Something Corrupts My System Files After Sfc Cleans Them


12 replies to this topic

#1 goscuter1


Posted 11 March 2011 - 04:56 PM

Hi, the symptoms of the malware are extensive and varied. It presented 3 weeks ago a day after a Dell service technician replaced my laptop hard drive with a brand new one, and then installed non-existent firmware on it. Dell are refusing to comment aside from offering to refund my laptop's purchase price. Upon noticing how fast my laptop was running after the Dell scum left, I formatted my desktop and another laptop's hard drives, and installed Win7 from a flash drive I created on the Dell. The next day, everything went to sh.t.

The first peculiar thing I noticed was some applications on my desktop refusing to run when I double-clicked on them. Messages would pop up saying I didn't have permissions and to contact my Administrator (I am always logged in as Administrator). I tried to uninstall / delete but was unable to. I tried d/l'ing Revo Uninstaller and the .exe file was deleted immediately upon install. The same thing happened with most AV 'solutions' and malware scan utilities. I had been running MS Security Essentials and iObit 360 and both were running through full scans saying everything was peachy. I uninstalled iObit's software fine, but MS Security Essentials was impossible to get rid of. I noticed a Windows Service for MS Security Essentials but I could not Stop or Disable it as everything was greyed out.

Trying to manually delete files, I noticed most of my desktop's applications had strange permissions added. To start with, Trusted Installer had become the owner for most of them, and I was unable to reclaim ownership as Administrator as Trusted Installer had also taken over Audit and Special Permissions for my C: drive as Creator Owner. There were also a lot of listed Permissions for User S-1-21-xxx (long hash code) etc, on almost every executable file.

I formatted using the Win7 Ultimate genuine discs and installed Trend Micro Titanium, which was immediately patched and I had similar problems getting rid of that to try other AV 'solutions'. Webroot went the same way. ESET was even worse, running through Full scans saying everything was fine, whilst Firewall rules were being added to let in the hacker-world-at-large.

Forum 'experts' have proved painfully slow, utterly clueless, surprisingly dull and creepily pathetic, in their nauseating refusal to address pointed queries and their shameful willingness to simply declare anything they don't understand is 'fine', whilst they ignore detected rootkits which haven't been cleaned on my system but simply no longer show on scans. They have pronounced my systems clean on the basis of a Malwarebytes clean scan (which has said everything is fine, on every scan from the start), ignoring the fact that Gmer's first ever scan result was unaddressed...

---- Services - GMER 1.0.15 ----

Service C:\Windows\servicing\TrustedInstaller.exe (*** hidden *** ) [AUTO] TrustedInstaller <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----



...or the tens of thousands of Errors/Warnings being logged...

Posted Image


ComboFix and RKill result in BSODs pretty much every time:

Posted Image

Microsoft tech support are either hilariously incompetent or just simply vile. They receive the evidence I send them, then claim they didn't. They've accused me of imagining it all, and advised me to quickly report it to the "Cyber Police". They're idiots (and that's really being diplomatic).

Frustrated and out of ideas, with one hard drive destroyed (admittedly possibly by frustrated uninstalls of hidden non-plug&play drivers I did en masse one day), I purchased a new hard drive and low-level formatted (dban) my laptop's hard drive. I flashed the BIOS on each hard drive, and with all network adapters deactivated, I then installed Win7 Ultimate onto the 'clean' hard drives with the same Win7 genuine advantage disc. Before going online, I installed McAfee Total Protection, and then individually took each system online to download the latest of Microsoft's endless security patches for the thousands of exploitabilities in their retarded OS.

With everything more or less stable for 3-4 days following the huge effort, I breathed a sigh of relief. Which turned into a furious scream yesterday, when I realised Windows Update was refusing to...Update. Critical security patches were deemed unnecessary, and I have to manually download and install them. They patch nothing, which isn't surprising. Every time I do a command line scan with System File Checker, corrupted system files are found and replaced. Hours later, they're all corrupted again and sfc /scannow 'fixes' them all again. Back and forth.

I think I've finally worked out what's corrupting them, but I don't have a clue how to address it.

Somehow the 8 hour low-level format I conducted (prior to flashing the BIOS) on my Latitude didn't affect the cbs.log as it's showing logs from a fortnight before the low-level format. I thought that was impossible?

In each cbs.log, I have endless repetitions of activity which are highly suspect. I don't know 100% which sections are or aren't logs of legitimate activity (and I would wager a lot neither do Microsoft, which explains why they are useless / refuse to assist). But I'm pretty sure I can finger some parts which are *not* legit.

In my desktop cbs.log, the only "clients" which initialize sessions are:
SPP (a few times)
WindowsUpdateAgent (00's or 000's of times)

In my laptop cbs.log, the following "clients" initialize sessions:
DISM Package Manager Provider (x 2)
lpksetup (x 20)
WindowsUpdateAgent (x 00's or 000's)
Software Explorer (x 20)
SPP (x 7)

I think the lpksetup client sessions are highly suspect. Although I'm basing that primarily on this thread below and because I can't think of a legitimate reason for silent language pack operations to be occurring.

http://seclists.org/...re/2010/Oct/374

Exploit: Windows 7 lpksetup.exe (oci.dll) DLL Hijacking Vulnerability
Extension: .mlc
Author: Tyler Borland
Date: 10/20/2010
Tested on: Windows 7
Ultimate Effect: Remote Code Execution


My cbs.log files are many tens of thousands of lines / pages from only the last 3 weeks. But after a sfc /scannow clean, I turned on my laptop the next day and stuff started happening silently pretty much instantly without any prompt or signal whatsoever. I then ran another sfc scan and it replaced all the corrupted system files. The cbs.log excerpt for those two events only (20 min apart) is here: http://justpaste.it/98y

10 min after SFC replaced all the corrupted files in the excerpt above, the silent process kicked into gear again, uploading corrupted replacements from the offline registry hive. I ran SFC again, even more corrupted files cleaned and replaced. Around and around we go...switched-off computers are waking up of their own accord, and it creeps me out.

MBAM / SAS couldn't find a prostitute in a brothel. I seriously think they're both redundant and worthless. Immunet isn't really working at the moment, screenshot: Immunet Rootkit Scan

The requested HijackThis log is below:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:45:37 PM, on 11/03/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8080.16413)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\taskeng.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\goscuter1\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Users\goscuter1\Desktop\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = file://c:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = file://c:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: XmarksThumbnailsDLLBHO - {1BD0BEFE-F697-4eee-B7E1-76B849A5CB84} - C:\Program Files\Xmarks\Thumbnails for IE\xmarksthumbnails.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110310171744.dll
O2 - BHO: LastPass Browser Helper Object - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Users\goscuter1\AppData\Roaming\LastPass\LPBar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Webroot Browser Helper Object - {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} - (no file)
O2 - BHO: WRCommonBHO - {D93EC24D-8741-4D41-B83D-A5793B998416} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Users\goscuter1\AppData\Roaming\LastPass\LPBar.dll
O3 - Toolbar: (no name) - {97ab88ef-346b-4179-a0b1-7445896547a5} - (no file)
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: Kaspersky Security Scan.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O8 - Extra context menu item: LastPass - file://C:\Users\goscuter1\AppData\Roaming\LastPass\context.html?cmd=lastpass
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Users\goscuter1\AppData\Roaming\LastPass\context.html?cmd=fillforms
O9 - Extra button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Users\goscuter1\AppData\Roaming\LastPass\LPBar.dll
O9 - Extra button: (no name) - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Xmarks\IE Extension\xmarkssync.exe (HKCU)
O9 - Extra 'Tools' menuitem: Xmarks for IE... - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Xmarks\IE Extension\xmarkssync.exe (HKCU)
O9 - Extra button: Betway.com Casino - {8f5dc89b-70e1-48b3-a760-7b77aac47207} - https://betway.gamea...px?gameID=Lobby (file missing) (HKCU)
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://oas.support....veX/MSDcode.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Immunet 3.0 (ImmunetProtect) - Sourcefire, Inc. - C:\Program Files\Immunet Protect\3.0.0\agent.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Windows\system32\mfevtps.exe

--
End of file - 6934 bytes
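The client tally in the post above was done by hand. As an added example (not code from the poster or from this thread), the Python script below pulls the same figures out of a CBS.log automatically: how many servicing sessions each client initialized, which files System File Checker replaced from the component store or could not repair, and which clients opened sessions in the minutes leading up to the first repair. The sample log text is constructed to mimic the Windows 7 CBS.log layout; the session ids, file names and package name are illustrative. On a real machine the file lives at C:\Windows\Logs\CBS\CBS.log and its text can be passed to parse_cbs() unchanged. The output is a triage aid only: a client appearing before a repair says what was servicing the system at that time, not that it is malicious.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample in the layout of a Windows 7 CBS.log
# (timestamp, level, component, message). Session ids, file names and
# the package name are made up for illustration.
SAMPLE_CBS_LOG = """\
2011-03-11 18:40:02, Info                  CBS    Session: 30200000_100000001 initialized by client WindowsUpdateAgent.
2011-03-11 18:40:09, Info                  CBS    Session: 30200000_100000002 initialized by client WindowsUpdateAgent.
2011-03-11 18:41:15, Info                  CBS    Session: 30200000_100000003 initialized by client lpksetup.
2011-03-11 18:41:20, Info                  CBS    Session: 30200000_100000004 initialized by client DISM Package Manager Provider.
2011-03-11 19:01:00, Info                  CBS    Session: 30200000_100000005 initialized by client SFC.
2011-03-11 19:03:12, Info                  CBS    [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\\??\\C:\\Windows\\System32"\\[l:24{12}]"wuaueng.dll" from store
2011-03-11 19:03:13, Info                  CBS    [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\\??\\C:\\Windows\\System32"\\[l:22{11}]"lpksetup.exe" from store
2011-03-11 19:03:14, Info                  CBS    [SR] Cannot repair member file [l:20{10}]"sample.dll" of Example-Package, hash mismatch
2011-03-11 19:05:40, Info                  CBS    [SR] Repair complete
"""

# One CBS.log line: "<timestamp>, <level>   <component>   <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\w+)\s+(?P<comp>\w+)\s+(?P<msg>.*)$"
)
# Client names may contain spaces ("DISM Package Manager Provider") and end with a period.
SESSION_RE = re.compile(r"Session: (?P<sid>\S+) initialized by client (?P<client>.+?)\.\s*$")
# SFC writes the directory and the file name as two quoted, length-prefixed strings.
REPAIRED_RE = re.compile(
    r'\[SR\] Repairing corrupted file \[[^\]]*\]"(?P<dir>[^"]*)"\\\[[^\]]*\]"(?P<name>[^"]*)"'
)
UNREPAIRABLE_RE = re.compile(r'\[SR\] Cannot repair member file \[[^\]]*\]"(?P<name>[^"]*)"')


@dataclass
class CbsEvent:
    when: datetime
    kind: str    # "session", "repaired" or "unrepairable"
    detail: str  # client name for sessions, file name for [SR] lines


def parse_cbs(text: str) -> List[CbsEvent]:
    """Extract session starts and SFC ([SR]) repair results from CBS.log text.
    Every other line (and there are tens of thousands) is skipped."""
    events: List[CbsEvent] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        when = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        msg = m.group("msg")
        if s := SESSION_RE.search(msg):
            events.append(CbsEvent(when, "session", s.group("client")))
        elif r := REPAIRED_RE.search(msg):
            events.append(CbsEvent(when, "repaired", r.group("name")))
        elif u := UNREPAIRABLE_RE.search(msg):
            events.append(CbsEvent(when, "unrepairable", u.group("name")))
    return events


def client_counts(events: List[CbsEvent]) -> Counter:
    """Number of CBS sessions initialized by each client (the tally the post does by hand)."""
    return Counter(e.detail for e in events if e.kind == "session")


def sfc_results(events: List[CbsEvent]) -> Tuple[List[str], List[str]]:
    """Files SFC replaced from the component store, and files it could not repair."""
    repaired = [e.detail for e in events if e.kind == "repaired"]
    unrepairable = [e.detail for e in events if e.kind == "unrepairable"]
    return repaired, unrepairable


def sessions_before_first_repair(events: List[CbsEvent], window_minutes: int) -> List[str]:
    """Clients that opened a CBS session within window_minutes before the first SFC repair,
    in time order. Answers "what was servicing the system just before SFC found corruption?"
    without claiming any of those clients caused it."""
    repairs = [e.when for e in events if e.kind == "repaired"]
    if not repairs:
        return []
    first = min(repairs)
    start = first - timedelta(minutes=window_minutes)
    ordered = sorted(events, key=lambda e: e.when)
    return [e.detail for e in ordered if e.kind == "session" and start <= e.when < first]


if __name__ == "__main__":
    evs = parse_cbs(SAMPLE_CBS_LOG)
    for client, n in client_counts(evs).most_common():
        print(f"{n:6d}  {client}")
    rep, bad = sfc_results(evs)
    print("repaired:", rep)
    print("unrepairable:", bad)
    print("sessions in the 30 min before first repair:", sessions_before_first_repair(evs, 30))
```

Run against the real file with `parse_cbs(open(r"C:\Windows\Logs\CBS\CBS.log", errors="replace").read())`; the session count per client and the list of files SFC keeps replacing between two runs are the two numbers worth comparing from one day to the next.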



#2 goscuter1


Posted 11 March 2011 - 08:36 PM

Mostly out of boredom, I tried a ComboFix scan again. After the malware blocked it a few times saying it wasn't compatible with Vista or 7, I tried it in Safe Mode and it ran through its 70 stages or w/e and delivered a logfile - anything of value/interest in this huge log?

ComboFix 11-03-10.04 - goscuter1 12/03/2011 2:01.1.2 - x86 NETWORK
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.61.1033.18.3572.2805 [GMT 7:00]
Running from: c:\users\goscuter1\Desktop\agssgf.exe
AV: Immunet 3.0 *Disabled/Updated* {E26D838D-778A-C93D-0B41-46E786995C11}
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-02-11 to 2011-03-11 )))))))))))))))))))))))))))))))
.
.
2011-03-11 19:04 . 2011-03-11 19:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-11 18:55 . 2011-03-11 18:55 -------- d-----w- c:\programdata\Rcleaner
2011-03-11 18:54 . 2011-03-11 18:54 -------- d-----w- c:\program files\Rcleaner Rogue Remover
2011-03-10 11:32 . 2011-03-10 11:32 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2011-03-10 11:09 . 2011-03-10 11:09 -------- d-----w- c:\program files\Kaspersky Security Scan
2011-03-10 11:08 . 2011-03-10 11:08 -------- d-----w- c:\programdata\WinZip
2011-03-10 10:07 . 2011-03-10 10:07 31952 ----a-w- c:\windows\system32\drivers\ImmunetSelfProtect.sys
2011-03-10 10:07 . 2011-03-10 10:07 47440 ----a-w- c:\windows\system32\drivers\ImmunetProtect.sys
2011-03-10 10:02 . 2011-03-10 10:02 -------- d-----w- c:\program files\NirSoft
2011-03-10 08:50 . 2011-03-10 08:50 -------- d-----w- C:\Casino
2011-03-10 02:26 . 2011-03-10 02:26 -------- d-----w- c:\program files\Common Files\Adobe
2011-03-10 02:23 . 2011-03-10 10:08 -------- d-----w- c:\programdata\Immunet
2011-03-10 02:22 . 2011-03-11 19:07 -------- d-----w- c:\program files\Immunet Protect
2011-03-10 02:20 . 2011-03-10 07:13 -------- d-----w- c:\programdata\Google Updater
2011-03-10 02:20 . 2011-03-10 02:25 -------- d-----w- c:\program files\Google
2011-03-09 15:10 . 2011-03-09 15:10 -------- d-----w- c:\programdata\McAfee Security Scan
2011-03-09 14:49 . 2010-10-13 15:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-03-09 14:49 . 2010-10-13 15:28 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-03-09 14:49 . 2010-10-13 15:28 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2011-03-09 14:49 . 2010-10-13 15:28 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-03-09 14:49 . 2010-10-13 15:28 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-03-09 14:49 . 2010-10-13 15:28 164840 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2011-03-09 14:49 . 2010-10-13 15:28 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-03-09 14:49 . 2010-10-13 15:28 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-03-09 14:49 . 2011-03-09 14:50 -------- d-----w- c:\program files\Common Files\Mcafee
2011-03-09 14:49 . 2011-03-09 15:01 -------- d-----w- c:\program files\McAfee
2011-03-09 14:38 . 2010-10-13 15:28 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-03-09 10:35 . 2011-03-09 10:35 -------- d-----w- c:\program files\Microsoft Baseline Security Analyzer 2
2011-03-09 09:45 . 2011-02-19 06:30 805376 ----a-w- c:\windows\system32\FntCache.dll
2011-03-09 09:45 . 2011-02-19 06:30 1076736 ----a-w- c:\windows\system32\DWrite.dll
2011-03-09 09:45 . 2011-02-19 06:30 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-03-09 04:29 . 2010-12-23 05:54 850944 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 04:29 . 2010-12-23 05:54 642048 ----a-w- c:\windows\system32\CPFilters.dll
2011-03-09 04:29 . 2010-12-23 05:54 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 04:29 . 2010-12-23 05:50 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-06 03:31 . 2011-03-09 15:10 -------- d-----w- c:\program files\McAfee Security Scan
2011-03-06 02:22 . 2010-04-13 13:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2011-03-06 02:22 . 2011-03-06 02:22 -------- d-----w- c:\program files\McAfee Online Backup
2011-03-06 02:20 . 2011-03-09 13:24 -------- d-----w- c:\programdata\NVIDIA
2011-03-06 02:18 . 2011-01-08 03:27 5653096 ----a-w- c:\windows\system32\nvwgf2um.dll
2011-03-06 02:18 . 2011-01-08 03:27 15047272 ----a-w- c:\windows\system32\nvoglv32.dll
2011-03-06 02:18 . 2011-01-08 03:27 10467656 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2011-03-06 02:18 . 2011-01-08 03:27 10078312 ----a-w- c:\windows\system32\nvd3dum.dll
2011-03-06 02:18 . 2011-01-08 03:27 4941928 ----a-w- c:\windows\system32\nvcuda.dll
2011-03-06 02:18 . 2011-01-08 03:27 2895976 ----a-w- c:\windows\system32\nvcuvid.dll
2011-03-06 02:18 . 2011-01-08 03:27 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-03-06 02:18 . 2011-01-08 03:27 1965672 ----a-w- c:\windows\system32\nvapi.dll
2011-03-06 02:10 . 2011-03-06 02:19 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-03-06 02:09 . 2011-01-08 03:27 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-03-06 02:09 . 2011-01-08 03:27 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-03-06 02:09 . 2011-01-08 03:27 57960 ----a-w- c:\windows\system32\OpenCL.dll
2011-03-06 02:09 . 2011-01-08 03:27 13011560 ----a-w- c:\windows\system32\nvcompiler.dll
2011-03-06 02:08 . 2011-03-10 09:20 -------- d-----w- c:\program files\NVIDIA Corporation
2011-03-06 02:08 . 2011-03-06 02:08 -------- d-----w- C:\NVIDIA
2011-03-06 00:50 . 2011-03-06 01:52 -------- d-----w- c:\programdata\AVAST Software
2011-03-06 00:50 . 2011-03-06 00:50 -------- d-----w- c:\program files\AVAST Software
2011-03-06 00:08 . 2011-03-06 00:08 -------- d-----w- c:\program files\UltraISO
2011-03-06 00:08 . 2011-03-06 00:08 -------- d-----w- c:\program files\Common Files\EZB Systems
2011-03-05 17:25 . 2011-03-05 17:27 -------- d-----w- c:\program files\TweakNow PowerPack 2011
2011-03-05 17:19 . 2011-02-23 02:35 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B3B99559-E40D-49FE-A08C-93E928E2D9A3}\mpengine.dll
2011-03-03 03:38 . 2011-03-05 18:22 -------- d-----w- c:\program files\CMAK
2011-03-02 19:51 . 2011-02-15 07:36 45072 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2011-03-02 19:51 . 2011-02-15 07:36 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2011-03-02 19:51 . 2011-02-15 07:36 182056 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2011-03-02 19:51 . 2011-02-15 21:11 116592 ----a-w- c:\windows\system32\drivers\pwipf6.sys
2011-02-26 03:57 . 2011-02-26 03:57 -------- d-----w- c:\program files\Common Files\Skype
2011-02-26 03:56 . 2011-03-05 17:08 -------- d-----r- c:\program files\Skype
2011-02-26 03:56 . 2011-02-26 03:56 -------- d-----w- c:\programdata\Skype
2011-02-26 03:44 . 2011-02-26 03:45 -------- d-----w- c:\program files\Trillian
2011-02-25 22:56 . 2011-02-25 08:01 -------- d-----w- c:\windows\Panther
2011-02-25 20:56 . 2011-02-25 20:57 -------- d-----w- c:\program files\VPNSecureMe
2011-02-25 20:34 . 2011-02-25 20:34 -------- d-----w- c:\program files\Common Files\Java
2011-02-25 20:34 . 2011-02-25 20:34 -------- d-----w- c:\program files\Java
2011-02-25 20:06 . 2011-02-25 20:07 -------- d-----w- c:\program files\OpenVPN
2011-02-25 19:50 . 2011-02-05 06:20 94208 ----a-w- c:\program files\Internet Explorer\th\iediag.resources.dll
2011-02-25 17:53 . 2011-03-04 01:45 -------- d-----w- c:\program files\Full Tilt Poker
2011-02-25 17:38 . 2011-02-25 17:39 -------- d-----w- c:\program files\Xmarks
2011-02-25 15:42 . 2011-03-05 15:41 -------- d-----w- c:\programdata\boost_interprocess
2011-02-25 15:08 . 2011-02-25 15:08 -------- d-----w- c:\programdata\Trend Micro
2011-02-25 14:05 . 2011-02-25 14:05 -------- d-----w- c:\program files\Microsoft Silverlight
2011-02-25 12:57 . 2011-02-25 15:21 -------- d-----w- c:\program files\ImageShack Uploader
2011-02-25 12:14 . 2011-02-25 12:17 -------- d-----w- c:\program files\Wave Systems Corp
2011-02-25 12:14 . 2011-02-25 12:14 -------- d-----w- c:\windows\system32\Test
2011-02-25 12:14 . 2011-02-25 13:31 -------- d-----w- c:\programdata\Wave Systems Corp
2011-02-25 12:14 . 2011-02-25 12:14 -------- d-----w- c:\windows\Downloaded Installations
2011-02-25 12:12 . 2011-02-25 12:12 -------- d-----w- c:\programdata\NTRU Cryptosystems
2011-02-25 12:10 . 2011-02-25 12:10 -------- d-----w- c:\windows\system32\drivers\th-TH
2011-02-25 12:10 . 2011-02-25 19:51 -------- d-----w- c:\windows\system32\wbem\th-TH
2011-02-25 12:10 . 2011-02-25 12:10 -------- d-----w- c:\windows\th-TH
2011-02-25 12:04 . 2011-02-25 12:04 -------- d-----w- c:\program files\Microsoft.NET
2011-02-25 11:33 . 2011-02-25 11:33 -------- d-----w- c:\programdata\Dell
2011-02-25 11:14 . 2011-02-25 11:14 -------- d-----w- c:\windows\system32\SPReview
2011-02-25 11:13 . 2011-02-25 11:13 -------- d-----w- c:\windows\system32\EventProviders
2011-02-25 10:59 . 2010-11-05 01:58 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-02-25 10:59 . 2010-11-20 12:19 53760 ----a-w- c:\windows\system32\LSCSHostPolicy.dll
2011-02-25 10:59 . 2010-11-20 10:24 52224 ----a-w- c:\windows\system32\drivers\TsUsbFlt.sys
2011-02-25 10:59 . 2010-11-20 12:21 11776 ----a-w- c:\windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2011-02-25 10:59 . 2010-11-20 12:19 3215872 ----a-w- c:\windows\system32\mstscax.dll
2011-02-25 10:59 . 2010-11-20 12:18 1171456 ----a-w- c:\windows\system32\d3d10warp.dll
2011-02-25 10:59 . 2010-11-20 12:21 120320 ----a-w- c:\windows\system32\tssrvlic.dll
2011-02-25 10:59 . 2010-11-20 12:19 954752 ----a-w- c:\windows\system32\mfc40.dll
2011-02-25 10:59 . 2010-11-20 12:19 954288 ----a-w- c:\windows\system32\mfc40u.dll
2011-02-25 10:59 . 2010-11-20 12:17 80896 ----a-w- c:\windows\system32\RDVGHelper.exe
2011-02-25 10:57 . 2010-11-20 12:30 3911040 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-02-25 10:56 . 2010-11-20 12:17 280576 ----a-w- c:\windows\system32\spreview.exe
2011-02-25 10:55 . 2010-11-20 12:18 1792000 ----a-w- c:\windows\system32\authui.dll
2011-02-25 10:54 . 2010-11-20 12:19 304640 ----a-w- c:\windows\system32\gdi32.dll
2011-02-25 10:53 . 2010-11-20 12:20 1508864 ----a-w- c:\windows\system32\pla.dll
2011-02-25 10:52 . 2010-11-20 12:30 173440 ----a-w- c:\windows\system32\drivers\rdyboost.sys
2011-02-25 10:51 . 2010-11-20 12:18 210432 ----a-w- c:\windows\system32\dxdiagn.dll
2011-02-25 10:50 . 2010-11-20 12:20 28672 ----a-w- c:\windows\system32\profprov.dll
2011-02-25 10:49 . 2009-12-15 02:31 260712 ----a-w- c:\windows\system32\nViewSetup.exe
2011-02-25 10:48 . 2011-02-25 10:48 -------- d-----w- c:\windows\system32\SRSLabs
2011-02-25 10:48 . 2010-11-20 12:21 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
2011-02-25 10:48 . 2010-11-20 12:21 780288 ----a-w- c:\windows\system32\wbem\wbemcore.dll
2011-02-25 10:48 . 2010-11-20 12:21 363008 ----a-w- c:\windows\system32\wbemcomn.dll
2011-02-25 10:48 . 2010-11-20 12:19 606208 ----a-w- c:\windows\system32\wbem\fastprox.dll
2011-02-25 10:48 . 2010-11-20 12:21 697344 ----a-w- c:\windows\system32\SmiEngine.dll
2011-02-25 10:48 . 2010-11-20 12:21 189952 ----a-w- c:\windows\system32\wdscore.dll
2011-02-25 10:48 . 2010-11-20 12:17 209920 ----a-w- c:\windows\system32\PkgMgr.exe
2011-02-25 10:48 . 2009-12-15 02:31 795104 ----a-w- c:\windows\system32\dpinst.exe
2011-02-25 10:47 . 2009-12-15 02:31 592488 ----a-w- c:\windows\system32\nvudisp.exe
2011-02-25 10:47 . 2010-11-20 12:18 323072 ----a-w- c:\windows\system32\drvstore.dll
2011-02-25 10:47 . 2010-11-20 12:18 257024 ----a-w- c:\windows\system32\dpx.dll
2011-02-25 10:47 . 2009-12-15 02:31 256616 ----a-w- c:\windows\system32\nvdecodemft.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-25 11:41 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-01-11 15:04 . 2011-01-11 15:04 183296 ----a-w- c:\windows\system32\Ncs2Setp.dll
2011-01-11 14:56 . 2011-01-11 14:56 659576 ----a-w- c:\windows\system32\ncs2dmix.dll
2011-01-11 14:56 . 2011-01-11 14:56 514168 ----a-w- c:\windows\system32\accesor.dll
2011-01-11 14:25 . 2011-01-11 14:25 135288 ----a-w- c:\windows\system32\ncs2instutility.dll
2011-01-11 14:01 . 2011-01-11 14:01 1930360 ----a-w- c:\windows\system32\ncscolib.dll
2011-01-08 03:27 . 2011-03-06 02:18 10920 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
2011-01-07 14:06 . 2011-01-07 14:06 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-01-07 14:06 . 2011-01-07 14:06 3597416 ----a-w- c:\windows\system32\nvcpl.dll
2011-01-07 14:06 . 2011-01-07 14:06 2620520 ----a-w- c:\windows\system32\nvsvc.dll
2011-01-07 14:06 . 2011-01-07 14:06 66664 ----a-w- c:\windows\system32\nvshext.dll
2011-01-07 14:06 . 2011-01-07 14:06 608872 ----a-w- c:\windows\system32\nvvsvc.exe
2011-01-07 14:06 . 2011-01-07 14:06 288872 ----a-w- c:\windows\system32\nvhotkey.dll
2011-01-07 14:06 . 2011-01-07 14:06 2558568 ----a-w- c:\windows\system32\nvsvcr.dll
2011-01-07 14:06 . 2011-01-07 14:06 111208 ----a-w- c:\windows\system32\nvmctray.dll
2010-10-13 15:28 . 2011-03-10 10:17 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2010-03-29 05:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-13 13:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-13 13:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-13 13:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SharingPrivate]
@="{08244EE6-92F0-47f2-9FC9-929BAA2E7235}"
[HKEY_CLASSES_ROOT\CLSID\{08244EE6-92F0-47f2-9FC9-929BAA2E7235}]
2010-11-20 12:20 442880 ----a-w- c:\windows\System32\ntshrui.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2010-03-29 05:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowCpl"= 1 (0x1)
"MaxRecentDocs"= 6 (0x6)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /A:* /L:1033 /KBD:2 /dir:C:\Program
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EFS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Power]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcEptMapper]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kaspersky Security Scan.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Kaspersky Security Scan.lnk
backup=c:\windows\pss\Kaspersky Security Scan.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Online Backup Status.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Online Backup Status.lnk
backup=c:\windows\pss\McAfee Online Backup Status.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^TdmNotify.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\TdmNotify.lnk
backup=c:\windows\pss\TdmNotify.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Trend Micro SafeSync.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Trend Micro SafeSync.lnk
backup=c:\windows\pss\Trend Micro SafeSync.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 16:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellControlPoint]
2009-11-02 04:40 657920 ----a-w- c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]
2011-03-10 02:21 126976 ----a-w- c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-02-25 18:12 136176 ----atw- c:\users\goscuter1\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Immunet Protect]
2011-03-10 10:07 2584904 ----a-w- c:\program files\Immunet Protect\3.0.0\iptray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcui_exe]
2011-01-17 09:15 1193848 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2011-01-07 14:06 288872 ----a-w- c:\windows\System32\nvhotkey.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 07:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USCService]
2010-06-22 04:33 34232 ----a-w- c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualDesk]
2011-02-23 10:17 6089576 ----a-w- c:\program files\TweakNow PowerPack 2011\VirDesk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xmarks]
2011-02-05 03:55 1092808 ----a-w- c:\program files\Xmarks\IE Extension\xmarkssync.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 1394ohci;1394 OHCI Compliant Host Controller;c:\windows\system32\drivers\1394ohci.sys [2010-11-20 164864]
R3 AcpiPmi;ACPI Power Meter Driver;c:\windows\system32\drivers\acpipmi.sys [2010-11-20 10240]
R3 adp94xx;adp94xx;c:\windows\system32\DRIVERS\adp94xx.sys [2009-07-14 422976]
R3 adpahci;adpahci;c:\windows\system32\DRIVERS\adpahci.sys [2009-07-14 297552]
R3 amdsata;amdsata;c:\windows\system32\drivers\amdsata.sys [2010-11-20 80256]
R3 amdsbs;amdsbs;c:\windows\system32\DRIVERS\amdsbs.sys [2009-07-14 159312]
R3 Amps2prt;A4Tech PS/2 Port Mouse Driver;c:\windows\system32\DRIVERS\Amps2prt.sys [2007-03-06 14336]
R3 AppID;AppID Driver;c:\windows\system32\drivers\appid.sys [2010-11-20 50176]
R3 AppIDSvc;Application Identity;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 arcsas;arcsas;c:\windows\system32\DRIVERS\arcsas.sys [2009-07-14 86608]
R3 b06bdrv;Broadcom NetXtreme II VBD;c:\windows\system32\DRIVERS\bxvbdx.sys [2009-07-13 430080]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2009-07-13 229888]
R3 BDESVC;BitLocker Drive Encryption Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 BrFiltLo;Brother USB Mass-Storage Lower Filter Driver;c:\windows\system32\DRIVERS\BrFiltLo.sys [2009-07-13 13568]
R3 BrFiltUp;Brother USB Mass-Storage Upper Filter Driver;c:\windows\system32\DRIVERS\BrFiltUp.sys [2009-07-13 5248]
R3 Brserid;Brother MFC Serial Port Interface Driver (WDM);c:\windows\System32\Drivers\Brserid.sys [2009-07-14 272128]
R3 BrSerWdm;Brother WDM Serial driver;c:\windows\System32\Drivers\BrSerWdm.sys [2009-07-13 62336]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\System32\Drivers\BrUsbMdm.sys [2009-07-13 12160]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-13 55840]
R3 circlass;Consumer IR Devices;c:\windows\system32\DRIVERS\circlass.sys [2009-07-13 37888]
R3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [x]
R3 defragsvc;Disk Defragmenter;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 ebdrv;Broadcom NetXtreme II 10 GigE VBD;c:\windows\system32\DRIVERS\evbdx.sys [2009-07-13 3100160]
R3 elxstor;elxstor;c:\windows\system32\DRIVERS\elxstor.sys [2009-07-14 453712]
R3 fdPHost;Function Discovery Provider Host;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 Filetrace;Filetrace;c:\windows\system32\drivers\filetrace.sys [2009-07-13 28160]
R3 FsDepends;File System Dependency Minifilter;c:\windows\system32\drivers\FsDepends.sys [2009-07-14 46160]
R3 hcw85cir;Hauppauge Consumer Infrared Receiver;c:\windows\system32\drivers\hcw85cir.sys [2009-07-13 26624]
R3 HomeGroupListener;HomeGroup Listener;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 HomeGroupProvider;HomeGroup Provider;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 HpSAMD;HpSAMD;c:\windows\system32\drivers\HpSAMD.sys [2009-07-14 67152]
R3 IPBusEnum;PnP-X IP Bus Enumerator;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 IPMIDRV;IPMIDRV;c:\windows\system32\drivers\IPMIDrv.sys [2010-11-20 65536]
R3 iScsiPrt;iScsiPort Driver;c:\windows\system32\drivers\msiscsi.sys [2010-11-20 233344]
R3 KtmRm;KtmRm for Distributed Transaction Coordinator;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 lltdsvc;Link-Layer Topology Discovery Mapper;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 LSI_FC;LSI_FC;c:\windows\system32\DRIVERS\lsi_fc.sys [2009-07-14 95824]
R3 LSI_SAS;LSI_SAS;c:\windows\system32\DRIVERS\lsi_sas.sys [2009-07-14 89168]
R3 LSI_SAS2;LSI_SAS2;c:\windows\system32\DRIVERS\lsi_sas2.sys [2009-07-14 54864]
R3 LSI_SCSI;LSI_SCSI;c:\windows\system32\DRIVERS\lsi_scsi.sys [2009-07-14 96848]
R3 megasas;megasas;c:\windows\system32\DRIVERS\megasas.sys [2009-07-14 30800]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-13 84264]
R3 mpio;Microsoft Multi-Path Bus Driver;c:\windows\system32\drivers\mpio.sys [2010-11-20 130432]
R3 msahci;msahci;c:\windows\system32\drivers\msahci.sys [2010-11-20 28032]
R3 msdsm;Microsoft Multi-Path Device Specific Module;c:\windows\system32\drivers\msdsm.sys [2010-11-20 116096]
R3 mshidkmdf;Pass-through HID to KMDF Filter Driver;c:\windows\System32\drivers\mshidkmdf.sys [2009-07-13 4096]
R3 MSiSCSI;Microsoft iSCSI Initiator Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 MsRPC;MsRPC; [x]
R3 MTConfig;Microsoft Input Configuration Driver;c:\windows\system32\DRIVERS\MTConfig.sys [2009-07-13 12288]
R3 NdisCap;NDIS Capture LightWeight Filter;c:\windows\system32\DRIVERS\ndiscap.sys [2009-07-13 27136]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 nfrd960;nfrd960;c:\windows\system32\DRIVERS\nfrd960.sys [2009-07-14 44624]
R3 nvstor;nvstor;c:\windows\system32\drivers\nvstor.sys [2010-11-20 143744]
R3 PcaSvc;Program Compatibility Assistant Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 PeerDistSvc;BranchCache;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 pla;Performance Logs & Alerts;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 PNRPAutoReg;PNRP Machine Name Publication Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 ql2300;ql2300;c:\windows\system32\DRIVERS\ql2300.sys [2009-07-14 1383488]
R3 ql40xx;ql40xx;c:\windows\system32\DRIVERS\ql40xx.sys [2009-07-14 106064]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 s3cap;s3cap;c:\windows\system32\drivers\vms3cap.sys [2010-11-20 5632]
R3 SCPolicySvc;Smart Card Removal Policy;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 SDRSVC;Windows Backup;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 SensrSvc;Adaptive Brightness;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 SessionEnv;Remote Desktop Configuration;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 sffp_mmc;SFF Storage Protocol Driver for MMC;c:\windows\system32\drivers\sffp_mmc.sys [2009-07-13 12288]
R3 SiSRaid4;SiSRaid4;c:\windows\system32\DRIVERS\sisraid4.sys [2009-07-14 77888]
R3 Smb;Message-oriented TCP/IP and TCP/IPv6 Protocol (SMB session);c:\windows\system32\DRIVERS\smb.sys [2009-07-13 71168]
R3 sppsvc;Software Protection;c:\windows\system32\sppsvc.exe [2010-11-20 3179520]
R3 sppuinotify;SPP Notification Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 stexstor;stexstor;c:\windows\system32\DRIVERS\stexstor.sys [2009-07-14 21072]
R3 storvsc;storvsc;c:\windows\system32\drivers\storvsc.sys [2010-11-20 28032]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TBS;TPM Base Services;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 THREADORDER;Thread Ordering Server;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 tssecsrv;Remote Desktop Services Security Filter Driver;c:\windows\system32\DRIVERS\tssecsrv.sys [2010-11-20 31232]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 UI0Detect;Interactive Services Detection;c:\windows\system32\UI0Detect.exe [2009-07-14 35840]
R3 uliagpkx;Uli AGP Bus Filter;c:\windows\system32\drivers\uliagpkx.sys [2009-07-14 57424]
R3 UmRdpService;Remote Desktop Services UserMode Port Redirector;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 usbcir;eHome Infrared Receiver (USBCIR);c:\windows\system32\drivers\usbcir.sys [2009-07-13 86016]
R3 VaultSvc;Credential Manager;c:\windows\system32\lsass.exe [2009-07-14 22528]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 vhdmp;vhdmp;c:\windows\system32\drivers\vhdmp.sys [2010-11-20 160128]
R3 ViaC7;VIA C7 Processor Driver;c:\windows\system32\DRIVERS\viac7.sys [2009-07-13 52736]
R3 VMBusHID;VMBusHID;c:\windows\system32\drivers\VMBusHID.sys [2010-11-20 17920]
R3 vsmraid;vsmraid;c:\windows\system32\DRIVERS\vsmraid.sys [2009-07-14 141904]
R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\DRIVERS\wacompen.sys [2009-07-13 21632]
R3 wbengine;Block Level Backup Engine Service;c:\windows\system32\wbengine.exe [2010-11-20 1203200]
R3 WbioSrvc;Windows Biometric Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 wcncsvc;Windows Connect Now - Config Registrar;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 WcsPlugInService;Windows Color System;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 Wd;Wd;c:\windows\system32\DRIVERS\wd.sys [2009-07-14 19024]
R3 Wecsvc;Windows Event Collector;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 wercplsupport;Problem Reports and Solutions Control Panel Support;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 WerSvc;Windows Error Reporting Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 WIMMount;WIMMount;c:\windows\system32\drivers\wimmount.sys [2009-07-14 19008]
R3 WinDefend;Windows Defender;c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 WinRM;Windows Remote Management (WS-Management);c:\windows\System32\svchost.exe [2009-07-14 20992]
R3 WPCSvc;Parental Controls;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 WPDBusEnum;Portable Device Enumerator Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
R3 wrssweep;Webroots Volume Access Driver;c:\progra~1\Webroot\Security\Current\plugins\cleanup\wrssweep.sys [x]
R3 WwanSvc;WWAN AutoConfig;c:\windows\system32\svchost.exe [2009-07-14 20992]
R4 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [2009-11-20 278304]
R4 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2009-12-17 812448]
R4 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2009-12-17 27040]
R4 CscService;Offline Files;c:\windows\System32\svchost.exe [2009-07-14 20992]
R4 FDResPub;Function Discovery Resource Publication;c:\windows\system32\svchost.exe [2009-07-14 20992]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-03-10 136176]
R4 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-12-06 109728]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
R4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.199\McCHSvc.exe [2011-02-23 237008]
R4 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
R4 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
R4 Mcx2Svc;Media Center Extender Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
R4 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-10-13 188136]
R4 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [2010-04-13 229688]
R4 TabletInputService;Tablet PC Input Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
S0 amdxata;amdxata;c:\windows\system32\drivers\amdxata.sys [2010-11-20 22400]
S0 CLFS;Common Log (CLFS);c:\windows\System32\CLFS.sys [2009-07-14 249408]
S0 CNG;CNG;c:\windows\System32\Drivers\cng.sys [2009-07-14 369568]
S0 FileInfo;File Information FS MiniFilter;c:\windows\system32\drivers\fileinfo.sys [2009-07-14 58448]
S0 fvevol;Bitlocker Drive Encryption Filter Driver;c:\windows\System32\DRIVERS\fvevol.sys [2010-11-20 194800]
S0 hwpolicy;Hardware Policy Driver;c:\windows\System32\drivers\hwpolicy.sys [2010-11-20 14208]
S0 iaStorV;Intel RAID Controller Windows 7;c:\windows\system32\drivers\iaStorV.sys [2010-11-20 332160]
S0 KSecPkg;KSecPkg;c:\windows\System32\Drivers\ksecpkg.sys [2009-07-14 133200]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-13 164840]
S0 msisadrv;msisadrv;c:\windows\system32\drivers\msisadrv.sys [2009-07-14 13888]
S0 pcw;Performance Counters for Windows Driver;c:\windows\System32\drivers\pcw.sys [2009-07-14 43088]
S0 rdyboost;ReadyBoost;c:\windows\System32\drivers\rdyboost.sys [2010-11-20 173440]
S0 spldr;Security Processor Loader Driver; [x]
S0 storflt;Disk Virtual Machine Bus Acceleration Filter Driver;c:\windows\system32\drivers\vmstorfl.sys [2010-11-20 40704]
S0 vdrvroot;Microsoft Virtual Drive Enumerator Driver;c:\windows\system32\drivers\vdrvroot.sys [2009-07-14 32832]
S0 vmbus;Virtual Machine Bus;c:\windows\system32\drivers\vmbus.sys [2010-11-20 175360]
S0 volmgr;Volume Manager Driver;c:\windows\system32\drivers\volmgr.sys [2010-11-20 53120]
S0 volmgrx;Dynamic Volume Manager;c:\windows\System32\drivers\volmgrx.sys [2009-07-14 297040]
S1 blbdrive;blbdrive;c:\windows\system32\DRIVERS\blbdrive.sys [2009-07-13 35328]
S1 CSC;Offline Files Driver;c:\windows\system32\drivers\csc.sys [2010-11-20 388096]
S1 DfsC;DFS Namespace Client Driver;c:\windows\system32\Drivers\dfsc.sys [2010-11-20 78336]
S1 discache;System Attribute Cache;c:\windows\system32\drivers\discache.sys [2009-07-13 32256]
S1 ImmunetProtectDriver;ImmunetProtectDriver;c:\windows\system32\DRIVERS\ImmunetProtect.sys [2011-03-10 47440]
S1 ImmunetSelfProtectDriver;ImmunetSelfProtectDriver;c:\windows\system32\DRIVERS\ImmunetSelfProtect.sys [2011-03-10 31952]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-10-13 64304]
S1 MOBKFilter;MOBKFilter;c:\windows\system32\DRIVERS\MOBK.sys [2010-04-13 54776]
S1 nsiproxy;NSI proxy service driver.;c:\windows\system32\drivers\nsiproxy.sys [2009-07-13 16896]
S1 pwipf6;Privacyware Filter Driver;c:\windows\system32\DRIVERS\pwipf6.sys [2011-02-15 116592]
S1 RDPENCDD;RDP Encoder Mirror Driver;c:\windows\system32\drivers\rdpencdd.sys [2009-07-14 6656]
S1 RDPREFMP;Reflector Display Driver used to gain access to graphics data;c:\windows\system32\drivers\rdprefmp.sys [2009-07-14 7168]
S1 tdx;NetIO Legacy TDI Support Driver;c:\windows\system32\DRIVERS\tdx.sys [2010-11-20 74752]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S1 Wanarpv6;Remote Access IPv6 ARP Driver;c:\windows\system32\DRIVERS\wanarp.sys [2010-11-20 63488]
S1 WfpLwf;WFP Lightweight Filter;c:\windows\system32\DRIVERS\wfplwf.sys [2009-07-13 9728]
S2 AudioEndpointBuilder;Windows Audio Endpoint Builder;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 BFE;Base Filtering Engine;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 CertPropSvc;Certificate Propagation;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 DPS;Diagnostic Policy Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 gpsvc;Group Policy Client;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 IKEEXT;IKE and AuthIP IPsec Keying Modules;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 ImmunetProtect;Immunet 3.0;c:\program files\Immunet Protect\3.0.0\agent.exe [2011-03-10 729424]
S2 iphlpsvc;IP Helper;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 lltdio;Link-Layer Topology Discovery Mapper I/O Driver;c:\windows\system32\DRIVERS\lltdio.sys [2009-07-13 48128]
S2 luafv;UAC File Virtualization;c:\windows\system32\drivers\luafv.sys [2009-07-13 86528]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-10-13 141792]
S2 MMCSS;Multimedia Class Scheduler;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 MpsSvc;Windows Firewall;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 NlaSvc;Network Location Awareness;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 nsi;Network Store Interface Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 PEAUTH;PEAUTH;c:\windows\system32\drivers\peauth.sys [2009-07-14 586752]
S2 Power;Power;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 ProfSvc;User Profile Service;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 RpcEptMapper;RPC Endpoint Mapper;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 ssfmonm;ssfmonm;c:\windows\system32\DRIVERS\ssfmonm.sys [2011-02-15 45072]
S2 SysMain;Superfetch;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 tcpipreg;TCP/IP Registry Compatibility;c:\windows\system32\drivers\tcpipreg.sys [2010-11-20 35328]
S2 UxSms;Desktop Window Manager Session Manager;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 Wlansvc;WLAN AutoConfig;c:\windows\system32\svchost.exe [2009-07-14 20992]
S3 Appinfo;Application Information;c:\windows\system32\svchost.exe [2009-07-14 20992]
S3 bowser;Browser Support Driver;c:\windows\system32\DRIVERS\bowser.sys [2009-07-13 69632]
S3 CompositeBus;Composite Bus Enumerator Driver;c:\windows\system32\drivers\CompositeBus.sys [2010-11-20 31232]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2009-11-03 33832]
S3 DXGKrnl;LDDM Graphics Subsystem;c:\windows\System32\drivers\dxgkrnl.sys [2010-11-20 728448]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6232.sys [2009-06-12 221912]
S3 KeyIso;CNG Key Isolation;c:\windows\system32\lsass.exe [2009-07-14 22528]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-13 313288]
S3 monitor;Microsoft Monitor Class Function Driver Service;c:\windows\system32\DRIVERS\monitor.sys [2009-07-13 23552]
S3 mpsdrv;Windows Firewall Authorization Driver;c:\windows\system32\drivers\mpsdrv.sys [2009-07-13 60416]
S3 mrxsmb10;SMB 1.x MiniRedirector;c:\windows\system32\DRIVERS\mrxsmb10.sys [2010-11-20 223232]
S3 mrxsmb20;SMB 2.0 MiniRedirector;c:\windows\system32\DRIVERS\mrxsmb20.sys [2010-11-20 96768]
S3 NativeWifiP;NativeWiFi Filter;c:\windows\system32\DRIVERS\nwifi.sys [2009-07-13 267264]
S3 netprofm;Network List Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2010-10-18 7122944]
S3 RasAgileVpn;WAN Miniport (IKEv2);c:\windows\system32\DRIVERS\AgileVpn.sys [2009-07-13 49152]
S3 rdpbus;Remote Desktop Device Redirector Bus Driver;c:\windows\system32\DRIVERS\rdpbus.sys [2009-07-14 18944]
S3 scfilter;Smart card PnP Class Filter Driver;c:\windows\system32\DRIVERS\scfilter.sys [2010-11-20 26624]
S3 srv2;Server SMB 2.xxx Driver;c:\windows\system32\DRIVERS\srv2.sys [2010-11-20 309248]
S3 srvnet;srvnet;c:\windows\system32\DRIVERS\srvnet.sys [2010-11-20 114176]
S3 TrustedInstaller;Windows Modules Installer;c:\windows\servicing\TrustedInstaller.exe [2010-11-20 204800]
S3 tunnel;Microsoft Tunnel Miniport Adapter Driver;c:\windows\system32\DRIVERS\tunnel.sys [2010-11-20 108544]
S3 umbus;UMBus Enumerator Driver;c:\windows\system32\DRIVERS\umbus.sys [2010-11-20 39936]
S3 vwifibus;Virtual WiFi Bus Driver;c:\windows\system32\DRIVERS\vwifibus.sys [2009-07-13 19968]
S3 WdiServiceHost;Diagnostic Service Host;c:\windows\System32\svchost.exe [2009-07-14 20992]
S3 WdiSystemHost;Diagnostic System Host;c:\windows\System32\svchost.exe [2009-07-14 20992]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
RPCSS REG_MULTI_SZ RpcEptMapper RpcSs
defragsvc REG_MULTI_SZ defragsvc
WerSvcGroup REG_MULTI_SZ wersvc
LocalServiceNoNetwork REG_MULTI_SZ DPS PLA BFE mpssvc WwanSvc
swprv REG_MULTI_SZ swprv
LocalServicePeerNet REG_MULTI_SZ PNRPSvc p2pimsvc p2psvc PnrpAutoReg
NetworkServiceAndNoImpersonation REG_MULTI_SZ KtmRm
regsvc REG_MULTI_SZ RemoteRegistry
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc
DcomLaunch REG_MULTI_SZ Power PlugPlay DcomLaunch
NetworkServiceNetworkRestricted REG_MULTI_SZ PolicyAgent
sdrsvc REG_MULTI_SZ sdrsvc
WbioSvcGroup REG_MULTI_SZ WbioSrvc
wcssvc REG_MULTI_SZ WcsPlugInService
AxInstSVGroup REG_MULTI_SZ AxInstSV
secsvcs REG_MULTI_SZ WinDefend
PeerDist REG_MULTI_SZ PeerDistSvc
bdx REG_MULTI_SZ scan sysagent
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AeLookupSvc
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
IKEEXT
AudioSrv
FastUserSwitchingCompatibility
Nla
NWCWorkstation
SRService
Wmi
WmdmPmSp
TermService
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
seclogon
AppInfo
msiscsi
MMCSS
wercplsupport
EapHost
ProfSvc
schedule
hkmsvc
SessionEnv
winmgmt
browser
Themes
BDESVC
AppMgmt
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalSystemNetworkRestricted
homegrouplistener
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
WdiServiceHost
sppuinotify
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetworkService
lanmanworkstation
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalServiceNetworkRestricted
BthHFSrv
homegroupprovider
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-03-10 02:20]
.
2011-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-10 02:21]
.
2011-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-10 02:21]
.
2011-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3282757158-1001404969-4251380021-1000Core.job
- c:\users\goscuter1\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-25 18:12]
.
2011-03-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3282757158-1001404969-4251380021-1000UA.job
- c:\users\goscuter1\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-25 18:12]
.
2011-03-11 c:\windows\Tasks\Immunet Scan 3192638.job
- c:\program files\Immunet Protect\ips.exe [2011-03-10 10:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.microsoft.com
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: LastPass - file://c:\users\goscuter1\AppData\Roaming\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\users\goscuter1\AppData\Roaming\LastPass\context.html?cmd=fillforms
Trusted Zone: microsoft.com\oas.support
Trusted Zone: microsoft.com\support
FF - ProfilePath - c:\users\goscuter1\AppData\Roaming\Mozilla\Firefox\Profiles\tlp8sxnt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.th/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{6B78A880-15CA-468f-8422-A7960AD6FBB9} - (no file)
ShellIconOverlayIdentifiers-{4EE7A346-5845-471e-9FAB-002EAF83F8B0} - (no file)
ShellIconOverlayIdentifiers-{53DABC15-4F29-44ad-B09A-E0D0F9A3D075} - (no file)
ShellIconOverlayIdentifiers-{493FC96E-B938-4924-9B38-C4088E9B8AC2} - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
SafeBoot-sacsvr
SafeBoot-vmms
MSConfigStartUp-nwiz - nwiz.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-12 02:07
Windows 6.1.7601 Service Pack 1 NTFS
.
detected NTDLL code modification:
ZwEnumerateKey 0 != 116, ZwQueryKey 0 != 244, ZwOpenKey 0 != 182, ZwClose 0 != 50, ZwEnumerateValueKey 0 != 119, ZwQueryValueKey 0 != 266, ZwOpenFile 0 != 179, ZwQueryDirectoryFile 0 != 223, ZwQuerySystemInformation 0 != 261Initialization error
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:7f,64,f2,20,37,d9,cb,01
.
[HKEY_USERS\S-1-5-21-3282757158-1001404969-4251380021-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\B*o*o*k*m*a*r*k*s* *b*a*r* \Favourites]
"Order"=hex:08,00,00,00,02,00,00,00,f8,00,00,00,01,00,00,00,02,00,00,00,60,00,
00,00,01,00,00,00,52,00,31,00,00,00,00,00,00,c5,1c,3b,10,00,52,4f,4f,54,4b,\
.
[HKEY_USERS\S-1-5-21-3282757158-1001404969-4251380021-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\B*o*o*k*m*a*r*k*s* *b*a*r* \Favourites\ROOTKIT]
"Order"=hex:08,00,00,00,02,00,00,00,08,05,00,00,01,00,00,00,08,00,00,00,f8,00,
00,00,00,00,00,00,ea,00,32,00,84,00,00,00,00,c9,f7,4c,20,00,45,52,52,4f,52,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1180)
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WUDFHost.exe
c:\windows\System32\snmp.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\taskhost.exe
c:\windows\System32\wsqmcons.exe
c:\windows\system32\schtasks.exe
c:\windows\system32\conhost.exe
.
**************************************************************************
.
Completion time: 2011-03-12 02:11:55 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-11 19:11
.
Pre-Run: 132,072,812,544 bytes free
Post-Run: 131,959,685,120 bytes free
.
- - End Of File - - C21FB2B653E2EAD6CD84338D0E2BD979


ComboFix didn't actually fix anything I don't think, as I then tried to install Kaspersky AV 2011 and nup.

Posted Image

#3 goscuter1

Posted 12 March 2011 - 12:03 AM

Thanks for your lightning quick response and assistance Edwin - I really appreciate it!

The real MS Security Essentials, or a fakeAV claiming to be MSSE?


I think it has to be the 'patched' or corrupted MSSE, right? I've never had a problem uninstalling MSSE before, and I'm certain MSSE doesn't have a service which is simply impossible to disable.

Corrupted files can also be a sign of hardware failures, not just malware.

Try doing a full memory scan by booting from one of these ISOs:
http://www.memtest86.com/download.html
http://www.memtest.org/#downiso


Sigh. I spent an hour bashing my thick head against a wall trying to launch the ISO image from a virtual drive as I've run out of writable discs. And then I remembered you posted 2 links lol - 30 seconds later, I was booting from a USB.

I only did one pass, as that took a pretty long time by itself; I'm hoping that's sufficient? The report was that everything was fine, no memory errors.

After the low-level format were your partitions still intact?



I was certain dban obliterated everything, even the BIOS. After the low-level format, when I turned on the laptop, there was just a black empty screen. I could only boot with the Win7 genuine advantage disc, and there was just the single partition when it installed (I believe it automatically creates a 2nd system reserved partition if the user doesn't).

Can you post the Support Diagnostic Tool logs? (you can run it from Immunet's start menu)


Hmm - what's the best way to post the logs?


Immunet_Support_Tool_2011_03_12_06_53_38.7z

You aren't permitted to upload this kind of file



I had uninstalled Immunet and was trying to get Kaspersky installed but was unsuccessful; Kaspersky kept saying I had to get rid of clamav 1.0.26 and literally nothing I could think of was working. I was just about to reinstall Immunet and try uninstalling it again, when I noticed your response. So I'm not sure if the logs will have full history or just the last hour's...

I've run the failing Updater for the logs.

Posted Image

#4 goscuter1

Posted 12 March 2011 - 09:11 AM

I've been reading up on DISM all day, and I don't think I installed any OS installations on my Dell in the last month.

I think I triggered 20 deployments...

2011-02-25 19:52:46, Info CBS Starting TrustedInstaller initialization.
2011-02-25 19:52:46, Info CBS Loaded Servicing Stack v6.1.7601.17514 with Core: C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_0b66cb34258c936f\cbscore.dll
2011-02-25 19:52:48, Info CSI 00000001@2011/2/25:12:52:48.081 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x6d65d84e @0x6f655d7d @0x6f63205a @0x681c99 @0x681236 @0x76f775a8)
2011-02-25 19:52:48, Info CSI 00000002@2011/2/25:12:52:48.096 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x6d65d84e @0x6f697183 @0x6f694013 @0x681c99 @0x681236 @0x76f775a8)
2011-02-25 19:52:48, Info CSI 00000003@2011/2/25:12:52:48.099 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x6d65d84e @0x73d04bb0 @0x73d0548e @0x681327 @0x681245 @0x76f775a8)
2011-02-25 19:52:48, Info CBS Ending TrustedInstaller initialization.
2011-02-25 19:52:48, Info CBS Starting the TrustedInstaller main loop.
2011-02-25 19:52:48, Info CBS TrustedInstaller service starts successfully.
2011-02-25 19:52:48, Info CBS SQM: Initializing online with Windows opt-in: False
2011-02-25 19:52:48, Info CBS SQM: Cleaning up report files older than 10 days.
2011-02-25 19:52:48, Info CBS SQM: Requesting upload of all unsent reports.
2011-02-25 19:52:48, Info CBS SQM: Failed to start upload with file pattern: C:\Windows\servicing\sqm\*_std.sqm, flags: 0x2 [HRESULT = 0x80004005 - E_FAIL]
2011-02-25 19:52:48, Info CBS SQM: Failed to start standard sample upload. [HRESULT = 0x80004005 - E_FAIL]
2011-02-25 19:52:48, Info CBS SQM: Queued 0 file(s) for upload with pattern: C:\Windows\servicing\sqm\*_all.sqm, flags: 0x6
2011-02-25 19:52:48, Info CBS SQM: Warning: Failed to upload all unsent reports. [HRESULT = 0x80004005 - E_FAIL]
2011-02-25 19:52:48, Info CBS No startup processing required, TrustedInstaller service was not set as autostart, or else a reboot is still pending.
2011-02-25 19:52:48, Info CBS NonStart: Checking to ensure startup processing was not required.
2011-02-25 19:52:48, Info CSI 00000004 IAdvancedInstallerAwareStore_ResolvePendingTransactions (call 1) (flags = 00000004, progress = NULL, phase = 0, pdwDisposition = @0x58fb84
2011-02-25 19:52:48, Info CSI 00000005 Creating NT transaction (seq 1), objectname [6]"(null)"
2011-02-25 19:52:48, Info CSI 00000006 Created NT transaction (seq 1) result 0x00000000, handle @0x1d4
2011-02-25 19:52:48, Info CSI 00000007@2011/2/25:12:52:48.119 CSI perf trace:
CSIPERF:TXCOMMIT;497
2011-02-25 19:52:48, Info CBS NonStart: Success, startup processing not required as expected.
2011-02-25 19:52:48, Info CBS Startup processing thread terminated normally
2011-02-25 19:52:48, Info CSI 00000008 CSI Store 1700648 (0x0019f328) initialized
2011-02-25 19:52:48, Info CBS Session: 30135530_3883677421 initialized by client WindowsUpdateAgent.
2011-02-25 19:52:48, Info CBS Failed to internally open package. [HRESULT = 0x800f0805 - CBS_E_INVALID_PACKAGE]
2011-02-25 19:52:48, Info CBS Session: 30135530_3883697422 initialized by client WindowsUpdateAgent.
2011-02-25 19:52:48, Info CBS Failed to internally open package. [HRESULT = 0x800f0805 - CBS_E_INVALID_PACKAGE]
2011-02-25 19:52:48, Info CBS Session: 30135530_3883717423 initialized by client WindowsUpdateAgent.
2011-02-25 19:52:48, Info CBS Failed to internally open package. [HRESULT = 0x800f0805 - CBS_E_INVALID_PACKAGE]
2011-02-25 19:52:48, Info CBS Session: 30135530_3883727424 initialized by client WindowsUpdateAgent.
2011-02-25 19:52:48, Info CBS Failed to internally open package. [HRESULT = 0x800f0805 - CBS_E_INVALID_PACKAGE]
2011-02-25 19:52:48, Info CBS Session: 30135530_3884277455 initialized by client WindowsUpdateAgent.
2011-02-25 19:52:48, Info CBS Failed to internally open package. [HRESULT = 0x800f0805 - CBS_E_INVALID_PACKAGE]
2011-02-25 19:52:48, Info CBS Session: 30135530_3884287456 initialized by client WindowsUpdateAgent.
2011-02-25 19:52:48, Info CBS Failed to internally open package. [HRESULT = 0x800f0805 - CBS_E_INVALID_PACKAGE]
2011-02-25 19:52:48, Info CBS Session: 30135530_3884297457 initialized by client WindowsUpdateAgent.
2011-02-25 19:52:53, Info CBS Session: 30135530_3934490327 initialized by client WindowsUpdateAgent.
2011-02-25 19:52:53, Info CBS Read out cached package applicability for package: Package_for_KB2479628~31bf3856ad364e35~x86~~6.1.1.4, ApplicableState: 112, CurrentState:112
2011-02-25 19:52:53, Info CBS Session: 30135530_3934580333 initialized by client WindowsUpdateAgent.
2011-02-25 19:52:53, Info CBS Read out cached package applicability for package: Package_for_KB2425227~31bf3856ad364e35~x86~~6.1.1.1, ApplicableState: 112, CurrentState:112
2011-02-25 19:52:53, Info CBS Session: 30135530_3934690339 initialized by client WindowsUpdateAgent.
2011-02-25 19:52:53, Info CBS Read out cached package applicability for package: Package_for_KB947821~31bf3856ad364e35~x86~~6.1.10.0, ApplicableState: 112, CurrentState:0
2011-02-25 19:52:53, Info CBS Session: 30135530_3934760343 initialized by client WindowsUpdateAgent.
2011-02-25 19:52:53, Info CBS Read out cached package applicability for package: Package_for_KB2475792~31bf3856ad364e35~x86~~6.1.1.3, ApplicableState: 112, CurrentState:112
2011-02-25 19:52:53, Info CBS Session: 30135530_3934860349 initialized by client WindowsUpdateAgent.
2011-02-25 19:52:53, Info CBS Read out cached package applicability for package: Package_for_KB2482017~31bf3856ad364e35~x86~~6.1.1.1, ApplicableState: 112, CurrentState:112
2011-02-25 19:52:53, Info CBS Session: 30135530_3934980355 initialized by client WindowsUpdateAgent.
2011-02-25 19:52:53, Info CBS Read out cached package applicability for package: Package_for_KB2489256~31bf3856ad364e35~x86~~6.1.1.1, ApplicableState: 80, CurrentState:0
2011-02-25 19:52:53, Info CBS Session: 30135530_3935030358 initialized by client WindowsUpdateAgent.
2011-02-25 19:52:53, Info CBS Read out cached package applicability for package: Package_for_KB2484033~31bf3856ad364e35~x86~~6.1.1.0, ApplicableState: 112, CurrentState:112
2011-02-25 19:52:53, Info CBS Session: 30135530_3935070361 initialized by client WindowsUpdateAgent.
2011-02-25 19:52:53, Info CBS Read out cached package applicability for package: Package_for_KB2485376~31bf3856ad364e35~x86~~6.1.1.2, ApplicableState: 112, CurrentState:112
2011-02-25 19:52:53, Info CBS Session: 30135530_3935100362 initialized by client WindowsUpdateAgent.
2011-02-25 19:52:53, Info CBS Read out cached package applicability for package: Package_for_KB2488113~31bf3856ad364e35~x86~~6.1.1.0, ApplicableState: 112, CurrentState:112
2011-02-25 19:52:53, Info CBS Session: 30135530_3935130364 initialized by client WindowsUpdateAgent.
2011-02-25 19:52:53, Info CBS Session: 30135530_3935150365 initialized by client WindowsUpdateAgent.
2011-02-25 19:52:53, Info CBS Read out cached package applicability for package: Package_for_KB2393802~31bf3856ad364e35~x86~~6.1.1.1, ApplicableState: 112, CurrentState:112
2011-02-25 19:52:53, Info CBS Session: 30135530_3935240370 initialized by client WindowsUpdateAgent.
2011-02-25 19:52:53, Info CBS Read out cached package applicability for package: Package_for_KB976932~31bf3856ad364e35~x86~~6.1.1.17514, ApplicableState: 112, CurrentState:101
2011-02-25 19:52:53, Info CBS Session: 30135530_3936430438 initialized by client WindowsUpdateAgent.
2011-02-25 19:52:53, Info CBS Read out cached package applicability for package: Microsoft-Windows-Security-WindowsActivationTechnologies-Package~31bf3856ad364e35~x86~~7.1.7600.16395, ApplicableState: 112, CurrentState:0
2011-02-25 19:52:53, Info CBS Session: 30135530_3936450440 initialized by client WindowsUpdateAgent.
2011-02-25 19:52:53, Info CBS Read out cached package applicability for package: Package_for_KB2502285~31bf3856ad364e35~x86~~6.1.1.1, ApplicableState: 112, CurrentState:112
2011-02-25 19:53:02, Info CBS Archived backup log: C:\Windows\Logs\CBS\CbsPersist_20110225125246.cab.
2011-02-25 19:59:15, Info CBS Session: 30135531_3462241678 initialized by client DISM Package Manager Provider.
2011-02-25 19:59:15, Info DPX Started DPX phase: Resume and Download Job
2011-02-25 19:59:15, Info DPX Started DPX phase: Apply Deltas Provided In File
2011-02-25 19:59:15, Info DPX Ended DPX phase: Apply Deltas Provided In File
2011-02-25 19:59:15, Info DPX Started DPX phase: Apply Deltas Provided In File
2011-02-25 19:59:15, Info DPX Ended DPX phase: Apply Deltas Provided In File
2011-02-25 19:59:15, Info DPX Ended DPX phase: Resume and Download Job
2011-02-25 19:59:15, Info CBS Opened cabinet package, package directory: C:\Windows\TEMP\IE9F824.tmp\IE9-neutral.Downloaded\, sandbox location: \\?\C:\Users\GOSCUT~1\AppData\Local\Temp\A1C18FB6-A337-4B95-8308-7396F4413FB7\, cabinet location: \\?\C:\Windows\TEMP\IE9F824.tmp\IE9-neutral.Downloaded\Windows6.1-KB982861-x86.cab, manifest location: \\?\C:\Users\GOSCUT~1\AppData\Local\Temp\A1C18FB6-A337-4B95-8308-7396F4413FB7\update.mum
2011-02-25 19:59:15, Info DPX Started DPX phase: Resume and Download Job
2011-02-25 19:59:15, Info DPX Started DPX phase: Apply Deltas Provided In File
2011-02-25 19:59:15, Info DPX Ended DPX phase: Apply Deltas Provided In File
2011-02-25 19:59:15, Info DPX Ended DPX phase: Resume and Download Job
2011-02-25 19:59:15, Info CBS Appl: detect Parent, Package: Microsoft-Windows-InternetExplorer-Package-TopLevel~31bf3856ad364e35~x86~~9.2.8080.16413, Parent: Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7600.16385, Disposition = Detect, VersionComp: EQ, ServiceComp: GE, BuildComp: GE, DistributionComp: GE, RevisionComp: GE, Exist: present
2011-02-25 19:59:15, Info CBS Appl: detectParent: package: Microsoft-Windows-InternetExplorer-Package-TopLevel~31bf3856ad364e35~x86~~9.2.8080.16413, parent found: Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7600.16385, state: Superseded
2011-02-25 19:59:15, Info CBS Appl: detectParent: package: Microsoft-Windows-InternetExplorer-Package-TopLevel~31bf3856ad364e35~x86~~9.2.8080.16413, parent found: Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7601.17514, state: Installed
2011-02-25 19:59:15, Info CBS Appl: detect Parent, Package: Microsoft-Windows-InternetExplorer-Package-TopLevel~31bf3856ad364e35~x86~~9.2.8080.16413, disposition state from detectParent: Installed
2011-02-25 19:59:15, Info CBS Appl: Evaluating package applicability for package Microsoft-Windows-InternetExplorer-Package-TopLevel~31bf3856ad364e35~x86~~9.2.8080.16413, applicable state: Installed
2011-02-25 19:59:15, Info CBS External EvaluateApplicability, package: Microsoft-Windows-InternetExplorer-Package-TopLevel~31bf3856ad364e35~x86~~9.2.8080.16413, package applicable State: Installed, highest update applicable state: Installed, resulting applicable state:Installed
2011-02-25 19:59:15, Info CBS External EvaluateApplicability, package: Microsoft-Windows-InternetExplorer-Package-TopLevel~31bf3856ad364e35~x86~~9.2.8080.16413, package applicable State: Installed, highest update applicable state: Installed, resulting applicable state:Installed
2011-02-25 19:59:15, Info CBS Blocked system sleep; prior state: 0x80000000
2011-02-25 19:59:15, Info CBS Exec: Processing started. Client: DISM Package Manager Provider, Session: 30135531_3462241678, Package: Microsoft-Windows-InternetExplorer-Package-TopLevel~31bf3856ad364e35~x86~~9.2.8080.16413
2011-02-25 19:59:15, Info CBS Exec: Using execution sequence: 212
2011-02-25 19:59:16, Info CBS Reboot mark refs incremented to: 1
2011-02-25 19:59:16, Info CBS Disabling LKG boot option
2011-02-25 19:59:16, Info CBS Perf: Begin: nested restore point - begin
2011-02-25 19:59:16, Info CBS Perf: Begin: nested restore point - complete
2011-02-25 19:59:16, Info CBS Appl: detect Parent, Package: Microsoft-Windows-InternetExplorer-Package-TopLevel~31bf3856ad364e35~x86~~9.2.8080.16413, Parent: Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7600.16385, Disposition = Detect, VersionComp: EQ, ServiceComp: GE, BuildComp: GE, DistributionComp: GE, RevisionComp: GE, Exist: present
2011-02-25 19:59:16, Info CBS Appl: detectParent: package: Microsoft-Windows-InternetExplorer-Package-TopLevel~31bf3856ad364e35~x86~~9.2.8080.16413, parent found: Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7600.16385, state: Superseded
2011-02-25 19:59:16, Info CBS Appl: detectParent: package: Microsoft-Windows-InternetExplorer-Package-TopLevel~31bf3856ad364e35~x86~~9.2.8080.16413, parent found: Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7601.17514, state: Installed
2011-02-25 19:59:16, Info CBS Appl: detect Parent, Package: Microsoft-Windows-InternetExplorer-Package-TopLevel~31bf3856ad364e35~x86~~9.2.8080.16413, disposition state from detectParent: Installed
2011-02-25 19:59:16, Info CBS Appl: Evaluating package applicability for package Microsoft-Windows-InternetExplorer-Package-TopLevel~31bf3856ad364e35~x86~~9.2.8080.16413, applicable state: Installed
2011-02-25 19:59:16, Info DPX Started DPX phase: Resume and Download Job
2011-02-25 19:59:16, Info DPX Started DPX phase: Apply Deltas Provided In File
2011-02-25 19:59:17, Info DPX Ended DPX phase: Apply Deltas Provided In File
2011-02-25 19:59:17, Info DPX Ended DPX phase: Resume and Download Job
2011-02-25 19:59:17, Info CBS Extracting all files from cabinet \\?\C:\Windows\TEMP\IE9F824.tmp\IE9-neutral.Downloaded\Windows6.1-KB982861-x86.cab
2011-02-25 19:59:17, Info CBS Plan: Package: Microsoft-Windows-InternetExplorer-Package-TopLevel~31bf3856ad364e35~x86~~9.2.8080.16413, current: Absent, pending: Default, start: Absent, applicable: Installed, targeted: Installed, limit: Installed
2011-02-25 19:59:17, Info CBS Plan: Package: Microsoft-Windows-InternetExplorer-Package-TopLevel~31bf3856ad364e35~x86~~9.2.8080.16413, Update: Microsoft-Windows-InternetExplorer-Package-Neutral, current: Absent, pending: Default, start: Absent, applicable: Installed, targeted: Installed, limit: Installed, selected: Default
2011-02-25 19:59:17, Info CBS Plan: Package: Microsoft-Windows-InternetExplorer-Package-TopLevel~31bf3856ad364e35~x86~~9.2.8080.16413, Update: Microsoft-Windows-InternetExplorer-Package-en-us-LP-Toplevel, current: Absent, pending: Default, start: Absent, applicable: Installed, targeted: Installed, limit: Installed, selected: Default
2011-02-25 19:59:18, Info CBS Appl: detect Parent, Package: Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~x86~~9.2.8080.16413, Parent: Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7600.16385, Disposition = Detect, VersionComp: EQ, ServiceComp: GE, BuildComp: GE, DistributionComp: GE, RevisionComp: GE, Exist: present
2011-02-25 19:59:18, Info CBS Appl: detectParent: package: Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~x86~~9.2.8080.16413, parent found: Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7600.16385, state: Superseded
2011-02-25 19:59:18, Info CBS Appl: detectParent: package: Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~x86~~9.2.8080.16413, parent found: Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7601.17514, state: Installed
2011-02-25 19:59:18, Info CBS Appl: detect Parent, Package: Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~x86~~9.2.8080.16413, disposition state from detectParent: Installed
2011-02-25 19:59:18, Info CBS Appl: Evaluating package applicability for package Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~x86~~9.2.8080.16413, applicable state: Installed
2011-02-25 19:59:18, Info CBS Plan: Package: Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~x86~~9.2.8080.16413, current: Absent, pending: Default, start: Absent, applicable: Installed, targeted: Installed, limit: Installed
2011-02-25 19:59:18, Info CBS Appl: Old package found: Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~x86~~8.0.7601.17514, force to remove/supersed, Target State: Installed
2011-02-25 19:59:19, Info CBS Appl: detect Parent, Package: Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~x86~~8.0.7601.17514, Parent: Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7601.17514, Disposition = Detect, VersionComp: EQ, ServiceComp: GE, BuildComp: GE, DistributionComp: GE, RevisionComp: GE, Exist: present
2011-02-25 19:59:19, Info CBS Appl: detectParent: package: Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~x86~~8.0.7601.17514, related parent found: Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7600.16385, which is not real parent
2011-02-25 19:59:19, Info CBS Appl: detectParent: package: Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~x86~~8.0.7601.17514, parent found: Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7601.17514, state: Installed
2011-02-25 19:59:19, Info CBS Appl: detect Parent, Package: Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~x86~~8.0.7601.17514, disposition state from detectParent: Installed
2011-02-25 19:59:19, Info CBS Appl: Higher version found for package: Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~x86~~8.0.7601.17514, superseded. (Version on system:Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~x86~~9.2.8080.16413)
2011-02-25 19:59:19, Info CBS Appl: Evaluating package applicability for package Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~x86~~8.0.7601.17514, applicable state: Superseded
2011-02-25 19:59:19, Info CBS Plan: Package: Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~x86~~8.0.7601.17514, current: Installed, pending: Default, start: Installed, applicable: Superseded, targeted: Superseded, limit: Installed
2011-02-25 19:59:19, Info CBS Appl: Old package found superseded, re-install: Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~x86~~8.0.7600.16385
2011-02-25 19:59:19, Info CBS Appl: detect Parent, Package: Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~x86~~8.0.7600.16385, Parent: Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7600.16385, Disposition = Detect, VersionComp: EQ, ServiceComp: GE, BuildComp: GE, DistributionComp: GE, RevisionComp: GE, Exist: present
2011-02-25 19:59:19, Info CBS Appl: detectParent: package: Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~x86~~8.0.7600.16385, parent found: Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7600.16385, state: Superseded
2011-02-25 19:59:19, Info CBS Appl: detectParent: package: Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~x86~~8.0.7600.16385, parent found: Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7601.17514, state: Installed
2011-02-25 19:59:19, Info CBS Appl: detect Parent, Package: Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~x86~~8.0.7600.16385, disposition state from detectParent: Installed
2011-02-25 19:59:19, Info CBS Appl: Higher version found for package: Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~x86~~8.0.7600.16385, superseded. (Version on system:Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~x86~~8.0.7601.17514)
2011-02-25 19:59:19, Info CBS Appl: Evaluating package applicability for package Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~x86~~8.0.7600.16385, applicable state: Superseded
2011-02-25 19:59:19, Info CBS Plan: Package: Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~x86~~8.0.7600.16385, current: Superseded, pending: Default, start: Superseded, applicable: Superseded, targeted: Superseded, limit: Superseded
2011-02-25 19:59:19, Info CSI 00000009@2011/2/25:12:59:19.186 CSI Transaction @0x209518 initialized for deployment engine {d16d444c-56d8-11d5-882d-0080c847b195} with flags 00000002 and client id [26]"TI5.30135531_3462241678:1/"

2011-02-25 19:59:19, Info CSI 0000000a@2011/2/25:12:59:19.192 CSI Transaction @0x209518 destroyed



I have a sinking feeling dban doesn't zero out virtual drives ;( - I didn't realise I had any...

#5 goscuter1

Posted 12 March 2011 - 11:31 PM

Create a .zip and try uploading that.


Cool, zip worked. Attached file: Immunet_Support_Tool_2011_03_12_06_53_38.zip (49 KB)

I was running a Full Scan and just woke up, and it seems like it might have updated: the yellow circle is now green and says "Up To Date". The scan is still going though, 10 hours and counting... seems long...

Is there any reason to believe your system is still infected?


Yes. Every time I run sfc /scannow, 5 minutes later a process silently corrupts the files again, uploading from an offline registry hive.

I ran Security Check and it says my Java is out of date (it's not), but when I try to d/l Java again, it gives this error message:

Posted Image



Googling the 1606 Error took me to Application Data (I forget why) but it says "Access is Denied" for my own folders.

Posted Image




I'm logged in as Administrator but I cannot take control of some of the Windows Image folders/files that are being used to make my life hell...

Posted Image


Posted Image




My systems are crawling. My desktop will be completely powered down and then it'll just switch on automatically; it really creeps me out.

It's all a huge mess.

Aren't the virtual drives ultimately stored on a physical drive ... that you wiped?



Well I thought so. But reading now, it seems like things weren't that simple.


Does DBAN wipe the Host Protected Area ("HPA")?
No.


Most vendors that are using the HPA have a toggle for it in the BIOS setup program. Future releases of DBAN may override or dishonor the HPA.

Does DBAN wipe remapped sectors?

Use the ATA-6 wipe method if you want to wipe remapped sectors. Most methods do not wipe remapped sectors.

Why doesn't DBAN detect the disks in a RAID array?
DBAN has drivers for most RAID implementations, but DBAN does not automatically disassemble RAID volumes.


The operator must manually disassemble RAID volumes and put each component into "JBOD" or "SINGLE" mode for the disks to be recognized by DBAN.


Stupid program.

#6 goscuter1

Posted 14 March 2011 - 09:09 AM

?

I can only assume anyone reading this is studying up on the threats I've brought to light.

Oh lol, apologies, I momentarily forgot where I was posting. In 3 weeks, I feel I know more than most AV 'experts'.

Children can run an AV scan. And professionals, if they're AV-industry professionals. Unfortunately, that appears to be the extent of it.



Posted Image



I've had 30 conversations like this with paid professionals in the last month.


Every forum, everyone goes silent. That's fine, not understanding something is fine, but I would have assumed professionals in this industry were problem solvers. In 3 weeks, from near computer illiteracy, I've come very close to learning enough to solve this myself - I would think it should take a literate computer expert mere minutes to study up, even if they knew nothing about it. I guess I thought wrong, by the number of threads on forums I find, where people are having very similar problems....


...and the SILENCE, is deafening.


lol. Tight industry.

#7 goscuter1

Posted 17 April 2011 - 06:52 AM

Are the same files corrupted (infected I assume) always, or are they random?
It would be useful to find out which process is corrupting the files; can you try running Procmon from here:
http://live.sysinter...com/Procmon.exe

Set it to log everything to a file.

Then do the 'sfc /scannow', wait the time required for the files to get corrupted again, run another sfc to be sure they changed, and now stop procmon, and save the log it created.
If you compress that log, is it small enough to upload here?


Hi Edwin, thanks for your response. Apologies for not checking back, but my frustrations with the silences across a range of forums, and every expert I hired continuing to charge me without solving anything except the question of their competence...was wearing me down.

I can't say with any certainty that they were the same files as I've moved to Linux Ubuntu, awaiting the Chrome OS. I think Windows is dead, and Microsoft is finished. But I am unable to know if considerations of justice are clouding my objectivity.

But I'm pretty sure the files were the same corrupted replacements. Because WFP is flawed beyond belief. It treats the deployed silent unattended installation as the 'correct' one, so I was effectively corrupting my OS with my Genuine Advantage discs and with SFC /scannow.

I've got some records lying around, if you're interested (and god knows no one else is):

This is simply one batch of silent corrupted files, then my SFC /scannow replacing them all. This is just one round. I did maybe 40 rounds lolz.

http://justpaste.it/98y

But who the hell knows really, when SFC command lines don't work:

http://i.imgur.com/0vYYA.png

Also you can set the Windows updates to install at a scheduled time, so they don't keep creating entries in your installer logs.


Oh they were. At least at my end.

Not sure what my System Administrator (aka hacker) was doing, but who am I to question his actions. After all, I was trying to hack into my own systems. Quite literally, thanks to Microsoft.

#8 goscuter1

Posted 28 April 2011 - 04:42 AM

Are the same files corrupted (infected I assume) always, or they are random?
It would be useful to find out which process is corrupting the files, can you try running Procmon from here:
http://live.sysinter...com/Procmon.exe

Set it to log everything to a file.

Then do the 'sfc /scannow', wait the time required for the files to get corrupted again, run another sfc to be sure they changed, and now stop procmon, and save
the log it created.
If you compress that log, is it small enough to upload here?



Hi Edwin, I installed Win7 Ultimate again after the issues were crashing my Linux distributions as well. And I remembered this post, so I ran Procmon and immediately hit sfc /scannow but...in the mere minutes it took to verify, over 8,000,000 (8 million) processes were recorded by Procmon.

And to top it off, I hadn't waited long enough for the files to be corrupted again lol, and it's been quite a few hours since the last corruption, the results of which I have logged of course (over 3000 cbs.log entries for the single sfc /scannow a few hours ago).

Posted Image


It filled 8 procmon log files in the 10 minutes or so that it took to run the scan which didn't find any violations. To get two sfc /scannow outputs, with the silent process replacing all the files in between, we're talking hundreds of millions of processes!

I assume that kind of output is of no use?

As I was writing that out, I thought "oh that can't be right, it must have been 800,000 or something" - so I just ran it again. In 7 minutes, 7 million processes monitored. This is non-stop.

Posted Image
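Edwin's capture-everything Procmon run fills log after log because nothing is filtered. The script below is an added example (not code from the thread or from either poster) that narrows the loop: it pulls the "[SR] Repairing corrupted file" lines out of CBS.log so you know which files SFC keeps replacing, and it hashes a directory before and after the wait so Procmon's Path filter can be set to just the files that changed. The CBS.log sample lines, the regex that keys on the two quoted strings, and the file and directory names are constructed for the example.

```python
"""Added example (not from the thread): narrow the SFC/Procmon loop.

Instead of logging every event for ten minutes, first learn which files
keep getting replaced:
  * parse_sfc_repairs() lists the files CBS.log says SFC repaired, with a
    count, so a file repaired in every round stands out;
  * snapshot()/diff_snapshots() hash a directory before the "wait for it
    to happen again" window and after it; the changed list is what to put
    in Procmon's Path filter so the capture stays small.

Assumption: the CBS.log lines below are constructed to resemble the
"[SR] Repairing corrupted file" entries; the regex keys on the two quoted
strings (directory, file name) rather than on the length prefixes.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample in the shape of CBS.log [SR] lines (not from the original post).
SAMPLE_CBS_LOG = r"""
2011-04-28 04:30:01, Info  CSI  00000123 [SR] Verify complete
2011-04-28 04:30:02, Info  CSI  00000124 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"example.dll" from store
2011-04-28 04:30:02, Info  CSI  00000125 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:18{9}]"other.sys" from store
2011-04-28 04:30:03, Info  CSI  00000126 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"example.dll" from store
2011-04-28 04:30:04, Info  CSI  00000127 [SR] Repair complete
"""

_REPAIR_RE = re.compile(
    r'\[SR\] Repairing corrupted file .*?"\\\?\?\\(?P<dir>[^"]+)"\\.*?"(?P<name>[^"]+)"'
)


def parse_sfc_repairs(log_text: str) -> Dict[str, int]:
    """Map full path -> number of times SFC reported repairing it."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = _REPAIR_RE.search(line)
        if m:
            full = m.group("dir") + "\\" + m.group("name")
            counts[full] = counts.get(full, 0) + 1
    return counts


def snapshot(root: str) -> Dict[str, str]:
    """SHA-256 of every regular file under root, keyed by relative path.

    Files that cannot be opened (locked, ACL-denied) are recorded as
    '<unreadable>' so that a later successful read shows up as a change.
    """
    digests: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            h = hashlib.sha256()
            try:
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        h.update(chunk)
            except OSError:
                digests[rel] = "<unreadable>"
                continue
            digests[rel] = h.hexdigest()
    return digests


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]
                   ) -> Tuple[List[str], List[str], List[str]]:
    """Return (changed, added, removed) relative paths between two snapshots."""
    changed = sorted(p for p in before if p in after and before[p] != after[p])
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    return changed, added, removed


def demo() -> dict:
    """Run the whole flow on a throwaway directory so it works offline."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "example.dll").write_bytes(b"original bytes")
        Path(tmp, "other.sys").write_bytes(b"driver bytes")
        before = snapshot(tmp)
        # Simulate the silent replacement the thread describes.
        Path(tmp, "example.dll").write_bytes(b"replaced bytes")
        Path(tmp, "dropped.dll").write_bytes(b"new file")
        after = snapshot(tmp)
        changed, added, removed = diff_snapshots(before, after)
    return {
        "repairs": parse_sfc_repairs(SAMPLE_CBS_LOG),
        "changed": changed,
        "added": added,
        "removed": removed,
    }


if __name__ == "__main__":
    # Real use: snapshot(r"C:\Windows\System32") right after sfc /scannow
    # and again after the next round of corruption. Here: the offline demo.
    print(demo())
```

On the real machine the second step is snapshot(r"C:\Windows\System32") once right after sfc /scannow reports no violations and again after the next round; the changed list is short enough to paste into Procmon's Path filter (with Operation set to WriteFile, SetDispositionInformationFile or SetRenameInformationFile) so the capture records only the process that touches those files. Files that cannot be opened are recorded as <unreadable> rather than skipped, because a file that becomes readable again is itself a change worth seeing.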


#9 goscuter1

Posted 29 April 2011 - 10:26 AM

In that case I don't think that you are dealing with a virus, but rather some kind of hardware defect.
Which Linux distribution did you use, and with what error message did it crash?


Ubuntu 10.04, 10.10 and 11.04, and Mint 10.10. The crashing isn't the concern; crashing is merely a side-effect of being hacked. Very similar problems to Windows but not as rapidly destructive (huge directories and sub-directories of folders/files no one could really explain, all inaccessible with sudo of course; some recursion which slowed my systems down but wasn't really a problem, it just reflected all the virtual terminals that I couldn't access, which were a problem; a lot of permission denied messages logged in as root or with sudo, trying to access SSH connections and services that I didn't install, were certainly not default, and which couldn't be killed by sudo; and even losing sudo altogether trying to uninstall a Samba service which was never installed - the huge directories of samba-related files I couldn't access certainly weren't default - which gave me flashbacks of how this all started with TrustedInstaller over-riding INBUILT Administrator permissions).

goscuter1@goscuter1-Latitude-E6500:~$ rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  55518  status
    100024    1   tcp  37408  status
    100021    1   udp  49813  nlockmgr
    100021    3   udp  49813  nlockmgr
    100021    4   udp  49813  nlockmgr
    100021    1   tcp  43446  nlockmgr
    100021    3   tcp  43446  nlockmgr
    100021    4   tcp  43446  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049
    100227    3   tcp   2049
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    2   udp   2049
    100227    3   udp   2049
    100005    1   udp  50908  mountd
    100005    1   tcp  43996  mountd
    100005    2   udp  50908  mountd
    100005    2   tcp  43996  mountd
    100005    3   udp  50908  mountd
    100005    3   tcp  43996  mountd


The nlockmgr is part of the file locking manager system for NFS. It forwards local file locking requests to the lock manager on the server system. This service should be disabled if your system is not acting as either an NFS client or server.




The rootkit evidence is pretty overwhelming with every OTL, ComboFix, Gmer, HijackThis etc scan I've ever run (*when they run* or *when the options aren't all greyed out*). But I only just realised I've been stupidly distracted by all the endless side-effects and not getting at the core issue, which is the deployments being recorded in my cbs.log and windowsupdate.log files. Even they aren't the core issue of course; the core issue is hardware hijacking - which is why my endless zero-filling has just been a complete waste of time.

I agree it's hardware defects, intentionally created, initially by a rootkit or the criminal Dell service technician they're refusing to take responsibility for. I just don't understand enough (or anything) about the hardware. So I get all distracted by the deployed Microsoft-signed patches screwing up Win7 and the entire hard drive's contents. Microsoft are the WORST. But getting at the root of the problem has forced me back to Windows, because of course it's very hard to convince a Linux user that the problems are real - I mean, they're not having them! (this is literally their logic, sigh).

In Windows, the side-effects are a lot more...overwhelming. Stuff like patched MSSE versions and non-default programs like WinMail being deployed; which all come up as "patched" on Secunia's PSI joke program - no doubt they are patched, but it's a joke program that gives non-default unauthorised installations like WinMail a green 100% thumbs up. They censored my thread politely enquiring about it, of course. Wonderful ethics.

All these drivers were installed and showing as autoruns in Sysinternals' handy app:

Posted Image


- I just unclicked them all after realising every single one of them seemed unnecessary and a vulnerability - this system is running a lot better now, but all these things are side-effects.

I need to secure my system from the network administrators who are using FEP and DISM to deploy all the crap onto my systems.

And they're getting access via the hardware. I have a stack of pics of all the controllers and whatnot, which I'll post shortly as I think they're the key...once I get over the fear of destroying my brand new HTC Desire HD (literally everything gets destroyed, my Nokia N97mini is currently RIP).

Look more closely at what those numbers mean:
"Showing 7,114,492 of 7,142,955 events"

They are events, not processes.



Ah okay. I'm the kind of guy who jumps to conclusions that a program called Process monitor, would be listing processes. But events, processes, it's all semantics to me I'm afraid...I'm quite certain 1,000,000 *events* per minute is not normal. Neither is 7000 cbs.log entries in 41 seconds for a single MSSE patch which MSSE already downloaded 6 hrs earlier.

It would be more interesting if you could start a procmon capture after your SFC scan is finished, and wait till files get corrupted.


It's just side effects, Edwin. In any case, I can see what's corrupting them, it's all being recorded in the logs. I need to focus on blocking the deployments, and I think the answer is either:
  • figuring out how to clean what DBAN and BIOS flashing and CMOS flushing and MBR fixing cannot; or
  • figuring out how to be 100% certain my Internet is secure, then just make a bonfire out of the electronics in my apartment.
Either would be fine. I've had 10 weeks of this. That's enough for me. Christ Microsoft are filthy.

Posted Image
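The rpcinfo listing in this post shows an NFS server (nfs, mountd, and the unnamed 100227) and the NFS lock/status pair (nlockmgr, status) registered with the portmapper. The script below is an added example (not from the thread) that parses rpcinfo -p output and flags whichever of those a host that is neither NFS client nor server has no business registering. The sample text is constructed with the same program numbers as the post but illustrative ports; the program-number table is the standard RPC registry; the reading that 100227 prints with no name because it is absent from /etc/rpc is an assumption.

```python
"""Added example (not from the thread): audit `rpcinfo -p` output.

parse_rpcinfo() turns the table into records; audit() flags registered
RPC programs that only an NFS client or server needs. The sample text is
constructed to match the layout of the posted output (same program
numbers, ports are illustrative).

Assumptions: program-number names are from the standard RPC registry;
rpcinfo leaves the name blank when the number is not in /etc/rpc, which
is the likely reason 100227 (nfs_acl) prints with no name in the post.
"""
import re
import sys
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Standard RPC program numbers (assumption: table typed in by hand here).
RPC_PROGRAM_NAMES = {
    100000: "portmapper",
    100003: "nfs",
    100005: "mountd",
    100021: "nlockmgr",
    100024: "status",
    100227: "nfs_acl",
}

# Only an NFS client needs status/nlockmgr; only an NFS server needs the rest.
NFS_CLIENT = {"status", "nlockmgr"}
NFS_SERVER = {"nfs", "mountd", "nfs_acl"}

SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  55518  status
    100021    4   tcp  43446  nlockmgr
    100003    3   tcp   2049  nfs
    100227    3   tcp   2049
    100005    3   udp  50908  mountd
"""


class RpcEntry(NamedTuple):
    program: int
    version: int
    proto: str
    port: int
    name: str


_LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$")


def parse_rpcinfo(text: str) -> List[RpcEntry]:
    """Parse `rpcinfo -p` lines; the header and junk lines are skipped."""
    entries: List[RpcEntry] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        prog, vers, proto, port, name = m.groups()
        prog_i = int(prog)
        # Fill the name from the table when rpcinfo printed none.
        name = name or RPC_PROGRAM_NAMES.get(prog_i, f"prog-{prog_i}")
        entries.append(RpcEntry(prog_i, int(vers), proto, int(port), name))
    return entries


def audit(entries: List[RpcEntry], nfs_client: bool = False,
          nfs_server: bool = False) -> Dict[str, List[str]]:
    """Return {service: ["proto/port", ...]} for services this host should not register."""
    listeners: Dict[str, set] = defaultdict(set)
    for e in entries:
        listeners[e.name].add(f"{e.proto}/{e.port}")
    unwanted = set()
    if not nfs_client:
        unwanted |= NFS_CLIENT
    if not nfs_server:
        unwanted |= NFS_SERVER
    return {name: sorted(ports) for name, ports in listeners.items() if name in unwanted}


if __name__ == "__main__":
    # Usage on a live host:  rpcinfo -p | python3 rpc_audit.py
    text = SAMPLE_RPCINFO if sys.stdin.isatty() else sys.stdin.read()
    for svc, ports in sorted(audit(parse_rpcinfo(text)).items()):
        print(f"unexpected RPC service {svc} on {', '.join(ports)}")
```

Run it as rpcinfo -p | python3 rpc_audit.py. If nfs and mountd are flagged on a box that exports nothing, dpkg -l 'nfs*' shows which package is present (on Ubuntu, nfs-kernel-server carries the server side and nfs-common the statd/lock-manager side), and /var/log/apt/history.log records the transaction that installed it, which is where Edwin points later in the thread.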


#10 goscuter1

Posted 29 April 2011 - 12:15 PM

Hardware. Sigh, I just don't know what all these controllers are, but I'm pretty sure they're suspect. This is for my desktop:

Posted Image


After a 10 hour DBAN, I don't understand these because this BIOS is flashed. What are all these PCI Unknowns - do you think they're the culprit?

Posted Image


Posted Image


Posted Image


This is just more of the scan which starts above. 10 screens of PCI controllers that are too complicated for me to make sense of. I don't really like all the Unknowns. Far too many Unknowns, in this industry...

http://i.imgur.com/1uEW5.jpg

http://i.imgur.com/9lHFJl.jpg

http://i.imgur.com/qrs8Kl.jpg

http://i.imgur.com/LTqD4l.jpg

http://i.imgur.com/Wbx05.jpg

http://i.imgur.com/2Cbt3.jpg

http://i.imgur.com/J2Y3a.jpg

http://i.imgur.com/Exo9D.jpg

I dunno; after a 10 hour DBAN, seeing that just makes my stomach churn and god I hope it's the culprit because I have no other suspects now that my modem / router are looking annoyingly innocent.

Posted Image


No DBAN, no you did not.

I'm not sure if this meant anything as I think X: is used as the virtual drive for Recovery but I know corrupt files are being pulled from a repository, so the fact that I can't delete them struck me as annoying:

Posted Image

#11 goscuter1

Posted 29 April 2011 - 10:57 PM

Let's try to not jump to conclusions, and leave paranoia aside for a moment.



No. It's not paranoia when there are endless breaches.

I'm sick right now, I'm just...I lost net connection for a half hour or so and my ISP said there wasn't any problem, so I went in to take a look. Sigh.

http://codepad.org/V6M50C5D

That explains the Broadcom drivers in my Autoruns.

Oh, and if it wasn't obvious, I'm not using Linux at this point in time. But I've seen "squashfs" and "NFS" before, on my systems where I didn't install them. I don't know what this means now, I was about to burn everything under the belief my connection was secure. But, they're coming through NAT and a hardware firewall with a yawn? vomit...

They're reactive also. It's incredibly creepy. After those PCI pics, I killed PlugNplay and RpcEptMapper and some other services on my laptop. My desktop crashed and I didn't bother zero-filling, I just formatted and installed Windows again, and they're reactive!

Posted Image


If you really want to disconnect the network cable, do a clean Windows install, and work that way for a while.



I'm not sure what you thought I was doing or trying to do; but I assure you the above has been it for a very long time now. The installation logs of a system that has all networking functionality disabled in BIOS; I even took it down to the other end of my building and checked for Wi-Fi with my phone and, in a complete dead spot, installed after a zero-fill format...never been online, the installation logs aren't complex.

Those files in /proc are normal: one is created for every process that runs.



Yes. I didn't run the processes.

It is normal that you cannot access them as a normal user, only root can access them.


Yes, I was root. And unable to access them.

You should be able to 'sudo ls -l /proc/2', etc, once you get sudo working.


Oh it always was. Until I'd lose it being too pesky trying to mount an unknown filesystem on my system. Somewhat rudely; as they were never my filesystems.

pts listmax, listentries are commands for Andrew File System: http://manpages.ubun..._listmax.1.html
Most likely you do not use Andrew File System, thus the output from these commands makes no sense.


Yeah you're not really getting it. I absolutely did not want to use AFS, but AFS was accessing my system, so I was attempting to query it. As root, you might note.

Probably because you've run some chmod -R, or chown -R commands in the wrong place.


Oh good god. I've never run chmod or chown commands in my entire life. I barely do anything except query data until my systems crash. I'm tired of conversations like these; are you just wasting my time?

Linux has extensive logging, so it should be easy to find out why samba got installed (it could have been installed as a dependency of another package).
You can start from /var/log/apt/history.log, and (if you regain sudo) /var/log/apt/term.log.
/var/log/messages is also a good place.

SO DOES WINDOWS!!!

You can also try asking on various Linux forums/IRC channels, I'm sure you'll find someone to help you if you are patient and willing to listen.



On Launchpad, I had a genius helping me out and he was mostly concerned about AFS accessing my system; more so than I was - I was all fretting over an unexplainable .local domain which was killing Avahi. But I'm using Windows for a few reasons currently, purely functional as I don't know my way around the Terminal yet. And don't have time to learn, because I keep getting pulled into ridiculous conversations proving what I've PROVEN 15 posts back.

It might be that your Windows install media is somehow corrupted, or some program that you install is malicious.



Or it might be what the evidence has been saying it is all along.

Posted Image
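Edwin's pointer to /var/log/apt/history.log is the concrete one in this exchange: every apt transaction there records the command line that was run and marks packages pulled in to satisfy a dependency as "automatic". The script below is an added example (not from the thread) that parses that file, finds the transaction which installed a given package and reports whether it was asked for explicitly or dragged in as a dependency. The log text and the package names in the sample are constructed for the example; they do not describe the poster's machine.

```python
"""Added example (not from the thread): find which apt transaction
installed a package, and whether it came in as a dependency.

/var/log/apt/history.log is a sequence of blocks (Start-Date, Commandline,
Install/Upgrade/Remove lines, End-Date). In the Install line each package
is followed by "(version)" or "(version, automatic)"; "automatic" means
apt pulled it in to satisfy a dependency of something on the command line.

The log text below is constructed for the example; the package
"desktop-extras" is made up and no claim is made about what actually
installed samba on the poster's system.
"""
import re
from typing import List, Optional

SAMPLE_HISTORY = """\
Start-Date: 2011-04-25  19:02:11
Commandline: apt-get install desktop-extras
Install: libsmbclient (2:3.5.8~dfsg-1ubuntu2, automatic), samba-common (2:3.5.8~dfsg-1ubuntu2, automatic), desktop-extras (41)
End-Date: 2011-04-25  19:03:40

Start-Date: 2011-04-26  08:15:00
Commandline: apt-get remove desktop-extras
Remove: desktop-extras (41)
End-Date: 2011-04-26  08:15:20
"""

# "name (version[, automatic])", comma-separated; the version itself may contain
# colons and tildes but never parentheses, so match on the parentheses.
_ITEM_RE = re.compile(r"(\S+) \(([^()]*)\)")


def parse_apt_history(text: str) -> List[dict]:
    """Return one dict per transaction with start, commandline, installs, removes."""
    txns: List[dict] = []
    cur: Optional[dict] = None
    for line in text.splitlines():
        key, _, rest = line.partition(":")
        rest = rest.strip()
        if key == "Start-Date":
            cur = {"start": rest, "commandline": "", "installs": {}, "removes": []}
        elif cur is None:
            continue
        elif key == "Commandline":
            cur["commandline"] = rest
        elif key == "Install":
            for pkg, info in _ITEM_RE.findall(rest):
                version, _, flag = info.partition(",")
                # Strip a multiarch ":amd64" suffix if present; "automatic" marks a dependency.
                cur["installs"][pkg.split(":")[0]] = (version.strip(), flag.strip() == "automatic")
        elif key == "Remove":
            cur["removes"] = [pkg.split(":")[0] for pkg, _ in _ITEM_RE.findall(rest)]
        elif key == "End-Date":
            txns.append(cur)
            cur = None
    return txns


def find_installer(txns: List[dict], package: str) -> Optional[dict]:
    """Describe the transaction that installed `package`, or None if apt never did."""
    for t in txns:
        if package in t["installs"]:
            version, automatic = t["installs"][package]
            explicit = sorted(p for p, (_, auto) in t["installs"].items() if not auto)
            return {
                "start": t["start"],
                "commandline": t["commandline"],
                "version": version,
                "automatic": automatic,
                "explicit": explicit,  # what the user actually asked for
            }
    return None


if __name__ == "__main__":
    import sys
    # Usage on a live host:  python3 apt_who.py samba-common < /var/log/apt/history.log
    package = sys.argv[1] if len(sys.argv) > 1 else "samba-common"
    text = SAMPLE_HISTORY if sys.stdin.isatty() else sys.stdin.read()
    print(find_installer(parse_apt_history(text), package))
```

Rotated copies of the log are compressed, so search them all with zcat -f /var/log/apt/history.log* | python3 apt_who.py samba-common. A result with automatic True and a command line naming something else is the dependency case Edwin describes; a result of None means apt never installed that package, which points at the installer's package selection or at something outside apt.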


#12 goscuter1

Posted 29 April 2011 - 11:00 PM

Also if you are paranoid download the full install DVD, disconnect your network cable, install, and run that way for a while. Then see that nothing happens when you connect the internet cable.


I just don't know if you're levelling with me or having a laugh. But literally what do you think I've been doing after hours of zero-filling? Just jumping straight on the network? For heaven's sake...

Again, if you are paranoid there is tripwire: it creates a secure hash of every file on your system, you can digitally sign it with a key that you keep on removable media, etc.


GREAT..! HOW DO I GET IT ON MY SYSTEMS? Or am I supposed to secure hash in the corruption, you understand that's what's happening? The second the control order from the disc is launched, the PCI controllers launch into action and execute their preset commands. It's all there in the installation logs, thousands of them.


That looks pretty normal: some USB controllers, Audio controllers, Video controller, etc. The unknown ID just means that its ID isn't in the PCI ID database, because no one has added it yet.


No. It's not normal. That's utter nonsense. And I'm not going to accept anyone else claiming that 50 virtual terminals on a fresh install or BUILTIN Administrator being unable to do squat or really any of this crap from now on. You think it's normal? Fine, reproduce it. I'm sick of hearing that ridiculous line.

Is your windows installed on C: or X:?


It jumps around. Quite literally. There's a Q drive on my Dell I can't touch. Doesn't really matter much to me, LIKE IT REALLY DOESN'T CHANGE MUCH FOR ME.


Posted Image

#13 goscuter1

Posted 30 April 2011 - 10:49 AM

Posted Image

Posted Image

Posted Image

Posted Image

Posted Image

Posted Image


This RedHat discussion seems to deal indirectly with the security issue I'm facing. I don't really understand it fully but 100% this is what's going on...

https://bugzilla.red...g.cgi?id=526713

Description of problem: PCIe switches allow peer to peer transactions that are routed by the switch and could bypass the VT-d translation hardware, potentially causing unexpected behavior in the system. ACS allows the system to force the PCIe switch to route all traffic upstream so that the VT-d hardware can validate all transactions. The virtualization management tools should not allow direct assignment of a device that is below a non-ACS enabled PCIe switch to a guest.


Chris Wright

Capabilities: [150] Access Control Services

With a standard RHEL 5 lspci, you'd see an unknown PCIe capability such as: Capabilities: [150] Unknown (13)

In the above example the '150' is a device specific offset into the PCIe Extended Configuration Space where the Capability is described. So '150' is not special here and may be different for different PCIe functions (just needs to be greater than 0xFF). The PCIe Capability ID for ACS is 0xD (13). So the string "Access Control Services" (using my patched lspci binary) or the string "Unknown (13)" are the important bit here. If you are not using a patched lspci binary it's much more difficult to describe what to look for to see ACS support enabled (easy to see whether it's capable or not by the (lack of) existence of "Capabilities: [???] Unknown (13)").




NB: my problem is that there are virtualisation management tools there in the first place. Virtualisation that I suspect these hidden drivers are related to?


I unticked every single one of them except for the Realtek Lan controller and my system was running brilliantly. At least for a short while....they certainly were not 'default', let alone ESSENTIAL.

Posted Image
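What the quoted bug report describes can be checked from lspci output without a patched binary, provided you know the two strings to look for. The script below is an added example (not from the thread or from the bug report): a parser for lspci -vvv that reports, per device, whether the ACS capability is present, at which extended-config offset, and whether any ACSCtl bit is actually set when lspci decodes it, plus the list of PCI bridges that lack ACS altogether. The lspci text is constructed to show the three cases (decoded, shown as "Unknown (13)" by an older lspci, absent) and the vendor strings are made up; nothing in it is taken from the poster's screenshots.

```python
"""Added example (not from the thread): check `lspci -vvv` output for the
ACS capability the quoted bug report describes.

acs_status() reports, for every device, whether the Access Control
Services capability is present, at which config-space offset, and (when
lspci decodes it) whether any ACSCtl bit is set. bridges_without_acs()
lists PCI bridges / switch ports that lack it: below those, peer-to-peer
traffic can be routed without passing the IOMMU.

The lspci text below is constructed to show the three cases; vendor
strings are made up, not taken from the poster's screenshots.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_LSPCI = """\
00:1c.0 PCI bridge: Example Corp PCI Express Root Port 1 (rev 06) (prog-if 00 [Normal decode])
\tCapabilities: [40] Express (v2) Root Port (Slot+), MSI 00
\tCapabilities: [150 v1] Access Control Services
\t\tACSCap:\tSrcValid+ TransBlk+ ReqRedir+ CmpltRedir+ UpstreamFwd+ EgressCtrl- DirectTrans-
\t\tACSCtl:\tSrcValid- TransBlk- ReqRedir- CmpltRedir- UpstreamFwd- EgressCtrl- DirectTrans-

00:1c.4 PCI bridge: Example Corp PCI Express Root Port 5 (rev 06) (prog-if 00 [Normal decode])
\tCapabilities: [40] Express (v2) Root Port (Slot+), MSI 00
\tCapabilities: [150] Unknown (13)

03:00.0 PCI bridge: Example Corp PCIe Switch Downstream Port (rev 01)
\tCapabilities: [68] Express (v2) Downstream Port (Slot+), MSI 00

04:00.0 Network controller: Example Corp Wireless Adapter (rev 01)
\tCapabilities: [40] Power Management version 3
"""

# Device header "bb:dd.f description" (optionally prefixed by a PCI domain).
_DEVICE_RE = re.compile(r"^(?:[0-9a-f]{4}:)?([0-9a-f]{2}:[0-9a-f]{2}\.[0-9a-f]) (.*)$")
# "Capabilities: [offset] name" or "Capabilities: [offset vN] name".
_CAP_RE = re.compile(r"^\s+Capabilities: \[([0-9a-f]+)(?: v\d+)?\] (.*)$")
_ACSCTL_RE = re.compile(r"^\s+ACSCtl:\s*(.*)$")

# Extended capability ID 0xD (13) is ACS; an lspci without the decoder prints "Unknown (13)".
_ACS_NAMES = ("Access Control Services", "Unknown (13)")

Status = Tuple[str, Optional[str], str]  # (status, offset, device description)


def acs_status(lspci_text: str) -> Dict[str, Status]:
    """Map BDF -> (status, offset, description); status is one of
    'absent', 'present-undecoded', 'present-disabled', 'enabled'."""
    result: Dict[str, Status] = {}
    bdf: Optional[str] = None
    for line in lspci_text.splitlines():
        dm = _DEVICE_RE.match(line)
        if dm:
            bdf = dm.group(1)
            result[bdf] = ("absent", None, dm.group(2))
            continue
        if bdf is None:
            continue
        cm = _CAP_RE.match(line)
        if cm and cm.group(2) in _ACS_NAMES:
            decoded = cm.group(2) == "Access Control Services"
            # Decoded: assume disabled until an ACSCtl line shows a '+' bit.
            result[bdf] = ("present-disabled" if decoded else "present-undecoded",
                           cm.group(1), result[bdf][2])
            continue
        am = _ACSCTL_RE.match(line)
        if am and result[bdf][0] == "present-disabled":
            if any(tok.endswith("+") for tok in am.group(1).split()):
                result[bdf] = ("enabled", result[bdf][1], result[bdf][2])
    return result


def bridges_without_acs(status: Dict[str, Status]) -> List[str]:
    """PCI bridges (root/downstream ports) whose config space has no ACS capability."""
    return sorted(bdf for bdf, (st, _off, desc) in status.items()
                  if desc.startswith("PCI bridge") and st == "absent")


if __name__ == "__main__":
    import sys
    # Usage on a live host (capabilities need root):  sudo lspci -vvv | python3 acs_check.py
    text = SAMPLE_LSPCI if sys.stdin.isatty() else sys.stdin.read()
    status = acs_status(text)
    for bdf, (st, off, desc) in status.items():
        print(f"{bdf} {st:<18} {off or '-':>4}  {desc}")
    print("bridges without ACS:", bridges_without_acs(status))
```

Capabilities are only printed for root, so run sudo lspci -vvv | python3 acs_check.py. A bridge in the "absent" list is exactly the case the bug report warns about: devices below it can exchange traffic without the IOMMU validating it, which is why the report wants virtualization tools to refuse to assign such devices to guests. A device reported as present-disabled is ACS-capable but has no control bit set.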



