,00,44,00,4e,00,53,00,43,00,61,00,63,00,68,00,65,00,\
00,00,6c,00,61,00,6e,00,6d,00,61,00,6e,00,77,00,6f,00,72,00,6b,00,73,00,74,\
00,61,00,74,00,69,00,6f,00,6e,00,00,00,4e,00,61,00,70,00,41,00,67,00,65,00,\
6e,00,74,00,00,00,6e,00,6c,00,61,00,73,00,76,00,63,00,00,00,57,00,69,00,6e,\
00,52,00,4d,00,00,00,57,00,45,00,43,00,53,00,56,00,43,00,00,00,54,00,61,00,\
70,00,69,00,73,00,72,00,76,00,00,00,00,00
"sdrsvc"=hex(7):73,00,64,00,72,00,73,00,76,00,63,00,00,00,00,00
"WbioSvcGroup"=hex(7):57,00,62,00,69,00,6f,00,53,00,72,00,76,00,63,00,00,00,00,\
00
"imgsvc"=hex(7):53,00,74,00,69,00,53,00,76,00,63,00,00,00,00,00
"wcssvc"=hex(7):57,00,63,00,73,00,50,00,6c,00,75,00,67,00,49,00,6e,00,53,00,65,\
00,72,00,76,00,69,00,63,00,65,00,00,00,00,00
"AxInstSVGroup"=hex(7):41,00,78,00,49,00,6e,00,73,00,74,00,53,00,56,00,00,00,\
00,00
"secsvcs"=hex(7):57,00,69,00,6e,00,44,00,65,00,66,00,65,00,6e,00,64,00,00,00,\
00,00
"bthsvcs"=hex(7):62,00,74,00,68,00,73,00,65,00,72,00,76,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\AxInstSVGroup]
"ImpersonationLevel"=dword:00000003
"CoInitializeSecurityParam"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\defragsvc]
"CoInitializeSecurityParam"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\LocalService]
"AuthenticationCapabilities"=dword:00002000
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\LocalServiceAndNoImpersonation]
"AuthenticationCapabilities"=dword:00002000
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\LocalServiceNetworkRestricted]
"DefaultRpcStackSize"=dword:00000040
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\LocalServiceNoNetwork]
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\LocalSystemNetworkRestricted]
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs]
"AuthenticationCapabilities"=dword:00003020
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService]
"CoInitializeSecurityParam"=dword:00000001
"DefaultRpcStackSize"=dword:0000001c

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkServiceRemoteDesktopHyperVAgent]
"CoInitializeSecurityParam"=dword:00000001
"AuthenticationCapabilities"=dword:00002000
"AuthenticationLevel"=dword:00000006

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkServiceRemoteDesktopPublishing]
"CoInitializeSecurityParam"=dword:00000001
"AuthenticationCapabilities"=dword:00002000
"AuthenticationLevel"=dword:00000006

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\SDRSVC]
"CoInitializeSecurityParam"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\swprv]
"CoInitializeSecurityParam"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\termsvcs]
"CoInitializeSecurityParam"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\wcssvc]
"CoInitializeSecurityParam"=dword:00000001
"CoInitializeSecurityAppID"="{CD11FAB6-1C0E-45e1-BA31-5C6008EF2607}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\wercplsupport]
"AuthenticationCapabilities"=dword:00003020
"CoInitializeSecurityParam"=dword:00000001

????.
.
Services
.
.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\!SASCORE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Data
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking 4.0.0.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET Data Provider for Oracle
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET Data Provider for SqlServer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NETFramework
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\1394ohci
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACPI
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AcpiPmi
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdobeARMservice
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\adp94xx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\adpahci
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\adpu320
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\adsi
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ADSMService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AeLookupSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFBAgent
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\agp440
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aliide
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amdide
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AmdK8
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AmdPPM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amdsata
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amdsbs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amdxata
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AmUStor
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppID
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppIDSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Appinfo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Apple Mobile Device
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\arc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\arcsas
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AsDsm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ASLDRService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ASMMAP64
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswFsBlk
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswMonFlt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswRdr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswSnx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswSP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswTdi
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AsyncMac
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\athr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ATKGFNEXSrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudioEndpointBuilder
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudioSrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast! Antivirus
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AxInstSV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\b06bdrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\b57nd60a
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BattC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BDESVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\blbdrive
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Bonjour Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bowser
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BrFiltLo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BrFiltUp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BridgeMP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BrSerIb
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Brserid
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BrSerWdm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BrUsbMdm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BrUsbSer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BrUsbSIb
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHMODEM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdfs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdrom
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertPropSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\circlass
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CLFS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clr_optimization_v2.0.50727_32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clr_optimization_v2.0.50727_64
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clr_optimization_v4.0.30319_32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clr_optimization_v4.0.30319_64
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CmBatt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdide
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CNG
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Compbatt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CompositeBus
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crcdisk
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DCLocator
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\defragsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DfsC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\discache
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dot3svc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DPS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drmkaud
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DXGKrnl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EapHost
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ebdrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EFS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ehRecvr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ehSched
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Elantech
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\elxstor
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ErrDev
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ESENT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ETD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventSystem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ewusbnet
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ew_hwusbdev
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exfat
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fastfat
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fdc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fdPHost
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FDResPub
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FileInfo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Filetrace
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\flpydisk
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FltMgr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FlyUsb
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FontCache
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FontCache3.0.0.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FsDepends
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fssfltr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fsssvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fs_Rec
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fvevol
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gagp30kx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GEARAspiWDM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gpsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\grmnusb
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gupdate
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gupdatem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hcw85cir
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HdAudAddService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HDAudBus
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidBatt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidBth
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidIr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hidserv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidUsb
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hkmsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HpSAMD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\huawei_enumerator
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\huawei_update
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hwcdcmdm0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hwdatacard
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hwpolicy
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hwusbapp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hwusbdev
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hwusbser
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ialm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iaStor
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iaStorV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\igfx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iirsp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IKEEXT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\inetaccs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\intelide
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\intelppm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPBusEnum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpFilterDriver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iphlpsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPMIDRV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNAT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iPod Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRENUM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\isapnp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iScsiPrt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdclass
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbfiltr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KeyIso
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KSecDD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KSecPkg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ksthunk
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KtmRm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\L1E
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ldap
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LeapFrog Connect Device Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdio
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lmhosts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LSI_FC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LSI_SAS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LSI_SAS2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LSI_SCSI
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\luafv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lullaby
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\massfilter
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McciCMService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McciCMService64
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mcx2Svc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\megasas
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MegaSR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Office Groove Audit Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MMCSS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Modem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\monitor
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouclass
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouhid
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mountmgr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpio
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpsdrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MREMP50
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MREMP50a64
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MREMPR5
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRENDIS5
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRESP50
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRESP50a64
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxDAV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb20
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msahci
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdsm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDTC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDTC Bridge 3.0.0.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDTC Bridge 4.0.0.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Msfs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mshidkmdf
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msisadrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msiserver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSKSSRV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSPCLOCK
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSPQM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsRPC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSCNTRS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mssmbios
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTEE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MTConfig
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MTsensor
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NativeWifiP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisCap
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisTapi
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisuio
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisWan
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDProxy
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBIOS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netman
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netprofm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetTcpPortSharing
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nfrd960
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Npfs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nsi
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nsiproxy
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ntfs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Null
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvraid
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvstor
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nv_agp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\odserv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ohci1394
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ose
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Outlook
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Parport
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\partmgr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PcaSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pci
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pciide
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pcmcia
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pcw
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PEAUTH
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PerfDisk
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PerfHost
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PerfNet
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PerfOS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PerfProc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pla
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlugPlay
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Power
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PptpMiniport
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Processor
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProfSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProtectedStorage
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Psched
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PxHlpa64
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ql2300
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ql40xx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\QWAVE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\QWAVEdrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAcd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAgileVpn
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rasl2tp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasPppoe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasSstp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdbss
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdpbus
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPCDD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPDD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPENCDD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPNP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPREFMP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPWD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdyboost
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcEptMapper
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rspndr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SamSs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASDIFSV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASKUTIL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sbp2port
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\scfilter
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCPolicySvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SDRSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\secdrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SensrSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Serenum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Serial
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sermouse
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceModelEndpoint 3.0.0.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceModelOperation 3.0.0.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceModelService 3.0.0.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sffdisk
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sffp_mmc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sffp_sd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sfloppy
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ShellHWDetection
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SiSGbeLH
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SiSRaid2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SiSRaid4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Smb
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMSvcHost 3.0.0.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMSvcHost 4.0.0.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMPTRAP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNP2UVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sony SCSI Helper Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spldr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sppsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sppuinotify
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srv2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvnet
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SstpSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stexstor
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StillCam
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stisvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\superproserver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swenum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swprv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysMain
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TabletInputService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TBS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6TUNNEL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpipreg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIPTUNNEL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDPIPE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDTCP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\THREADORDER
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmlwf
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmwfp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrustedInstaller
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TSDDD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tssecsrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TsUsbFlt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tunnel
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uagp35
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\udfs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UGatherer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UGTHRSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UI0Detect
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uliagpkx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\umbus
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmPass
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBAAPL64
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbccgp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbcir
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbehci
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbhub
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbohci
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbprint
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbscan
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbuhci
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbvideo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UxSms
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VaultSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdrvroot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vds
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vga
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VgaSave
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vhdmp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VIA HD Audio Codec Default
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VIAHdAudAddService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\viaide
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VmbService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vodafone_K3805-z_dc_enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\volmgr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\volmgrx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\volsnap
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsmraid
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vwifibus
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vwififlt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vwifimp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WacomPen
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WANARP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wanarpv6
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WatAdminSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wbengine
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WbioSrvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wcncsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WcsPlugInService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wdf01000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdiServiceHost
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdiSystemHost
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WfpLwf
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WimFltr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WIMMount
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Workflow Foundation 3.0.0.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winmgmt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinUsb
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wlansvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wlidsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiAcpi
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApRpl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wmiApSrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPCSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPDBusEnum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ws2ifsl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSDPrintDevice
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSearch
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSearchIdxPi
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WudfPf
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WUDFRd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wudfsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WwanSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ZTEusbmdm6k
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ZTEusbnmea
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ZTEusbser6k
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ZTEusbvoice
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ZTEusbwwan
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{11137D73-7A11-4CE4-8CBA-738C7991F129}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{80C9912D-A3B9-4796-97A8-30241B99A5F4}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{A42A0B7A-AEBA-43EE-8393-A2D9B7E8EE57}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{C4FF99CE-6B0F-4E75-AB37-397441F5785D}

#23 JSntgRvr

Group: Global Moderator
Posts: 9,530
Joined: 30-November 05

Posted 03 June 2012 - 07:17 PM

Except for superproserver, which seems to be part of a network monitoring program, the rest are orphans. I see no need to remove these at this time.

Lets do some housekeeping.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix.

Rename Combofix to Uninstall and click on it. That should remove the application.

Run OTL.exe and click on the Cleanup button. Follow the prompts

Remove the C:\FRST folder.

Manually remove any tool left that I asked you to download, except for Malwarebytes Antimalware. That one is a good program to keep.

Clear your Recycle Bin.

Once done, run those scans you wanted to verify if the infection is gone.

Keep me posted.

#24 wtibard

Group: Member
Posts: 13
Joined: 28-May 12

Posted 04 June 2012 - 01:47 PM

The avast was able to fully remove the viruses after the other programs finished. The computer appears virus free according to the scans. Thanks so much for your time and hard work. It was such a big help and a lifesaver.

#25 JSntgRvr

Group: Global Moderator
Posts: 9,530
Joined: 30-November 05

Posted 04 June 2012 - 06:53 PM

My pleasure.

Always keep your JAVA updated. Older versions will make your computer vulnerable.
Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!

#26 JSntgRvr

Group: Global Moderator
Posts: 9,530
Joined: 30-November 05

Posted 01 July 2012 - 08:37 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Back to Computer Won't Boot - Malware Related

Share this topic:

2 Pages
←
1
2

Please log in to reply

Rootkit issue: sirefef - Geeks to Go Forums