Generic Rootkit.d!rootkit

xsited · 03-29-2009, 04:13 AM

McAfee has detected Generic Rootkit.d!rootkit and FakeAlert.AB that does not want to go away. The system randomly locks up and fails to allow certain AV scanning tools to run.

I have included DDS.txt log file and attached the Attach and a HijackThis log.

I am unable to get anything to run for GMER after disabling McAfee and from an attempt in Safe Mode as well.

Any advice would be appreciated.

Thanks.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Francesca at 2:40:40.70 on Sun 03/29/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.413 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Documents and Settings\Francesca\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: : {d0ab1348-beee-414f-ae6d-cb26cd29d66d} - c:\windows\system32\enjbmzo.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [PartSeal] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [PHIMETIPSYNC] c:\program files\common files\microsoft shared\ime\imtc65\phonetic\TINTLCFG.EXE /PHIMETIPSync
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 Plus - c:\program files\sony\image converter 2\menu.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179693235828
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Filter: text/html - {3baf5d08-9712-46e3-8a2a-0278c2d74073} -
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: pkiezaup - enjbmzo.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\france~1\applic~1\mozilla\firefox\profiles\qhxda40e.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - component: c:\documents and settings\francesca\application data\mozilla\firefox\profiles\qhxda40e.default\extensions\{62760fd6-b943-48c9-ab09-f99c6fe96088}\platform\winnt\components\EbayAccessService.dll
FF - component: c:\documents and settings\francesca\application data\mozilla\firefox\profiles\qhxda40e.default\extensions\{62760fd6-b943-48c9-ab09-f99c6fe96088}\platform\winnt\components\EbayFormSubmitObserver.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 ppqloloj;ppqloloj;c:\windows\system32\drivers\ppqloloj.sys [2006-9-1 23424]
R1 DCDisk;DCDisk;c:\windows\system32\drivers\DCDisk.sys [2009-3-28 50606]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-9 213640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-28 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-22 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-3-22 144704]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-3-22 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-22 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-22 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-22 34216]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-22 40552]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-9-1 226304]
S2 avpoqvrw;Microsoft Composite Battery Helper;c:\windows\system32\svchost.exe -k netsvcs [2006-9-1 14336]
S3 exdisk;Express Disk Service;c:\windows\system32\drivers\exdisk.sys --> c:\windows\system32\drivers\exdisk.sys [?]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]
S3 SSSPUHBIWXAIA;SSSPUHBIWXAIA;c:\docume~1\tom\locals~1\temp\SSSPUHBIWXAIA.exe [2009-3-29 371584]
S3 XN;XN;c:\docume~1\admini~1\locals~1\temp\XN.exe [2009-3-28 519040]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-5-20 1120960]

=============== Created Last 30 ================

2009-03-29 02:22 2,126 a------- c:\windows\system32\wpa.dbl
2009-03-28 16:36 <DIR> --d----- c:\program files\McAfee.com
2009-03-28 10:17 40,960 a------- c:\windows\system32\exitwx.exe
2009-03-28 10:16 50,606 a------- c:\windows\system32\drivers\DCDisk.sys
2009-03-28 08:04 <DIR> --d----- c:\program files\Trend Micro
2009-03-28 07:52 138,384 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-27 19:04 1,032,192 a------- c:\windows\system32\explorer.exe
2009-03-27 13:11 <DIR> --d----- C:\tmp
2009-03-26 09:00 <DIR> --d----- c:\program files\Panda Security
2009-03-26 08:46 <DIR> --d----- c:\windows\pss
2009-03-26 07:32 <DIR> --d----- C:\Autorun
2009-03-24 21:40 135,168 a------- c:\windows\system32\RtlCPAPI.dll
2009-03-24 21:40 40,960 a------- c:\windows\system32\ChCfg.exe
2009-03-24 21:38 2,879,488 a------- c:\windows\SkyTel.exe
2009-03-24 21:38 <DIR> --d----- c:\program files\Realtek
2009-03-24 21:38 487,424 a------- c:\windows\RtlExUpd.dll
2009-03-24 21:25 <DIR> --d----- c:\program files\Sony Pictures Games
2009-03-22 11:14 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-03-22 11:14 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-03-22 11:14 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-03-22 11:14 120,136 a------- c:\windows\system32\drivers\Mpfp.sys
2009-03-22 11:12 <DIR> --d----- c:\program files\common files\McAfee
2009-03-22 11:12 <DIR> --d----- c:\program files\McAfee
2009-03-22 11:04 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-03-22 09:32 <DIR> --d----- c:\program files\WinPcap
2009-03-22 09:17 <DIR> --dsh--- c:\windows\system32\lowsec
2009-03-19 20:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TVU Networks
2009-03-19 20:13 <DIR> --d----- c:\documents and settings\francesca\LocalLow

==================== Find3M ====================

2009-03-28 04:34 15,360 a------- c:\windows\system32\ctfmon.exe
2009-03-24 21:28 21,419 a------- c:\windows\system32\drivers\AegisP.sys
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-05 14:50 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-05 14:22 410,984 a------- c:\windows\system32\deploytk.dll
2006-05-03 02:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 03:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-03-16 05:30 216,064 ---shr-- c:\windows\system32\nbDX.dll

============= FINISH: 2:41:18.53 ===============

km2357 · 03-29-2009, 12:17 PM

Hello and welcome to Tech Support Forum.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

I will be back as soon as possible with your first instructions!

km2357 · 03-29-2009, 12:42 PM

Do you know what the following entry in your Add/Remove Programs is?

???????? 2003

It should be at the top of the list.

Try renaming Gmer.exe and try running it again. If you get a GMER log, please post it in your next reply/post.

Step # 1: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.

xsited · 03-29-2009, 05:29 PM

km,

Sometimes the most complicated things have the simplest solutions.
Ark is attached. Visibility is clearer.

The file you questioned is a Mandarin keyboard mapping driver.

Is it safe to assume that the same approach should be taken with combofix?

xsited · 03-29-2009, 06:19 PM

ComboFix results.

km2357 · 03-30-2009, 12:35 AM

Thanks for the logs.

From now on, please post any logs I ask for, do not attach them. If they don't fit into one post, use multiple posts to get them in.

Thanks.

Step # 1 Upload Files

Go to Jotti
Copy the following line into the white textbox:
c:\windows\system32\exitwx.exe
Click Submit.
Please post the results of this scan to this thread.

Repeat the above steps with the following files:

c:\windows\system32\ChCfg.exe

If Jotti is busy, Go to VirusTotal and scan the file(s) there.

Step # 2: Run CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:

KILLALL::

Driver::

SSSPUHBIWXAIA
XN
ppqloloj

File::

c:\docume~1\ADMINI~1\LOCALS~1\Temp\XN.exe
c:\docume~1\Tom\LOCALS~1\Temp\SSSPUHBIWXAIA.exe
c:\windows\system32\drivers\ppqloloj.sys

DirLook::

c:\documents and settings\NetworkService\Application Data\vgyhohub

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

Note: This CFScript is for use on xsited's computer only! Do not use it on your computer.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

In your next post/reply, I need to see the following:

1. The Jotti/Virustotal results
2. The ComboFix Log that appears after Step 2 has been completed.

xsited · 03-30-2009, 08:52 AM

Thanks for the reply. The machine is unable to perform step #1, due to the fact there are no network interfaces present. The NICs are visible. ipconfig throws an error about ACTIVEDS.dll not found.

km2357 · 03-30-2009, 01:24 PM

Quote:

Originally Posted by xsited

Thanks for the reply. The machine is unable to perform step #1, due to the fact there are no network interfaces present. The NICs are visible. ipconfig throws an error about ACTIVEDS.dll not found.

Did you post this from your computer or another computer? Are you able to go online at all from your computer?

xsited · 03-30-2009, 01:55 PM

The post is from another computer. The computer is NOT able to go online. DLLs ACTIVEDS.dll are ACLUI.dll missing but exist in a Service Pack folder. I have NOT restored them in a search path where they could be found. I did proceed to step #2 and have a ComboFix output to attach as follows.

xsited · 03-30-2009, 08:37 PM

Can not post ComboFix due to ....

Fatal error: Maximum execution time of 30 seconds exceeded in /home/tsf/public_html/includes/functions.php on line 1822

xsited · 03-30-2009, 11:30 PM

A resolution of sorts. ACTIVEDS.dll ACLUI.dll ADSLDPC.dll were missing for sure. The resolution was to use the McAfee uninstall tool and reinstall McAfee. Networking returned. Trying to clean up now.

km2357 · 03-31-2009, 12:46 AM

Nice work on getting your computer connected back to the Internet.

Try Step #1 again from Post #6 of this thread and post back the Jotti/Virustotal results.

And try posting the ComboFix Log from Step #2 again (don't attach it). If its too big for one post, use multiple posts to get it all in.

xsited · 03-31-2009, 07:15 AM

Jotti reports clear on those file.

ComboFix 09-03-29.02 - Francesca 2009-03-30 8:37:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.239 [GMT -7:00]
Running from: c:\documents and settings\Francesca\Desktop\cf.exe
Command switches used :: c:\documents and settings\Francesca\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point

FILE ::
c:\docume~1\ADMINI~1\LOCALS~1\Temp\XN.exe
c:\docume~1\Tom\LOCALS~1\Temp\SSSPUHBIWXAIA.exe
c:\windows\system32\drivers\ppqloloj.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PPQLOLOJ
-------\Legacy_VGADOWN
-------\Legacy_XN
-------\Service_ppqloloj
-------\Service_XN

((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
.

2009-03-30 08:40 . 2009-03-30 08:40 1,316 --a------ c:\windows\system32\Config.MPF
2009-03-30 07:26 . 2009-03-30 07:26 2,126 --a------ c:\windows\system32\wpa.dbl
2009-03-29 16:43 . 2009-03-29 16:43 <DIR> d-------- c:\documents and settings\NetworkService\Application

Data\SACore
2009-03-29 01:26 . 2009-03-29 01:26 <DIR> d-------- c:\documents and settings\LocalService\Application

Data\SACore
2009-03-28 16:43 . 2009-03-28 16:43 <DIR> d-------- c:\documents and settings\All Users\Application

Data\SiteAdvisor
2009-03-28 16:36 . 2009-03-28 16:36 <DIR> d-------- c:\program files\McAfee.com
2009-03-28 10:17 . 2004-05-12 10:13 40,960 --a------ c:\windows\system32\exitwx.exe
2009-03-28 10:16 . 2005-09-14 10:25 50,606 --a------ c:\windows\system32\drivers\DCDisk.sys
2009-03-28 09:25 . 2009-03-28 09:25 <DIR> d-------- c:\documents and settings\NetworkService\Application

Data\vgyhohub
2009-03-28 08:04 . 2009-03-28 08:04 <DIR> d-------- c:\program files\Trend Micro
2009-03-28 07:52 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-03-27 13:11 . 2009-03-27 13:11 <DIR> d-------- C:\tmp
2009-03-26 09:00 . 2009-03-28 16:28 <DIR> d-------- c:\program files\Panda Security
2009-03-26 07:32 . 2009-03-26 07:33 <DIR> d-------- C:\Autorun
2009-03-24 21:40 . 2005-10-31 11:17 135,168 --a------ c:\windows\system32\RtlCPAPI.dll
2009-03-24 21:40 . 2005-07-15 09:48 40,960 --a------ c:\windows\system32\ChCfg.exe
2009-03-24 21:38 . 2009-03-24 21:38 <DIR> d-------- c:\program files\Realtek
2009-03-24 21:38 . 2006-05-16 11:04 2,879,488 --a------ c:\windows\SkyTel.exe
2009-03-24 21:38 . 2005-04-16 15:20 487,424 --a------ c:\windows\RtlExUpd.dll
2009-03-24 21:25 . 2009-03-26 07:52 <DIR> d-------- c:\program files\Sony Pictures Games
2009-03-22 11:14 . 2008-10-23 13:08 120,136 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-03-22 11:14 . 2009-01-16 20:04 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-03-22 11:14 . 2009-01-16 20:04 40,552 --a------ c:\windows\system32\drivers\mfesmfk.sys
2009-03-22 11:14 . 2009-01-16 20:04 35,272 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-03-22 11:12 . 2009-03-28 16:42 <DIR> d-------- c:\program files\McAfee
2009-03-22 11:12 . 2009-03-28 16:37 <DIR> d-------- c:\program files\Common Files\McAfee
2009-03-22 11:04 . 2009-01-16 20:03 34,216 --a------ c:\windows\system32\drivers\mferkdk.sys
2009-03-22 09:35 . 2009-03-28 16:48 <DIR> d-------- c:\documents and settings\All Users\Application

Data\McAfee
2009-03-22 09:32 . 2009-03-22 09:32 <DIR> d-------- c:\program files\WinPcap
2009-03-19 20:13 . 2009-03-19 20:13 <DIR> d-------- c:\documents and settings\Francesca\LocalLow
2009-03-19 20:13 . 2009-03-19 20:13 <DIR> d-------- c:\documents and settings\All Users\Application

Data\TVU Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-30 15:47 --------- d-----w c:\documents and settings\Francesca\Application Data\Skype
2009-03-28 23:27 --------- d-----w c:\program files\Windows Live
2009-03-26 14:55 --------- d-----w c:\program files\Common Files\AOL
2009-03-26 14:55 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-25 04:38 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-25 04:28 21,419 ----a-w c:\windows\system32\drivers\AegisP.sys
2009-03-25 04:19 --------- d-----w c:\program files\Sony
2009-03-19 05:58 --------- d-----w c:\documents and settings\Francesca\Application Data\Move Networks
2009-03-15 17:32 --------- d-----w c:\documents and settings\Francesca\Application Data\DVD Flick
2009-03-11 17:34 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-29 08:24 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-03-29 08:24 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-03-29 08:24 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-03-29 08:24 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-03-29 08:24 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r c:\windows\system32\nbDX.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\NetworkService\ApplicationData\vgyhohub ----

c:\documents and settings\NetworkService\ApplicationData\vgyhohub\

------- Sigcheck -------

2006-03-15 05:00 14336 8f078ae4ed187aaabc0a305146de6716 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 17:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\ServicePackFiles\i386\svchost.exe
2004-08-03 22:56 14336 8f078ae4ed187aaabc0a305146de6716 c:\windows\system32\svchost.exe

2004-08-13 16:01 502784 ea16f83b5e4964c100f6098ce9874927 c:\windows\$NtServicePackUninstall$\winlogon.exe
2006-03-15 05:00 502272 01c3346c241652f43aed8e2149881bfe c:\windows\$NtUninstallKB307154$\winlogon.exe
2008-04-13 17:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\ServicePackFiles\i386\winlogon.exe
2004-08-03 22:56 502272 01c3346c241652f43aed8e2149881bfe c:\windows\system32\winlogon.exe

2006-03-15 05:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\$NtServicePackUninstall$\services.exe
2008-04-13 17:12 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\ServicePackFiles\i386\services.exe
2004-08-03 22:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\system32\services.exe

2006-03-15 05:00 13312 84885f9b82f4d55c6146ebf6065d75d2 c:\windows\$NtServicePackUninstall$\lsass.exe
2008-04-13 17:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\ServicePackFiles\i386\lsass.exe
2004-08-03 22:56 13312 84885f9b82f4d55c6146ebf6065d75d2 c:\windows\system32\lsass.exe

2006-03-15 05:00 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 17:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\ServicePackFiles\i386\ctfmon.exe
2009-03-28 04:34 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-03-29_17.10.35.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-29 23:31:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-30 14:31:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-29 23:31:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local

Settings\History\History.IE5\index.dat
+ 2009-03-30 14:31:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local

Settings\History\History.IE5\index.dat
- 2009-03-29 09:22:17 301,232 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-30 14:26:28 301,232 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-30 15:42:07 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_14c.dat
+ 2009-03-30 15:42:09 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6ec.dat
.

xsited · 03-31-2009, 07:26 AM

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D0AB1348-BEEE-414F-AE6D-CB26CD29D66D}]
c:\windows\system32\enjbmzo.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-06-20 16:11 73728 c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Soulseek-Test\\slsk.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 ppqloloj;ppqloloj;c:\windows\system32\drivers\ppqloloj.sys [2006-09-01 23424]
R1 DCDisk;DCDisk;c:\windows\system32\drivers\DCDisk.sys [2009-03-28 50606]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-03-28

203280]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe

-sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-09-01 226304]
S3 exdisk;Express Disk Service;c:\windows\system32\DRIVERS\exdisk.sys --> c:\windows\system32\DRIVERS\exdisk.sys [?]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i

VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
S3 SSSPUHBIWXAIA;SSSPUHBIWXAIA;c:\docume~1\Tom\LOCALS~1\Temp\SSSPUHBIWXAIA.exe -->

c:\docume~1\Tom\LOCALS~1\Temp\SSSPUHBIWXAIA.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-03-28 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]

2009-03-28 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]
.
- - - - ORPHANS REMOVED - - - -

Notify-pkiezaup - enjbmzo.dll
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys
SafeBoot-procexp90.Sys

.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 Plus - c:\program files\Sony\Image Converter 2\menu.htm
Filter: text/html - {3baf5d08-9712-46e3-8a2a-0278c2d74073} -
FF - ProfilePath - c:\documents and settings\Francesca\Application Data\Mozilla\Firefox\Profiles\qhxda40e.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - component: c:\documents and settings\Francesca\Application

Data\Mozilla\Firefox\Profiles\qhxda40e.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\compo

nents\EbayAccessService.dll
FF - component: c:\documents and settings\Francesca\Application

Data\Mozilla\Firefox\Profiles\qhxda40e.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\compo

nents\EbayFormSubmitObserver.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-30 08:44:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET CLR Data]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET CLR Networking]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET Data Provider for Oracle]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NET Data Provider for SqlServer]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.NETFramework]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Abiosdsk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\abp480n5]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI]
"ImagePath"="system32\DRIVERS\ACPI.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPIEC]
"ImagePath"="system32\DRIVERS\ACPIEC.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\adpu160m]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aec]
"ImagePath"="system32\drivers\aec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AegisP]
"ImagePath"="system32\DRIVERS\AegisP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AFD]
"ImagePath"="\SystemRoot\System32\drivers\afd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Aha154x]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78u2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78xx]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Alerter]
"ServiceDll"="%SystemRoot%\system32\alrsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALG]
"ImagePath"="%SystemRoot%\System32\alg.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AliIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\amsint]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AnyDVD]
"ImagePath"="System32\Drivers\AnyDVD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ApfiltrService]
"ImagePath"="system32\DRIVERS\Apfiltr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Apple Mobile Device]
"ImagePath"="\"c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppMgmt]
"ServiceDll"="%SystemRoot%\System32\appmgmts.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Arp1394]
"ImagePath"="system32\DRIVERS\arp1394.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3350p]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3550]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET_1.1.4322]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET_2.0.50727]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aspnet_state]
"ImagePath"="%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AsyncMac]
"ImagePath"="system32\DRIVERS\asyncmac.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="system32\DRIVERS\atapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atdisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atmarpc]
"ImagePath"="system32\DRIVERS\atmarpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AudioSrv]
"ServiceDll"="%SystemRoot%\System32\audiosrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\audstub]
"ImagePath"="system32\DRIVERS\audstub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\avpoqvrw]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BattC]
"MofImagePath"="System32\Drivers\battc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Beep]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BITS]
"ServiceDll"="c:\windows\system32\qmgr.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Browser]
"ServiceDll"="%SystemRoot%\System32\browser.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
"ImagePath"="\??\c:\docume~1\FRANCE~1\LOCALS~1\Temp\catchme.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cbidf2k]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CCDECODE]
"ImagePath"="system32\DRIVERS\CCDECODE.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cd20xrnt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdaudio]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdrom]
"ImagePath"="system32\DRIVERS\cdrom.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CiSvc]
"ImagePath"="%SystemRoot%\system32\cisvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ClipSrv]
"ImagePath"="%SystemRoot%\system32\clipsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clr_optimization_v2.0.50727_32]
"ImagePath"="c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CmBatt]
"ImagePath"="system32\DRIVERS\CmBatt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CmdIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Compbatt]
"ImagePath"="system32\DRIVERS\compbatt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\COMSysApp]
"ImagePath"="c:\windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContentFilter]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContentIndex]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cpqarray]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CryptSvc]
"ServiceDll"="%SystemRoot%\System32\cryptsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac2w2k]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac960nt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DCDisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DcomLaunch]
"ServiceDll"="%SystemRoot%\system32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dhcp]
"ServiceDll"="%SystemRoot%\System32\dhcpcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Disk]
"ImagePath"="system32\DRIVERS\disk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmadmin]
"ImagePath"="%SystemRoot%\System32\dmadmin.exe /com"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmboot]
"ImagePath"="System32\drivers\dmboot.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DMICall]
"ImagePath"="system32\DRIVERS\DMICall.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmio]
"ImagePath"="System32\drivers\dmio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmload]
"ImagePath"="System32\drivers\dmload.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmserver]
"ServiceDll"="%SystemRoot%\System32\dmserver.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DMusic]
"ImagePath"="system32\drivers\DMusic.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dnscache]
"ServiceDll"="%SystemRoot%\System32\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dot3svc]
"ServiceDll"="%SystemRoot%\System32\dot3svc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dpti2o]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\drmkaud]
"ImagePath"="system32\drivers\drmkaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EapHost]
"ServiceDll"="%SystemRoot%\System32\eapsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ehRecvr]
"ImagePath"="c:\windows\eHome\ehRecvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ehSched]
"ImagePath"="c:\windows\eHome\ehSched.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ElbyCDIO]
"ImagePath"="System32\Drivers\ElbyCDIO.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ERSvc]
"ServiceDll"="%SystemRoot%\System32\ersvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Eventlog]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventSystem]
"ServiceDll"="c:\windows\system32\es.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EvtEng]
"ImagePath"="c:\program files\Intel\Wireless\Bin\EvtEng.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\exdisk]
"ImagePath"="system32\DRIVERS\exdisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fastfat]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FastUserSwitchingCompatibility]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fips]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FltMgr]
"ImagePath"="system32\drivers\fltmgr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fssfltr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fs_Rec]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ftdisk]
"ImagePath"="system32\DRIVERS\ftdisk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GEARAspiWDM]
"ImagePath"="System32\Drivers\GEARAspiWDM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Gpc]
"ImagePath"="system32\DRIVERS\msgpc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HDAudBus]
"ImagePath"="system32\DRIVERS\HDAudBus.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\helpsvc]
"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidServ]
"ServiceDll"="%SystemRoot%\System32\hidserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hidusb]
"ImagePath"="system32\DRIVERS\hidusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hkmsvc]
"ServiceDll"="%SystemRoot%\System32\kmsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HP Port Resolver]
"ImagePath"="c:\windows\system32\spool\drivers\w32x86\3\HPBPRO.EXE"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HP Status Server]
"ImagePath"="c:\windows\system32\spool\drivers\w32x86\3\HPBOID.EXE"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpn]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZid412]
"ImagePath"="system32\DRIVERS\HPZid412.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZipr12]
"ImagePath"="system32\DRIVERS\HPZipr12.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZius12]
"ImagePath"="system32\DRIVERS\HPZius12.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HSFHWAZL]
"ImagePath"="system32\DRIVERS\HSFHWAZL.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HSF_DPV]
"ImagePath"="system32\DRIVERS\HSF_DPV.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTP]
"ImagePath"="System32\Drivers\HTTP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTPFilter]
"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omp]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i8042prt]
"ImagePath"="system32\DRIVERS\i8042prt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ialm]
"ImagePath"="system32\DRIVERS\ialmnt5.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDriverT]
"ImagePath"="\"c:\program files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Image Converter video recording monitor for VAIO Entertainment]
"ImagePath"="c:\program files\Sony\Image Converter 2\IcVzMon.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Imapi]
"ImagePath"="system32\DRIVERS\imapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ImapiService]
"ImagePath"="c:\windows\system32\imapi.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\inetaccs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ini910u]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Inport]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IntcAzAudAddService]
"ImagePath"="system32\drivers\RtkHDAud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IntelIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\intelppm]
"ImagePath"="system32\DRIVERS\intelppm.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ip6Fw]
"ImagePath"="system32\drivers\ip6fw.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpFilterDriver]
"ImagePath"="system32\DRIVERS\ipfltdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpInIp]
"ImagePath"="system32\DRIVERS\ipinip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpNat]
"ImagePath"="system32\DRIVERS\ipnat.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iPod Service]
"ImagePath"="\"c:\program files\iPod\bin\iPodService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IPSec]
"ImagePath"="system32\DRIVERS\ipsec.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IRENUM]
"ImagePath"="system32\DRIVERS\irenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ISAPISearch]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\isapnp]
"ImagePath"="system32\DRIVERS\isapnp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\JavaQuickStarterService]
"ImagePath"="\"c:\program files\Java\jre6\bin\jqs.exe\" -service -config \"c:\program

files\Java\jre6\lib\deploy\jqs\jqs.conf\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Kbdclass]
"ImagePath"="system32\DRIVERS\kbdclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbdhid]
"ImagePath"="system32\DRIVERS\kbdhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kmixer]
"ImagePath"="system32\drivers\kmixer.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KSecDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanserver]
"ServiceDll"="%SystemRoot%\System32\srvsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanworkstation]
"ServiceDll"="%SystemRoot%\System32\wkssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ldap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LicenseService]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LmHosts]
"ServiceDll"="%SystemRoot%\System32\lmhsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MBackMonitor]
"ImagePath"="\"c:\program files\McAfee\MBK\MBackMonitor.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McAfee SiteAdvisor Service]
"ImagePath"="\"c:\program files\McAfee\SiteAdvisor\McSACore.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mcmscsvc]
"ImagePath"="c:\progra~1\McAfee\MSC\mcmscsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McNASvc]
"ImagePath"="\"c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McODS]
"ImagePath"="c:\progra~1\McAfee\VIRUSS~1\mcods.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McProxy]
"ImagePath"="c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McrdSvc]
"ImagePath"="c:\windows\ehome\mcrdsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McShield]
"ImagePath"="c:\progra~1\McAfee\VIRUSS~1\mcshield.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MCSTRM]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McSysmon]
"ImagePath"="c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mdmxsdk]
"ImagePath"="system32\DRIVERS\mdmxsdk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Messenger]
"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mfeavfk]
"ImagePath"="system32\drivers\mfeavfk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mfebopk]
"ImagePath"="system32\drivers\mfebopk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mfehidk]
"ImagePath"="system32\drivers\mfehidk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mferkdk]
"ImagePath"="system32\drivers\mferkdk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mfesmfk]
"ImagePath"="system32\drivers\mfesmfk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MHN]
"ServiceDll"="%SystemRoot%\System32\mhn.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MHNDRV]
"ImagePath"="system32\DRIVERS\mhndrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Microsoft Office Groove Audit Service]
"ImagePath"="\"c:\program files\Microsoft Office\Office12\GrooveAuditService.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmdd]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmsrvc]
"ImagePath"="c:\windows\system32\mnmsrvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Modem]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mouclass]
"ImagePath"="system32\DRIVERS\mouclass.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mouhid]
"ImagePath"="system32\DRIVERS\mouhid.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MountMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MPFP]
"ImagePath"="System32\Drivers\Mpfp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MpfService]
"ImagePath"="\"c:\program files\McAfee\MPF\MPFSrv.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mraid35x]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxDAV]
"ImagePath"="system32\DRIVERS\mrxdav.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxSmb]
"ImagePath"="system32\DRIVERS\mrxsmb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSCSPTISRV]
"ImagePath"="\"c:\program files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC]
"ImagePath"="c:\windows\system32\msdtc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Msfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSIServer]
"ImagePath"="c:\windows\system32\msiexec.exe /V"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSK80Service]
"ImagePath"="\"c:\program files\McAfee\MSK\MskSrver.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSKSSRV]
"ImagePath"="system32\drivers\MSKSSRV.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPCLOCK]
"ImagePath"="system32\drivers\MSPCLOCK.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPQM]
"ImagePath"="system32\drivers\MSPQM.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mssmbios]
"ImagePath"="system32\DRIVERS\mssmbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSSQL$VAIO_VEDB]
"ImagePath"="c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSSQLServerADHelper]
"ImagePath"="c:\program files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSTEE]
"ImagePath"="system32\drivers\MSTEE.sys"

xsited · 03-31-2009, 07:32 AM

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mup]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NABTSFEC]
"ImagePath"="system32\DRIVERS\NABTSFEC.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\napagent]
"ServiceDll"="%SystemRoot%\System32\qagentrt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDIS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisIP]
"ImagePath"="system32\DRIVERS\NdisIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisTapi]
"ImagePath"="system32\DRIVERS\ndistapi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ndisuio]
"ImagePath"="system32\DRIVERS\ndisuio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisWan]
"ImagePath"="system32\DRIVERS\ndiswan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDProxy]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBIOS]
"ImagePath"="system32\DRIVERS\netbios.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT]
"ImagePath"="system32\DRIVERS\netbt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDE]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDEdsdm]
"ImagePath"="%SystemRoot%\system32\netdde.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netlogon]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netman]
"ServiceDll"="%SystemRoot%\System32\netman.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NETw3x32]
"ImagePath"="system32\DRIVERS\NETw3x32.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIC1394]
"ImagePath"="system32\DRIVERS\nic1394.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Nla]
"ServiceDll"="%SystemRoot%\System32\mswsock.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npf]
"ImagePath"="system32\drivers\npf.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Npfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ntfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtLmSsp]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc]
"ServiceDll"="%SystemRoot%\system32\ntmssvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Null]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFlt]
"ImagePath"="system32\DRIVERS\nwlnkflt.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFwd]
"ImagePath"="system32\DRIVERS\nwlnkfwd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\odserv]
"ImagePath"="\"c:\program files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ohci1394]
"ImagePath"="system32\DRIVERS\ohci1394.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ose]
"ImagePath"="\"c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Outlook]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PACSPTISVR]
"ImagePath"="\"c:\program files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Parport]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PartMgr]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ParVdm]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCI]
"ImagePath"="system32\DRIVERS\pci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIIde]
"ImagePath"="system32\DRIVERS\pciide.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pcmcia]
"ImagePath"="system32\DRIVERS\pcmcia.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2hib]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfDisk]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfNet]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfOS]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfProc]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PlugPlay]
"ImagePath"="%SystemRoot%\system32\services.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pml Driver HPZ12]
"ImagePath"="c:\windows\system32\HPZipm12.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PolicyAgent]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ppqloloj]
"ImagePath"="system32\drivers\ppqloloj.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PptpMiniport]
"ImagePath"="system32\DRIVERS\raspptp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ProtectedStorage]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSched]
"ImagePath"="system32\DRIVERS\psched.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ptilink]
"ImagePath"="system32\DRIVERS\ptilink.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PxHelp20]
"ImagePath"="System32\Drivers\PxHelp20.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1080]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ql10wnt]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql12160]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1240]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1280]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAcd]
"ImagePath"="system32\DRIVERS\rasacd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAuto]
"ServiceDll"="%SystemRoot%\System32\rasauto.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rasl2tp]
"ImagePath"="system32\DRIVERS\rasl2tp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasMan]
"ServiceDll"="%SystemRoot%\System32\rasmans.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasPppoe]
"ImagePath"="system32\DRIVERS\raspppoe.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Raspti]
"ImagePath"="system32\DRIVERS\raspti.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rdbss]
"ImagePath"="system32\DRIVERS\rdbss.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPCDD]
"ImagePath"="System32\DRIVERS\RDPCDD.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rdpdr]
"ImagePath"="system32\DRIVERS\rdpdr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPNP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPWD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDSessMgr]
"ImagePath"="c:\windows\system32\sessmgr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook]
"ImagePath"="system32\DRIVERS\redbook.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RegSrvc]
"ImagePath"="c:\program files\Intel\Wireless\Bin\RegSrvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteAccess]
"ServiceDll"="%SystemRoot%\System32\mprdim.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteRegistry]
"ServiceDll"="%SystemRoot%\system32\regsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcLocator]
"ImagePath"="%SystemRoot%\system32\locator.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcSs]
"ServiceDll"="%SystemRoot%\system32\rpcss.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RSVP]
"ImagePath"="%SystemRoot%\system32\rsvp.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RT2500USB]
"ImagePath"="system32\DRIVERS\rt2500usb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\S24EventMonitor]
"ImagePath"="c:\program files\Intel\Wireless\Bin\S24EvMon.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\s24trans]
"ImagePath"="system32\DRIVERS\s24trans.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SamSs]
"ImagePath"="%SystemRoot%\system32\lsass.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SCardSvr]
"ImagePath"="%SystemRoot%\System32\SCardSvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Schedule]
"ServiceDll"="%SystemRoot%\system32\schedsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ScsiPort]
"ImagePath"="%SystemRoot%\system32\drivers\scsiport.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Secdrv]
"ImagePath"="system32\DRIVERS\secdrv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seclogon]
"ServiceDll"="%SystemRoot%\System32\seclogon.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SENS]
"ServiceDll"="%SystemRoot%\system32\sens.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Serial]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sfloppy]
"ImagePath"="system32\DRIVERS\sfloppy.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ShellHWDetection]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Simbad]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SLIP]
"ImagePath"="system32\DRIVERS\SLIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNC]
"ImagePath"="System32\Drivers\SonyNC.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNPSTD3]
"ImagePath"="system32\DRIVERS\snpstd3.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SonicStageMonitoring]
"ImagePath"="c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sparrow]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\splitter]
"ImagePath"="system32\drivers\splitter.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Spooler]
"ImagePath"="%SystemRoot%\system32\spoolsv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SPTISRV]
"ImagePath"="\"c:\program files\Common Files\Sony Shared\AVLib\SPTISRV.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SQLAgent$VAIO_VEDB]
"ImagePath"="c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sr]
"ImagePath"="system32\DRIVERS\sr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srservice]
"ServiceDll"="c:\windows\system32\srsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Srv]
"ImagePath"="system32\DRIVERS\srv.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SSDPSRV]
"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SSScsiSV]
"ImagePath"="c:\program files\Common Files\Sony Shared\AVLib\SSScsiSV.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SSSPUHBIWXAIA]
"ImagePath"="c:\docume~1\Tom\LOCALS~1\Temp\SSSPUHBIWXAIA.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\stisvc]
"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\streamip]
"ImagePath"="system32\DRIVERS\StreamIP.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swenum]
"ImagePath"="system32\DRIVERS\swenum.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swmidi]
"ImagePath"="system32\drivers\swmidi.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SwPrv]
"ImagePath"="c:\windows\system32\dllhost.exe /Processid:{592C546F-B5D1-48CA-BCDC-8A4ABEF83A43}"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swwd]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Symantec Core LC]
"ImagePath"="\"c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc810]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc8xx]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_hi]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_u3]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sysaudio]
"ImagePath"="system32\drivers\sysaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SysmonLog]
"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TapiSrv]
"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip]
"ImagePath"="system32\DRIVERS\tcpip.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDPIPE]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDTCP]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermDD]
"ImagePath"="system32\DRIVERS\termdd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermService]
"ServiceDll"="%SystemRoot%\System32\termsrv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Themes]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ti21sony]
"ImagePath"="system32\drivers\ti21sony.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TlntSvr]
"ImagePath"="c:\windows\system32\tlntsvr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tmcomm]
"ImagePath"="\??\c:\windows\system32\drivers\tmcomm.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TosIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TrkWks]
"ServiceDll"="%SystemRoot%\system32\trkwks.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TSDDD]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Udfs]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ultra]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update]
"ImagePath"="system32\DRIVERS\update.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\upnphost]
"ServiceDll"="%SystemRoot%\System32\upnphost.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPS]
"ImagePath"="%SystemRoot%\System32\ups.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\USBAAPL]
"ImagePath"="System32\Drivers\usbaapl.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbaudio]
"ImagePath"="system32\drivers\usbaudio.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbccgp]
"ImagePath"="system32\DRIVERS\usbccgp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbehci]
"ImagePath"="system32\DRIVERS\usbehci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbhub]
"ImagePath"="system32\DRIVERS\usbhub.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbprint]
"ImagePath"="system32\DRIVERS\usbprint.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbscan]
"ImagePath"="system32\DRIVERS\usbscan.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbstor]
"ImagePath"="system32\DRIVERS\USBSTOR.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbuhci]
"ImagePath"="system32\DRIVERS\usbuhci.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usnjsvc]
"ImagePath"="\"c:\program files\Windows Live\Messenger\usnsvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VAIO Entertainment TV Device Arbitration Service]
"ImagePath"="\"c:\program files\Common Files\Sony Shared\VAIO Entertainment

Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VAIO Event Service]
"ImagePath"="c:\program files\Sony\VAIO Event Service\VESMgr.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VAIOMediaPlatform-IntegratedServer-AppServer]
"ImagePath"="c:\program files\Sony\VAIO Media Integrated Server\VMISrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VAIOMediaPlatform-IntegratedServer-HTTP]
"ImagePath"="\"c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe\"

/Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot=\"SOFTWARE\Sony Corporation\VAIO Media Platform\2.0\"

/RegExt=\"Applications\IntegratedServer\HTTP\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VAIOMediaPlatform-IntegratedServer-UPnP]
"ImagePath"="c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VAIOMediaPlatform-Mobile-Gateway]
"ImagePath"="\"c:\program files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe\"

/Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot=\"SOFTWARE\Sony Corporation\VAIO Media Platform\2.0\"

/RegExt=\"\Addons\Packages\Mobile\Gateway\" /DisplayName=\"VAIO Media Gateway Server\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Vcsw]
"ImagePath"="c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe -RunBySCM"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VgaSave]
"ImagePath"="\SystemRoot\System32\drivers\vga.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ViaIde]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VolSnap]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VSS]
"ImagePath"="%SystemRoot%\System32\vssvc.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VzCdbSvc]
"ImagePath"="\"c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VzFw]
"ImagePath"="c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W32Time]
"ServiceDll"="c:\windows\system32\w32time.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W3SVC]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wanarp]
"ImagePath"="system32\DRIVERS\wanarp.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wdf01000]
"ImagePath"="system32\DRIVERS\Wdf01000.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wdmaud]
"ImagePath"="system32\drivers\wdmaud.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebClient]
"ServiceDll"="%SystemRoot%\System32\webclnt.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winachsf]
"ImagePath"="system32\DRIVERS\HSF_CNXT.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt]
"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Winsock]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinSock2]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinTrust]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WLSetupSvc]
"ImagePath"="\"c:\program files\Windows Live\installer\WLSetupSvc.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmdmPmSN]
"ServiceDll"="c:\windows\system32\MsPMSNSv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wmi]
"ServiceDll"="%SystemRoot%\System32\advapi32.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApRpl]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApSrv]
"ImagePath"="c:\windows\system32\wbem\wmiapsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WMPNetworkSvc]
"ImagePath"="\"c:\program files\Windows Media Player\WMPNetwk.exe\""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WpdUsb]
"ImagePath"="system32\DRIVERS\wpdusb.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WS2IFSL]
"ImagePath"="\SystemRoot\System32\drivers\ws2ifsl.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wscsvc]
"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WSTCODEC]
"ImagePath"="system32\DRIVERS\WSTCODEC.SYS"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauserv]
"ServiceDll"="c:\windows\system32\wuauserv.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfPf]
"ImagePath"="system32\DRIVERS\WudfPf.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfRd]
"ImagePath"="system32\DRIVERS\wudfrd.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfSvc]
"ServiceDll"="%SystemRoot%\System32\WUDFSvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WZCSVC]
"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xmlprov]
"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\XN]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\yukonwxp]
"ImagePath"="system32\DRIVERS\yk51x86.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zumbus]
"ImagePath"="system32\DRIVERS\zumbus.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{0BEF28B7-6546-4ED1-A6FC-750356DB79B6}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{22279BB7-828A-4572-A6C7-111D33D1CD55}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{57661D90-8180-4BE3-8696-19FA0D1334B6}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{8E99875C-2520-46F1-AEE8-626A72156B8E}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{948162B4-EBAB-4C1A-8D33-C653E03C694A}]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{9F99EC0F-262D-420C-A7AE-F4E40C5B4863}]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\windows\system32\VESWinlogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\hkcmd.exe
c:\windows\system32\igfxpers.exe
c:\program files\Apoint\Apoint.exe
c:\program files\Java\jre6\bin\jusched.exe
c:\program files\Sony\VAIO Power Management\SPMgr.exe
c:\program files\Sony\ISB Utility\ISBMgr.exe
c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe
c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe
c:\program files\HP\HP Software Update\hpwuSchd2.exe
c:\program files\iTunes\iTunesHelper.exe
c:\program files\HP\hpcoretech\hpcmpmgr.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\vsnpstd3.exe
c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
c:\program files\McAfee\MBK\McAfeeDataBackup.exe
c:\program files\Windows Live\Messenger\msnmsgr.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-03-30 8:52:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-30 15:52:10

Pre-Run: 50,697,142,272 bytes free
Post-Run: 50,678,112,256 bytes free

920 --- E O F --- 2009-03-27 02:22:39

xsited · 03-31-2009, 07:39 AM

Currently repeatedly scanning....

km2357 · 03-31-2009, 01:18 PM

Quote:

Originally Posted by xsited

Currently repeatedly scanning....

What is scanning?

Step # 1 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6u13.
Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Remove the following old versions of Java:
J2SE Runtime Environment 5.0 Update 7

Java(TM) SE Runtime Environment 6

Java(TM) SE Runtime Environment 6 Update 1

Java(TM) 6 Update 3

Java(TM) 6 Update 5

Java(TM) 6 Update 11
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
From your desktop double-click on the download to install the newest version.

Step # 2 Run CCleaner

CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!

Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
Then select the items you wish to clean up.
In the Windows Tab:
Clean all entries in the Internet Explorer section except Cookies
Clean all the entries in the Windows Explorer section
Clean all entries in the System section
Clean all entries in the Advanced section
Clean any others that you choose
In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it
Clean all in the Opera section if you use it
Clean Sun Java in the Internet Section
Clean any others that you choose
Click the Run Cleaner button.
A pop up box will appear advising this process will permanently delete files from your system.
Click OK and it will scan and clean your system.
Click exit when done.
If it asks you to reboot at the end, click NO

Step # 3 Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
Next click the Scanner tab and select Perform Quick Scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
You can also access the log by doing the following:
Click on the Malwarebytes' Anti-Malware icon to launch the program.
Click on the Logs tab.
Click on the log at the bottom of those listed to highlight it.
Click Open.

Post the MalwareBytes' Log in your next reply.

xsited · 04-01-2009, 12:51 AM

To clarify my last post, I just meant to imply that I am always performing AV scans.

All steps done. Doing another malewarebytes scan now.

Malwarebytes' Anti-Malware 1.35
Database version: 1927
Windows 5.1.2600 Service Pack 3

3/31/2009 11:18:40 PM
mbam-log-2009-03-31 (23-18-40).txt

Scan type: Full Scan (C:\|)
Objects scanned: 174606
Time elapsed: 1 hour(s), 9 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d0ab1348-beee-414f-ae6d-cb26cd29d66d} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pkiezaup (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{d0ab1348-beee-414f-ae6d-cb26cd29d66d} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\windows\system32\enjbmzo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090328-085955-956.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090328-090025-680.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090328-090312-638.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090328-090858-369.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090328-091629-539.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fckutoy.dll (Trojan.Vundo.H) -> Delete on reboot.

xsited · 04-01-2009, 08:10 AM

Last scan results which repeats the same 4 target after reboot.

Malwarebytes' Anti-Malware 1.35
Database version: 1927
Windows 5.1.2600 Service Pack 3

4/1/2009 7:04:18 AM
mbam-log-2009-04-01 (07-04-13).txt

Scan type: Full Scan (C:\|)
Objects scanned: 4267
Time elapsed: 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d0ab1348-beee-414f-ae6d-cb26cd29d66d} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pkiezaup (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{d0ab1348-beee-414f-ae6d-cb26cd29d66d} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\windows\system32\enjbmzo.dll (Trojan.Vundo.H) -> No action taken.

km2357 · 04-01-2009, 04:42 PM

I'd like for you to do the following:

First, delete ComboFix.exe off of your Desktop.

Then download the latest version of ComboFix from one of the links below and be sure to save it to your Desktop:

Link 1
Link 2
Link 3

Once ComboFix is finished, you can go ahead and attach its log in your next post.

03-29-2009, 12:17 PM	#2 (permalink)
km2357 Analyst, Security Team Join Date: Jan 2009 Posts: 314 OS: Win98SE, XP Home SP3	Re: Generic Rootkit.d!rootkit Hello and welcome to Tech Support Forum. My name is km2357 and I will be helping you to remove any infection(s) that you may have. I will be giving you a series of instructions that need to be followed in the order in which I give them to you. If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again. Please do not start another thread or topic, I will assist you at this thread until we solve your problems. Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same. I will be back as soon as possible with your first instructions! __________________ Member of ASAP

03-29-2009, 12:42 PM	#3 (permalink)
km2357 Analyst, Security Team Join Date: Jan 2009 Posts: 314 OS: Win98SE, XP Home SP3	Re: Generic Rootkit.d!rootkit Do you know what the following entry in your Add/Remove Programs is? ???????? 2003 It should be at the top of the list. Try renaming Gmer.exe and try running it again. If you get a GMER log, please post it in your next reply/post. Step # 1: Download and Run ComboFix We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. IMPORTANT !!! Save ComboFix.exe to your Desktop When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply. __________________ Member of ASAP

03-30-2009, 12:35 AM	#6 (permalink)
km2357 Analyst, Security Team Join Date: Jan 2009 Posts: 314 OS: Win98SE, XP Home SP3	Re: Generic Rootkit.d!rootkit Thanks for the logs. From now on, please post any logs I ask for, do not attach them. If they don't fit into one post, use multiple posts to get them in. Thanks. Step # 1 Upload Files Go to Jotti Copy the following line into the white textbox: c:\windows\system32\exitwx.exe Click Submit. Please post the results of this scan to this thread. Repeat the above steps with the following files: c:\windows\system32\ChCfg.exe If Jotti is busy, Go to VirusTotal and scan the file(s) there. Step # 2: Run CFScript Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below: Code: KILLALL:: Driver:: SSSPUHBIWXAIA XN ppqloloj File:: c:\docume~1\ADMINI~1\LOCALS~1\Temp\XN.exe c:\docume~1\Tom\LOCALS~1\Temp\SSSPUHBIWXAIA.exe c:\windows\system32\drivers\ppqloloj.sys DirLook:: c:\documents and settings\NetworkService\Application Data\vgyhohub Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop. Note: This CFScript is for use on xsited's computer only! Do not use it on your computer. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply. CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall. In your next post/reply, I need to see the following: 1. The Jotti/Virustotal results 2. The ComboFix Log that appears after Step 2 has been completed. __________________ Member of ASAP

03-30-2009, 08:52 AM	#7 (permalink)
xsited Registered User Join Date: Mar 2009 Posts: 29 OS: XP	Re: Generic Rootkit.d!rootkit Thanks for the reply. The machine is unable to perform step #1, due to the fact there are no network interfaces present. The NICs are visible. ipconfig throws an error about ACTIVEDS.dll not found.

03-30-2009, 01:55 PM	#9 (permalink)
xsited Registered User Join Date: Mar 2009 Posts: 29 OS: XP	Re: Generic Rootkit.d!rootkit The post is from another computer. The computer is NOT able to go online. DLLs ACTIVEDS.dll are ACLUI.dll missing but exist in a Service Pack folder. I have NOT restored them in a search path where they could be found. I did proceed to step #2 and have a ComboFix output to attach as follows. Last edited by xsited; 03-30-2009 at 01:57 PM.

03-30-2009, 08:37 PM	#10 (permalink)
xsited Registered User Join Date: Mar 2009 Posts: 29 OS: XP	Re: Generic Rootkit.d!rootkit Can not post ComboFix due to .... Fatal error: Maximum execution time of 30 seconds exceeded in /home/tsf/public_html/includes/functions.php on line 1822

03-30-2009, 11:30 PM	#11 (permalink)
xsited Registered User Join Date: Mar 2009 Posts: 29 OS: XP	Re: Generic Rootkit.d!rootkit A resolution of sorts. ACTIVEDS.dll ACLUI.dll ADSLDPC.dll were missing for sure. The resolution was to use the McAfee uninstall tool and reinstall McAfee. Networking returned. Trying to clean up now.

03-31-2009, 12:46 AM	#12 (permalink)
km2357 Analyst, Security Team Join Date: Jan 2009 Posts: 314 OS: Win98SE, XP Home SP3	Re: Generic Rootkit.d!rootkit Nice work on getting your computer connected back to the Internet. Try Step #1 again from Post #6 of this thread and post back the Jotti/Virustotal results. And try posting the ComboFix Log from Step #2 again (don't attach it). If its too big for one post, use multiple posts to get it all in. __________________ Member of ASAP

03-31-2009, 07:15 AM	#13 (permalink)
xsited Registered User Join Date: Mar 2009 Posts: 29 OS: XP	Re: Generic Rootkit.d!rootkit Jotti reports clear on those file. ComboFix 09-03-29.02 - Francesca 2009-03-30 8:37:14.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.239 [GMT -7:00] Running from: c:\documents and settings\Francesca\Desktop\cf.exe Command switches used :: c:\documents and settings\Francesca\Desktop\CFScript.txt AV: McAfee VirusScan On-access scanning enabled (Updated) FW: McAfee Personal Firewall enabled * Created a new restore point FILE :: c:\docume~1\ADMINI~1\LOCALS~1\Temp\XN.exe c:\docume~1\Tom\LOCALS~1\Temp\SSSPUHBIWXAIA.exe c:\windows\system32\drivers\ppqloloj.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_PPQLOLOJ -------\Legacy_VGADOWN -------\Legacy_XN -------\Service_ppqloloj -------\Service_XN ((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 ))))))))))))))))))))))))))))))) . 2009-03-30 08:40 . 2009-03-30 08:40 1,316 --a------ c:\windows\system32\Config.MPF 2009-03-30 07:26 . 2009-03-30 07:26 2,126 --a------ c:\windows\system32\wpa.dbl 2009-03-29 16:43 . 2009-03-29 16:43 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\SACore 2009-03-29 01:26 . 2009-03-29 01:26 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore 2009-03-28 16:43 . 2009-03-28 16:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor 2009-03-28 16:36 . 2009-03-28 16:36 <DIR> d-------- c:\program files\McAfee.com 2009-03-28 10:17 . 2004-05-12 10:13 40,960 --a------ c:\windows\system32\exitwx.exe 2009-03-28 10:16 . 2005-09-14 10:25 50,606 --a------ c:\windows\system32\drivers\DCDisk.sys 2009-03-28 09:25 . 2009-03-28 09:25 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\vgyhohub 2009-03-28 08:04 . 2009-03-28 08:04 <DIR> d-------- c:\program files\Trend Micro 2009-03-28 07:52 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys 2009-03-27 13:11 . 2009-03-27 13:11 <DIR> d-------- C:\tmp 2009-03-26 09:00 . 2009-03-28 16:28 <DIR> d-------- c:\program files\Panda Security 2009-03-26 07:32 . 2009-03-26 07:33 <DIR> d-------- C:\Autorun 2009-03-24 21:40 . 2005-10-31 11:17 135,168 --a------ c:\windows\system32\RtlCPAPI.dll 2009-03-24 21:40 . 2005-07-15 09:48 40,960 --a------ c:\windows\system32\ChCfg.exe 2009-03-24 21:38 . 2009-03-24 21:38 <DIR> d-------- c:\program files\Realtek 2009-03-24 21:38 . 2006-05-16 11:04 2,879,488 --a------ c:\windows\SkyTel.exe 2009-03-24 21:38 . 2005-04-16 15:20 487,424 --a------ c:\windows\RtlExUpd.dll 2009-03-24 21:25 . 2009-03-26 07:52 <DIR> d-------- c:\program files\Sony Pictures Games 2009-03-22 11:14 . 2008-10-23 13:08 120,136 --a------ c:\windows\system32\drivers\Mpfp.sys 2009-03-22 11:14 . 2009-01-16 20:04 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys 2009-03-22 11:14 . 2009-01-16 20:04 40,552 --a------ c:\windows\system32\drivers\mfesmfk.sys 2009-03-22 11:14 . 2009-01-16 20:04 35,272 --a------ c:\windows\system32\drivers\mfebopk.sys 2009-03-22 11:12 . 2009-03-28 16:42 <DIR> d-------- c:\program files\McAfee 2009-03-22 11:12 . 2009-03-28 16:37 <DIR> d-------- c:\program files\Common Files\McAfee 2009-03-22 11:04 . 2009-01-16 20:03 34,216 --a------ c:\windows\system32\drivers\mferkdk.sys 2009-03-22 09:35 . 2009-03-28 16:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee 2009-03-22 09:32 . 2009-03-22 09:32 <DIR> d-------- c:\program files\WinPcap 2009-03-19 20:13 . 2009-03-19 20:13 <DIR> d-------- c:\documents and settings\Francesca\LocalLow 2009-03-19 20:13 . 2009-03-19 20:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\TVU Networks . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-03-30 15:47 --------- d-----w c:\documents and settings\Francesca\Application Data\Skype 2009-03-28 23:27 --------- d-----w c:\program files\Windows Live 2009-03-26 14:55 --------- d-----w c:\program files\Common Files\AOL 2009-03-26 14:55 --------- d-----w c:\documents and settings\All Users\Application Data\AOL 2009-03-25 04:38 --------- d--h--w c:\program files\InstallShield Installation Information 2009-03-25 04:28 21,419 ----a-w c:\windows\system32\drivers\AegisP.sys 2009-03-25 04:19 --------- d-----w c:\program files\Sony 2009-03-19 05:58 --------- d-----w c:\documents and settings\Francesca\Application Data\Move Networks 2009-03-15 17:32 --------- d-----w c:\documents and settings\Francesca\Application Data\DVD Flick 2009-03-11 17:34 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help 2009-03-29 08:24 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll 2009-03-29 08:24 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll 2009-03-29 08:24 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll 2009-03-29 08:24 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll 2009-03-29 08:24 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll 2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll 2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll 2008-03-16 12:30 216,064 --sh--r c:\windows\system32\nbDX.dll . (((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ---- Directory of c:\documents and settings\NetworkService\ApplicationData\vgyhohub ---- c:\documents and settings\NetworkService\ApplicationData\vgyhohub\ ------- Sigcheck ------- 2006-03-15 05:00 14336 8f078ae4ed187aaabc0a305146de6716 c:\windows\$NtServicePackUninstall$\svchost.exe 2008-04-13 17:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\ServicePackFiles\i386\svchost.exe 2004-08-03 22:56 14336 8f078ae4ed187aaabc0a305146de6716 c:\windows\system32\svchost.exe 2004-08-13 16:01 502784 ea16f83b5e4964c100f6098ce9874927 c:\windows\$NtServicePackUninstall$\winlogon.exe 2006-03-15 05:00 502272 01c3346c241652f43aed8e2149881bfe c:\windows\$NtUninstallKB307154$\winlogon.exe 2008-04-13 17:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\ServicePackFiles\i386\winlogon.exe 2004-08-03 22:56 502272 01c3346c241652f43aed8e2149881bfe c:\windows\system32\winlogon.exe 2006-03-15 05:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\$NtServicePackUninstall$\services.exe 2008-04-13 17:12 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\ServicePackFiles\i386\services.exe 2004-08-03 22:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\system32\services.exe 2006-03-15 05:00 13312 84885f9b82f4d55c6146ebf6065d75d2 c:\windows\$NtServicePackUninstall$\lsass.exe 2008-04-13 17:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\ServicePackFiles\i386\lsass.exe 2004-08-03 22:56 13312 84885f9b82f4d55c6146ebf6065d75d2 c:\windows\system32\lsass.exe 2006-03-15 05:00 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\$NtServicePackUninstall$\ctfmon.exe 2008-04-13 17:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\ServicePackFiles\i386\ctfmon.exe 2009-03-28 04:34 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\system32\ctfmon.exe . ((((((((((((((((((((((((((((( SnapShot@2009-03-29_17.10.35.53 ))))))))))))))))))))))))))))))))))))))))) . - 2009-03-29 23:31:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat + 2009-03-30 14:31:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat - 2009-03-29 23:31:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2009-03-30 14:31:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat - 2009-03-29 09:22:17 301,232 ----a-w c:\windows\system32\FNTCACHE.DAT + 2009-03-30 14:26:28 301,232 ----a-w c:\windows\system32\FNTCACHE.DAT + 2009-03-30 15:42:07 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_14c.dat + 2009-03-30 15:42:09 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6ec.dat .

03-31-2009, 07:39 AM	#16 (permalink)
xsited Registered User Join Date: Mar 2009 Posts: 29 OS: XP	Re: Generic Rootkit.d!rootkit Currently repeatedly scanning....

04-01-2009, 12:51 AM	#18 (permalink)
xsited Registered User Join Date: Mar 2009 Posts: 29 OS: XP	Re: Generic Rootkit.d!rootkit To clarify my last post, I just meant to imply that I am always performing AV scans. All steps done. Doing another malewarebytes scan now. Malwarebytes' Anti-Malware 1.35 Database version: 1927 Windows 5.1.2600 Service Pack 3 3/31/2009 11:18:40 PM mbam-log-2009-03-31 (23-18-40).txt Scan type: Full Scan (C:\\|) Objects scanned: 174606 Time elapsed: 1 hour(s), 9 minute(s), 33 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 5 Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 7 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d0ab1348-beee-414f-ae6d-cb26cd29d66d} (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pkiezaup (Trojan.Vundo.H) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{d0ab1348-beee-414f-ae6d-cb26cd29d66d} (Trojan.Vundo.H) -> Delete on reboot. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: c:\windows\system32\enjbmzo.dll (Trojan.Vundo.H) -> Delete on reboot. C:\Program Files\Trend Micro\HijackThis\backups\backup-20090328-085955-956.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\Program Files\Trend Micro\HijackThis\backups\backup-20090328-090025-680.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\Program Files\Trend Micro\HijackThis\backups\backup-20090328-090312-638.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\Program Files\Trend Micro\HijackThis\backups\backup-20090328-090858-369.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\Program Files\Trend Micro\HijackThis\backups\backup-20090328-091629-539.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\fckutoy.dll (Trojan.Vundo.H) -> Delete on reboot.

04-01-2009, 08:10 AM	#19 (permalink)
xsited Registered User Join Date: Mar 2009 Posts: 29 OS: XP	Re: Generic Rootkit.d!rootkit Last scan results which repeats the same 4 target after reboot. Malwarebytes' Anti-Malware 1.35 Database version: 1927 Windows 5.1.2600 Service Pack 3 4/1/2009 7:04:18 AM mbam-log-2009-04-01 (07-04-13).txt Scan type: Full Scan (C:\\|) Objects scanned: 4267 Time elapsed: 40 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 3 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d0ab1348-beee-414f-ae6d-cb26cd29d66d} (Trojan.Vundo.H) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pkiezaup (Trojan.Vundo.H) -> No action taken. HKEY_CLASSES_ROOT\CLSID\{d0ab1348-beee-414f-ae6d-cb26cd29d66d} (Trojan.Vundo.H) -> No action taken. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: c:\windows\system32\enjbmzo.dll (Trojan.Vundo.H) -> No action taken.

04-01-2009, 04:42 PM	#20 (permalink)
km2357 Analyst, Security Team Join Date: Jan 2009 Posts: 314 OS: Win98SE, XP Home SP3	Re: Generic Rootkit.d!rootkit I'd like for you to do the following: First, delete ComboFix.exe off of your Desktop. Then download the latest version of ComboFix from one of the links below and be sure to save it to your Desktop: Link 1 Link 2 Link 3 Once ComboFix is finished, you can go ahead and attach its log in your next post. __________________ Member of ASAP