# Task Mngr/Add/Remove Gone - HJT log -Thank you!



## canoli (Apr 26, 2010)

THANK YOU VERY MUCH for taking the time to look at my post. Any help at all will be appreciated.

At 6:37pm last evening I was surfing the net, clicked on a dumb site and up popped what appeared to be a Microsoft alert...the browser window closed and since then I've had all kinds of problems: no task manager, no add/remove programs - every time I want to run a program "Open With" dialog pops up... even when I try to install HJT - but right-clicking and choosing START worked, so I was able to get this log.

I unplugged my cable line to stop the internet and have kept it off most of the time since last night. I've heard a strange "clicking" about every 5 or 10 seconds; that happened for a few minutes, then went away.

I did a scan with UnHackMe and have 4 or 5 virus names that it found and supposedly deleted - actually maybe that was the Avast scan that told me the names. I can't remember now. I took pictures of my screen as the scan was going along, then later went to the Event Viewer and got this info:

Here are the viruses I have according to the Event Viewer:

Win32:JunkPoly (Cryp)
Win32:Ertfor(Trj)
Win32:Malware-gen
Win32:Qandr (Rtk)
Win32:Patched-MA (Trj)

I can tell you the locations they were found in as well if you want - some were in the Temp folder, most in sys32.

Here's my HJT log - and THANK YOU SO INCREDIBLY MUCH for taking the time to help me - if you can...I'm really hoping to avoid the Recovery Console on this laptop, as I have many programs installed, some big ones too - like Adobe CS4 and Office, and a ton of smaller ones as well. Anyway - whatever it takes! Thanks again!!

XP Pro sp3 on a Lenovo T500 laptop - about 16 months old. No prior infections. Avast subscription and Windows Firewall and Spybot are the extent of my protection from viruses/malware/etc. Up till now it's been sufficient. Thanks again!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:25:43 AM, on 4/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\system32\PSIService.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Documents and Settings\RKC\Desktop\procexp.exe
C:\Documents and Settings\RKC\Desktop\windows-kb890830-v3.6.exe
z:\5569a77aee76ea27b465e6bd82bf\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lenovo.com/welcome/thinkpad
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Password Manager Browser Helper Object - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\ServicePackFiles\i386\msconfig.exe /auto
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\PROGRAM FILES\XEMICOMPUTERS\ACTIVE DESKTOP CALENDAR\ADC.EXE
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - HKCU\..\Run: [Stickies] C:\Program Files\Bret Taylor\Stickies\Stickies.exe
O4 - HKCU\..\Run: [Kana Reminder] "C:\Documents and Settings\RKC\Desktop\Reminder.exe"
O4 - HKCU\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\RKC\LOCALS~1\TEMP\NVSVC32.EXE
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\RKC\LOCALS~1\Temp\cmd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
O4 - Global Startup: ProfileReminder.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe
O4 - Global Startup: WinColor.exe.lnk = C:\Program Files\Pro Imaging Powertoys\Microsoft Color Control Panel Applet for Windows XP\WinColor.exe
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1252886731015
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: ATFUS - C:\WINDOWS\system32\FpWinLogonNp.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: Nalpeiron Licensing Service (ASTSRV) - Nalpeiron Ltd. - C:\WINDOWS\system32\ASTSRV.EXE
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - Unknown owner - C:\WINDOWS\system32\AtService.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Update Service (gupdate1c9bebe93c143b0) (gupdate1c9bebe93c143b0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LKQCZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\RKC\LOCALS~1\Temp\LKQCZ.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TSS Core Service (TSSCoreService) - Lenovo - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe

--
End of file - 13489 bytes

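A defender reading a HijackThis log looks for a few telltale patterns, and several of them appear in the log above: an extra executable chained onto the Winlogon UserInit value, Run entries and services launched from a Temp directory, and autorun value names that look machine-generated. The script below is an added example, not code from the thread or from HijackThis; it applies those heuristics to lines copied from the log above, and the length and vowel-ratio thresholds are assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\RKC\LOCALS~1\TEMP\NVSVC32.EXE
O4 - HKUS\S-1-5-18\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\RKC\LOCALS~1\Temp\cmd.exe (User 'SYSTEM')
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: LKQCZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\RKC\LOCALS~1\Temp\LKQCZ.exe
"""

# A path component named Temp (HJT prints 8.3 short names, so LOCALS~1\Temp still matches).
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")
RUN_NAME = re.compile(r"\[([^\]]+)\]")


@dataclass
class Finding:
    line: str
    reason: str


def userinit_chain(line: str) -> list[str] | None:
    """Return the comma-separated UserInit entries, or None for non-F2 lines."""
    m = USERINIT.match(line)
    if not m:
        return None
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


def looks_random(name: str) -> bool:
    """Heuristic (assumed thresholds): long, space-free value names with very
    few vowels among their letters are typical of generated autorun names."""
    if len(name) < 20 or " " in name:
        return False
    letters = [c for c in name.lower() if c.isalpha()]
    if not letters:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.2


def check_line(line: str) -> list[str]:
    """Apply the heuristics to one HJT line; return the reasons it is suspicious."""
    reasons: list[str] = []
    chain = userinit_chain(line)
    if chain is not None:
        # Only userinit.exe itself belongs here; anything else runs at every logon.
        extra = [e for e in chain if not e.lower().endswith(r"\userinit.exe")]
        if extra:
            reasons.append("UserInit chains extra executable(s): " + ", ".join(extra))
    if line.startswith("O4 - "):
        if TEMP_DIR.search(line):
            reasons.append("autorun launches a program from a Temp directory")
        m = RUN_NAME.search(line)
        if m and looks_random(m.group(1)):
            reasons.append("autorun value name looks generated: " + m.group(1))
    if line.startswith("O23 - Service:") and TEMP_DIR.search(line):
        reasons.append("service binary lives in a Temp directory")
    return reasons


def scan(log_text: str) -> list[Finding]:
    """Run check_line over every line of a log and collect the findings."""
    return [Finding(line, r) for line in log_text.splitlines() for r in check_line(line)]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```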

----------



## canoli (Apr 26, 2010)

Can't tell if things are getting better or worse. Microsoft's Malware Removal tool didn't find anything but Avast keeps saying there's a virus, wants to shut down and do a scan. I did that but it didn't find anything. As I said earlier, Avast found 5 or 6 virus/trojans/malware the first time I scanned, right after the symptoms started.

Still can't get to Task Mngr or Add/Remove or Windows Firewall, and every app I click brings up the "Open With" dialog box. On the good side, the C: and the E: drive (E is a 5GB Lenovo "Recovery Partition") are now showing up in Disk Mngmt, which they weren't before (though all my other drives were - I have 3 ext HDDs)

Anyway just thought I'd keep a running account of what's going on with this computer...boy this will teach me to surf indiscriminately, just clicking on anything and everything... I thought I was protected with Windows Firewall and an updated Avast but I guess not.

just got the Avast popup - it says it found File Name: SVC: PRAGMAfpyycwxbvf - Type: Hidden services - lets me choose Delete or Ignore. I deleted it last time it came up, about 10 minutes ago and followed Avast's recommendation to do a boot scan, but it didn't find anything.


----------



## canoli (Apr 26, 2010)

Just another update - Avast found the virus again while I was online, recommended I do a boot scan so I did. This time it found C:\WINDOWS\PRAGMAfpyycwxbvf\PRAGMAd.sys is infected by win32:Rootkit-gen [Rtk]

So I deleted it.

Still no Task Mngr, Add/Remove/Windows Firewall...etc. "Open With" still pops up whenever I try to launch a program.

Thanks again for your time!


----------



## canoli (Apr 26, 2010)

another update - Task Manager is back. Still can't get to System Restore though. can't Right-Click on My Computer and get to Properties, or go to Programs>Accessories>System Tools - says that the C:\system32\rundll32.exe - Application not found.

anyway - got the Task Manager back - hopefully that means Progress! also, the C: and E: drives are showing up now in Disk Mngmt.


----------



## canoli (Apr 26, 2010)

update again - I booted into Safe Mode and was able to run regedit - didn't do anything, just wanted to see if I could get access and I did. 

still most of the same problems though - no System Restore "Turned off by Group Policy - see Administrator" - and of course I am logged in as Administrator. In Safe Mode I was able to right-click on My Computer but the System Restore tab is missing - I was able to access everything else, including Device Manager.

also - does the context (right-click) menu normally have the word "start" in it? For applications I mean. I don't recall seeing that before, though I never looked one way or the other.

Thanks again for your help!


----------



## canoli (Apr 26, 2010)

and yet another update (sorry if this is all useless - figure the more info the better)

Things seem to be getting back to normal. UnHackMe still doesn't like something and pops up a message but most stuff is working normally. It "feels" like I'm getting closer to cleaning out whatever grabbed me - did Housecall, Spybot (which found a bunch of stuff - I have a list if you're interested), Avast a few times, UnHackMe a bunch of times. So between all that, some in Safe Mode, some not, almost all with the Cable feed unplugged, I've got what appears to be a working computer again.

But there are still some ominous signs. Like a "Windows detected a corrupt file on volume 3" something-something...And another thing that's odd is that System Restore came back - it's on, monitoring - but the Turn Off System Restore option is grayed out. In parentheses (also grayed out) it says "Disabled By Group Policy".

I did go to gpedit.msc but I didn't change anything. And I didn't change anything in the registry.

Also that word "start" that was in my context menu of program icons - that's gone. had a feeling it wasn't there before this mess. I'm sure by using it I screwed up things even more but that was the only way to open firefox and practically anything else. 

Anyway - like I said - sorry if this is OVERKILL on the information - and THANK YOU VERY MUCH whoever you may be who comes to my rescue!


----------



## canoli (Apr 26, 2010)

ran Malwarebytes - found a bunch of stuff - deleted it - set a Restore Point first. 

googled "system restore turned off by Group Policy" and found a registry fix - followed the instructions (backed up the key first) and "Turn off System Restore" is no longer grayed out.

Feels like I'm getting there but I wish I could be sure. Hopefully there's still some help you can give me. I can always post another HJT log if you think that'll be useful.

Thanks again!


----------



## canoli (Apr 26, 2010)

Avast keeps popping up with a Suspicious File - but it's weird because their advice is to Ignore it. You can choose Ignore or Delete and they recommend "Ignore." Doesn't that seem a little strange? It starts with PRAGMA- and then a bunch of what appear to be random letters. I tried deleting it and I've ignored it (but I didn't check "Don't tell me about this threat again", so I guess that's why it keeps popping up). No location - Avast says it's a Hidden Service...

Hope someone can take a look and help me out - THANKS!


----------



## canoli (Apr 26, 2010)

help...?

I know it says to be patient, and I am....seems like I'm getting buried in newer posts....


----------



## canoli (Apr 26, 2010)

Avast keeps popping up with a Suspicious File- PRAGMAffyy....more letters....

Don't know what to do here - I'm sure this computer is still infected ...

Please help if you can - Thanks...


----------



## canoli (Apr 26, 2010)

almost 3 days now...can someone tell me whether I should keep waiting or...should I post this again somewhere else?

If you don't think I need help or whatever then please just tell me and I can search elsewhere.

Thanks!


----------



## canoli (Apr 26, 2010)

wow - totally ignored. I didn't expect that.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *canoli*

Welcome.

Sorry for the delay. You are never ignored, but our trained personnel are very busy.

Please download ComboFix from *Here* or *Here* to your Desktop.

***Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop***

If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

During the download, rename *Combofix* to *Combo-Fix* as follows:

It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_.
_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._
-----------------------------------------------------------

Close any open browsers. 
*WARNING: Combofix will disconnect your machine from the Internet as soon as it starts*
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on *combo-Fix.exe* & follow the prompts.
Install the Recovery Console if prompted.
When finished, it will produce a report for you. 
Please post the *"C:\Combo-Fix.txt"*.
***Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall***

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.


----------



## canoli (Apr 26, 2010)

JS - 

Thanks so much for your reply. 

I wanted to ask you a question before I run Combofix . My computer is 99% back to normal. 
All is well except for one thing. Whenever I boot up Avast pops up a window that says:

Warning: Suspicious File Found. 

File name SVC: "PRAGMAfpycwxbvf...." 
Type Hidden services

Avast lets you choose "Delete" or "Ignore" and the recommendation from Avast is to "Ignore."
It also lets you choose "Do not tell me about this file in the future." I won't do that until I'm sure this file can safely be ignored.

So anyway my question is, should I still go through the process with Combofix and whatever else is after that?

Thanks again JS for your reply, and thank you very much for your help. It is very much appreciated.


----------



## JSntgRvr (Jul 1, 2003)

canoli said:


> JS -
> 
> Thanks so much for your reply.
> 
> ...


It is one of the Backdoor Trojans. Combofix should help you remove it.


----------



## canoli (Apr 26, 2010)

Thanks for your reply. 

yuk - is it really? Why would Avast recommend I IGNORE this file? Is it doing any harm right now? I mean, should I not be using this computer online right now?


----------



## JSntgRvr (Jul 1, 2003)

canoli said:


> Thanks for your reply.
> 
> yuk - is it really? Why would Avast recommend I IGNORE this file? Is it doing any harm right now? I mean, should I not be using this computer online right now?


Canoli, I have many people depending on me to help them solve their problems. I really don't have the time to explain myself. I am a trained professional. I give you advice; you either take it or leave it. If you feel your computer is safe let me know. I will close the thread and move on.

Thanks for understanding.


----------



## canoli (Apr 26, 2010)

I understand. I wasn't looking for a long explanation or anything, just whether I'm harming my computer by using it. Can you tell me that at least?


----------



## canoli (Apr 26, 2010)

okay - here's the Combo-fix log.

FYI - I got the same Avast warning dialog on the reboot - same file 
file name SVC: PRAGMAfpyycwxbvf 
type Hidden Services

Thank you.

ComboFix 10-04-30.03 - RKC 04/30/2010 23:15:44.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3066.2247 [GMT -4:00]
Running from: c:\documents and settings\RKC\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1368 [VPS 100430-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\RKC\Local Settings\Temporary Internet Files\0fEh0.jpg
c:\documents and settings\RKC\Local Settings\Temporary Internet Files\n7q33.jpg
c:\documents and settings\RKC\Local Settings\Temporary Internet Files\naQl8qC.jpg
c:\documents and settings\RKC\Local Settings\Temporary Internet Files\qjS2Gn.jpg
c:\program files\WindowsUpdate
c:\recycler\S-1-5-21-2373098477-2479653578-385586937-500
c:\windows\system32\drivers\npf.sys
c:\windows\system32\lsprst7.dll
c:\windows\system32\Packet.dll
c:\windows\system32\ssprs.dll
c:\windows\system32\Thumbs.db
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Legacy_NPF
-------\Service_Ias
-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2010-04-01 to 2010-05-01 )))))))))))))))))))))))))))))))
.

2010-04-28 22:07 . 2010-04-28 22:09 -------- d-----w- c:\program files\Ubisoft
2010-04-28 21:42 . 2010-04-30 07:10 -------- d-----w- c:\program files\Texas Holdem
2010-04-27 23:59 . 2010-04-27 23:59 -------- d-----w- c:\program files\Synaptics
2010-04-27 23:47 . 2010-01-21 15:46 441168 ----a-w- c:\documents and settings\RKC\Application Data\Mozilla\Firefox\Profiles\haps8vox.default\extensions\[email protected]\plugins\npLogitechDeviceDetection.dll
2010-04-27 07:15 . 2010-04-27 07:15 -------- d-----w- c:\documents and settings\RKC\Application Data\Malwarebytes
2010-04-27 07:14 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-27 07:14 . 2010-04-27 07:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-27 07:14 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 07:14 . 2010-04-27 07:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-27 01:14 . 2010-04-27 01:14 -------- d-----w- c:\program files\McAfeeRootkitDetect
2010-04-26 19:16 . 2010-04-26 19:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-04-26 19:14 . 2010-04-26 19:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-04-26 16:14 . 2010-04-26 16:14 10752 ----a-w- c:\windows\DCEBoot.exe
2010-04-26 16:07 . 2010-04-27 06:49 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-04-26 07:24 . 2010-04-26 07:24 -------- d-----w- c:\program files\Trend Micro
2010-04-26 02:01 . 2010-04-26 02:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2010-04-25 22:38 . 2010-04-25 22:38 36 ----a-w- c:\program files\skynet.dat
2010-04-05 16:46 . 2010-04-05 16:46 -------- d-----w- c:\program files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-01 03:22 . 2008-11-08 03:44 -------- d-----w- c:\documents and settings\RKC\Application Data\WTablet
2010-05-01 03:21 . 2008-11-08 04:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-04-30 20:17 . 2009-04-16 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-30 14:49 . 2009-01-11 18:53 -------- d-----w- c:\documents and settings\RKC\Application Data\vlc
2010-04-28 22:43 . 2008-08-18 08:52 89632 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-28 22:24 . 2008-08-18 08:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-28 20:53 . 2008-10-31 19:09 -------- d-----w- c:\program files\Canon
2010-04-27 03:31 . 2008-11-26 02:38 -------- d-----w- c:\program files\UnHackMe
2010-04-27 00:25 . 2008-11-08 20:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-25 22:41 . 2008-10-31 08:34 -------- d-----w- c:\documents and settings\RKC\Application Data\Azureus
2010-04-16 18:31 . 2008-12-06 23:45 -------- d-----w- c:\documents and settings\RKC\Application Data\dvdcss
2010-04-15 13:08 . 2009-11-23 16:47 -------- d-----w- c:\program files\MyDefrag v4.2.6
2010-04-11 19:11 . 2009-04-16 18:09 -------- d-----w- c:\program files\Google
2010-03-21 14:15 . 2010-01-03 18:33 -------- d-----w- c:\program files\Unlocker
2010-03-18 05:58 . 2010-03-18 05:23 224200 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-18 05:39 . 2008-10-31 08:34 -------- d-----w- c:\program files\Azureus
2010-03-18 05:24 . 2010-03-18 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-03-18 05:23 . 2008-11-22 02:11 -------- d-----w- c:\program files\MSBuild
2010-03-18 05:22 . 2010-03-18 05:22 -------- d-----w- c:\program files\Reference Assemblies
2010-03-17 00:43 . 2010-03-17 00:43 1391 ----a-w- c:\program files\cs4_and_color_finesse_serials.txt
2010-03-15 18:12 . 2010-03-15 18:12 -------- d-----w- c:\program files\UCT
2010-03-11 12:38 . 2006-04-30 06:56 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2006-04-30 06:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2006-04-30 06:55 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2006-04-30 06:56 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2006-04-30 06:55 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 03:43 . 2009-05-08 16:21 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-02-23 03:43 . 2009-05-08 16:21 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-02-22 08:09 . 2008-12-14 02:52 38784 ----a-w- c:\documents and settings\RKC\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-16 14:08 . 2006-04-30 06:55 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-04-30 06:55 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-04-30 06:56 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-01-02 19:20 . 2010-01-02 19:20 575750 ----a-w- c:\program files\lame3.98.2.zip
2009-12-16 20:07 . 2009-12-16 20:07 19606 ----a-w- c:\program files\trapcodeform.log
2009-05-10 08:38 . 2009-05-10 04:13 4877 ----a-w- c:\program files\trapcode3Dstroke.log
2009-05-10 08:33 . 2009-05-10 08:33 1942 ----a-w- c:\program files\trapcodelux.log
2009-05-10 04:12 . 2009-05-10 04:12 17430 ----a-w- c:\program files\trapcodeparticular.log
2007-07-17 16:13 . 2008-02-08 21:21 61440 ----a-w- c:\program files\RGSGrowBounds.aex
2008-11-26 02:38 . 2008-11-26 02:38 2 --shatr- c:\windows\winstart.bat
2008-10-31 05:33 . 2008-10-31 05:33 8 --sh--r- c:\windows\system32\A845F5E83A.sys
2008-10-31 05:35 . 2008-10-31 05:33 1160 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="c:\program files\XEMICOMPUTERS\ACTIVE DESKTOP CALENDAR\ADC.EXE" [2008-07-29 3780608]
"Stickies"="c:\program files\Bret Taylor\Stickies\Stickies.exe" [2007-03-14 335872]
"Kana Reminder"="c:\documents and settings\RKC\Desktop\Reminder.exe" [2007-11-15 1198592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2008-06-07 181536]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-05-14 487424]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-09-25 331776]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-09-25 208896]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-11-13 611712]
"UltraMon"="c:\program files\UltraMon\UltraMon.exe" [2006-10-13 304640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-04 1323008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\RKC\Start Menu\Programs\Startup\AutorunsDisabled
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-12 805392]
Logo Calibration Loader.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2009-6-25 708608]
ProfileReminder.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe [2009-6-25 954368]
WinColor.exe.lnk - c:\program files\Pro Imaging Powertoys\Microsoft Color Control Panel Applet for Windows XP\WinColor.exe [2005-10-31 371456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoSMMyPictures"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2008-05-10 14:24 180224 ----a-w- c:\windows\system32\FpWinlogonNp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 07:02 34080 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\t:\0autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path= 
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path= 
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^RKC^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\RKC\Start Menu\programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^RKC^Start Menu^Programs^Startup^Product Registration.lnk]
path= 
backup=c:\windows\pss\Product Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^RKC^Start Menu^Programs^Startup^SCRABBLE Complete Registration.lnk]
path= 
backup=c:\windows\pss\SCRABBLE Complete Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FingerPrintSoftware]
c:\program files\Lenovo Fingerprint Software\fpapp.exe \s [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACWLIcon]
2008-07-31 02:17 143360 ----a-w- c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-02 18:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
2007-02-01 18:00 419376 ----a-w- c:\progra~1\THINKV~1\AMSG\Amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth]
2008-06-14 03:08 3073336 ----a-w- c:\program files\Lenovo\Client Security Solution\cssauth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
2008-06-04 17:36 242976 ----a-w- c:\progra~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPMailChecker]
2008-06-08 18:00 124248 ----a-w- c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
2008-06-08 18:00 165208 ----a-w- c:\progra~1\THINKV~1\PrdCtr\LPMGR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2008-07-07 07:34 167936 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 20:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-04-16 18:09 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPFNF7]
2008-07-30 19:00 60192 ----a-w- c:\program files\Lenovo\NPDIRECT\tpfnf7sp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Atari\\Scrabble Complete\\ScrabbleComplete.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Adobe\\Adobe Flash CS4\\Flash.exe"=
"c:\\Program Files\\Adobe\\Flex Builder 3\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Adobe\\Adobe After Effects CS4\\Support Files\\AfterFX.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [5/14/2008 7:21 PM 19496]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1/12/2009 12:18 AM 114768]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/9/2008 8:50 AM 46144]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2/1/2010 4:01 PM 57344]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/12/2009 12:18 AM 20560]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [1/16/2008 11:52 AM 664840]
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [6/25/2009 8:53 AM 14416]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [8/18/2008 5:04 AM 94208]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [3/14/2009 10:54 AM 23200]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [11/7/2008 11:43 PM 3032360]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [5/14/2008 7:25 PM 520192]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/9/2008 8:50 AM 360448]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [9/24/2006 10:22 PM 11776]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [8/18/2008 4:53 AM 475136]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [8/18/2008 4:21 AM 243856]
R3 i1display;i1 Display;c:\windows\system32\drivers\i1display.sys [6/25/2009 9:18 AM 44344]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 6:54 PM 37312]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [9/24/2006 10:23 PM 3584]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [11/7/2008 11:43 PM 15144]
S1 SysTool;SysTool Overclocking Utility;c:\windows\system32\drivers\SysTool.sys [11/10/2006 9:08 AM 24064]
S2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe --> c:\windows\system32\AtService.exe [?]
S2 gupdate1c9bebe93c143b0;Google Update Service (gupdate1c9bebe93c143b0);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2009 2:10 PM 133104]
S2 SessionLauncher;SessionLauncher;c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 6:46 AM 288112]
S3 AJISCOVC;AJISCOVC;c:\docume~1\ADMINI~1\LOCALS~1\Temp\AJISCOVC.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\AJISCOVC.exe [?]
S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [11/25/2008 10:57 PM 30946]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [1/16/2008 11:52 AM 894216]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [4/25/2008 11:15 AM 1120752]
S4 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [5/10/2008 10:24 AM 102400]
.
Contents of the 'Scheduled Tasks' folder

2008-12-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-16 18:09]

2010-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 18:10]

2010-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 18:10]

2010-05-01 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2009-06-28 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2009-02-20 20:57]

2010-05-01 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-08-18 06:47]

2010-05-01 c:\windows\Tasks\SyncToyCmd TcreationsToY.job
- c:\program files\SyncToy 2.1\SyncToyCmd.exe [2009-10-19 07:58]

2010-05-01 c:\windows\Tasks\SyncToyCmd.job
- c:\program files\SyncToy 2.1\SyncToyCmd.exe [2009-10-19 07:58]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\RKC\Application Data\Mozilla\Firefox\Profiles\haps8vox.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - component: c:\documents and settings\RKC\Application Data\Mozilla\Firefox\Profiles\haps8vox.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: c:\documents and settings\RKC\Application Data\Mozilla\Firefox\Profiles\haps8vox.default\extensions\[email protected]\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)
Notify-ACNotify - ACNotify.dll
MSConfigStartUp-GrooveMonitor - c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
MSConfigStartUp-Kana Reminder - c:\documents and settings\RKC\Desktop\Reminder-2.0.0.122b\Reminder.exe
MSConfigStartUp-SandboxieControl - c:\program files\Sandboxie\SbieCtrl.exe
AddRemove-_{05D60953-9012-44DF-A1A6-9DD97AD6580A} - c:\program files\Corel\Corel Painter X\MSILauncher {05D60953-9012-44DF-A1A6-9DD97AD6580A}

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-30 23:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-468252708-3274475066-233985201-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:0c,ad,df,fd,f9,7d,0a,38,1d,f4,91,5a,c5,94,21,97,00,44,e9,8d,78,
88,ac,03,98,ec,dc,37,b7,51,8d,d2,98,da,db,d6,17,fd,3e,33,85,a2,95,1d,09,a6,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:0c,ad,df,fd,f9,7d,0a,38,1d,f4,91,5a,c5,94,21,97,00,44,e9,8d,78,
88,ac,03,98,ec,dc,37,b7,51,8d,d2,98,da,db,d6,17,fd,3e,33,85,a2,95,1d,09,a6,\

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\ACPI\IBM0057\4&ef53bae&0\LogConf]
@DACL=(02 0000)
"BasicConfigVector"=hex(a):48,00,00,00,0f,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,01,00,01,00,00,00,00,02,\
"BootConfig"=hex(8):01,00,00,00,0f,00,00,00,00,00,00,00,01,00,01,00,01,00,00,
00,02,01,01,00,0c,00,00,00,0c,00,00,00,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_046d&Pid_c517&MI_01&Col01\8&24e84269&0&0000\LogConf]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_046d&Pid_c517&MI_01&Col01\9&21264f1c&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\FpWinLogonNp.dll
c:\program files\Lenovo Fingerprint Software\ATCSSINT.dll
c:\program files\Lenovo Fingerprint Software\SharedResources.dll
c:\program files\Lenovo Fingerprint Software\FPResource.dll
c:\program files\Lenovo\Client Security Solution\CSS_Enroll.dll
c:\program files\Lenovo\Client Security Solution\css_banner.dll
c:\windows\system32\cssuserdatadispatcher.dll
c:\windows\system32\tvttsp.dll
c:\windows\system32\tcsrpc.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'explorer.exe'(3812)
c:\windows\system32\WININET.dll
c:\program files\UltraMon\RTSUltraMonHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\XEMICOMPUTERS\ACTIVE DESKTOP CALENDAR\MouseHook.dll
c:\windows\system32\ieframe.dll
c:\program files\UltraMon\Resources\en\RTSUltraMonHookRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\UltraMon\UltraMonTaskbar.exe
.
**************************************************************************
.
Completion time: 2010-04-30 23:27:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-01 03:27

Pre-Run: 113,594,933,248 bytes free
Post-Run: 113,528,881,152 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /PAE

- - End Of File - - BB94F5DDB7EFC14BFA38CF8E9C44F310


----------



## JSntgRvr (Jul 1, 2003)

If present, Combofix is not seeing it. Let's try that again, based on your observations.


*Copy the entire contents of the Quote Box* below to *Notepad*.
Name the file as *CFScript.txt*
Change the *Save as Type* to *All Files*
and *Save* it on the *desktop*



> File::
> c:\program files\skynet.dat
> 
> Folder::
> ...

Once saved, referring to the picture above, drag *CFScript.txt* into *ComboFix.exe*, and post back the resulting report.


----------



## canoli (Apr 26, 2010)

Okay, here's the 2nd log.
FYI: got the same Avast warning again after the reboot.

ComboFix 10-04-30.03 - RKC 05/01/2010 9:41.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3066.2391 [GMT -4:00]
Running from: c:\documents and settings\RKC\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\RKC\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100430-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\program files\skynet.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\skynet.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AJISCOVC
-------\Legacy_ATSERVICE
-------\Legacy_DISKCHK
-------\Legacy_PRAGMAFPYYCWXBVF
-------\Legacy_SESSIONLAUNCHER
-------\Service_AJISCOVC
-------\Service_ATService
-------\Service_diskchk
-------\Service_PRAGMAfpyycwxbvf
-------\Service_SessionLauncher

((((((((((((((((((((((((( Files Created from 2010-04-01 to 2010-05-01 )))))))))))))))))))))))))))))))
.

2010-04-28 22:07 . 2010-04-28 22:09 -------- d-----w- c:\program files\Ubisoft
2010-04-28 21:42 . 2010-04-30 07:10 -------- d-----w- c:\program files\Texas Holdem
2010-04-27 23:59 . 2010-04-27 23:59 -------- d-----w- c:\program files\Synaptics
2010-04-27 23:47 . 2010-01-21 15:46 441168 ----a-w- c:\documents and settings\RKC\Application Data\Mozilla\Firefox\Profiles\haps8vox.default\extensions\[email protected]\plugins\npLogitechDeviceDetection.dll
2010-04-27 07:15 . 2010-04-27 07:15 -------- d-----w- c:\documents and settings\RKC\Application Data\Malwarebytes
2010-04-27 07:14 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-27 07:14 . 2010-04-27 07:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-27 07:14 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 07:14 . 2010-04-27 07:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-27 01:14 . 2010-04-27 01:14 -------- d-----w- c:\program files\McAfeeRootkitDetect
2010-04-26 19:16 . 2010-04-26 19:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-04-26 19:14 . 2010-04-26 19:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-04-26 16:14 . 2010-04-26 16:14 10752 ----a-w- c:\windows\DCEBoot.exe
2010-04-26 16:07 . 2010-04-27 06:49 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-04-26 07:24 . 2010-04-26 07:24 -------- d-----w- c:\program files\Trend Micro
2010-04-26 02:01 . 2010-04-26 02:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2010-04-05 16:46 . 2010-04-05 16:46 -------- d-----w- c:\program files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-01 13:47 . 2008-11-08 03:44 -------- d-----w- c:\documents and settings\RKC\Application Data\WTablet
2010-05-01 13:47 . 2008-11-08 04:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-05-01 05:24 . 2009-01-11 18:53 -------- d-----w- c:\documents and settings\RKC\Application Data\vlc
2010-04-30 20:17 . 2009-04-16 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-28 22:43 . 2008-08-18 08:52 89632 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-28 22:24 . 2008-08-18 08:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-28 20:53 . 2008-10-31 19:09 -------- d-----w- c:\program files\Canon
2010-04-27 03:31 . 2008-11-26 02:38 -------- d-----w- c:\program files\UnHackMe
2010-04-27 00:25 . 2008-11-08 20:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-25 22:41 . 2008-10-31 08:34 -------- d-----w- c:\documents and settings\RKC\Application Data\Azureus
2010-04-16 18:31 . 2008-12-06 23:45 -------- d-----w- c:\documents and settings\RKC\Application Data\dvdcss
2010-04-15 13:08 . 2009-11-23 16:47 -------- d-----w- c:\program files\MyDefrag v4.2.6
2010-04-11 19:11 . 2009-04-16 18:09 -------- d-----w- c:\program files\Google
2010-03-21 14:15 . 2010-01-03 18:33 -------- d-----w- c:\program files\Unlocker
2010-03-18 05:58 . 2010-03-18 05:23 224200 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-18 05:39 . 2008-10-31 08:34 -------- d-----w- c:\program files\Azureus
2010-03-18 05:24 . 2010-03-18 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-03-18 05:23 . 2008-11-22 02:11 -------- d-----w- c:\program files\MSBuild
2010-03-18 05:22 . 2010-03-18 05:22 -------- d-----w- c:\program files\Reference Assemblies
2010-03-17 00:43 . 2010-03-17 00:43 1391 ----a-w- c:\program files\cs4_and_color_finesse_serials.txt
2010-03-15 18:12 . 2010-03-15 18:12 -------- d-----w- c:\program files\UCT
2010-03-11 12:38 . 2006-04-30 06:56 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2006-04-30 06:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2006-04-30 06:55 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2006-04-30 06:56 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2006-04-30 06:55 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 03:43 . 2009-05-08 16:21 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-02-23 03:43 . 2009-05-08 16:21 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-02-22 08:09 . 2008-12-14 02:52 38784 ----a-w- c:\documents and settings\RKC\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-16 14:08 . 2006-04-30 06:55 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-04-30 06:55 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-04-30 06:56 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-01-02 19:20 . 2010-01-02 19:20 575750 ----a-w- c:\program files\lame3.98.2.zip
2009-12-16 20:07 . 2009-12-16 20:07 19606 ----a-w- c:\program files\trapcodeform.log
2009-05-10 08:38 . 2009-05-10 04:13 4877 ----a-w- c:\program files\trapcode3Dstroke.log
2009-05-10 08:33 . 2009-05-10 08:33 1942 ----a-w- c:\program files\trapcodelux.log
2009-05-10 04:12 . 2009-05-10 04:12 17430 ----a-w- c:\program files\trapcodeparticular.log
2007-07-17 16:13 . 2008-02-08 21:21 61440 ----a-w- c:\program files\RGSGrowBounds.aex
2008-11-26 02:38 . 2008-11-26 02:38 2 --shatr- c:\windows\winstart.bat
2008-10-31 05:33 . 2008-10-31 05:33 8 --sh--r- c:\windows\system32\A845F5E83A.sys
2008-10-31 05:35 . 2008-10-31 05:33 1160 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="c:\program files\XEMICOMPUTERS\ACTIVE DESKTOP CALENDAR\ADC.EXE" [2008-07-29 3780608]
"Stickies"="c:\program files\Bret Taylor\Stickies\Stickies.exe" [2007-03-14 335872]
"Kana Reminder"="c:\documents and settings\RKC\Desktop\Reminder.exe" [2007-11-15 1198592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2008-06-07 181536]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-05-14 487424]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-09-25 331776]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-09-25 208896]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-11-13 611712]
"UltraMon"="c:\program files\UltraMon\UltraMon.exe" [2006-10-13 304640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-04 1323008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\RKC\Start Menu\Programs\Startup\AutorunsDisabled
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-12 805392]
Logo Calibration Loader.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2009-6-25 708608]
ProfileReminder.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe [2009-6-25 954368]
WinColor.exe.lnk - c:\program files\Pro Imaging Powertoys\Microsoft Color Control Panel Applet for Windows XP\WinColor.exe [2005-10-31 371456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoSMMyPictures"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2008-05-10 14:24 180224 ----a-w- c:\windows\system32\FpWinlogonNp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 07:02 34080 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\t:\0autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path= 
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path= 
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^RKC^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\RKC\Start Menu\programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^RKC^Start Menu^Programs^Startup^Product Registration.lnk]
path= 
backup=c:\windows\pss\Product Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^RKC^Start Menu^Programs^Startup^SCRABBLE Complete Registration.lnk]
path= 
backup=c:\windows\pss\SCRABBLE Complete Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FingerPrintSoftware]
c:\program files\Lenovo Fingerprint Software\fpapp.exe \s [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACWLIcon]
2008-07-31 02:17 143360 ----a-w- c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-02 18:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
2007-02-01 18:00 419376 ----a-w- c:\progra~1\THINKV~1\AMSG\Amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth]
2008-06-14 03:08 3073336 ----a-w- c:\program files\Lenovo\Client Security Solution\cssauth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
2008-06-04 17:36 242976 ----a-w- c:\progra~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPMailChecker]
2008-06-08 18:00 124248 ----a-w- c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
2008-06-08 18:00 165208 ----a-w- c:\progra~1\THINKV~1\PrdCtr\LPMGR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2008-07-07 07:34 167936 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 20:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-04-16 18:09 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPFNF7]
2008-07-30 19:00 60192 ----a-w- c:\program files\Lenovo\NPDIRECT\tpfnf7sp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Atari\\Scrabble Complete\\ScrabbleComplete.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Adobe\\Adobe Flash CS4\\Flash.exe"=
"c:\\Program Files\\Adobe\\Flex Builder 3\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Adobe\\Adobe After Effects CS4\\Support Files\\AfterFX.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [5/14/2008 7:21 PM 19496]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1/12/2009 12:18 AM 114768]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/9/2008 8:50 AM 46144]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2/1/2010 4:01 PM 57344]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/12/2009 12:18 AM 20560]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [1/16/2008 11:52 AM 664840]
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [6/25/2009 8:53 AM 14416]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [8/18/2008 5:04 AM 94208]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [3/14/2009 10:54 AM 23200]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [11/7/2008 11:43 PM 3032360]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [5/14/2008 7:25 PM 520192]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/9/2008 8:50 AM 360448]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [9/24/2006 10:22 PM 11776]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [8/18/2008 4:53 AM 475136]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [8/18/2008 4:21 AM 243856]
R3 i1display;i1 Display;c:\windows\system32\drivers\i1display.sys [6/25/2009 9:18 AM 44344]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 6:54 PM 37312]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [9/24/2006 10:23 PM 3584]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [11/7/2008 11:43 PM 15144]
S1 SysTool;SysTool Overclocking Utility;c:\windows\system32\drivers\SysTool.sys [11/10/2006 9:08 AM 24064]
S2 gupdate1c9bebe93c143b0;Google Update Service (gupdate1c9bebe93c143b0);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2009 2:10 PM 133104]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 6:46 AM 288112]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [11/25/2008 10:57 PM 30946]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [1/16/2008 11:52 AM 894216]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [4/25/2008 11:15 AM 1120752]
S4 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [5/10/2008 10:24 AM 102400]
.
Contents of the 'Scheduled Tasks' folder

2008-12-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-16 18:09]

2010-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 18:10]

2010-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 18:10]

2010-05-01 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2009-06-28 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2009-02-20 20:57]

2010-05-01 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-08-18 06:47]

2010-05-01 c:\windows\Tasks\SyncToyCmd TcreationsToY.job
- c:\program files\SyncToy 2.1\SyncToyCmd.exe [2009-10-19 07:58]

2010-05-01 c:\windows\Tasks\SyncToyCmd.job
- c:\program files\SyncToy 2.1\SyncToyCmd.exe [2009-10-19 07:58]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\RKC\Application Data\Mozilla\Firefox\Profiles\haps8vox.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - component: c:\documents and settings\RKC\Application Data\Mozilla\Firefox\Profiles\haps8vox.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: c:\documents and settings\RKC\Application Data\Mozilla\Firefox\Profiles\haps8vox.default\extensions\[email protected]\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-01 09:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-468252708-3274475066-233985201-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:0c,ad,df,fd,f9,7d,0a,38,1d,f4,91,5a,c5,94,21,97,00,44,e9,8d,78,
88,ac,03,98,ec,dc,37,b7,51,8d,d2,98,da,db,d6,17,fd,3e,33,85,a2,95,1d,09,a6,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:0c,ad,df,fd,f9,7d,0a,38,1d,f4,91,5a,c5,94,21,97,00,44,e9,8d,78,
88,ac,03,98,ec,dc,37,b7,51,8d,d2,98,da,db,d6,17,fd,3e,33,85,a2,95,1d,09,a6,\

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\ACPI\IBM0057\4&ef53bae&0\LogConf]
@DACL=(02 0000)
"BasicConfigVector"=hex(a):48,00,00,00,0f,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,01,00,01,00,00,00,00,02,\
"BootConfig"=hex(8):01,00,00,00,0f,00,00,00,00,00,00,00,01,00,01,00,01,00,00,
00,02,01,01,00,0c,00,00,00,0c,00,00,00,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_046d&Pid_c517&MI_01&Col01\8&24e84269&0&0000\LogConf]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_046d&Pid_c517&MI_01&Col01\9&21264f1c&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(932)
c:\windows\system32\FpWinLogonNp.dll
c:\program files\Lenovo Fingerprint Software\ATCSSINT.dll
c:\program files\Lenovo Fingerprint Software\SharedResources.dll
c:\program files\Lenovo Fingerprint Software\FPResource.dll
c:\program files\Lenovo\Client Security Solution\CSS_Enroll.dll
c:\program files\Lenovo\Client Security Solution\css_banner.dll
c:\windows\system32\cssuserdatadispatcher.dll
c:\windows\system32\tvttsp.dll
c:\windows\system32\tcsrpc.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'explorer.exe'(3004)
c:\windows\system32\WININET.dll
c:\program files\UltraMon\RTSUltraMonHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\XEMICOMPUTERS\ACTIVE DESKTOP CALENDAR\MouseHook.dll
c:\windows\system32\ieframe.dll
c:\program files\UltraMon\Resources\en\RTSUltraMonHookRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\UltraMon\UltraMonTaskbar.exe
.
**************************************************************************
.
Completion time: 2010-05-01 09:52:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-01 13:52
ComboFix2.txt 2010-05-01 03:27

Pre-Run: 113,538,666,496 bytes free
Post-Run: 113,489,481,728 bytes free

- - End Of File - - 73072B04C54C836968EF63B81B31E44D


----------



## JSntgRvr (Jul 1, 2003)

I believe it has been quarantined.

Please run Malwarebytes Antispyware and post its report.

Please run the *F-Secure Online Scanner*


For information click Here.
Allow the installation of the Add-ons and Accept the License Agreement.
Click *Full System Scan*
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the *Automatic cleaning (recommended)* button.
Click the *Show Report* button and Copy&Paste the entire report in your next reply.


----------



## canoli (Apr 26, 2010)

I'll do the other one you recommended next - meanwhile here's the first one:
btw, the link for "more info.." brings you to F-Secure's site but the page is DOA.
Looks like the scan is still working though.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4057

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

5/1/2010 9:55:04 PM
mbam-log-2010-05-01 (21-55-04).txt

Scan type: Full scan (C:\|G:\|I:\|J:\|L:\|M:\|N:\|S:\|T:\|V:\|Y:\|Z:\|)
Objects scanned: 450700
Time elapsed: 1 hour(s), 19 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------



## canoli (Apr 26, 2010)

Here's the one from F-Secure:

Scanning Report
Saturday, May 1, 2010 22:15:59 - 23:32:08

Computer name: LENOVO-1C927FAB
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ G:\ I:\ J:\ L:\ M:\ N:\ S:\ T:\ V:\ Y:\ Z:\ 

3 malware found


Suspicious:W32/Malware!Gemini (spyware)

* System (Disinfected) 

TrackingCookie.Atwola (spyware)

* System (Disinfected) 

TrackingCookie.Yieldmanager (spyware)

* System (Disinfected) 


Statistics
Scanned:

* Files: 76901
* System: 5065
* Not scanned: 8 

Actions:

* Disinfected: 3
* Renamed: 0
* Deleted: 0
* Not cleaned: 0
* Submitted: 0 


Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\RKC\LOCAL SETTINGS\TEMP\HSPERFDATA_RKC\2352
* C:\DOCUMENTS AND SETTINGS\RKC\LOCAL SETTINGS\TEMP\HSPERFDATA_RKC\4512 

Options
Scanning engines: 

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use advanced heuristics


----------



## JSntgRvr (Jul 1, 2003)

*How is the computer doing?*


----------



## canoli (Apr 26, 2010)

Still getting the Avast Warning for the PRAGMAfpyycwxbvf whenever I reboot. Also a "Windows Update" popped up this morning on the reboot - it looks normal but I saw it earlier in the infection, asking for the same update - MS Genuine Advantage Notification Tool.

Other than that the computer functions perfectly normally. I would love to just IGNORE this dang PRAGMA thing once and for all if you think it's safe to do so. I did a Quick Scan with F-Secure also - just for the heck of it - and it didn't find anything at all. And my UnHackMe isn't troubled by this PRAGMA thing.

Not sure why the MS Genuine-etc. is popping up again though...


----------



## JSntgRvr (Jul 1, 2003)

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

*Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.*

*Follow these steps to uninstall Combofix.*

Rename Combofix to Uninstall and click on it. That should remove the application.
Once done, restart the computer and scan with AVAST. In the event of a detection, provide the file's name.


----------



## canoli (Apr 26, 2010)

I will do this next step later today - didn't want you to think I disappeared.

btw, I assume from the sentence in blue I should uninstall Malwarebytes and HJT as well?


----------



## canoli (Apr 26, 2010)

One more symptom (maybe): it seems on every reboot I have to switch my Folder Options back to showing all files, not hiding system files, etc.


----------



## JSntgRvr (Jul 1, 2003)

canoli said:


> I will do this next step later today - didn't want you to think I disappeared.
> 
> btw, I assume from the sentence in blue I should uninstall Malwarebytes and HJT as well?


No need to remove HJT and MBAM.



canoli said:


> one more symptom (maybe): It seems on every reboot I have to switch my Folder Options back to showing all files, not hiding system files, etc.


Let's take care of *PRAGMAfpyycwxbvf*, then we will check this.


----------



## canoli (Apr 26, 2010)

Okay...after 14:45:35 ... Avast came up with nothing. Scanned all files and folders at the deepest level I could set - 762.7 GB worth of data at 14.7 MB/s.

The only thing that bothers me is the amount of files not scanned. A huge directory (2 GB) found on Lenovo laptops, C:\SWTOOLS, wasn't scanned because "Archive is password protected." Should I be concerned about this? I tried to right-click on the properties of some of the files (in the Avast log) but Windows "can't find the file...."

Anyway - I'll reboot now and see whether the PRAGMA... warning still pops up.


----------



## canoli (Apr 26, 2010)

Just rebooted - so far no PRAGMA warning but now I'm getting the MS Windows Genuine Advantage Wizard popping up (the 2nd time I've seen it). Both times I've canceled out of the wizard. I bought this laptop brand new in Dec '08 from J&R Music World in NYC, a reputable retailer, and I've run the WGA before as part of the MS updates. But now I'm a little worried something got changed (or screwed up, whatever) and it won't pass now. There's no legitimate reason it should fail but I'm just a little skeptical why it's popping up now. Maybe Combofix or one of the other scanners I used changed something?

Anyway - usually I see the Avast PRAGMA warning by now so hopefully it's a good sign?

Sh-- It just popped up. Damn.

Avast found nothing, no infections, in over 14 hours of deep scanning. It did not move or rename anything. But then it pops up a warning about this PRAGMA thing? Seems a little weird...

Thanks again for helping me out here - hope it's not driving you too crazy!

[edit: I tried looking in Avast's "Log Viewer" - the logs have 7 categories - "Emergency" "Alert" "Critical" "Error" "Warning" "Notice" and "Info" 
This PRAGMA warning isn't listed in any of them.]

One more thing - my Folder Options are stable, at least on this last reboot. So - other than the PRAGMA warning the computer is working normally.

(Thanks again)


----------



## JSntgRvr (Jul 1, 2003)

Is there an option to Activate Windows?

Start -> Accessories -> System Tools.


----------



## canoli (Apr 26, 2010)

No - looks like just the usual stuff.

got the PRAGMA warning and the WGA wizard again on reboot - Folder Options, System Restore, Add/Remove, IE and FFox etc. are all functioning normally.

I used Sysinternals Process Explorer and the best I can tell there's nothing running that shouldn't be running. Early in the infection, once I was able to run Proc Exp I saw that Internet Explorer was starting automatically, and restarting as soon as I closed it. That's not happening anymore...


----------



## JSntgRvr (Jul 1, 2003)

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*

Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:


> :reg
> PRAGMA*
> 
> :filefing
> ...



Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*

The Windows Genuine Advantage is important. Without it you won't be able to receive updates. You must go through it.

Run this command. It should activate Windows if you haven't. Then go to Windows Updates and accept the WGA ActiveX installation.

*oobe/msoobe /a*


----------



## canoli (Apr 26, 2010)

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 17:28 on 04/05/2010 by RKC (Administrator - Elevation successful)

========== reg ==========

[PRAGMA*]
Hive unrecognized.

Invalid Context: filefing

No Context: PRAGMA*

========== folderfind ==========

Searching for "PRAGMA* "
No folders found.

-=End Of File=-

I guess maybe that should've read "findfile" - I changed it but it still didn't find it:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 18:35 on 04/05/2010 by RKC (Administrator - Elevation successful)

========== reg ==========

[PRAGMA*]
Hive unrecognized.

========== filefind ==========

Searching for "PRAGMA*"
No files found.

========== folderfind ==========

Searching for "PRAGMA* "
No folders found.

-=End Of File=-

FYI: I have the Windows Genuine Advantage Validation Tool in Add/Remove Programs - should I uninstall that first?

Also - Something may be a little fishy about this MSWGA wizard - the hot text for "Learn about MS WGA" opens up FF. That's odd because whenever I click on MS hot text - even if I'm already in FF - it opens up Internet Explorer. My default browser is FF but MS always takes me to their pages via IE. But this wizard opens up FF.


----------



## JSntgRvr (Jul 1, 2003)

Use this script to search the registry



> :regfind
> PRAGMA*


Chances are you have Firefox as your default browser. All dealings with Microsoft must be done in Internet Explorer.


----------



## canoli (Apr 26, 2010)

Yes - I do have FF as my default - and I know "all dealings with MS...IE"
That's why I thought it curious that the WGA wizard opened up FF.

anyway - here's the latest search:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 22:26 on 04/05/2010 by RKC (Administrator - Elevation successful)

========== regfind ==========

Searching for "PRAGMA* "
No data found.

-=End Of File=-


----------



## JSntgRvr (Jul 1, 2003)

It will open FF because it is your default browser. That is the reason I asked you to visit Windows Updates to install the WGA ActiveX. You must use Internet Explorer to do this.

There are no *PRAGMA* remnants in the computer.

Keep me posted about the *WGA* issue.


----------



## canoli (Apr 26, 2010)

Avast seems to think there is a PRAGMA threat. Still getting the Warning dialog on the reboot.

as far as the WGA - my default browser is FF. Up till now, even though FF is my default browser, whenever I have to access a MS page, the link will open up IE. This WGA wizard doesn't do that - it opens up FF.

So what do I do about the Avast warning?


----------



## JSntgRvr (Jul 1, 2003)

canoli said:


> Avast seems to think there is a PRAGMA threat. Still getting the Warning dialog on the reboot.
> 
> as far as the WGA - my default browser is FF. Up till now, even though FF is my default browser, whenever I have to access a MS page, the link will open up IE. This WGA wizard doesn't do that - it opens up FF.
> 
> So what do I do about the Avast warning?


Does AVAST indicate the name and location of the detection? Clear the Virus Chest.


----------



## canoli (Apr 26, 2010)

Unfortunately no it doesn't. It tells you the type, but all it says is that it's a "Hidden Services".
I'll clean out the chest.

another weird symptom - opened up Photoshop CS4 tonight and it asked me to register it - after registering it a year ago when I bought it. I have Production Premium CS4 - I bought the discs directly from Adobe - and I haven't opened any of the other apps yet. But this is definitely odd behavior.

[edit: checked Illustrator and AfterFX so far - these 2 did not prompt me to register.]


----------



## JSntgRvr (Jul 1, 2003)

Download the *GMER Rootkit Scanner*. Unzip it to your Desktop.

*Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.*

Double click GMER.exe.

If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on *NO*, then use the following settings for a more complete scan..
In the right panel, you will see several boxes that have been checked. Ensure the following are *UNCHECKED* ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the *[Save..]* button, and in the File name area, type in *"ark.txt"*
Save the log where you can easily find it, such as your desktop.
_**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries_
Please copy and paste the report into your Post.

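A defender-side triage of the ark.txt log those steps produce, as an added example that is neither GMER's code nor anything posted in this thread: it splits the log into GMER's section headers, flags SSDT hooks whose module is not from an assumed list of trusted vendors (avast!'s self-protection driver is the benign case in this thread), and ties any service GMER marks as hidden to the registry keys that reference it. The sample log is constructed to mirror the format of the log posted later in the thread; the unknown-vendor hook line and the trusted-vendor set are assumptions.

```python
"""Triage a GMER rootkit-scan log (ark.txt). Added example, not GMER's code."""
import re
from dataclasses import dataclass, field

# Assumption: vendors whose self-protection drivers legitimately hook the SSDT.
# GMER tags every SSDT hook "<-- ROOTKIT !!!", so the vendor is what separates
# an antivirus driver from something that needs a closer look.
TRUSTED_VENDORS = {"ALWIL Software", "Microsoft Corporation"}

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^/]*)/(?P<vendor>[^)]*)\)\s+"
    r"(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]"
)
HIDDEN_SVC_RE = re.compile(r"^Service\s+\(\*\*\* hidden \*\*\* \)\s+(?P<name>\S+)")
REG_RE = re.compile(r"^Reg\s+(?P<key>HK\S+)")


@dataclass
class Finding:
    kind: str    # "ssdt_untrusted", "hidden_service" or "service_key"
    detail: str


@dataclass
class Triage:
    sections: dict = field(default_factory=dict)   # section name -> raw lines
    findings: list = field(default_factory=list)


def parse_gmer(text):
    """Split a GMER log into its sections and collect the findings worth a look."""
    triage = Triage()
    current = "header"
    triage.sections[current] = []
    hidden = set()   # names of services GMER reported as hidden
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            triage.sections.setdefault(current, [])
            continue
        triage.sections[current].append(line)
        if current == "System":
            m = SSDT_RE.match(line)
            if m and m.group("vendor").strip() not in TRUSTED_VENDORS:
                triage.findings.append(Finding(
                    "ssdt_untrusted",
                    f"{m.group('func')} -> {m.group('module')} ({m.group('vendor')})"))
        elif current == "Services":
            m = HIDDEN_SVC_RE.match(line)
            if m:
                hidden.add(m.group("name"))
                triage.findings.append(Finding("hidden_service", m.group("name")))
        elif current == "Registry":
            # GMER lists Services after Registry's predecessors, so `hidden`
            # is already populated when the registry keys are read.
            m = REG_RE.match(line)
            if m and m.group("key").rsplit("\\", 1)[-1] in hidden:
                triage.findings.append(Finding("service_key", m.group("key")))
    return triage


def summarize(triage):
    """Count findings per kind, e.g. {'hidden_service': 1, 'service_key': 2}."""
    counts = {}
    for f in triage.findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample modelled on the thread's log; the unknownxyz.sys hook line
# is invented to exercise the untrusted-vendor check.
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-05 13:13:43
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA0F4A6B8] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA0F4A08C] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\unknownxyz.sys (no description/Unknown Vendor) ZwEnumerateKey [0xA0000000] <-- ROOTKIT !!!

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) PRAGMAfpyycwxbvf <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAfpyycwxbvf
Reg HKLM\SYSTEM\ControlSet002\Services\PRAGMAfpyycwxbvf (not active ControlSet)
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version
"""

if __name__ == "__main__":
    result = parse_gmer(SAMPLE_LOG)
    for f in result.findings:
        print(f"{f.kind:15} {f.detail}")
    print(summarize(result))
```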

----------



## canoli (Apr 26, 2010)

Okay - finished the scan - followed the directions. One thing - maybe important, maybe not. When the scan finished I saved the log, then went back just to scroll through GMER's results and it hung. I closed the app and tried to get online - no luck loading google, yahoo - nothing. Right-clicked on the desktop and the whole computer hung - forced to power down using the power button.

On reboot, got the WGA notification again - no PRAGMA warning yet but it's taking longer and longer for that to come up. Besides GMER and the computer hanging everything appears to be functioning normally after rebooting. Here's the log - nice to see something other than Avast found this PRAGMA file... (ah, there's the Avast PRAGMA warning - right after posting the log file)

Once again, and as always - THANK you for your help - it is MUCH appreciated.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-05 13:13:43
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\RKC\LOCALS~1\Temp\pfeorkod.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA0F4A6B8] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA0F4A574] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA0F4AA52] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA0F4A14C] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA0F4A64E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA0F4A08C] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA0F4A0F0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA0F4A76E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA0F4A72E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA0F4A8AE] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8397000, 0x199B48, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs tvtumon.sys (Windows Update Monitor Driver/Lenovo)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat tvtumon.sys (Windows Update Monitor Driver/Lenovo)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat  aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) PRAGMAfpyycwxbvf <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAfpyycwxbvf 
Reg HKLM\SYSTEM\ControlSet002\Services\PRAGMAfpyycwxbvf (not active ControlSet) 
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version 
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\[email protected] 0x0C 0xAD 0xDF 0xFD ...

---- Files - GMER 1.0.15 ----

File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\dxgthk.sys 3328 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\fastfat.sys 143744 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\fdc.sys 27392 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\fips.sys 44544 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\flpydisk.sys 20480 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\fltMgr.sys 129792 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\fsvga.sys 12160 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\fs_rec.sys 7936 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ftdisk.sys 125056 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\hidclass.sys 36864 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\hidparse.sys 24960 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\hidusb.sys 10368 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\http.sys 265728 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\i8042prt.sys 52480 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\imapi.sys 42112 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\intelppm.sys 36352 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ip6fw.sys 36608 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ipfltdrv.sys 32896 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ipinip.sys 20864 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ipnat.sys 152832 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ipsec.sys 75264 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\irenum.sys 11264 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\isapnp.sys 37248 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\kbdclass.sys 24576 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ks.sys 141056 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ksecdd.sys 92928 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\mcd.sys 7680 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\mf.sys 63744 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\modem.sys 30080 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\mouclass.sys 23040 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\mouhid.sys 12160 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\mountmgr.sys 42368 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\mrxdav.sys 180608 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\mrxsmb.sys 455680 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\msfs.sys 19072 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\msgpc.sys 35072 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\mssmbios.sys 15488 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\mup.sys 105344 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ndis.sys 182656 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ndistapi.sys 10112 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ndisuio.sys 14592 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ndiswan.sys 91520 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ndproxy.sys 40576 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\netbios.sys 34688 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\netbt.sys 162816 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\nic1394.sys 61824 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\nikedrv.sys 12032 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\npfs.sys 30848 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ntfs.sys 574976 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\null.sys 2944 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\nwlnkflt.sys 12416 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\nwlnkfwd.sys 32512 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\nwlnkipx.sys 88320 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\nwlnknb.sys 63232 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\nwlnkspx.sys 55936 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\oprghdlr.sys 3456 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\p3.sys 42752 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\parport.sys 80128 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\partmgr.sys 19712 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\parvdm.sys 6784 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\pci.sys 68224 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\pciide.sys  3328 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\pciidex.sys 24960 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\pcmcia.sys 120192 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\processr.sys 35840 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ptilink.sys 17792 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\rasacd.sys 8832 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\rasl2tp.sys 51328 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\raspppoe.sys 41472 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\raspptp.sys 48384 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\raspti.sys 16512 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\rawwan.sys 34432 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\rdbss.sys 175744 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\rdpcdd.sys 4224 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\rdpdr.sys 196224 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\rdpwd.sys 139656 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\redbook.sys 57600 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\rio8drv.sys 12032 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\riodrv.sys  12032 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\RMCast.sys 203136 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\rndismp.sys 30592 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\rootmdm.sys 5888 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\scsiport.sys 96384 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\sdbus.sys 79232 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\cinemst2.sys 262528 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\gm.dls 3440660 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\mnmdd.sys 4224 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\nmnt.sys 40320 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\psched.sys 69120 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\secdrv.sys 20480 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\tosdvd.sys 51712 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\serenum.sys 15744 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\serial.sys 64512 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\sffdisk.sys 11904 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\sffp_sd.sys 11008 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\sfloppy.sys  11392 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\smclib.sys 14592 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\sonydcam.sys 25344 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\sr.sys 73472 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\srv.sys 353792 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\stream.sys 49408 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\swenum.sys 4352 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\syntp.sys 177664 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\tape.sys 14976 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\tcpip.sys 361600 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\tcpip6.sys 226880 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\tdi.sys 19072 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\tdpipe.sys 12040 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\tdtcp.sys 21896 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\termdd.sys 40840 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\tsbvcap.sys 21376 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\tunmp.sys 12288 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\udfs.sys  66048 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\update.sys 384768 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\usb8023.sys 12800 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\usbcamd.sys 25600 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\usbcamd2.sys 25728 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\usbd.sys 4736 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\usbehci.sys 30208 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\usbhub.sys 59520 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\usbintel.sys 15872 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\usbport.sys 144128 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\usbstor.sys 26368 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\usbuhci.sys 20608 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\vdmindvd.sys 58112 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\vga.sys 20992 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\videoprt.sys 81664 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\volsnap.sys 52352 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\wanarp.sys 34560 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\wmilib.sys 4352 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ws2ifsl.sys 12032 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\duser.dll 304128 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\eventlog.dll 56320 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\faultrep.dll 80384 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\feclient.dll 21504 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\filemgmt.dll 337920 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\fldrclnr.dll 87552 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\fltlib.dll 16896 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\fmifs.dll 16384 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\fontext.dll 382976 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\fontsub.dll 81920 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\framebuf.dll 9344 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\fsusd.dll 81408 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\fwcfg.dll 60416 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\gdi32.dll 286720 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\hal.dll 134400 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\imagehlp.dll 144384 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\imm32.dll 110080 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\iphlpapi.dll 94720 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\kdcom.dll 7040 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\kernel32.dll 989696 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\licdll.dll 423936 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\locale.nls 265948 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\logonui.exe 514560 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\lsasrv.dll 730112 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\lsass.exe 13312 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\lz32.dll 2560 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\l_intl.nls 7046 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\mfc42.dll 1028096 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\mfc42u.dll 981760 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\mmc.exe 1414656 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\mobsync.dll 207360 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\msasn1.dll 58880 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\msgina.dll 997376 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\msimg32.dll 4608 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\msprivs.dll 48128 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\msv1_0.dll 136192 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\msvcp60.dll 413696 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\msvcrt.dll 343040 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\ncobjapi.dll 36352 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\nddeapi.dll 17920 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\netapi32.dll 337408 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\netrap.dll 11776 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\notepad.exe 69120 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\ntdll.dll 714752 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\ntdsapi.dll 67072 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\ntoskrnl.exe 2146304 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\ntsdexts.dll 36864 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\odbc32.dll 249856 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\odbcint.dll 94208 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\oembios.dat 4547 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\oembios.sig  7208 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\ole32.dll 1287168 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\oleacc.dll 163328 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\oleaccrc.dll 16896 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\oleaut32.dll 551936 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\profmap.dll 27648 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\psapi.dll 23040 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\regapi.dll 49664 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\rpcrt4.dll 585216 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\rpcss.dll 401408 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\rsaenh.dll 208384 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\rundll32.exe 33280 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\samlib.dll 64000 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\samsrv.dll 415744 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\scesrv.dll 314880 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\secupd.dat 4569 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\secupd.sig 7208 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\services.exe  110592 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\setupapi.dll 985088 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\sfc.dll 5120 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\sfc_os.dll 140288 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\shdocvw.dll 1499136 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\shell32.dll 8461312 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\shfolder.dll 25088 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\shgina.dll 68096 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\shlwapi.dll 474112 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\shsvcs.dll 135168 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\smss.exe 50688 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\sortkey.nls 262148 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\sorttbls.nls 23044 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\svchost.exe 14336 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\sxs.dll 713216 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\umpnpmgr.dll 123392 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\unicode.nls 89588 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\usbmon.dll 16896 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\ctype.nls 8386 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\ftsrch.dll 176128 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\mpr.dll 59904 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\oembios.bin 13107200 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\secur32.dll 56832 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\usbui.dll 74240 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\user32.dll 578560 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\userenv.dll 727040 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\userinit.exe 26112 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\uxtheme.dll 218624 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\version.dll 18944 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\vga.dll 9344 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\vga.drv 2176 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\watchdog.sys 17664 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\win32k.sys 1850624 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\wininet.dll 832512 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\winlogon.exe 507904 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\winmm.dll 176128 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\winspool.drv 146432 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\winspool.exe 2112 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\winsrv.dll 293376 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\winsta.dll 53760 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\winstrm.dll 18944 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\wintrust.dll 177664 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\wldap32.dll 172032 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\ws2help.dll 19968 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\ws2_32.dll 82432 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\wsock32.dll 22528 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7.cat 7232 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7.Manifest 1819 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a.cat 7238 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a.Manifest 1784 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.cat  7433 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest 1862 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a.Manifest 494 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9.cat 7433 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9.Manifest 500 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13.cat 7236 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13.Manifest 391 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82.cat 7431 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82.Manifest 397 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7.cat 10678 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95.cat 10678 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95.Manifest 1187 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.SystemCompatible_6595b64144ccf1df_5.1.0.0_x-ww_fc342b0b.cat 7236 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.SystemCompatible_6595b64144ccf1df_5.1.0.0_x-ww_fc342b0b.Manifest 640 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.SystemCompatible_6595b64144ccf1df_5.1.2600.2000_x-ww_bcc9a281.cat 10680 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.SystemCompatible_6595b64144ccf1df_5.1.2600.2000_x-ww_bcc9a281.Manifest 1237 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a.cat 7238 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7.Manifest 1883 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies  0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_x-ww_4e8510ac 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_x-ww_4e8510ac\1.0.2600.2180.cat 7431 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_x-ww_4e8510ac\1.0.2600.2180.Policy 605 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.5.1.Microsoft.Windows.SystemCompatible_6595b64144ccf1df_x-ww_a0111510 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.5.1.Microsoft.Windows.SystemCompatible_6595b64144ccf1df_x-ww_a0111510\5.1.2600.2000.cat 10680 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.5.1.Microsoft.Windows.SystemCompatible_6595b64144ccf1df_x-ww_a0111510\5.1.2600.2000.Policy 625 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_x-ww_362e60dd 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_x-ww_362e60dd\5.2.2.3.cat 10678 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_x-ww_362e60dd\5.2.2.3.Policy 641 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Rtcdll_6595b64144ccf1df_x-ww_c7b7206f 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Rtcdll_6595b64144ccf1df_x-ww_c7b7206f\5.2.2.3.cat 10678 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Rtcdll_6595b64144ccf1df_x-ww_c7b7206f\5.2.2.3.Policy 641 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.cat 7429 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.Policy 621 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.7.0.Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_x-ww_a317e4b3 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.7.0.Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_x-ww_a317e4b3\7.0.2600.2180.cat 7433 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.7.0.Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_x-ww_a317e4b3\7.0.2600.2180.Policy  623 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\atl.dll 74802 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\mfc42.dll 995383 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\mfc42u.dll 995384 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\msvcp60.dll 401462 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 921088 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 1050624 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcirt.dll 50688 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcirt.dll 54784 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll 343040 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll 1700352 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll 1712128 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7\dxmrtp.dll 853504 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\rtcdll.dll 991232 bytes executable
File C:\RRbackups\FR\UpdatingFiles.dat 17 bytes

---- EOF - GMER 1.0.15 ----


----------



## JSntgRvr (Jul 1, 2003)

I'll be darn!

*Copy the entire contents of the Quote Box* below to *Notepad*.  
Name the file as *CFScript.txt*  
Change the *Save as Type* to *All Files*  
and *Save* it on the *desktop*  



> Driver::
> PRAGMAfpyycwxbvf

Once saved, referring to the picture above, drag *CFScript.txt* into *ComboFix.exe*, and post back the resulting report.

Run GMER once again to confirm.
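As an added example (not code from this thread, from ComboFix, or from its author): a small Python parser for the report layout ComboFix produces, which checks that the service named in CFScript.txt is recorded as removed under Drivers/Services and lists any drivers created in the scan window. The abbreviated sample report and the random-name heuristic are constructed assumptions, not ComboFix output.

```python
import re
from datetime import datetime

# Constructed sample laid out like the ComboFix report in this thread
# (abbreviated, not a real report): a Drivers/Services section that
# records one removed service, and a Files Created section.
SAMPLE_REPORT = r"""
ComboFix 10-05-05.04 - USER 05/05/2010 21:54:19.3.2 - x86
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_PRAGMAfpyycwxbvf

((((((((((((((((((((((((( Files Created from 2010-04-06 to 2010-05-06 )))))))))))))))))))))))))))))))
.

2010-05-03 07:00 . 2010-05-03 07:00 -------- d-----w- c:\windows\system32\KB905474
2010-04-26 16:14 . 2010-04-26 16:14 10752 ----a-w- c:\windows\DCEBoot.exe
2010-04-26 16:07 . 2010-04-27 06:49 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
"""

# Section banners are the section name wrapped in runs of parentheses.
SECTION_RE = re.compile(r"^\(+ (.+?) \)+\s*$")
# A removed service is logged as "-------\Service_<name>".
SERVICE_RE = re.compile(r"^-------\\Service_(\S+)\s*$")
# Files Created rows: created . modified size-or-dashes attrs path
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\S+) ([-a-z]{8}) (.+?)\s*$"
)
TS = "%Y-%m-%d %H:%M"


def parse_report(text):
    """Split a ComboFix-style report into removed services and created files."""
    section = None
    removed, created = [], []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = SERVICE_RE.match(line)
        if m and section == "Drivers/Services":
            removed.append(m.group(1))
            continue
        m = FILE_RE.match(line)
        if m and section and section.startswith("Files Created"):
            size = None if m.group(3).startswith("-") else int(m.group(3))
            created.append({
                "created": datetime.strptime(m.group(1), TS),
                "modified": datetime.strptime(m.group(2), TS),
                "size": size,
                "is_dir": m.group(4).startswith("d"),
                "path": m.group(5),
            })
    return {"removed_services": removed, "files_created": created}


def looks_random(name, min_run=8, max_vowel_ratio=0.2):
    """Heuristic (an assumption, not a signature): a long run of lowercase
    letters almost free of vowels, like the suffix of PRAGMAfpyycwxbvf,
    reads as machine-generated rather than as a product name."""
    for run in re.findall(r"[a-z]+", name):
        if len(run) >= min_run:
            vowels = sum(ch in "aeiou" for ch in run)
            if vowels / len(run) <= max_vowel_ratio:
                return True
    return False


def removal_confirmed(text, service_name):
    """True when the report records the scripted service as removed."""
    return service_name in parse_report(text)["removed_services"]


def summarize(text, drivers_dir="\\system32\\drivers\\"):
    """What a helper would look at first: removed services that look
    generated, and new driver files written during the scan window."""
    report = parse_report(text)
    return {
        "removed_services": report["removed_services"],
        "random_named_services": [s for s in report["removed_services"]
                                  if looks_random(s)],
        "new_drivers": [f["path"] for f in report["files_created"]
                        if not f["is_dir"] and drivers_dir in f["path"].lower()],
    }


if __name__ == "__main__":
    print(removal_confirmed(SAMPLE_REPORT, "PRAGMAfpyycwxbvf"))
    print(summarize(SAMPLE_REPORT))
```

A new driver in the list is only a lead to verify (publisher, signature, install date), not a verdict; tmcomm.sys here is simply the file the sample report shows in that directory.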


----------



## canoli (Apr 26, 2010)

I d/l ComboFix again - renamed it Combo-Fix and dropped in the script. I didn't shut off Sys Restore (dk if I was supposed to or not)

After it rebooted and the log popped up I got my old friend the Avast Warning dialog again...PRAGMAfpyycwxbvf - Hidden Services

One other thing - the Windows Genuine Validation Wizard popped up on the reboot, but only for a few seconds, then it disappeared by itself - first time it's done that. Also, a few reboots ago I got the MS Update in my system tray - clicked on it to see what it was, looked normal. But now that's gone too.

Should I run the GMER anyway? Here's the Combo-Fix log:

ComboFix 10-05-05.04 - RKC 05/05/2010 21:54:19.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3066.2310 [GMT -4:00]
Running from: c:\documents and settings\RKC\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\RKC\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100505-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_PRAGMAfpyycwxbvf

((((((((((((((((((((((((( Files Created from 2010-04-06 to 2010-05-06 )))))))))))))))))))))))))))))))
.

2010-05-04 22:13 . 2010-05-04 22:19 -------- d-----w- c:\windows\SxsCaPendDel
2010-05-03 07:00 . 2010-05-03 07:00 -------- d-----w- c:\windows\system32\KB905474
2010-05-03 07:00 . 2009-03-11 02:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2010-05-03 07:00 . 2009-03-11 02:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2010-05-02 02:15 . 2010-05-02 02:15 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-04-28 22:07 . 2010-04-28 22:09 -------- d-----w- c:\program files\Ubisoft
2010-04-28 21:42 . 2010-05-03 17:22 -------- d-----w- c:\program files\Texas Holdem
2010-04-27 23:59 . 2010-04-27 23:59 -------- d-----w- c:\program files\Synaptics
2010-04-27 23:47 . 2010-01-21 15:46 441168 ----a-w- c:\documents and settings\RKC\Application Data\Mozilla\Firefox\Profiles\haps8vox.default\extensions\[email protected]\plugins\npLogitechDeviceDetection.dll
2010-04-27 07:14 . 2010-04-27 07:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-26 19:16 . 2010-04-26 19:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-04-26 19:14 . 2010-04-26 19:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-04-26 16:14 . 2010-04-26 16:14 10752 ----a-w- c:\windows\DCEBoot.exe
2010-04-26 16:07 . 2010-04-27 06:49 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-04-26 07:24 . 2010-04-26 07:24 -------- d-----w- c:\program files\Trend Micro
2010-04-26 02:01 . 2010-04-26 02:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-06 02:01 . 2008-11-08 03:44 -------- d-----w- c:\documents and settings\RKC\Application Data\WTablet
2010-05-06 02:01 . 2008-11-08 04:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-05-06 01:22 . 2009-04-16 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-05 15:04 . 2009-01-11 18:53 -------- d-----w- c:\documents and settings\RKC\Application Data\vlc
2010-05-04 22:21 . 2008-08-18 08:52 89632 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 03:32 . 2008-11-23 03:15 -------- d-----w- c:\program files\MWSnap
2010-04-28 22:24 . 2008-08-18 08:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-28 20:53 . 2008-10-31 19:09 -------- d-----w- c:\program files\Canon
2010-04-27 03:31 . 2008-11-26 02:38 -------- d-----w- c:\program files\UnHackMe
2010-04-27 00:25 . 2008-11-08 20:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-25 22:41 . 2008-10-31 08:34 -------- d-----w- c:\documents and settings\RKC\Application Data\Azureus
2010-04-16 18:31 . 2008-12-06 23:45 -------- d-----w- c:\documents and settings\RKC\Application Data\dvdcss
2010-04-15 13:08 . 2009-11-23 16:47 -------- d-----w- c:\program files\MyDefrag v4.2.6
2010-04-11 19:11 . 2009-04-16 18:09 -------- d-----w- c:\program files\Google
2010-04-05 16:46 . 2010-04-05 16:46 -------- d-----w- c:\program files\Common Files\Java
2010-03-21 14:15 . 2010-01-03 18:33 -------- d-----w- c:\program files\Unlocker
2010-03-18 05:39 . 2008-10-31 08:34 -------- d-----w- c:\program files\Azureus
2010-03-18 05:24 . 2010-03-18 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-03-18 05:23 . 2008-11-22 02:11 -------- d-----w- c:\program files\MSBuild
2010-03-18 05:22 . 2010-03-18 05:22 -------- d-----w- c:\program files\Reference Assemblies
2010-03-17 00:43 . 2010-03-17 00:43 1391 ----a-w- c:\program files\cs4_and_color_finesse_serials.txt
2010-03-15 18:12 . 2010-03-15 18:12 -------- d-----w- c:\program files\UCT
2010-03-11 12:38 . 2006-04-30 06:56 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2006-04-30 06:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2006-04-30 06:55 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2006-04-30 06:56 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2006-04-30 06:55 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 03:43 . 2009-05-08 16:21 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-02-23 03:43 . 2009-05-08 16:21 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-02-22 08:09 . 2008-12-14 02:52 38784 ----a-w- c:\documents and settings\RKC\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-16 14:08 . 2006-04-30 06:55 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-04-30 06:55 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-04-30 06:56 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-01-02 19:20 . 2010-01-02 19:20 575750 ----a-w- c:\program files\lame3.98.2.zip
2009-12-16 20:07 . 2009-12-16 20:07 19606 ----a-w- c:\program files\trapcodeform.log
2009-05-10 08:38 . 2009-05-10 04:13 4877 ----a-w- c:\program files\trapcode3Dstroke.log
2009-05-10 08:33 . 2009-05-10 08:33 1942 ----a-w- c:\program files\trapcodelux.log
2009-05-10 04:12 . 2009-05-10 04:12 17430 ----a-w- c:\program files\trapcodeparticular.log
2007-07-17 16:13 . 2008-02-08 21:21 61440 ----a-w- c:\program files\RGSGrowBounds.aex
2008-11-26 02:38 . 2008-11-26 02:38 2 --shatr- c:\windows\winstart.bat
2008-10-31 05:33 . 2008-10-31 05:33 8 --sh--r- c:\windows\system32\A845F5E83A.sys
2008-10-31 05:35 . 2008-10-31 05:33 1160 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="c:\program files\XEMICOMPUTERS\ACTIVE DESKTOP CALENDAR\ADC.EXE" [2008-07-29 3780608]
"Stickies"="c:\program files\Bret Taylor\Stickies\Stickies.exe" [2007-03-14 335872]
"Kana Reminder"="c:\documents and settings\RKC\Desktop\Reminder.exe" [2007-11-15 1198592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2008-06-07 181536]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-05-14 487424]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-09-25 331776]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-09-25 208896]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-11-13 611712]
"UltraMon"="c:\program files\UltraMon\UltraMon.exe" [2006-10-13 304640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-04 1323008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\RKC\Start Menu\Programs\Startup\AutorunsDisabled
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-12 805392]
Logo Calibration Loader.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2009-6-25 708608]
ProfileReminder.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe [2009-6-25 954368]
WinColor.exe.lnk - c:\program files\Pro Imaging Powertoys\Microsoft Color Control Panel Applet for Windows XP\WinColor.exe [2005-10-31 371456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoSMMyPictures"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2008-05-10 14:24 180224 ----a-w- c:\windows\system32\FpWinlogonNp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 07:02 34080 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\t:\0autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path= 
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path= 
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^RKC^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\RKC\Start Menu\programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^RKC^Start Menu^Programs^Startup^Product Registration.lnk]
path= 
backup=c:\windows\pss\Product Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^RKC^Start Menu^Programs^Startup^SCRABBLE Complete Registration.lnk]
path= 
backup=c:\windows\pss\SCRABBLE Complete Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FingerPrintSoftware]
c:\program files\Lenovo Fingerprint Software\fpapp.exe \s [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACWLIcon]
2008-07-31 02:17 143360 ----a-w- c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-02 18:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
2007-02-01 18:00 419376 ----a-w- c:\progra~1\THINKV~1\AMSG\Amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth]
2008-06-14 03:08 3073336 ----a-w- c:\program files\Lenovo\Client Security Solution\cssauth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
2008-06-04 17:36 242976 ----a-w- c:\progra~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPMailChecker]
2008-06-08 18:00 124248 ----a-w- c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
2008-06-08 18:00 165208 ----a-w- c:\progra~1\THINKV~1\PrdCtr\LPMGR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2008-07-07 07:34 167936 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 20:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-04-16 18:09 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPFNF7]
2008-07-30 19:00 60192 ----a-w- c:\program files\Lenovo\NPDIRECT\tpfnf7sp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Atari\\Scrabble Complete\\ScrabbleComplete.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Adobe\\Adobe Flash CS4\\Flash.exe"=
"c:\\Program Files\\Adobe\\Flex Builder 3\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Adobe\\Adobe After Effects CS4\\Support Files\\AfterFX.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [5/14/2008 7:21 PM 19496]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1/12/2009 12:18 AM 114768]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/9/2008 8:50 AM 46144]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2/1/2010 4:01 PM 57344]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/12/2009 12:18 AM 20560]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [1/16/2008 11:52 AM 664840]
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [6/25/2009 8:53 AM 14416]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [8/18/2008 5:04 AM 94208]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [3/14/2009 10:54 AM 23200]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [11/7/2008 11:43 PM 3032360]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [5/14/2008 7:25 PM 520192]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/9/2008 8:50 AM 360448]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [9/24/2006 10:22 PM 11776]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [8/18/2008 4:53 AM 475136]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [8/18/2008 4:21 AM 243856]
R3 i1display;i1 Display;c:\windows\system32\drivers\i1display.sys [6/25/2009 9:18 AM 44344]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 6:54 PM 37312]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [9/24/2006 10:23 PM 3584]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [11/7/2008 11:43 PM 15144]
S1 SysTool;SysTool Overclocking Utility;c:\windows\system32\drivers\SysTool.sys [11/10/2006 9:08 AM 24064]
S2 gupdate1c9bebe93c143b0;Google Update Service (gupdate1c9bebe93c143b0);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2009 2:10 PM 133104]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 6:46 AM 288112]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [11/25/2008 10:57 PM 30946]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [1/16/2008 11:52 AM 894216]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [4/25/2008 11:15 AM 1120752]
S4 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [5/10/2008 10:24 AM 102400]
.
Contents of the 'Scheduled Tasks' folder

2008-12-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-16 18:09]

2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 18:10]

2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 18:10]

2010-05-06 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2009-06-28 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2009-02-20 20:57]

2010-05-06 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-08-18 06:47]

2010-05-05 c:\windows\Tasks\SyncToyCmd TcreationsToY.job
- c:\program files\SyncToy 2.1\SyncToyCmd.exe [2009-10-19 07:58]

2010-05-05 c:\windows\Tasks\SyncToyCmd.job
- c:\program files\SyncToy 2.1\SyncToyCmd.exe [2009-10-19 07:58]

2010-05-06 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-05-03 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\RKC\Application Data\Mozilla\Firefox\Profiles\haps8vox.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - component: c:\documents and settings\RKC\Application Data\Mozilla\Firefox\Profiles\haps8vox.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: c:\documents and settings\RKC\Application Data\Mozilla\Firefox\Profiles\haps8vox.default\extensions\[email protected]\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-05 22:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-468252708-3274475066-233985201-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:0c,ad,df,fd,f9,7d,0a,38,1d,f4,91,5a,c5,94,21,97,00,44,e9,8d,78,
88,ac,03,98,ec,dc,37,b7,51,8d,d2,98,da,db,d6,17,fd,3e,33,85,a2,95,1d,09,a6,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:0c,ad,df,fd,f9,7d,0a,38,1d,f4,91,5a,c5,94,21,97,00,44,e9,8d,78,
88,ac,03,98,ec,dc,37,b7,51,8d,d2,98,da,db,d6,17,fd,3e,33,85,a2,95,1d,09,a6,\

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\ACPI\IBM0057\4&ef53bae&0\LogConf]
@DACL=(02 0000)
"BasicConfigVector"=hex(a):48,00,00,00,0f,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,01,00,01,00,00,00,00,02,\
"BootConfig"=hex(8):01,00,00,00,0f,00,00,00,00,00,00,00,01,00,01,00,01,00,00,
00,02,01,01,00,0c,00,00,00,0c,00,00,00,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_046d&Pid_c517&MI_01&Col01\8&24e84269&0&0000\LogConf]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_046d&Pid_c517&MI_01&Col01\9&21264f1c&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\windows\system32\FpWinLogonNp.dll
c:\program files\Lenovo Fingerprint Software\ATCSSINT.dll
c:\program files\Lenovo Fingerprint Software\SharedResources.dll
c:\program files\Lenovo Fingerprint Software\FPResource.dll
c:\program files\Lenovo\Client Security Solution\CSS_Enroll.dll
c:\program files\Lenovo\Client Security Solution\css_banner.dll
c:\windows\system32\cssuserdatadispatcher.dll
c:\windows\system32\tvttsp.dll
c:\windows\system32\tcsrpc.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'explorer.exe'(1216)
c:\windows\system32\WININET.dll
c:\program files\UltraMon\RTSUltraMonHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\XEMICOMPUTERS\ACTIVE DESKTOP CALENDAR\MouseHook.dll
c:\windows\system32\ieframe.dll
c:\program files\UltraMon\Resources\en\RTSUltraMonHookRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\UltraMon\UltraMonTaskbar.exe
.
**************************************************************************
.
Completion time: 2010-05-05 22:06:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-06 02:06
ComboFix2.txt 2010-05-01 13:52

Pre-Run: 113,974,644,736 bytes free
Post-Run: 113,889,644,544 bytes free

- - End Of File - - B7EF7A843D7E9992DDD994747D6C3A2D


----------



## JSntgRvr (Jul 1, 2003)

First, download the enclosed folder. Save and extract its contents to the desktop. Once extracted open the folder and click on the *Pragma.bat* file. The computer will restart.

Run GMER to confirm.


----------



## canoli (Apr 26, 2010)

I don't think I can run GMER again. I decided to run it anyway last night, and when it finally finished this morning (about 9 hours later, first time only took 40 minutes - same scan) I tried saving the report. The system hung, then went to the BSOD. 

Apparently GMER, at least that version of it, and my system don't play nice together.

But I will follow the first part of the instructions now.


----------



## canoli (Apr 26, 2010)

Okay, I clicked the batch file and it flashed up the dreaded "system emergency" box (the red circle with an X).

Then it rebooted my system. I couldn't tell what it said, it was only on the screen less than a second. 

After the reboot all the usual suspects are back - the PRAGMA warning from Avast, the WGVA wizard - and a report from MS telling me my system has "recovered from a serious error." (same note I got after the BSOD from GMER). This time it took quite a few clicks before the box would go away...


----------



## JSntgRvr (Jul 1, 2003)

Click on GMER. No need to Scan. It will automatically perform a quick scan. Once it finishes, click on the Rootkit tab and save the report. Post its contents.


----------



## canoli (Apr 26, 2010)

I don't know - twice now that thing has crashed my computer. I'll do it if it's absolutely necessary, but BSODs are no fun. And the 2nd time (the last time) was extremely bad - it didn't let me save the log and took 9 hours to scan just the C: drive.

Is there anything else I can use instead? Or maybe a previous version?


----------



## canoli (Apr 26, 2010)

Okay, I tried running it again anyway - clicked on it, a couple of seconds went by, up popped the Warning that it found a Rootkit infection. I didn't proceed past that, only enough to save the log, and then the system crashed again. Reboot - same stuff - WGAV wizard, Avast PRAGMA warning...

Here's the log from GMER:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-06 14:19:55
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\RKC\LOCALS~1\Temp\pfeorkod.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs tvtumon.sys (Windows Update Monitor Driver/Lenovo)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat tvtumon.sys (Windows Update Monitor Driver/Lenovo)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) PRAGMAfpyycwxbvf <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

Oh, btw - I've been meaning to ask - should I run the MS update? The one that came into my system tray the other day? I believe it is legitimate since they're the exact same ones listed on Microsoft's site when I run the MS scan.


----------
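A triage pass over a GMER rootkit report of the kind posted in this thread, as an added example that is not part of the thread or of GMER itself: it parses the report into its sections, flags a hidden service (the real finding here) together with any registry keys that reference it, and separates SSDT hooks from a vendor on an analyst-maintained allowlist (avast's aswSP.SYS, reported as ALWIL Software, which GMER also tags "<-- ROOTKIT !!!" in the full scan) from hooks it cannot account for. The sample report and the allowlist are constructed for the example; the `unknown.sys` SSDT line is invented to show the untrusted case.

```python
import re

# Constructed sample modelled on the GMER lines quoted in this thread.
# The unknown.sys SSDT entry is invented to exercise the "not on the allowlist" path.
SAMPLE_REPORT = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-06 18:51:33
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0x9518E6B8] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0x9518E08C] <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\drivers\unknown.sys ZwQueryDirectoryFile [0x9ABCDEF0] <-- ROOTKIT !!!

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) PRAGMAfpyycwxbvf <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAfpyycwxbvf
Reg HKLM\SYSTEM\ControlSet002\Services\PRAGMAfpyycwxbvf (not active ControlSet)
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# SSDT lines: module path, optional "(description/vendor)", hooked Zw* function, handler address.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]"
)
HIDDEN_SVC_RE = re.compile(r"^Service \(\*\*\* hidden \*\*\* \)\s+(?P<name>\S+)")
REG_RE = re.compile(r"^Reg\s+(?P<key>\S+)")

# Assumption: an analyst-maintained allowlist of vendors whose SSDT hooks are expected on
# this machine. GMER names avast's self-protection driver as "ALWIL Software".
TRUSTED_VENDORS = {"ALWIL Software"}


def parse_sections(text):
    """Split a GMER report into {section name: [non-empty lines]}; pre-section lines go to 'Header'."""
    sections = {}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def triage(text, trusted_vendors=TRUSTED_VENDORS):
    """Return (severity, kind, detail) tuples, highest severity first.

    HIGH   - hidden services and registry keys that name them
    REVIEW - SSDT hooks without a trusted vendor, other registry entries GMER surfaced
    INFO   - SSDT hooks owned by an allowlisted security product
    """
    sections = parse_sections(text)
    findings = []
    hidden = []
    for line in sections.get("Services", []):
        m = HIDDEN_SVC_RE.match(line)
        if m:
            hidden.append(m.group("name"))
            findings.append(("HIGH", "hidden service", m.group("name")))
    for line in sections.get("System", []):
        m = SSDT_RE.match(line)
        if not m:
            continue
        info = m.group("info") or ""
        vendor = info.rsplit("/", 1)[-1].strip() if "/" in info else ""
        severity = "INFO" if vendor in trusted_vendors else "REVIEW"
        detail = f"{m.group('func')} -> {m.group('module')} ({vendor or 'no vendor info'})"
        findings.append((severity, "SSDT hook", detail))
    for line in sections.get("Registry", []):
        m = REG_RE.match(line)
        if not m:
            continue
        key = m.group("key")
        if any(name.lower() in key.lower() for name in hidden):
            findings.append(("HIGH", "registry key of hidden service", key))
        else:
            findings.append(("REVIEW", "registry entry", key))
    order = {"HIGH": 0, "REVIEW": 1, "INFO": 2}
    findings.sort(key=lambda f: order[f[0]])  # stable sort keeps report order within a level
    return findings


if __name__ == "__main__":
    for severity, kind, detail in triage(SAMPLE_REPORT):
        print(f"{severity:6} {kind:32} {detail}")
```

The registry correlation is what turns the hidden-service line into something actionable: both the active control set and ControlSet002 carry the PRAGMA service key, so the persistence survives a "last known good" boot.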



## canoli (Apr 26, 2010)

Full GMER log - downloaded GMER from their site - the random-letter name they use - and it ran better. Still hung the system, but at least no BSOD.

Are we making any progress?

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-06 18:51:33
Windows 5.1.2600 Service Pack 3
Running: kjqbuqx6.exe; Driver: C:\DOCUME~1\RKC\LOCALS~1\Temp\pfeorkod.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0x9518E6B8] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0x9518E574] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0x9518EA52] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0x9518E14C] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0x9518E64E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0x9518E08C] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0x9518E0F0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0x9518E76E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0x9518E72E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0x9518E8AE] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CD4 80504570 4 Bytes JMP 924A9518 
.text ntkrnlpa.exe!ZwCallbackReturn + 2FAC 80504848 4 Bytes CALL 4144DD65 
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8397000, 0x199B48, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs tvtumon.sys (Windows Update Monitor Driver/Lenovo)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat tvtumon.sys (Windows Update Monitor Driver/Lenovo)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) PRAGMAfpyycwxbvf <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAfpyycwxbvf 
Reg HKLM\SYSTEM\ControlSet002\Services\PRAGMAfpyycwxbvf (not active ControlSet) 
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version 
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\[email protected] 0x0C 0xAD 0xDF 0xFD ...

---- Files - GMER 1.0.15 ----

File C:\RRbackups\common 0 bytes
File C:\RRbackups\common\css.dat 8192 bytes
File C:\RRbackups\common\hints.dat 8192 bytes
File C:\RRbackups\common\mnd.dat 8192 bytes
File C:\RRbackups\common\regcerts.dat 8192 bytes
File C:\RRbackups\common\restore.log 110 bytes
File C:\RRbackups\common\rr.log 651573 bytes
File C:\RRbackups\common\SAM 28672 bytes
File C:\RRbackups\common\seccache.dat 8192 bytes
File C:\RRbackups\common\secpolicy.dat 65536 bytes
File C:\RRbackups\common\settings.dat 32768 bytes
File C:\RRbackups\common\system.dat 12288 bytes
File C:\RRbackups\common\tvtcmn.dat 8192 bytes
File C:\RRbackups\common\tvtns.bin 23 bytes
File C:\RRbackups\common\usersids.dat 18720 bytes
File C:\RRbackups\Documents and Settings 0 bytes
File C:\RRbackups\Documents and Settings\Administrator 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo\Client Security Solution 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo\Client Security Solution\enroll.ini 50 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2373098477-2479653578-385586937-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2373098477-2479653578-385586937-500\ea409a7f-8f0d-44d7-ab65-b131c5ed087c 388 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2373098477-2479653578-385586937-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2535219779-713585050-1688782907-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2535219779-713585050-1688782907-500\ad773619-4cf4-4ed4-8434-fe384539a520 388 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2535219779-713585050-1688782907-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-468252708-3274475066-233985201-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-468252708-3274475066-233985201-500\458455c2-9853-412f-a37a-4494c28a8547 388 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-468252708-3274475066-233985201-500\652c0dc1-4754-4b19-9096-465727e51e81 388 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-468252708-3274475066-233985201-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-946717588-3743035659-1223884851-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-946717588-3743035659-1223884851-500\6c5ae295-b679-49de-926e-89c4f79a80fe 388 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-946717588-3743035659-1223884851-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\All Users 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\42e7e898003fbdeb9585806ee1664b51_11f28ebe-2579-42d2-8c7d-3003d80c9709 57 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_11f28ebe-2579-42d2-8c7d-3003d80c9709 47 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\8f71098770f72c7a67cd8f1151619865_11f28ebe-2579-42d2-8c7d-3003d80c9709 54 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\9921d43dc7a746715c0c2d40741ccd3c_11f28ebe-2579-42d2-8c7d-3003d80c9709 1273 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\d42cc0c3858a58db2db37658219e6400_11f28ebe-2579-42d2-8c7d-3003d80c9709 893 bytes
File C:\RRbackups\Documents and Settings\Default User 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Lenovo\Client Security Solution 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Lenovo\Client Security Solution\enroll.ini 50 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2373098477-2479653578-385586937-500 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2373098477-2479653578-385586937-500\ea409a7f-8f0d-44d7-ab65-b131c5ed087c 388 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2373098477-2479653578-385586937-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2535219779-713585050-1688782907-500 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2535219779-713585050-1688782907-500\ad773619-4cf4-4ed4-8434-fe384539a520 388 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2535219779-713585050-1688782907-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-946717588-3743035659-1223884851-500 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-946717588-3743035659-1223884851-500\6c5ae295-b679-49de-926e-89c4f79a80fe 388 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-946717588-3743035659-1223884851-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\LocalService 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Crypto\RSA\S-1-5-20 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Crypto\RSA\S-1-5-20\94498385663a229a93d423c6d144ae0b_11f28ebe-2579-42d2-8c7d-3003d80c9709 2519 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect\S-1-5-20 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect\S-1-5-20\472922b6-3fe4-4168-ab5a-72edf5a7729e 388 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect\S-1-5-20\59deafac-bf52-44d2-b9f3-e25d0a6d931b 388 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect\S-1-5-20\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\RKC 0 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Lenovo\Client Security Solution 0 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Lenovo\Client Security Solution\enroll.ini 50 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Lenovo\Client Security Solution\hibernation.dat 4 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Crypto\RSA\S-1-5-21-468252708-3274475066-233985201-1008 0 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Crypto\RSA\S-1-5-21-468252708-3274475066-233985201-1008\6b29ae44e85efac3c72ff4d1865d73f1_11f28ebe-2579-42d2-8c7d-3003d80c9709 53 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Crypto\RSA\S-1-5-21-468252708-3274475066-233985201-1008\83aa4cc77f591dfc2374580bbd95f6ba_11f28ebe-2579-42d2-8c7d-3003d80c9709 45 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Crypto\RSA\S-1-5-21-468252708-3274475066-233985201-1008\8d8ef4b8eea82dea1440caaeb5057a5b_11f28ebe-2579-42d2-8c7d-3003d80c9709 44 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Crypto\RSA\S-1-5-21-468252708-3274475066-233985201-1008\8f71098770f72c7a67cd8f1151619865_11f28ebe-2579-42d2-8c7d-3003d80c9709 54 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Crypto\RSA\S-1-5-21-468252708-3274475066-233985201-1008\cfcd3282100a5c74f6fb046fab0c5a24_11f28ebe-2579-42d2-8c7d-3003d80c9709 66 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Protect\CREDHIST 160 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Protect\S-1-5-21-2373098477-2479653578-385586937-500 0 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Protect\S-1-5-21-2373098477-2479653578-385586937-500\ea409a7f-8f0d-44d7-ab65-b131c5ed087c 388 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Protect\S-1-5-21-2373098477-2479653578-385586937-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Protect\S-1-5-21-2535219779-713585050-1688782907-500 0 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Protect\S-1-5-21-2535219779-713585050-1688782907-500\ad773619-4cf4-4ed4-8434-fe384539a520 388 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Protect\S-1-5-21-2535219779-713585050-1688782907-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Protect\S-1-5-21-468252708-3274475066-233985201-1008 0 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Protect\S-1-5-21-468252708-3274475066-233985201-1008\0a8d3dae-5194-49d2-ad7a-df5aeda72859 388 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Protect\S-1-5-21-468252708-3274475066-233985201-1008\16d2c31b-2b20-42fb-8af5-0e85a38c204b 388 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Protect\S-1-5-21-468252708-3274475066-233985201-1008\1c27bd82-f1e8-427f-9fec-a5baf83ebfd1 388 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Protect\S-1-5-21-468252708-3274475066-233985201-1008\28f25b2b-f42d-4b6c-abb5-25d34eb43b19 388 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Protect\S-1-5-21-468252708-3274475066-233985201-1008\37ec564e-eb64-441e-96a6-e5db5c6fc73b 388 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Protect\S-1-5-21-468252708-3274475066-233985201-1008\51740950-5063-46b6-88a2-2ea2f405a195 388 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Protect\S-1-5-21-468252708-3274475066-233985201-1008\7be7b65a-6ab0-4698-b0ab-6147103961ee 388 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Protect\S-1-5-21-468252708-3274475066-233985201-1008\f16d5553-1e81-46a5-9a06-4a09e61e11d4 388 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Protect\S-1-5-21-468252708-3274475066-233985201-1008\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Protect\S-1-5-21-946717588-3743035659-1223884851-500 0 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Protect\S-1-5-21-946717588-3743035659-1223884851-500\6c5ae295-b679-49de-926e-89c4f79a80fe 388 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Protect\S-1-5-21-946717588-3743035659-1223884851-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\FR 0 bytes
File C:\RRbackups\FR\KernelFileDigest.dat 17562 bytes
File C:\RRbackups\FR\UF 0 bytes
File C:\RRbackups\FR\UF\boot.ini 211 bytes
File C:\RRbackups\FR\UF\documents and settings 0 bytes
File C:\RRbackups\FR\UF\documents and settings\default user 0 bytes
File C:\RRbackups\FR\UF\documents and settings\default user\ntuser.dat 1048576 bytes
File C:\RRbackups\FR\UF\NTDETECT.COM 47564 bytes
File C:\RRbackups\FR\UF\NTLDR 250032 bytes
File C:\RRbackups\FR\UF\WINDOWS 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\explorer.exe 1033728 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\Fonts 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\Fonts\mangal.ttf 143864 bytes
File C:\RRbackups\FR\UF\WINDOWS\Fonts\marlett.ttf 24124 bytes
File C:\RRbackups\FR\UF\WINDOWS\Fonts\micross.ttf 461672 bytes
File C:\RRbackups\FR\UF\WINDOWS\Fonts\mvboli.ttf 40500 bytes
File C:\RRbackups\FR\UF\WINDOWS\Fonts\vgaoem.fon 5168 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\advapi32.dll 617472 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\advpack.dll 124928 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\authz.dll 62464 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\autochk.exe 588800 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\basesrv.dll 52736 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\bootvid.dll 12288 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\browseui.dll 1025024 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\chkdsk.exe 11776 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\cmd.exe 389120 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\comctl32.dll 617472 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\comdlg32.dll 276992 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\config 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\config\default 3407872 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\config\SAM 28672 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\config\SECURITY 61440 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\config\software 46661632 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\config\system 6291456 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\config\userdiff 262144 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\crypt32.dll 599040 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\cryptdll.dll 33280 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\cryptui.dll 512512 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\cscdll.dll 101888 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\csrsrv.dll 33280 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\csrss.exe 6144 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\c_1252.nls 66082 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\c_936.nls 196642 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\dnsapi.dll 147968 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\doskey.exe 10752 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\dpcdll.dll 102912 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\acpi.sys 187776 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\acpiec.sys 11648 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\afd.sys 138496 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\amdk6.sys 37376 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\amdk7.sys 37760 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\arp1394.sys 60800 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\asyncmac.sys 14336 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\atapi.sys 96512 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\atmarpc.sys 59904 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\atmepvc.sys 31360 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\atmlane.sys 55808 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\atmuni.sys 352256 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\audstub.sys 3072 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\beep.sys 4224 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\bridge.sys 71552 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\cbidf2k.sys 13952 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\cdaudio.sys 18688 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\cdfs.sys 63744 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\cdrom.sys 62976 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\classpnp.sys 49536 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\cpqdap01.sys 11776 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\crusoe.sys 36736 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\disk.sys 36352 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\diskdump.sys 14208 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\dmboot.sys 799744 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\dmio.sys 153344 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\dmload.sys 5888 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\dxapi.sys 10496 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\dxg.sys 71168 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\dxgthk.sys 3328 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\fastfat.sys 143744 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\fdc.sys 27392 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\fips.sys 44544 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\flpydisk.sys 20480 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\fltMgr.sys 129792 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\fsvga.sys 12160 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\fs_rec.sys 7936 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ftdisk.sys 125056 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\hidclass.sys 36864 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\hidparse.sys 24960 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\hidusb.sys 10368 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\http.sys 265728 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\i8042prt.sys 52480 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\imapi.sys 42112 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\intelppm.sys 36352 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ip6fw.sys 36608 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ipfltdrv.sys 32896 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ipinip.sys 20864 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ipnat.sys 152832 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ipsec.sys 75264 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\irenum.sys 11264 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\isapnp.sys 37248 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\kbdclass.sys 24576 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ks.sys 141056 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ksecdd.sys 92928 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\mcd.sys 7680 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\mf.sys 63744 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\modem.sys 30080 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\mouclass.sys 23040 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\mouhid.sys 12160 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\mountmgr.sys 42368 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\mrxdav.sys 180608 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\mrxsmb.sys 455680 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\msfs.sys 19072 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\msgpc.sys 35072 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\mssmbios.sys 15488 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\mup.sys 105344 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ndis.sys 182656 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ndistapi.sys 10112 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ndisuio.sys 14592 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ndiswan.sys 91520 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ndproxy.sys 40576 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\netbios.sys 34688 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\netbt.sys 162816 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\nic1394.sys 61824 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\nikedrv.sys 12032 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\npfs.sys 30848 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ntfs.sys 574976 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\null.sys 2944 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\nwlnkflt.sys 12416 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\nwlnkfwd.sys 32512 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\nwlnkipx.sys 88320 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\nwlnknb.sys 63232 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\nwlnkspx.sys 55936 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\oprghdlr.sys 3456 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\p3.sys 42752 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\parport.sys 80128 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\partmgr.sys  19712 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\parvdm.sys 6784 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\pci.sys 68224 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\pciide.sys 3328 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\pciidex.sys 24960 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\pcmcia.sys 120192 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\processr.sys 35840 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ptilink.sys 17792 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\rasacd.sys 8832 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\rasl2tp.sys 51328 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\raspppoe.sys 41472 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\raspptp.sys 48384 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\raspti.sys 16512 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\rawwan.sys 34432 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\rdbss.sys 175744 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\rdpcdd.sys 4224 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\rdpdr.sys 196224 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\rdpwd.sys  139656 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\redbook.sys 57600 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\rio8drv.sys 12032 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\riodrv.sys 12032 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\RMCast.sys 203136 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\rndismp.sys 30592 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\rootmdm.sys 5888 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\scsiport.sys 96384 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\sdbus.sys 79232 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\cinemst2.sys 262528 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\gm.dls 3440660 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\mnmdd.sys 4224 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\nmnt.sys 40320 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\psched.sys 69120 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\secdrv.sys 20480 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\tosdvd.sys 51712 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\serenum.sys 15744 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\serial.sys  64512 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\sffdisk.sys 11904 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\sffp_sd.sys 11008 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\sfloppy.sys 11392 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\smclib.sys 14592 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\sonydcam.sys 25344 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\sr.sys 73472 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\srv.sys 353792 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\stream.sys 49408 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\swenum.sys 4352 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\syntp.sys 177664 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\tape.sys 14976 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\tcpip.sys 361600 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\tcpip6.sys 226880 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\tdi.sys 19072 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\tdpipe.sys 12040 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\tdtcp.sys 21896 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\termdd.sys  40840 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\tsbvcap.sys 21376 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\tunmp.sys 12288 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\udfs.sys 66048 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\update.sys 384768 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\usb8023.sys 12800 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\usbcamd.sys 25600 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\usbcamd2.sys 25728 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\usbd.sys 4736 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\usbehci.sys 30208 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\usbhub.sys 59520 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\usbintel.sys 15872 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\usbport.sys 144128 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\usbstor.sys 26368 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\usbuhci.sys 20608 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\vdmindvd.sys 58112 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\vga.sys 20992 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\videoprt.sys 81664 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\volsnap.sys 52352 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\wanarp.sys 34560 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\wmilib.sys 4352 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\drivers\ws2ifsl.sys 12032 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\duser.dll 304128 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\eventlog.dll 56320 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\faultrep.dll 80384 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\feclient.dll 21504 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\filemgmt.dll 337920 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\fldrclnr.dll 87552 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\fltlib.dll 16896 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\fmifs.dll 16384 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\fontext.dll 382976 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\fontsub.dll 81920 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\framebuf.dll 9344 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\fsusd.dll 81408 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\fwcfg.dll 60416 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\gdi32.dll 286720 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\hal.dll 134400 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\imagehlp.dll 144384 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\imm32.dll 110080 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\iphlpapi.dll 94720 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\kdcom.dll 7040 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\kernel32.dll 989696 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\licdll.dll 423936 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\locale.nls 265948 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\logonui.exe 514560 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\lsasrv.dll 730112 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\lsass.exe 13312 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\lz32.dll 2560 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\l_intl.nls 7046 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\mfc42.dll 1028096 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\mfc42u.dll 981760 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\mmc.exe 1414656 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\mobsync.dll  207360 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\msasn1.dll 58880 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\msgina.dll 997376 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\msimg32.dll 4608 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\msprivs.dll 48128 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\msv1_0.dll 136192 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\msvcp60.dll 413696 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\msvcrt.dll 343040 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\ncobjapi.dll 36352 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\nddeapi.dll 17920 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\netapi32.dll 337408 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\netrap.dll 11776 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\notepad.exe 69120 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\ntdll.dll 714752 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\ntdsapi.dll 67072 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\ntoskrnl.exe 2146304 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\ntsdexts.dll 36864 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\odbc32.dll  249856 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\odbcint.dll 94208 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\oembios.dat 4547 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\oembios.sig 7208 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\ole32.dll 1287168 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\oleacc.dll 163328 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\oleaccrc.dll 16896 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\oleaut32.dll 551936 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\profmap.dll 27648 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\psapi.dll 23040 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\regapi.dll 49664 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\rpcrt4.dll 585216 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\rpcss.dll 401408 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\rsaenh.dll 208384 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\rundll32.exe 33280 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\samlib.dll 64000 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\samsrv.dll 415744 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\scesrv.dll  314880 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\secupd.dat 4569 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\secupd.sig 7208 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\services.exe 110592 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\setupapi.dll 985088 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\sfc.dll 5120 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\sfc_os.dll 140288 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\shdocvw.dll 1499136 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\shell32.dll 8461312 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\shfolder.dll 25088 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\shgina.dll 68096 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\shlwapi.dll 474112 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\shsvcs.dll 135168 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\smss.exe 50688 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\sortkey.nls 262148 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\sorttbls.nls 23044 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\svchost.exe 14336 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\sxs.dll  713216 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\umpnpmgr.dll 123392 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\unicode.nls 89588 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\usbmon.dll 16896 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\ctype.nls 8386 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\ftsrch.dll 176128 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\mpr.dll 59904 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\oembios.bin 13107200 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\secur32.dll 56832 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\usbui.dll 74240 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\user32.dll 578560 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\userenv.dll 727040 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\userinit.exe 26112 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\uxtheme.dll 218624 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\version.dll 18944 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\vga.dll 9344 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\vga.drv 2176 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\watchdog.sys 17664 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\win32k.sys 1850624 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\wininet.dll 832512 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\winlogon.exe 507904 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\winmm.dll 176128 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\winspool.drv 146432 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\winspool.exe 2112 bytes
File C:\RRbackups\FR\UF\WINDOWS\system32\winsrv.dll 293376 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\winsta.dll 53760 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\winstrm.dll 18944 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\wintrust.dll 177664 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\wldap32.dll 172032 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\ws2help.dll 19968 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\ws2_32.dll 82432 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\system32\wsock32.dll 22528 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7.cat 7232 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7.Manifest 1819 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a.cat 7238 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a.Manifest 1784 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.cat 7433 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9.Manifest 1862 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a.Manifest 494 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9.cat 7433 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9.Manifest 500 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13.cat 7236 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13.Manifest 391 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82.cat 7431 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82.Manifest 397 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7.cat 10678 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95.cat 10678 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95.Manifest 1187 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.SystemCompatible_6595b64144ccf1df_5.1.0.0_x-ww_fc342b0b.cat 7236 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.SystemCompatible_6595b64144ccf1df_5.1.0.0_x-ww_fc342b0b.Manifest 640 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.SystemCompatible_6595b64144ccf1df_5.1.2600.2000_x-ww_bcc9a281.cat 10680 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.SystemCompatible_6595b64144ccf1df_5.1.2600.2000_x-ww_bcc9a281.Manifest 1237 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a.cat 7238 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7.Manifest 1883 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_x-ww_4e8510ac 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_x-ww_4e8510ac\1.0.2600.2180.cat 7431 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_x-ww_4e8510ac\1.0.2600.2180.Policy 605 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.5.1.Microsoft.Windows.SystemCompatible_6595b64144ccf1df_x-ww_a0111510 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.5.1.Microsoft.Windows.SystemCompatible_6595b64144ccf1df_x-ww_a0111510\5.1.2600.2000.cat 10680 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.5.1.Microsoft.Windows.SystemCompatible_6595b64144ccf1df_x-ww_a0111510\5.1.2600.2000.Policy 625 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_x-ww_362e60dd 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_x-ww_362e60dd\5.2.2.3.cat 10678 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_x-ww_362e60dd\5.2.2.3.Policy 641 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Rtcdll_6595b64144ccf1df_x-ww_c7b7206f 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Rtcdll_6595b64144ccf1df_x-ww_c7b7206f\5.2.2.3.cat 10678 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Rtcdll_6595b64144ccf1df_x-ww_c7b7206f\5.2.2.3.Policy 641 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.cat 7429 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.Policy 621 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.7.0.Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_x-ww_a317e4b3 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.7.0.Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_x-ww_a317e4b3\7.0.2600.2180.cat 7433 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies\x86_policy.7.0.Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_x-ww_a317e4b3\7.0.2600.2180.Policy 623 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\atl.dll 74802 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\mfc42.dll 995383 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\mfc42u.dll 995384 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\msvcp60.dll 401462 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 921088 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll 1050624 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcirt.dll 50688 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcirt.dll 54784 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll 343040 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll 1700352 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll 1712128 bytes executable
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7\dxmrtp.dll 853504 bytes executable
File  C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95 0 bytes
File C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\rtcdll.dll 991232 bytes executable
File C:\RRbackups\FR\UpdatingFiles.dat 17 bytes

---- EOF - GMER 1.0.15 ----


----------



## canoli (Apr 26, 2010)

Are you able to help me any further, do you think? Do you think this PRAGMA file is hurting my computer?

I decided to post over at bleepingcomputer too - gave them all the info and acknowledged your help so far. Don't know whether anyone will reply as I'm already working with you but I figured it was worth a shot...

Anyway - I hope to continue and eagerly await your next instructions.......

Thanks!


----------



## JSntgRvr (Jul 1, 2003)

canoli said:


> Are you able to help me any further, do you think? Do you think this PRAGMA file is hurting my computer?
> 
> I decided to post over at bleepingcomputer too - gave them all the info and acknowledged your help so far. Don't know whether anyone will reply as I'm already working with you but I figured it was worth a shot...
> 
> ...


The rootkit is inactive. Just an empty hidden entry in the registry is left.

Run GMER once again. *No need to scan.*

Under the Services or Rootkit tab, right-click the *PRAGMAfpyycwxbvf* entry and select Delete.

Restart, run GMER once again (*no need to scan*), and post its report.


----------



## canoli (Apr 26, 2010)

Awesome! Thank you, thank you, for the news. I still have a problem though because unfortunately GMER won't delete it from either tab.

What did you mean by "No need to scan"? As soon as I open GMER it starts scanning. Or am I using it wrong?

Did you mean "let it run to where it detects the PRAGMA file and then choose No when it asks if you want to run a full scan"? Is that the idea?

Well that's what I did, I let it run till it detected PRAGMA, said "No" and tried deleting it. No luck.  So I tried to disable it and that's when GMER crashed my computer again. 

So it doesn't look like GMER will be able to help me - at least the way I'm using it now.

Can I just tell Avast to stop nagging me about it? (naturally I'd prefer getting it the heck out of there...)

Thanks again! Keeping my fingers crossed you come up with yet another plan of attack!

edit:
Two things I forgot to ask:

- any reason I should be suspicious of this Windows Genuine etc... Wizard? It's still popping up on the reboots, and as I mentioned, I already have the Validation Tool in my Add/Remove. I've run it successfully a number of times in the 18 months I've had this laptop...just seems a little "fishy" that it's popping up now...

and...

- can I do the MS Updates that came into my system tray now?

Thanks again for all your help! Looks like we're close to wrapping it up, and I really want you to know I'm grateful for your assistance.


----------



## JSntgRvr (Jul 1, 2003)

Right. When you click on GMER, it will perform a quick scan on its own. There is no need to click on Scan. Locate the Pragma entry, usually in the Rootkit tab, right-click on the entry and select DELETE.


----------



## canoli (Apr 26, 2010)

Tried that. After the crash - same old WGA wizard and Avast PRAGMA warning.
Is there perhaps another utility I can use - or can I delete it manually using regedit?



canoli said:


> Well that's what I did, I let it run till it detected PRAGMA, said "No" and tried deleting it. No luck.  So I tried to disable it and that's when GMER crashed my computer again.
> 
> So it doesn't look like GMER will be able to help me - at least the way I'm using it now.


----------



## JSntgRvr (Jul 1, 2003)

Let's try that again.

Download the enclosed folder. Save and extract its contents to the desktop. Once extracted, open the folder and click on the RunMe.bat file. An MS-DOS window will pop up, icons will disappear and the computer will restart.

Upon restart, check for PRAGMA detection.


----------



## canoli (Apr 26, 2010)

After running the file in the zip archive and rebooting, it's still there - same Avast warning, same suspicious Windows Genuine blah blah blah...


----------



## JSntgRvr (Jul 1, 2003)

1. Please *download* *The Avenger* by Swandog46 to your *Desktop*.
   - Right-click on the Avenger.zip folder and select "Extract All..."
   - Follow the prompts and extract the *avenger* folder to your desktop.
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (*Ctrl+C*):

```
Begin copying here:
Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAfpyycwxbvf
HKLM\SYSTEM\ControlSet002\Services\PRAGMAfpyycwxbvf
```

_*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, open the avenger folder and *start The Avenger program* by clicking on its icon.
   - Right-click on the window under *Input script here:*, and select Paste.
   - You can also click on this window and press (*Ctrl+V*) to paste the contents of the clipboard.
   - Click on *Execute*.
   - Answer "*Yes*" twice when prompted.
4. *The Avenger will automatically do the following*:
   - It will *restart your computer*. (In cases where the code to execute contains "*Drivers to Delete*", The Avenger will actually *restart your system twice*.)
   - On reboot, it will briefly *open a black command window* on your desktop; this is normal.
   - After the restart, it *creates a log file* that should open with the results of The Avenger's actions. This log file will be located at *C:\avenger.txt*.
   - The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.
5. Please *copy/paste* the content of *c:\avenger.txt* into your reply.


----------



## canoli (Apr 26, 2010)

Avenger didn't see it. I opened regedit and went to the key that it didn't see.
It's there - in both spots. Regedit wouldn't let me open it or see the permissions in either location...

On the reboot Avast came up with the usual Suspicious File Found - PRAGMA--.
And the same WGAV wizard popped up.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAfpyycwxbvf" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAfpyycwxbvf" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "HKLM\SYSTEM\ControlSet002\Services\PRAGMAfpyycwxbvf" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet002\Services\PRAGMAfpyycwxbvf" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.


----------



## JSntgRvr (Jul 1, 2003)

Crazy, isn't it? The fact is that even if the entry is present, the rootkit is neutralized as files were deleted.


Download RootRepeal from the following location and save it to your desktop.
*Zip Mirrors (Recommended)*
Primary Mirror
Secondary Mirror
Secondary Mirror

*Rar Mirrors* - Only if you know what a RAR is and can extract it.
Primary Mirror
Secondary Mirror
Secondary Mirror


Extract RootRepeal.exe from the archive.
- Open [image] on your desktop.
- Click the [image] tab.
- Click the [image] button.
- Check all seven boxes: [image]
- Push Ok.
- Check the box for your main system drive (usually C), and press Ok.
- Allow RootRepeal to run a scan of your system. This may take some time.
- Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


----------



## canoli (Apr 26, 2010)

_"Crazy, isn't? The fact is that even if the entry is present, the rootkit is neutralized as files were deleted."_

It most certainly is!! Thanks very much for your continued efforts - your help is greatly appreciated!

Here's the log...

(nice to see RootRepeal found it - though I'm not sure if that's a good thing or a bad thing...)

Thanks again!

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/05/08 13:10
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x94D4E000 Size: 897024 File Visible: No Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xBA671000 Size: 1664 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x8F913000 Size: 49152 File Visible: No Signed: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xBA5AE000 Size: 5248 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\RRbackups
Status: Locked to the Windows API!

Path: \\?\C:\RRbackups\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\common
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\common\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\common\css.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\hints.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\mnd.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\regcerts.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\restore.log
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\rr.log
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\SAM
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\seccache.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\secpolicy.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\settings.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\system.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\tvtcmn.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\tvtns.bin
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\usersids.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\Administrator
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\LocalService
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\NetworkService
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\RKC
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\FR\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\FR\KernelFileDigest.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UpdatingFiles.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\LocalService\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\RKC\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\RKC\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\FR\UF\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\FR\UF\boot.ini
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\documents and settings
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\NTDETECT.COM
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\NTLDR
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Lenovo
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\RKC\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\RKC\Application Data\Lenovo
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\FR\UF\documents and settings\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\FR\UF\documents and settings\default user
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\FR\UF\WINDOWS\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\FR\UF\WINDOWS\explorer.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\Fonts
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo\Client Security Solution
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Lenovo\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Lenovo\Client Security Solution
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\RKC\Application Data\Lenovo\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\RKC\Application Data\Lenovo\Client Security Solution
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\FR\UF\documents and settings\default user\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\FR\UF\documents and settings\default user\ntuser.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\FR\UF\WINDOWS\Fonts\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\FR\UF\WINDOWS\Fonts\mangal.ttf
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\Fonts\marlett.ttf
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\Fonts\micross.ttf
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\Fonts\mvboli.ttf
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\Fonts\vgaoem.fon
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\FR\UF\WINDOWS\system32\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\advapi32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\advpack.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\authz.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\autochk.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\basesrv.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\bootvid.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\browseui.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\chkdsk.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\cmd.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\comctl32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\comdlg32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\config
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\crypt32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\cryptdll.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\cryptui.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\cscdll.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\csrsrv.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\csrss.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\c_1252.nls
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\c_936.nls
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\dnsapi.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\doskey.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\dpcdll.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\drivers
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\duser.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\eventlog.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\faultrep.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\feclient.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\filemgmt.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\fldrclnr.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\fltlib.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\fmifs.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\fontext.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\fontsub.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\framebuf.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\fsusd.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\fwcfg.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\gdi32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\hal.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\imagehlp.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\imm32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\iphlpapi.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\kdcom.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\kernel32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\licdll.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\locale.nls
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\logonui.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\lsasrv.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\lsass.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\lz32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\l_intl.nls
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\mfc42.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\mfc42u.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\mmc.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\mobsync.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\msasn1.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\msgina.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\msimg32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\msprivs.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\msv1_0.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\msvcp60.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\msvcrt.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\ncobjapi.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\nddeapi.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\netapi32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\netrap.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\notepad.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\ntdll.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\ntdsapi.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\ntoskrnl.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\ntsdexts.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\odbc32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\odbcint.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\oembios.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\oembios.sig
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\ole32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\oleacc.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\oleaccrc.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\oleaut32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\profmap.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\psapi.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\regapi.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\rpcrt4.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\rpcss.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\rsaenh.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\rundll32.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\samlib.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\samsrv.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\scesrv.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\secupd.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\secupd.sig
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\services.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\setupapi.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\sfc.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\sfc_os.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\shdocvw.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\shell32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\shfolder.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\shgina.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\shlwapi.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\shsvcs.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\smss.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\sortkey.nls
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\sorttbls.nls
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\svchost.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\sxs.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\umpnpmgr.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\unicode.nls
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\usbmon.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\ctype.nls
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\ftsrch.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\mpr.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\oembios.bin
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\secur32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\usbui.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\user32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\userenv.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\userinit.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\uxtheme.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\version.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\vga.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\vga.drv
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\watchdog.sys
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\win32k.sys
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\wininet.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\winlogon.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\winmm.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\winspool.drv
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\winspool.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\winsrv.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\winsta.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\winstrm.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\wintrust.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\wldap32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\ws2help.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\ws2_32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\wsock32.dll
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\FR\UF\WINDOWS\WinSxS\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo\Client Security Solution\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo\Client Security Solution\enroll.ini
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2373098477-2479653578-385586937-500
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2535219779-713585050-1688782907-500
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-468252708-3274475066-233985201-500
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-946717588-3743035659-1223884851-500
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Sett

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x94f1f6b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x94f1f574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x94f1fa52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x94f1f14c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x94f1f64e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x94f1f08c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x94f1f0f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x94f1f76e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x94f1f72e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x94f1f8ae

Hidden Services
-------------------
Service Name: PRAGMAfpyycwxbvf
Image Path: C:\WINDOWS\system32\drivers\PRAGMAfpyycwxbvf.sys

==EOF==
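
As an added example (not code from the thread, from RootRepeal's author, or from the helper): a small parser for the RootRepeal report format posted above that pulls out the SSDT hooks, hidden services and hidden/locked paths and reduces them to triage lines, so an analyst sees "one hidden service" and "one protected tree" instead of hundreds of lines. The sample report is a constructed excerpt, the hooking-driver allowlist is an assumption, and the "unknown.sys" hook is made up to exercise the untrusted-hook branch.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed excerpt in the RootRepeal report format posted above; the "unknown.sys" hook is made up.
SAMPLE_REPORT = r"""Hidden/Locked Files
-------------------
Path: \\?\C:\RRbackups\common\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\common\SAM
Status: Invisible to the Windows API!

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0x94f1f6b8

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\unknown.sys" at address 0x94f1f08c

Hidden Services
-------------------
Service Name: PRAGMAfpyycwxbvf
Image Path: C:\WINDOWS\system32\drivers\PRAGMAfpyycwxbvf.sys

==EOF==
"""

# Assumed allowlist: drivers expected to hook the SSDT on this box (avast!'s self-protection driver).
TRUSTED_HOOK_DRIVERS = {"aswsp.sys"}
HOOK_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)")
HOOKED_BY_RE = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
RULE_RE = re.compile(r"-{5,}")
SsdtHook = namedtuple("SsdtHook", "index function driver_path address")

@dataclass
class Report:
    hooks: list = field(default_factory=list)             # [SsdtHook]
    hidden_services: list = field(default_factory=list)   # [(name, image path)]
    hidden_paths: list = field(default_factory=list)      # [(path, status)]

def _sections(text):
    """Yield (title, body_lines) for each 'Title' line followed by a dashed underline."""
    title, body = None, []
    for line in text.splitlines():
        if line.strip() == "==EOF==":
            break
        if RULE_RE.fullmatch(line.strip()) and body and body[-1].strip() and not RULE_RE.fullmatch(body[-1].strip()):
            new_title = body.pop().strip()   # the title line went into the previous body
            if title is not None:
                yield title, body
            title, body = new_title, []
            continue
        body.append(line)
    if title is not None:
        yield title, body

def parse_report(text):
    rep = Report()
    for title, body in _sections(text):
        for chunk in re.split(r"\n\s*\n", "\n".join(body)):   # records are blank-line separated
            rec = [l.rstrip() for l in chunk.splitlines() if l.strip()]
            # split on the first colon only, so 'C:\...' values stay intact
            kv = {k.strip(): v.strip() for k, _, v in (l.partition(":") for l in rec)}
            if title == "SSDT" and len(rec) >= 2:
                m, h = HOOK_RE.match(rec[0]), HOOKED_BY_RE.match(rec[1])
                if m and h:
                    rep.hooks.append(SsdtHook(int(m.group(1)), m.group(2), h.group(1), h.group(2)))
            elif title == "Hidden Services" and rec:
                rep.hidden_services.append((kv.get("Service Name", ""), kv.get("Image Path", "")))
            elif title == "Hidden/Locked Files" and rec:
                rep.hidden_paths.append((kv.get("Path", ""), kv.get("Status", "")))
    return rep

def untrusted_hooks(rep):
    """SSDT hooks not owned by an allowlisted driver (compared by file name, case-insensitive)."""
    return [h for h in rep.hooks if h.driver_path.rsplit("\\", 1)[-1].lower() not in TRUSTED_HOOK_DRIVERS]

def hidden_path_roots(rep):
    """Hidden/locked entries per top-level directory, so one protected tree shows as one cluster."""
    counts = {}
    for path, _ in rep.hidden_paths:
        parts = (path[4:] if path.startswith("\\\\?\\") else path).split("\\")   # drop \\?\ prefix
        root = "\\".join(parts[:2])                                            # e.g. C:\RRbackups
        counts[root] = counts.get(root, 0) + 1
    return counts

def findings(text):
    """Analyst-facing triage lines: what in the report deserves a closer look."""
    rep = parse_report(text)
    return ([f"SSDT #{h.index:03d} {h.function} hooked by untrusted driver {h.driver_path}" for h in untrusted_hooks(rep)]
            + [f"hidden service {name} -> {image}" for name, image in rep.hidden_services]
            + [f"{n} hidden/locked entries under {root}" for root, n in sorted(hidden_path_roots(rep).items())])
```

Run against the full log above, the C:\RRbackups tree (Lenovo's protected Rescue and Recovery mirror) collapses to a single count, while the hidden PRAGMA service stands out on its own line.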


----------



## JSntgRvr (Jul 1, 2003)

Let's try this again.

*Copy the entire contents of the Quote Box* below to *Notepad*.
Name the file *CFScript.txt*
Change the *Save as Type* to *All Files*
and *Save* it on the *desktop*



> Rootkit::
> C:\WINDOWS\system32\drivers\PRAGMAfpyycwxbvf.sys
> 
> Driver::
> PRAGMAfpyycwxbvf

Once saved, referring to the picture above, drag *CFScript.txt* into *ComboFix.exe*, and post back the resulting report.


----------



## canoli (Apr 26, 2010)

After reboot - same Avast warning...again.
But no WGA wizard, and the MS updates are gone from the system tray...

Rebooted again - had a feeling the WGA and the updates would come back - they did.

ComboFix updated itself during the process.

Rebooted again a few minutes ago - same stuff still popping up.

ComboFix 10-05-08.02 - RKC 05/08/2010 20:44:52.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3066.2371 [GMT -4:00]
Running from: c:\documents and settings\RKC\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\RKC\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100508-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_PRAGMAfpyycwxbvf

((((((((((((((((((((((((( Files Created from 2010-04-09 to 2010-05-09 )))))))))))))))))))))))))))))))
.

2010-05-07 04:17 . 2010-05-07 04:17 -------- d-----w- c:\documents and settings\RKC\Application Data\Malwarebytes
2010-05-07 04:16 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-07 04:16 . 2010-05-07 04:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-07 04:16 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-04 22:13 . 2010-05-04 22:19 -------- d-----w- c:\windows\SxsCaPendDel
2010-05-03 07:00 . 2010-05-03 07:00 -------- d-----w- c:\windows\system32\KB905474
2010-05-02 02:15 . 2010-05-02 02:15 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-04-28 22:07 . 2010-04-28 22:09 -------- d-----w- c:\program files\Ubisoft
2010-04-28 21:42 . 2010-05-08 16:14 -------- d-----w- c:\program files\Texas Holdem
2010-04-27 23:59 . 2010-04-27 23:59 -------- d-----w- c:\program files\Synaptics
2010-04-27 23:47 . 2010-01-21 15:46 441168 ----a-w- c:\documents and settings\RKC\Application Data\Mozilla\Firefox\Profiles\haps8vox.default\extensions\[email protected]\plugins\npLogitechDeviceDetection.dll
2010-04-27 07:14 . 2010-04-27 07:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-26 19:16 . 2010-04-26 19:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-04-26 19:14 . 2010-04-26 19:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-04-26 16:14 . 2010-04-26 16:14 10752 ----a-w- c:\windows\DCEBoot.exe
2010-04-26 16:07 . 2010-04-27 06:49 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-04-26 07:24 . 2010-04-26 07:24 -------- d-----w- c:\program files\Trend Micro
2010-04-26 02:01 . 2010-04-26 02:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-09 00:50 . 2008-11-08 03:44 -------- d-----w- c:\documents and settings\RKC\Application Data\WTablet
2010-05-09 00:50 . 2008-11-08 04:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-05-08 14:02 . 2009-01-11 18:53 -------- d-----w- c:\documents and settings\RKC\Application Data\vlc
2010-05-08 03:24 . 2009-04-16 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-04 22:21 . 2008-08-18 08:52 89632 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 03:32 . 2008-11-23 03:15 -------- d-----w- c:\program files\MWSnap
2010-04-28 22:24 . 2008-08-18 08:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-28 20:53 . 2008-10-31 19:09 -------- d-----w- c:\program files\Canon
2010-04-27 03:31 . 2008-11-26 02:38 -------- d-----w- c:\program files\UnHackMe
2010-04-27 00:25 . 2008-11-08 20:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-25 22:41 . 2008-10-31 08:34 -------- d-----w- c:\documents and settings\RKC\Application Data\Azureus
2010-04-16 18:31 . 2008-12-06 23:45 -------- d-----w- c:\documents and settings\RKC\Application Data\dvdcss
2010-04-15 13:08 . 2009-11-23 16:47 -------- d-----w- c:\program files\MyDefrag v4.2.6
2010-04-11 19:11 . 2009-04-16 18:09 -------- d-----w- c:\program files\Google
2010-04-05 16:46 . 2010-04-05 16:46 -------- d-----w- c:\program files\Common Files\Java
2010-03-21 14:15 . 2010-01-03 18:33 -------- d-----w- c:\program files\Unlocker
2010-03-18 05:39 . 2008-10-31 08:34 -------- d-----w- c:\program files\Azureus
2010-03-18 05:24 . 2010-03-18 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-03-18 05:23 . 2008-11-22 02:11 -------- d-----w- c:\program files\MSBuild
2010-03-18 05:22 . 2010-03-18 05:22 -------- d-----w- c:\program files\Reference Assemblies
2010-03-17 00:43 . 2010-03-17 00:43 1391 ----a-w- c:\program files\cs4_and_color_finesse_serials.txt
2010-03-15 18:12 . 2010-03-15 18:12 -------- d-----w- c:\program files\UCT
2010-03-11 12:38 . 2006-04-30 06:56 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2006-04-30 06:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2006-04-30 06:55 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2006-04-30 06:56 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2006-04-30 06:55 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 03:43 . 2009-05-08 16:21 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-02-23 03:43 . 2009-05-08 16:21 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-02-22 08:09 . 2008-12-14 02:52 38784 ----a-w- c:\documents and settings\RKC\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-16 14:08 . 2006-04-30 06:55 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-04-30 06:55 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-04-30 06:56 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-01-02 19:20 . 2010-01-02 19:20 575750 ----a-w- c:\program files\lame3.98.2.zip
2009-12-16 20:07 . 2009-12-16 20:07 19606 ----a-w- c:\program files\trapcodeform.log
2009-05-10 08:38 . 2009-05-10 04:13 4877 ----a-w- c:\program files\trapcode3Dstroke.log
2009-05-10 08:33 . 2009-05-10 08:33 1942 ----a-w- c:\program files\trapcodelux.log
2009-05-10 04:12 . 2009-05-10 04:12 17430 ----a-w- c:\program files\trapcodeparticular.log
2007-07-17 16:13 . 2008-02-08 21:21 61440 ----a-w- c:\program files\RGSGrowBounds.aex
2008-11-26 02:38 . 2008-11-26 02:38 2 --shatr- c:\windows\winstart.bat
2008-10-31 05:33 . 2008-10-31 05:33 8 --sh--r- c:\windows\system32\A845F5E83A.sys
2008-10-31 05:35 . 2008-10-31 05:33 1160 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="c:\program files\XEMICOMPUTERS\ACTIVE DESKTOP CALENDAR\ADC.EXE" [2008-07-29 3780608]
"Stickies"="c:\program files\Bret Taylor\Stickies\Stickies.exe" [2007-03-14 335872]
"Kana Reminder"="c:\documents and settings\RKC\Desktop\Reminder.exe" [2007-11-15 1198592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2008-06-07 181536]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-05-14 487424]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-09-25 331776]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-09-25 208896]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-11-13 611712]
"UltraMon"="c:\program files\UltraMon\UltraMon.exe" [2006-10-13 304640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-04 1323008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\RKC\Start Menu\Programs\Startup\AutorunsDisabled
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-12 805392]
Logo Calibration Loader.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2009-6-25 708608]
ProfileReminder.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe [2009-6-25 954368]
WinColor.exe.lnk - c:\program files\Pro Imaging Powertoys\Microsoft Color Control Panel Applet for Windows XP\WinColor.exe [2005-10-31 371456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoSMMyPictures"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2008-05-10 14:24 180224 ----a-w- c:\windows\system32\FpWinlogonNp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 07:02 34080 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\t:\0autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path= 
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path= 
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^RKC^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\RKC\Start Menu\programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^RKC^Start Menu^Programs^Startup^Product Registration.lnk]
path= 
backup=c:\windows\pss\Product Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^RKC^Start Menu^Programs^Startup^SCRABBLE Complete Registration.lnk]
path= 
backup=c:\windows\pss\SCRABBLE Complete Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FingerPrintSoftware]
c:\program files\Lenovo Fingerprint Software\fpapp.exe \s [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACWLIcon]
2008-07-31 02:17 143360 ----a-w- c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-02 18:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
2007-02-01 18:00 419376 ----a-w- c:\progra~1\THINKV~1\AMSG\Amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth]
2008-06-14 03:08 3073336 ----a-w- c:\program files\Lenovo\Client Security Solution\cssauth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
2008-06-04 17:36 242976 ----a-w- c:\progra~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPMailChecker]
2008-06-08 18:00 124248 ----a-w- c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
2008-06-08 18:00 165208 ----a-w- c:\progra~1\THINKV~1\PrdCtr\LPMGR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2008-07-07 07:34 167936 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 20:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-04-16 18:09 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPFNF7]
2008-07-30 19:00 60192 ----a-w- c:\program files\Lenovo\NPDIRECT\tpfnf7sp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Atari\\Scrabble Complete\\ScrabbleComplete.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Adobe\\Adobe Flash CS4\\Flash.exe"=
"c:\\Program Files\\Adobe\\Flex Builder 3\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Adobe\\Adobe After Effects CS4\\Support Files\\AfterFX.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [5/14/2008 7:21 PM 19496]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1/12/2009 12:18 AM 114768]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/9/2008 8:50 AM 46144]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2/1/2010 4:01 PM 57344]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/12/2009 12:18 AM 20560]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [1/16/2008 11:52 AM 664840]
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [6/25/2009 8:53 AM 14416]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [8/18/2008 5:04 AM 94208]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [3/14/2009 10:54 AM 23200]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [11/7/2008 11:43 PM 3032360]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [5/14/2008 7:25 PM 520192]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/9/2008 8:50 AM 360448]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [9/24/2006 10:22 PM 11776]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [8/18/2008 4:53 AM 475136]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [8/18/2008 4:21 AM 243856]
R3 i1display;i1 Display;c:\windows\system32\drivers\i1display.sys [6/25/2009 9:18 AM 44344]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 6:54 PM 37312]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [9/24/2006 10:23 PM 3584]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [11/7/2008 11:43 PM 15144]
S1 SysTool;SysTool Overclocking Utility;c:\windows\system32\drivers\SysTool.sys [11/10/2006 9:08 AM 24064]
S2 gupdate1c9bebe93c143b0;Google Update Service (gupdate1c9bebe93c143b0);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2009 2:10 PM 133104]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 6:46 AM 288112]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [11/25/2008 10:57 PM 30946]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [1/16/2008 11:52 AM 894216]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [4/25/2008 11:15 AM 1120752]
S4 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [5/10/2008 10:24 AM 102400]
.
Contents of the 'Scheduled Tasks' folder

2008-12-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-16 18:09]

2010-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 18:10]

2010-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 18:10]

2010-05-09 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

2009-06-28 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2009-02-20 20:57]

2010-05-09 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-08-18 06:47]

2010-05-08 c:\windows\Tasks\SyncToyCmd TcreationsToY.job
- c:\program files\SyncToy 2.1\SyncToyCmd.exe [2009-10-19 07:58]

2010-05-08 c:\windows\Tasks\SyncToyCmd.job
- c:\program files\SyncToy 2.1\SyncToyCmd.exe [2009-10-19 07:58]

2010-05-09 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-05-03 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\RKC\Application Data\Mozilla\Firefox\Profiles\haps8vox.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - component: c:\documents and settings\RKC\Application Data\Mozilla\Firefox\Profiles\haps8vox.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: c:\documents and settings\RKC\Application Data\Mozilla\Firefox\Profiles\haps8vox.default\extensions\[email protected]\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-08 20:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-468252708-3274475066-233985201-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:0c,ad,df,fd,f9,7d,0a,38,1d,f4,91,5a,c5,94,21,97,00,44,e9,8d,78,
88,ac,03,98,ec,dc,37,b7,51,8d,d2,98,da,db,d6,17,fd,3e,33,85,a2,95,1d,09,a6,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:0c,ad,df,fd,f9,7d,0a,38,1d,f4,91,5a,c5,94,21,97,00,44,e9,8d,78,
88,ac,03,98,ec,dc,37,b7,51,8d,d2,98,da,db,d6,17,fd,3e,33,85,a2,95,1d,09,a6,\

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\ACPI\IBM0057\4&ef53bae&0\LogConf]
@DACL=(02 0000)
"BasicConfigVector"=hex(a):48,00,00,00,0f,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,01,00,01,00,00,00,00,02,\
"BootConfig"=hex(8):01,00,00,00,0f,00,00,00,00,00,00,00,01,00,01,00,01,00,00,
00,02,01,01,00,0c,00,00,00,0c,00,00,00,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_046d&Pid_c517&MI_01&Col01\8&24e84269&0&0000\LogConf]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_046d&Pid_c517&MI_01&Col01\9&21264f1c&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\windows\system32\FpWinLogonNp.dll
c:\program files\Lenovo Fingerprint Software\ATCSSINT.dll
c:\program files\Lenovo Fingerprint Software\SharedResources.dll
c:\program files\Lenovo Fingerprint Software\FPResource.dll
c:\program files\Lenovo\Client Security Solution\CSS_Enroll.dll
c:\program files\Lenovo\Client Security Solution\css_banner.dll
c:\windows\system32\cssuserdatadispatcher.dll
c:\windows\system32\tvttsp.dll
c:\windows\system32\tcsrpc.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'explorer.exe'(4208)
c:\windows\system32\WININET.dll
c:\program files\UltraMon\RTSUltraMonHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\XEMICOMPUTERS\ACTIVE DESKTOP CALENDAR\MouseHook.dll
c:\windows\system32\ieframe.dll
c:\program files\UltraMon\Resources\en\RTSUltraMonHookRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\UltraMon\UltraMonTaskbar.exe
.
**************************************************************************
.
Completion time: 2010-05-08 20:56:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-09 00:56
ComboFix2.txt 2010-05-09 00:36
ComboFix3.txt 2010-05-06 02:06
ComboFix4.txt 2010-05-01 13:52

Pre-Run: 113,654,194,176 bytes free
Post-Run: 113,609,547,776 bytes free

- - End Of File - - DD1129A17C3CDC0B01C2F8F192D98BDD


----------



## JSntgRvr (Jul 1, 2003)

Download *Win32kDiag.exe* from any of the following links to your desktop:

http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe
http://rootrepeal.psikotick.com/Win32kDiag.exe

Run it, it will create a file "Win32kDiag.txt" on the desktop. Post its report in a reply.


----------



## canoli (Apr 26, 2010)

Won't create a report. 

It opens a cmd window, warns that it can't get backup privileges, says it's searching, then says Finished! Press any key...

all this takes about 4 seconds. I tried all 3 mirrors.


----------



## JSntgRvr (Jul 1, 2003)

Let's try that again.

Delete the previous *PragmaFix*

Download the enclosed folder. Save and extract its contents to the desktop. Once extracted, open the folder and click on the RunMe.bat file. An MS-DOS window will pop up, the icons will disappear and the computer will restart.

Upon restart, check for PRAGMA detection.


----------



## canoli (Apr 26, 2010)

"let's try this again"

and so we get the same results...again.

you weren't really expecting anything different were you?

sure hope this thing isn't eating away the insides of my computer...seems like it's pretty nasty...


----------



## JSntgRvr (Jul 1, 2003)

The last fix was a different routine and approach. Unfortunately this type of Trojan changes the Registry Key permissions and unless we attempt to restore these, it will never allow itself to be deleted.

I will consult this issue with a colleague. Will let you know soon.


----------



## canoli (Apr 26, 2010)

Ah...that explains it - thanks. I hated thinking we were running the same exact thing again...

Thank you very much for your continuing efforts to squash this damn thing...
I'll keep my fingers crossed that the next one does it!


----------



## JSntgRvr (Jul 1, 2003)

I would like to take a look at your system from an external source. That gives us the advantage of seeing what we can't see under an environment controlled by Windows.

Save these instructions in a Notepad document in the *C:\* folder so you can have access to it while in the PE environment. Printing it can also facilitate the instructions herein.

Here is what you need to do.

Two programs to download

*First *

Download ISOBurner. Click Here for ISOBurner Instructions. Install the program, and follow the next set of steps.

*Second*

Download *OTLPE.iso* and burn it to a CD using ISOBurner. NOTE: This file is 276.7MB in size so it may take some time to download.
When downloaded, double click it and this will then open ISOBurner to burn the file to CD.
Boot the non-working computer using the boot CD you just created.
In order to do so, the computer must be set to boot from the CD first.
_Note:_ For information click here

Your system should now display a REATOGO-X-PE desktop.
Double-click on the *OTLPE* icon.
When asked "*Do you wish to load the remote registry*", select *Yes*
When asked "*Do you wish to load remote user profile(s) for scanning*", select *Yes*
Ensure the box "*Automatically Load All Remaining Users*" is checked and press *OK*
OTL should now start. Change the following settings
Change *Drivers* to *All*
Change *Standard Registry* to *All*
Under the Custom Scan box paste this in
```
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
userinit.exe
explorer.exe
ntoskrnl.exe
/md5stop
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
%systemroot%\System32\config\*.sav
HKEY_LOCAL_MACHINE\SOFTWARE
```

Press *Run Scan* to start the scan.
When finished, the file will be saved in drive *C:\OTL.txt*
Copy this file to your USB drive.
Please post the contents of the *C:\OTL.txt* file in your reply.


----------



## canoli (Apr 26, 2010)

unfortunately no report to post...

2 problems. The first one was that OTLPE never asked if I wanted to load the remote registry, which I guess means the 2nd problem won't surprise you.

Once the scan got to PRAGMAfpyycwxbvf it popped up with "Invalid variant type conversion"
After that the scan hung.

I tried it 3 times - never gave me the option re: remote registry - so I got the same result on all 3 scans.

rebooting - same 2 windows still popping up - WGAV wizard and the Avast warning.
(btw - kindly tell me if *REATOGO* changes anything other than the system clock. thank you.)
Thanks! I know it's not good news ... still hoping we can make this go away...

[edit: i used imgburn instead of isoburner]


----------



## JSntgRvr (Jul 1, 2003)

There is no doubt, the issue is due to invalid permissions. Let's try another approach:


*Copy the entire contents of the Quote Box* below to *Notepad*.
Name the file *CFScript.txt*
Change the *Save as Type* to *All Files*
and *Save* it on the *desktop*


```
File::
c:\windows\Tasks\WGASetup.job
c:\windows\system32\KB905474\wgasetup.exe
c:\windows\Tasks\OGALogon.job
c:\windows\system32\OGAEXEC.exe

RegLockDel::
HKLM\SYSTEM\ControlSet002\Services\PRAGMAfpyycwxbvf
HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAfpyycwxbvf

Driver::
PRAGMAfpyycwxbvf

RegLock::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_046d&Pid_c517&MI_01&Col01\8&24e84269&0&0000\LogConf]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_046d&Pid_c517&MI_01&Col01\9&21264f1c&0&0000\LogConf]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\ACPI\IBM0057\4&ef53bae&0\LogConf]

RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
```
Once saved, referring to the picture above, drag *CFScript.txt* into *ComboFix.exe*, and post back the resulting report.


----------



## JSntgRvr (Jul 1, 2003)

BTW:

*Reatogo* shouldn't change anything at all. Time and date are usually controlled by the BIOS.


----------



## canoli (Apr 26, 2010)

I rebooted a couple times to make sure and it appears the Win Gen Adv Validation wizard is gone.

re: Avast's PRAGMA warning - it's only been a minute - by the time I'm finished posting the Combofix log it should rear its ugly head if it's still there...

oh btw - I asked you about REATOGO because it did change my system clock - set the date back by 1 day and set the hour 1 hour advanced...easy enough to change back but it made me wonder. I noticed REATOGO was indicating an hour ahead while I was in that environment...

Anyway - here's the log:
(ah - there it is, of course - the Avast "Suspicious File Found" popup)

ComboFix 10-05-10.05 - RKC 05/11/2010 20:06:35.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3066.2274 [GMT -4:00]
Running from: c:\documents and settings\RKC\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\RKC\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100511-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\system32\KB905474\wgasetup.exe"
"c:\windows\system32\OGAEXEC.exe"
"c:\windows\Tasks\OGALogon.job"
"c:\windows\Tasks\WGASetup.job"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\KB905474\wgasetup.exe
c:\windows\system32\OGAEXEC.exe
c:\windows\Tasks\OGALogon.job
c:\windows\Tasks\WGASetup.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_PRAGMAfpyycwxbvf

((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))
.

2010-05-10 02:04 . 2010-05-10 02:04 1956808 ----a-w- c:\documents and settings\RKC\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-05-09 22:29 . 2010-05-09 22:29 -------- d-----w- c:\program files\Audacity
2010-05-09 14:56 . 2010-05-09 14:56 -------- d-----w- c:\documents and settings\RKC\Local Settings\Application Data\Microsoft Corporation
2010-05-07 04:17 . 2010-05-07 04:17 -------- d-----w- c:\documents and settings\RKC\Application Data\Malwarebytes
2010-05-07 04:16 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-07 04:16 . 2010-05-07 04:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-07 04:16 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-04 22:13 . 2010-05-04 22:19 -------- d-----w- c:\windows\SxsCaPendDel
2010-05-03 07:00 . 2010-05-12 00:10 -------- d-----w- c:\windows\system32\KB905474
2010-05-02 02:15 . 2010-05-02 02:15 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-04-28 22:07 . 2010-04-28 22:09 -------- d-----w- c:\program files\Ubisoft
2010-04-28 21:42 . 2010-05-10 14:13 -------- d-----w- c:\program files\Texas Holdem
2010-04-27 23:59 . 2010-04-27 23:59 -------- d-----w- c:\program files\Synaptics
2010-04-27 23:47 . 2010-01-21 15:46 441168 ----a-w- c:\documents and settings\RKC\Application Data\Mozilla\Firefox\Profiles\haps8vox.default\extensions\[email protected]\plugins\npLogitechDeviceDetection.dll
2010-04-27 07:14 . 2010-04-27 07:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-26 19:16 . 2010-04-26 19:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-04-26 19:14 . 2010-04-26 19:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-04-26 16:14 . 2010-04-26 16:14 10752 ----a-w- c:\windows\DCEBoot.exe
2010-04-26 16:07 . 2010-04-27 06:49 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-04-26 07:24 . 2010-04-26 07:24 -------- d-----w- c:\program files\Trend Micro
2010-04-26 02:01 . 2010-04-26 02:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 00:12 . 2008-11-08 03:44 -------- d-----w- c:\documents and settings\RKC\Application Data\WTablet
2010-05-12 00:12 . 2008-11-08 04:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-05-11 17:23 . 2009-01-11 18:53 -------- d-----w- c:\documents and settings\RKC\Application Data\vlc
2010-05-11 06:27 . 2009-04-16 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-04 22:21 . 2008-08-18 08:52 89632 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 03:32 . 2008-11-23 03:15 -------- d-----w- c:\program files\MWSnap
2010-04-28 22:24 . 2008-08-18 08:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-28 20:53 . 2008-10-31 19:09 -------- d-----w- c:\program files\Canon
2010-04-27 03:31 . 2008-11-26 02:38 -------- d-----w- c:\program files\UnHackMe
2010-04-27 00:25 . 2008-11-08 20:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-25 22:41 . 2008-10-31 08:34 -------- d-----w- c:\documents and settings\RKC\Application Data\Azureus
2010-04-16 18:31 . 2008-12-06 23:45 -------- d-----w- c:\documents and settings\RKC\Application Data\dvdcss
2010-04-15 13:08 . 2009-11-23 16:47 -------- d-----w- c:\program files\MyDefrag v4.2.6
2010-04-11 19:11 . 2009-04-16 18:09 -------- d-----w- c:\program files\Google
2010-04-05 16:46 . 2010-04-05 16:46 -------- d-----w- c:\program files\Common Files\Java
2010-03-21 14:15 . 2010-01-03 18:33 -------- d-----w- c:\program files\Unlocker
2010-03-18 05:39 . 2008-10-31 08:34 -------- d-----w- c:\program files\Azureus
2010-03-18 05:24 . 2010-03-18 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-03-18 05:23 . 2008-11-22 02:11 -------- d-----w- c:\program files\MSBuild
2010-03-18 05:22 . 2010-03-18 05:22 -------- d-----w- c:\program files\Reference Assemblies
2010-03-17 00:43 . 2010-03-17 00:43 1391 ----a-w- c:\program files\cs4_and_color_finesse_serials.txt
2010-03-15 18:12 . 2010-03-15 18:12 -------- d-----w- c:\program files\UCT
2010-03-11 12:38 . 2006-04-30 06:56 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2006-04-30 06:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2006-04-30 06:55 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2006-04-30 06:56 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2006-04-30 06:55 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 03:43 . 2009-05-08 16:21 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-02-23 03:43 . 2009-05-08 16:21 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-02-22 08:09 . 2008-12-14 02:52 38784 ----a-w- c:\documents and settings\RKC\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-16 14:08 . 2006-04-30 06:55 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2006-04-30 06:55 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-04-30 06:56 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-01-02 19:20 . 2010-01-02 19:20 575750 ----a-w- c:\program files\lame3.98.2.zip
2009-12-16 20:07 . 2009-12-16 20:07 19606 ----a-w- c:\program files\trapcodeform.log
2009-05-10 08:38 . 2009-05-10 04:13 4877 ----a-w- c:\program files\trapcode3Dstroke.log
2009-05-10 08:33 . 2009-05-10 08:33 1942 ----a-w- c:\program files\trapcodelux.log
2009-05-10 04:12 . 2009-05-10 04:12 17430 ----a-w- c:\program files\trapcodeparticular.log
2007-07-17 16:13 . 2008-02-08 21:21 61440 ----a-w- c:\program files\RGSGrowBounds.aex
2008-11-26 02:38 . 2008-11-26 02:38 2 --shatr- c:\windows\winstart.bat
2008-10-31 05:33 . 2008-10-31 05:33 8 --sh--r- c:\windows\system32\A845F5E83A.sys
2008-10-31 05:35 . 2008-10-31 05:33 1160 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Active Desktop Calendar"="c:\program files\XEMICOMPUTERS\ACTIVE DESKTOP CALENDAR\ADC.EXE" [2008-07-29 3780608]
"Stickies"="c:\program files\Bret Taylor\Stickies\Stickies.exe" [2007-03-14 335872]
"Kana Reminder"="c:\documents and settings\RKC\Desktop\Reminder.exe" [2007-11-15 1198592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2008-06-07 181536]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-05-14 487424]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-09-25 331776]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-09-25 208896]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-11-13 611712]
"UltraMon"="c:\program files\UltraMon\UltraMon.exe" [2006-10-13 304640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-04 1323008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\RKC\Start Menu\Programs\Startup\AutorunsDisabled
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-12 805392]
Logo Calibration Loader.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2009-6-25 708608]
ProfileReminder.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe [2009-6-25 954368]
WinColor.exe.lnk - c:\program files\Pro Imaging Powertoys\Microsoft Color Control Panel Applet for Windows XP\WinColor.exe [2005-10-31 371456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoSMMyPictures"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2008-05-10 14:24 180224 ----a-w- c:\windows\system32\FpWinlogonNp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 07:02 34080 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\t:\0autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path= 
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path= 
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^RKC^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\RKC\Start Menu\programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^RKC^Start Menu^Programs^Startup^Product Registration.lnk]
path= 
backup=c:\windows\pss\Product Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^RKC^Start Menu^Programs^Startup^SCRABBLE Complete Registration.lnk]
path= 
backup=c:\windows\pss\SCRABBLE Complete Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FingerPrintSoftware]
c:\program files\Lenovo Fingerprint Software\fpapp.exe \s [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACWLIcon]
2008-07-31 02:17 143360 ----a-w- c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-02 18:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
2007-02-01 18:00 419376 ----a-w- c:\progra~1\THINKV~1\AMSG\Amsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth]
2008-06-14 03:08 3073336 ----a-w- c:\program files\Lenovo\Client Security Solution\cssauth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
2008-06-04 17:36 242976 ----a-w- c:\progra~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPMailChecker]
2008-06-08 18:00 124248 ----a-w- c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
2008-06-08 18:00 165208 ----a-w- c:\progra~1\THINKV~1\PrdCtr\LPMGR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2008-07-07 07:34 167936 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 20:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-04-16 18:09 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPFNF7]
2008-07-30 19:00 60192 ----a-w- c:\program files\Lenovo\NPDIRECT\tpfnf7sp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Atari\\Scrabble Complete\\ScrabbleComplete.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Adobe\\Adobe Flash CS4\\Flash.exe"=
"c:\\Program Files\\Adobe\\Flex Builder 3\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Adobe\\Adobe After Effects CS4\\Support Files\\AfterFX.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [5/14/2008 7:21 PM 19496]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1/12/2009 12:18 AM 114768]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/9/2008 8:50 AM 46144]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2/1/2010 4:01 PM 57344]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/12/2009 12:18 AM 20560]
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [1/16/2008 11:52 AM 664840]
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [6/25/2009 8:53 AM 14416]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [8/18/2008 5:04 AM 94208]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [3/14/2009 10:54 AM 23200]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [11/7/2008 11:43 PM 3032360]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [5/14/2008 7:25 PM 520192]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/9/2008 8:50 AM 360448]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [9/24/2006 10:22 PM 11776]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [8/18/2008 4:53 AM 475136]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [8/18/2008 4:21 AM 243856]
R3 i1display;i1 Display;c:\windows\system32\drivers\i1display.sys [6/25/2009 9:18 AM 44344]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 6:54 PM 37312]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [9/24/2006 10:23 PM 3584]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [11/7/2008 11:43 PM 15144]
S1 SysTool;SysTool Overclocking Utility;c:\windows\system32\drivers\SysTool.sys [11/10/2006 9:08 AM 24064]
S2 gupdate1c9bebe93c143b0;Google Update Service (gupdate1c9bebe93c143b0);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2009 2:10 PM 133104]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 6:46 AM 288112]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [11/25/2008 10:57 PM 30946]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [1/16/2008 11:52 AM 894216]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [4/25/2008 11:15 AM 1120752]
S4 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [5/10/2008 10:24 AM 102400]
.
Contents of the 'Scheduled Tasks' folder

2008-12-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-16 18:09]

2010-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 18:10]

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 18:10]

2009-06-28 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2009-02-20 20:57]

2010-05-12 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-08-18 06:47]

2010-05-11 c:\windows\Tasks\SyncToyCmd TcreationsToY.job
- c:\program files\SyncToy 2.1\SyncToyCmd.exe [2009-10-19 07:58]

2010-05-11 c:\windows\Tasks\SyncToyCmd.job
- c:\program files\SyncToy 2.1\SyncToyCmd.exe [2009-10-19 07:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\RKC\Application Data\Mozilla\Firefox\Profiles\haps8vox.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - component: c:\documents and settings\RKC\Application Data\Mozilla\Firefox\Profiles\haps8vox.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: c:\documents and settings\RKC\Application Data\Mozilla\Firefox\Profiles\haps8vox.default\extensions\[email protected]\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-11 20:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-468252708-3274475066-233985201-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\windows\system32\FpWinLogonNp.dll
c:\program files\Lenovo Fingerprint Software\ATCSSINT.dll
c:\program files\Lenovo Fingerprint Software\SharedResources.dll
c:\program files\Lenovo Fingerprint Software\FPResource.dll
c:\program files\Lenovo\Client Security Solution\CSS_Enroll.dll
c:\program files\Lenovo\Client Security Solution\css_banner.dll
c:\windows\system32\cssuserdatadispatcher.dll
c:\windows\system32\tvttsp.dll
c:\windows\system32\tcsrpc.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'explorer.exe'(3396)
c:\windows\system32\WININET.dll
c:\program files\UltraMon\RTSUltraMonHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\XEMICOMPUTERS\ACTIVE DESKTOP CALENDAR\MouseHook.dll
c:\windows\system32\ieframe.dll
c:\program files\UltraMon\Resources\en\RTSUltraMonHookRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\UltraMon\UltraMonTaskbar.exe
.
**************************************************************************
.
Completion time: 2010-05-11 20:18:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-12 00:18
ComboFix2.txt 2010-05-09 00:56
ComboFix3.txt 2010-05-09 00:36
ComboFix4.txt 2010-05-06 02:06
ComboFix5.txt 2010-05-12 00:05

Pre-Run: 113,367,162,880 bytes free
Post-Run: 113,330,810,880 bytes free

- - End Of File - - 6AB80900E0626ABE98BD9525678471FB
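The ComboFix report above is the kind of thing a helper reads by eye: which drivers appeared recently, which files carry odd attribute combinations, and which service names look like the PRAGMA rootkit service this thread is chasing. Here is a small Python triage helper over ComboFix-style lines, as an added example; it is not ComboFix's or OTL's code and not from the thread. The row regexes, the 30-day window, and the `^PRAGMA` service-name pattern are assumptions drawn from the log above (the thread only names the service `PRAGMAfpyycwxbvf`); the sample rows are copied from that log except for one constructed service row, marked as such in the code. It produces a review queue, not a verdict: Windows Update also drops fresh driver files, and hidden+system files are frequently licensing artifacts.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# File rows ("Files Created" / "Find3M" sections), e.g.
#   2010-05-07 04:16 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbam.sys
# Both timestamps are kept as printed (left/right): the thread does not say which
# is creation and which is last-write, so the window test accepts either one.
FILE_ROW = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[a-z-]{8}) (?P<path>\S.*?)\s*$"
)
# Service rows, e.g.
#   R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1/12/2009 12:18 AM 114768]
# R/S = running/stopped; digit = start type (0 boot, 1 system, 2 auto, 3 demand, 4 disabled).
SERVICE_ROW = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?: \[(?P<meta>[^\]]*)\])?$"
)
# Deletion record in the "Drivers/Services" section: -------\Service_<name>
REMOVED_SERVICE = re.compile(r"^-+\\Service_(?P<name>\S+)$")
TS_FMT = "%Y-%m-%d %H:%M"


@dataclass
class FileEntry:
    ts1: datetime
    ts2: datetime
    size: Optional[int]  # None for directories, printed by ComboFix as dashes
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden_system(self) -> bool:
        # hidden+system together is unusual for ordinary files; surface for review
        return "h" in self.attrs and "s" in self.attrs


@dataclass
class ServiceEntry:
    running: bool
    start_type: int
    name: str
    display: str
    path: str


def parse_file_row(line: str) -> Optional[FileEntry]:
    m = FILE_ROW.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return FileEntry(datetime.strptime(m["ts1"], TS_FMT),
                     datetime.strptime(m["ts2"], TS_FMT), size, m["attrs"], m["path"])


def parse_service_row(line: str) -> Optional[ServiceEntry]:
    m = SERVICE_ROW.match(line.strip())
    if not m:
        return None
    return ServiceEntry(m["state"] == "R", int(m["start"]), m["name"], m["display"], m["path"])


def triage(lines, scan_time: datetime, window_days: int = 30,
           service_name_pattern: str = r"^PRAGMA") -> List[Tuple[str, str]]:
    """Flag recently timestamped kernel drivers, hidden+system files, service names
    matching the pattern, and service-removal records. Review queue, not a verdict."""
    since = scan_time - timedelta(days=window_days)
    name_re = re.compile(service_name_pattern, re.IGNORECASE)
    findings: List[Tuple[str, str]] = []
    for line in lines:
        f = parse_file_row(line)
        if f is not None:
            low = f.path.lower()
            recent = max(f.ts1, f.ts2) >= since
            if not f.is_dir and "\\drivers\\" in low and low.endswith(".sys") and recent:
                findings.append(("recent-driver", f.path))
            elif not f.is_dir and f.hidden_system:
                findings.append(("hidden-system-file", f.path))
            continue
        s = parse_service_row(line)
        if s is not None:
            if name_re.search(s.name):
                findings.append(("service-name-match", s.name))
            continue
        m = REMOVED_SERVICE.match(line.strip())
        if m:
            findings.append(("removed-service", m["name"]))
    return findings


# Rows copied from the log above, plus one constructed service row
# (PRAGMAexample is a placeholder, not a name that appears in the thread).
SAMPLE_LOG = """\
-------\\Service_PRAGMAfpyycwxbvf
2010-05-07 04:16 . 2010-04-29 19:39 38224 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2010-05-07 04:16 . 2010-05-07 04:16 -------- d-----w- c:\\program files\\Malwarebytes' Anti-Malware
2010-02-24 13:11 . 2006-04-30 06:55 455680 ----a-w- c:\\windows\\system32\\drivers\\mrxsmb.sys
2008-10-31 05:33 . 2008-10-31 05:33 8 --sh--r- c:\\windows\\system32\\A845F5E83A.sys
R1 aswSP;avast! Self Protection;c:\\windows\\system32\\drivers\\aswSP.sys [1/12/2009 12:18 AM 114768]
S3 Partizan;Partizan;c:\\windows\\system32\\drivers\\Partizan.sys [11/25/2008 10:57 PM 30946]
R2 PRAGMAexample;PRAGMAexample;c:\\windows\\system32\\drivers\\PRAGMAexample.sys
"""
SCAN_TIME = datetime(2010, 5, 12)  # date of the ComboFix run in the log above


def run_sample() -> List[Tuple[str, str]]:
    return triage(SAMPLE_LOG.splitlines(), SCAN_TIME)
```

Running `run_sample()` on the rows above yields the removed PRAGMA service, `mbam.sys` as a driver timestamped inside the window, the hidden+system `A845F5E83A.sys`, and the constructed `PRAGMAexample` service; `mrxsmb.sys` is not flagged because both of its timestamps fall outside the 30-day window, which is the point of windowing rather than flagging every driver in the Find3M section.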


----------



## JSntgRvr (Jul 1, 2003)

Download *OTL* to your Desktop

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
OTL should now start. Change the following settings
Change *Drivers* to *All*
Change *Standard Registry* to *All*
Under *File Scans*, change *File age* to *30*

Under the Custom Scan box paste this in

```
netsvcs
msconfig
safebootminimal
safebootnetwork
%SYSTEMDRIVE%\*.*
%SYSTEMDRIVE%\*pragma* /s
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
HKEY_LOCAL_MACHINE\SOFTWARE
```

Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. *OTL.Txt* and *Extras.Txt* (first run only). These are saved in the same location as OTL.
Please post the contents of these files in your next reply.


Run RootRepeal once again and post its report.

Also, locate and delete the following file:

C:\Windows\*ntbtlog.txt*

Then proceed as follows:

1. Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.

2. Select Enable Boot Logging option and press enter.

3. Windows prompts for you to select a Windows Installation

This boots Windows normally and creates a boot log named *ntbtlog.txt* and saves it to the C:\Windows (%systemroot%) folder. Attach that report in your next reply.


----------



## canoli (Apr 26, 2010)

OTL won't run. It just pops up a "OTL has encountered a problem and needs to close" window...


----------



## JSntgRvr (Jul 1, 2003)

Skip it and go on.


----------



## canoli (Apr 26, 2010)

okay - got the RR log and the boot log is attached.

hey - do you mind telling me whether that WGAV wizard (now gone for good - ya!) was something evil?
A quick "yes" or "no" will suffice; I'm just really curious if that was legit or not.

Thanks.

and thank you very much for your continued help with this PRAGMA thing...

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/05/12 13:34
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA3789000 Size: 897024 File Visible: No Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xBA671000 Size: 1664 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9F8EE000 Size: 49152 File Visible: No Signed: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xBA5AE000 Size: 5248 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\RRbackups
Status: Locked to the Windows API!

Path: \\?\C:\RRbackups\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\common
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\common\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\common\css.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\hints.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\mnd.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\regcerts.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\restore.log
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\rr.log
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\SAM
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\seccache.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\secpolicy.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\settings.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\system.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\tvtcmn.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\tvtns.bin
Status: Invisible to the Windows API!

Path: C:\RRbackups\common\usersids.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\Administrator
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\LocalService
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\NetworkService
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\RKC
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\FR\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\FR\KernelFileDigest.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UpdatingFiles.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\LocalService\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\RKC\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\RKC\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\FR\UF\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\FR\UF\boot.ini
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\documents and settings
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\NTDETECT.COM
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\NTLDR
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Lenovo
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\RKC\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\RKC\Application Data\Lenovo
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\FR\UF\documents and settings\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\FR\UF\documents and settings\default user
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\FR\UF\WINDOWS\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\FR\UF\WINDOWS\explorer.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\Fonts
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo\Client Security Solution
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Lenovo\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Lenovo\Client Security Solution
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\RKC\Application Data\Lenovo\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\RKC\Application Data\Lenovo\Client Security Solution
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\RKC\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\FR\UF\documents and settings\default user\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\FR\UF\documents and settings\default user\ntuser.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\FR\UF\WINDOWS\Fonts\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\FR\UF\WINDOWS\Fonts\mangal.ttf
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\Fonts\marlett.ttf
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\Fonts\micross.ttf
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\Fonts\mvboli.ttf
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\Fonts\vgaoem.fon
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\FR\UF\WINDOWS\system32\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\advapi32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\advpack.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\authz.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\autochk.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\basesrv.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\bootvid.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\browseui.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\chkdsk.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\cmd.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\comctl32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\comdlg32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\config
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\crypt32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\cryptdll.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\cryptui.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\cscdll.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\csrsrv.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\csrss.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\c_1252.nls
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\c_936.nls
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\dnsapi.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\doskey.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\dpcdll.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\drivers
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\duser.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\eventlog.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\faultrep.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\feclient.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\filemgmt.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\fldrclnr.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\fltlib.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\fmifs.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\fontext.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\fontsub.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\framebuf.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\fsusd.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\fwcfg.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\gdi32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\hal.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\imagehlp.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\imm32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\iphlpapi.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\kdcom.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\kernel32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\licdll.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\locale.nls
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\logonui.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\lsasrv.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\lsass.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\lz32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\l_intl.nls
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\mfc42.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\mfc42u.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\mmc.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\mobsync.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\msasn1.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\msgina.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\msimg32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\msprivs.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\msv1_0.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\msvcp60.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\msvcrt.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\ncobjapi.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\nddeapi.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\netapi32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\netrap.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\notepad.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\ntdll.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\ntdsapi.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\ntoskrnl.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\ntsdexts.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\odbc32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\odbcint.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\oembios.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\oembios.sig
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\ole32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\oleacc.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\oleaccrc.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\oleaut32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\profmap.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\psapi.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\regapi.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\rpcrt4.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\rpcss.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\rsaenh.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\rundll32.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\samlib.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\samsrv.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\scesrv.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\secupd.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\secupd.sig
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\services.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\setupapi.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\sfc.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\sfc_os.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\shdocvw.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\shell32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\shfolder.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\shgina.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\shlwapi.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\shsvcs.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\smss.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\sortkey.nls
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\sorttbls.nls
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\svchost.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\sxs.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\umpnpmgr.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\unicode.nls
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\usbmon.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\ctype.nls
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\ftsrch.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\mpr.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\oembios.bin
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\secur32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\usbui.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\user32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\userenv.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\userinit.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\uxtheme.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\version.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\vga.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\vga.drv
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\watchdog.sys
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\win32k.sys
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\wininet.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\winlogon.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\winmm.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\winspool.drv
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\winspool.exe
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\winsrv.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\winsta.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\winstrm.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\wintrust.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\wldap32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\ws2help.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\ws2_32.dll
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\system32\wsock32.dll
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\FR\UF\WINDOWS\WinSxS\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS\Manifests
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS\Policies
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7
Status: Invisible to the Windows API!

Path: C:\RRbackups\FR\UF\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\RKC\Application Data\Azureus\torrents\-_Demonoid.com_-Mindwalk_[1990_]_XviD_[Eng]_Dankoni_82352.9408 [mininova].torrent
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\RKC\Application Data\Azureus\torrents\14750 [mininova].torrent
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\RKC\Application Data\Azureus\torrents\1968 08 03 (L) Central Park NYC 60.53 4th gen Stage (Yojimbo).torrent
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\RKC\Application Data\Azureus\torrents\1971-07-23 Damrosch Park, Lincoln Center, NYC ( Summertime In NYC ).torrent
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\RKC\Application Data\Azureus\torrents\1974 09 25 Goteborg Sweden 106.24 SBD (blackpage).torrent
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\RKC\Application Data\Azureus\torrents\1974-11-16 Pink Floyd BBC Archives 1974 (HRV CDR 033).torrent
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\RKC\Application Data\Azureus\torrents\1977 10 28 (E) Palladium NYC 139.25 AUD MC (JS-doctorzap-TFEC-flambay).torrent
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\RKC\Application Data\Azureus\torrents\1988 02 04 Beacon Theater NYC 136.27 Aud MC (fzmoi69-Adttull-flambay).torrent
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\RKC\Application Data\Azureus\torrents\1988 02 14 Upper Darby PA (blackpage).torrent
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\RKC\Application Data\Azureus\torrents\1988 02 14 Upper Darby PA 147.56 Aud MC (ZOMBIWOOF-blackpage-fl).torrent
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\RKC\Application Data\Azureus\torrents\3D_Fluff_Training_for_CINEMA_4D_Volume_2_-_Radiosity_Interiors.4501681.TPB.torrent
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\RKC\Application Data\Azureus\torrents\3D_Fluff_Training_for_CINEMA_4D_Volume_3_-_Non-Organic_Modeling.4514409.TPB.torrent
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa395a6b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa395a574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa395aa52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa395a14c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa395a64e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa395a08c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa395a0f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa395a76e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa395a72e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa395a8ae

Hidden Services
-------------------
Service Name: PRAGMAfpyycwxbvf
Image Path: C:\WINDOWS\system32\drivers\PRAGMAfpyycwxbvf.sys

==EOF==


----------



## JSntgRvr (Jul 1, 2003)

> hey - do you mind telling me whether that WGAV wizard (now gone for good - ya!) was something evil?
> A quick "yes" or "no" will suffice; I'm just really curious if that was legit or not.


I believe the entry was legit. Windows Updates may put it back as your system must pass the Genuine Advantage test. What I don't know is why it didn't, including the Microsoft Office test.

I am reviewing these results with a colleague. Will post soon.


----------



## JSntgRvr (Jul 1, 2003)

Run *RootRepeal*. Once the scan is done, select the *Hidden Services* tab. Highlight *PRAGMAfpyycwxbvf*, then from the menu select *Tools* -> *Delete Registry Key*.

Let me know if an error is returned.


----------



## JSntgRvr (Jul 1, 2003)

A colleague wants to analyze the registry hive in question. Please follow these steps.

Boot to the Recovery Console. At the *C:\Windows* prompt type the following and press Enter after each line:

*cd \* (Leave a space between cd and \. The prompt should change to C:\>)
*Copy C:\Windows\System32\Config\System*
*Exit*

This will copy the *System* hive to the *C:\* folder.

In Normal Mode, right click on the *Start* button and select *Explore*. Navigate to the *C:\* folder. Right click on the *System* file and select *Send to* -> *Compressed (zipped) Folder*. That should create a zipped folder in the C:\ folder. Please upload that zipped folder to the following site:

http://noahdfear.net/max/upload.php


----------



## canoli (Apr 26, 2010)

So you want it to delete the entire HKLM hive? Is that what you're expecting? 
and don't back it up first, right?

Because when I go to delete the PRAGMA-file there's 2 dropdown windows, one with the whole key and the other is blank. 
then a "warning may make your pc unbootable" screen...
seems like there should be something in that blank window...


----------



## canoli (Apr 26, 2010)

I haven't done the RootRepeal procedure yet - just saw your latest post...
what should I do?


----------



## JSntgRvr (Jul 1, 2003)

Upload the file first and let me know when done. Then attempt *RootRepeal*.


----------



## JSntgRvr (Jul 1, 2003)

PS.

You are not deleting the *HKLM* but the *HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAfpyycwxbvf* subkey.


----------



## canoli (Apr 26, 2010)

okay so there's not supposed to be anything in that blank dropdown?

on the LH side window there's only four hives to choose from - the actual PRAGMA key isn't supposed to be on the RH side?

maybe you haven't used RR in awhile so if you want to see exactly what I mean I attached a small .jpg...


----------



## JSntgRvr (Jul 1, 2003)

Take a screenshot of that same window but without the context menu. I would like to see what's behind it.


----------



## canoli (Apr 26, 2010)

here it is... (good thing I double checked eh? - it was set to delete the whole HKLM wasn't it?)


----------



## JSntgRvr (Jul 1, 2003)

Did you upload the system hive?

The information gathered by *RootRepeal* comes from the registry. I am sure that if you select *Wipe, copy and delete*, the file will not be found. I need some clarification on the Delete Registry Key feature. Will post back about this soon.


----------



## canoli (Apr 26, 2010)

Okay - no, I haven't uploaded the sys32 yet - I will in a few minutes. 

So as far as RootRepeal - just leave it alone for now - close it down?
btw you were right of course - "could not find file on disk" when I tried to wipe it.

(many many thanks for your help - as always...!)


----------



## JSntgRvr (Jul 1, 2003)

Yes. Let's leave it all on standby until we are able to review that hive.


----------



## canoli (Apr 26, 2010)

well...bad news. The Recovery Console won't boot - BSOD. I tried it 3 times but no go. 
(I even tried copying the file in Safe Mode with Cmd Prompt - "cannot execute...file in use")

Should I try reinstalling the Rec Console?
If "yes," please remind me where/when I installed it. I remember it was part of an earlier process but I forget which one now...

Hope you're not getting discouraged...(I assume you enjoy doing this work since you're volunteering your time but this has to be frustrating by now... It certainly is for me!)

Thanks for hangin' in there!


----------



## JSntgRvr (Jul 1, 2003)

We may need to burn a Boot CD.

Please download ARCDC from Artellos.com.

Double click ARCDC.exe
Follow the dialog until you see 6 options. Please pick *Windows Professional or Windows XP Home SP2 & SP3*, whichever applies.
You will be prompted with a Terms of Use by Microsoft, please accept.
You will see a few dos screens flash by, this is normal.
Next you will be able to choose to add extra files. Select the Default Files.
The last window will allow you to burn the disk using BurnCDCC
Your ISO is located on your desktop.

Insert this CD and restart the computer. If prompted, select any options required to boot from the CD. You will be prompted with the following options:



> A. To setup Windows XP, press Enter.
> B. To repair Windows XP installation using recovery console, press R.


Choose the option "To repair the Windows XP installation using recovery console" and press R. If an Administrator Password has been established, you will be prompted to type it in. If no Administrator Password exists, just press ENTER.

You will be presented with the following:



> Microsoft Windows(R) Recovery Console
> The Recovery Console provides system repair and recovery functionality.
> Type EXIT to quit the Recovery Console and restart the computer.
> 
> ...


Press the number assigned to the installation you need access to and hit Enter.

In this case, if only the above is displayed, it is 1.

At the command prompt, type the following commands and press Enter:

*CD \
Copy C:\Windows\System32\Config\System
Exit*

Follow the process to zip the System hive in your C:\ folder and upload.


----------



## JSntgRvr (Jul 1, 2003)

Check the Windows folder for a *minidump* folder. If recent files are available within this folder, gather these in a new folder, zip the folder and attach it to a reply. I would like to see the reason for the BSOD.


----------



## canoli (Apr 26, 2010)

unfortunately there's only 2 files from the past month.
They were both created after the infection so I zipped both. 

nothing from today though...

I've burned the ISO from ARCDC and will upload the system file in the next few minutes if all goes well.


----------



## canoli (Apr 26, 2010)

more bad news - another BSOD during the CD boot.

a word about that process: 
I assume you were expecting (I hope) a Windows Setup screen to appear, and then along the bottom 
you see it loading all sorts of drivers and whatnot. But to someone who doesn't know better...
...that is a *SCARY* screen. Truth be told I was glad to see the BSOD stop the process.
I could reboot and check if XP (not to mention all my work files!) was still intact.

You're probably laughing by now but...well I don't mind  You deserve a good laugh through all this...!

But maybe you want to warn folks that they'll see a Windows Setup screen and a new OS being installed.
Or at least that's what it _looks_ like is happening...

I checked the minidump folder again for the latest BSOD but only the same 2 "recent" .dmp files.

I'm happy to try again as long as you were expecting all that "Windows Setup" stuff...!

Oh btw, full disclosure: I pressed f8 as it was loading.
I know that gets me to Boot Options but it didn't this time, it went right to the "Win Setup." 
I'm almost positive my CD drives are 1, 2 (or 2,3) in the Boot order so it was stupid of me to press anything I guess...


----------



## JSntgRvr (Jul 1, 2003)

In Post 73, I asked you to burn a CD to run OTLPE. Can you boot the computer with that CD? No need to run OTLPE. What I would like to know is whether you are able to boot to the Reatogo desktop, and also able to browse (using Explorer) to the C: drive and view all folders therein.


----------



## canoli (Apr 26, 2010)

I was able to before so I'll try that now. Should I do anything if I get there?


----------



## JSntgRvr (Jul 1, 2003)

If you are able to see the C: drive and its contents, open a command prompt (Start -> Run, type CMD and click OK).

At the prompt type the following and press Enter:

*Copy C:\Windows\System32\Config\System C:\*

You should receive a 1 file copied message. If all goes well, a copy of the System hive will be copied to the C:\ folder. Boot in Normal Mode. Zip and upload the file.


----------



## canoli (Apr 26, 2010)

okay - will try it now.


----------



## canoli (Apr 26, 2010)

Okay that worked. I uploaded it to the noahdfear site...

btw - does that file contain personal data and/or stored passwords?
just curious, I trust you guys...in any case it's done so...!

was that a surprise, that Windows Setup screen on the ARCDC?
Or did you get a good laugh at my paranoia?

Thanks again for your help!!


----------



## JSntgRvr (Jul 1, 2003)

canoli said:


> Okay that worked. I uploaded it to the noahdfear site...
> 
> btw - does that file contain personal data and/or stored passwords?
> just curious, I trust you guys...in any case it's done so...!
> ...


The System hive just contains the System's Configuration. ARCDC should have worked as an alternate Recovery Console. It doesn't contain setup files.

Download *Regdelnull.zip* to your desktop. Extract its contents to the C:\ folder. Once extracted open a command prompt. At the prompt type the following and press Enter:

*Regdelnull hklm -s*

The application will search the registry for null entries. Do not delete anything if asked. Just let me know if null entries are found (write them down if possible) and if our friend, Pragma, is one of them.


----------



## canoli (Apr 26, 2010)

oh okay thanks (re: ARCDC, sys hive)

RegDelNull found PRAGMA and that was all - but it found it in 3 different places.
.jpg is attached.


----------



## JSntgRvr (Jul 1, 2003)

Thanks for the file. It has been reviewed and it does contain embedded null entries. Please rerun this command and delete those entries:

*Regdelnull hklm -s*

Restart and check for its detection.


----------



## canoli (Apr 26, 2010)

I was able to delete only 2 of the 3 that were there on the first scan.
The one in ...\CurrentControlSet\ is either still there or ... ? ...

I rebooted twice and waited 10 minutes each time. No Avast pop-up...

Is it too much to hope that it's gone for good? 
As for that 3rd spot in the registry...?


----------



## JSntgRvr (Jul 1, 2003)

The *CurrentControlSet* is a mirror of another ControlSet, such as *ControlSet001*. It is created every time you boot. So if it was removed from the other ControlSets, it must be gone.

Let's scan for remnants:

Please download Malwarebytes' Anti-Malware from *Here*.

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:

*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*

Please run the *F-Secure Online Scanner*


For information click Here.
Allow the installation of the Add-ons and Accept the License Agreement.
Click *Full System Scan*
Once the download completes,the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the *Automatic cleaning (recommended)* button.
Click the *Show Report* button and Copy&Paste the entire report in your next reply.


----------
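The RegDelNull step and the CurrentControlSet explanation above rest on two registry facts the thread does not spell out. First, the kernel stores key names as counted strings, while the Win32 registry functions that Regedit uses take NUL-terminated strings, so a key whose name contains an embedded NUL is listed by Win32 enumeration but cannot be opened or deleted through Win32; only a native-API tool such as RegDelNull can reach it. Second, HKLM\SYSTEM\CurrentControlSet is a symbolic link to the ControlSet00N named by HKLM\SYSTEM\Select\Current, so a key removed from that ControlSet is gone from CurrentControlSet too, which is why deleting two of the three reported entries was enough. The model below is an added example, not code from the thread, from Windows or from RegDelNull: the in-memory hive, the service name with the NUL and the Select\Current value are constructed for illustration, and the thread never shows the real key's bytes.

```python
"""Why a NUL-named service key hides from Regedit, and why the third
"CurrentControlSet" hit vanishes once the ControlSet00N copies are deleted.

Added example: a constructed in-memory model, not part of the thread and not
Windows' or RegDelNull's code.  The key name with the NUL and the Select\Current
value are assumptions for illustration.
"""
from typing import List, Set

SYSTEM = "HKLM\\SYSTEM"


class Hive:
    """Minimal registry model.  Key names are counted strings (Python str), as
    the kernel stores them, so an embedded NUL is just another character."""

    def __init__(self, select_current: int = 1) -> None:
        # Models HKLM\SYSTEM\Select\Current: which ControlSet00N the
        # CurrentControlSet link points at.
        self.select_current = select_current
        self.keys: Set[str] = {SYSTEM}

    def _real(self, path: str) -> str:
        """Resolve the CurrentControlSet symbolic link to ControlSet00N."""
        parts = path.split("\\")
        if parts[:3] == ["HKLM", "SYSTEM", "CurrentControlSet"]:
            parts[2] = "ControlSet%03d" % self.select_current
        return "\\".join(parts)

    def create(self, path: str) -> None:
        self.keys.add(self._real(path))

    def native_open(self, path: str) -> bool:
        """NtOpenKey-style: each component is a counted UNICODE_STRING and is
        compared in full, NULs included."""
        return self._real(path) in self.keys

    def native_delete(self, path: str) -> bool:
        """NtDeleteKey-style: operates on the exact counted name."""
        real = self._real(path)
        if real not in self.keys:
            return False
        self.keys.remove(real)
        return True

    def win32_open(self, path: str) -> bool:
        """RegOpenKeyEx-style: the name is an LPCWSTR, so everything after the
        first NUL is lost before the request reaches the kernel."""
        return self.native_open(path.split("\x00", 1)[0])

    def win32_delete(self, path: str) -> bool:
        """RegDeleteKey-style: same truncation, so the NUL-named key survives."""
        return self.native_delete(path.split("\x00", 1)[0])

    def native_enum(self, parent: str) -> List[str]:
        real = self._real(parent) + "\\"
        return sorted(k[len(real):] for k in self.keys
                      if k.startswith(real) and "\\" not in k[len(real):])

    def win32_enum(self, parent: str) -> List[str]:
        """RegEnumKeyEx returns a NUL-terminated buffer, so Regedit shows the
        name up to the NUL: the key is listed but cannot be opened."""
        return [n.split("\x00", 1)[0] for n in self.native_enum(parent)]


def find_null_keys(hive: Hive) -> List[str]:
    """What 'regdelnull hklm -s' looks for: keys whose counted name holds a NUL.
    The CurrentControlSet view is reported too, which is how the same key shows
    up three times in a scan that walks the link as well as its targets."""
    hits = []
    cs = "ControlSet%03d" % hive.select_current
    for k in sorted(hive.keys):
        if "\x00" in k:
            hits.append(k)
            if k.startswith(SYSTEM + "\\" + cs + "\\"):
                hits.append(k.replace(cs, "CurrentControlSet", 1))
    return sorted(hits)


def demo() -> dict:
    """Build the constructed hive, show both API views, then clean up natively."""
    h = Hive(select_current=1)
    # Constructed rootkit-style name: what Regedit displays, then a NUL.
    bad = "PRAGMAfpyycwxbvf\x00"
    for cs in ("ControlSet001", "ControlSet002"):
        h.create(f"{SYSTEM}\\{cs}\\Services")
        h.create(f"{SYSTEM}\\{cs}\\Services\\{bad}")
    cur = f"{SYSTEM}\\CurrentControlSet\\Services\\{bad}"
    before = {
        "win32_sees_name": h.win32_enum(f"{SYSTEM}\\CurrentControlSet\\Services"),
        "win32_can_open": h.win32_open(cur),
        "win32_can_delete": h.win32_delete(cur),
        "native_can_open": h.native_open(cur),
        "null_keys": find_null_keys(h),
    }
    # Delete the two ControlSet00N copies with the native API, as RegDelNull
    # does; the CurrentControlSet entry was the same key seen through the link.
    for cs in ("ControlSet001", "ControlSet002"):
        h.native_delete(f"{SYSTEM}\\{cs}\\Services\\{bad}")
    after = {"native_can_open": h.native_open(cur), "null_keys": find_null_keys(h)}
    return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

Before cleanup, win32_enum lists the name as PRAGMAfpyycwxbvf while win32_open and win32_delete fail and native_open succeeds, which is exactly the behaviour the thread ran into (listed by RootRepeal, not deletable through the Win32 path). After the two native deletes, the CurrentControlSet view is empty without having been touched separately.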



## canoli (Apr 26, 2010)

was out all day and night - will follow up tomorrow and follow your latest instructions...

thanks for explaining about the currentcontrolset - good news then...!

And thanks so much for all your help...it is very much appreciated!

I will run the scans and post the results tomorrow (saturday)...

Thanks again!


----------



## canoli (Apr 26, 2010)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4103

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

5/15/2010 5:50:57 AM
mbam-log-2010-05-15 (05-50-57).txt

Scan type: Quick scan
Objects scanned: 138061
Time elapsed: 4 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Scanning Report
Saturday, May 15, 2010 06:03:43 - 07:54:41

Computer name: LENOVO-1C927FAB
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ G:\ I:\ J:\ L:\ M:\ N:\ S:\ T:\ V:\ Y:\ Z:\
20 malware found
TrackingCookie.Questionmarket (spyware)

* System (Disinfected)

Suspicious:W32/Malware!Gemini (spyware)

* System (Disinfected)

TrackingCookie.Adbrite (spyware)

* System (Disinfected)

TrackingCookie.Webtrends (spyware)

* System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

* System (Disinfected)

Suspicious:W32/Malware!Gemini (virus)

* C:\WINDOWS\SWREG.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

* C:\WINDOWS\SWSC.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{A8393674-085C-4723-B63E-39928C5F4C89}\RP9\A0004300.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{A8393674-085C-4723-B63E-39928C5F4C89}\RP6\A0003767.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{A8393674-085C-4723-B63E-39928C5F4C89}\RP6\A0003771.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{A8393674-085C-4723-B63E-39928C5F4C89}\RP6\A0003940.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{A8393674-085C-4723-B63E-39928C5F4C89}\RP6\A0004009.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{A8393674-085C-4723-B63E-39928C5F4C89}\RP6\A0004021.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{A8393674-085C-4723-B63E-39928C5F4C89}\RP6\A0004025.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{A8393674-085C-4723-B63E-39928C5F4C89}\RP6\A0004180.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{A8393674-085C-4723-B63E-39928C5F4C89}\RP3\A0001702.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{A8393674-085C-4723-B63E-39928C5F4C89}\RP10\A0004450.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{A8393674-085C-4723-B63E-39928C5F4C89}\RP10\A0004462.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{A8393674-085C-4723-B63E-39928C5F4C89}\RP10\A0004466.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{A8393674-085C-4723-B63E-39928C5F4C89}\RP10\A0004634.EXE (Not cleaned)

Statistics
Scanned:

* Files: 79062
* System: 5174
* Not scanned: 8

Actions:

* Disinfected: 5
* Renamed: 0
* Deleted: 0
* Not cleaned: 15
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\RKC\LOCAL SETTINGS\TEMP\HSPERFDATA_RKC\4276
* C:\DOCUMENTS AND SETTINGS\RKC\LOCAL SETTINGS\TEMP\HSPERFDATA_RKC\1660

Options
Scanning engines:

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use advanced heuristics


----------



## JSntgRvr (Jul 1, 2003)

Besides some housekeeping, I believe you are ready to go.

Congratulations.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

*Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.*

*Follow these steps to uninstall Combofix.*

Rename Combofix to Uninstall and click on it. That should remove the application.
Launch *OTL* and click on the *Cleanup* button. Follow the prompts.

Manually remove any tool left.

*Create a Restore point*:

Click *Start*, point to *All Programs*, point to *Accessories*, point to *System Tools*, and then click *System Restore*.
In the System Restore dialog box, click *Create a restore point*, and then click *Next*. 
Type a description for your restore point, such as "After Cleanup", then click *Create*.

Test Safe Mode. You were having problems before. Let me know also how is the computer doing in general.


----------



## canoli (Apr 26, 2010)

Okay...beautiful! 

Cleaned out Sys Restore and uninstalled and/or deleted the programs...
no warnings from Avast...no Validation Wizard...laptop is running just fine...

2 last things I need advice about:

1. the Recovery Console - can I (should I?) uninstall it? If "yes" - can you tell me how to do it?
(that's where I was getting the BSOD, attempting to boot into it - haven't tried since then.
Safe Mode works fine though, I did check that.)

2. the Validation "issue" - this laptop passed several times before. 
I have the tool in Add/Remove - should I try running it? 
(I bought the computer new, don't know why it would fail now...)

Other than those 2 things I am 100% good to go and I have YOU to thank for it.
Thank you very much for your time and attention.
It is greatly appreciated by me and I'm sure many others.


----------



## JSntgRvr (Jul 1, 2003)

Keep the Recovery Console. You never know when it might be needed.

In regard to the WGA, all I can suggest is to post a new thread in the Windows XP forum. There are good experts in that forum that can assist you.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

*Spybot Search & Destroy* - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

*AdAware* - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

*Windows Updates* - It is *very important* to make sure that both Internet Explorer and Windows are kept current with *the latest critical security patches* from Microsoft. To do this just start *Internet Explorer* and select *Tools > Windows Update*, and follow the online instructions from there.

*Google Toolbar* - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

*Trillian* or *Miranda-IM* - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

*ERUNT* (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read *this article* by *Miekiemoes*.

Best wishes!


----------



## JSntgRvr (Jul 1, 2003)

I received information in regard to WGA.

It's not uncommon to get re-activation prompts with some of the rootkits. The system may think that there has been a change in hardware, and eventually gets enough points to trigger re-activation.

Now that the rootkit is gone, give Windows updates a try and go through the WGA process.


----------



## canoli (Apr 26, 2010)

The Win updates went through. No other problems - I searched for the WGA process and found a "browser plug-in" but I'm not going to d/l and install it without an uninstaller - I'm sure MS will ask for validation in one of their updates soon enough...

so unless there's anything else I need to do...?


----------



## JSntgRvr (Jul 1, 2003)

I believe you are ready to go. Marking the thread as *Solved.*


----------



## canoli (Apr 26, 2010)

Beautiful!

Thanks again...


----------

