# Removed xp security 2012 & sys32 -still having issues want to make sure it's all gone



## Zappafrank

*Removed xp security 2012 & sys32 -still having issues want to make sure it's all gone*

Hi, and thanks in advance for the help.

Dell Dimension E520
Win XP Media Edition SP2
Have a Dell Win XP Media Edition reinstallation CD
Malwarebytes and Avira AntiVir for security; latest updates and scans show no infections

Had an XP Security 2012 infection and a sys32 virus.
After digging them out I was unable to reboot.
Performed a system repair from the Dell reinstallation CD -- noticed one thing here: I was asked for the disc containing the Service Pack 2 files. I don't have that; my upgrade to SP2 was online from Microsoft Updates.
I continued, but have not reinstalled SP2 online -- figured I'd better wait for the experts' advice [that's you guys].

I'm having the following issues:

1. Won't boot normally with the video driver installed -- hangs at a black screen just after the Windows splash screen. If I boot to safe mode and uninstall the video drivers the machine will boot normally; reinstall the driver, set the resolution and all is fine. Each reboot requires the same process.

2. Not acquiring an IP address -- DHCP and TCP/IP are not loading on their own. Go into Services and manually start them and everything seems OK. Again, required at each reboot.

3. Can't print -- local area network printer; have reinstalled it several times, no clue here. Everything appears to communicate; I can even tell the ink levels and scan (it's a multifunction printer/scanner/fax), but not print. Network is just my computer, a router, and a modem. Printer plugged into the router.

After going through 1 & 2 everything is fine except for the printing.
I don't know if the issues are caused by an active virus or residual damage done by the viruses [or the fix].

If it turns out to be residual damage I'd be interested in any advice on how to repair that too.

Scans requested are included as instructed and I'll be awaiting your directions.

Thanks again,

Bob.

DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_26
Run by Bob Zoppa at 21:24:21 on 2011-12-07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1555 [GMT -5:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://mail.csgrp.com/owa/auth/logon.aspx?replaceCurrent=1&url=https://mail.csgrp.com/owa/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [YMPXRXjVhBlnS.exe] c:\documents and settings\all users\application data\YMPXRXjVhBlnS.exe
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [3IxbEWXA] c:\documents and settings\all users\application data\3IxbEWXA.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10w_Plugin.exe -update plugin
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1323208587515
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{DE0BE8F6-8A47-4821-BEBB-BBF78E2CC944} : DhcpNameServer = 192.168.0.1
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\bob zoppa\application data\mozilla\firefox\profiles\kn6t9xu8.default\
FF - prefs.js: browser.startup.homepage - hxxp://headlines.verizon.com/headlines/portals/headlines.portal
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\bob zoppa\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-5-29 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-5-29 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-5-29 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-5-29 66616]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
.
=============== Created Last 30 ================
.
2011-12-07 12:27:17	485920	----a-w-	c:\windows\system32\nvuninst.exe
2011-12-07 12:27:17	485920	----a-w-	c:\windows\system32\nvudisp.exe
2011-12-06 21:07:59	18944	-c--a-w-	c:\windows\system32\dllcache\simptcp.dll
2011-12-06 21:06:59	92160	-c--a-w-	c:\windows\system32\dllcache\evntwin.exe
2011-12-06 20:44:04	24661	-c--a-w-	c:\windows\system32\dllcache\spxcoins.dll
2011-12-06 20:44:04	24661	----a-w-	c:\windows\system32\spxcoins.dll
2011-12-06 20:44:04	13312	-c--a-w-	c:\windows\system32\dllcache\irclass.dll
2011-12-06 20:44:04	13312	----a-w-	c:\windows\system32\irclass.dll
2011-12-06 20:44:00	22339	----a-r-	c:\windows\SETE9.tmp
2011-12-06 20:44:00	10559	----a-r-	c:\windows\SETEA.tmp
2011-12-06 20:43:52	13753	----a-r-	c:\windows\SETA6.tmp
2011-12-06 20:43:50	1086058	----a-r-	c:\windows\SET9A.tmp
2011-12-06 20:43:50	106147	----a-r-	c:\windows\SET97.tmp
2011-12-06 18:02:23	22339	----a-r-	c:\windows\SET150.tmp
2011-12-06 18:02:23	10559	----a-r-	c:\windows\SET151.tmp
2011-12-06 18:02:14	13753	----a-r-	c:\windows\SET10C.tmp
2011-12-06 18:02:11	1086058	----a-r-	c:\windows\SET100.tmp
2011-12-06 18:02:11	106147	----a-r-	c:\windows\SETFD.tmp
2011-11-30 02:46:03	81920	----a-w-	c:\windows\system32\BrWebIns.dll
2011-11-30 02:46:03	65536	----a-w-	c:\windows\system32\Brwebup.exe
2011-11-30 02:46:03	513536	----a-w-	c:\program files\common files\installshield\webupdate\Iftw.exe
2011-11-30 02:46:03	331776	----a-w-	c:\program files\common files\installshield\webupdate\WebUpdate.exe
2011-11-30 02:46:03	24576	----a-w-	c:\program files\common files\installshield\webupdate\RasThunk.dll
2011-11-30 02:46:03	176128	----a-w-	c:\windows\system32\Pdrvinst.dll
2011-11-30 02:46:03	132096	----a-w-	c:\program files\common files\installshield\webupdate\ISiteLite.dll
2011-11-30 02:45:59	126976	----a-w-	c:\windows\system32\BrfxD04a.dll
2011-11-30 02:44:56	57344	----a-w-	c:\program files\common files\installshield\professional\runtime\0701\intel32\ctor.dll
2011-11-30 02:44:56	5632	----a-w-	c:\program files\common files\installshield\professional\runtime\0701\intel32\DotNetInstaller.exe
2011-11-30 02:44:56	237568	----a-w-	c:\program files\common files\installshield\professional\runtime\0701\intel32\iscript.dll
2011-11-30 02:44:56	155648	----a-w-	c:\program files\common files\installshield\professional\runtime\0701\intel32\iuser.dll
2011-11-30 02:44:55	692224	----a-w-	c:\program files\common files\installshield\professional\runtime\0701\intel32\iKernel.dll
2011-11-30 02:44:55	163972	----a-w-	c:\program files\common files\installshield\professional\runtime\0701\intel32\iGdi.dll
2011-11-30 02:44:54	282756	----a-w-	c:\program files\common files\installshield\professional\runtime\0701\intel32\setup.dll
2011-11-30 02:43:46	--------	d-----w-	c:\program files\common files\ScanSoft Shared
2011-11-30 02:01:31	--------	d-----w-	c:\windows\_ISTMP1.DIR
.
==================== Find3M ====================
.
2011-09-19 13:19:53	404640	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 21:25:06.89 ===============


----------
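The Run/RunOnce lines in a DDS report are where fake-AV droppers like the one in this thread leave their autostart entries. This added example (not code from the thread, from DDS or from ComboFix) scores each entry by where its executable lives and how its name looks; the sample lines are copied from the DDS log above, and the scoring rules are this example's own heuristics.

```python
"""Triage of the uRun/mRun lines in a DDS 'Pseudo HJT Report'.

Added example: not code from the thread, from DDS or from ComboFix. The
sample lines are copied from the DDS log posted above; the scoring rules are
this example's own heuristics.
"""
import re
from typing import Dict, List

# Constructed sample: a subset of the Run/RunOnce lines from the posted DDS log.
DDS_SAMPLE = r"""
uRun: [YMPXRXjVhBlnS.exe] c:\documents and settings\all users\application data\YMPXRXjVhBlnS.exe
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [3IxbEWXA] c:\documents and settings\all users\application data\3IxbEWXA.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10w_Plugin.exe -update plugin
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"""

# DDS prefixes: uRun = HKCU Run, mRun = HKLM Run, dRunOnce = .DEFAULT RunOnce, ...
RUN_LINE = re.compile(r"^(?P<key>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# A drive-qualified path, optionally quoted, ending in an executable extension.
TARGET_RE = re.compile(r'^"?(?P<path>[a-z]:\\[^"]*?\.(?:exe|dll|scr|com|bat|cmd))"?', re.IGNORECASE)
VOWELS = set("aeiou")


def launch_target(cmd: str) -> str:
    """Return the file that actually runs for a Run-key command line."""
    cmd = cmd.strip()
    first, _, rest = cmd.partition(" ")
    # rundll32 is only a host; the DLL named before the comma is the real target
    if first.lower() in ("rundll32.exe", "rundll32"):
        cmd = rest.split(",", 1)[0].strip()
    m = TARGET_RE.match(cmd)
    if m:
        return m.group("path")
    # No drive letter: a bare name that Windows resolves through the search path
    return cmd.split()[0].strip('"')


def looks_random(stem: str) -> bool:
    """Weak signal: a long name that starts with a digit or has almost no vowels.

    Expect false positives on terse vendor names (pptd40nt above is legitimate
    PaperPort), so this only ever yields a 'review' severity on its own.
    """
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 8 or not letters:
        return False
    vowel_ratio = sum(c.lower() in VOWELS for c in letters) / len(letters)
    return stem[0].isdigit() or vowel_ratio < 0.1


def triage(report: str) -> List[Dict[str, object]]:
    """Score every Run/RunOnce entry; 'high' requires the strong location signal."""
    findings: List[Dict[str, object]] = []
    for line in report.strip().splitlines():
        m = RUN_LINE.match(line)
        if not m:
            continue
        target = launch_target(m.group("cmd"))
        reasons: List[str] = []
        # Strong signal: a startup executable living under a user profile
        # (Application Data, Temp, ...) rather than Program Files or Windows.
        if "\\documents and settings\\" in target.lower():
            reasons.append("profile_dir")
        if "\\" not in target:
            reasons.append("bare_filename")
        stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(stem):
            reasons.append("random_name")
        severity = "high" if "profile_dir" in reasons else ("review" if reasons else "none")
        findings.append({"key": m.group("key"), "name": m.group("name"),
                         "target": target, "reasons": reasons, "severity": severity})
    return findings


def high_severity(report: str) -> List[str]:
    """Names of the entries a helper would look at first."""
    return [str(f["name"]) for f in triage(report) if f["severity"] == "high"]


if __name__ == "__main__":
    for f in triage(DDS_SAMPLE):
        print(f"{f['severity']:6} {f['key']:8} {f['name']:20} {f['target']}  {f['reasons']}")
```

The two entries it rates high are exactly the ones ComboFix later lists under "ORPHANS REMOVED"; everything under Program Files or Windows is rated none or review.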



## turtledove

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hello, and welcome to TSF.

I am currently reviewing your log. I will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.
- Please run no scans or fixes on your own.
- Please note that if there is no reply within 3 days to this thread it may be closed; please let me know ahead of time if you need extra time.
- Please only attach further logs if I ask; post them directly in a reply.

Please be patient with me during this time.

Thank you


----------



## turtledove

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hello Zappafrank,

Please do the following. If any questions/problems, stop and ask first, please.

Please download aswMBR.exe from a clean computer to a thumbdrive, and save it to your infected computer's desktop.

Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)

Click *Scan*

Upon completion of the scan, click *Save log* and save it to your desktop, and post that log in your next reply for review. *Note - do NOT attempt any Fix yet.*

You will also notice another file created on the desktop named *MBR.dat*. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

Thank you


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Thank you, Turtledove -- the scans are attached as requested.
Instant notification is on.

Sorry for the 1/2 day delay; had a long in-the-field work day yesterday -- it's Friday now. I'll be home for the next few days and will check for your replies hourly at a minimum.

Since my first post I've made one change:
I replaced the C:\WINDOWS\system32\svchost.exe with one from another computer running Win XP SP2.

The video drivers now load and the machine boots to XP.

DHCP and TCP/IP NetBIOS Helper still need to be manually started in Services, and the network printer is still not working -- times out; try to use the scanner and it says network not found.
I'd planned to install a USB printer just to see if it's a network issue or a print issue.
No urgency; I'll wait to hear back from you before I do anything else.

One thing bugging me is not having the SP2 files during the Windows "repair". Should I reinstall Win SP2 at some point? It may be running [or not, as the case may be] on some old system files.

Bob.

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-09 09:03:13
-----------------------------
09:03:13.562 OS Version: Windows 5.1.2600 Service Pack 2
09:03:13.562 Number of processors: 2 586 0x407
09:03:13.562 ComputerName: ROBERTZOPPA UserName: Bob Zoppa
09:03:14.296 Initialize success
09:06:05.765 AVAST engine defs: 11120901
09:06:19.593 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2
09:06:19.593 Disk 0 Vendor: ST325082 3.AE Size: 238475MB BusType: 3
09:06:19.593 Disk 0 MBR read successfully
09:06:19.593 Disk 0 MBR scan
09:06:19.640 Disk 0 Windows XP default MBR code
09:06:19.656 Disk 0 scanning sectors +488376000
09:06:19.718 Disk 0 scanning C:\WINDOWS\system32\drivers
09:06:31.703 Service scanning
09:06:32.765 Modules scanning
09:06:36.671 Disk 0 trace - called modules:
09:06:36.687 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll 
09:06:36.687 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89ddb8c8]
09:06:36.687 3 CLASSPNP.SYS[b80e905b] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-2[0x89e43030]
09:06:37.265 AVAST engine scan C:\WINDOWS
09:06:52.578 AVAST engine scan C:\WINDOWS\system32
09:09:14.984 AVAST engine scan C:\WINDOWS\system32\drivers
09:09:31.718 AVAST engine scan C:\Documents and Settings\Bob Zoppa
09:09:56.312 File: C:\Documents and Settings\Bob Zoppa\Application Data\Sun\Java\Deployment\cache\6.0\35\5da37e63-4e0d5813 **INFECTED** Win32:FakeAlert-BOG [Trj]
09:20:32.859 AVAST engine scan C:\Documents and Settings\All Users
09:21:11.765 Scan finished successfully
09:22:55.875 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Bob Zoppa\Desktop\MBR.dat"
09:22:55.875 The log file has been saved successfully to "C:\Documents and Settings\Bob Zoppa\Desktop\aswMBR.txt"


----------



## turtledove

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Zappafrank,

Please do the following after copying these instructions to Notepad. Please wait on the printer issue.
Please make no other changes to your files, like you did, without my instructing you to do so. It is important that you follow only the instructions given, and in order; this keeps things in order and less confusing for proceeding.

Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download ComboFix from one of these locations:

*Link 1*
*Link 2*


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => How to obtain Windows XP Setup disks for a floppy boot installation

Scroll down to *Step 1*, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

*Note: If you have SP3, use the SP2 package.*


---------------------------------------------------------------------

*Transfer all files you just downloaded, to the desktop of the infected computer.*

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Drag the setup package onto ComboFix.exe and drop it.

Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

At the next prompt, click 'Yes' to run the full ComboFix scan.

When the tool is finished, it will produce a report for you.
Please post the *C:\ComboFix.txt* in your next reply.

- If you have any problems with this tool running, note down any details or error messages and let me know please.

Thank You


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Turtledove -- running combo fix now will post when done.

Bob


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Turtledove,
OK, scans all done; found "Rootkit.ZeroAccess".
ComboFix rebooted itself once during the process.

DHCP and TCP/IP NetBIOS Helper still not loading on their own -- I rebooted twice -- so I can't get a network address unless after boot-up I go to Services and manually start them.

After manually starting them everything is OK; the network finds an address, and access to the internet is fine after that.

Network printer and scanner now working -- don't recall if I checked them after installing the C:\WINDOWS\system32\svchost.exe I mentioned last time -- either way I'm happy that's back; the printer is used daily.

Something just came to mind: all the scans I've run and attached were done after I'd already started DHCP and TCP/IP NetBIOS Helper manually -- it didn't occur to me to go into Services and turn them off.
Would that tell you anything other than that they weren't running? If so I'll be happy to rerun the scans with those services off -- the way they would be if I didn't manually start them.

Last -- one of the ComboFix pop-up boxes, after mentioning the ZeroAccess rootkit, said I may not have internet access after ComboFix was done and said to run ComboFix again.
Is this what they meant?
Should I run it again?

OK, ComboFix log pasted below.

Bob

ComboFix 11-12-09.03 - Bob Zoppa 12/09/2011 18:24:42.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1613 [GMT -5:00]
Running from: c:\documents and settings\Bob Zoppa\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bob Zoppa\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate
c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\B64.dtd
c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\Flags.dtd
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Bob Zoppa\g2mdlhlpx.exe
c:\documents and settings\Bob Zoppa\Recent\Thumbs.db
c:\documents and settings\Bob Zoppa\WINDOWS
c:\windows\$NtUninstallKB61424$
c:\windows\$NtUninstallKB61424$\1999608031\@
c:\windows\$NtUninstallKB61424$\1999608031\bckfg.tmp
c:\windows\$NtUninstallKB61424$\1999608031\cfg.ini
c:\windows\$NtUninstallKB61424$\1999608031\Desktop.ini
c:\windows\$NtUninstallKB61424$\1999608031\keywords
c:\windows\$NtUninstallKB61424$\1999608031\kwrd.dll
c:\windows\$NtUninstallKB61424$\1999608031\L\zmiqparx
c:\windows\$NtUninstallKB61424$\1999608031\lsflt7.ver
c:\windows\$NtUninstallKB61424$\1999608031\U\[email protected]
c:\windows\$NtUninstallKB61424$\1999608031\U\[email protected]
c:\windows\$NtUninstallKB61424$\1999608031\U\[email protected]
c:\windows\$NtUninstallKB61424$\1999608031\U\[email protected]
c:\windows\$NtUninstallKB61424$\1999608031\U\[email protected]
c:\windows\$NtUninstallKB61424$\1999608031\U\[email protected]
c:\windows\$NtUninstallKB61424$\3941833289
c:\windows\CSC\d6
.
.
((((((((((((((((((((((((( Files Created from 2011-11-09 to 2011-12-09 )))))))))))))))))))))))))))))))
.
.
2011-12-07 12:27 . 2009-08-17 04:57	485920	----a-w-	c:\windows\system32\nvuninst.exe
2011-12-07 12:27 . 2009-08-17 04:57	485920	----a-w-	c:\windows\system32\nvudisp.exe
2011-12-06 21:07 . 2004-08-10 11:00	18944	-c--a-w-	c:\windows\system32\dllcache\simptcp.dll
2011-12-06 21:06 . 2004-08-10 11:00	92160	-c--a-w-	c:\windows\system32\dllcache\evntwin.exe
2011-12-06 20:44 . 2004-08-10 11:00	24661	-c--a-w-	c:\windows\system32\dllcache\spxcoins.dll
2011-12-06 20:44 . 2004-08-10 11:00	24661	----a-w-	c:\windows\system32\spxcoins.dll
2011-12-06 20:44 . 2004-08-10 11:00	13312	-c--a-w-	c:\windows\system32\dllcache\irclass.dll
2011-12-06 20:44 . 2004-08-10 11:00	13312	----a-w-	c:\windows\system32\irclass.dll
2011-12-06 20:44 . 2006-03-30 10:03	22339	----a-r-	c:\windows\SETE9.tmp
2011-12-06 20:44 . 2005-03-30 17:54	10559	----a-r-	c:\windows\SETEA.tmp
2011-12-06 20:43 . 2004-08-10 11:00	13753	----a-r-	c:\windows\SETA6.tmp
2011-12-06 20:43 . 2004-08-10 11:00	1086058	----a-r-	c:\windows\SET9A.tmp
2011-12-06 20:43 . 2004-08-10 11:00	106147	----a-r-	c:\windows\SET97.tmp
2011-12-06 18:02 . 2006-03-30 10:03	22339	----a-r-	c:\windows\SET150.tmp
2011-12-06 18:02 . 2005-03-30 17:54	10559	----a-r-	c:\windows\SET151.tmp
2011-12-06 18:02 . 2004-08-10 11:00	13753	----a-r-	c:\windows\SET10C.tmp
2011-12-06 18:02 . 2004-08-10 11:00	1086058	----a-r-	c:\windows\SET100.tmp
2011-12-06 18:02 . 2004-08-10 11:00	106147	----a-r-	c:\windows\SETFD.tmp
2011-11-30 02:01 . 2011-11-30 02:04	--------	d-----w-	c:\windows\_ISTMP1.DIR
2011-11-30 01:58 . 2011-11-30 01:58	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Help
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-19 13:19 . 2011-06-17 19:15	404640	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2010-05-12 21:42 . 2010-05-12 21:42	124344	----a-w-	c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-05-12 22:22 . 2010-05-12 22:22	13240	----a-w-	c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-05-12 21:43 . 2010-05-12 21:43	70592	----a-w-	c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-05-12 21:42 . 2010-05-12 21:42	91576	----a-w-	c:\program files\mozilla firefox\plugins\confmgr.dll
2010-05-12 21:42 . 2010-05-12 21:42	22464	----a-w-	c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-05-12 21:41 . 2010-05-12 21:41	255416	----a-w-	c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-05-12 21:42 . 2010-05-12 21:42	31160	----a-w-	c:\program files\mozilla firefox\plugins\icafile.dll
2010-05-12 21:42 . 2010-05-12 21:42	40384	----a-w-	c:\program files\mozilla firefox\plugins\icalogon.dll
2010-04-14 18:55 . 2010-04-14 18:55	652640	----a-w-	c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-05-12 21:43 . 2010-05-12 21:43	24000	----a-w-	c:\program files\mozilla firefox\plugins\TcpPServ.dll
2011-10-15 16:43 . 2011-04-15 12:21	134104	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2010-01-21 24576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 1118208]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-05-12 300472]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-11 281768]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-10 44544]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/29/2010 9:00 PM 136360]
.
.
------- Supplementary Scan -------
.
uStart Page = https://mail.csgrp.com/owa/auth/logon.aspx?replaceCurrent=1&url=https://mail.csgrp.com/owa/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Bob Zoppa\Application Data\Mozilla\Firefox\Profiles\kn6t9xu8.default\
FF - prefs.js: browser.startup.homepage - hxxp://headlines.verizon.com/headlines/portals/headlines.portal
FF - prefs.js: network.proxy.type - 4
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-YMPXRXjVhBlnS.exe - c:\documents and settings\All Users\Application Data\YMPXRXjVhBlnS.exe
HKCU-Run-3IxbEWXA - c:\documents and settings\All Users\Application Data\3IxbEWXA.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-12-09 18:39
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1409082233-412668190-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\brss01a.exe
c:\windows\stsystra.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Citrix\ICA Client\wfcrun32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2011-12-09 18:41:38 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-09 23:41
ComboFix2.txt 2010-05-31 14:02
.
Pre-Run: 209,320,017,920 bytes free
Post-Run: 209,762,471,936 bytes free
.
- - End Of File - - 91C328D4624996EF98D93970C39616A3


----------



## turtledove

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Good evening Zappafrank,

As before, copy the instructions for reference, please. If needed, also transfer the following tool via removable media.

Please download *Farbar Service Scanner* and run it on the computer with the issue.
Make sure "Include All Files" option remains checked.
Press "*Scan*".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Thank you


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Turtledove,
Here you go --
Note this is after I've manually started DHCP and TCP/IP NetBIOS Helper.
Let me know if you want any scans run before I start them manually.
I have to start them to access the internet.

Bob


Farbar Service Scanner 
Ran by Bob Zoppa (administrator) on 09-12-2011 at 23:09:49
Microsoft Windows XP Professional Service Pack 2 (X86)
********************************************************

Service Check:
==============

File Check:
===========
C:\WINDOWS\system32\svchost.exe
[2004-08-10 06:00] - [2004-08-10 06:00] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll
[2004-08-10 06:00] - [2004-08-10 06:00] - 0395776 ____A (Microsoft Corporation) 5C83A4408604F737717AB96371201680

C:\WINDOWS\system32\services.exe
[2004-08-10 06:00] - [2004-08-10 06:00] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-10 06:00] - [2004-08-10 06:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys
[2004-08-10 06:00] - [2004-08-10 06:00] - 0359040 ____A (Microsoft Corporation) 9F4B36614A0FC234525BA224957DE55C

C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-10 06:00] - [2004-08-10 06:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-10 06:00] - [2004-08-10 06:00] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D


Connection Status:
==================
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

**** End of log ****


----------



## turtledove

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Good evening Zappafrank,

Copy these out please. Be careful to follow the instructions for TDSSKiller and choose Skip, please.
I'll need you to rerun the one tool as above, without restarting your internet connection services please. But do download the other tool below before disconnecting.

Please rerun *Farbar Service Scanner* on the computer with the issue.
Make sure "Include All Files" option remains checked.
Press "*Scan*".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

-----------------------------


Download TDSSKiller.exe and save it to your desktop
Execute TDSSKiller.exe by doubleclicking on it.
Press *Start Scan*
If malicious objects are found, do *NOT* select *Cure*. *Change the action to Skip*, and save the log.
Once complete, a log will be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt
Please post the contents of that log in your next reply. 

Thank You


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Turtledove 
Thanks again -- here are the scans -- both were run before I manually started DHCP and NetBIOS helper.

Bob
09:24:22.0218 3604	TDSS rootkit removing tool 2.6.22.0 Dec 7 2011 13:21:06
09:24:22.0500 3604	============================================================
09:24:22.0500 3604	Current date / time: 2011/12/10 09:24:22.0500
09:24:22.0500 3604	SystemInfo:
09:24:22.0500 3604	
09:24:22.0500 3604	OS Version: 5.1.2600 ServicePack: 2.0
09:24:22.0500 3604	Product type: Workstation
09:24:22.0500 3604	ComputerName: ROBERTZOPPA
09:24:22.0500 3604	UserName: Bob Zoppa
09:24:22.0500 3604	Windows directory: C:\WINDOWS
09:24:22.0500 3604	System windows directory: C:\WINDOWS
09:24:22.0500 3604	Processor architecture: Intel x86
09:24:22.0500 3604	Number of processors: 2
09:24:22.0500 3604	Page size: 0x1000
09:24:22.0500 3604	Boot type: Normal boot
09:24:22.0500 3604	============================================================
09:24:22.0734 3604	Initialize success
09:24:57.0750 2444	============================================================
09:24:57.0750 2444	Scan started
09:24:57.0750 2444	Mode: Manual; 
09:24:57.0750 2444	============================================================
09:24:57.0843 2444	Abiosdsk - ok
09:24:57.0859 2444	abp480n5 - ok
09:24:57.0906 2444	ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
09:24:57.0921 2444	ACPI - ok
09:24:57.0968 2444	ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
09:24:57.0968 2444	ACPIEC - ok
09:24:57.0968 2444	adpu160m - ok
09:24:58.0000 2444	aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
09:24:58.0000 2444	aec - ok
09:24:58.0031 2444	AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
09:24:58.0031 2444	AFD - ok
09:24:58.0031 2444	Aha154x - ok
09:24:58.0046 2444	aic78u2 - ok
09:24:58.0062 2444	aic78xx - ok
09:24:58.0109 2444	AIRPLUS (b8e77ffad750ae818a0c0363f9d1544d) C:\WINDOWS\system32\DRIVERS\AIRPLUS.sys
09:24:58.0109 2444	AIRPLUS - ok
09:24:58.0109 2444	AliIde - ok
09:24:58.0125 2444	amsint - ok
09:24:58.0140 2444	asc - ok
09:24:58.0140 2444	asc3350p - ok
09:24:58.0156 2444	asc3550 - ok
09:24:58.0203 2444	AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
09:24:58.0203 2444	AsyncMac - ok
09:24:58.0281 2444	atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\drivers\atapi.sys
09:24:58.0281 2444	atapi - ok
09:24:58.0296 2444	Atdisk - ok
09:24:58.0343 2444	ATIAVPCI (c3d7f4b7a5ca967eafaec6675940c03a) C:\WINDOWS\system32\DRIVERS\atinavrr.sys
09:24:58.0343 2444	ATIAVPCI - ok
09:24:58.0390 2444	Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
09:24:58.0406 2444	Atmarpc - ok
09:24:58.0421 2444	audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
09:24:58.0421 2444	audstub - ok
09:24:58.0531 2444	avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
09:24:58.0531 2444	avgio - ok
09:24:58.0578 2444	avgntflt (1e4114685de1ffa9675e09c6a1fb3f4b) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
09:24:58.0578 2444	avgntflt - ok
09:24:58.0640 2444	avipbb (0f78d3dae6dedd99ae54c9491c62adf2) C:\WINDOWS\system32\DRIVERS\avipbb.sys
09:24:58.0640 2444	avipbb - ok
09:24:58.0703 2444	Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
09:24:58.0703 2444	Beep - ok
09:24:58.0828 2444	catchme - ok
09:24:58.0906 2444	cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
09:24:58.0906 2444	cbidf2k - ok
09:24:58.0968 2444	CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
09:24:58.0984 2444	CCDECODE - ok
09:24:59.0015 2444	cd20xrnt - ok
09:24:59.0062 2444	Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
09:24:59.0062 2444	Cdaudio - ok
09:24:59.0140 2444	Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
09:24:59.0140 2444	Cdfs - ok
09:24:59.0203 2444	Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
09:24:59.0203 2444	Cdrom - ok
09:24:59.0250 2444	cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
09:24:59.0250 2444	cercsr6 - ok
09:24:59.0296 2444	Changer - ok
09:24:59.0343 2444	CmdIde - ok
09:24:59.0390 2444	Cpqarray - ok
09:24:59.0484 2444	ctsfm2k (8db84de3aab34a8b4c2f644eff41cd76) C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys
09:24:59.0500 2444	ctsfm2k - ok
09:24:59.0609 2444	CTUSFSYN (4ee8822adb764edd28ce44e808097995) C:\WINDOWS\system32\drivers\ctusfsyn.sys
09:24:59.0609 2444	CTUSFSYN - ok
09:24:59.0640 2444	dac2w2k - ok
09:24:59.0687 2444	dac960nt - ok
09:24:59.0796 2444	Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
09:24:59.0796 2444	Disk - ok
09:24:59.0875 2444	DLABOIOM (d8d58a84f3ece3359df95fd2e459b330) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
09:24:59.0875 2444	DLABOIOM - ok
09:24:59.0953 2444	DLACDBHM (ec6ae8bc9f773382d2eed49e4dfdae2a) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
09:24:59.0953 2444	DLACDBHM - ok
09:24:59.0984 2444	DLADResN (27c78078bd9c4f2de2ad3eb04bfe101b) C:\WINDOWS\system32\DLA\DLADResN.SYS
09:24:59.0984 2444	DLADResN - ok
09:25:00.0031 2444	DLAIFS_M (7f2d93e560b763ef5d11422d78da8ed0) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
09:25:00.0031 2444	DLAIFS_M - ok
09:25:00.0062 2444	DLAOPIOM (f643637de6aac57e38d197aa63d9ea74) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
09:25:00.0062 2444	DLAOPIOM - ok
09:25:00.0125 2444	DLAPoolM (340705474807f57a46d59d18fc2959f1) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
09:25:00.0125 2444	DLAPoolM - ok
09:25:00.0171 2444	DLARTL_N (0605b66052f82b6f07204dbdb61c13ff) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
09:25:00.0187 2444	DLARTL_N - ok
09:25:00.0187 2444	DLAUDFAM (6984ea763907c045ce813468882bc587) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
09:25:00.0187 2444	DLAUDFAM - ok
09:25:00.0234 2444	DLAUDF_M (12b30c449cfd36adbed53eb6560933c6) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
09:25:00.0234 2444	DLAUDF_M - ok
09:25:00.0359 2444	dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
09:25:00.0359 2444	dmboot - ok
09:25:00.0437 2444	dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\DRIVERS\dmio.sys
09:25:00.0437 2444	dmio - ok
09:25:00.0468 2444	dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
09:25:00.0468 2444	dmload - ok
09:25:00.0562 2444	DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
09:25:00.0562 2444	DMusic - ok
09:25:00.0578 2444	dpti2o - ok
09:25:00.0656 2444	drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
09:25:00.0656 2444	drmkaud - ok
09:25:00.0671 2444	DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
09:25:00.0671 2444	DRVMCDB - ok
09:25:00.0687 2444	DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
09:25:00.0687 2444	DRVNDDM - ok
09:25:00.0750 2444	e1express (00192f0c612591d585594e9467e6ca8b) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
09:25:00.0750 2444	e1express - ok
09:25:00.0843 2444	Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
09:25:00.0843 2444	Fastfat - ok
09:25:00.0906 2444	Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
09:25:00.0906 2444	Fdc - ok
09:25:00.0968 2444	Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
09:25:00.0968 2444	Fips - ok
09:25:01.0015 2444	Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
09:25:01.0015 2444	Flpydisk - ok
09:25:01.0093 2444	FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
09:25:01.0093 2444	FltMgr - ok
09:25:01.0125 2444	Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
09:25:01.0125 2444	Fs_Rec - ok
09:25:01.0203 2444	Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
09:25:01.0203 2444	Ftdisk - ok
09:25:01.0234 2444	Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
09:25:01.0234 2444	Gpc - ok
09:25:01.0296 2444	HDAudBus (e31363d186b3e1d7c4e9117884a6aee5) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
09:25:01.0296 2444	HDAudBus - ok
09:25:01.0359 2444	hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
09:25:01.0359 2444	hidusb - ok
09:25:01.0390 2444	hpn - ok
09:25:01.0437 2444	HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
09:25:01.0453 2444	HTTP - ok
09:25:01.0484 2444	i2omgmt - ok
09:25:01.0484 2444	i2omp - ok
09:25:01.0562 2444	i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\drivers\i8042prt.sys
09:25:01.0562 2444	i8042prt - ok
09:25:01.0625 2444	iastor (294110966cedd127629c5be48367c8cf) C:\WINDOWS\system32\DRIVERS\iaStor.sys
09:25:01.0625 2444	iastor - ok
09:25:01.0640 2444	Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
09:25:01.0640 2444	Imapi - ok
09:25:01.0671 2444	ini910u - ok
09:25:01.0687 2444	IntelIde - ok
09:25:01.0765 2444	intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
09:25:01.0765 2444	intelppm - ok
09:25:01.0828 2444	Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
09:25:01.0828 2444	Ip6Fw - ok
09:25:01.0906 2444	IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
09:25:01.0906 2444	IpFilterDriver - ok
09:25:01.0968 2444	IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
09:25:01.0968 2444	IpInIp - ok
09:25:02.0000 2444	IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
09:25:02.0000 2444	IpNat - ok
09:25:02.0078 2444	IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
09:25:02.0078 2444	IPSec - ok
09:25:02.0125 2444	IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
09:25:02.0125 2444	IRENUM - ok
09:25:02.0187 2444	isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
09:25:02.0187 2444	isapnp - ok
09:25:02.0218 2444	Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
09:25:02.0218 2444	Kbdclass - ok
09:25:02.0281 2444	kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
09:25:02.0281 2444	kbdhid - ok
09:25:02.0359 2444	kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
09:25:02.0359 2444	kmixer - ok
09:25:02.0406 2444	KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
09:25:02.0406 2444	KSecDD - ok
09:25:02.0453 2444	lbrtfdc - ok
09:25:02.0546 2444	MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
09:25:02.0546 2444	MHNDRV - ok
09:25:02.0640 2444	mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
09:25:02.0640 2444	mnmdd - ok
09:25:02.0703 2444	Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
09:25:02.0703 2444	Modem - ok
09:25:02.0828 2444	monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\monfilt.sys
09:25:02.0843 2444	monfilt - ok
09:25:02.0890 2444	Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
09:25:02.0890 2444	Mouclass - ok
09:25:02.0953 2444	mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
09:25:02.0953 2444	mouhid - ok
09:25:03.0031 2444	MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
09:25:03.0031 2444	MountMgr - ok
09:25:03.0078 2444	MPE (55a9a7e6bb297bf0f5b144029dcb79cc) C:\WINDOWS\system32\DRIVERS\MPE.sys
09:25:03.0078 2444	MPE - ok
09:25:03.0125 2444	mraid35x - ok
09:25:03.0187 2444	MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
09:25:03.0187 2444	MRxDAV - ok
09:25:03.0234 2444	MRxSmb (1fd607fc67f7f7c633c3da65bfc53d18) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
09:25:03.0250 2444	MRxSmb - ok
09:25:03.0281 2444	Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
09:25:03.0281 2444	Msfs - ok
09:25:03.0312 2444	MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
09:25:03.0312 2444	MSKSSRV - ok
09:25:03.0375 2444	MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
09:25:03.0375 2444	MSPCLOCK - ok
09:25:03.0437 2444	MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
09:25:03.0453 2444	MSPQM - ok
09:25:03.0484 2444	mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
09:25:03.0484 2444	mssmbios - ok
09:25:03.0531 2444	MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
09:25:03.0531 2444	MSTEE - ok
09:25:03.0578 2444	Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
09:25:03.0578 2444	Mup - ok
09:25:03.0656 2444	NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
09:25:03.0656 2444	NABTSFEC - ok
09:25:03.0734 2444	NAL (1e59aaed42a5e3a5ed86ec403f9c0776) C:\WINDOWS\system32\Drivers\iqvw32.sys
09:25:03.0734 2444	NAL - ok
09:25:03.0765 2444	NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
09:25:03.0765 2444	NDIS - ok
09:25:03.0812 2444	NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
09:25:03.0812 2444	NdisIP - ok
09:25:03.0890 2444	NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
09:25:03.0890 2444	NdisTapi - ok
09:25:03.0921 2444	Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
09:25:03.0921 2444	Ndisuio - ok
09:25:03.0984 2444	NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
09:25:03.0984 2444	NdisWan - ok
09:25:04.0015 2444	NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
09:25:04.0015 2444	NDProxy - ok
09:25:04.0031 2444	NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
09:25:04.0031 2444	NetBIOS - ok
09:25:04.0093 2444	NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
09:25:04.0093 2444	NetBT - ok
09:25:04.0125 2444	Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
09:25:04.0125 2444	Npfs - ok
09:25:04.0187 2444	Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
09:25:04.0187 2444	Ntfs - ok
09:25:04.0234 2444	Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
09:25:04.0234 2444	Null - ok
09:25:04.0593 2444	nv (4f15e1e56703f59c0ac00022162e5308) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
09:25:04.0640 2444	nv - ok
09:25:04.0734 2444	NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
09:25:04.0734 2444	NwlnkFlt - ok
09:25:04.0765 2444	NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
09:25:04.0765 2444	NwlnkFwd - ok
09:25:04.0812 2444	ossrv (103a9b117a7d9903111955cdafe65ac6) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
09:25:04.0812 2444	ossrv - ok
09:25:04.0859 2444	Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
09:25:04.0859 2444	Parport - ok
09:25:04.0890 2444	PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
09:25:04.0890 2444	PartMgr - ok
09:25:04.0937 2444	ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
09:25:04.0937 2444	ParVdm - ok
09:25:04.0968 2444	PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
09:25:04.0984 2444	PCI - ok
09:25:04.0984 2444	PCIDump - ok
09:25:05.0031 2444	PCIIde - ok
09:25:05.0078 2444	Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
09:25:05.0078 2444	Pcmcia - ok
09:25:05.0109 2444	PDCOMP - ok
09:25:05.0156 2444	PDFRAME - ok
09:25:05.0187 2444	PDRELI - ok
09:25:05.0218 2444	PDRFRAME - ok
09:25:05.0250 2444	perc2 - ok
09:25:05.0281 2444	perc2hib - ok
09:25:05.0359 2444	PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
09:25:05.0359 2444	PptpMiniport - ok
09:25:05.0375 2444	PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
09:25:05.0375 2444	PSched - ok
09:25:05.0390 2444	Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
09:25:05.0390 2444	Ptilink - ok
09:25:05.0453 2444	PxHelp20 (40f2031bd9148d3194353ea7dec97a07) C:\WINDOWS\system32\Drivers\PxHelp20.sys
09:25:05.0453 2444	PxHelp20 - ok
09:25:05.0484 2444	ql1080 - ok
09:25:05.0515 2444	Ql10wnt - ok
09:25:05.0531 2444	ql12160 - ok
09:25:05.0531 2444	ql1240 - ok
09:25:05.0593 2444	ql1280 - ok
09:25:05.0656 2444	RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
09:25:05.0656 2444	RasAcd - ok
09:25:05.0703 2444	Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
09:25:05.0703 2444	Rasl2tp - ok
09:25:05.0734 2444	RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
09:25:05.0734 2444	RasPppoe - ok
09:25:05.0812 2444	Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
09:25:05.0812 2444	Raspti - ok
09:25:05.0890 2444	Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
09:25:05.0890 2444	Rdbss - ok
09:25:05.0906 2444	RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
09:25:05.0906 2444	RDPCDD - ok
09:25:05.0984 2444	rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
09:25:05.0984 2444	rdpdr - ok
09:25:06.0093 2444	RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
09:25:06.0093 2444	RDPWD - ok
09:25:06.0171 2444	redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
09:25:06.0171 2444	redbook - ok
09:25:06.0218 2444	Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
09:25:06.0218 2444	Secdrv - ok
09:25:06.0265 2444	Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
09:25:06.0265 2444	Serial - ok
09:25:06.0312 2444	Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
09:25:06.0312 2444	Sfloppy - ok
09:25:06.0312 2444	Simbad - ok
09:25:06.0343 2444	SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
09:25:06.0343 2444	SLIP - ok
09:25:06.0390 2444	Sparrow - ok
09:25:06.0453 2444	splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
09:25:06.0453 2444	splitter - ok
09:25:06.0562 2444	sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
09:25:06.0562 2444	sr - ok
09:25:06.0640 2444	Srv (20b7e396720353e4117d64d9dcb926ca) C:\WINDOWS\system32\DRIVERS\srv.sys
09:25:06.0640 2444	Srv - ok
09:25:06.0671 2444	ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
09:25:06.0671 2444	ssmdrv - ok
09:25:06.0765 2444	STHDA (797fcc1d859b203958e915bb82528da9) C:\WINDOWS\system32\drivers\sthda.sys
09:25:06.0781 2444	STHDA - ok
09:25:06.0843 2444	StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
09:25:06.0843 2444	StillCam - ok
09:25:06.0921 2444	streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
09:25:06.0921 2444	streamip - ok
09:25:07.0000 2444	swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
09:25:07.0000 2444	swenum - ok
09:25:07.0062 2444	swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
09:25:07.0062 2444	swmidi - ok
09:25:07.0093 2444	symc810 - ok
09:25:07.0125 2444	symc8xx - ok
09:25:07.0140 2444	sym_hi - ok
09:25:07.0218 2444	sym_u3 - ok
09:25:07.0281 2444	sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
09:25:07.0281 2444	sysaudio - ok
09:25:07.0359 2444	Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
09:25:07.0359 2444	Tcpip - ok
09:25:07.0406 2444	TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
09:25:07.0406 2444	TDPIPE - ok
09:25:07.0468 2444	TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
09:25:07.0468 2444	TDTCP - ok
09:25:07.0531 2444	TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
09:25:07.0546 2444	TermDD - ok
09:25:07.0546 2444	TosIde - ok
09:25:07.0640 2444	Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
09:25:07.0640 2444	Udfs - ok
09:25:07.0640 2444	ultra - ok
09:25:07.0718 2444	Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
09:25:07.0734 2444	Update - ok
09:25:07.0796 2444	usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
09:25:07.0796 2444	usbehci - ok
09:25:07.0828 2444	usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
09:25:07.0828 2444	usbhub - ok
09:25:07.0906 2444	usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
09:25:07.0906 2444	usbscan - ok
09:25:07.0953 2444	usbstor (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
09:25:07.0953 2444	usbstor - ok
09:25:08.0015 2444	usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
09:25:08.0015 2444	usbuhci - ok
09:25:08.0062 2444	VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
09:25:08.0062 2444	VgaSave - ok
09:25:08.0078 2444	ViaIde - ok
09:25:08.0093 2444	VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
09:25:08.0093 2444	VolSnap - ok
09:25:08.0140 2444	Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
09:25:08.0140 2444	Wanarp - ok
09:25:08.0171 2444	WDICA - ok
09:25:08.0265 2444	wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
09:25:08.0265 2444	wdmaud - ok
09:25:08.0312 2444	WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
09:25:08.0312 2444	WS2IFSL - ok
09:25:08.0375 2444	WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
09:25:08.0375 2444	WSTCODEC - ok
09:25:08.0406 2444	MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
09:25:08.0546 2444	\Device\Harddisk0\DR0 - ok
09:25:08.0546 2444	Boot (0x1200) (0be61a02ddfc491f219f18a61d176e3c) \Device\Harddisk0\DR0\Partition0
09:25:08.0546 2444	\Device\Harddisk0\DR0\Partition0 - ok
09:25:08.0546 2444	============================================================
09:25:08.0546 2444	Scan finished
09:25:08.0546 2444	============================================================
09:25:08.0562 0192	Detected object count: 0
09:25:08.0562 0192	Actual detected object count: 0
09:25:32.0765 3692	Deinitialize success

and 

Farbar Service Scanner 
Ran by Bob Zoppa (administrator) on 10-12-2011 at 09:20:36
Microsoft Windows XP Professional Service Pack 2 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is OK.
The ImagePath of NetBt service is OK.


File Check:
===========
C:\WINDOWS\system32\svchost.exe
[2004-08-10 06:00] - [2004-08-10 06:00] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll
[2004-08-10 06:00] - [2004-08-10 06:00] - 0395776 ____A (Microsoft Corporation) 5C83A4408604F737717AB96371201680

C:\WINDOWS\system32\services.exe
[2004-08-10 06:00] - [2004-08-10 06:00] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-10 06:00] - [2004-08-10 06:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys
[2004-08-10 06:00] - [2004-08-10 06:00] - 0359040 ____A (Microsoft Corporation) 9F4B36614A0FC234525BA224957DE55C

C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-10 06:00] - [2004-08-10 06:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-10 06:00] - [2004-08-10 06:00] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D


Connection Status:
==================
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

**** End of log ****

Thanks 

Bob


----------



## turtledove

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Zappafrank,

I'm not seeing anything in the logs to explain the issue of connecting. To continue, please do the following:

Go here: Get Service Pack 3 please.
Download: Windows XP Service Pack 3 Network Installation Package for IT Professionals and Developers - Microsoft Download Center - Download Details

Install the Service Pack, do a final reboot when done and let me know how the computer is running now please.

Thank you


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Turtledove -- All done

Sadly still the same 
DHCP & TCP/IP NetBIOS Helper still not loading on their own, so the network address is not acquired; launch them manually and everything seems to work as it should.

If it helps, what I'm reading on the web tells me it is either one of the applicable registry keys or a windows\system32 driver or file, and recommends just replacing them.

Another said it was just a "registry security setting" stopping the loading

And I found a similar problem here on the forum see link below

http://www.techsupportforum.com/for...registry-setting-damage-suspected-616612.html

FSS file showing sp3 running

Bob

Farbar Service Scanner 
Ran by Bob Zoppa (administrator) on 10-12-2011 at 18:50:54
Microsoft Windows XP Service Pack 3 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is OK.
The ImagePath of NetBt service is OK.


File Check:
===========
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit

Connection Status:
==================
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

**** End of log ****


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Bob,

If you don't mind, since you referenced a thread I'm working on, please allow me to address your concerns. :smile:


> If it helps what I'm reading on the web tells me it is either one of the applicable registry keys, windows\system32 driver or files and recommended just replacing them
> 
> Another said it was just a "registry security setting" stopping the loading


Understandable thoughts, and good research on your part, but those have been checked thoroughly by the scans that turtledove had you run. If any of those drivers were patched or missing, it would have turned up either in Farbar's Service Scanner report or in the TDSSKiller report. Additionally, the SP3 upgrade would have replaced all those drivers in system32, so that rules that out.



> And I found a similar problem here on the forum see link below
> 
> http://www.techsupportforum.com/for...registry-setting-damage-suspected-616612.html


That thread I'm working is a different issue than what you are experiencing. Notice that the legacy_netbt key was reported as missing in the FSS.txt. Yours is not, or it would have been reported. As such, we need to traverse a different path to try to get to the bottom of your issue.

As I understand it, the services are there, and you can connect to the internet -- it's just that they will not start automatically.

A couple of things I'd like for you to do:

*1.* Download dds.exe from here and save it to your desktop. (note - this is not the same as dds.scr you downloaded and ran earlier)

Double click to run it, then click on the + next to 'Options for dds.txt' to expand that area.
Place a check next to 'disable whitelist' and click the Start button
You'll see a message asking you to confirm if that's what you want to do. Click Yes.
When finished, a log will be produced and saved on your desktop. That will be a long log, so please attach it to your next reply.

*2.* Open Notepad and copy/paste the contents inside the quote box below, into Notepad.



> sc qc DHCP > log.txt
> sc qc NetBT >>log.txt
> notepad log.txt


Save this as *look.bat* Choose to "Save type as - All Files"
It should look like this:

(screenshot)

Double click on look.bat & allow it to run. Then post the log which it produces


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Reed

Thanks for your offer of help -- I need it

You are correct -- the services are there but are not loading on their own.
Once I go in and manually start them all services seem to work as they should 

I'll have to write a log of all the steps taken to date - it goes back to 11/17/11 and includes a system "repair" from original discs, a missing registry key inserted (netbt IIRC), WINDOWS\system32\svchost.exe file replaced and all the scans requested by Turtledove [and a few more] run, and last [I think] an upgrade to service pack 3

the scans you requested are attached and/or pasted as instructed

Bob


[SC] GetServiceConfig SUCCESS

SERVICE_NAME: DHCP
TYPE : 20 WIN32_SHARE_PROCESS 
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs 
LOAD_ORDER_GROUP : TDI 
TAG : 0 
DISPLAY_NAME : DHCP Client 
DEPENDENCIES : Tcpip 
: Afd 
: NetBT 
SERVICE_START_NAME : LocalSystem 
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: NetBT
TYPE : 1 KERNEL_DRIVER 
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : System32\DRIVERS\netbt.sys 
LOAD_ORDER_GROUP : PNP_TDI 
TAG : 6 
DISPLAY_NAME : NetBios over Tcpip 
DEPENDENCIES : Tcpip 
SERVICE_START_NAME :
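
What Ried checks by eye in the `sc qc` output above (are DHCP's dependencies present, not disabled, and does each driver's dependency load no later than the driver itself?) can be scripted. The following is an added Python example, not code from the thread or from Microsoft: the DHCP and NetBT blocks are the ones Bob posted, while the Tcpip, IPSec and Afd blocks are constructed samples with assumed start types so that the whole chain resolves offline.

```python
"""Parse `sc qc` output and audit a service's dependency chain.

Added example for this thread (not the forum's or Microsoft's code).
THREAD_OUTPUT is the DHCP/NetBT output posted above; CONSTRUCTED_OUTPUT holds
assumed entries for Tcpip, IPSec and Afd so that the chain resolves offline."""

# START_TYPE values as printed by `sc qc`; lower numbers start in earlier phases.
BOOT_START, SYSTEM_START, AUTO_START, DEMAND_START, DISABLED = 0, 1, 2, 3, 4

THREAD_OUTPUT = r"""
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: DHCP
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DHCP Client
DEPENDENCIES : Tcpip
: Afd
: NetBT
SERVICE_START_NAME : LocalSystem
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: NetBT
TYPE : 1 KERNEL_DRIVER
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : System32\DRIVERS\netbt.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 6
DISPLAY_NAME : NetBios over Tcpip
DEPENDENCIES : Tcpip
SERVICE_START_NAME :
"""

# Constructed sample (assumed values, not posted in the thread).
CONSTRUCTED_OUTPUT = r"""
SERVICE_NAME: Tcpip
TYPE : 1 KERNEL_DRIVER
START_TYPE : 1 SYSTEM_START
DEPENDENCIES : IPSec

SERVICE_NAME: IPSec
TYPE : 1 KERNEL_DRIVER
START_TYPE : 1 SYSTEM_START

SERVICE_NAME: Afd
TYPE : 1 KERNEL_DRIVER
START_TYPE : 1 SYSTEM_START
"""


def parse_sc_qc(text):
    """Return {service_name: {field: value, "DEPENDENCIES": [names]}}."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[SC]"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "SERVICE_NAME":
            current = services.setdefault(value, {"DEPENDENCIES": []})
        elif current is None:
            continue
        elif key in ("DEPENDENCIES", ""):  # "" is a continuation line such as ": Afd"
            if value:
                current["DEPENDENCIES"].append(value)
        else:
            current[key] = value
    return services


def start_type(service):
    """Numeric start type from a line such as 'START_TYPE : 2 AUTO_START'."""
    return int(service["START_TYPE"].split()[0])


def is_driver(service):
    """TYPE 1 (kernel driver) or 2 (file system driver); 10/20 are Win32 services."""
    return service.get("TYPE", "").split()[0] in ("1", "2")


def check_dependencies(services, name, _seen=None):
    """Reasons `name` cannot come up on its own; an empty list means the chain is sound.

    A dependency must exist and must not be disabled.  For a kernel driver it must
    also load in the same or an earlier phase (the SCM starts a Win32 service's
    demand-start dependencies itself, so only drivers get the phase check)."""
    seen = _seen if _seen is not None else set()
    if name in seen:
        return []
    seen.add(name)
    service, problems = services[name], []
    for dep in service["DEPENDENCIES"]:
        if dep not in services:
            problems.append(f"{name}: dependency {dep} is not installed")
            continue
        dep_start = start_type(services[dep])
        if dep_start == DISABLED:
            problems.append(f"{name}: dependency {dep} is disabled")
        elif is_driver(service) and dep_start > start_type(service):
            problems.append(f"{name}: dependency {dep} starts in a later phase "
                            f"({services[dep]['START_TYPE']}) than {name}")
        problems.extend(check_dependencies(services, dep, seen))
    return problems


def audit(text):
    """Run the check for every service in the output; {name: [problems]}."""
    services = parse_sc_qc(text)
    return {name: check_dependencies(services, name) for name in services}
```

Run it on the two strings concatenated and every entry comes back with an empty problem list, which matches Ried's later reading that the dependencies and start types are in order; the useful part is that the same function flags a dependency that has been disabled or pushed into a later start phase.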


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

You're welcome. Let's take a look at the netbt key you replaced, if you don't mind. 

Open Notepad and copy/paste the contents inside the quote box below, into Notepad.



> regedit /a peek.txt "HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT"
> nircmd wait 2000
> notepad peek.txt


Save this as *netbtexport.bat* Choose to "Save type as - All Files"

Double click on the .bat file & allow it to run. Then post the log which it produces


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Reid 

here it is -

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000006
"ImagePath"=hex(2):53,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,6e,65,74,\
62,74,2e,73,79,73,00
"DisplayName"="NetBios over Tcpip"
"Group"="PNP_TDI"
"DependOnService"=hex(7):54,63,70,69,70,00,00
"DependOnGroup"=hex(7):00
"Description"="NetBios over Tcpip"

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Enum]
"0"="Root\\LEGACY_NETBT\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
"INITSTARTFAILED"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Linkage]
"OtherDependencies"=hex(7):54,63,70,69,70,00,00
"Bind"=hex(7):5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,44,38,30,44,30,41,\
39,33,2d,42,42,37,33,2d,34,43,34,39,2d,42,35,38,42,2d,34,39,32,35,30,39,37,\
44,30,34,35,35,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,42,38,36,\
46,33,43,39,38,2d,31,45,43,45,2d,34,39,30,31,2d,38,36,43,37,2d,35,30,36,35,\
30,33,33,43,32,37,43,42,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,\
44,41,38,33,36,42,31,37,2d,46,30,35,41,2d,34,35,35,41,2d,38,30,34,42,2d,36,\
41,44,39,43,32,33,38,31,30,35,37,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,\
70,5f,7b,31,34,33,35,32,41,38,34,2d,42,38,42,33,2d,34,30,46,36,2d,41,31,31,\
35,2d,39,42,33,43,36,35,31,36,37,42,38,33,7d,00,5c,44,65,76,69,63,65,5c,54,\
63,70,69,70,5f,7b,37,33,33,34,46,45,34,30,2d,32,46,33,39,2d,34,43,31,36,2d,\
42,36,41,44,2d,42,44,43,46,41,30,42,46,35,46,39,38,7d,00,00
"Route"=hex(7):22,54,63,70,69,70,22,20,22,7b,44,38,30,44,30,41,39,33,2d,42,42,\
37,33,2d,34,43,34,39,2d,42,35,38,42,2d,34,39,32,35,30,39,37,44,30,34,35,35,\
7d,22,00,22,54,63,70,69,70,22,20,22,7b,42,38,36,46,33,43,39,38,2d,31,45,43,\
45,2d,34,39,30,31,2d,38,36,43,37,2d,35,30,36,35,30,33,33,43,32,37,43,42,7d,\
22,00,22,54,63,70,69,70,22,20,22,7b,44,41,38,33,36,42,31,37,2d,46,30,35,41,\
2d,34,35,35,41,2d,38,30,34,42,2d,36,41,44,39,43,32,33,38,31,30,35,37,7d,22,\
00,22,54,63,70,69,70,22,20,22,4e,64,69,73,57,61,6e,49,70,22,00,00
"Export"=hex(7):5c,44,65,76,69,63,65,5c,4e,65,74,42,54,5f,54,63,70,69,70,5f,7b,\
44,38,30,44,30,41,39,33,2d,42,42,37,33,2d,34,43,34,39,2d,42,35,38,42,2d,34,\
39,32,35,30,39,37,44,30,34,35,35,7d,00,5c,44,65,76,69,63,65,5c,4e,65,74,42,\
54,5f,54,63,70,69,70,5f,7b,42,38,36,46,33,43,39,38,2d,31,45,43,45,2d,34,39,\
30,31,2d,38,36,43,37,2d,35,30,36,35,30,33,33,43,32,37,43,42,7d,00,5c,44,65,\
76,69,63,65,5c,4e,65,74,42,54,5f,54,63,70,69,70,5f,7b,44,41,38,33,36,42,31,\
37,2d,46,30,35,41,2d,34,35,35,41,2d,38,30,34,42,2d,36,41,44,39,43,32,33,38,\
31,30,35,37,7d,00,5c,44,65,76,69,63,65,5c,4e,65,74,42,54,5f,54,63,70,69,70,\
5f,7b,31,34,33,35,32,41,38,34,2d,42,38,42,33,2d,34,30,46,36,2d,41,31,31,35,\
2d,39,42,33,43,36,35,31,36,37,42,38,33,7d,00,5c,44,65,76,69,63,65,5c,4e,65,\
74,42,54,5f,54,63,70,69,70,5f,7b,37,33,33,34,46,45,34,30,2d,32,46,33,39,2d,\
34,43,31,36,2d,42,36,41,44,2d,42,44,43,46,41,30,42,46,35,46,39,38,7d,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters]
"NbProvider"="_tcp"
"NameServerPort"=dword:00000089
"CacheTimeout"=dword:000927c0
"BcastNameQueryCount"=dword:00000003
"BcastQueryTimeout"=dword:000002ee
"NameSrvQueryCount"=dword:00000003
"NameSrvQueryTimeout"=dword:000005dc
"Size/Small/Medium/Large"=dword:00000001
"SessionKeepAlive"=dword:0036ee80
"TransportBindName"="\\Device\\"
"EnableLMHOSTS"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters\Interfaces\Tcpip_{B86F3C98-1ECE-4901-86C7-5065033C27CB}]
"NameServerList"=hex(7):00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters\Interfaces\Tcpip_{D80D0A93-BB73-4C49-B58B-4925097D0455}]
"NameServerList"=hex(7):00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters\Interfaces\Tcpip_{DA836B17-F05A-455A-804B-6AD9C2381057}]
"NameServerList"=hex(7):00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Security]
"Security"=hex:01,00,14,80,e8,00,00,00,f4,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,b8,00,08,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,25,02,\
00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,14,\
00,40,00,00,00,01,01,00,00,00,00,00,05,13,00,00,00,00,00,14,00,40,00,00,00,\
01,01,00,00,00,00,00,05,14,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,\
00,00,05,20,00,00,00,2c,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Thanks. I'm not sure this will resolve the issue, but you are missing a subkey.

Open Notepad and copy/paste the following:



> Windows Registry Editor Version 5.00
> 
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Enum]
> "0"="Root\\LEGACY_NETBT\\0000"
> "Count"=dword:00000001
> "NextInstance"=dword:00000001


Save this as fix.reg and as type All Files

Double click, and allow it to merge with the registry.

Reboot.

Any change?


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Reed -- doing it now --back in a few min


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Reed -

Sorry no change -- 

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

One more thing to check, then I need to call it quits for the night and we'll have to continue tomorrow.

Click Start>Run and type the following into the Run box and click OK

*devmgmt.msc*

Click View>Show Hidden Devices

Click Non Plug n Play to expand the list. Do any of them have an exclamation point next to them?


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Yes -- two

Parport and serial

Screenshot attached 

Thanks again for your help -- 
Do you have a known time you'll be around tomorrow? 
I'll make sure to be around then if you do.

saw these in the scans and just have to ask

What's this? mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1

And does NetBT need a "SERVICE_START_NAME :" ?

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

I'll be in and out tomorrow. I wish I could give you a specific time table, but it's Sunday. :smile:

I do check my email notifications periodically throughout the day, and typically am online solidly after 9pm (EST)

I saw that key, and it did get my attention. I needed to rule out other possibilities that may have caused that.

Last job for you for the night. :smile:

Export that key for me, if you will. Open Notepad and copy/paste the following:



> regedit /a system.txt "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system"
> nircmd wait 2000
> notepad system.txt


Save it as *systemexport.bat* and as type All Files.

Double click, allow it to run and post the log it produces.

I'll review it tomorrow and have further instructions for you.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Reed -- 

Thanks I'll keep an eye on emails also and will be sure to be around from 9pm on 


This the right key? Think this is the key above the one I mentioned -anyway here it is 

Bob 

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00
"DisableRegistryTools"=dword:00000000


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Correct, I did have you export a different key. I was looking for something else due to the presence of that other key.

Did you or are you remoting into this computer?


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Reed,

I am not currently remoting in although a friend [network engineer] was earlier yesterday.

Think he was using team viewer 
Company uses "go to meeting" & I'll occasionally give someone else remote control
I use Citrix to access work servers.
Think that's it so anything else would be unauthorized.

_"I was looking for something else due to the presence of that other key."_?
And I'll quit 2nd guessing you now   

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

If allowing someone else to remote in, then that key is legit.

Just for the heck of it, change that dWord value to 0. Do you know how to do that?

If not, or if you're uncomfortable touching the registry, export that full key for me:



> regedit /a check.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Allow-LogonScript-NetBIOSDisabled"
> notepad check.txt


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Reed --

Ok with changing the value, it's done I'm rebooting now back in a few min

Just in case it's relevant -- boot up and loading of all the normal running services is taking 2-3 min total -- lots longer than normal
Could something be timing out? 

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hard to say at this point. We can do a quick check for system errors - run dds.scr and post both logs it creates.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Reed --

No change
Tried to attach the key so you can make sure it's correct got a pop up saying "notepad check.txt" can't be found


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

See if you can export the key manually. Navigate to the key, right click and select Export.

Zip it so you can attach it.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ok 
Here it is in text form and attached as a zip

Bob
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\system]
"Allow-LogonScript-NetbiosDisabled"=dword:00000000


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Oh wow, sorry about that. Obviously I botched the export script. 

You did fine changing it to 0.

The only other thing I can think of, would be tcpip key. May as well get a look at that. Same as before, create a batch file:



> regedit /a tcpip.txt "HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP"
> nircmd wait 2000
> notepad tcpip.txt


Save it as tcpip.bat, double click and post the log it produces.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Thanks Reed 

Ok --Here it is

Bob

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000004
"ImagePath"=hex(2):73,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,74,63,70,\
69,70,2e,73,79,73,00
"DisplayName"="TCP/IP Protocol Driver"
"Group"="PNP_TDI"
"DependOnService"=hex(7):49,50,53,65,63,00,00
"DependOnGroup"=hex(7):00
"Description"="TCP/IP Protocol Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Linkage]
"Bind"=hex(7):5c,44,65,76,69,63,65,5c,7b,44,38,30,44,30,41,39,33,2d,42,42,37,\
33,2d,34,43,34,39,2d,42,35,38,42,2d,34,39,32,35,30,39,37,44,30,34,35,35,7d,\
00,5c,44,65,76,69,63,65,5c,7b,42,38,36,46,33,43,39,38,2d,31,45,43,45,2d,34,\
39,30,31,2d,38,36,43,37,2d,35,30,36,35,30,33,33,43,32,37,43,42,7d,00,5c,44,\
65,76,69,63,65,5c,7b,44,41,38,33,36,42,31,37,2d,46,30,35,41,2d,34,35,35,41,\
2d,38,30,34,42,2d,36,41,44,39,43,32,33,38,31,30,35,37,7d,00,5c,44,65,76,69,\
63,65,5c,4e,64,69,73,57,61,6e,49,70,00,00
"Route"=hex(7):22,7b,44,38,30,44,30,41,39,33,2d,42,42,37,33,2d,34,43,34,39,2d,\
42,35,38,42,2d,34,39,32,35,30,39,37,44,30,34,35,35,7d,22,00,22,7b,42,38,36,\
46,33,43,39,38,2d,31,45,43,45,2d,34,39,30,31,2d,38,36,43,37,2d,35,30,36,35,\
30,33,33,43,32,37,43,42,7d,22,00,22,7b,44,41,38,33,36,42,31,37,2d,46,30,35,\
41,2d,34,35,35,41,2d,38,30,34,42,2d,36,41,44,39,43,32,33,38,31,30,35,37,7d,\
22,00,22,4e,64,69,73,57,61,6e,49,70,22,00,00
"Export"=hex(7):5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,44,38,30,44,30,41,\
39,33,2d,42,42,37,33,2d,34,43,34,39,2d,42,35,38,42,2d,34,39,32,35,30,39,37,\
44,30,34,35,35,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,42,38,36,\
46,33,43,39,38,2d,31,45,43,45,2d,34,39,30,31,2d,38,36,43,37,2d,35,30,36,35,\
30,33,33,43,32,37,43,42,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,\
44,41,38,33,36,42,31,37,2d,46,30,35,41,2d,34,35,35,41,2d,38,30,34,42,2d,36,\
41,44,39,43,32,33,38,31,30,35,37,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,\
70,5f,7b,31,34,33,35,32,41,38,34,2d,42,38,42,33,2d,34,30,46,36,2d,41,31,31,\
35,2d,39,42,33,43,36,35,31,36,37,42,38,33,7d,00,5c,44,65,76,69,63,65,5c,54,\
63,70,69,70,5f,7b,37,33,33,34,46,45,34,30,2d,32,46,33,39,2d,34,43,31,36,2d,\
42,36,41,44,2d,42,44,43,46,41,30,42,46,35,46,39,38,7d,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters]
"NV Hostname"="robertzoppa"
"DataBasePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,64,72,69,76,65,72,73,5c,65,74,63,00
"ForwardBroadcasts"=dword:00000000
"IPEnableRouter"=dword:00000000
"Domain"=""
"Hostname"="robertzoppa"
"DeadGWDetectDefault"=dword:00000001
"CitrixBackupTcpWindowSize"=dword:00000000
"SearchList"=""
"UseDomainNameDevolution"=dword:00000001
"DontAddDefaultGatewayDefault"=dword:00000000
"EnableICMPRedirect"=dword:00000001
"EnableSecurityFilters"=dword:00000000
"DhcpNameServer"="192.168.0.1"

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Adapters]

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Adapters\NdisWanIp]
"LLInterface"="WANARP"
"IpConfig"=hex(7):54,63,70,69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,74,\
65,72,66,61,63,65,73,5c,7b,31,34,33,35,32,41,38,34,2d,42,38,42,33,2d,34,30,\
46,36,2d,41,31,31,35,2d,39,42,33,43,36,35,31,36,37,42,38,33,7d,00,54,63,70,\
69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,74,65,72,66,61,63,65,73,5c,\
7b,37,33,33,34,46,45,34,30,2d,32,46,33,39,2d,34,43,31,36,2d,42,36,41,44,2d,\
42,44,43,46,41,30,42,46,35,46,39,38,7d,00,00
"NumInterfaces"=dword:00000002
"IpInterfaces"=hex:84,2a,35,14,b3,b8,f6,40,a1,15,9b,3c,65,16,7b,83,40,fe,34,73,\
39,2f,16,4c,b6,ad,bd,cf,a0,bf,5f,98

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Adapters\{B86F3C98-1ECE-4901-86C7-5065033C27CB}]
"LLInterface"=""
"IpConfig"=hex(7):54,63,70,69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,74,\
65,72,66,61,63,65,73,5c,7b,42,38,36,46,33,43,39,38,2d,31,45,43,45,2d,34,39,\
30,31,2d,38,36,43,37,2d,35,30,36,35,30,33,33,43,32,37,43,42,7d,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Adapters\{D80D0A93-BB73-4C49-B58B-4925097D0455}]
"LLInterface"=""
"IpConfig"=hex(7):54,63,70,69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,74,\
65,72,66,61,63,65,73,5c,7b,44,38,30,44,30,41,39,33,2d,42,42,37,33,2d,34,43,\
34,39,2d,42,35,38,42,2d,34,39,32,35,30,39,37,44,30,34,35,35,7d,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Adapters\{DA836B17-F05A-455A-804B-6AD9C2381057}]
"LLInterface"=""
"IpConfig"=hex(7):54,63,70,69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,74,\
65,72,66,61,63,65,73,5c,7b,44,41,38,33,36,42,31,37,2d,46,30,35,41,2d,34,35,\
35,41,2d,38,30,34,42,2d,36,41,44,39,43,32,33,38,31,30,35,37,7d,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\DNSRegisteredAdapters]

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Interfaces\{14352A84-B8B3-40F6-A115-9B3C65167B83}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00
"SubnetMask"=hex(7):30,2e,30,2e,30,2e,30,00,00
"DefaultGateway"=hex(7):00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Interfaces\{7334FE40-2F39-4C16-B6AD-BDCFA0BF5F98}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00
"SubnetMask"=hex(7):30,2e,30,2e,30,2e,30,00,00
"DefaultGateway"=hex(7):00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Interfaces\{B86F3C98-1ECE-4901-86C7-5065033C27CB}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00
"SubnetMask"=hex(7):30,2e,30,2e,30,2e,30,00,00
"DefaultGateway"=hex(7):00
"DefaultGatewayMetric"=hex(7):00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):00
"UDPAllowedPorts"=hex(7):00
"RawIPAllowedProtocols"=hex(7):00
"NTEContextList"=hex(7):00
"DhcpClassIdBin"=hex:
"DhcpServer"="255.255.255.255"
"Lease"=dword:00000e10
"LeaseObtainedTime"=dword:4c975827
"T1"=dword:4c975f2f
"T2"=dword:4c976475
"LeaseTerminatesTime"=dword:4c976637
"AddressType"=dword:00000000
"DisableDynamicUpdate"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Interfaces\{D80D0A93-BB73-4C49-B58B-4925097D0455}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00
"SubnetMask"=hex(7):30,2e,30,2e,30,2e,30,00,00
"DefaultGateway"=hex(7):00
"DefaultGatewayMetric"=hex(7):00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00
"UDPAllowedPorts"=hex(7):30,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00
"NTEContextList"=hex(7):30,78,30,30,30,30,30,30,30,32,00,00
"DhcpClassIdBin"=hex:
"DhcpServer"="192.168.0.1"
"Lease"=dword:00093a80
"LeaseObtainedTime"=dword:4ee4eda7
"T1"=dword:4ee98ae7
"T2"=dword:4eed00d7
"LeaseTerminatesTime"=dword:4eee2827
"IPAutoconfigurationAddress"="0.0.0.0"
"IPAutoconfigurationMask"="255.255.0.0"
"IPAutoconfigurationSeed"=dword:00000000
"AddressType"=dword:00000000
"IsServerNapAware"=dword:00000000
"DhcpIPAddress"="192.168.0.100"
"DhcpSubnetMask"="255.255.255.0"
"DhcpRetryTime"=dword:00049d40
"DhcpRetryStatus"=dword:00000000
"DhcpNameServer"="192.168.0.1"
"DhcpDefaultGateway"=hex(7):31,39,32,2e,31,36,38,2e,30,2e,31,00,00
"DhcpSubnetMaskOpt"=hex(7):32,35,35,2e,32,35,35,2e,32,35,35,2e,30,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Interfaces\{DA836B17-F05A-455A-804B-6AD9C2381057}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00
"SubnetMask"=hex(7):30,2e,30,2e,30,2e,30,00,00
"DefaultGateway"=hex(7):00
"DefaultGatewayMetric"=hex(7):00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):00
"UDPAllowedPorts"=hex(7):00
"RawIPAllowedProtocols"=hex(7):00
"NTEContextList"=hex(7):30,78,30,30,30,30,30,30,30,33,00,00
"DhcpClassIdBin"=hex:
"AddressType"=dword:00000000
"DisableDynamicUpdate"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\PersistentRoutes]

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Winsock]
"UseDelayedAcceptance"=dword:00000000
"HelperDllName"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,\
6d,33,32,5c,77,73,68,74,63,70,69,70,2e,64,6c,6c,00
"MaxSockAddrLength"=dword:00000010
"MinSockAddrLength"=dword:00000010
"Mapping"=hex:0b,00,00,00,03,00,00,00,02,00,00,00,01,00,00,00,06,00,00,00,02,\
00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,06,00,00,00,00,00,\
00,00,00,00,00,00,06,00,00,00,00,00,00,00,01,00,00,00,06,00,00,00,02,00,00,\
00,02,00,00,00,11,00,00,00,02,00,00,00,02,00,00,00,00,00,00,00,02,00,00,00,\
00,00,00,00,11,00,00,00,00,00,00,00,00,00,00,00,11,00,00,00,00,00,00,00,02,\
00,00,00,11,00,00,00,02,00,00,00,03,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Performance]
"Close"="CloseTcpIpPerformanceData"
"Collect"="CollectTcpIpPerformanceData"
"Library"="Perfctrs.dll"
"Open"="OpenTcpIpPerformanceData"
"Object List"="502 510 546 582 638 658"
"WbemAdapFileSignature"=hex:96,49,2c,72,1c,6e,a5,17,e2,bf,d5,38,1f,ef,55,e3
"WbemAdapFileTime"=hex:00,f8,16,2e,c9,7e,c4,01
"WbemAdapFileSize"=dword:00009c00
"WbemAdapStatus"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\ServiceProvider]
"Class"=dword:00000008
"DnsPriority"=dword:000007d0
"HostsPriority"=dword:000001f4
"LocalPriority"=dword:000001f3
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,77,73,6f,63,6b,33,32,2e,64,6c,6c,00
"NetbtPriority"=dword:000007d1
"Name"="TCP/IP"

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Enum]
"0"="Root\\LEGACY_TCPIP\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
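
The parts of the NetBT export earlier in the thread and of the TCPIP export just posted that are hard to read by eye are the hex(2) and hex(7) values: in a `regedit /a` (REGEDIT4, ANSI) export those are REG_EXPAND_SZ and REG_MULTI_SZ strings written one byte per character and NUL terminated. The decoder below is an added Python example, not code from the thread or from Microsoft. Its sample export is trimmed from the two exports posted here with nothing altered, so it shows, for instance, that NetBT's ImagePath is `System32\DRIVERS\netbt.sys`, that it depends only on Tcpip, and that the DHCP lease on the {D80D0A93-...} interface is seven days.

```python
"""Decode a `regedit /a` (REGEDIT4, ANSI) export into Python values.

Added example for this thread, not code from the forum or from Microsoft.
hex(2) is REG_EXPAND_SZ and hex(7) is REG_MULTI_SZ; in this ANSI export format
both are one byte per character (a Version 5.00 export would be UTF-16LE).
SAMPLE_EXPORT is trimmed from the NetBT and TCPIP exports posted in the thread."""
import re

SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT]
"Type"=dword:00000001
"Start"=dword:00000001
"Tag"=dword:00000006
"ImagePath"=hex(2):53,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,6e,65,74,\
62,74,2e,73,79,73,00
"DisplayName"="NetBios over Tcpip"
"DependOnService"=hex(7):54,63,70,69,70,00,00
"DependOnGroup"=hex(7):00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Enum]
"0"="Root\\LEGACY_NETBT\\0000"
"Count"=dword:00000001
"INITSTARTFAILED"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Interfaces\{D80D0A93-BB73-4C49-B58B-4925097D0455}]
"EnableDHCP"=dword:00000001
"DhcpIPAddress"="192.168.0.100"
"DhcpServer"="192.168.0.1"
"Lease"=dword:00093a80
"DhcpDefaultGateway"=hex(7):31,39,32,2e,31,36,38,2e,30,2e,31,00,00
"DhcpClassIdBin"=hex:
"""


def decode_value(rest):
    """Turn the text after '=' into str, int, list[str] or bytes."""
    if rest.startswith('"'):                      # REG_SZ, with \\ and \" escapes
        return rest[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if rest.startswith("dword:"):                 # REG_DWORD, hex digits
        return int(rest[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", rest)
    if not m:
        raise ValueError(f"unsupported value syntax: {rest}")
    kind = int(m.group(1) or 3)                   # bare 'hex:' is REG_BINARY (3)
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind == 2:                                 # REG_EXPAND_SZ: NUL terminated
        return data.split(b"\x00", 1)[0].decode("latin-1")
    if kind == 7:                                 # REG_MULTI_SZ: NUL separated
        return [s.decode("latin-1") for s in data.split(b"\x00") if s]
    return data


def parse_reg_export(text):
    """Return {key_path: {value_name: decoded_value}}."""
    joined = re.sub(r",\\\r?\n[ \t]*", ",", text)  # rejoin lines ending in ',\'
    keys, current = {}, None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        if current is None:
            raise ValueError(f"value outside any key: {line}")
        name, _, rest = line.partition("=")
        current[name.strip().strip('"')] = decode_value(rest.strip())
    return keys


def driver_summary(keys, key_path):
    """The fields Ried reads off a driver service key, as one small dict."""
    values = keys[key_path]
    return {
        "image": values["ImagePath"],
        "start": values["Start"],
        "tag": values["Tag"],
        "depends_on": values.get("DependOnService", []),
        "depends_on_group": values.get("DependOnGroup", []),
    }
```

`driver_summary` works on any of the service keys exported in this thread (NetBT, TCPIP, Ipsec), and the dword decoding makes the DHCP lease timers readable: `Lease` is 0x93a80 = 604800 seconds.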


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

I'm not seeing any problem there, either.

All the dependencies are in order. Services that should be set as System are indeed set properly, as well as the other dependencies being set correctly as Automatic.

RPC Locator is even set properly as Manual.

Let's confirm that the active malware has indeed been cleared. Would you please run another gmer scan, following the same configuration as earlier, and post the log.

One more question - when you boot into Safe Mode with Networking, are those services automatically starting for you?


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ok let me reboot into safe mode and see

I'll reply back after that and then run gmer -- Is that one that takes a while?


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Yes, that one takes a while.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Reed
The services do not start in Safe Mode either

Off to run gmer

Do you want that run with the services started or not? 

Bob


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Reed 

Running GMER with services started.

Going to take care of some errands while it's running --after that, it's sunny here [mid Atlantic coast] need an hr play time
Dog sitting for friends --he's been patiently waiting with a ball in his mouth and legs crossed since lunch time 

Back by 6m ish

Thanks yet again for your help --especially on a sunny Sunday .

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

I was just about to tell you the same thing. :grin:

We'll continue this evening - enjoy the sunshine!


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Reed
I'm back - errands done - dog walked & fed, he's still hopefully carrying the ball around though.

GMER--either it takes a really long time or it's hanging up 
I've looked at it every few hrs and once found it doing nothing, the next saw it stop and then do nothing -- each time after watching it for 20 min or so I've restarted it. Wait longer?

Just restarted it again -it'd been running [or hanging ] for close to 2 hrs 

Each time the last line is device \filesystem\cdf's\cdf's and the time I saw it stop it was scanning the windows folder

How long does it take on average -- I think it's about a 250 gb sata drive 1/2 full

I've run it successfully twice in the last week -- since then only major changes are the SP3 upgrade and replacing win\system32\svchost32.exe

I've turned off the virus software, screen saver and am not using it for anything. This email sent from work laptop

Ideas? 

Bob


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Reed,

last gmer scan ran for around 2 hrs -- file scanning ended at 9:04 pm, no reports & no obvious signs of activity -it's 9:26 now
Normal? 

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Sorry for the delay. Okay, thanks. I need to go through the registry exports you gave me earlier, and double check the Tag settings. Be back in a bit.


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

They appear as they should be. May as well get a look at Ipsec, since it plays an integral part in all this.

We'll need 2 more exports. Create yet another batch file:



> regedit /a ipsec.txt "HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\Ipsec"
> notepad ipsec.txt


Save it as ipseclook.bat and as type All Files

Double click, and post the log it produces.

=======================================

And this one...



> regedit /a grouporder.txt "HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\grouporderlist"
> nircmd wait 2000
> notepad grouporder.txt


Save as grouporder.bat and as Type All Files

Double click and post the log. You may have to attach it.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Reed

Thanks for coming back -- I'm ready to run screaming myself 

Note --3rd try at GMER never produced any logs either - waited around 1 1/2 after the scanning stopped.

Ok here's your scans 

Bob

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\Ipsec]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000005
"ImagePath"=hex(2):73,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,69,70,73,\
65,63,2e,73,79,73,00
"DisplayName"="IPSEC driver"
"Group"="PNP_TDI"
"Description"="IPSEC driver"

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\Ipsec\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\Ipsec\Enum]
"0"="Root\\LEGACY_IPSEC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

And

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\grouporderlist]
"Base"=hex:13,00,00,00,0e,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00,04,00,\
00,00,05,00,00,00,06,00,00,00,07,00,00,00,08,00,00,00,09,00,00,00,0a,00,00,\
00,0b,00,00,00,0c,00,00,00,0d,00,00,00,0f,00,00,00,10,00,00,00,11,00,00,00,\
12,00,00,00,13,00,00,00
"Boot Bus Extender"=hex:05,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00,04,00,\
00,00,05,00,00,00
"Extended Base"=hex:10,00,00,00,01,00,00,00,02,00,00,00,04,00,00,00,03,00,00,\
00,10,00,00,00,05,00,00,00,0b,00,00,00,0e,00,00,00,08,00,00,00,06,00,00,00,\
0d,00,00,00,07,00,00,00,09,00,00,00,0a,00,00,00,0c,00,00,00,0f,00,00,00
"Keyboard Class"=hex:01,00,00,00,01,00,00,00
"Keyboard Port"=hex:04,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00,04,00,00,\
00
"Ndis"=hex:0e,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00,04,00,00,00,05,00,\
00,00,06,00,00,00,07,00,00,00,08,00,00,00,09,00,00,00,0a,00,00,00,0b,00,00,\
00,0c,00,00,00,0d,00,00,00,0e,00,00,00
"Network"=hex:06,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00,04,00,00,00,05,\
00,00,00,06,00,00,00
"Parallel arbitrator"=hex:01,00,00,00,01,00,00,00
"PNP_TDI"=hex:08,00,00,00,05,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00,04,\
00,00,00,06,00,00,00,07,00,00,00,08,00,00,00
"Pointer Class"=hex:01,00,00,00,01,00,00,00
"Pointer Port"=hex:04,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00,04,00,00,00
"Primary Disk"=hex:05,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00,04,00,00,00,\
05,00,00,00
"SCSI CDROM Class"=hex:02,00,00,00,01,00,00,00,02,00,00,00
"SCSI Class"=hex:03,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00
"SCSI Miniport"=hex:3f,00,00,00,00,01,00,00,01,01,00,00,19,00,00,00,01,00,00,\
00,02,00,00,00,03,00,00,00,04,00,00,00,05,00,00,00,06,00,00,00,07,00,00,00,\
08,00,00,00,09,00,00,00,0a,00,00,00,0b,00,00,00,0c,00,00,00,0d,00,00,00,0e,\
00,00,00,0f,00,00,00,10,00,00,00,11,00,00,00,12,00,00,00,13,00,00,00,14,00,\
00,00,15,00,00,00,16,00,00,00,17,00,00,00,1a,00,00,00,18,00,00,00,1b,00,00,\
00,1c,00,00,00,1d,00,00,00,1e,00,00,00,1f,00,00,00,20,00,00,00,23,00,00,00,\
24,00,00,00,25,00,00,00,26,00,00,00,27,00,00,00,28,00,00,00,29,00,00,00,2a,\
00,00,00,2b,00,00,00,2c,00,00,00,2d,00,00,00,2e,00,00,00,2f,00,00,00,30,00,\
00,00,31,00,00,00,32,00,00,00,33,00,00,00,34,00,00,00,35,00,00,00,36,00,00,\
00,37,00,00,00,38,00,00,00,39,00,00,00,3a,00,00,00,3b,00,00,00,3c,00,00,00,\
3d,00,00,00,3e,00,00,00,3f,00,00,00
"SpoolerGroup"=hex:02,00,00,00,01,00,00,00,02,00,00,00
"System Bus Extender"=hex:0a,00,00,00,03,00,00,00,04,00,00,00,01,00,00,00,08,\
00,00,00,09,00,00,00,0a,00,00,00,0b,00,00,00,0c,00,00,00,0d,00,00,00,0e,00,\
00,00
"Video"=hex:03,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00
"Video Init"=hex:01,00,00,00,01,00,00,00
"Video Save"=hex:01,00,00,00,01,00,00,00
"FSFilter Infrastructure"=hex:04,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00,\
04,00,00,00
"FSFilter System"=hex:03,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00
"FSFilter Bottom"=hex:03,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00
"FSFilter Copy Protection"=hex:03,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00
"FSFilter Security Enhancer"=hex:03,00,00,00,01,00,00,00,02,00,00,00,03,00,00,\
00
"FSFilter Open File"=hex:03,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00
"FSFilter Physical Quota Management"=hex:03,00,00,00,01,00,00,00,02,00,00,00,\
03,00,00,00
"FSFilter Encryption"=hex:03,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00
"FSFilter Compression"=hex:03,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00
"FSFilter HSM"=hex:03,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00
"FSFilter Cluster File System"=hex:03,00,00,00,01,00,00,00,02,00,00,00,03,00,\
00,00
"FSFilter System Recovery"=hex:04,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00,\
04,00,00,00
"FSFilter Quota Management"=hex:03,00,00,00,01,00,00,00,02,00,00,00,03,00,00,\
00
"FSFilter Content Screener"=hex:03,00,00,00,01,00,00,00,02,00,00,00,03,00,00,\
00
"FSFilter Continuous Backup"=hex:03,00,00,00,01,00,00,00,02,00,00,00,03,00,00,\
00
"FSFilter Replication"=hex:03,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00
"FSFilter Anti-Virus"=hex:07,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00,04,\
00,00,00,05,00,00,00,06,00,00,00,07,00,00,00
"FSFilter Undelete"=hex:03,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00
"FSFilter Activity Monitor"=hex:03,00,00,00,01,00,00,00,02,00,00,00,03,00,00,\
00
"FSFilter Top"=hex:03,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00
"Filter"=hex:06,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00,04,00,00,00,05,00,\
00,00,06,00,00,00
"Pnp Filter"=hex:02,00,00,00,01,00,00,00,02,00,00,00
"NetBIOSGroup"=hex:01,00,00,00,01,00,00,00
"Streams Drivers"=hex:01,00,00,00,01,00,00,00


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Thanks. :grin:

I need some time to compare that grouporder with my clean XP. I'll be back...

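Ried's plan above is to compare that GroupOrderList export against a clean XP machine. The script below is an added example, not a tool from the thread: it decodes the two REGEDIT4 data types involved (in this ANSI export format a hex(2) ImagePath is a NUL-terminated byte string, and every GroupOrderList value is a little-endian DWORD count followed by that many DWORD tags giving the load order within the group) and diffs the decoded lists against a baseline. SAMPLE_REG is a trimmed copy of the export above; BASELINE is a constructed stand-in, and real reference values must come from a known-good machine at the same service-pack level.

```python
"""Decode a REGEDIT4 export and compare GroupOrderList with a baseline."""
import re

# Constructed sample: a trimmed copy of the export posted in the thread.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\Ipsec]
"Type"=dword:00000001
"Start"=dword:00000001
"Tag"=dword:00000005
"ImagePath"=hex(2):73,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,69,70,73,\
  65,63,2e,73,79,73,00
"Group"="PNP_TDI"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\grouporderlist]
"PNP_TDI"=hex:08,00,00,00,05,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00,04,\
  00,00,00,06,00,00,00,07,00,00,00,08,00,00,00
"Video"=hex:03,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00
'''

# Constructed baseline standing in for an export from a clean XP box
# (assumption: a real baseline must come from a known-good machine at the
# same service-pack level; these three entries are only an illustration).
BASELINE = {
    'PNP_TDI': [5, 1, 2, 3, 4, 6, 7, 8],
    'Video': [1, 2, 3],
    'Streams Drivers': [1],
}

GOL_KEY = 'hkey_local_machine\\system\\currentcontrolset\\control\\grouporderlist'
SVC_KEY = 'hkey_local_machine\\system\\currentcontrolset\\services\\'

_CONT = re.compile(r'\\\r?\n[ \t]*')   # regedit wraps long hex data with a trailing backslash


def _hexbytes(s):
    return bytes(int(b, 16) for b in s.split(',') if b.strip())


def parse_reg(text):
    """Parse a REGEDIT4 (ANSI) export into {key: {name: (type, data)}}.
    Keys are lower-cased because regedit exports them in mixed case."""
    keys, current = {}, None
    for raw in _CONT.sub('', text).splitlines():
        line = raw.strip()
        if not line or line == 'REGEDIT4':
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('dword:'):
            keys[current][name] = ('dword', int(data[6:], 16))
        elif data.startswith('hex(2):'):          # REG_EXPAND_SZ, NUL-terminated ANSI in REGEDIT4
            keys[current][name] = ('expand_sz', _hexbytes(data[7:]).decode('latin-1').rstrip('\x00'))
        elif data.startswith('hex:'):             # REG_BINARY
            keys[current][name] = ('binary', _hexbytes(data[4:]))
        elif data.startswith('"') and data.endswith('"'):
            keys[current][name] = ('sz', data[1:-1].replace('\\\\', '\\'))
    return keys


def decode_group_order(blob):
    """GroupOrderList values are REG_BINARY: a little-endian DWORD count
    followed by that many DWORD tags (the load order within the group)."""
    if len(blob) < 4 or len(blob) % 4:
        raise ValueError('malformed GroupOrderList blob')
    words = [int.from_bytes(blob[i:i + 4], 'little') for i in range(0, len(blob), 4)]
    count, tags = words[0], words[1:]
    if count != len(tags):
        raise ValueError(f'count field {count} does not match {len(tags)} tags')
    return tags


def group_orders(keys):
    """{group name: [tags]} for every entry under GroupOrderList."""
    return {name: decode_group_order(data)
            for name, (kind, data) in keys.get(GOL_KEY, {}).items() if kind == 'binary'}


def compare_group_order(actual, baseline):
    """{group: (actual, baseline)} for groups that differ or exist on one side only."""
    return {g: (actual.get(g), baseline.get(g))
            for g in sorted(set(actual) | set(baseline)) if actual.get(g) != baseline.get(g)}


def service_load_position(keys, service):
    """0-based position of a service's Tag in its group's load order, or None
    when the Tag is not listed (untagged drivers load after the listed ones)."""
    svc = keys[SVC_KEY + service.lower()]
    order = group_orders(keys).get(svc['Group'][1], [])
    tag = svc['Tag'][1]
    return order.index(tag) if tag in order else None


if __name__ == '__main__':
    parsed = parse_reg(SAMPLE_REG)
    print('Ipsec ImagePath :', parsed[SVC_KEY + 'ipsec']['ImagePath'][1])
    print('Ipsec load slot :', service_load_position(parsed, 'Ipsec'))
    for group, (got, want) in compare_group_order(group_orders(parsed), BASELINE).items():
        print(f'DIFF {group}: machine={got} baseline={want}')
```

Run as-is it reports the one group the constructed baseline has and the sample lacks; feed it the full export and a real baseline to see which groups the infection, or the cleanup, disturbed. A count field that disagrees with the number of tags is raised as an error rather than silently skipped, since that is exactly the kind of damage a comparison by eye would miss.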

----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Could you do me one more favor? Download *VEW.exe*


Double click on VEW.exe to start the program. If you receive an "Open File" security warning, press Run. 
In the "*Select log to query*" section check: 
Application
System


In the "*Select type to list*" section check: 
Error


In the "*Number or dates of events*" section check : 
*Number of events*... then enter any number from 1 thru 20 in the entry box -- enter 10.


Press the Run button.
When the process completes, it only takes a few seconds...
Notepad will open with a report file named: VEW.txt... located on %SystemDrive%\VEW.txt ... usually C:\VEW.txt. Send me the VEW.txt


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Happy to 
Here it is.

Bob

ino's Event Viewer v01c run on Windows XP in English
Report run at 11/12/2011 11:13:33 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 10/12/2011 12:12:11 PM
Type: error Category: 0
Event: 1001 Source: Application Hang
Fault bucket -1665931649. 

Log: 'Application' Date/Time: 10/12/2011 12:12:05 PM
Type: error Category: 101
Event: 1002 Source: Application Hang
Hanging application firefox.exe, version 7.0.1.4288, hang module hungapp, version 0.0.0.0, hang address 0x00000000. 

Log: 'Application' Date/Time: 09/12/2011 9:34:31 PM
Type: error Category: 0
Event: 1001 Source: Application Hang
Fault bucket 127043675. 

Log: 'Application' Date/Time: 09/12/2011 9:34:28 PM
Type: error Category: 101
Event: 1002 Source: Application Hang
Hanging application explorer.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000. 

Log: 'Application' Date/Time: 08/12/2011 8:52:20 AM
Type: error Category: 101
Event: 1002 Source: Application Hang
Hanging application wfica32.exe, version 12.0.3.6, hang module hungapp, version 0.0.0.0, hang address 0x00000000. 

Log: 'Application' Date/Time: 06/12/2011 3:57:57 PM
Type: error Category: 1
Event: 1031 Source: ASP.NET 1.0.3705.6018
The event description cannot be found.

Log: 'Application' Date/Time: 06/12/2011 1:16:32 PM
Type: error Category: 1
Event: 1031 Source: ASP.NET 1.0.3705.6018
The event description cannot be found.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 10/12/2011 3:36:56 PM
Type: error Category: 8
Event: 20 Source: Windows Update Agent
Installation Failure: Windows failed to install the following update with error 0x8007f070: Microsoft .NET Framework 1.0 Service Pack 3 Security Update for Windows XP Tablet PC and Media Center (KB953295). 

Log: 'System' Date/Time: 10/12/2011 3:09:02 PM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: NetBT 

Log: 'System' Date/Time: 10/12/2011 3:09:00 PM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The TCP/IP NetBIOS Helper service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning. 

Log: 'System' Date/Time: 10/12/2011 3:09:00 PM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning. 

Log: 'System' Date/Time: 10/12/2011 1:53:52 PM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: NetBT 

Log: 'System' Date/Time: 10/12/2011 1:53:50 PM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The TCP/IP NetBIOS Helper service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning. 

Log: 'System' Date/Time: 10/12/2011 1:53:50 PM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning. 

Log: 'System' Date/Time: 10/12/2011 9:18:14 AM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: NetBT 

Log: 'System' Date/Time: 10/12/2011 9:18:10 AM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The TCP/IP NetBIOS Helper service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning. 

Log: 'System' Date/Time: 10/12/2011 9:18:10 AM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

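The System log above says the same thing three boots in a row: NetBT fails to load (event 7026), and DHCP Client and TCP/IP NetBIOS Helper then fail because their dependency did not start (event 7001). The script below is an added example, not anything posted in the thread: it parses VEW's report format and joins the two event types to name the driver at the root of the chain. The error text, "A device attached to the system is not functioning", is Win32 error 31 (ERROR_GEN_FAILURE). SAMPLE_VEW is four records copied from the report above; the DISPLAY_TO_SERVICE map is an assumption, filled in only with the one pair visible on this page.

```python
"""Triage SCM errors in a VEW.txt report: find the driver whose load failure
cascades into the services that have to be started by hand."""
import re

# Constructed sample: four records copied from the VEW.txt posted above.
SAMPLE_VEW = """\
Log: 'System' Date/Time: 10/12/2011 3:09:02 PM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: NetBT

Log: 'System' Date/Time: 10/12/2011 3:09:00 PM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The TCP/IP NetBIOS Helper service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

Log: 'System' Date/Time: 10/12/2011 3:09:00 PM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

Log: 'Application' Date/Time: 10/12/2011 12:12:05 PM
Type: error Category: 101
Event: 1002 Source: Application Hang
Hanging application firefox.exe, version 7.0.1.4288, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
"""

HEADER = re.compile(r"Log: '(\w+)' Date/Time: (.+)")
EVENT = re.compile(r'Event: (\d+) Source: (.+)')
DEPENDS = re.compile(r'The (.+?) service depends on the (.+?) service which failed to start '
                     r'because of the following error: (.+)')
NOT_LOADED = re.compile(r'driver\(s\) failed to load: (.+)')

# Event 7001 names the dependency by display name, 7026 by service (driver)
# name, so the two are joined through a display-name map.  Only the pair
# visible on this page is filled in; assumption: extend it from the registry.
DISPLAY_TO_SERVICE = {'NetBios over Tcpip': 'NetBT'}

# "A device attached to the system is not functioning." is Win32 error 31,
# ERROR_GEN_FAILURE, the usual mapping of STATUS_UNSUCCESSFUL from a driver
# load that did not complete.


def parse_vew(text):
    """Split a VEW report into records: log, time, event id, source, message."""
    records = []
    for block in re.split(r'\n[ \t]*\n', text.strip()):
        lines = [l.strip() for l in block.splitlines()]
        if len(lines) < 4:
            continue
        hdr, ev = HEADER.match(lines[0]), EVENT.match(lines[2])
        if not (hdr and ev):
            continue
        records.append({'log': hdr.group(1), 'time': hdr.group(2).strip(),
                        'event': int(ev.group(1)), 'source': ev.group(2).strip(),
                        'message': ' '.join(lines[3:]).strip()})
    return records


def scm_failures(records):
    """From Service Control Manager errors: {dependency display name: set of
    dependents} (7001), the error text per dependency, and the set of
    boot/system-start drivers that did not load (7026)."""
    dependents, errors, not_loaded = {}, {}, set()
    for r in records:
        if r['source'] != 'Service Control Manager':
            continue
        if r['event'] == 7001:
            m = DEPENDS.match(r['message'])
            if m:
                dependents.setdefault(m.group(2), set()).add(m.group(1))
                errors[m.group(2)] = m.group(3).strip()
        elif r['event'] == 7026:
            m = NOT_LOADED.search(r['message'])
            if m:
                not_loaded.update(d for d in re.split(r'[,\s]+', m.group(1).strip()) if d)
    return dependents, errors, not_loaded


def root_cause(records):
    """(driver, sorted dependents, error) for a dependency that both failed
    its dependents (7001) and was reported as not loaded (7026); else None."""
    dependents, errors, not_loaded = scm_failures(records)
    for display, svcs in dependents.items():
        driver = DISPLAY_TO_SERVICE.get(display, display)
        if driver in not_loaded:
            return driver, sorted(svcs), errors[display]
    return None


if __name__ == '__main__':
    found = root_cause(parse_vew(SAMPLE_VEW))
    if found:
        driver, svcs, err = found
        print(f'{driver} did not load ({err}); took down: {", ".join(svcs)}')
```

The point of joining the two event types is that 7001 on its own only tells you which services are victims; it is the 7026 record that names the driver whose image or DriverEntry failed, and that is the file and registry key to examine, not the DHCP Client service that the symptoms point at.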

----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Thanks. 

In your very first post with the attach.txt that dds.scr produced, the D-Link AirPlus DWL-520+ Wireless PCI Adapter is listed as being disabled in Device Manager. Can you tell me more about that?


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hey Ried --

Seems to always come back to netbt -- I replaced the netbt reg key but not Windows\system32\drivers\netbt.sys 

It was still there, even though the key had been deleted.
Could it be corrupt? The driver?

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Good thought, but system32\drivers\netbt.sys was replaced when you installed SP3.

We posted around the same time - scroll up to see my last question. :smile:

**edit**

Also, if it were corrupt, you wouldn't be able to manually start NetBT.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Ried said:


> Thanks.
> 
> In your very first post with the attach.txt that dds.scr produced, the D-Link AirPlus DWL-520+ Wireless PCI Adapter is listed as being disabled in Device Manager. Can you tell me more about that?


Yes -- I have a wireless card in my desktop -- used to use it when the DSL outlet was across the room -- moved the outlet, now able to plug directly into the router, so disabled the wireless card.

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Well, that makes sense. :smile:

Please go to *Virus Total* 
Use the Browse button to navigate to the following file

*c:\windows\system32\drivers\AIRPLUS.SYS*
Double click the file so it shows up in the *'Upload a file'* section.


Click 'Send File'

If you see a message 'File has already been analysed'. Click Reanalyse file now.

Post the link to those results in your next reply.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hey Ried

From an Avira AntiVir log file from the day of the infection, 11-16-11.
See towards the bottom what it did with the NetBT driver and reg key



Avira AntiVir Personal
Report file date: Wednesday, November 16, 2011 23:00

Scanning for 3549193 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : ROBERTZOPPA

Version information:
BUILD.DAT : 10.2.0.704 35934 Bytes 9/28/2011 13:34:00
AVSCAN.EXE : 10.3.0.7 484008 Bytes 7/3/2011 21:00:18
AVSCAN.DLL : 10.0.5.0 47464 Bytes 7/3/2011 21:00:18
LUKE.DLL : 10.3.0.5 45416 Bytes 7/3/2011 21:00:19
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 04:40:49
AVSCPLR.DLL : 10.3.0.7 119656 Bytes 7/3/2011 21:00:20
AVREG.DLL : 10.3.0.9 88833 Bytes 7/12/2011 11:39:15
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 12:41:30
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 12:41:30
VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 12:41:30
VBASE004.VDF : 7.11.8.178 2354176 Bytes 5/31/2011 21:46:41
VBASE005.VDF : 7.11.10.251 1788416 Bytes 7/7/2011 19:54:56
VBASE006.VDF : 7.11.13.60 6411776 Bytes 8/16/2011 12:30:19
VBASE007.VDF : 7.11.15.106 2389504 Bytes 10/5/2011 11:06:40
VBASE008.VDF : 7.11.15.107 2048 Bytes 10/5/2011 11:06:40
VBASE009.VDF : 7.11.15.108 2048 Bytes 10/5/2011 11:06:40
VBASE010.VDF : 7.11.15.109 2048 Bytes 10/5/2011 11:06:40
VBASE011.VDF : 7.11.15.110 2048 Bytes 10/5/2011 11:06:40
VBASE012.VDF : 7.11.15.111 2048 Bytes 10/5/2011 11:06:40
VBASE013.VDF : 7.11.15.144 161792 Bytes 10/7/2011 11:06:41
VBASE014.VDF : 7.11.15.177 130048 Bytes 10/10/2011 11:06:41
VBASE015.VDF : 7.11.15.213 113664 Bytes 10/11/2011 11:06:42
VBASE016.VDF : 7.11.16.1 163328 Bytes 10/14/2011 12:22:40
VBASE017.VDF : 7.11.16.34 187904 Bytes 10/18/2011 12:06:36
VBASE018.VDF : 7.11.16.77 139264 Bytes 10/20/2011 02:50:54
VBASE019.VDF : 7.11.16.112 162816 Bytes 10/24/2011 10:59:56
VBASE020.VDF : 7.11.16.150 167424 Bytes 10/26/2011 11:05:59
VBASE021.VDF : 7.11.16.187 171520 Bytes 10/28/2011 11:54:34
VBASE022.VDF : 7.11.16.209 190976 Bytes 10/31/2011 12:44:08
VBASE023.VDF : 7.11.16.243 158208 Bytes 11/2/2011 12:44:09
VBASE024.VDF : 7.11.17.21 194560 Bytes 11/6/2011 00:09:46
VBASE025.VDF : 7.11.17.101 202752 Bytes 11/9/2011 12:17:06
VBASE026.VDF : 7.11.17.137 214528 Bytes 11/11/2011 12:17:09
VBASE027.VDF : 7.11.17.154 278528 Bytes 11/14/2011 03:37:55
VBASE028.VDF : 7.11.17.197 175616 Bytes 11/16/2011 03:37:55
VBASE029.VDF : 7.11.17.198 2048 Bytes 11/16/2011 03:37:55
VBASE030.VDF : 7.11.17.199 2048 Bytes 11/16/2011 03:37:56
VBASE031.VDF : 7.11.17.203 25600 Bytes 11/16/2011 03:37:56
Engineversion : 8.2.6.112 
AEVDF.DLL : 8.1.2.2 106868 Bytes 10/27/2011 11:06:14
AESCRIPT.DLL : 8.1.3.85 463227 Bytes 11/13/2011 12:17:28
AESCN.DLL : 8.1.7.2 127349 Bytes 4/11/2011 12:41:30
AESBX.DLL : 8.2.1.34 323957 Bytes 6/1/2011 21:46:51
AERDL.DLL : 8.1.9.15 639348 Bytes 9/12/2011 16:52:43
AEPACK.DLL : 8.2.13.4 684406 Bytes 11/13/2011 12:17:26
AEOFFICE.DLL : 8.1.2.19 201084 Bytes 11/5/2011 12:08:26
AEHEUR.DLL : 8.1.2.190 3813752 Bytes 11/13/2011 12:17:23
AEHELP.DLL : 8.1.18.0 254327 Bytes 10/27/2011 11:06:05
AEGEN.DLL : 8.1.5.13 405877 Bytes 11/8/2011 12:04:26
AEEMU.DLL : 8.1.3.0 393589 Bytes 4/11/2011 12:41:30
AECORE.DLL : 8.1.24.0 196983 Bytes 10/27/2011 11:06:03
AEBB.DLL : 8.1.1.0 53618 Bytes 4/11/2011 12:41:30
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 17:03:38
AVPREF.DLL : 10.0.3.2 44904 Bytes 7/3/2011 21:00:18
AVREP.DLL : 10.0.0.10 174120 Bytes 5/21/2011 23:14:18
AVARKT.DLL : 10.0.26.1 255336 Bytes 7/3/2011 21:00:18
AVEVTLOG.DLL : 10.0.0.9 203112 Bytes 7/3/2011 21:00:18
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 17:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 20:38:56
NETNT.DLL  : 10.0.0.0 11624 Bytes 2/19/2010 19:41:00
RCIMAGE.DLL : 10.0.0.35 2589544 Bytes 7/3/2011 21:00:17
RCTEXT.DLL : 10.0.64.0 97640 Bytes 7/3/2011 21:00:17

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: Default
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, 
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: Advanced
Deviating risk categories...........: +GAME,+PFS,

Start of the scan: Wednesday, November 16, 2011 23:00

Starting search for hidden objects.

The scan of running processes will be started
Scan process 'rsmsink.exe' - '28' Module(s) have been scanned
Scan process 'jucheck.exe' - '46' Module(s) have been scanned
Scan process 'msdtc.exe' - '40' Module(s) have been scanned
Scan process 'dllhost.exe' - '44' Module(s) have been scanned
Scan process 'vssvc.exe' - '47' Module(s) have been scanned
Scan process 'avscan.exe' - '68' Module(s) have been scanned
Scan process 'avcenter.exe' - '59' Module(s) have been scanned
Scan process 'wuauclt.exe' - '35' Module(s) have been scanned
Scan process 'alg.exe' - '38' Module(s) have been scanned
Scan process 'ehmsas.exe' - '19' Module(s) have been scanned
Scan process 'dllhost.exe' - '58' Module(s) have been scanned
Scan process 'mcrdsvc.exe' - '37' Module(s) have been scanned
Module is OK -> <\\.\globalroot\systemroot\system32\mswsock.dll>
[WARNING] The file could not be opened!
Scan process 'svchost.exe' - '54' Module(s) have been scanned
Scan process 'avshadow.exe' - '24' Module(s) have been scanned
Scan process 'jqs.exe' - '36' Module(s) have been scanned
Module is OK -> <\\.\globalroot\systemroot\system32\mswsock.dll>
[WARNING] The file could not be opened!
Scan process 'Iaantmon.exe' - '11' Module(s) have been scanned
Scan process 'ehSched.exe' - '19' Module(s) have been scanned
Scan process 'ehRecvr.exe' - '87' Module(s) have been scanned
Scan process 'CTsvcCDA.exe' - '8' Module(s) have been scanned
Scan process 'CreativeLicensing.exe' - '8' Module(s) have been scanned
Scan process 'avguard.exe' - '53' Module(s) have been scanned
Scan process 'wfcrun32.exe' - '46' Module(s) have been scanned
Scan process 'ctfmon.exe' - '23' Module(s) have been scanned
Scan process 'jusched.exe' - '20' Module(s) have been scanned
Scan process 'concentr.exe' - '31' Module(s) have been scanned
Scan process 'avgnt.exe' - '45' Module(s) have been scanned
Scan process 'CTSysVol.exe' - '38' Module(s) have been scanned
Scan process 'DLACTRLW.EXE' - '27' Module(s) have been scanned
Scan process 'ehtray.exe' - '33' Module(s) have been scanned
Scan process 'Iaanotif.exe' - '36' Module(s) have been scanned
Scan process 'issch.exe' - '10' Module(s) have been scanned
Scan process 'RUNDLL32.EXE' - '27' Module(s) have been scanned
Scan process 'AndreaVC.exe' - '31' Module(s) have been scanned
Scan process 'svchost.exe' - '33' Module(s) have been scanned
Scan process 'sched.exe' - '42' Module(s) have been scanned
Scan process 'brss01a.exe' - '10' Module(s) have been scanned
Scan process 'brsvc01a.exe' - '8' Module(s) have been scanned
Scan process 'Explorer.EXE' - '76' Module(s) have been scanned
Scan process 'svchost.exe' - '43' Module(s) have been scanned
Module is OK -> <\\.\globalroot\systemroot\system32\mswsock.dll>
[WARNING] The file could not be opened!
Scan process 'svchost.exe' - '37' Module(s) have been scanned
Module is OK -> <\\.\globalroot\systemroot\system32\mswsock.dll>
[WARNING] The file could not be opened!
Scan process 'svchost.exe' - '152' Module(s) have been scanned
Module is OK -> <\\.\globalroot\systemroot\system32\mswsock.dll>
[WARNING] The file could not be opened!
Scan process 'svchost.exe' - '44' Module(s) have been scanned
Scan process 'svchost.exe' - '51' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '36' Module(s) have been scanned
Scan process 'lsass.exe' - '61' Module(s) have been scanned
Module is OK -> <\\.\globalroot\systemroot\system32\mswsock.dll>
[WARNING] The file could not be opened!
Scan process 'services.exe' - '35' Module(s) have been scanned
Scan process 'winlogon.exe' - '63' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '480' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Documents and Settings\Bob Zoppa\Application Data\Sun\Java\Deployment\cache\6.0\48\6c52a970-3ed27d46
[0] Archive type: ZIP
--> json/Search.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.KR.2 Java virus
C:\Documents and Settings\Bob Zoppa\Application Data\Sun\Java\Deployment\cache\6.0\6\21af7106-532bba11
[0] Archive type: ZIP
--> json/Parser.class
[DETECTION] Contains recognition pattern of the EXP/2010-0840.P exploit
--> json/XML.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.FH exploit
C:\Documents and Settings\Bob Zoppa\Application Data\Sun\Java\Deployment\cache\6.0\61\7c5c0c3d-182f8bb5
[0] Archive type: ZIP
--> json/Search.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.KR.2 Java virus
C:\Documents and Settings\Bob Zoppa\Local Settings\temp\jar_cache5485400568630636405.tmp
[0] Archive type: ZIP
--> cut.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.FE exploit
C:\Documents and Settings\Bob Zoppa\Local Settings\temp\jar_cache742365888782948280.tmp
[0] Archive type: ZIP
--> shena.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0842.Z exploit
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OZ2327YR\d76782c14c1137556d85063ecd026129[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen2 HTML script virus
C:\System Volume Information\_restore{EDF618B8-38CE-4D98-BA49-20573AE49D70}\RP373\A0032307.sys
[DETECTION] Is the TR/Rootkit.Gen2 Trojan
C:\WINDOWS\system32\drivers\netbt.sys
[DETECTION] Is the TR/Rootkit.Gen2 Trojan

Beginning disinfection:
C:\WINDOWS\system32\drivers\netbt.sys
[DETECTION] Is the TR/Rootkit.Gen2 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\ImagePath> was successfully repaired.
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT\ImagePath> was successfully repaired.
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NetBT\ImagePath> was successfully repaired.
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NetBT\ImagePath> was successfully repaired.
[NOTE] The file was moved to the quarantine directory under the name '4d9e15ad.qua'.
C:\System Volume Information\_restore{EDF618B8-38CE-4D98-BA49-20573AE49D70}\RP373\A0032307.sys
[DETECTION] Is the TR/Rootkit.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '54c53a35.qua'.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OZ2327YR\d76782c14c1137556d85063ecd026129[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen2 HTML script virus
[NOTE] The file could not be copied to quarantine!
[NOTE] The file does not exist!
C:\Documents and Settings\Bob Zoppa\Local Settings\temp\jar_cache742365888782948280.tmp
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0842.Z exploit
[NOTE] The file was moved to the quarantine directory under the name '616f2f5a.qua'.
C:\Documents and Settings\Bob Zoppa\Local Settings\temp\jar_cache5485400568630636405.tmp
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.FE exploit
[NOTE] The file was moved to the quarantine directory under the name '24eb0264.qua'.
C:\Documents and Settings\Bob Zoppa\Application Data\Sun\Java\Deployment\cache\6.0\61\7c5c0c3d-182f8bb5
[DETECTION] Contains recognition pattern of the JAVA/Agent.KR.2 Java virus
[NOTE] The file was moved to the quarantine directory under the name '5a3f3007.qua'.
C:\Documents and Settings\Bob Zoppa\Application Data\Sun\Java\Deployment\cache\6.0\6\21af7106-532bba11
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.FH exploit
[NOTE] The file was moved to the quarantine directory under the name '175b1c1f.qua'.
C:\Documents and Settings\Bob Zoppa\Application Data\Sun\Java\Deployment\cache\6.0\48\6c52a970-3ed27d46
[DETECTION] Contains recognition pattern of the JAVA/Agent.KR.2 Java virus
[NOTE] The file was moved to the quarantine directory under the name '6a9f5c1d.qua'.


End of the scan: Thursday, November 17, 2011 01:59
Used time: 52:22 Minute(s)

The scan has been done completely.

6946 Scanned directories
219550 Files were scanned
9 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
7 Files were moved to quarantine
0 Files were renamed
6 Files cannot be scanned
219535 Files not concerned
2080 Archives were scanned
6 Warnings
8 Notes
399398 Objects were scanned with rootkit scan
0 Hidden objects were found


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Ried said:


> Well, that makes sense. :smile:
> 
> Please go to *Virus Total*
> Use the Browse button to navigate to the following file
> 
> *c:\windows\system32\drivers\AIRPLUS.SYS*
> Double click the file so it shows up in the *'Upload a file'* section.
> 
> 
> Click 'Send File'
> 
> If you see a message 'File has already been analysed'. Click Reanalyse file now.
> 
> Post the link to those results in your next reply.


Ried,
OK, here it is - not sure what to copy -- this OK? 

File name: AIRPLUS.SYS
Submission date: 2011-12-12 04:30:17 (UTC)
Current status: finished
Result: 0/43 (0.0%)
VT Community: not reviewed
Safety score: -

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2011.12.10.02 | 2011.12.11 | - |
| AntiVir | 7.11.19.61 | 2011.12.12 | - |
| Antiy-AVL | 2.0.3.7 | 2011.12.12 | - |
| Avast | 6.0.1289.0 | 2011.12.11 | - |
| AVG | 10.0.0.1190 | 2011.12.11 | - |
| BitDefender | 7.2 | 2011.12.12 | - |
| ByteHero | 1.0.0.1 | 2011.12.07 | - |
| CAT-QuickHeal | 12.00 | 2011.12.11 | - |
| ClamAV | 0.97.3.0 | 2011.12.12 | - |
| Commtouch | 5.3.2.6 | 2011.12.11 | - |
| Comodo | 10927 | 2011.12.12 | - |
| DrWeb | 5.0.2.03300 | 2011.12.12 | - |
| Emsisoft | 5.1.0.11 | 2011.12.12 | - |
| eSafe | 7.0.17.0 | 2011.12.11 | - |
| eTrust-Vet | 37.0.9616 | 2011.12.09 | - |
| F-Prot | 4.6.5.141 | 2011.11.29 | - |
| F-Secure | 9.0.16440.0 | 2011.12.12 | - |
| Fortinet | 4.3.388.0 | 2011.12.12 | - |
| GData | 22 | 2011.12.12 | - |
| Ikarus | T3.1.1.109.0 | 2011.12.12 | - |
| Jiangmin | 13.0.900 | 2011.12.11 | - |
| K7AntiVirus | 9.119.5640 | 2011.12.09 | - |
| Kaspersky | 9.0.0.837 | 2011.12.12 | - |
| McAfee | 5.400.0.1158 | 2011.12.12 | - |
| McAfee-GW-Edition | 2010.1E | 2011.12.11 | - |
| Microsoft | 1.7903 | 2011.12.11 | - |
| NOD32 | 6691 | 2011.12.07 | - |
| Norman | 6.07.13 | 2011.12.11 | - |
| nProtect | 2011-12-11.01 | 2011.12.12 | - |
| Panda | 10.0.3.5 | 2011.12.11 | - |
| PCTools | 8.0.0.5 | 2011.12.12 | - |
| Prevx | 3.0 | 2011.12.12 | - |
| Rising | 23.87.03.02 | 2011.12.08 | - |
| Sophos | 4.72.0 | 2011.12.12 | - |
| SUPERAntiSpyware | 4.40.0.1006 | 2011.12.10 | - |
| Symantec | 20111.2.0.82 | 2011.12.11 | - |
| TheHacker | 6.7.0.1.356 | 2011.12.11 | - |
| TrendMicro | 9.500.0.1008 | 2011.12.12 | - |
| TrendMicro-HouseCall | 9.500.0.1008 | 2011.12.12 | - |
| VBA32 | 3.12.16.4 | 2011.12.09 | - |
| VIPRE | 11239 | 2011.12.12 | - |
| ViRobot | 2011.12.12.4820 | 2011.12.12 | - |
| VirusBuster | 14.1.110.0 | 2011.12.11 | - |
Additional information
MD5 : b8e77ffad750ae818a0c0363f9d1544d
SHA1 : 4184250b48755c0ed839aaeb1f4906ed03ff0b8e
SHA256: 0c84be4c181a68b629c3a657f5e7eecbb69cb9256f6223739a23680d6ccb5f2c


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Thanks, and there goes that theory. :normal:

I wanted the actual link to the VT results so I could click on the Show All button and get file version info, but no need. 


As far as your AV results, I'm not surprised. We run across this all the time when commercial AVs try to disinfect ZAccess infection, which is why I had you run FSS. It is designed specifically for checking that internet services are intact, with proper image paths, etc.

The exports I had you do, confirm the tool was accurate. 

======================================

What I'd like you to do is run an online scan and see if it turns up any infected files. Please go to *here* to run the online scanner from ESET.
 Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to *YES, I accept the Terms of Use.*
Click *Start*
When asked, allow the activex control to install
Click *Start*
Make sure that the option *Remove found threats* is *unticked*, and the option *Scan unwanted applications* is *checked*
Click on *Advanced Settings* and ensure these options are ticked:
*Scan for potentially unwanted applications*
*Scan for potentially unsafe applications*
*Enable Anti-Stealth Technology*

Click *Scan*
Wait for the scan to finish
If any threats were found, click the *'List of found threats' *, then click* Export to text file...*. 
Save it to your desktop, then please copy and paste that log as a reply to this topic.

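Ried's point above is that the AV's "disinfection" of a ZAccess-patched system driver is what leaves services needing a manual start: the Avira report posted earlier shows the scanner rewriting the NetBT ImagePath and quarantining netbt.sys rather than restoring a clean copy. The script below is an added example, not part of the thread: it walks the "Beginning disinfection" section of an Avira report and flags every quarantined file that lived in system32\drivers, together with the service ImagePath values the scanner rewrote, which is the list to check (and restore from known-good media) before chasing anything else. SAMPLE_AVIRA is a trimmed copy of the section posted above.

```python
"""Audit an Avira AntiVir report: which quarantined files were system
drivers, and which service ImagePath values the scanner rewrote."""
import re

# Constructed sample: the disinfection section of the report posted above,
# trimmed to three entries.
SAMPLE_AVIRA = r"""Beginning disinfection:
C:\WINDOWS\system32\drivers\netbt.sys
[DETECTION] Is the TR/Rootkit.Gen2 Trojan
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\ImagePath> was successfully repaired.
[NOTE] The registration entry <HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT\ImagePath> was successfully repaired.
[NOTE] The file was moved to the quarantine directory under the name '4d9e15ad.qua'.
C:\System Volume Information\_restore{EDF618B8-38CE-4D98-BA49-20573AE49D70}\RP373\A0032307.sys
[DETECTION] Is the TR/Rootkit.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '54c53a35.qua'.
C:\Documents and Settings\Bob Zoppa\Local Settings\temp\jar_cache742365888782948280.tmp
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0842.Z exploit
[NOTE] The file was moved to the quarantine directory under the name '616f2f5a.qua'.


End of the scan: Thursday, November 17, 2011 01:59
"""

REG_ENTRY = re.compile(r'registration entry <([^>]+)>')
QUARANTINE = re.compile(r"quarantine directory under the name '([^']+)'")
DRIVER_DIR = '\\windows\\system32\\drivers\\'


def parse_disinfection(text):
    """Group the 'Beginning disinfection' section into one record per file:
    path, detection name, registry values the AV rewrote, quarantine name."""
    items, cur, active = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == 'Beginning disinfection:':
            active = True
            continue
        if not active or not line:
            continue
        if line.startswith('End of the scan'):
            break
        if line.startswith('['):
            if cur is None:
                continue
            tag, _, rest = line.partition('] ')
            if tag == '[DETECTION':
                cur['detection'] = rest
            elif tag == '[NOTE':
                m = REG_ENTRY.search(rest)
                if m:
                    cur['registry'].append(m.group(1))
                m = QUARANTINE.search(rest)
                if m:
                    cur['quarantine'] = m.group(1)
        else:                                   # a path line starts a new record
            cur = {'path': line, 'detection': None, 'registry': [], 'quarantine': None}
            items.append(cur)
    return items


def service_for(reg_path):
    """Service name from a ...\\Services\\<name>\\ImagePath path, else None."""
    parts = reg_path.split('\\')
    if len(parts) >= 3 and parts[-1].lower() == 'imagepath' and parts[-3].lower() == 'services':
        return parts[-2]
    return None


def quarantined_drivers(items):
    """Records whose quarantined file lived in system32\\drivers.  Each is a
    service binary the scanner removed rather than restored, so that service
    has nothing to load until a clean copy is put back; any ImagePath the
    scanner 'repaired' for it must be checked against the default."""
    out = []
    for it in items:
        if it['quarantine'] and DRIVER_DIR in it['path'].lower():
            services = sorted({s for s in map(service_for, it['registry']) if s})
            out.append({'file': it['path'].rsplit('\\', 1)[-1],
                        'services': services,
                        'detection': it['detection'],
                        'quarantine': it['quarantine']})
    return out


if __name__ == '__main__':
    for hit in quarantined_drivers(parse_disinfection(SAMPLE_AVIRA)):
        print(f"{hit['file']} -> quarantined as {hit['quarantine']}; "
              f"check ImagePath of: {', '.join(hit['services']) or '(none rewritten)'}")
```

The restore-point copy and the Java cache entries are deliberately not flagged: quarantining those removes nothing the running system loads. The driver hit is the one that explains a 7026 load failure at the next boot, and the rewritten ImagePath values are where an export of the service key should be compared against the stock value before trusting the "successfully repaired" note.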

----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried,

Ok Scanning now.

Bob


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried 
Still scanning 95% done

Found this in the windows repair install log
Mean anything? 
NETBT, vetoed and failed, all in the same paragraph, got my attention.

#I125 Installing NULL driver for "ROOT\LEGACY_NETBT\0000".
#W100 Query-removal during install of "ROOT\LEGACY_NETBT\0000" was vetoed by "Root\LEGACY_NETBT\0000" (veto type 1: PNP_VetoLegacyDevice).
#W104 Device "ROOT\LEGACY_NETBT\0000" required reboot: Query remove failed (install) CfgMgr32 returned: 0x17: CR_REMOVE_VETOED.


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

There were likely other legacy drivers that showed that same error, no?


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried,

Done - that last 5% took a while

here they are 

Will be signing off soon --back on tomorrow 6:30-7:00 am will be on all day [while working ] 
Thanks again for your help
Bob

C:\Documents and Settings\Bob Zoppa\Application Data\Sun\Java\Deployment\cache\6.0\35\5da37e63-4e0d5813	a variant of Win32/Kryptik.WSK trojan
C:\System Volume Information\_restore{EDF618B8-38CE-4D98-BA49-20573AE49D70}\RP1\A0001512.exe	a variant of Win32/Kryptik.WSK trojan


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Those findings are not anything significant, nor would they have anything to do with the services needing to be started manually. :sigh:

System Volume Information is where System Restore's cache is stored. We'll clear that when we are through. 

For the first detection in Sun Java cache, download *TFC *(Temp File Cleaner) to your desktop.

Save any unsaved work as TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click "Yes" to reboot.

Get some rest, we'll continue tomorrow. :sayyes:


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Ried said:


> There were likely other legacy drivers that showed that same error, no?


yes wasn't looking for them but noticed a few
My thought was if netbt wasn't removed & replaced it could still be corrupt

Freely admit grasping at straws here 

Wish I knew the process exactly the way it happens

Seems to me it can only be several things
Whatever the trigger is to launch the processes the exe & dll's , or the drivers.
What else is there? 
The processes work once started so it's got to be the initialization process failed or something is blocking it.

Only other thing I keep seeing is "_ the NetBios over Tcpip service failed to start because of the following error A device attached to the system is not functioning."_

So during boot up isn't being seen so the launch fails


Aaarrgh

Till tomorrow.

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Just had a thought - you mentioned in your first post that your printer is connected directly to the router, and it isn't working quite right.

Disconnect the printer from the Router. Did that help?


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Geez, 1am post? Making me feel guilty; it's my machine and I gave up before that.

Anyway no luck there -- rebooted with the printer unplugged and then the router unplugged - same issue.

Note: one of the things done along the way -- I think replacing the existing Windows system32 svchost.exe file with one from a working machine -- got the printer back up and running.
This was after the Windows "repair" was done -- may be part of the reason I don't have complete faith that all of the existing necessary files are ok.

Bob


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Ried said:


> Those findings are not anything significant, nor would they have anything to do with the services needing to be started manually. :sigh:
> 
> System Volume Information is where System Restore's cache is stored. We'll clear that when we are through.
> 
> For the first detection in Sun Java cache, download *TFC* (Temp File Cleaner) to your desktop.
> 
> Save any unsaved work as TFC will close all open application windows.
> Double-click TFC.exe to run the program.
> If prompted, click "Yes" to reboot.
> 
> Get some rest, we'll continue tomorrow. :sayyes:


Ried --done.

Bob


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried -

Another quote from a virus scan log.

Good? bad?

Windows was configured to use a proxy! Proxy settings have been removed.
The Proxy Server that was configured is: 
If this was a valid setting, please double-click on the rk-proxy.reg file on your desktop and allow the data to be merged to restore your proxy settings.


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Given that you just updated to SP3, I would put a bit more faith that the files are okay. If you wish, you could run sfc /scannow from the Run command box, and see if it does find any corrupted files. 

ZAccess can be a real pain - it sometimes borks networking and can sometimes be impossible to find what it did to make that happen.

Another idea - click Start>Run and type in *devmgmt.msc* to open the Device Manager.

Locate the Network Adapter, right click and select *Uninstall*. Reboot, and upon reboot, Windows should automatically reinstall it. 

Any change in dhcp starting as it should?


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Sorry Bob, I was testing and posting to you and didn't look to see that you had replied.

Oftentimes the malware will throw in a proxy. The AV did okay with that one - it needed to go.
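For anyone following along who wants to check this for themselves: the scanner log above only says that a proxy was configured and removed. The script below is an added example, not something posted in this thread or part of any of the tools mentioned; it reads back the WinINET proxy values under every user hive currently loaded in HKEY_USERS, so a proxy that quietly reappears after a reboot is easy to spot. It assumes an elevated PowerShell 2.0 prompt (the version that installs on XP SP3) and changes nothing.

```powershell
# Added example (not from the thread): list the per-user WinINET proxy settings that
# rogue AV families commonly plant, for every user hive loaded under HKEY_USERS.
# Read-only. Assumes an elevated prompt; written for PowerShell 2.0 on XP SP3.

if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Same key that the "rk-proxy.reg" backup mentioned in the log is restored into
$subKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-UserProxySettings {
    foreach ($hive in Get-ChildItem HKU: | Where-Object { $_.PSChildName -notmatch '_Classes$' }) {
        $key = Join-Path $hive.PSPath $subKey
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty $key -ErrorAction SilentlyContinue

        # ProxyEnable 1 = explicit proxy on; ProxyServer = host:port (or per-protocol list);
        # AutoConfigURL = a PAC script, the quieter way to redirect traffic.
        # On a single-PC home network behind a plain router none of these should be set.
        $suspicious = [bool]($p.ProxyEnable -eq 1 -or $p.ProxyServer -or $p.AutoConfigURL)

        New-Object PSObject -Property @{
            Hive          = $hive.PSChildName
            Suspicious    = $suspicious
            ProxyEnable   = $p.ProxyEnable
            ProxyServer   = $p.ProxyServer
            AutoConfigURL = $p.AutoConfigURL
            ProxyOverride = $p.ProxyOverride
        }
    }
}

Get-UserProxySettings | Format-Table Hive, Suspicious, ProxyEnable, ProxyServer, AutoConfigURL -AutoSize
```

Only hives that are loaded show up, so run it while logged on as the account that was infected. The machine-wide WinHTTP proxy (used by services such as Windows Update rather than by the browser) is a separate setting; on XP it is shown by running `proxycfg.exe` from a command prompt.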


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Ried said:


> Given that you just updated to SP3, I would put a bit more faith that the files are okay. If you wish, you could run sfc /scannow from the Run command box, and see if it does find any corrupted files.
> 
> ZAccess can be a real pain - it sometimes borks networking and can sometimes be impossible to find what it did to make that happen.
> 
> Another idea - click Start>Run and type in *devmgmt.msc* to open the Device Manager.
> 
> Locate the Network Adapter, right click and select *Uninstall*. Reboot, and upon reboot, Windows should automatically reinstall it.
> 
> Any change in dhcp starting as it should?


Ried -- hope you're looking.

1st: removed network adapter -- Windows found and reinstalled it.
No change, services still not loading on their own but work fine as soon as I load them.

2nd: HELP -- Running sfc /scannow -- inserted Windows disc when prompted.
It scanned for 1/2 hour or so but now it's saying "Files that are required for Windows to run properly must be copied to the DLL Cache. Insert your Windows XP Professional CD2 now."

First, I'm running XP Media edition, not Professional.
Second, there is no CD #2?? I only have one disc from Dell.

3 choices offered: retry, more information and cancel.

More information says "You have inserted the wrong CD (i.e., a different Windows product from the version installed)".

Nope -- only ever had 1 version of XP.
Are there different versions of the SP3 upgrade?

What should I do? Cancel, or is there a way to direct it to the new DLLs from the SP3 upgrade?

Bob


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried --
Chose to cancel out of sfc /scannow.

It would let me decline loading the individual files -- I tried one -- but having no idea how many it was going to ask for, I didn't want to wreck things.

Clearly it's looking for files -- that's not good but should give us more options.
Can you walk me thru creating a slipstreamed Win XP Media SP3 disc?
I assume that's what it's looking for.

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Bob,

This link provides really good instructions --> Create a Slip Stream version of

You do need to have the actual Windows Install disc - not the Dell Recovery disc.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Ried said:


> Hi Bob,
> 
> This link provides really good instructions --> Create a Slip Stream version of
> 
> You do need to have the actual Windows Install disc - not the Dell Recovery disc.


How can I tell? 
It's the original disc that came with the machine.

I'm 99% sure it's what I used when I loaded xp onto this drive.

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Does it say Windows Media Center Edition by Microsoft?


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Ried said:


> Does it say Windows Media Center Edition by Microsoft?


Sorry Ried, got called away for a bit.
It says Microsoft Windows XP Media Center Version 2005 with Update Rollup 2.

If it helps it's orange and also says Dell, for distribution only with a new Dell PC.
Was also thinking that scannow may just have been looking for the SP3 files.
Can I burn those and insert that when asked for disc 2?

It was happy with the disc I gave it until the very end.

Any other things for me to do till I figure this out?

Going to read the slipstreaming info now.

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Bob. No worries, I was called away as well.

Yes, you can use that disc to create a slipstreamed SP3 disc to use.


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Couple more ideas, Bob. I don't know if it will pan out, but it couldn't hurt. 

Since the main problem is this


> The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.


First thing to try is Control Panel>Network Connections. Right click the LAN and select Properties.

Click 'Internet Protocol (TCP/IP)' and click the Properties button.
In the next dialog box, look toward the bottom right corner and click the Advanced button.
Next, click the WINS tab and toward the bottom, place a check next to the box that says 'Disable NetBIOS over TCP/IP'.
OK your way out.

Reboot. 

Any luck?

If not, perhaps a regsearch might reveal something that 'shouldn't be'

Download *SystemLook* from one of the links below and save it to your desktop.

*Download Mirror #1
Download Mirror #2*
Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:



Code:


:regfind
NetBIOS


Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop, entitled *SystemLook.txt*

===============================

One more tool for you to run, if you don't mind. Download the MiniToolBox, save it to your desktop and run it.

Check the box next to *List Devices*. The radio button next to 'Only Problems' should be marked by default - leave it like that. 

Click Go

When it has completed, post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.
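The System log entry quoted at the top of this post is a dependency failure, and the registry search above only tells you where the string "NetBIOS" appears. The script below is an added example, not code from this thread or from SystemLook or MiniToolBox; it walks the actual dependency chain (DHCP Client -> NetBios over Tcpip -> TCP/IP, plus any group dependencies) out of the live registry and reports, for each service, its start type, the file it loads, whether that file is really on disk, and whether a Root\LEGACY_* PnP entry still exists for it (the entry the CR_REMOVE_VETOED line earlier in the thread refers to). It is read-only, assumes an elevated prompt, and is written for PowerShell 2.0, the version available on XP SP3.

```powershell
# Added example (not from the thread): walk the service dependency chain behind
# "The DHCP Client service depends on the NetBios over Tcpip service which failed
# to start" and show what each link in that chain is supposed to load.
# Read-only. Assumes an elevated prompt; written for PowerShell 2.0 on XP SP3.

$svcRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$enumRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Turn the ImagePath forms XP uses ("%SystemRoot%\...", "\SystemRoot\...", bare
# "system32\DRIVERS\x.sys", and "svchost.exe -k group") into one plain file path.
function Resolve-ImagePath([string]$ImagePath) {
    if (-not $ImagePath) { return $null }
    $path = [Environment]::ExpandEnvironmentVariables($ImagePath)
    $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    $path = $path -replace '^"?([^"]+?\.(exe|sys|dll)).*$', '$1'   # drop "-k netsvcs" style arguments
    if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    return $path
}

function Get-ServiceChain {
    param([string]$Name, [hashtable]$Seen = @{})
    if ($Seen.ContainsKey($Name)) { return }          # guard against cycles and repeats
    $Seen[$Name] = $true

    $key = Join-Path $svcRoot $Name
    if (-not (Test-Path $key)) {
        # A dependency that points at a service key which no longer exists is itself a finding
        New-Object PSObject -Property @{ Service = $Name; Start = 'MISSING KEY'; Image = ''; ImageExists = $false; LegacyEnum = $false }
        return
    }
    $p      = Get-ItemProperty $key
    $image  = Resolve-ImagePath $p.ImagePath
    $exists = if ($image) { Test-Path $image } else { $false }
    $start  = if ($p.Start -ne $null) { $startNames[[int]$p.Start] } else { '?' }
    $legacy = Test-Path (Join-Path $enumRoot ('LEGACY_' + $Name.ToUpper()))

    New-Object PSObject -Property @{
        Service     = $Name
        Start       = $start
        Image       = $image
        ImageExists = $exists
        LegacyEnum  = $legacy
    }

    # Direct dependencies (REG_MULTI_SZ DependOnService), then group dependencies,
    # which are resolved through the Group value of every service key.
    foreach ($dep in @($p.DependOnService)) { if ($dep) { Get-ServiceChain -Name $dep -Seen $Seen } }
    foreach ($grp in @($p.DependOnGroup)) {
        if (-not $grp) { continue }
        Get-ChildItem $svcRoot | Where-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Group -eq $grp } |
            ForEach-Object { Get-ServiceChain -Name $_.PSChildName -Seen $Seen }
    }
}

Get-ServiceChain -Name 'Dhcp' | Format-Table Service, Start, ImageExists, LegacyEnum, Image -AutoSize
```

What to look for in the output: a driver in the chain whose ImageExists is False, a Start value that is Disabled or Manual for something that should be System or Automatic, or a LegacyEnum of False for a kernel driver such as NetBT or Tcpip that has one on a healthy XP install. Any of those would explain a "device attached to the system is not functioning" failure far more directly than a string search.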


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Good morning Ried

First night in days I haven't been messing with this till midnight!

Back to it today -- will be around till about noon, then in meetings till 6ish; after that I'll be here.

Disabling NetBIOS over TCP/IP had no effect; turn it back on?

OK, yesterday -- slipstreaming XP SP3:
The software from the link, that does it for you, wouldn't recognize the operating system on the CD. The site also directs you towards 'nLite'; I was able to use that to create [I think] an XP Media SP3 bootable disc -- just have to burn it on a CD and see. One thing -- the file is huge, 2.49 GB? Didn't take all that long, may do it again and see what I come up with.

Your scans -- both run with NetBIOS over TCP/IP disabled. Want them run with it back on automatic?
Here's SystemLook.

Thanks for not giving up

Bob

SystemLook 30.07.11 by jpshortstuff
Log created at 07:40 on 13/12/2011 by Bob Zoppa
Administrator - Elevation successful

========== regfind ==========

Searching for "NetBIOS"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Exchange Provider]
"Rpc_Binding_Order"="ncalrpc,ncacn_ip_tcp,ncacn_spx,ncacn_np,netbios,ncacn_vns_spp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetDDE\Parameters\NetBIOS]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\NetBios]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009]
"Counter"="1 1847 2 System 4 Memory 6 % Processor Time 10 File Read Operations/sec 12 File Write Operations/sec 14 File Control Operations/sec 16 File Read Bytes/sec 18 File Write Bytes/sec 20 File Control Bytes/sec 24 Available Bytes 26 Committed Bytes 28 Page Faults/sec 30 Commit Limit 32 Write Copies/sec 34 Transition Faults/sec 36 Cache Faults/sec 38 Demand Zero Faults/sec 40 Pages/sec 42 Page Reads/sec 44 Processor Queue Length 46 Thread State 48 Pages Output/sec 50 Page Writes/sec 52 Browser 54 Announcements Server/sec 56 Pool Paged Bytes 58 Pool Nonpaged Bytes 60 Pool Paged Allocs 64 Pool Nonpaged Allocs 66 Pool Paged Resident Bytes 68 System Code Total Bytes 70 System Code Resident Bytes 72 System Driver Total Bytes 74 System Driver Resident Bytes 76 System Cache Resident Bytes 78 Announcements Domain/sec 80 Election Packets/sec 82 Mailslot Writes/sec 84 Server List Requests/sec 86 Cache 88 Data Maps/sec 90 Sync Data Maps/s
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009]
"Help"="3 The System performance object consists of counters that apply to more than one instance of a component processors on the computer. 5 The Memory performance object consists of counters that describe the behavior of physical and virtual memory on the computer. Physical memory is the amount of random access memory on the computer. Virtual memory consists of the space in physical memory and on disk. Many of the memory counters monitor paging, which is the movement of pages of code and data between disk and physical memory. Excessive paging, a symptom of a memory shortage, can cause delays which interfere with all system processes. 7 % Processor Time is the percentage of elapsed time that the processor spends to execute a non-Idle thread. It is calculated by measuring the duration of the idle thread is active in the sample interval, and subtracting that time from interval duration. (Each processor has an idle thread tha
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}\{0D339983-CEDF-4A23-A101-F232523AA2FF}\Ndi\Interfaces]
"LowerRange"="netbios,netbios_smb"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{348E617D-53A6-4F11-B57A-3B5B23F3ACB5}]
"InfSection"="NetBIOS.ndi"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{348E617D-53A6-4F11-B57A-3B5B23F3ACB5}]
"Description"="NetBIOS Interface"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{348E617D-53A6-4F11-B57A-3B5B23F3ACB5}]
"ComponentId"="ms_netbios"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{348E617D-53A6-4F11-B57A-3B5B23F3ACB5}\Ndi]
"Service"="NetBIOS"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{348E617D-53A6-4F11-B57A-3B5B23F3ACB5}\Ndi]
"CoServices"="NetBIOS"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{348E617D-53A6-4F11-B57A-3B5B23F3ACB5}\Ndi\Interfaces]
"LowerRange"="netbios"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{FB0E806A-FC5E-495B-8006-277FD26B1BBD}\Ndi\Interfaces]
"LowerRange"="netbios,ipx,netbios_smb"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\{DFBDC12B-14C3-433D-BCA0-63B71FF62B54}\Linkage]
"Export"="\Device\NetbiosSmb"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\{DFBDC12B-14C3-433D-BCA0-63B71FF62B54}\Ndi]
"BindForm"="NetbiosSmb"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\{DFBDC12B-14C3-433D-BCA0-63B71FF62B54}\Ndi\Interfaces]
"UpperRange"="netbios_smb"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\{EC271065-8FFF-4203-8256-DB9AF2726DA7}\Ndi\Interfaces]
"UpperRange"="netbios"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBIOS]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\NetBIOSGroup]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceGroupOrder]
"List"="System Reserved Boot Bus Extender System Bus Extender SCSI miniport Port Primary Disk SCSI Class SCSI CDROM Class FSFilter Infrastructure FSFilter System FSFilter Bottom FSFilter Copy Protection FSFilter Security Enhancer FSFilter Open File FSFilter Physical Quota Management FSFilter Encryption FSFilter Compression FSFilter HSM FSFilter Cluster File System FSFilter System Recovery FSFilter Quota Management FSFilter Content Screener FSFilter Continuous Backup FSFilter Replication FSFilter Anti-Virus FSFilter Undelete FSFilter Activity Monitor FSFilter Top Filter Boot File System Base Pointer Port Keyboard Port Pointer Class Keyboard Class Video Init Video Video Save File System Event Log Streams Drivers NDIS Wrapper COM Infrastructure UIGroup LocalValidation PlugPlay PNP_TDI NDIS TDI NetBIOSGroup ShellSvcGroup SchedulerGroup SpoolerGroup AudioGroup SmartCardGroup NetworkProvider RemoteValidation NetDDEGroup Parallel arbitrator Extende
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LMHOSTS\0000]
"DeviceDesc"="TCP/IP NetBIOS Helper"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETBIOS]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETBIOS\0000]
"Service"="NetBIOS"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETBIOS\0000]
"DeviceDesc"="NetBIOS Interface"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETBIOS\0000\Control]
"ActiveService"="NetBIOS"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETBT\0000]
"DeviceDesc"="NetBios over Tcpip"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dhcp\Parameters\Options\DhcpNetbiosOptions]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dhcp\Parameters\Options\DhcpNetbiosOptions]
"RegLocation"="SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_?\DhcpNetbiosOptions"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System]
"Sources"="WZCSVC Workstation WindowsMedia Windows Update Agent Windows Script Host Windows Installer 3.1 Windows File Protection Win32k WGA W32Time VolSnap viaide VgaSave USER32 UPS ultra udfs toside TermServSessDir TermService TermServDevices TermDD tdi TCPMon Tcpip System Error sym_u3 sym_hi symc8xx symc810 StillImage SSDPSRV Srv srservice sr sparrow sndblst SMSvcHost 3.0.0.0 Simbad SideBySide sfloppy Setup Service Control Manager Server serial scsiport Schedule Schannel SCardSvr Save Dump SAM RSVP Removable Storage Service RemoteAccess redbook Rdbss RasMan RasAuto ql1280 ql1240 ql12160 ql10wnt ql1080 PSched PrintFilterPipelineSvc Print PptpMiniport PolicyAgent PlugPlayManager perc2 PCTCore pcmcia pciide pci parvdm partmgr parport OSPFMib OSPF nv null NtServicePack ntfs npfs Nla Netlogon NetDDE NetBT NetBIOS NdisWan NdisIP ndis napipsecenf napagent Mup msfs MSDTC WS-AT Protocol MSDTC Gateway msadlib MrxSmb MRxDAV mraid35x mouhid mouclass M
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System\NetBIOS]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\Linkage]
"Bind"="\Device\NetbiosSmb \Device\NetBT_Tcpip_{CB04D831-A721-4082-84B9-8C0062C24FA2} \Device\NetBT_Tcpip_{B86F3C98-1ECE-4901-86C7-5065033C27CB} \Device\NetBT_Tcpip_{DA836B17-F05A-455A-804B-6AD9C2381057} \Device\NetBT_Tcpip_{14352A84-B8B3-40F6-A115-9B3C65167B83} \Device\NetBT_Tcpip_{7334FE40-2F39-4C16-B6AD-BDCFA0BF5F98}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\Linkage]
"Route"=""NetbiosSmb" "NetBT" "Tcpip" "{CB04D831-A721-4082-84B9-8C0062C24FA2}" "NetBT" "Tcpip" "{B86F3C98-1ECE-4901-86C7-5065033C27CB}" "NetBT" "Tcpip" "{DA836B17-F05A-455A-804B-6AD9C2381057}" "NetBT" "Tcpip" "NdisWanIp""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\Linkage]
"Export"="\Device\LanmanServer_NetbiosSmb \Device\LanmanServer_NetBT_Tcpip_{CB04D831-A721-4082-84B9-8C0062C24FA2} \Device\LanmanServer_NetBT_Tcpip_{B86F3C98-1ECE-4901-86C7-5065033C27CB} \Device\LanmanServer_NetBT_Tcpip_{DA836B17-F05A-455A-804B-6AD9C2381057} \Device\LanmanServer_NetBT_Tcpip_{14352A84-B8B3-40F6-A115-9B3C65167B83} \Device\LanmanServer_NetBT_Tcpip_{7334FE40-2F39-4C16-B6AD-BDCFA0BF5F98}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation\Linkage]
"Bind"="\Device\NetbiosSmb \Device\NetBT_Tcpip_{CB04D831-A721-4082-84B9-8C0062C24FA2} \Device\NetBT_Tcpip_{B86F3C98-1ECE-4901-86C7-5065033C27CB} \Device\NetBT_Tcpip_{DA836B17-F05A-455A-804B-6AD9C2381057} \Device\NetBT_Tcpip_{14352A84-B8B3-40F6-A115-9B3C65167B83} \Device\NetBT_Tcpip_{7334FE40-2F39-4C16-B6AD-BDCFA0BF5F98}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation\Linkage]
"Route"=""NetbiosSmb" "NetBT" "Tcpip" "{CB04D831-A721-4082-84B9-8C0062C24FA2}" "NetBT" "Tcpip" "{B86F3C98-1ECE-4901-86C7-5065033C27CB}" "NetBT" "Tcpip" "{DA836B17-F05A-455A-804B-6AD9C2381057}" "NetBT" "Tcpip" "NdisWanIp""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation\Linkage]
"Export"="\Device\LanmanWorkstation_NetbiosSmb \Device\LanmanWorkstation_NetBT_Tcpip_{CB04D831-A721-4082-84B9-8C0062C24FA2} \Device\LanmanWorkstation_NetBT_Tcpip_{B86F3C98-1ECE-4901-86C7-5065033C27CB} \Device\LanmanWorkstation_NetBT_Tcpip_{DA836B17-F05A-455A-804B-6AD9C2381057} \Device\LanmanWorkstation_NetBT_Tcpip_{14352A84-B8B3-40F6-A115-9B3C65167B83} \Device\LanmanWorkstation_NetBT_Tcpip_{7334FE40-2F39-4C16-B6AD-BDCFA0BF5F98}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LmHosts]
"DisplayName"="TCP/IP NetBIOS Helper"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LmHosts]
"Description"="Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution."
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Messenger]
"DependOnService"="LanmanWorkstation NetBIOS PlugPlay RpcSS"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetBIOS]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetBIOS]
"ImagePath"="system32\DRIVERS\netbios.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetBIOS]
"DisplayName"="NetBIOS Interface"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetBIOS]
"Group"="NetBIOSGroup"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetBIOS]
"Description"="NetBIOS Interface"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetBIOS\Linkage]
"Export"="\Device\NetBIOS_NetBT_Tcpip_{CB04D831-A721-4082-84B9-8C0062C24FA2} \Device\NetBIOS_NetBT_Tcpip_{B86F3C98-1ECE-4901-86C7-5065033C27CB} \Device\NetBIOS_NetBT_Tcpip_{DA836B17-F05A-455A-804B-6AD9C2381057} \Device\NetBIOS_NetBT_Tcpip_{14352A84-B8B3-40F6-A115-9B3C65167B83} \Device\NetBIOS_NetBT_Tcpip_{7334FE40-2F39-4C16-B6AD-BDCFA0BF5F98}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetBIOS\Enum]
"0"="Root\LEGACY_NETBIOS\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetBT]
"DisplayName"="NetBios over Tcpip"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetBT]
"Description"="NetBios over Tcpip"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RasAuto]
"Description"="Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address."
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess]
"DependOnGroup"="NetBIOSGroup"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winsock\Parameters]
"Transports"="Tcpip NetBIOS"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winsock\Setup Migration]
"Provider List"="Tcpip NetBIOS"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winsock\Setup Migration\Providers\NetBIOS]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}\{0D339983-CEDF-4A23-A101-F232523AA2FF}\Ndi\Interfaces]
"LowerRange"="netbios,netbios_smb"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{348E617D-53A6-4F11-B57A-3B5B23F3ACB5}]
"InfSection"="NetBIOS.ndi"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{348E617D-53A6-4F11-B57A-3B5B23F3ACB5}]
"Description"="NetBIOS Interface"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{348E617D-53A6-4F11-B57A-3B5B23F3ACB5}]
"ComponentId"="ms_netbios"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{348E617D-53A6-4F11-B57A-3B5B23F3ACB5}\Ndi]
"Service"="NetBIOS"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{348E617D-53A6-4F11-B57A-3B5B23F3ACB5}\Ndi]
"CoServices"="NetBIOS"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{348E617D-53A6-4F11-B57A-3B5B23F3ACB5}\Ndi\Interfaces]
"LowerRange"="netbios"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{FB0E806A-FC5E-495B-8006-277FD26B1BBD}\Ndi\Interfaces]
"LowerRange"="netbios,ipx,netbios_smb"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\{DFBDC12B-14C3-433D-BCA0-63B71FF62B54}\Linkage]
"Export"="\Device\NetbiosSmb"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\{DFBDC12B-14C3-433D-BCA0-63B71FF62B54}\Ndi]
"BindForm"="NetbiosSmb"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\{DFBDC12B-14C3-433D-BCA0-63B71FF62B54}\Ndi\Interfaces]
"UpperRange"="netbios_smb"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\{EC271065-8FFF-4203-8256-DB9AF2726DA7}\Ndi\Interfaces]
"UpperRange"="netbios"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\NetBIOS]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\NetBIOSGroup]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\ServiceGroupOrder]
"List"="System Reserved Boot Bus Extender System Bus Extender SCSI miniport Port Primary Disk SCSI Class SCSI CDROM Class FSFilter Infrastructure FSFilter System FSFilter Bottom FSFilter Copy Protection FSFilter Security Enhancer FSFilter Open File FSFilter Physical Quota Management FSFilter Encryption FSFilter Compression FSFilter HSM FSFilter Cluster File System FSFilter System Recovery FSFilter Quota Management FSFilter Content Screener FSFilter Continuous Backup FSFilter Replication FSFilter Anti-Virus FSFilter Undelete FSFilter Activity Monitor FSFilter Top Filter Boot File System Base Pointer Port Keyboard Port Pointer Class Keyboard Class Video Init Video Video Save File System Event Log Streams Drivers NDIS Wrapper COM Infrastructure UIGroup LocalValidation PlugPlay PNP_TDI NDIS TDI NetBIOSGroup ShellSvcGroup SchedulerGroup SpoolerGroup AudioGroup SmartCardGroup NetworkProvider RemoteValidation NetDDEGroup Parallel arbitrator Extende
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_LMHOSTS\0000]
"DeviceDesc"="TCP/IP NetBIOS Helper"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETBIOS]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETBIOS\0000]
"Service"="NetBIOS"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETBIOS\0000]
"DeviceDesc"="NetBIOS Interface"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_NETBT\0000]
"DeviceDesc"="NetBios over Tcpip"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Dhcp\Parameters\Options\DhcpNetbiosOptions]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Dhcp\Parameters\Options\DhcpNetbiosOptions]
"RegLocation"="SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_?\DhcpNetbiosOptions"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System]
"Sources"="WZCSVC Workstation WindowsMedia Windows Update Agent Windows Script Host Windows Installer 3.1 Windows File Protection Win32k WGA W32Time VolSnap viaide VgaSave USER32 UPS ultra udfs toside TermServSessDir TermService TermServDevices TermDD tdi TCPMon Tcpip System Error sym_u3 sym_hi symc8xx symc810 StillImage SSDPSRV Srv srservice sr sparrow sndblst SMSvcHost 3.0.0.0 Simbad SideBySide sfloppy Setup Service Control Manager Server serial scsiport Schedule Schannel SCardSvr Save Dump SAM RSVP Removable Storage Service RemoteAccess redbook Rdbss RasMan RasAuto ql1280 ql1240 ql12160 ql10wnt ql1080 PSched PrintFilterPipelineSvc Print PptpMiniport PolicyAgent PlugPlayManager perc2 PCTCore pcmcia pciide pci parvdm partmgr parport OSPFMib OSPF nv null NtServicePack ntfs npfs Nla Netlogon NetDDE NetBT NetBIOS NdisWan NdisIP ndis napipsecenf napagent Mup msfs MSDTC WS-AT Protocol MSDTC Gateway msadlib MrxSmb MRxDAV mraid35x mouhid mouclass M
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\NetBIOS]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\lanmanserver\Linkage]
"Bind"="\Device\NetbiosSmb \Device\NetBT_Tcpip_{CB04D831-A721-4082-84B9-8C0062C24FA2} \Device\NetBT_Tcpip_{B86F3C98-1ECE-4901-86C7-5065033C27CB} \Device\NetBT_Tcpip_{DA836B17-F05A-455A-804B-6AD9C2381057} \Device\NetBT_Tcpip_{14352A84-B8B3-40F6-A115-9B3C65167B83} \Device\NetBT_Tcpip_{7334FE40-2F39-4C16-B6AD-BDCFA0BF5F98}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\lanmanserver\Linkage]
"Route"=""NetbiosSmb" "NetBT" "Tcpip" "{CB04D831-A721-4082-84B9-8C0062C24FA2}" "NetBT" "Tcpip" "{B86F3C98-1ECE-4901-86C7-5065033C27CB}" "NetBT" "Tcpip" "{DA836B17-F05A-455A-804B-6AD9C2381057}" "NetBT" "Tcpip" "NdisWanIp""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\lanmanserver\Linkage]
"Export"="\Device\LanmanServer_NetbiosSmb \Device\LanmanServer_NetBT_Tcpip_{CB04D831-A721-4082-84B9-8C0062C24FA2} \Device\LanmanServer_NetBT_Tcpip_{B86F3C98-1ECE-4901-86C7-5065033C27CB} \Device\LanmanServer_NetBT_Tcpip_{DA836B17-F05A-455A-804B-6AD9C2381057} \Device\LanmanServer_NetBT_Tcpip_{14352A84-B8B3-40F6-A115-9B3C65167B83} \Device\LanmanServer_NetBT_Tcpip_{7334FE40-2F39-4C16-B6AD-BDCFA0BF5F98}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\lanmanworkstation\Linkage]
"Bind"="\Device\NetbiosSmb \Device\NetBT_Tcpip_{CB04D831-A721-4082-84B9-8C0062C24FA2} \Device\NetBT_Tcpip_{B86F3C98-1ECE-4901-86C7-5065033C27CB} \Device\NetBT_Tcpip_{DA836B17-F05A-455A-804B-6AD9C2381057} \Device\NetBT_Tcpip_{14352A84-B8B3-40F6-A115-9B3C65167B83} \Device\NetBT_Tcpip_{7334FE40-2F39-4C16-B6AD-BDCFA0BF5F98}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\lanmanworkstation\Linkage]
"Route"=""NetbiosSmb" "NetBT" "Tcpip" "{CB04D831-A721-4082-84B9-8C0062C24FA2}" "NetBT" "Tcpip" "{B86F3C98-1ECE-4901-86C7-5065033C27CB}" "NetBT" "Tcpip" "{DA836B17-F05A-455A-804B-6AD9C2381057}" "NetBT" "Tcpip" "NdisWanIp""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\lanmanworkstation\Linkage]
"Export"="\Device\LanmanWorkstation_NetbiosSmb \Device\LanmanWorkstation_NetBT_Tcpip_{CB04D831-A721-4082-84B9-8C0062C24FA2} \Device\LanmanWorkstation_NetBT_Tcpip_{B86F3C98-1ECE-4901-86C7-5065033C27CB} \Device\LanmanWorkstation_NetBT_Tcpip_{DA836B17-F05A-455A-804B-6AD9C2381057} \Device\LanmanWorkstation_NetBT_Tcpip_{14352A84-B8B3-40F6-A115-9B3C65167B83} \Device\LanmanWorkstation_NetBT_Tcpip_{7334FE40-2F39-4C16-B6AD-BDCFA0BF5F98}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\LmHosts]
"DisplayName"="TCP/IP NetBIOS Helper"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\LmHosts]
"Description"="Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution."
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Messenger]
"DependOnService"="LanmanWorkstation NetBIOS PlugPlay RpcSS"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\NetBIOS]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\NetBIOS]
"ImagePath"="system32\DRIVERS\netbios.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\NetBIOS]
"DisplayName"="NetBIOS Interface"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\NetBIOS]
"Group"="NetBIOSGroup"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\NetBIOS]
"Description"="NetBIOS Interface"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\NetBIOS\Linkage]
"Export"="\Device\NetBIOS_NetBT_Tcpip_{CB04D831-A721-4082-84B9-8C0062C24FA2} \Device\NetBIOS_NetBT_Tcpip_{B86F3C98-1ECE-4901-86C7-5065033C27CB} \Device\NetBIOS_NetBT_Tcpip_{DA836B17-F05A-455A-804B-6AD9C2381057} \Device\NetBIOS_NetBT_Tcpip_{14352A84-B8B3-40F6-A115-9B3C65167B83} \Device\NetBIOS_NetBT_Tcpip_{7334FE40-2F39-4C16-B6AD-BDCFA0BF5F98}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\NetBT]
"DisplayName"="NetBios over Tcpip"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\NetBT]
"Description"="NetBios over Tcpip"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\RasAuto]
"Description"="Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address."
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\RemoteAccess]
"DependOnGroup"="NetBIOSGroup"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Winsock\Parameters]
"Transports"="Tcpip NetBIOS"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Winsock\Setup Migration]
"Provider List"="Tcpip NetBIOS"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Winsock\Setup Migration\Providers\NetBIOS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}\{0D339983-CEDF-4A23-A101-F232523AA2FF}\Ndi\Interfaces]
"LowerRange"="netbios,netbios_smb"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{348E617D-53A6-4F11-B57A-3B5B23F3ACB5}]
"InfSection"="NetBIOS.ndi"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{348E617D-53A6-4F11-B57A-3B5B23F3ACB5}]
"Description"="NetBIOS Interface"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{348E617D-53A6-4F11-B57A-3B5B23F3ACB5}]
"ComponentId"="ms_netbios"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{348E617D-53A6-4F11-B57A-3B5B23F3ACB5}\Ndi]
"Service"="NetBIOS"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{348E617D-53A6-4F11-B57A-3B5B23F3ACB5}\Ndi]
"CoServices"="NetBIOS"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{348E617D-53A6-4F11-B57A-3B5B23F3ACB5}\Ndi\Interfaces]
"LowerRange"="netbios"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\{FB0E806A-FC5E-495B-8006-277FD26B1BBD}\Ndi\Interfaces]
"LowerRange"="netbios,ipx,netbios_smb"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\{DFBDC12B-14C3-433D-BCA0-63B71FF62B54}\Linkage]
"Export"="\Device\NetbiosSmb"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\{DFBDC12B-14C3-433D-BCA0-63B71FF62B54}\Ndi]
"BindForm"="NetbiosSmb"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\{DFBDC12B-14C3-433D-BCA0-63B71FF62B54}\Ndi\Interfaces]
"UpperRange"="netbios_smb"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\{EC271065-8FFF-4203-8256-DB9AF2726DA7}\Ndi\Interfaces]
"UpperRange"="netbios"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder]
"List"="System Reserved Boot Bus Extender System Bus Extender SCSI miniport Port Primary Disk SCSI Class SCSI CDROM Class FSFilter Infrastructure FSFilter System FSFilter Bottom FSFilter Copy Protection FSFilter Security Enhancer FSFilter Open File FSFilter Physical Quota Management FSFilter Encryption FSFilter Compression FSFilter HSM FSFilter Cluster File System FSFilter System Recovery FSFilter Quota Management FSFilter Content Screener FSFilter Continuous Backup FSFilter Replication FSFilter Anti-Virus FSFilter Undelete FSFilter Activity Monitor FSFilter Top Filter Boot File System Base Pointer Port Keyboard Port Pointer Class Keyboard Class Video Init Video Video Save File System Event Log Streams Drivers NDIS Wrapper COM Infrastructure UIGroup LocalValidation PlugPlay PNP_TDI NDIS TDI NetBIOSGroup ShellSvcGroup SchedulerGroup SpoolerGroup AudioGroup SmartCardGroup NetworkProvider RemoteValidation NetDDEGroup Parallel arbitrator Ext
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LMHOSTS\0000]
"DeviceDesc"="TCP/IP NetBIOS Helper"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETBIOS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETBIOS\0000]
"Service"="NetBIOS"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETBIOS\0000]
"DeviceDesc"="NetBIOS Interface"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETBIOS\0000\Control]
"ActiveService"="NetBIOS"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETBT\0000]
"DeviceDesc"="NetBios over Tcpip"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options\DhcpNetbiosOptions]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options\DhcpNetbiosOptions]
"RegLocation"="SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_?\DhcpNetbiosOptions"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System]
"Sources"="WZCSVC Workstation WindowsMedia Windows Update Agent Windows Script Host Windows Installer 3.1 Windows File Protection Win32k WGA W32Time VolSnap viaide VgaSave USER32 UPS ultra udfs toside TermServSessDir TermService TermServDevices TermDD tdi TCPMon Tcpip System Error sym_u3 sym_hi symc8xx symc810 StillImage SSDPSRV Srv srservice sr sparrow sndblst SMSvcHost 3.0.0.0 Simbad SideBySide sfloppy Setup Service Control Manager Server serial scsiport Schedule Schannel SCardSvr Save Dump SAM RSVP Removable Storage Service RemoteAccess redbook Rdbss RasMan RasAuto ql1280 ql1240 ql12160 ql10wnt ql1080 PSched PrintFilterPipelineSvc Print PptpMiniport PolicyAgent PlugPlayManager perc2 PCTCore pcmcia pciide pci parvdm partmgr parport OSPFMib OSPF nv null NtServicePack ntfs npfs Nla Netlogon NetDDE NetBT NetBIOS NdisWan NdisIP ndis napipsecenf napagent Mup msfs MSDTC WS-AT Protocol MSDTC Gateway msadlib MrxSmb MRxDAV mraid35x mouhid moucla
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\NetBIOS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Linkage]
"Bind"="\Device\NetbiosSmb \Device\NetBT_Tcpip_{CB04D831-A721-4082-84B9-8C0062C24FA2} \Device\NetBT_Tcpip_{B86F3C98-1ECE-4901-86C7-5065033C27CB} \Device\NetBT_Tcpip_{DA836B17-F05A-455A-804B-6AD9C2381057} \Device\NetBT_Tcpip_{14352A84-B8B3-40F6-A115-9B3C65167B83} \Device\NetBT_Tcpip_{7334FE40-2F39-4C16-B6AD-BDCFA0BF5F98}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Linkage]
"Route"=""NetbiosSmb" "NetBT" "Tcpip" "{CB04D831-A721-4082-84B9-8C0062C24FA2}" "NetBT" "Tcpip" "{B86F3C98-1ECE-4901-86C7-5065033C27CB}" "NetBT" "Tcpip" "{DA836B17-F05A-455A-804B-6AD9C2381057}" "NetBT" "Tcpip" "NdisWanIp""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Linkage]
"Export"="\Device\LanmanServer_NetbiosSmb \Device\LanmanServer_NetBT_Tcpip_{CB04D831-A721-4082-84B9-8C0062C24FA2} \Device\LanmanServer_NetBT_Tcpip_{B86F3C98-1ECE-4901-86C7-5065033C27CB} \Device\LanmanServer_NetBT_Tcpip_{DA836B17-F05A-455A-804B-6AD9C2381057} \Device\LanmanServer_NetBT_Tcpip_{14352A84-B8B3-40F6-A115-9B3C65167B83} \Device\LanmanServer_NetBT_Tcpip_{7334FE40-2F39-4C16-B6AD-BDCFA0BF5F98}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\Linkage]
"Bind"="\Device\NetbiosSmb \Device\NetBT_Tcpip_{CB04D831-A721-4082-84B9-8C0062C24FA2} \Device\NetBT_Tcpip_{B86F3C98-1ECE-4901-86C7-5065033C27CB} \Device\NetBT_Tcpip_{DA836B17-F05A-455A-804B-6AD9C2381057} \Device\NetBT_Tcpip_{14352A84-B8B3-40F6-A115-9B3C65167B83} \Device\NetBT_Tcpip_{7334FE40-2F39-4C16-B6AD-BDCFA0BF5F98}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\Linkage]
"Route"=""NetbiosSmb" "NetBT" "Tcpip" "{CB04D831-A721-4082-84B9-8C0062C24FA2}" "NetBT" "Tcpip" "{B86F3C98-1ECE-4901-86C7-5065033C27CB}" "NetBT" "Tcpip" "{DA836B17-F05A-455A-804B-6AD9C2381057}" "NetBT" "Tcpip" "NdisWanIp""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\Linkage]
"Export"="\Device\LanmanWorkstation_NetbiosSmb \Device\LanmanWorkstation_NetBT_Tcpip_{CB04D831-A721-4082-84B9-8C0062C24FA2} \Device\LanmanWorkstation_NetBT_Tcpip_{B86F3C98-1ECE-4901-86C7-5065033C27CB} \Device\LanmanWorkstation_NetBT_Tcpip_{DA836B17-F05A-455A-804B-6AD9C2381057} \Device\LanmanWorkstation_NetBT_Tcpip_{14352A84-B8B3-40F6-A115-9B3C65167B83} \Device\LanmanWorkstation_NetBT_Tcpip_{7334FE40-2F39-4C16-B6AD-BDCFA0BF5F98}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts]
"DisplayName"="TCP/IP NetBIOS Helper"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts]
"Description"="Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"DependOnService"="LanmanWorkstation NetBIOS PlugPlay RpcSS"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBIOS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBIOS]
"ImagePath"="system32\DRIVERS\netbios.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBIOS]
"DisplayName"="NetBIOS Interface"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBIOS]
"Group"="NetBIOSGroup"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBIOS]
"Description"="NetBIOS Interface"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBIOS\Linkage]
"Export"="\Device\NetBIOS_NetBT_Tcpip_{CB04D831-A721-4082-84B9-8C0062C24FA2} \Device\NetBIOS_NetBT_Tcpip_{B86F3C98-1ECE-4901-86C7-5065033C27CB} \Device\NetBIOS_NetBT_Tcpip_{DA836B17-F05A-455A-804B-6AD9C2381057} \Device\NetBIOS_NetBT_Tcpip_{14352A84-B8B3-40F6-A115-9B3C65167B83} \Device\NetBIOS_NetBT_Tcpip_{7334FE40-2F39-4C16-B6AD-BDCFA0BF5F98}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBIOS\Enum]
"0"="Root\LEGACY_NETBIOS\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT]
"DisplayName"="NetBios over Tcpip"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT]
"Description"="NetBios over Tcpip"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto]
"Description"="Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess]
"DependOnGroup"="NetBIOSGroup"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Parameters]
"Transports"="Tcpip NetBIOS"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Setup Migration]
"Provider List"="Tcpip NetBIOS"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Setup Migration\Providers\NetBIOS]

-= EOF =-

And now Mini Toolbox
MiniToolBox by Farbar 
Ran by Bob Zoppa (administrator) on 13-12-2011 at 07:50:25
Microsoft Windows XP Professional Service Pack 3 (X86)

***************************************************************************

========================= Devices: ================================

Name: D-Link AirPlus DWL-520+ Wireless PCI Adapter
Description: D-Link AirPlus DWL-520+ Wireless PCI Adapter
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: D-Link
Service: AIRPLUS
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


**** End of log ****


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Felt good to get a bit of a break from this, didn't it? :smile:

We're going to use SystemLook again. Double click to run it. 

Copy the content of the following codebox into the main textfield:



Code:


:filefind
netbt.sys


Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop, entitled *SystemLook.txt*


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Ried,

Yes it did -- 
Still aching to find the issue and fix it though -- either that or heave the whole thing off the nearest pier and see if it can swim. If it finds its way home and promises to behave I'll let it back in.

Before I forget - disabling NetBIOS over TCP/IP prevented the printer from printing. Enabled it again and printing is back - make sense? Network printer plugged into the router.

Here's the requested SystemLook scan
SystemLook 30.07.11 by jpshortstuff
Log created at 18:12 on 13/12/2011 by Bob Zoppa
Administrator - Elevation successful

========== filefind ==========

Searching for "netbt.sys"
C:\WINDOWS\$NtServicePackUninstall$\netbt.sys	-----c- 162816 bytes	[21:49 10/12/2011]	[11:00 10/08/2004] 0C80E410CD2F47134407EE7DD19CC86B
C:\WINDOWS\ServicePackFiles\i386\netbt.sys	------- 162816 bytes	[21:54 10/12/2011]	[05:51 14/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\netbt.sys	--a---- 162816 bytes	[16:15 30/04/2010]	[19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\WINDOWS\system32\dllcache\netbt.sys	--a--c- 162816 bytes	[11:00 10/08/2004]	[05:51 14/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\WINDOWS\system32\drivers\netbt.sys	--a---- 162816 bytes	[11:00 10/08/2004]	[05:51 14/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D

-= EOF =-


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

:grin: Seems that the likelihood of the machine learning to swim is more 'do-able' than us finding the cause of this issue.



> Disabling netbios over tcpip prevented the printer from printing. Enabled it again and printing is back - Make sense ?


Yes it does, and that rules out the printer as the issue.

The purpose of SystemLook for netbt.sys was to confirm that the file was indeed replaced when you upgraded to SP3, and it has been. Additionally, it has the proper file size and md5.

Try enabling the D-Link card and see if that does any good.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



> Try enabling the D-Link card and see if that does any good.


Ok doing it now back in 5 min

What about the Load_Order_Group TDI 
If that got changed and the services are starting in the wrong order could that do it? 
I did change what to do if the service fails to start options to retry endlessly at 1 min increments -- didn't help 

Bob


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Nope didn't work just ended up with 2 little screens in the sys tray blinking at me


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ok, thanks.



> What about the Load_Order_Group TDI


That's what I was doing in the posts prior to Post 35 and Post #43


Ried said:


> I need to go through the registry exports you gave me earlier, and double check the Tag settings. Be back in a bit.


I need time to think about all this and make sure I'm not overlooking something. Be back in a bit.


----------
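Ried's remark above about going back through the registry exports to check the service Group, Tag and dependency settings is a mechanical job that a script can do. The following is an added example, not a tool from this thread or from any of the utilities it mentions: it reads a dump in the same `[key]` / `"Name"="Value"` form as the NetBIOS search posted earlier and reports DependOnService entries that name a service absent from the dump, and DependOnGroup or Group values absent from the ServiceGroupOrder list. Assumptions: values are the space-flattened rendering the thread's dump uses (a regedit .reg export stores REG_MULTI_SZ data as hex(7) and would have to be decoded first), so multi-word group names such as "Boot Bus Extender" are matched as a run of consecutive tokens; Tag ordering is not checked; and "not in the dump" is only meaningful when the dump covers the whole Services key, not a keyword-filtered search like the NetBIOS one above. The sample dump is constructed for the example and is not a copy of the poster's machine.

```python
import re
from collections import defaultdict

# Constructed sample in the same "[key]" / "Name"="Value" form as the registry
# dump posted in this thread. Values are illustrative, not the poster's registry.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder]
"List"="System Reserved Boot Bus Extender NDIS PNP_TDI TDI NetBIOSGroup ShellSvcGroup"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"Group"="PNP_TDI"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT]
"Group"="PNP_TDI"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT]
"DependOnService"="Tcpip"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBIOS]
"Group"="NetBIOSGroup"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBIOS]
"ImagePath"="system32\DRIVERS\netbios.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"DependOnService"="Tcpip Afd NetBT"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"DependOnService"="LanmanWorkstation NetBIOS PlugPlay RpcSS"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess]
"DependOnGroup"="NetBIOSGroup"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Bogus]
"DependOnGroup"="NoSuchGroup"
'''

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.+)$')
SERVICE_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\(?P<svc>[^\\]+)$",
    re.IGNORECASE,
)
ORDER_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder"


def parse_dump(text):
    """Return {key: {value_name: value}} from the flattened dump format.

    Each value line is preceded by its key header, so the same key may recur;
    string values lose their outer quotes, other types are kept verbatim."""
    tree = defaultdict(dict)
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            raw = m["raw"]
            if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
                raw = raw[1:-1]
            tree[key][m["name"]] = raw
    return dict(tree)


def collect_services(tree):
    """Map service name -> merged values for keys directly under ...\\Services."""
    services = defaultdict(dict)
    for key, values in tree.items():
        m = SERVICE_KEY_RE.match(key)
        if m:
            services[m["svc"]].update(values)
    return dict(services)


def group_listed(order_tokens, group):
    """True if the group's words occur consecutively in the flattened List.

    The dump has flattened the REG_MULTI_SZ list into space-separated words,
    so multi-word group names can only be matched as a run of tokens."""
    want = group.split()
    if not want:
        return False
    n = len(want)
    return any(order_tokens[i:i + n] == want for i in range(len(order_tokens) - n + 1))


def check_dependencies(text):
    """Return a list of human-readable findings; empty means nothing dangling."""
    tree = parse_dump(text)
    services = collect_services(tree)
    known = {name.lower() for name in services}  # service names are case-insensitive
    order_values = next((v for k, v in tree.items() if k.lower() == ORDER_KEY.lower()), {})
    order = order_values.get("List", "").split()
    findings = []
    for name in sorted(services):
        vals = services[name]
        for dep in vals.get("DependOnService", "").split():
            if dep.lower() not in known:
                findings.append(f"{name}: DependOnService names {dep!r}, which is not in the dump")
        grp = vals.get("DependOnGroup")  # treated as a single group name (flattened value)
        if grp and not group_listed(order, grp):
            findings.append(f"{name}: DependOnGroup {grp!r} is not in ServiceGroupOrder")
        own = vals.get("Group")
        if own and not group_listed(order, own):
            findings.append(f"{name}: Group {own!r} is not in ServiceGroupOrder")
    return findings


if __name__ == "__main__":
    for finding in check_dependencies(SAMPLE_DUMP):
        print(finding)
```

On the sample this reports the Dhcp entry pointing at an Afd service that is not in the dump, three Messenger dependencies that are likewise absent, and the Bogus service's unknown group; on a full export of the Services key, a finding of the first kind is exactly the "dependency present but not startable" condition that leaves an automatic service sitting stopped until someone starts it by hand.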



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried 

Had a thought -- I hope a good one
Back at the beginning of all this -- the power supply to my router failed, while waiting for the replacement part to arrive I tried plugging directly into the modem -- didn't work -- pulling out the modem directions told me the modem needed to be set up differently for use with / and without a router.
I called my DSL provider and had them reconfigure the modem for use without a router. I have not called to have them change anything back yet.
When the replacement part arrived, I fired up the router so I could use the wireless on my work laptop.
Was still digging thru the infected desktop so it would boot -- it was only after the machine would boot that I noticed the DHCP client wasn't launching on its own.

Please tell me the DHCP is in conflict with, or not getting a needed signal from, the modem or router because of the configuration.
Could one of them be the device not functioning? 

Have my fingers crossed here & don't mind feeling foolish if this fixes the problem

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

It's worth a shot, Bob. Disconnect the router. Reboot and tell me it's 'magic'. :grin:


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Ried said:


> It's worth a shot, Bob. Disconnect the router. Reboot and tell me it's 'magic'. :grin:


No luck - was all excited there for a few min though -felt good.

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

I really thought that was going to be it.

Give me some time to go over all this again and give it another good think. Back in a bit.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ok next thought

I mentioned that I replaced c:\windows\system32\svchost.exe 
Does it need to be "installed" in any way? 
All I did was copy & paste it in

and why in DHCP path to executable is it 
"c:\windows\system32\svchost.exe -k netsvcs" 
That file doesn't exist unless it's hidden in which case I replaced the wrong one.

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Well now you're getting into more complicated questions. :smile:

It's because DHCP is a netsvc. It loads under svchost.exe, which is why you don't specifically see DHCP-related files in the running processes in Task Manager. They would simply appear in the list of running processes as svchost.exe.


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Maybe this tool will give us a clue. Download Process Monitor and save it to your desktop. Extract all files, then double click on Procmon.exe to start the tool.

Click Options, then click *Enable boot logging*.

A box will pop up that states it will monitor log activity during the next boot. Click OK and restart the machine.

Execute procmon.exe again. A dialog box will open that tells you a log of the boot-time activity was created by the previous instance of Process Monitor. To save the collected data, press the Yes button.

Name it whatever you wish, but keep the default file extension of .pml

Zip that up and attach it to your next post.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried --

Says file too large

Even zipped it's 14 mb

Let me look at it [and your instructions] again


Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

That's possible. Upload it to Rapidshare (use free version) then please post the link to that download here for me. I'll grab it, then delete the link.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried -- doing it now
Ended up with 2 files
the small one was 14 meg : ) big one is 25 ! not able to tell them apart yet so uploaded them both.

Links will be in next email --5 min to go.

Bob


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried,

Let me know you found them --Not 100% sure I got their process right

Off to Bed again after I get your confirmation -- will be around most of tomorrow in the day, and all evening again

Thanks Ried

Bob

<removed links for privacy>


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Thanks, I've downloaded them. :wave:

Will take me time to unzip and run it on test machine, so we'll continue tomorrow. I do have to work, so won't be online until evening.


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Sorry to tell you Bob, the upload was corrupted - both files. One of my colleagues also tried downloading them and was met with the same message.

I'm going to have you delete those .pml files and make a fresh one.

Same as before, launch procmon.exe and click Options>*Enable boot logging*

A box will pop up that states it will monitor log activity during the next boot. Click OK and restart the machine.

Execute procmon.exe again. A dialog box will open that tells you a log of the boot-time activity was created by the previous instance of Process Monitor. To save the collected data, press the Yes button.

Name it whatever you wish, but keep the default file extension of .pml

Zip it up and this time, use Mediafire. I tested an upload of a zipped .pml file and had no problem downloading and opening it from there.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ok ried I'm here -
Have run it 3 times -- all files are in excess of 200meg this time ????
going to do it again.

Back in a few


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ok Ried --
Way better this time -- only 7meg 

let me know if this works
Proc mon boot-1.zip
I haven't read Mediafire's instructions yet, wanted to get this posted quickly

One more thing-- I burned what I hope is a bootable slipstreamed win xp media sp3 disc

Want to try scannow again but don't want to mess with your work -- let me know your preferences 

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Thanks, downloaded file and it opened for me. Silly question, but you let it reboot and run procmon before manually starting dhcp, right?


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Ried said:


> Thanks, downloaded file and it opened for me. Silly question, but you let it reboot and run procmon before manually starting dhcp, right?



I think so -- no indication if procmon had run or not that I recall
But procmon is quick & boot up is 3-4 min and then a Little longer before I launch the services

So going to say yes


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Let me phrase it this way - did you let procmon complete, and did you save the boot log before you started the services?


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Bob - is this a personal folder on your desktop? K2a02832 - do you know what that is?


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Ried said:


> Let me phrase it this way - did you let procmon complete, and did you save the boot log before you started the services?


I honestly can't say --was working on auto pilot - more than happy to do it again.

Just let me know


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Ried said:


> Bob - is this a personal folder on your desktop? K2a02832 - do you know what that is?



Nope -- I'll go snoop around for it.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Zappafrank said:


> Nope -- I'll go snoop around for it.


Ried,
A search didn't turn up anything with that name

bob


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Zappafrank said:


> Ried,
> A search didn't turn up anything with that name
> 
> bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Nice job! :grin:

Too bad, though - There were a ton of writes to that on boot up. Thought I might have been onto something there. :sigh:



> One more thing-- I burned what I hope is a bootable slipstreamed win xp media sp3 disc
> 
> Want to try scannow again but don't want to mess with your work


Please proceed with sfc /scannow

Let me know how that goes.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried -- 
running sfc/scannow now.
Will let you know

Could I use this disc for another system "repair" also? 

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Yes. I was considering that as well if the scannow doesn't find/resolve the issue.

What would make this Repair install different from the one you did before posting this thread (besides the difference in Service Pack) is that you did the first Repair install while the machine was still infected with ZAccess. You are no longer infected, so perhaps this Repair install may work out.

Don't get your hopes up though - there have been several OS issues that remain even after cleaning ZAccess, where even a Repair install didn't resolve the issue. A format and fresh install of the OS is what it took to get it back in proper running order.

While we can remove infections from machines, sadly, we cannot always repair or undo the damage it has done to the OS.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried, 

Running sfc/scannow didn't fix it--
Any new ideas? Should I try a repair?

Bob.


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Yes, try the Repair Install, but just out of curiosity, before you do that, create a new User acct with admin privileges. Log out of your account and boot into the new one and see if you get the same problem with those services in that new account as well.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Ried said:


> Yes, try the Repair Install, but just out of curiosity, before you do that, create a new User acct with admin privileges. Log out of your account and boot into the new one and see if you get the same problem with those services in that new account as well.


Ried, 

New account has the same problem -- 
I like your comment that the machine is not infected now so another repair may solve the problem.

I'll let you know.

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Thanks for checking. That at least tells us it's a global issue.

Repair still may not work out. A Repair install does not rewrite everything, so.. here's hoping anyway.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Ried said:


> Thanks for checking. That at least tells us it's a global issue.
> 
> Repair still may not work out. A Repair install does not rewrite everything, so.. here's hoping anyway.


Ok Repair didn't like my slipstreamed disc -- ended up with a BSOD -- Windows has detected a problem and has shut down for your safety etc. etc.
It manually rebooted normally though -- well, normal except for the DHCP and TCP/IP NetBIOS issues.

I may try a repair with the original disc tomorrow - too late to deal with the 200 plus upgrades that need to be done after a repair without SP3.

Still willing to try & fix if any ideas come to mind after sleeping on it.
Machine is fine once the services are manually launched so no hurry.
Last thing I'm going to do is call my DSL provider and have the modem reconfigured the way it was just for kicks.

Main reason I'm resisting reformatting [other than being stubborn ] is the hassle of backing up the data 150gb or so.
I do have another drive --the original one from dell - the factory restore partition is corrupted so the "f 11 return to factory condition" function isn't working - I either need to reset the MBR or figure out the manual process --can then just import the data over.
Since I've been "meaning to do that" for around a year now it may be faster just to get a 3rd drive 

Let me know what you'd like to do

Thanks
Bob


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried -- a Google search mentioned running ComboFix after the infection was already gone, and the SP3 upgrade was installed -- article said ComboFix would repair some things? True?

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

I'm still thinking, and working on it. In the meantime, can you link me to the article you're referring to?


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Ried said:


> I'm still thinking, and working on it. In the meantime, can you link me to the article you're referring to?


Ried,

Glad you're still on it --sounds like you hate not getting to the root of things much as I do !

I'll do another search and see if I can find that statement again-- In the last few weeks I've literally read thousands of statements generated by internet searches -

That search was Google "repair zero access damage" 

Heading out for work --should be back 5ish.

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Well, I'll tell ya - many people post a lot of unauthorized info on ComboFix. 
While it is a fantastic and 'magical' tool that will handle the nastiest of rootkits that no other tool can handle, it can't fix everything. Somehow ZAccess screws up networking on machines. This doesn't happen with every ZA infection - it doesn't break networking the same way on all machines - this is what makes it so darn difficult to find the source. It's like looking for a needle in a haystack and thus far, when all service keys are present, and all appropriate drivers are present, if still no internet - format and reinstall is what has to be done to rectify it.

What makes your situation so unique is that you DO have access. You _can_ manually start yours. Others cannot, no matter what we do.

Let's see if I can get a clue from a different type of log. First, check to make sure you don't already have a C:\windows\ntbtlog.txt. If there is one there, zip it up and attach it to your next reply, then delete it.

Now, please restart your machine and tap F8 - select *Enable Boot Logging* and restart the machine. When it completes booting into Windows, go to C:\Windows\ntbtlog.txt - I'll want to see that one too. If you had a previous log, rename this one to ntbtlog2.txt so you can zip it and attach it.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried,

Doing it now --back in a few.

Bob


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried,

Boot logs attached 


Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Thanks. I need time to go over these. I'll get back to you within the hour.


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Bob - how do you connect your mouse to the machine, usb or PS2?


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Ried said:


> Bob - how do you connect your mouse to the machine, usb or PS2?


Ried,

Usb mouse from dell


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

From another google search



> 2 WinXP machines. Both were recently infected with a virus. Since the virus removal both machines boot up fine with no problems. However the DHCP client service will not start automatically on both machines even though they are both set to start automatically in services. All dependencies are starting. I've tried the winsock repair via dos command, application and registry and each time I restart the computers, the DHCP client still does not start automatically. I have to start it manually after the restart and it works fine after that



After a few posts the original poster posted this



> The problem turned out to be a corrupted afd.sys file. Replace the afd.sys file and then run the tcp/ip and winsock fix. Restart the computer and that should do it!


I recall from one of the boot logs -- afd system driver not loading for a looooooong time.

A programmer friend --custom stuff not windows --said just replace all the dependent services completely and the windows system32 drivers.
I mentioned the sp3 install & he agreed with you, but said some upgrades don't overwrite everything -- files that haven't changed will only be inserted if missing.
His point was if a file is still there but corrupted -- it may not have been replaced -- if we manually replace them --they're replaced for sure.

I'm willing to experiment 
Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

:grin:

I was looking at that afd.sys and been tossing that idea in my head for a while now. Only thing is that it shows it's loading in most recent ntbtlog.txt

Still - I agree with your friend - couldn't hurt to check and replace.

Let me see what copies you have onboard, that I can select from. Run SystemLook and copy/paste the following into the open field, then click the Look button.



> :filefind
> afd.sys


Post the log, please


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried,

Here it is-
SystemLook 30.07.11 by jpshortstuff
Log created at 20:44 on 15/12/2011 by Bob Zoppa
Administrator - Elevation successful

========== filefind ==========

Searching for "afd.sys "
C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys	--a---- 138496 bytes	[15:07 16/10/2008]	[15:07 16/10/2008] 38D7B715504DA4741DF35E3594FE2099
C:\WINDOWS\$hf_mig$\KB2592799\SP3QFE\afd.sys	--a---- 138496 bytes	[16:37 11/12/2011]	[13:41 17/08/2011] F6B7B1ECD7B41736BDB6FF4B092BCB79
C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys	--a---- 138368 bytes	[10:44 20/06/2008]	[10:44 20/06/2008] D99DDFFB33DEACDCF20717CB520379F6
C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys	--a---- 138496 bytes	[11:40 20/06/2008]	[11:40 20/06/2008] E3049B90FE06F3F740B7CFDA44995E2C
C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys	--a---- 138496 bytes	[11:48 20/06/2008]	[11:48 20/06/2008] D6EE6014241D034E63C49A50CB2B442A
C:\WINDOWS\$hf_mig$\KB956803\SP2QFE\afd.sys	--a---- 138368 bytes	[00:05 04/10/2009]	[09:48 14/08/2008] 6A0397376853E604DE8E1E7A87FC08AC
C:\WINDOWS\$hf_mig$\KB956803\SP3GDR\afd.sys	--a---- 138496 bytes	[00:05 04/10/2009]	[10:04 14/08/2008] 7E775010EF291DA96AD17CA4B17137D7
C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys	--a---- 138496 bytes	[00:05 04/10/2009]	[10:34 14/08/2008] 4D43E74F2A1239D53929B82600F1971C
C:\WINDOWS\$NtServicePackUninstall$\afd.sys	-----c- 138368 bytes	[21:49 10/12/2011]	[09:51 14/08/2008] 55E6E1C51B6D30E54335750955453702
C:\WINDOWS\$NtUninstallKB2509553$\afd.sys	-----c- 138496 bytes	[06:41 12/12/2011]	[10:04 14/08/2008] 7E775010EF291DA96AD17CA4B17137D7
C:\WINDOWS\$NtUninstallKB2592799$\afd.sys	-----c- 138496 bytes	[06:54 12/12/2011]	[14:43 16/10/2008] 7618D5218F2A614672EC61A80D854A37
C:\WINDOWS\$NtUninstallKB951748$\afd.sys	-----c- 138496 bytes	[20:40 10/12/2011]	[11:00 10/08/2004] 5AC495F4CB807B2B98AD2AD591E6D92E
C:\WINDOWS\$NtUninstallKB956803$\afd.sys	-----c- 138368 bytes	[21:02 10/12/2011]	[10:44 20/06/2008] 944CA435BFCFC82CC1ED9E3A7D731AA9
C:\WINDOWS\ServicePackFiles\i386\afd.sys	------- 138112 bytes	[21:55 10/12/2011]	[05:49 14/04/2008] 322D0E36693D6E24A2398BEE62A268CD
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\afd.sys	--a---- 138112 bytes	[16:14 30/04/2010]	[19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD
C:\WINDOWS\SoftwareDistribution\Download\a94a6432dbac6901fc5bf15157f718f8\SP2GDR\afd.sys	--a---- 138368 bytes	[20:25 10/12/2011]	[09:51 14/08/2008] 55E6E1C51B6D30E54335750955453702
C:\WINDOWS\SoftwareDistribution\Download\a94a6432dbac6901fc5bf15157f718f8\SP2QFE\afd.sys	--a---- 138368 bytes	[20:25 10/12/2011]	[09:48 14/08/2008] 6A0397376853E604DE8E1E7A87FC08AC
C:\WINDOWS\SoftwareDistribution\Download\a94a6432dbac6901fc5bf15157f718f8\SP3GDR\afd.sys	--a---- 138496 bytes	[20:25 10/12/2011]	[10:04 14/08/2008] 7E775010EF291DA96AD17CA4B17137D7
C:\WINDOWS\SoftwareDistribution\Download\a94a6432dbac6901fc5bf15157f718f8\SP3QFE\afd.sys	--a---- 138496 bytes	[20:25 10/12/2011]	[10:34 14/08/2008] 4D43E74F2A1239D53929B82600F1971C
C:\WINDOWS\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp3gdr\afd.sys	--a---- 138496 bytes	[11:40 20/06/2008]	[11:40 20/06/2008] E3049B90FE06F3F740B7CFDA44995E2C
C:\WINDOWS\SoftwareDistribution\Download\cd75fc2c9aa3d47009fe2d95c9f43154\SP3GDR\afd.sys	--a---- 138496 bytes	[16:37 11/12/2011]	[13:49 17/08/2011] 1E44BC1E83D8FD2305F8D452DB109CF9
C:\WINDOWS\SoftwareDistribution\Download\cd75fc2c9aa3d47009fe2d95c9f43154\SP3QFE\afd.sys	--a---- 138496 bytes	[16:37 11/12/2011]	[13:41 17/08/2011] F6B7B1ECD7B41736BDB6FF4B092BCB79
C:\WINDOWS\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\sp3gdr\afd.sys	--a---- 138496 bytes	[14:43 16/10/2008]	[14:43 16/10/2008] 7618D5218F2A614672EC61A80D854A37
C:\WINDOWS\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\sp3qfe\afd.sys	--a---- 138496 bytes	[15:07 16/10/2008]	[15:07 16/10/2008] 38D7B715504DA4741DF35E3594FE2099
C:\WINDOWS\system32\dllcache\afd.sys	--a--c- 138496 bytes	[11:00 10/08/2004]	[13:49 17/08/2011] 1E44BC1E83D8FD2305F8D452DB109CF9
C:\WINDOWS\system32\drivers\afd.sys	--a---- 138496 bytes	[11:00 10/08/2004]	[13:49 17/08/2011] 1E44BC1E83D8FD2305F8D452DB109CF9

-= EOF =-


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Really, there's no point in replacing it. It was overwritten with the latest SP3 upgrade.



> C:\WINDOWS\SoftwareDistribution\Download\cd75fc2c9aa3d47009fe2d95c9f43154\SP3GDR\afd.sys --a---- 138496 bytes [16:37 11/12/2011] [13:49 17/08/2011] *1E44BC1E83D8FD2305F8D452DB109CF9*
> 
> C:\WINDOWS\system32\dllcache\afd.sys --a--c- 138496 bytes [11:00 10/08/2004] [13:49 17/08/2011] *1E44BC1E83D8FD2305F8D452DB109CF9*
> 
> *C:\WINDOWS\system32\drivers\afd.sys* --a---- 138496 bytes [11:00 10/08/2004] [13:49 17/08/2011] *1E44BC1E83D8FD2305F8D452DB109CF9*


The file highlighted in blue is the file that is called by the key

The file in purple is the dllcache, which is where it would pull a copy from if the system32\drivers file had a problem

The top file path is the SP3 file. Notice how the *MD5*s and file sizes are all the same.

Additionally, if the key itself were messed up in any way:

1. You would not have internet access at all
2. It would have shown up in previous tools I had you run

Let me give this a bit more thought. I'll get back to you later.
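Ried's check above (live afd.sys against the dllcache copy and the SP3 update copy, by size and MD5) done programmatically over a SystemLook :filefind log. This is an added example, not code from the thread or from SystemLook; the log it parses is constructed from five lines of the posted afd.sys listing, and the hash it swaps in for the mismatch case is a made-up value.

```python
"""Check a driver's on-disk copies the way Ried did for afd.sys above:
parse a SystemLook ':filefind' log, find the live file under
system32\\drivers, and compare its MD5 and size with the dllcache copy
(where Windows File Protection restores from) and with the update and
service-pack sources on disk."""
import re

# One result line: path <tab> attrs size bytes <tab> [created] <tab> [modified] MD5
ENTRY_RE = re.compile(
    r'^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes'
    r'\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]'
    r'\s+(?P<md5>[0-9A-Fa-f]{32})\s*$')
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"')


def sample_log(live_md5='1E44BC1E83D8FD2305F8D452DB109CF9'):
    """Constructed log: five lines of the afd.sys listing posted above.
    live_md5 lets a caller give the live copy a hash no other copy shares."""
    rows = [
        ('C:\\WINDOWS\\$hf_mig$\\KB2592799\\SP3QFE\\afd.sys', '--a----', 138496,
         '16:37 11/12/2011', '13:41 17/08/2011', 'F6B7B1ECD7B41736BDB6FF4B092BCB79'),
        ('C:\\WINDOWS\\ServicePackFiles\\i386\\afd.sys', '-------', 138112,
         '21:55 10/12/2011', '05:49 14/04/2008', '322D0E36693D6E24A2398BEE62A268CD'),
        ('C:\\WINDOWS\\SoftwareDistribution\\Download\\cd75fc2c9aa3d47009fe2d95c9f43154'
         '\\SP3GDR\\afd.sys', '--a----', 138496,
         '16:37 11/12/2011', '13:49 17/08/2011', '1E44BC1E83D8FD2305F8D452DB109CF9'),
        ('C:\\WINDOWS\\system32\\dllcache\\afd.sys', '--a--c-', 138496,
         '11:00 10/08/2004', '13:49 17/08/2011', '1E44BC1E83D8FD2305F8D452DB109CF9'),
        ('C:\\WINDOWS\\system32\\drivers\\afd.sys', '--a----', 138496,
         '11:00 10/08/2004', '13:49 17/08/2011', live_md5),
    ]
    body = '\n'.join('%s\t%s %d bytes\t[%s]\t[%s] %s' % r for r in rows)
    return ('SystemLook 30.07.11 by jpshortstuff\n========== filefind ==========\n\n'
            'Searching for "afd.sys "\n' + body + '\n\n-= EOF =-\n')


def parse_filefind(text):
    """Return {file name: [entry dict, ...]} for each 'Searching for' block."""
    found, current = {}, None
    for line in text.splitlines():
        m = SEARCH_RE.match(line)
        if m:
            current = m.group('name').strip().lower()
            found.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            entry = m.groupdict()
            entry['size'] = int(entry['size'])
            entry['md5'] = entry['md5'].upper()
            found[current].append(entry)
    return found


def classify(path):
    """Role of a copy, from where it sits in the XP layout."""
    p = path.lower()
    if '\\system32\\dllcache\\' in p:
        return 'dllcache'
    if '\\system32\\drivers\\' in p:
        return 'live'
    if '\\servicepackfiles\\' in p:
        return 'sp_source'
    if '\\softwaredistribution\\download\\' in p or '\\$hf_mig$\\' in p:
        return 'update'
    if '\\$ntuninstall' in p or '\\$ntservicepackuninstall$' in p:
        return 'uninstall'
    return 'other'


def analyze(entries):
    """Compare the live copy with every other copy SystemLook listed."""
    live = [e for e in entries if classify(e['path']) == 'live']
    if len(live) != 1:
        return {'verdict': 'no-live-copy' if not live else 'several-live-copies'}
    live = live[0]
    cache = [e for e in entries if classify(e['path']) == 'dllcache']
    same = [e for e in entries
            if e is not live and e['md5'] == live['md5'] and e['size'] == live['size']]
    report = {
        'live_md5': live['md5'],
        'live_size': live['size'],
        'matches_dllcache': bool(cache) and cache[0]['md5'] == live['md5'],
        'same_hash_sources': sorted(e['path'] for e in same),
        'distinct_hashes': len({e['md5'] for e in entries}),
    }
    if not report['matches_dllcache']:
        # WFP would hand back a different file than the one loading now.
        report['verdict'] = 'dllcache-mismatch'
    elif any(classify(e['path']) in ('update', 'sp_source') for e in same):
        # Live file, dllcache and an installer source agree: nothing to replace.
        report['verdict'] = 'consistent'
    else:
        # Cache agrees but no installer source does: verify against a known-good copy.
        report['verdict'] = 'no-known-source'
    return report


if __name__ == '__main__':
    for name, entries in parse_filefind(sample_log()).items():
        print(name, analyze(entries))
```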


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ok thinking about what I've manually replaced

Netbt reg key
WINDOWS\system32\drivers\system32 and svchost.exe
Winsock repair done

So off the top of my head WINDOWS\system32\drivers\afd and netbt could be replaced along with many more I don't know of [yet]


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Sorry, posting at the same time again.


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Bob - one more thing I'd like you to do...

Run MiniToolbox again.

Check the box next to *List Devices*, and this time, click the radio button next to *All* and click Go

When it has completed, post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried,

Here it is.
MiniToolBox by Farbar 
Ran by Bob Zoppa (administrator) on 15-12-2011 at 21:23:10
Microsoft Windows XP Professional Service Pack 3 (X86)

***************************************************************************

========================= Devices: ================================

Name: ACPI Multiprocessor PC
Description: ACPI Multiprocessor PC
Class Guid: {4D36E966-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard computers)
Service: \Driver\ACPI_HAL

Name: Microsoft ACPI-Compliant System
Description: Microsoft ACPI-Compliant System
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: ACPI

Name: ACPI Power Button
Description: ACPI Power Button
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: 

Name: Intel(R) Pentium(R) D CPU 2.80GHz
Description: Intel Processor
Class Guid: {50127DC3-0F36-415E-A6CC-4CB3BE910B65}
Manufacturer: Intel
Service: intelppm

Name: Intel(R) Pentium(R) D CPU 2.80GHz
Description: Intel Processor
Class Guid: {50127DC3-0F36-415E-A6CC-4CB3BE910B65}
Manufacturer: Intel
Service: intelppm

Name: PCI bus
Description: PCI bus
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: pci

Name: Intel(R) P965/G965 Processor to I/O Controller – 29A0
Description: Intel(R) P965/G965 Processor to I/O Controller – 29A0
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: Intel
Service: 

Name: Intel(R) P965/G965 PCI Express Root Port – 29A1
Description: Intel(R) P965/G965 PCI Express Root Port – 29A1
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: Intel
Service: pci

Name: NVIDIA GeForce 7300 LE
Description: NVIDIA GeForce 7300 LE
Class Guid: {4D36E968-E325-11CE-BFC1-08002BE10318}
Manufacturer: NVIDIA
Service: nv

Name: HP w19b/w19e Wide LCD Monitor
Description: HP w19b/w19e Wide LCD Monitor
Class Guid: {4D36E96E-E325-11CE-BFC1-08002BE10318}
Manufacturer: HP
Service: 

Name: Intel(R) 82562V 10/100 Network Connection
Description: Intel(R) 82562V 10/100 Network Connection
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Intel
Service: e1express

Name: Intel(R) ICH8 Family USB Universal Host Controller - 2834
Description: Intel(R) ICH8 Family USB Universal Host Controller - 2834
Class Guid: {36FC9E60-C465-11CF-8056-444553540000}
Manufacturer: Intel
Service: usbuhci

Name: USB Root Hub
Description: USB Root Hub
Class Guid: {36FC9E60-C465-11CF-8056-444553540000}
Manufacturer: (Standard USB Host Controller)
Service: usbhub

Name: USB Human Interface Device
Description: USB Human Interface Device
Class Guid: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
Manufacturer: (Standard system devices)
Service: HidUsb

Name: HID-compliant mouse
Description: HID-compliant mouse
Class Guid: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: mouhid

Name: USB Human Interface Device
Description: USB Human Interface Device
Class Guid: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
Manufacturer: (Standard system devices)
Service: HidUsb

Name: HID Keyboard Device
Description: HID Keyboard Device
Class Guid: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard keyboards)
Service: kbdhid

Name: Intel(R) ICH8 Family USB Universal Host Controller - 2835
Description: Intel(R) ICH8 Family USB Universal Host Controller - 2835
Class Guid: {36FC9E60-C465-11CF-8056-444553540000}
Manufacturer: Intel
Service: usbuhci

Name: USB Root Hub
Description: USB Root Hub
Class Guid: {36FC9E60-C465-11CF-8056-444553540000}
Manufacturer: (Standard USB Host Controller)
Service: usbhub

Name: Intel(R) ICH8 Family USB2 Enhanced Host Controller - 283A
Description: Intel(R) ICH8 Family USB2 Enhanced Host Controller - 283A
Class Guid: {36FC9E60-C465-11CF-8056-444553540000}
Manufacturer: Intel
Service: usbehci

Name: USB Root Hub
Description: USB Root Hub
Class Guid: {36FC9E60-C465-11CF-8056-444553540000}
Manufacturer: (Standard USB Host Controller)
Service: usbhub

Name: Microsoft UAA Bus Driver for High Definition Audio
Description: Microsoft UAA Bus Driver for High Definition Audio
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: HDAudBus

Name: SigmaTel High Definition Audio CODEC
Description: SigmaTel High Definition Audio CODEC
Class Guid: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Manufacturer: SigmaTel
Service: STHDA

Name: Intel(R) ICH8 Family PCI Express Root Port 1 - 283F
Description: Intel(R) ICH8 Family PCI Express Root Port 1 - 283F
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: Intel
Service: pci

Name: ATI Unified AVStream Driver
Description: ATI Unified AVStream Driver
Class Guid: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Manufacturer: ATI Technologies
Service: ATIAVPCI

Name: Intel(R) ICH8 Family USB Universal Host Controller - 2830
Description: Intel(R) ICH8 Family USB Universal Host Controller - 2830
Class Guid: {36FC9E60-C465-11CF-8056-444553540000}
Manufacturer: Intel
Service: usbuhci

Name: USB Root Hub
Description: USB Root Hub
Class Guid: {36FC9E60-C465-11CF-8056-444553540000}
Manufacturer: (Standard USB Host Controller)
Service: usbhub

Name: Intel(R) ICH8 Family USB Universal Host Controller - 2831
Description: Intel(R) ICH8 Family USB Universal Host Controller - 2831
Class Guid: {36FC9E60-C465-11CF-8056-444553540000}
Manufacturer: Intel
Service: usbuhci

Name: USB Root Hub
Description: USB Root Hub
Class Guid: {36FC9E60-C465-11CF-8056-444553540000}
Manufacturer: (Standard USB Host Controller)
Service: usbhub

Name: Intel(R) ICH8 Family USB Universal Host Controller - 2832
Description: Intel(R) ICH8 Family USB Universal Host Controller - 2832
Class Guid: {36FC9E60-C465-11CF-8056-444553540000}
Manufacturer: Intel
Service: usbuhci

Name: USB Root Hub
Description: USB Root Hub
Class Guid: {36FC9E60-C465-11CF-8056-444553540000}
Manufacturer: (Standard USB Host Controller)
Service: usbhub

Name: Intel(R) ICH8 Family USB2 Enhanced Host Controller - 2836
Description: Intel(R) ICH8 Family USB2 Enhanced Host Controller - 2836
Class Guid: {36FC9E60-C465-11CF-8056-444553540000}
Manufacturer: Intel
Service: usbehci

Name: USB Root Hub
Description: USB Root Hub
Class Guid: {36FC9E60-C465-11CF-8056-444553540000}
Manufacturer: (Standard USB Host Controller)
Service: usbhub

Name: USB Mass Storage Device
Description: USB Mass Storage Device
Class Guid: {36FC9E60-C465-11CF-8056-444553540000}
Manufacturer: Compatible USB storage device
Service: USBSTOR

Name: TEAC USB HS-CF Card USB Device
Description: Disk drive
Class Guid: {4D36E967-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard disk drives)
Service: disk

Name: Generic volume
Description: Generic volume
Class Guid: {71A27CDD-812A-11D0-BEC7-08002BE2092F}
Manufacturer: Microsoft
Service: 

Name: TEAC USB HS-xD/SM USB Device
Description: Disk drive
Class Guid: {4D36E967-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard disk drives)
Service: disk

Name: Generic volume
Description: Generic volume
Class Guid: {71A27CDD-812A-11D0-BEC7-08002BE2092F}
Manufacturer: Microsoft
Service: 

Name: TEAC USB HS-MS Card USB Device
Description: Disk drive
Class Guid: {4D36E967-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard disk drives)
Service: disk

Name: Generic volume
Description: Generic volume
Class Guid: {71A27CDD-812A-11D0-BEC7-08002BE2092F}
Manufacturer: Microsoft
Service: 

Name: TEAC USB HS-SD Card USB Device
Description: Disk drive
Class Guid: {4D36E967-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard disk drives)
Service: disk

Name: Generic volume
Description: Generic volume
Class Guid: {71A27CDD-812A-11D0-BEC7-08002BE2092F}
Manufacturer: Microsoft
Service: 

Name: Intel(R) 82801 PCI Bridge - 244E
Description: Intel(R) 82801 PCI Bridge - 244E
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: Intel
Service: pci

Name: Intel(R) ICH8DH LPC Interface Controller - 2812
Description: Intel(R) ICH8DH LPC Interface Controller - 2812
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: Intel
Service: isapnp

Name: ISAPNP Read Data Port
Description: ISAPNP Read Data Port
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: 

Name: System board
Description: System board
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: 

Name: Direct memory access controller
Description: Direct memory access controller
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: 

Name: Numeric data processor
Description: Numeric data processor
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: 

Name: Programmable interrupt controller
Description: Programmable interrupt controller
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: 

Name: System speaker
Description: System speaker
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: 

Name: System CMOS/real time clock
Description: System CMOS/real time clock
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: 

Name: System timer
Description: System timer
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: 

Name: Intel(R) ICH8R/DO/DH SATA RAID Controller
Description: Intel(R) ICH8R/DO/DH SATA RAID Controller
Class Guid: {4D36E97B-E325-11CE-BFC1-08002BE10318}
Manufacturer: Intel
Service: iaStor

Name: ST3250824NS
Description: Disk drive
Class Guid: {4D36E967-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard disk drives)
Service: disk

Name: HL-DT-ST DVD-ROM GDRH10N
Description: CD-ROM Drive
Class Guid: {4D36E965-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard CD-ROM drives)
Service: cdrom

Name: TSSTcorp DVD+-RW TS-H553A
Description: CD-ROM Drive
Class Guid: {4D36E965-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard CD-ROM drives)
Service: cdrom

Name: Intel(R) ICH8 Family SMBus Controller - 283E
Description: Intel(R) ICH8 Family SMBus Controller - 283E
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: Intel
Service: 

Name: System board
Description: System board
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: 

Name: Motherboard resources
Description: Motherboard resources
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: 

Name: High Precision Event Timer
Description: High Precision Event Timer
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: Intel
Service: 

Name: ACPI Fixed Feature Button
Description: ACPI Fixed Feature Button
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: 

Name: Logical Disk Manager
Description: Logical Disk Manager
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: dmio

Name: Volume Manager
Description: Volume Manager
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: ftdisk

Name: Generic volume
Description: Generic volume
Class Guid: {71A27CDD-812A-11D0-BEC7-08002BE2092F}
Manufacturer: Microsoft
Service: 

Name: Brother MFC-5840CN LAN #2
Description: Brother MFC-5840CN LAN
Class Guid: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Manufacturer: Brother
Service: StillCam

Name: AFD
Description: AFD
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: AFD

Name: avgio
Description: avgio
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: avgio

Name: avipbb
Description: avipbb
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: avipbb

Name: Beep
Description: Beep
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: Beep

Name: catchme
Description: catchme
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: catchme

Name: Creative SoundFont Management Device Driver
Description: Creative SoundFont Management Device Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: ctsfm2k

Name: dmboot
Description: dmboot
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: dmboot

Name: dmload
Description: dmload
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: dmload

Name: Fips
Description: Fips
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: Fips

Name: Generic Packet Classifier
Description: Generic Packet Classifier
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: Gpc

Name: HTTP
Description: HTTP
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: HTTP

Name: IP Network Address Translator
Description: IP Network Address Translator
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: IpNat

Name: IPSEC driver
Description: IPSEC driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: IPSec

Name: ksecdd
Description: ksecdd
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: ksecdd

Name: mnmdd
Description: mnmdd
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: mnmdd

Name: mountmgr
Description: mountmgr
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: mountmgr

Name: NDIS System Driver
Description: NDIS System Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: NDIS

Name: Remote Access NDIS TAPI Driver
Description: Remote Access NDIS TAPI Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: NdisTapi

Name: NDIS Usermode I/O Protocol
Description: NDIS Usermode I/O Protocol
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: Ndisuio

Name: NDProxy
Description: NDProxy
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: NDProxy

Name: NetBios over Tcpip
Description: NetBios over Tcpip
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: NetBT

Name: Null
Description: Null
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: Null

Name: Creative OS Services Driver
Description: Creative OS Services Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: ossrv

Name: PartMgr
Description: PartMgr
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: PartMgr

Name: ParVdm
Description: ParVdm
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: ParVdm

Name: Remote Access Auto Connection Driver
Description: Remote Access Auto Connection Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: RasAcd

Name: RDPCDD
Description: RDPCDD
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: RDPCDD

Name: ssmdrv
Description: ssmdrv
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: ssmdrv

Name: TCP/IP Protocol Driver
Description: TCP/IP Protocol Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: Tcpip

Name: VgaSave
Description: VgaSave
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: VgaSave

Name: VolSnap
Description: VolSnap
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: VolSnap

Name: Remote Access IP ARP Driver
Description: Remote Access IP ARP Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: Wanarp

Name: Windows Socket 2.0 Non-IFS Service Provider Support Environment
Description: Windows Socket 2.0 Non-IFS Service Provider Support Environment
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: WS2IFSL

Name: Audio Codecs
Description: Audio Codecs
Class Guid: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: audstub

Name: Legacy Audio Drivers
Description: Legacy Audio Drivers
Class Guid: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: audstub

Name: Media Control Devices
Description: Media Control Devices
Class Guid: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: audstub

Name: Legacy Video Capture Devices
Description: Legacy Video Capture Devices
Class Guid: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: audstub

Name: Video Codecs
Description: Video Codecs
Class Guid: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: audstub

Name: WAN Miniport (L2TP)
Description: WAN Miniport (L2TP)
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: Rasl2tp

Name: WAN Miniport (IP)
Description: WAN Miniport (IP)
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: NdisWan

Name: WAN Miniport (PPPOE)
Description: WAN Miniport (PPPOE)
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: RasPppoe

Name: WAN Miniport (PPTP)
Description: WAN Miniport (PPTP)
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: PptpMiniport

Name: WAN Miniport (IP) - Packet Scheduler Miniport
Description: Packet Scheduler Miniport
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: PSched

Name: Intel(R) 82562V 10/100 Network Connection - Packet Scheduler Miniport
Description: Packet Scheduler Miniport
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: PSched

Name: D-Link AirPlus DWL-520+ Wireless PCI Adapter - Packet Scheduler Miniport
Description: Packet Scheduler Miniport
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: PSched

Name: Direct Parallel
Description: Direct Parallel
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: Raspti

Name: Terminal Server Device Redirector
Description: Terminal Server Device Redirector
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: rdpdr

Name: Terminal Server Keyboard Driver
Description: Terminal Server Keyboard Driver
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: TermDD

Name: Terminal Server Mouse Driver
Description: Terminal Server Mouse Driver
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: TermDD

Name: Plug and Play Software Device Enumerator
Description: Plug and Play Software Device Enumerator
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: swenum

Name: Microsoft WINMM WDM Audio Compatibility Driver
Description: Microsoft WINMM WDM Audio Compatibility Driver
Class Guid: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: wdmaud

Name: Microsoft Kernel System Audio Device
Description: Microsoft Kernel System Audio Device
Class Guid: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: sysaudio

Name: Microsoft Streaming Quality Manager Proxy
Description: Microsoft Streaming Quality Manager Proxy
Class Guid: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: MSPQM

Name: RAS Async Adapter
Description: RAS Async Adapter
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: AsyncMac

Name: Microsoft Kernel Wave Audio Mixer
Description: Microsoft Kernel Wave Audio Mixer
Class Guid: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: kmixer

Name: Microcode Update Device
Description: Microcode Update Device
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: update

Name: Microsoft System Management BIOS Driver
Description: Microsoft System Management BIOS Driver
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard system devices)
Service: mssmbios

Name: D-Link AirPlus DWL-520+ Wireless PCI Adapter
Description: D-Link AirPlus DWL-520+ Wireless PCI Adapter
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: D-Link
Service: AIRPLUS
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


**** End of log ****


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Thanks. And yet another tool I'd like to try, to see if any clues can be garnered.

Download driver_service_info.exe and save it to your desktop.

Double click to run it.

A command type window will open and prompt you to enter choices.

We're going to start off with Driver info. At the prompt, type in the letter *D* and press Enter.

At the next prompt, type in the letter *B* for both

It will begin to gather info, then ask you if you want to include LoadOrderGroup info. Type in the letter *Y* for yes and press Enter.

A log will open - please save it to your desktop so you can zip it and attach it to your next post.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried,

All done - sorry for the delay -- I was dealing with my DSL ISP setting their modem back to bridge mode -- that didn't work either; DHCP & TCP/IP NetBIOS Helper still need to be launched manually.

I was also going through my notes and re-reading this post - I don't see that I mentioned the "ping.exe" infection anywhere -- same time as the original issues -- minor compared to what followed, but in case it's relevant -- infected and removed, so the virus scan said.

Zip file with requested log attached

Bob

apparently no spell check in the "File naming box"


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



> DSL ISP setting their modem back to bridge mode


That would have been too easy, wouldn't it. :winkgrin:


Regarding spell check - send a note to Microsoft as a suggestion. :grin:

Ok, now repeat the same steps as above, but in the first prompt, type in *S* for Services.

We still want B for both and still want LoadOrderGroup

Save the log, and please attach it. 

After that, I have to call it a night. I'll go over them tomorrow.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Ried said:


> That would have been too easy, wouldn't it. :winkgrin:
> 
> 
> Regarding spell check - send a note to Microsoft as a suggestion. :grin:
> 
> Ok, now repeat the same steps as above, but in the first prompt, type in *S* for Services.
> 
> We still want B for both and still want LoadOrderGroup
> 
> Save the log, and please attach it.
> 
> After that, I have to call it a night. I'll go over them tomorrow.



Ried -- File attached 

Till tomorrow
Thanks again

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Thanks, Bob. More for you to do, if you don't mind. (I know - gee, what a surprise):winkgrin:

Open SystemLook and copy/paste the following, and click Look button



> :filefind
> parport.sys
> serial.sys


Post the log in your next reply.

====================================

Next, open Notepad and copy/paste the contents inside the quote box below, into Notepad.



Code:


@echo off
rem Capture the NetBIOS name table and the per-interface TCP/IP and NetBT
rem registry settings into nbt.txt, then open that file in Notepad.
>nbt.txt (
nbtstat -n
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces /s
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces /s
)
notepad nbt.txt
rem The batch file deletes itself once the log is open.
del %0

Save it as nbt.bat and as type All Files.

Double click to run it, and please attach the log it produces. No need to zip it, just attach it.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Ried,

It will never be a problem to do more scans/searches.
You guys ever remote in?

Ok, here they are.

Bob
SystemLook
SystemLook 30.07.11 by jpshortstuff
Log created at 19:08 on 16/12/2011 by Bob Zoppa
Administrator - Elevation successful

========== filefind ==========

Searching for "parport.sys"
C:\WINDOWS\$NtServicePackUninstall$\parport.sys	-----c- 80128 bytes	[21:49 10/12/2011]	[11:00 10/08/2004] 29744EB4CE659DFE3B4122DEB45BC478
C:\WINDOWS\ServicePackFiles\i386\parport.sys	------- 80128 bytes	[21:54 10/12/2011]	[05:10 14/04/2008] 5575FAF8F97CE5E713D108C2A58D7C7C
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\parport.sys	--a---- 80128 bytes	[16:15 30/04/2010]	[18:40 13/04/2008] 5575FAF8F97CE5E713D108C2A58D7C7C
C:\WINDOWS\system32\dllcache\parport.sys	--a--c- 80128 bytes	[22:59 03/08/2004]	[05:10 14/04/2008] 5575FAF8F97CE5E713D108C2A58D7C7C
C:\WINDOWS\system32\drivers\parport.sys	--a---- 80128 bytes	[22:59 03/08/2004]	[05:10 14/04/2008] 5575FAF8F97CE5E713D108C2A58D7C7C

Searching for "serial.sys "
C:\WINDOWS\$NtServicePackUninstall$\serial.sys	-----c- 64896 bytes	[21:49 10/12/2011]	[11:00 10/08/2004] CD9404D115A00D249F70A371B46D5A26
C:\WINDOWS\ServicePackFiles\i386\serial.sys	------- 64512 bytes	[21:54 10/12/2011]	[05:45 14/04/2008] CCA207A8896D4C6A0C9CE29A4AE411A7
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\serial.sys	--a---- 64512 bytes	[16:15 30/04/2010]	[19:15 13/04/2008] CCA207A8896D4C6A0C9CE29A4AE411A7
C:\WINDOWS\system32\dllcache\serial.sys	--a--c- 64512 bytes	[11:00 10/08/2004]	[05:45 14/04/2008] CCA207A8896D4C6A0C9CE29A4AE411A7
C:\WINDOWS\system32\drivers\serial.sys	--a---- 64512 bytes	[11:00 10/08/2004]	[05:45 14/04/2008] CCA207A8896D4C6A0C9CE29A4AE411A7

-= EOF =-


And NBT.BAT results

Local Area Connection 4:
Node IpAddress: [192.168.0.100] Scope Id: []

               NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    ROBERTZOPPA    <00>  UNIQUE      Registered
    ROBERTZOPPA    <20>  UNIQUE      Registered
    MSHOME         <00>  GROUP       Registered
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{14352A84-B8B3-40F6-A115-9B3C65167B83}
UseZeroBroadcast	REG_DWORD	0x0
EnableDHCP	REG_DWORD	0x0
IPAddress	REG_MULTI_SZ	0.0.0.0\0\0
SubnetMask	REG_MULTI_SZ	0.0.0.0\0\0
DefaultGateway	REG_MULTI_SZ	\0
EnableDeadGWDetect	REG_DWORD	0x1
DontAddDefaultGateway	REG_DWORD	0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7334FE40-2F39-4C16-B6AD-BDCFA0BF5F98}
UseZeroBroadcast	REG_DWORD	0x0
EnableDHCP	REG_DWORD	0x0
IPAddress	REG_MULTI_SZ	0.0.0.0\0\0
SubnetMask	REG_MULTI_SZ	0.0.0.0\0\0
DefaultGateway	REG_MULTI_SZ	\0
EnableDeadGWDetect	REG_DWORD	0x1
DontAddDefaultGateway	REG_DWORD	0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B86F3C98-1ECE-4901-86C7-5065033C27CB}
UseZeroBroadcast	REG_DWORD	0x0
EnableDeadGWDetect	REG_DWORD	0x1
EnableDHCP	REG_DWORD	0x1
IPAddress	REG_MULTI_SZ	0.0.0.0\0\0
SubnetMask	REG_MULTI_SZ	0.0.0.0\0\0
DefaultGateway	REG_MULTI_SZ	\0
DefaultGatewayMetric	REG_MULTI_SZ	\0
NameServer	REG_SZ	
Domain	REG_SZ	
RegistrationEnabled	REG_DWORD	0x1
RegisterAdapterName	REG_DWORD	0x0
TCPAllowedPorts	REG_MULTI_SZ	\0
UDPAllowedPorts	REG_MULTI_SZ	\0
RawIPAllowedProtocols	REG_MULTI_SZ	\0
NTEContextList	REG_MULTI_SZ	\0
DhcpClassIdBin	REG_BINARY	
DhcpServer	REG_SZ	255.255.255.255
Lease	REG_DWORD	0xe10
LeaseObtainedTime	REG_DWORD	0x4ee8037b
T1	REG_DWORD	0x4ee80a83
T2	REG_DWORD	0x4ee80fc9
LeaseTerminatesTime	REG_DWORD	0x4ee8118b
AddressType	REG_DWORD	0x0
DisableDynamicUpdate	REG_DWORD	0x0
IPAutoconfigurationAddress	REG_SZ	0.0.0.0
IPAutoconfigurationMask	REG_SZ	255.255.0.0
IPAutoconfigurationSeed	REG_DWORD	0x0
IsServerNapAware	REG_DWORD	0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CB04D831-A721-4082-84B9-8C0062C24FA2}
UseZeroBroadcast	REG_DWORD	0x0
EnableDeadGWDetect	REG_DWORD	0x1
EnableDHCP	REG_DWORD	0x1
IPAddress	REG_MULTI_SZ	0.0.0.0\0\0
SubnetMask	REG_MULTI_SZ	0.0.0.0\0\0
DefaultGateway	REG_MULTI_SZ	\0
DefaultGatewayMetric	REG_MULTI_SZ	\0
NameServer	REG_SZ	
Domain	REG_SZ	
RegistrationEnabled	REG_DWORD	0x1
RegisterAdapterName	REG_DWORD	0x0
TCPAllowedPorts	REG_MULTI_SZ	0\0\0
UDPAllowedPorts	REG_MULTI_SZ	0\0\0
RawIPAllowedProtocols	REG_MULTI_SZ	0\0\0
NTEContextList	REG_MULTI_SZ	0x00000002\0\0
DhcpClassIdBin	REG_BINARY	
DhcpServer	REG_SZ	192.168.0.1
Lease	REG_DWORD	0x93a80
LeaseObtainedTime	REG_DWORD	0x4eeb3f03
T1	REG_DWORD	0x4eefdc43
T2	REG_DWORD	0x4ef35233
LeaseTerminatesTime	REG_DWORD	0x4ef47983
IPAutoconfigurationAddress	REG_SZ	0.0.0.0
IPAutoconfigurationMask	REG_SZ	255.255.0.0
IPAutoconfigurationSeed	REG_DWORD	0x0
AddressType	REG_DWORD	0x0
IsServerNapAware	REG_DWORD	0x0
DhcpIPAddress	REG_SZ	192.168.0.100
DhcpSubnetMask	REG_SZ	255.255.255.0
DhcpRetryTime	REG_DWORD	0x49d40
DhcpRetryStatus	REG_DWORD	0x0
DhcpNameServer	REG_SZ	192.168.0.1
DhcpDefaultGateway	REG_MULTI_SZ	192.168.0.1\0\0
DhcpSubnetMaskOpt	REG_MULTI_SZ	255.255.255.0\0\0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DA836B17-F05A-455A-804B-6AD9C2381057}
UseZeroBroadcast	REG_DWORD	0x0
EnableDeadGWDetect	REG_DWORD	0x1
EnableDHCP	REG_DWORD	0x1
IPAddress	REG_MULTI_SZ	0.0.0.0\0\0
SubnetMask	REG_MULTI_SZ	0.0.0.0\0\0
DefaultGateway	REG_MULTI_SZ	\0
DefaultGatewayMetric	REG_MULTI_SZ	\0
NameServer	REG_SZ	
Domain	REG_SZ	
RegistrationEnabled	REG_DWORD	0x1
RegisterAdapterName	REG_DWORD	0x0
TCPAllowedPorts	REG_MULTI_SZ	\0
UDPAllowedPorts	REG_MULTI_SZ	\0
RawIPAllowedProtocols	REG_MULTI_SZ	\0
NTEContextList	REG_MULTI_SZ	0x00000003\0\0
DhcpClassIdBin	REG_BINARY	
AddressType	REG_DWORD	0x0
DisableDynamicUpdate	REG_DWORD	0x0

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{B86F3C98-1ECE-4901-86C7-5065033C27CB}
NameServerList	REG_MULTI_SZ	\0
NetbiosOptions	REG_DWORD	0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{CB04D831-A721-4082-84B9-8C0062C24FA2}
NameServerList	REG_MULTI_SZ	\0
NetbiosOptions	REG_DWORD	0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{DA836B17-F05A-455A-804B-6AD9C2381057}
NameServerList	REG_MULTI_SZ	\0
NetbiosOptions	REG_DWORD	0x0

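Reading the nbt.bat output above by hand means comparing five registry blocks line by line. The following Python script is an added example, not something posted in this thread: it parses the `reg query` layout that XP's reg.exe 3.0 prints (value name, type, data separated by whitespace, `REG_MULTI_SZ` entries joined with literal `\0`), keeps only the keys under `Tcpip\Parameters\Interfaces` (the NetBT keys that follow are ignored so their values cannot be mis-attributed to the last TCP/IP interface), decodes the DHCP lease timestamps, which Windows stores as Unix epoch seconds, and classifies each adapter. The sample text is a trimmed copy of the log posted above (three of the five interfaces); the state labels (`dhcp-leased`, `dhcp-no-lease`, `static`, `static-unconfigured`) and the reading of `DhcpServer = 255.255.255.255` plus a missing `DhcpIPAddress` as "no server ever answered on this adapter" are this example's own assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a trimmed copy of the nbt.bat log posted in the thread
# (three of the five Tcpip interfaces plus one NetBT key), in the layout
# reg.exe 3.0 prints. Raw string so that "\0" stays a literal backslash-zero.
SAMPLE_NBT_LOG = r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{14352A84-B8B3-40F6-A115-9B3C65167B83}
    UseZeroBroadcast    REG_DWORD    0x0
    EnableDHCP    REG_DWORD    0x0
    IPAddress    REG_MULTI_SZ    0.0.0.0\0\0
    SubnetMask    REG_MULTI_SZ    0.0.0.0\0\0
    DefaultGateway    REG_MULTI_SZ    \0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B86F3C98-1ECE-4901-86C7-5065033C27CB}
    EnableDHCP    REG_DWORD    0x1
    IPAddress    REG_MULTI_SZ    0.0.0.0\0\0
    DhcpServer    REG_SZ    255.255.255.255
    Lease    REG_DWORD    0xe10
    LeaseObtainedTime    REG_DWORD    0x4ee8037b
    IPAutoconfigurationAddress    REG_SZ    0.0.0.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CB04D831-A721-4082-84B9-8C0062C24FA2}
    EnableDHCP    REG_DWORD    0x1
    IPAddress    REG_MULTI_SZ    0.0.0.0\0\0
    NameServer    REG_SZ    
    DhcpServer    REG_SZ    192.168.0.1
    Lease    REG_DWORD    0x93a80
    LeaseObtainedTime    REG_DWORD    0x4eeb3f03
    LeaseTerminatesTime    REG_DWORD    0x4ef47983
    DhcpIPAddress    REG_SZ    192.168.0.100
    DhcpSubnetMask    REG_SZ    255.255.255.0
    DhcpNameServer    REG_SZ    192.168.0.1
    DhcpDefaultGateway    REG_MULTI_SZ    192.168.0.1\0\0

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{CB04D831-A721-4082-84B9-8C0062C24FA2}
    NameServerList    REG_MULTI_SZ    \0
    NetbiosOptions    REG_DWORD    0x0
"""

# Only per-adapter keys under Tcpip\Parameters\Interfaces\{GUID} are of interest.
TCPIP_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip"
    r"\\Parameters\\Interfaces\\(\{[0-9A-Fa-f-]+\})\s*$")
# "<name> <REG_TYPE> <data>"; data may be empty (e.g. NameServer REG_SZ "").
VALUE_RE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s*(.*?)\s*$")


def decode_value(reg_type, raw):
    """Turn reg.exe's textual data into Python values."""
    if reg_type == "REG_DWORD":
        return int(raw, 16)                      # printed as 0x...
    if reg_type == "REG_MULTI_SZ":
        return [s for s in raw.split("\\0") if s]  # literal \0 separators
    return raw


def parse_tcpip_interfaces(text):
    """Map interface GUID -> {value name: decoded value} for Tcpip interfaces only."""
    interfaces, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            m = TCPIP_KEY_RE.match(line)
            current = m.group(1) if m else None   # leave NetBT/parent keys out
            if current:
                interfaces[current] = {}
            continue
        m = VALUE_RE.match(line) if current and line.strip() else None
        if m:
            name, reg_type, raw = m.groups()
            interfaces[current][name] = decode_value(reg_type, raw)
    return interfaces


def utc_string(epoch):
    """DHCP lease times are stored as Unix epoch seconds."""
    if epoch is None:
        return None
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")


def summarize(values):
    """Classify one adapter so the odd one out is visible at a glance."""
    dhcp_on = values.get("EnableDHCP") == 1
    leased = values.get("DhcpIPAddress")
    static = [a for a in values.get("IPAddress", []) if a != "0.0.0.0"]
    if dhcp_on and leased:
        state = "dhcp-leased"
    elif dhcp_on:
        # Assumption: no DhcpIPAddress and DhcpServer left at the broadcast
        # placeholder 255.255.255.255 means no DHCP server ever answered here.
        state = "dhcp-no-lease"
    else:
        state = "static" if static else "static-unconfigured"
    gateway = values.get("DhcpDefaultGateway") or values.get("DefaultGateway") or [None]
    return {
        "state": state,
        "address": leased or (static[0] if static else None),
        "dhcp_server": values.get("DhcpServer"),
        "gateway": gateway[0],
        "lease_seconds": values.get("Lease"),
        "obtained_epoch": values.get("LeaseObtainedTime"),
        "obtained_utc": utc_string(values.get("LeaseObtainedTime")),
    }


def summarize_all(text):
    return {guid: summarize(vals) for guid, vals in parse_tcpip_interfaces(text).items()}


if __name__ == "__main__":
    for guid, s in summarize_all(SAMPLE_NBT_LOG).items():
        print(guid, s)
```

Run against the full nbt.txt the script shows which GUID actually holds the working lease (here 192.168.0.100 from 192.168.0.1, a seven-day lease), which DHCP-enabled adapter never received an answer, and which entries are static but carry no address at all; that is the information to match against the adapter names in Device Manager and the DHCP Client service state before deciding whether the problem is a dead adapter binding or the service not starting.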

----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

No, we do not remote in. 

I need to do some research and think on this a bit more. I'll be back as soon as possible. Thanks for your patience.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried- HELP

I don't freaking believe this 
While on the net shopping for tires got nailed again !!!!

win32.Zacess,aml and to add insult to injury - XPsecurity 2012
Kaspersky got out the rootkit and I found and dug out most of the XPsecurity 2012 stuff but am still having trouble launching any .exe files -- I get sent to the Open With box

Otherwise though after I deal with that same as always everything works after I launch DHCP manually

Bob


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Can we run Combofix and repair the Reg key blocking the exe ?

In the meantime I'll try to run all the scans again

Can't swear here right ? This allowed? %&*^#@$ and #@$%&*^

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

I wish you hadn't allowed Kaspersky to do anything with it, or you digging into registry. You remove potential markers that would trigger specific routines in our specialty tools. :sad:

Before you run ComboFix, I need to see the current state of the machine. Run a scan with dds.scr and gmer, same as you did in the beginning of this thread. Try renaming gmer.exe to gmer.com to run it.

Post those logs, don't do anything else - wait for instructions from me.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ok got back the ability to run .exe's 

Bob
PS the people that set these viruses loose deserve to be horsewhipped, tarred & feathered, thrown in jail etc. etc. --
Ok sorry, rant over

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Rant understandable. 

Getting those logs for me?


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Ried said:


> I wish you hadn't allowed Kaspersky to do anything with it, or you digging into registry. You remove potential markers that would trigger specific routines in our specialty tools. :sad:
> 
> Before you run ComboFix, I need to see the current state of the machine. Run a scan with dds.scr and gmer, same as you did in the beginning of this thread. Try renaming gmer.exe to gmer.com to run it.
> 
> Post those logs, don't do anything else - wait for instructions from me.


Whoops sorry see above post  

Going to run the scans now.
I'll post the dds then run gmer -- that one runs for close to 2 hrs right? And as I recall last few times ran but didn't generate any reports.

Bob


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried,

Here's the DDS scans -- I'll start the gmer now.

Bob

.
DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_26
Run by Bob Zoppa at 16:36:09 on 2011-12-17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1374 [GMT -5:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://mail.csgrp.com/owa/auth/logon.aspx?replaceCurrent=1&url=https://mail.csgrp.com/owa/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1323208587515
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{CB04D831-A721-4082-84B9-8C0062C24FA2} : DhcpNameServer = 192.168.0.1
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\bob zoppa\application data\mozilla\firefox\profiles\kn6t9xu8.default\
FF - prefs.js: browser.startup.homepage - hxxp://headlines.verizon.com/headlines/portals/headlines.portal
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\bob zoppa\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-5-29 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-5-29 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-5-29 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-5-29 66616]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
.
=============== Created Last 30 ================
.
2011-12-15 04:39:12	221184	-c--a-w-	c:\windows\system32\dllcache\wmpns.dll
2011-12-13 14:59:06	72080	----a-w-	c:\documents and settings\bob zoppa\g2mdlhlpx.exe
2011-12-13 01:52:25	--------	d-----w-	c:\program files\nLite
2011-12-12 19:31:19	116224	-c--a-w-	c:\windows\system32\dllcache\xrxwiadr.dll
2011-12-12 19:31:16	23040	-c--a-w-	c:\windows\system32\dllcache\xrxwbtmp.dll
2011-12-12 19:31:15	18944	-c--a-w-	c:\windows\system32\dllcache\xrxscnui.dll
2011-12-12 19:31:11	27648	-c--a-w-	c:\windows\system32\dllcache\xrxftplt.exe
2011-12-12 19:31:07	4608	-c--a-w-	c:\windows\system32\dllcache\xrxflnch.exe
2011-12-12 19:29:59	29311	-c--a-w-	c:\windows\system32\dllcache\watv01nt.sys
2011-12-12 19:28:59	224802	-c--a-w-	c:\windows\system32\dllcache\usr1807a.sys
2011-12-12 19:27:58	11520	-c--a-w-	c:\windows\system32\dllcache\twotrack.sys
2011-12-12 19:26:57	138528	-c--a-w-	c:\windows\system32\dllcache\tgiulnt5.sys
2011-12-12 19:25:57	10240	-c--a-w-	c:\windows\system32\dllcache\swpdflt2.dll
2011-12-12 19:24:59	20752	-c--a-w-	c:\windows\system32\dllcache\sonync.sys
2011-12-12 19:23:57	157696	-c--a-w-	c:\windows\system32\dllcache\sisv256.dll
2011-12-12 19:22:58	11648	-c--a-w-	c:\windows\system32\dllcache\scsiprnt.sys
2011-12-12 19:21:59	82432	-c--a-w-	c:\windows\system32\dllcache\rwia450.dll
2011-12-12 19:20:59	49024	-c--a-w-	c:\windows\system32\dllcache\ql1280.sys
2011-12-12 19:19:59	173696	-c--a-w-	c:\windows\system32\dllcache\philcam2.sys
2011-12-12 19:18:58	20480	-c--a-w-	c:\windows\system32\dllcache\ovcomc.dll
2011-12-12 19:17:59	87040	-c--a-w-	c:\windows\system32\dllcache\nm6wdm.sys
2011-12-12 19:16:57	21888	-c--a-w-	c:\windows\system32\dllcache\mxcard.sys
2011-12-12 19:16:52	103296	-c--a-w-	c:\windows\system32\dllcache\mtxvideo.sys
2011-12-12 19:16:46	49024	-c--a-w-	c:\windows\system32\dllcache\mstape.sys
2011-12-12 19:16:42	12416	-c--a-w-	c:\windows\system32\dllcache\msriffwv.sys
2011-12-12 19:16:37	2944	-c--a-w-	c:\windows\system32\dllcache\msmpu401.sys
2011-12-12 19:16:36	22016	-c--a-w-	c:\windows\system32\dllcache\msircomm.sys
2011-12-12 19:16:29	35200	-c--a-w-	c:\windows\system32\dllcache\msgame.sys
2011-12-12 19:16:26	6016	-c--a-w-	c:\windows\system32\dllcache\msfsio.sys
2011-12-12 19:16:25	51200	-c--a-w-	c:\windows\system32\dllcache\msdv.sys
2011-12-12 19:16:19	17280	-c--a-w-	c:\windows\system32\dllcache\mraid35x.sys
2011-12-12 19:16:07	16128	-c--a-w-	c:\windows\system32\dllcache\modemcsa.sys
2011-12-12 19:16:03	6528	-c--a-w-	c:\windows\system32\dllcache\miniqic.sys
2011-12-12 19:14:57	15744	-c--a-w-	c:\windows\system32\dllcache\lit220p.sys
2011-12-12 19:13:57	45632	-c--a-w-	c:\windows\system32\dllcache\ip5515.sys
2011-12-12 19:12:58	9216	-c--a-w-	c:\windows\system32\dllcache\ibmsgnet.dll
2011-12-12 19:11:59	19456	-c--a-w-	c:\windows\system32\dllcache\hr1w.dll
2011-12-12 19:10:58	1733120	-c--a-w-	c:\windows\system32\dllcache\g400d.dll
2011-12-12 19:09:56	43008	-c--a-w-	c:\windows\system32\dllcache\esucm.dll
2011-12-12 19:08:58	19594	-c--a-w-	c:\windows\system32\dllcache\e100isa4.sys
2011-12-12 19:07:58	110592	-c--a-w-	c:\windows\system32\dllcache\dc260usd.dll
2011-12-12 19:06:58	8192	-c--a-w-	c:\windows\system32\dllcache\changer.sys
2011-12-12 19:05:59	9728	-c--a-w-	c:\windows\system32\dllcache\brcoinst.dll
2011-12-12 19:04:59	762780	-c--a-w-	c:\windows\system32\dllcache\3cwmcru.sys
2011-12-12 19:04:59	689216	-c--a-w-	c:\windows\system32\dllcache\3dfxvs.dll
2011-12-12 19:04:59	11264	-c--a-w-	c:\windows\system32\dllcache\1394vdbg.sys
2011-12-12 19:04:58	53376	-c--a-w-	c:\windows\system32\dllcache\1394bus.sys
2011-12-12 19:04:39	66048	-c--a-w-	c:\windows\system32\dllcache\s3legacy.dll
2011-12-12 04:50:55	--------	d-----w-	c:\program files\ESET
2011-12-10 21:55:59	22528	-c--a-w-	c:\windows\system32\dllcache\lpdsvc.dll
2011-12-10 21:54:55	218112	-c--a-w-	c:\windows\system32\dllcache\c_g18030.dll
2011-12-10 21:54:52	26624	-c--a-w-	c:\windows\system32\dllcache\fxsdrv.dll
2011-12-10 21:54:51	29184	-c--a-w-	c:\windows\system32\dllcache\rw330ext.dll
2011-12-10 21:54:46	35328	-c--a-w-	c:\windows\system32\dllcache\iprip.dll
2011-12-10 21:54:43	142848	-c--a-w-	c:\windows\system32\dllcache\fxsclnt.exe
2011-12-10 21:54:42	6144	-c--a-w-	c:\windows\system32\dllcache\kbdax2.dll
2011-12-10 21:54:42	456192	-c--a-w-	c:\windows\system32\dllcache\smtpsvc.dll
2011-12-10 21:54:40	33792	-c--a-w-	c:\windows\system32\dllcache\lmmib2.dll
2011-12-10 21:54:31	39936	-c--a-w-	c:\windows\system32\dllcache\snmpthrd.dll
2011-12-10 21:54:31	331264	-c--a-w-	c:\windows\system32\dllcache\aqueue.dll
2011-12-10 21:54:31	101888	-c--a-w-	c:\windows\system32\dllcache\evntagnt.dll
2011-12-10 21:13:42	--------	d-----w-	c:\documents and settings\bob zoppa\application data\TeamViewer
2011-12-10 20:23:08	2192768	-c--a-w-	c:\windows\system32\dllcache\ntoskrnl.exe
2011-12-10 20:15:32	5120	----a-w-	c:\windows\system32\xpsp4res.dll
2011-12-09 23:59:57	81920	------w-	c:\windows\system32\BrWebIns.dll
2011-12-09 23:59:57	65536	------w-	c:\windows\system32\Brwebup.exe
2011-12-09 23:59:57	513536	------w-	c:\program files\common files\installshield\webupdate\Iftw.exe
2011-12-09 23:59:57	331776	------w-	c:\program files\common files\installshield\webupdate\WebUpdate.exe
2011-12-09 23:59:57	24576	------w-	c:\program files\common files\installshield\webupdate\RasThunk.dll
2011-12-09 23:59:57	176128	------w-	c:\windows\system32\Pdrvinst.dll
2011-12-09 23:59:57	132096	------w-	c:\program files\common files\installshield\webupdate\ISiteLite.dll
2011-12-09 23:59:54	126976	------w-	c:\windows\system32\BrfxD04a.dll
2011-12-09 23:58:42	692224	----a-w-	c:\program files\common files\installshield\professional\runtime\0701\intel32\iKernel.dll
2011-12-09 23:58:42	57344	----a-w-	c:\program files\common files\installshield\professional\runtime\0701\intel32\ctor.dll
2011-12-09 23:58:42	5632	----a-w-	c:\program files\common files\installshield\professional\runtime\0701\intel32\DotNetInstaller.exe
2011-12-09 23:58:42	237568	----a-w-	c:\program files\common files\installshield\professional\runtime\0701\intel32\iscript.dll
2011-12-09 23:58:42	155648	----a-w-	c:\program files\common files\installshield\professional\runtime\0701\intel32\iuser.dll
2011-12-09 23:58:41	282756	----a-w-	c:\program files\common files\installshield\professional\runtime\0701\intel32\setup.dll
2011-12-09 23:58:41	163972	----a-w-	c:\program files\common files\installshield\professional\runtime\0701\intel32\iGdi.dll
2011-12-09 23:57:40	--------	d-----w-	c:\program files\common files\ScanSoft Shared
2011-12-09 23:16:56	98816	----a-w-	c:\windows\sed.exe
2011-12-09 23:16:56	518144	----a-w-	c:\windows\SWREG.exe
2011-12-09 23:16:56	256000	----a-w-	c:\windows\PEV.exe
2011-12-09 23:16:56	208896	----a-w-	c:\windows\MBR.exe
2011-12-07 12:27:17	485920	----a-w-	c:\windows\system32\nvuninst.exe
2011-12-07 12:27:17	485920	----a-w-	c:\windows\system32\nvudisp.exe
2011-12-06 21:07:59	18944	-c--a-w-	c:\windows\system32\dllcache\simptcp.dll
2011-12-06 21:06:59	43520	-c--a-w-	c:\windows\system32\dllcache\EXCH_fcachdll.dll
2011-12-06 20:44:04	24661	-c--a-w-	c:\windows\system32\dllcache\spxcoins.dll
2011-12-06 20:44:04	24661	----a-w-	c:\windows\system32\spxcoins.dll
2011-12-06 20:44:04	13312	-c--a-w-	c:\windows\system32\dllcache\irclass.dll
2011-12-06 20:44:04	13312	----a-w-	c:\windows\system32\irclass.dll
2011-11-30 02:01:31	--------	d-----w-	c:\windows\_ISTMP1.DIR
.
==================== Find3M ====================
.
2011-12-17 19:48:28	62976	----a-w-	c:\windows\system32\drivers\cdrom.sys
2011-10-10 14:22:41	692736	----a-w-	c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50	599040	----a-w-	c:\windows\system32\crypt32.dll
2011-09-26 16:41:20	611328	----a-w-	c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20	220160	----a-w-	c:\windows\system32\oleacc.dll
2011-09-26 16:41:14	20480	----a-w-	c:\windows\system32\oleaccrc.dll
2011-09-19 13:19:53	404640	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 16:36:26.00 ===============


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Are you having trouble with gmer?


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Ried,

It's still scanning just over 90min so far

How do I tell when it's all done and I should hit save ? 
Last few times it stopped scanning around the 2 hr mark but nothing obvious told me it was done -- each time waited a half hr or so and tried again -- nothing

Sent from another computer -- don't want to mess up the scan.

Oh, one more thing - I'm set for instant notification -- who's it notifying???
Nothing changes at my end -- I just refresh the page periodically to see if you've replied

Bob.


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

It's notifying you via email. When I make a reply, you should receive an email telling you that. It would be sent to the email address that you used when you registered with the forum.

How far along is it in the scan? Look toward the bottom of the window and you'll see the file path it's currently scanning


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ok --didn't look at that email account -have to change the "check for new mail" settings--I usually use 1/2 hr time frames to check email and messages -- otherwise I'd never get anything done.

Path as of 6:27 pm is c:\windows\servicepackfile\i386

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

May as well find something to do and let it scan. You'll know when it's done. It does not automatically save a log - you have to tell it to - so be sure to click Save Log when it has completed.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried,

Success!! 2 hrs 10 min of sitting on pins and needles

Here it is.

Bob

gmer ark log zipped


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Sorry for the delay - needed dinner. :smile:

Now that I can see what's there, we can run ComboFix. The copy you have will be quite outdated, so please delete it and download the latest version from *here*. Save it to the desktop.

Disable all active protection programs, then double click ComboFix.exe and let it run. Follow all prompts, then please post the C:\ComboFix.txt when it has completed.

** If you run into any problems running ComboFix - don't do anything - contact me and post the issue that you're having and I'll guide you from there.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ok Combofix running now 8:12pm

Noticed two things: was asked to turn off my virus software -- it already was off.
Was asked to install recovery console [I accepted] but it's already been installed.
ComboFix just said it found zero access rootkit

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

How did you disable the AV?



> Was asked to install recovery console [i accepted] but it's already been installed


Note the full message when prompted to install the Recovery Console --

You did fine allowing it to install again.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

While waiting, what if any is the best defense against reinfection?
I'm online a lot -- work primarily from home, lots of research, all my shopping too.

Was on a forum researching tires - a video link opened and a sec later my virus software informed me of the infection.
Pop ups are disabled, auto run is off, updates current

I swear I'm at the point of another machine just for web access -nothing else on it so when it gets whacked I can just reformat and install xp and a browser

Bob


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried,


> How did you disable the AV?

Open the software and disable it

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Is the little umbrella in the task bar closed? :smile:


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Ried,

Yep umbrella closed

Yay, ComboFix done. The log is attached, too long to post.

Bob
ps dhcp and netbios helper still need manually started

ComboFix 11-12-17.05 - Bob Zoppa 12/17/2011 20:17:08.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1593 [GMT -5:00]
Running from: c:\documents and settings\Bob Zoppa\Desktop\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Bob Zoppa\g2mdlhlpx.exe
c:\windows\$NtUninstallKB61424$
c:\windows\$NtUninstallKB61424$\1999608031\@
c:\windows\$NtUninstallKB61424$\1999608031\bckfg.tmp
c:\windows\$NtUninstallKB61424$\1999608031\cfg.ini
c:\windows\$NtUninstallKB61424$\1999608031\Desktop.ini
c:\windows\$NtUninstallKB61424$\1999608031\kwrd.dll
c:\windows\$NtUninstallKB61424$\1999608031\L\zmiqparx
c:\windows\$NtUninstallKB61424$\1999608031\U\[email protected]
c:\windows\$NtUninstallKB61424$\1999608031\U\[email protected]
c:\windows\$NtUninstallKB61424$\1999608031\U\[email protected]
c:\windows\$NtUninstallKB61424$\1999608031\U\[email protected]
c:\windows\$NtUninstallKB61424$\1999608031\U\[email protected]
c:\windows\$NtUninstallKB61424$\1999608031\U\[email protected]
c:\windows\$NtUninstallKB61424$\2986275336
.
.
((((((((((((((((((((((((( Files Created from 2011-11-18 to 2011-12-18 )))))))))))))))))))))))))))))))
.
.
2011-12-15 02:12 . 2011-12-15 02:20	--------	d-----w-	c:\documents and settings\Bob Zoppa\Application Data\ImgBurn
2011-12-15 02:07 . 2011-12-15 02:07	--------	d-----w-	c:\program files\ImgBurn
2011-12-13 01:52 . 2011-12-13 02:32	--------	d-----w-	c:\program files\nLite
2011-12-12 19:23 . 2001-07-21 19:29	161568	-c--a-w-	c:\windows\system32\dllcache\sgsmusb.sys
2011-12-12 19:23 . 2001-07-21 19:29	18400	-c--a-w-	c:\windows\system32\dllcache\sgsmld.sys
2011-12-12 19:23 . 2001-08-17 17:51	98080	-c--a-w-	c:\windows\system32\dllcache\sgiulnt5.sys
2011-12-12 19:23 . 2001-08-18 03:36	386560	-c--a-w-	c:\windows\system32\dllcache\sgiul50.dll
2011-12-12 19:23 . 2001-08-17 17:19	36480	-c--a-w-	c:\windows\system32\dllcache\sfmanm.sys
2011-12-12 19:23 . 2001-08-17 18:48	17664	-c--a-w-	c:\windows\system32\dllcache\sermouse.sys
2011-12-12 19:23 . 2001-08-17 18:53	6912	-c--a-w-	c:\windows\system32\dllcache\seaddsmc.sys
2011-12-12 19:23 . 2008-04-14 05:15	11520	-c--a-w-	c:\windows\system32\dllcache\scsiscan.sys
2011-12-12 19:21 . 2001-08-18 03:36	82432	-c--a-w-	c:\windows\system32\dllcache\rwia450.dll
2011-12-12 19:20 . 2001-08-17 18:52	49024	-c--a-w-	c:\windows\system32\dllcache\ql1280.sys
2011-12-12 19:19 . 2001-08-17 19:04	173696	-c--a-w-	c:\windows\system32\dllcache\philcam2.sys
2011-12-12 19:18 . 2001-08-18 03:36	20480	-c--a-w-	c:\windows\system32\dllcache\ovcomc.dll
2011-12-12 19:17 . 2001-08-17 17:20	87040	-c--a-w-	c:\windows\system32\dllcache\nm6wdm.sys
2011-12-12 19:16 . 2001-08-17 18:50	21888	-c--a-w-	c:\windows\system32\dllcache\mxcard.sys
2011-12-12 19:16 . 2001-08-17 17:50	103296	-c--a-w-	c:\windows\system32\dllcache\mtxvideo.sys
2011-12-12 19:16 . 2008-04-14 05:16	49024	-c--a-w-	c:\windows\system32\dllcache\mstape.sys
2011-12-12 19:16 . 2001-08-17 18:48	12416	-c--a-w-	c:\windows\system32\dllcache\msriffwv.sys
2011-12-12 19:16 . 2001-08-17 19:00	2944	-c--a-w-	c:\windows\system32\dllcache\msmpu401.sys
2011-12-12 19:16 . 2008-04-14 05:24	22016	-c--a-w-	c:\windows\system32\dllcache\msircomm.sys
2011-12-12 19:16 . 2001-08-17 19:02	35200	-c--a-w-	c:\windows\system32\dllcache\msgame.sys
2011-12-12 19:16 . 2001-08-17 18:48	6016	-c--a-w-	c:\windows\system32\dllcache\msfsio.sys
2011-12-12 19:16 . 2008-04-14 05:16	51200	-c--a-w-	c:\windows\system32\dllcache\msdv.sys
2011-12-12 19:16 . 2001-08-17 18:52	17280	-c--a-w-	c:\windows\system32\dllcache\mraid35x.sys
2011-12-12 19:16 . 2001-08-17 18:57	16128	-c--a-w-	c:\windows\system32\dllcache\modemcsa.sys
2011-12-12 19:16 . 2001-08-17 18:52	6528	-c--a-w-	c:\windows\system32\dllcache\miniqic.sys
2011-12-12 19:14 . 2001-08-17 18:51	15744	-c--a-w-	c:\windows\system32\dllcache\lit220p.sys
2011-12-12 19:13 . 2001-08-17 17:12	45632	-c--a-w-	c:\windows\system32\dllcache\ip5515.sys
2011-12-12 19:12 . 2001-08-18 03:34	9216	-c--a-w-	c:\windows\system32\dllcache\ibmsgnet.dll
2011-12-12 19:11 . 2001-08-18 03:36	19456	-c--a-w-	c:\windows\system32\dllcache\hr1w.dll
2011-12-12 19:10 . 2001-08-17 19:56	1733120	-c--a-w-	c:\windows\system32\dllcache\g400d.dll
2011-12-12 19:09 . 2008-04-14 03:06	137088	-c--a-w-	c:\windows\system32\dllcache\essm2e.sys
2011-12-12 19:08 . 2001-08-17 17:12	19594	-c--a-w-	c:\windows\system32\dllcache\e100isa4.sys
2011-12-12 19:07 . 2001-08-18 03:36	110592	-c--a-w-	c:\windows\system32\dllcache\dc260usd.dll
2011-12-12 19:06 . 2008-04-14 05:11	8192	-c--a-w-	c:\windows\system32\dllcache\changer.sys
2011-12-12 19:05 . 2001-08-18 03:36	9728	-c--a-w-	c:\windows\system32\dllcache\brcoinst.dll
2011-12-12 19:04 . 2001-08-17 19:55	689216	-c--a-w-	c:\windows\system32\dllcache\3dfxvs.dll
2011-12-12 19:04 . 2001-08-17 19:06	11264	-c--a-w-	c:\windows\system32\dllcache\1394vdbg.sys
2011-12-12 19:04 . 2001-08-17 18:28	762780	-c--a-w-	c:\windows\system32\dllcache\3cwmcru.sys
2011-12-12 19:04 . 2008-04-14 05:16	53376	-c--a-w-	c:\windows\system32\dllcache\1394bus.sys
2011-12-12 19:04 . 2001-08-17 19:56	66048	-c--a-w-	c:\windows\system32\dllcache\s3legacy.dll
2011-12-12 04:50 . 2011-12-12 04:50	--------	d-----w-	c:\program files\ESET
2011-12-10 21:55 . 2008-04-14 10:41	22528	-c--a-w-	c:\windows\system32\dllcache\lpdsvc.dll
2011-12-10 21:54 . 2008-04-14 10:41	218112	-c--a-w-	c:\windows\system32\dllcache\c_g18030.dll
2011-12-10 21:54 . 2008-04-14 10:41	26624	-c--a-w-	c:\windows\system32\dllcache\fxsdrv.dll
2011-12-10 21:54 . 2008-04-14 10:42	29184	-c--a-w-	c:\windows\system32\dllcache\rw330ext.dll
2011-12-10 21:54 . 2008-04-14 10:41	35328	-c--a-w-	c:\windows\system32\dllcache\iprip.dll
2011-12-10 21:54 . 2008-04-14 10:42	142848	-c--a-w-	c:\windows\system32\dllcache\fxsclnt.exe
2011-12-10 21:54 . 2008-04-14 10:39	6144	-c--a-w-	c:\windows\system32\dllcache\kbdax2.dll
2011-12-10 21:54 . 2008-04-14 10:41	33792	-c--a-w-	c:\windows\system32\dllcache\lmmib2.dll
2011-12-10 21:54 . 2008-04-14 10:41	101888	-c--a-w-	c:\windows\system32\dllcache\evntagnt.dll
2011-12-10 21:54 . 2008-04-14 10:41	331264	-c--a-w-	c:\windows\system32\dllcache\aqueue.dll
2011-12-10 21:13 . 2011-12-10 21:13	--------	d-----w-	c:\documents and settings\Bob Zoppa\Application Data\TeamViewer
2011-12-10 20:23 . 2010-12-09 13:38	2192768	-c--a-w-	c:\windows\system32\dllcache\ntoskrnl.exe
2011-12-10 20:15 . 2011-02-17 12:32	5120	----a-w-	c:\windows\system32\xpsp4res.dll
2011-12-10 19:46 . 2011-12-10 19:46	--------	d-----w-	c:\documents and settings\Bob Zoppa\Application Data\Media Player Classic
2011-12-09 23:59 . 2002-02-13 06:16	176128	------w-	c:\windows\system32\Pdrvinst.dll
2011-12-09 23:59 . 2002-02-05 06:08	81920	------w-	c:\windows\system32\BrWebIns.dll
2011-12-09 23:59 . 2002-02-05 06:07	65536	------w-	c:\windows\system32\Brwebup.exe
2011-12-09 23:59 . 2000-01-28 17:19	513536	------w-	c:\program files\Common Files\InstallShield\WebUpdate\Iftw.exe
2011-12-09 23:59 . 2000-01-28 17:19	331776	------w-	c:\program files\Common Files\InstallShield\WebUpdate\WebUpdate.exe
2011-12-09 23:59 . 2000-01-28 17:19	24576	------w-	c:\program files\Common Files\InstallShield\WebUpdate\RasThunk.dll
2011-12-09 23:59 . 2000-01-28 17:19	132096	------w-	c:\program files\Common Files\InstallShield\WebUpdate\ISiteLite.dll
2011-12-09 23:59 . 2004-04-06 06:00	126976	------w-	c:\windows\system32\BrfxD04a.dll
2011-12-09 23:58 . 2002-12-05 19:12	692224	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
2011-12-09 23:58 . 2002-12-05 19:10	155648	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
2011-12-09 23:58 . 2002-12-02 20:22	5632	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
2011-12-09 23:58 . 2002-12-02 18:33	57344	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
2011-12-09 23:58 . 2002-12-02 18:33	237568	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
2011-12-09 23:58 . 2011-12-09 23:58	282756	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
2011-12-09 23:58 . 2011-12-09 23:58	163972	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
2011-12-09 23:57 . 2011-12-09 23:57	--------	d-----w-	c:\program files\Common Files\ScanSoft Shared
2011-12-09 23:57 . 2011-12-09 23:57	--------	d-----w-	c:\documents and settings\All Users\Application Data\ScanSoft
2011-12-07 12:27 . 2009-08-17 04:57	485920	----a-w-	c:\windows\system32\nvuninst.exe
2011-12-07 12:27 . 2009-08-17 04:57	485920	----a-w-	c:\windows\system32\nvudisp.exe
2011-12-06 21:08 . 2001-08-18 03:36	7168	-c--a-w-	c:\windows\system32\dllcache\EXCH_snprfdll.dll
2011-12-06 21:08 . 2001-08-18 03:36	12288	-c--a-w-	c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2011-12-06 21:06 . 2001-08-18 03:36	43520	-c--a-w-	c:\windows\system32\dllcache\EXCH_fcachdll.dll
2011-12-06 20:44 . 2004-08-10 11:00	24661	----a-w-	c:\windows\system32\spxcoins.dll
2011-12-06 20:44 . 2004-08-10 11:00	13312	-c--a-w-	c:\windows\system32\dllcache\irclass.dll
2011-12-06 20:44 . 2004-08-10 11:00	13312	----a-w-	c:\windows\system32\irclass.dll
2011-11-30 02:01 . 2011-11-30 02:04	--------	d-----w-	c:\windows\_ISTMP1.DIR
2011-11-30 01:58 . 2011-11-30 01:58	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Help
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-17 19:48 . 2004-08-10 11:00	62976	----a-w-	c:\windows\system32\drivers\cdrom.sys
2011-10-10 14:22 . 2009-10-03 22:20	692736	----a-w-	c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2004-08-10 11:00	599040	----a-w-	c:\windows\system32\crypt32.dll
2011-09-26 16:41 . 2008-07-30 00:59	611328	----a-w-	c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2004-08-10 11:00	220160	----a-w-	c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2004-08-10 11:00	20480	----a-w-	c:\windows\system32\oleaccrc.dll
2011-09-19 13:19 . 2011-06-17 19:15	404640	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl
2010-05-12 21:42 . 2010-05-12 21:42	124344	----a-w-	c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-05-12 22:22 . 2010-05-12 22:22	13240	----a-w-	c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-05-12 21:43 . 2010-05-12 21:43	70592	----a-w-	c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-05-12 21:42 . 2010-05-12 21:42	91576	----a-w-	c:\program files\mozilla firefox\plugins\confmgr.dll
2010-05-12 21:42 . 2010-05-12 21:42	22464	----a-w-	c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-05-12 21:41 . 2010-05-12 21:41	255416	----a-w-	c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-05-12 21:42 . 2010-05-12 21:42	31160	----a-w-	c:\program files\mozilla firefox\plugins\icafile.dll
2010-05-12 21:42 . 2010-05-12 21:42	40384	----a-w-	c:\program files\mozilla firefox\plugins\icalogon.dll
2010-04-14 18:55 . 2010-04-14 18:55	652640	----a-w-	c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-05-12 21:43 . 2010-05-12 21:43	24000	----a-w-	c:\program files\mozilla firefox\plugins\TcpPServ.dll
2011-12-10 18:57 . 2011-04-15 12:21	134104	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@[date elided]_23.37.05 )))))))))))))))))))))))))))))))))))))))))
.

**edited snapshot section due to character limitations**

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2010-01-21 24576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-05-12 300472]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-11 281768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-10 44544]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 16:55	937920	----a-w-	c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2004-07-20 14:34	851968	----a-w-	c:\program files\Brother\ControlCenter2\brctrcen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-11-07 09:20	122940	----a-w-	c:\windows\system32\DLA\DLACTRLW.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 17:56	64512	----a-w-	c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-07-06 11:15	151552	----a-w-	c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-04-14 20:04	40960	----a-w-	c:\program files\ScanSoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 20:50	221184	----a-w-	c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 20:50	81920	----a-w-	c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-08-17 08:03	13877248	----a-w-	c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-08-17 08:03	86016	----a-w-	c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-08-13 04:40	1657376	----a-w-	c:\program files\NVIDIA Corporation\nView\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2004-04-14 19:46	57393	----a-w-	c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-20 20:00	282624	----a-w-	c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 15:22	155648	----a-r-	c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 16:59	254696	----a-w-	c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 05:00	90112	----a-w-	c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
2006-02-16 13:20	1118208	----a-w-	c:\program files\Creative\VoiceCenter\AndreaVC.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/29/2010 9:00 PM 136360]
.
.
------- Supplementary Scan -------
.
uStart Page = https://mail.csgrp.com/owa/auth/logon.aspx?replaceCurrent=1&url=https://mail.csgrp.com/owa/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Bob Zoppa\Application Data\Mozilla\Firefox\Profiles\kn6t9xu8.default\
FF - prefs.js: browser.startup.homepage - hxxp://headlines.verizon.com/headlines/portals/headlines.portal
FF - prefs.js: network.proxy.type - 4
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-88994184.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-12-17 20:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1409082233-412668190-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\brss01a.exe
c:\program files\Citrix\ICA Client\wfcrun32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2011-12-17 20:31:31 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-18 01:31
ComboFix2.txt 2011-12-10 03:00
ComboFix3.txt 2011-12-09 23:41
ComboFix4.txt 2010-05-31 14:02
.
Pre-Run: 197,235,564,544 bytes free
Post-Run: 197,204,393,984 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /noexecute=optout
.
- - End Of File - - 00DD0578292D15D43FE839BE077070D8


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried,

Here's the Kaspersky log -- figured it couldn't hurt

Bob

14:45:16.0421 2212	TDSS rootkit removing tool 2.6.19.0 Nov 16 2011 12:18:50
14:45:18.0437 2212	============================================================
14:45:18.0437 2212	Current date / time: 2011/12/17 14:45:18.0437
14:45:18.0437 2212	SystemInfo:
14:45:18.0437 2212	
14:45:18.0437 2212	OS Version: 5.1.2600 ServicePack: 3.0
14:45:18.0437 2212	Product type: Workstation
14:45:18.0437 2212	ComputerName: ROBERTZOPPA
14:45:18.0437 2212	UserName: Bob Zoppa
14:45:18.0437 2212	Windows directory: C:\WINDOWS
14:45:18.0437 2212	System windows directory: C:\WINDOWS
14:45:18.0437 2212	Processor architecture: Intel x86
14:45:18.0437 2212	Number of processors: 2
14:45:18.0437 2212	Page size: 0x1000
14:45:18.0437 2212	Boot type: Normal boot
14:45:18.0437 2212	============================================================
14:45:19.0640 2212	Initialize success
14:45:21.0296 4344	============================================================
14:45:21.0296 4344	Scan started
14:45:21.0296 4344	Mode: Manual; 
14:45:21.0296 4344	============================================================
14:45:26.0187 4344	Abiosdsk - ok
14:45:26.0281 4344	abp480n5 - ok
14:45:26.0546 4344	ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
14:45:26.0546 4344	ACPI - ok
14:45:26.0640 4344	ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
14:45:26.0671 4344	ACPIEC - ok
14:45:26.0890 4344	adpu160m - ok
14:45:27.0109 4344	aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
14:45:27.0359 4344	aec - ok
14:45:27.0781 4344	AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
14:45:27.0781 4344	AFD - ok
14:45:28.0046 4344	Aha154x - ok
14:45:28.0234 4344	aic78u2 - ok
14:45:28.0484 4344	aic78xx - ok
14:45:28.0796 4344	AIRPLUS (b8e77ffad750ae818a0c0363f9d1544d) C:\WINDOWS\system32\DRIVERS\AIRPLUS.sys
14:45:28.0843 4344	AIRPLUS - ok
14:45:29.0093 4344	AliIde - ok
14:45:29.0250 4344	amsint - ok
14:45:29.0390 4344	asc - ok
14:45:29.0531 4344	asc3350p - ok
14:45:29.0640 4344	asc3550 - ok
14:45:29.0796 4344	AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
14:45:29.0968 4344	AsyncMac - ok
14:45:30.0187 4344	atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys
14:45:30.0234 4344	atapi - ok
14:45:30.0359 4344	Atdisk - ok
14:45:30.0625 4344	ATIAVPCI (c3d7f4b7a5ca967eafaec6675940c03a) C:\WINDOWS\system32\DRIVERS\atinavrr.sys
14:45:30.0750 4344	ATIAVPCI - ok
14:45:31.0250 4344	Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
14:45:31.0343 4344	Atmarpc - ok
14:45:31.0656 4344	audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
14:45:31.0671 4344	audstub - ok
14:45:31.0859 4344	avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
14:45:31.0890 4344	avgio - ok
14:45:32.0140 4344	avgntflt (1e4114685de1ffa9675e09c6a1fb3f4b) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
14:45:32.0140 4344	avgntflt - ok
14:45:32.0328 4344	avipbb (0f78d3dae6dedd99ae54c9491c62adf2) C:\WINDOWS\system32\DRIVERS\avipbb.sys
14:45:32.0406 4344	avipbb - ok
14:45:32.0609 4344	Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
14:45:32.0656 4344	Beep - ok
14:45:32.0875 4344	catchme - ok
14:45:33.0250 4344	cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
14:45:33.0281 4344	cbidf2k - ok
14:45:33.0468 4344	CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
14:45:33.0500 4344	CCDECODE - ok
14:45:33.0718 4344	cd20xrnt - ok
14:45:33.0890 4344	Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
14:45:33.0953 4344	Cdaudio - ok
14:45:34.0234 4344	Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
14:45:34.0234 4344	Cdfs - ok
14:45:34.0406 4344	Cdrom (f836560d4c204345ea1b574108bb57e6) C:\WINDOWS\system32\DRIVERS\cdrom.sys
14:45:34.0406 4344	Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cdrom.sys. Real md5: f836560d4c204345ea1b574108bb57e6, Fake md5: 1f4260cc5b42272d71f79e570a27a4fe
14:45:34.0421 4344	Cdrom ( Rootkit.Win32.ZAccess.aml ) - infected
14:45:34.0421 4344	Cdrom - detected Rootkit.Win32.ZAccess.aml (0)
14:45:34.0593 4344	cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
14:45:34.0625 4344	cercsr6 - ok
14:45:34.0765 4344	Changer - ok
14:45:34.0984 4344	CmdIde - ok
14:45:35.0156 4344	Cpqarray - ok
14:45:35.0343 4344	ctsfm2k (8db84de3aab34a8b4c2f644eff41cd76) C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys
14:45:35.0453 4344	ctsfm2k - ok
14:45:35.0578 4344	CTUSFSYN (4ee8822adb764edd28ce44e808097995) C:\WINDOWS\system32\drivers\ctusfsyn.sys
14:45:35.0625 4344	CTUSFSYN - ok
14:45:35.0843 4344	dac2w2k - ok
14:45:36.0078 4344	dac960nt - ok
14:45:36.0328 4344	Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
14:45:36.0328 4344	Disk - ok
14:45:36.0562 4344	DLABOIOM (d8d58a84f3ece3359df95fd2e459b330) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
14:45:36.0593 4344	DLABOIOM - ok
14:45:36.0734 4344	DLACDBHM (ec6ae8bc9f773382d2eed49e4dfdae2a) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
14:45:36.0734 4344	DLACDBHM - ok
14:45:36.0953 4344	DLADResN (27c78078bd9c4f2de2ad3eb04bfe101b) C:\WINDOWS\system32\DLA\DLADResN.SYS
14:45:37.0046 4344	DLADResN - ok
14:45:37.0281 4344	DLAIFS_M (7f2d93e560b763ef5d11422d78da8ed0) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
14:45:37.0390 4344	DLAIFS_M - ok
14:45:37.0640 4344	DLAOPIOM (f643637de6aac57e38d197aa63d9ea74) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
14:45:37.0656 4344	DLAOPIOM - ok
14:45:37.0796 4344	DLAPoolM (340705474807f57a46d59d18fc2959f1) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
14:45:37.0828 4344	DLAPoolM - ok
14:45:38.0140 4344	DLARTL_N (0605b66052f82b6f07204dbdb61c13ff) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
14:45:38.0140 4344	DLARTL_N - ok
14:45:38.0359 4344	DLAUDFAM (6984ea763907c045ce813468882bc587) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
14:45:38.0390 4344	DLAUDFAM - ok
14:45:38.0578 4344	DLAUDF_M (12b30c449cfd36adbed53eb6560933c6) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
14:45:38.0609 4344	DLAUDF_M - ok
14:45:38.0984 4344	dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
14:45:39.0468 4344	dmboot - ok
14:45:39.0703 4344	dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
14:45:39.0703 4344	dmio - ok
14:45:40.0000 4344	dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
14:45:40.0000 4344	dmload - ok
14:45:40.0218 4344	DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
14:45:40.0250 4344	DMusic - ok
14:45:40.0343 4344	dpti2o - ok
14:45:40.0515 4344	drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
14:45:40.0531 4344	drmkaud - ok
14:45:40.0671 4344	DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
14:45:40.0671 4344	DRVMCDB - ok
14:45:40.0859 4344	DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
14:45:40.0859 4344	DRVNDDM - ok
14:45:40.0984 4344	e1express (00192f0c612591d585594e9467e6ca8b) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
14:45:41.0125 4344	e1express - ok
14:45:41.0281 4344	Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
14:45:41.0296 4344	Fastfat - ok
14:45:41.0343 4344	Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
14:45:41.0359 4344	Fdc - ok
14:45:41.0406 4344	Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
14:45:41.0421 4344	Fips - ok
14:45:41.0625 4344	Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
14:45:41.0640 4344	Flpydisk - ok
14:45:41.0703 4344	FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
14:45:41.0718 4344	FltMgr - ok
14:45:41.0734 4344	Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
14:45:41.0750 4344	Fs_Rec - ok
14:45:41.0765 4344	Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
14:45:41.0765 4344	Ftdisk - ok
14:45:42.0093 4344	Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
14:45:42.0156 4344	Gpc - ok
14:45:42.0453 4344	HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
14:45:42.0484 4344	HDAudBus - ok
14:45:42.0703 4344	hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
14:45:42.0734 4344	hidusb - ok
14:45:43.0062 4344	hpn - ok
14:45:43.0531 4344	HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
14:45:43.0593 4344	HTTP - ok
14:45:43.0796 4344	i2omgmt - ok
14:45:44.0046 4344	i2omp - ok
14:45:44.0265 4344	i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
14:45:44.0281 4344	i8042prt - ok
14:45:44.0500 4344	iastor (294110966cedd127629c5be48367c8cf) C:\WINDOWS\system32\DRIVERS\iaStor.sys
14:45:44.0515 4344	iastor - ok
14:45:44.0750 4344	Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
14:45:44.0781 4344	Imapi - ok
14:45:45.0046 4344	ini910u - ok
14:45:45.0359 4344	IntelIde - ok
14:45:45.0562 4344	intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
14:45:45.0609 4344	intelppm - ok
14:45:45.0765 4344	Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
14:45:45.0781 4344	Ip6Fw - ok
14:45:46.0265 4344	IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
14:45:46.0359 4344	IpFilterDriver - ok
14:45:46.0640 4344	IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
14:45:46.0671 4344	IpInIp - ok
14:45:47.0062 4344	IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
14:45:47.0140 4344	IpNat - ok
14:45:47.0515 4344	IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
14:45:47.0515 4344	IPSec - ok
14:45:47.0718 4344	IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
14:45:47.0750 4344	IRENUM - ok
14:45:48.0046 4344	isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
14:45:48.0046 4344	isapnp - ok
14:45:48.0296 4344	Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
14:45:48.0328 4344	Kbdclass - ok
14:45:48.0609 4344	kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
14:45:48.0640 4344	kbdhid - ok
14:45:49.0125 4344	kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
14:45:49.0187 4344	kmixer - ok
14:45:49.0359 4344	KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
14:45:49.0359 4344	KSecDD - ok
14:45:49.0484 4344	lbrtfdc - ok
14:45:49.0734 4344	MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
14:45:49.0750 4344	MHNDRV - ok
14:45:50.0171 4344	mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
14:45:50.0203 4344	mnmdd - ok
14:45:50.0687 4344	Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
14:45:50.0750 4344	Modem - ok
14:45:51.0468 4344	monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\monfilt.sys
14:45:52.0359 4344	monfilt - ok
14:45:52.0703 4344	Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
14:45:52.0734 4344	Mouclass - ok
14:45:53.0109 4344	mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
14:45:53.0156 4344	mouhid - ok
14:45:53.0281 4344	MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
14:45:53.0281 4344	MountMgr - ok
14:45:53.0328 4344	MPE (c0f8e0c2c3c0437cf37c6781896dc3ec) C:\WINDOWS\system32\DRIVERS\MPE.sys
14:45:53.0328 4344	MPE - ok
14:45:53.0375 4344	mraid35x - ok
14:45:53.0390 4344	MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
14:45:53.0390 4344	MRxDAV - ok
14:45:53.0468 4344	MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
14:45:53.0500 4344	MRxSmb - ok
14:45:53.0781 4344	Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
14:45:53.0796 4344	Msfs - ok
14:45:54.0156 4344	MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
14:45:54.0218 4344	MSKSSRV - ok
14:45:54.0609 4344	MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
14:45:54.0640 4344	MSPCLOCK - ok
14:45:54.0937 4344	MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
14:45:55.0046 4344	MSPQM - ok
14:45:55.0468 4344	mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
14:45:55.0515 4344	mssmbios - ok
14:45:55.0750 4344	MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
14:45:55.0765 4344	MSTEE - ok
14:45:56.0375 4344	Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
14:45:56.0375 4344	Mup - ok
14:45:56.0734 4344	NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
14:45:56.0968 4344	NABTSFEC - ok
14:45:57.0500 4344	NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
14:45:57.0500 4344	NDIS - ok
14:45:57.0656 4344	NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
14:45:57.0687 4344	NdisIP - ok
14:45:57.0781 4344	NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
14:45:57.0781 4344	NdisTapi - ok
14:45:58.0031 4344	Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
14:45:58.0078 4344	Ndisuio - ok
14:45:58.0640 4344	NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
14:45:58.0718 4344	NdisWan - ok
14:45:59.0000 4344	NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
14:45:59.0000 4344	NDProxy - ok
14:45:59.0343 4344	NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
14:45:59.0343 4344	NetBIOS - ok
14:45:59.0468 4344	NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
14:45:59.0562 4344	NetBT - ok
14:45:59.0640 4344	Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
14:45:59.0640 4344	Npfs - ok
14:46:00.0421 4344	Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
14:46:00.0484 4344	Ntfs - ok
14:46:00.0796 4344	Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
14:46:00.0843 4344	Null - ok
14:46:03.0093 4344	nv (4f15e1e56703f59c0ac00022162e5308) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
14:46:07.0468 4344	nv - ok
14:46:07.0843 4344	NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
14:46:08.0062 4344	NwlnkFlt - ok
14:46:08.0390 4344	NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
14:46:08.0781 4344	NwlnkFwd - ok
14:46:09.0000 4344	ossrv (103a9b117a7d9903111955cdafe65ac6) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
14:46:09.0093 4344	ossrv - ok
14:46:09.0296 4344	Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
14:46:19.0218 4344	============================================================
14:46:19.0218 4344	Scan finished
14:46:19.0234 4344	============================================================
14:46:19.0234 5496	Detected object count: 1
14:46:19.0234 5496	Actual detected object count: 1
14:47:32.0812 5496	Backup copy found, using it..
14:47:33.0031 5496	C:\WINDOWS\system32\DRIVERS\cdrom.sys - will be cured on reboot
14:47:36.0171 5496	Cdrom ( Rootkit.Win32.ZAccess.aml ) - User select action: Cure 
14:47:44.0750 3096	Deinitialize success


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

I'm not surprised the DHCP and TCP/IP are still an issue - that happened the first time ZAccess infected the machine and is going to continue to haunt you.

I have spent endless hours researching, and testing, and comparing your exports to mine to try to figure out where they are 'broken' and it just cannot be found. Several colleagues have also been following this thread and they are also at a loss as to what is causing the issue, or what other tools or where to look to try to find the source. Actually, you're one of the lucky ones - most people can't get networking services to start at all. You can at least start yours manually.

Whatever ZAccess has done, or left behind that may be trying to call some orphaned entry - we'll never know. Scanners can't identify it yet, and it doesn't appear to have 'broken' networking via conventional means. I doubt this was their intent - the last thing the authors of this malware want is for internet to be broken, and people to reformat. That would defeat the purpose of the infection in the first place.

As much of a pain as it is for you - the fact you got hit twice by the same infection, I feel it's best you reformat and start over. If it were my machine, that's certainly what I would do. Bear in mind that we can only remove what we see, and what any of the tools we use can see. That doesn't mean there isn't something being left behind that the malware can use to call itself back to the machine.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried,

Sadly, I have to agree, if for no other reason than security -- a reformat and clean reinstall will alleviate that worry.

I am, however, the stubborn type and may delay that for a few weeks -- hoping that with all the recent new ZeroAccess and Security 2012 infections some new information may come to light.
I'll be watching here and other places; if anything seems promising I'll spread the word.

I can't thank you enough for the time you've spent -- except for the infection part, I enjoyed the process.

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

That's fine if you want to delay a few weeks. I'll keep this open in case I find any new developments or think of something else to try. :smile: Please remain subscribed.

I would however, recommend that you not use this computer to access any financial sites, or make any purchases from this machine. Use your other computer for that, and also - from the other computer, change all your passwords to any financial sites you may have visited.

In the meantime to make things easier for you, there was one other user who has the same issue as you where these services will not start automatically, but he can manually start them. A workaround was devised by the malware analyst there and you can safely deploy that method here as well. Follow the instructions in this post

It's been a pleasure, and thank you for your tireless efforts and patience as well. Thus far, this is the most diagnostic work anyone has let us perform to try to find the source of the internet issues caused by ZAccess.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Yuck -- I hate changing passwords, so many of them these days -- but I will tonight.



> I'll keep this open in case I find any new developments or think of something else to try. Please remain subscribed.


Will do & would be interested in the cause even after the thread is closed - do you have access to the email I used for login?

Took a look at the workaround -- I'll pass there, I put a shortcut to Services on the desktop so I'm there in 1 click -- that'll do until I reformat.

Before I forget to ask, what's the process for removing ComboFix?



> thank you for your tireless efforts and patience as well. Thus far, this is the most diagnostic work anyone has let us perform to try to find the source of the internet issues caused by ZAccess


You're welcome, and thank you again. You guys did all the work, I was just sitting here with my feet on the desk half the time.

Any way I can help support the forum?


Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



> I put a shortcut to services on the desktop


Slick move! :grin:

No, I do not have access to your personal email address. If you wish, you can give it to me via PM (Personal Message).

Understand that ComboFix will flush out all the old restore points and create a fresh, new one, when it uninstalls. It will also remove all the backups created, including the Erunt backup of the registry.

If you still wish to uninstall it at this point, click Start>Run and copy/paste the following into the Run command box and click OK:

Combofix /uninstall

The forum is not accepting donations at this time, but if you wish to, you can contribute to the ongoing development of ComboFix. Donations are being accepted via PayPal.

FYI - at this time, ComboFix is the only tool that will properly eradicate ZAccess. Notice how much ZA was still on the machine after TDSSKiller 'cured' it? That folder and the contents you see in the Other Deletions section, is just a part of what keeps ZA active on a machine.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried, 

PM coming-
Donation to ComboFix ongoing development also coming, it's saved me twice now.

After reading your post I'll keep ComboFix around for a while. Thanks.

And last [for now]: when I do reformat -- I'd like to install another newly formatted drive with a freshly installed operating system and, using something like Norton Ghost, move everything over --
When done formatting, install the OS and all updates -- I'll then copy it back.
My thoughts were I'd finally have the complete backup I should have and, less important, it should save me a lot of time.

My concern is safety -- can these infections be transferred with the data files? Or are they in the operating system only?

Bob.


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Bob,

ZAccess and rogue AV infections do not infect data files, .doc, music, or pics. Those will all be safe to transfer over. Any software programs you may have should also be safe to transfer over.


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Bob,

I didn't have you try this earlier, because frankly, it didn't work in the other thread so I didn't see any point in having you try it. However, you never know - it might work for you.

I know you already tried to fix Winsock, but did you use the FixIt tool, or did you try to do it manually? If you didn't try the manual fix, please go to this link: How to determine and to recover from Winsock2 corruption in Windows Server 2003, in Windows XP, and in Windows Vista and scroll way down to *Manual steps to recover from Winsock2 corruption*

It includes removing the winsock and winsock2 keys, rebooting and installing Internet Protocol (TCP/IP).


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Ried,

I used the "Fix it" tool.
Think I ended up at these directions but didn't proceed because of this comment:


> To repair Winsock if you have Windows XP Service Pack 2 (SP2) installed


I had upgraded to SP3 by then -- went looking for similar directions for SP3 & didn't find any

Wasn't sure the fix still applied -- software fixes can be very version specific. If the instructions are correct for SP3 as well I'll do it. 

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Yes, you can use the same instructions for SP3


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

OK, good, I'll do it.

Want this machine available today for work so am going to wait till the end of the day - just in case of the possible internet issues mentioned -

Look for another post around 6ish.

Bob.


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ok, will do. :wave:


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Ried said:


> Ok, will do. :wave:


Ok here I go 

Question: I was going over the registry keys, comparing the NetBT key I replaced with the one from my work laptop.

The work machine has one entry in Parameters referring to DHCP that mine doesn't have.
I attached screenshots of both in a Word doc for you.

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

On my XP, I don't have that DHCPNodeType in the key either.

What OS is your laptop?


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Ried
Win XP Professional ver 2002 SP3

That winsock reset didn't work either -- the next step suggested is to delete registry keys and reboot.
Yes? No?
May be on to something here though.
Doing this:



> Method 2: Use the Msinfo32 program
> 
> Click Start, click Run, type Msinfo32, and then click OK.
> Expand Components, expand Network, and then click Protocol.
> You will have ten sections under Protocol. The section headings will include the following names if the Winsock2 key is undamaged:
> MSAFD Tcpip [TCP/IP]
> MSAFD Tcpip [UDP/IP]
> RSVP UDP Service Provider
> RSVP TCP Service Provider
> MSAFD NetBIOS [\Device\NetBT_Tcpip...
> MSAFD NetBIOS [\Device\NetBT_Tcpip...
> MSAFD NetBIOS [\Device\NetBT_Tcpip...
> MSAFD NetBIOS [\Device\NetBT_Tcpip...
> MSAFD NetBIOS [\Device\NetBT_Tcpip...
> MSAFD NetBIOS [\Device\NetBT_Tcpip...
> If the names are anything different from those in this list, the Winsock2 key is corrupted, or you have a third-party add-on, such as proxy software, installed.
> 
> If you have a third-party add-on installed, the name of the add-on will replace the letters "MSAFD" in the list.
> 
> If there are more than ten sections in the list, you have third-party additions installed.


I have 4 more entries that appear the same as the last 6 above:
MSAFD NetBIOS [\Device\NetBT_Tcpip etc. etc.

Total of 14

Bob


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

I don't have any cool scanning tools like you guys, but I can cut and paste.

See attached


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Thanks. :grin:

I'll need time to research this.


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Just read the MS site and it appears those entries and the msinfo32 procedure apply to Vista users:

*Manual steps to determine whether the Winsock2 key is corrupted for Windows Vista users*

I would still proceed with steps listed above that section. 

Step 1. Manual deletion of Winsock keys and reinstalling fix of Winsock
Step 2. Install TCP/IP


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Ried 

It's the same for XP -- look just above the Fix it tool.

Going to read up on removing the reg keys.

That one's got me sweating.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried
What does this mean: %SystemRoot%?

from the backup registry command I'm to type in the run box:
%SystemRoot%\system32\restore\rstrui.exe

I tried c\ and c:\ -- is it c:\windows\?

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Yes, it's c:\Windows, but you can type that in just the way you see it, using the %SystemRoot%.

%SystemRoot%\system32\restore\rstrui.exe


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Ried said:


> Yes, it's c:\Windows, but you can type that in just the way you see it, using the %SystemRoot%.
> 
> %SystemRoot%\system32\restore\rstrui.exe


Oh -- I thought they wanted the actual path.
Got there anyway:

start-all programs-accessories-system tools -system restore -create restore point

Removing and restoring the keys didn't work either.
I may just keep this drive and mess with it -- forever :twisted:
There has to be a fix!


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Sadly, there isn't always a fix. Out of curiosity, you feel like trying one more thing for me?

Please download maxlook, saving the file to your desktop.

Double click maxlook.exe to run it. *Note - you must run it only once!*

As instructed when the tool runs, restart the computer and logon to the Recovery Console.
*1.* Reboot your computer and as Windows starts it will present you with your startup options for exactly two seconds - you'll have to be quick - which in your case will be *Microsoft Windows XP Professional* and *Microsoft Windows Recovery Console*

*2.* With the arrows keys on your keyboard select the option listed as *Microsoft Windows Recovery Console* and press the *enter* key on your keyboard.

If it passes by too quickly, restart the machine again, and press F8. Once you're at the Advanced Boot Menu Options screen, select "Return to OS Choices", then choose Recovery Console from the next screen.

*3.* The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press *enter*. If you have just one Windows installation, type *1* and press *enter*.

*4.* It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter.

*5.* You should now be presented with a *C:\Windows>* prompt.

At that prompt, type in the following bolded text and press Enter

*batch look.bat*

(Note - there is a space between the words batch and look.bat)

You will see *1 file copied* many times then return to the _x:\windows>_ prompt.
Type *Exit* to restart your computer then logon in normal mode.

Once back in Windows, click Start > Run, and copy/paste the following then press Enter.

*maxlook -sig*

Follow the prompts, and attach the C:\looklog.txt in your next reply.


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Also, navigate to the C:\Windows\Erunt folder and locate the *System* file. Right click, zip it up and upload that for me please.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Ried said:


> Also, navigate to the C:\Windows\Erunt folder and locate the *System* file. Right click, zip it up and upload that for me please.


OK, I'm back -- holiday stuff keeping me busy.

Will do the two things you asked -- back in a few.

Bob.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried,

OK, maxlook zip attached.

For the "C:\Windows\Erunt folder" I don't have one.
Closest I have is C:\windows\ERDNT -- in there were 2 folders; only one of those, hiv-backup, had a System file; that's the one I zipped and attached.

Last, a few days ago when we removed the winsock keys and reinstalled them -- I noticed two things yesterday after rebooting that made me use the restore point from earlier that day.

1st: Before launching DHCP etc. manually, the network indicator in the sys tray no longer said acquiring address, it said limited internet connectivity. Tried opening a web page -- timed out. After manually launching services -- all seemed OK.

2nd: Did this "Click Start, click Run, type Msinfo32, and then click OK." again.
Instead of the 10 I should have, or even the 14 I used to have,
I had two -- only these two:

RSVP UDP Service Provider
RSVP TCP Service Provider

Everything worked as usual after I manually started the services but I thought I'd put things back the way they were and let you know --meant to tell you yesterday but never got the chance.

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Thanks, Bob. I'll let you know if I figure out anything.


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Bob,

Open Notepad and copy/paste the following into Notepad 



> REGEDIT4
> 
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList]
> "NetBIOSGroup"=hex:03,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00


Save this as *netbiosgroup.reg*. Be sure to save it as type All Files.

Double click and allow it to merge with the registry.

Reboot.

How about now? Are those services auto starting for you?


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Ried,
Done --
The services still won't start on their own but once started manually are OK --
Hmm -- wonder if they [services] are teenagers. Does grounding still work?

Anyway, will be busy over the next few days -- holidays -- will check in from time to time and be ready to try any new ideas next week.

Happy Holidays 
and as always thanks for your help.

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Bob, hope you had a relaxing Holiday. :smile:

I'd like to see a full export of the netbt key. It would save me time to have that info in a current post to save me time looking through 7 pages for referencing it.

Open Notepad and copy/paste the following:



> regedit /a peek.txt "HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT"
> nircmd wait 2000
> notepad peek.txt


Save it as ntbtexport.bat and as type All Files. Double click to run it and please post the contents.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Ried said:


> Hi Bob, hope you had a relaxing Holiday. :smile:
> 
> I'd like to see a full export of the netbt key. It would save me time to have that info in a current post to save me time looking through 7 pages for referencing it.
> 
> Open Notepad and copy/paste the following:
> 
> 
> 
> Save it as ntbtexport.bat and as type All Files. Double click to run it and please post the contents.


Hi Ried --
Holidays were good, thanks. How were yours?

Here's the NetBT reg key.

Bob.

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000006
"ImagePath"=hex(2):53,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,6e,65,74,\
62,74,2e,73,79,73,00
"DisplayName"="NetBios over Tcpip"
"Group"="PNP_TDI"
"DependOnService"=hex(7):54,63,70,69,70,00,00
"DependOnGroup"=hex(7):00
"Description"="NetBios over Tcpip"

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Enum]
"0"="Root\\LEGACY_NETBT\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
"INITSTARTFAILED"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Linkage]
"OtherDependencies"=hex(7):54,63,70,69,70,00,00
"Bind"=hex(7):5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,43,42,30,34,44,38,\
33,31,2d,41,37,32,31,2d,34,30,38,32,2d,38,34,42,39,2d,38,43,30,30,36,32,43,\
32,34,46,41,32,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,42,38,36,\
46,33,43,39,38,2d,31,45,43,45,2d,34,39,30,31,2d,38,36,43,37,2d,35,30,36,35,\
30,33,33,43,32,37,43,42,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,\
44,41,38,33,36,42,31,37,2d,46,30,35,41,2d,34,35,35,41,2d,38,30,34,42,2d,36,\
41,44,39,43,32,33,38,31,30,35,37,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,\
70,5f,7b,31,34,33,35,32,41,38,34,2d,42,38,42,33,2d,34,30,46,36,2d,41,31,31,\
35,2d,39,42,33,43,36,35,31,36,37,42,38,33,7d,00,5c,44,65,76,69,63,65,5c,54,\
63,70,69,70,5f,7b,37,33,33,34,46,45,34,30,2d,32,46,33,39,2d,34,43,31,36,2d,\
42,36,41,44,2d,42,44,43,46,41,30,42,46,35,46,39,38,7d,00,00
"Route"=hex(7):22,54,63,70,69,70,22,20,22,7b,43,42,30,34,44,38,33,31,2d,41,37,\
32,31,2d,34,30,38,32,2d,38,34,42,39,2d,38,43,30,30,36,32,43,32,34,46,41,32,\
7d,22,00,22,54,63,70,69,70,22,20,22,7b,42,38,36,46,33,43,39,38,2d,31,45,43,\
45,2d,34,39,30,31,2d,38,36,43,37,2d,35,30,36,35,30,33,33,43,32,37,43,42,7d,\
22,00,22,54,63,70,69,70,22,20,22,7b,44,41,38,33,36,42,31,37,2d,46,30,35,41,\
2d,34,35,35,41,2d,38,30,34,42,2d,36,41,44,39,43,32,33,38,31,30,35,37,7d,22,\
00,22,54,63,70,69,70,22,20,22,4e,64,69,73,57,61,6e,49,70,22,00,00
"Export"=hex(7):5c,44,65,76,69,63,65,5c,4e,65,74,42,54,5f,54,63,70,69,70,5f,7b,\
43,42,30,34,44,38,33,31,2d,41,37,32,31,2d,34,30,38,32,2d,38,34,42,39,2d,38,\
43,30,30,36,32,43,32,34,46,41,32,7d,00,5c,44,65,76,69,63,65,5c,4e,65,74,42,\
54,5f,54,63,70,69,70,5f,7b,42,38,36,46,33,43,39,38,2d,31,45,43,45,2d,34,39,\
30,31,2d,38,36,43,37,2d,35,30,36,35,30,33,33,43,32,37,43,42,7d,00,5c,44,65,\
76,69,63,65,5c,4e,65,74,42,54,5f,54,63,70,69,70,5f,7b,44,41,38,33,36,42,31,\
37,2d,46,30,35,41,2d,34,35,35,41,2d,38,30,34,42,2d,36,41,44,39,43,32,33,38,\
31,30,35,37,7d,00,5c,44,65,76,69,63,65,5c,4e,65,74,42,54,5f,54,63,70,69,70,\
5f,7b,31,34,33,35,32,41,38,34,2d,42,38,42,33,2d,34,30,46,36,2d,41,31,31,35,\
2d,39,42,33,43,36,35,31,36,37,42,38,33,7d,00,5c,44,65,76,69,63,65,5c,4e,65,\
74,42,54,5f,54,63,70,69,70,5f,7b,37,33,33,34,46,45,34,30,2d,32,46,33,39,2d,\
34,43,31,36,2d,42,36,41,44,2d,42,44,43,46,41,30,42,46,35,46,39,38,7d,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters]
"NbProvider"="_tcp"
"NameServerPort"=dword:00000089
"CacheTimeout"=dword:000927c0
"BcastNameQueryCount"=dword:00000003
"BcastQueryTimeout"=dword:000002ee
"NameSrvQueryCount"=dword:00000003
"NameSrvQueryTimeout"=dword:000005dc
"Size/Small/Medium/Large"=dword:00000001
"SessionKeepAlive"=dword:0036ee80
"TransportBindName"="\\Device\\"
"EnableLMHOSTS"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters\Interfaces\Tcpip_{B86F3C98-1ECE-4901-86C7-5065033C27CB}]
"NameServerList"=hex(7):00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters\Interfaces\Tcpip_{CB04D831-A721-4082-84B9-8C0062C24FA2}]
"NameServerList"=hex(7):00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters\Interfaces\Tcpip_{DA836B17-F05A-455A-804B-6AD9C2381057}]
"NameServerList"=hex(7):00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Security]
"Security"=hex:01,00,14,80,e8,00,00,00,f4,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,b8,00,08,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,25,02,\
00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,14,\
00,40,00,00,00,01,01,00,00,00,00,00,05,13,00,00,00,00,00,14,00,40,00,00,00,\
01,01,00,00,00,00,00,05,14,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,\
00,00,05,20,00,00,00,2c,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00
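The hex(7) values in an export like the one above are REG_MULTI_SZ lists written byte by byte, which makes the NetBT Linkage bindings hard to compare between two machines by eye. The following is an added Python example, not from this thread or any of the tools used in it: it parses a REGEDIT4 export, decodes the dword, string, hex(2) and hex(7) values, decodes the GroupOrderList value from the netbiosgroup.reg fix earlier in the thread, and flags any Bind entry that is not of the \Device\Tcpip_{adapter GUID} form. The embedded sample is constructed from this thread's values with the Bind list shortened to two entries; the expectation that NetBT binds only to \Device\Tcpip_{GUID} entries is the example's own assumption.

```python
"""Decode a REGEDIT4 (.reg) export so NetBT's binary values can be compared."""
import re

# Constructed sample built from this thread's values: the NetBT key layout
# with the Bind value cut down to two entries, plus the GroupOrderList value
# from the netbiosgroup.reg fix.  A raw string keeps the ",\" continuations.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT]
"Type"=dword:00000001
"Start"=dword:00000001
"Tag"=dword:00000006
"ImagePath"=hex(2):53,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,6e,65,74,\
  62,74,2e,73,79,73,00
"DisplayName"="NetBios over Tcpip"
"Group"="PNP_TDI"
"DependOnService"=hex(7):54,63,70,69,70,00,00
"DependOnGroup"=hex(7):00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Enum]
"0"="Root\\LEGACY_NETBT\\0000"
"INITSTARTFAILED"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Linkage]
"Bind"=hex(7):5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,43,42,30,34,44,38,\
  33,31,2d,41,37,32,31,2d,34,30,38,32,2d,38,34,42,39,2d,38,43,30,30,36,32,43,\
  32,34,46,41,32,7d,00,5c,44,65,76,69,63,65,5c,7b,44,38,30,44,30,41,39,33,2d,\
  42,42,37,33,2d,34,43,34,39,2d,42,35,38,42,2d,34,39,32,35,30,39,37,44,30,34,\
  35,35,7d,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList]
"NetBIOSGroup"=hex:03,00,00,00,01,00,00,00,02,00,00,00,03,00,00,00
"""

NETBT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT"
GROUP_ORDER = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList"
# NetBT binds over the TCP/IP transport, one \Device\Tcpip_{adapter GUID} per
# interface (assumption used by the check below); anything else stands out.
TCPIP_BINDING = re.compile(r"^\\Device\\Tcpip_\{[0-9A-Fa-f-]{36}\}$")

def _hex_bytes(payload):
    return bytes(int(b, 16) for b in payload.split(",") if b)

def decode_value(raw):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if not m:
        return raw                      # unknown syntax: keep the text as-is
    kind = int(m.group(1) or 3)         # bare "hex:" is REG_BINARY (type 3)
    data = _hex_bytes(m.group(2))
    if kind in (1, 2):                  # REG_SZ / REG_EXPAND_SZ, ANSI in REGEDIT4
        return data.decode("latin-1").rstrip("\x00")
    if kind == 7:                       # REG_MULTI_SZ: NUL-separated, double-NUL end
        return [s for s in data.decode("latin-1").split("\x00") if s]
    return data

def parse_reg_export(text):
    """Return {key path (lower-cased): {value name: decoded value}}."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)   # join ",\" continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()   # registry paths are case-insensitive
            keys[current] = {}
            continue
        m = re.match(r'"(.*?)"=(.*)', line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys

def subkey(keys, path):
    return keys.get(path.lower(), {})

def netbt_bindings(keys):
    """Transports NetBT is linked to: the Linkage\\Bind REG_MULTI_SZ."""
    return subkey(keys, NETBT + r"\Linkage").get("Bind", [])

def suspicious_bindings(keys):
    """Bind entries that are not of the expected Device\\Tcpip_{GUID} form."""
    return [b for b in netbt_bindings(keys) if not TCPIP_BINDING.match(b)]

def init_start_failed(keys):
    """INITSTARTFAILED=1 under Enum records that the driver failed to initialise."""
    return subkey(keys, NETBT + r"\Enum").get("INITSTARTFAILED", 0) == 1

def group_order(keys, group="NetBIOSGroup"):
    """GroupOrderList values: a count dword, then that many load-order tags."""
    data = subkey(keys, GROUP_ORDER)[group]
    count = int.from_bytes(data[:4], "little")
    return [int.from_bytes(data[4 + 4 * i:8 + 4 * i], "little") for i in range(count)]
```

Run it over the two exports in this thread (saved from the ntbtexport.bat output) and diff the decoded Bind, Route and Export lists instead of the raw hex.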


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Ried,

I added the "regedit4" and it merged successfully.
DHCP Client and TCP/IP NetBIOS Helper are still not loading on their own after reboot --

Stubborn little suckers, aren't they?

As well as the path for them to load being corrupted -- could there also be something blocking them?
My thinking is the original virus/rootkit etc. needs to have internet access, right? So it should have a way to control that.

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

No, it's just something messed up in the keys involved.

I'd like to see a fresh export of netbt, and tcpip keys. You should still have those .bat files on your desktop. 

Also, download and run *this* tool. Post the log it produces, please.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Ried said:


> No, it's just something messed up in the keys involved.
> 
> I'd like to see a fresh export of netbt, and tcpip keys. You should still have those .bat files on your desktop.
> 
> Also, download and run *this* tool. Post the log it produces, please.


Hi Ried -- here they are.
One thing though -- after the NetBT reg key change I lost the ability to print and scan -- remember the network printer/scanner.
I need them back -- they're used every day for work -- should I go back to a restore point from a few days ago or do you know offhand what to tweak?
I can also try removing and reinstalling them if you'd prefer.

Bob

OK, first is NetBT:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000006
"ImagePath"=hex(2):53,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,6e,65,74,\
62,74,2e,73,79,73,00
"DisplayName"="NetBios over Tcpip"
"Group"="PNP_TDI"
"DependOnService"=hex(7):54,63,70,69,70,00,00
"DependOnGroup"=hex(7):00
"Description"="NetBios over Tcpip"

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Enum]
"0"="Root\\LEGACY_NETBT\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
"INITSTARTFAILED"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Linkage]
"OtherDependencies"=hex(7):54,63,70,69,70,00,00
"Bind"=hex(7):5c,44,65,76,69,63,65,5c,7b,44,38,30,44,30,41,39,33,2d,42,42,37,\
33,2d,34,43,34,39,2d,42,35,38,42,2d,34,39,32,35,30,39,37,44,30,34,35,35,7d,\
00,5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,42,38,36,46,33,43,39,38,2d,\
31,45,43,45,2d,34,39,30,31,2d,38,36,43,37,2d,35,30,36,35,30,33,33,43,32,37,\
43,42,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,44,41,38,33,36,42,\
31,37,2d,46,30,35,41,2d,34,35,35,41,2d,38,30,34,42,2d,36,41,44,39,43,32,33,\
38,31,30,35,37,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,31,34,33,\
35,32,41,38,34,2d,42,38,42,33,2d,34,30,46,36,2d,41,31,31,35,2d,39,42,33,43,\
36,35,31,36,37,42,38,33,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,\
37,33,33,34,46,45,34,30,2d,32,46,33,39,2d,34,43,31,36,2d,42,36,41,44,2d,42,\
44,43,46,41,30,42,46,35,46,39,38,7d,00,00
"Route"=hex(7):22,54,63,70,69,70,22,20,22,7b,44,38,30,44,30,41,39,33,2d,42,42,\
37,33,2d,34,43,34,39,2d,42,35,38,42,2d,34,39,32,35,30,39,37,44,30,34,35,35,\
7d,22,00,22,54,63,70,69,70,22,20,22,7b,42,38,36,46,33,43,39,38,2d,31,45,43,\
45,2d,34,39,30,31,2d,38,36,43,37,2d,35,30,36,35,30,33,33,43,32,37,43,42,7d,\
22,00,22,54,63,70,69,70,22,20,22,7b,44,41,38,33,36,42,31,37,2d,46,30,35,41,\
2d,34,35,35,41,2d,38,30,34,42,2d,36,41,44,39,43,32,33,38,31,30,35,37,7d,22,\
00,22,54,63,70,69,70,22,20,22,4e,64,69,73,57,61,6e,49,70,22,00,00
"Export"=hex(7):5c,44,65,76,69,63,65,5c,4e,65,74,42,54,5f,54,63,70,69,70,5f,7b,\
44,38,30,44,30,41,39,33,2d,42,42,37,33,2d,34,43,34,39,2d,42,35,38,42,2d,34,\
39,32,35,30,39,37,44,30,34,35,35,7d,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters]
"NbProvider"="_tcp"
"NameServerPort"=dword:00000089
"CacheTimeout"=dword:000927c0
"BcastNameQueryCount"=dword:00000003
"BcastQueryTimeout"=dword:000002ee
"NameSrvQueryCount"=dword:00000003
"NameSrvQueryTimeout"=dword:000005dc
"Size/Small/Medium/Large"=dword:00000001
"SessionKeepAlive"=dword:0036ee80
"TransportBindName"="\\Device\\"
"EnableLMHOSTS"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters\Interfaces\Tcpip_{B86F3C98-1ECE-4901-86C7-5065033C27CB}]
"NameServerList"=hex(7):00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters\Interfaces\Tcpip_{CB04D831-A721-4082-84B9-8C0062C24FA2}]
"NameServerList"=hex(7):00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters\Interfaces\Tcpip_{DA836B17-F05A-455A-804B-6AD9C2381057}]
"NameServerList"=hex(7):00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Security]
"Security"=hex:01,00,14,80,e8,00,00,00,f4,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,b8,00,08,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,25,02,\
00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,14,\
00,40,00,00,00,01,01,00,00,00,00,00,05,13,00,00,00,00,00,14,00,40,00,00,00,\
01,01,00,00,00,00,00,05,14,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,\
00,00,05,20,00,00,00,2c,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00

Next, TCPIP:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000004
"ImagePath"=hex(2):73,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,74,63,70,\
69,70,2e,73,79,73,00
"DisplayName"="TCP/IP Protocol Driver"
"Group"="PNP_TDI"
"DependOnService"=hex(7):49,50,53,65,63,00,00
"DependOnGroup"=hex(7):00
"Description"="TCP/IP Protocol Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Linkage]
"Bind"=hex(7):5c,44,65,76,69,63,65,5c,7b,43,42,30,34,44,38,33,31,2d,41,37,32,\
31,2d,34,30,38,32,2d,38,34,42,39,2d,38,43,30,30,36,32,43,32,34,46,41,32,7d,\
00,5c,44,65,76,69,63,65,5c,7b,42,38,36,46,33,43,39,38,2d,31,45,43,45,2d,34,\
39,30,31,2d,38,36,43,37,2d,35,30,36,35,30,33,33,43,32,37,43,42,7d,00,5c,44,\
65,76,69,63,65,5c,7b,44,41,38,33,36,42,31,37,2d,46,30,35,41,2d,34,35,35,41,\
2d,38,30,34,42,2d,36,41,44,39,43,32,33,38,31,30,35,37,7d,00,5c,44,65,76,69,\
63,65,5c,4e,64,69,73,57,61,6e,49,70,00,00
"Route"=hex(7):22,7b,43,42,30,34,44,38,33,31,2d,41,37,32,31,2d,34,30,38,32,2d,\
38,34,42,39,2d,38,43,30,30,36,32,43,32,34,46,41,32,7d,22,00,22,7b,42,38,36,\
46,33,43,39,38,2d,31,45,43,45,2d,34,39,30,31,2d,38,36,43,37,2d,35,30,36,35,\
30,33,33,43,32,37,43,42,7d,22,00,22,7b,44,41,38,33,36,42,31,37,2d,46,30,35,\
41,2d,34,35,35,41,2d,38,30,34,42,2d,36,41,44,39,43,32,33,38,31,30,35,37,7d,\
22,00,22,4e,64,69,73,57,61,6e,49,70,22,00,00
"Export"=hex(7):5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,43,42,30,34,44,38,\
33,31,2d,41,37,32,31,2d,34,30,38,32,2d,38,34,42,39,2d,38,43,30,30,36,32,43,\
32,34,46,41,32,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,42,38,36,\
46,33,43,39,38,2d,31,45,43,45,2d,34,39,30,31,2d,38,36,43,37,2d,35,30,36,35,\
30,33,33,43,32,37,43,42,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,\
44,41,38,33,36,42,31,37,2d,46,30,35,41,2d,34,35,35,41,2d,38,30,34,42,2d,36,\
41,44,39,43,32,33,38,31,30,35,37,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,\
70,5f,7b,31,34,33,35,32,41,38,34,2d,42,38,42,33,2d,34,30,46,36,2d,41,31,31,\
35,2d,39,42,33,43,36,35,31,36,37,42,38,33,7d,00,5c,44,65,76,69,63,65,5c,54,\
63,70,69,70,5f,7b,37,33,33,34,46,45,34,30,2d,32,46,33,39,2d,34,43,31,36,2d,\
42,36,41,44,2d,42,44,43,46,41,30,42,46,35,46,39,38,7d,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters]
"NV Hostname"="robertzoppa"
"DataBasePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,64,72,69,76,65,72,73,5c,65,74,63,00
"ForwardBroadcasts"=dword:00000000
"IPEnableRouter"=dword:00000000
"Domain"=""
"Hostname"="robertzoppa"
"DeadGWDetectDefault"=dword:00000001
"CitrixBackupTcpWindowSize"=dword:00000000
"SearchList"=""
"UseDomainNameDevolution"=dword:00000001
"DontAddDefaultGatewayDefault"=dword:00000000
"DhcpNameServer"="192.168.0.1"

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Adapters]

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Adapters\NdisWanIp]
"LLInterface"="WANARP"
"IpConfig"=hex(7):54,63,70,69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,74,\
65,72,66,61,63,65,73,5c,7b,31,34,33,35,32,41,38,34,2d,42,38,42,33,2d,34,30,\
46,36,2d,41,31,31,35,2d,39,42,33,43,36,35,31,36,37,42,38,33,7d,00,54,63,70,\
69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,74,65,72,66,61,63,65,73,5c,\
7b,37,33,33,34,46,45,34,30,2d,32,46,33,39,2d,34,43,31,36,2d,42,36,41,44,2d,\
42,44,43,46,41,30,42,46,35,46,39,38,7d,00,00
"NumInterfaces"=dword:00000002
"IpInterfaces"=hex:84,2a,35,14,b3,b8,f6,40,a1,15,9b,3c,65,16,7b,83,40,fe,34,73,\
39,2f,16,4c,b6,ad,bd,cf,a0,bf,5f,98

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Adapters\{B86F3C98-1ECE-4901-86C7-5065033C27CB}]
"LLInterface"=""
"IpConfig"=hex(7):54,63,70,69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,74,\
65,72,66,61,63,65,73,5c,7b,42,38,36,46,33,43,39,38,2d,31,45,43,45,2d,34,39,\
30,31,2d,38,36,43,37,2d,35,30,36,35,30,33,33,43,32,37,43,42,7d,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Adapters\{CB04D831-A721-4082-84B9-8C0062C24FA2}]
"LLInterface"=""
"IpConfig"=hex(7):54,63,70,69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,74,\
65,72,66,61,63,65,73,5c,7b,43,42,30,34,44,38,33,31,2d,41,37,32,31,2d,34,30,\
38,32,2d,38,34,42,39,2d,38,43,30,30,36,32,43,32,34,46,41,32,7d,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Adapters\{DA836B17-F05A-455A-804B-6AD9C2381057}]
"LLInterface"=""
"IpConfig"=hex(7):54,63,70,69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,74,\
65,72,66,61,63,65,73,5c,7b,44,41,38,33,36,42,31,37,2d,46,30,35,41,2d,34,35,\
35,41,2d,38,30,34,42,2d,36,41,44,39,43,32,33,38,31,30,35,37,7d,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\DNSRegisteredAdapters]

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Interfaces\{14352A84-B8B3-40F6-A115-9B3C65167B83}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00
"SubnetMask"=hex(7):30,2e,30,2e,30,2e,30,00,00
"DefaultGateway"=hex(7):00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Interfaces\{7334FE40-2F39-4C16-B6AD-BDCFA0BF5F98}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00
"SubnetMask"=hex(7):30,2e,30,2e,30,2e,30,00,00
"DefaultGateway"=hex(7):00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Interfaces\{B86F3C98-1ECE-4901-86C7-5065033C27CB}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00
"SubnetMask"=hex(7):30,2e,30,2e,30,2e,30,00,00
"DefaultGateway"=hex(7):00
"DefaultGatewayMetric"=hex(7):00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):00
"UDPAllowedPorts"=hex(7):00
"RawIPAllowedProtocols"=hex(7):00
"NTEContextList"=hex(7):00
"DhcpClassIdBin"=hex:
"DhcpServer"="255.255.255.255"
"Lease"=dword:00000e10
"LeaseObtainedTime"=dword:4ee8037b
"T1"=dword:4ee80a83
"T2"=dword:4ee80fc9
"LeaseTerminatesTime"=dword:4ee8118b
"AddressType"=dword:00000000
"DisableDynamicUpdate"=dword:00000000
"IPAutoconfigurationAddress"="0.0.0.0"
"IPAutoconfigurationMask"="255.255.0.0"
"IPAutoconfigurationSeed"=dword:00000000
"IsServerNapAware"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Interfaces\{CB04D831-A721-4082-84B9-8C0062C24FA2}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00
"SubnetMask"=hex(7):30,2e,30,2e,30,2e,30,00,00
"DefaultGateway"=hex(7):00
"DefaultGatewayMetric"=hex(7):00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00
"UDPAllowedPorts"=hex(7):30,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00
"NTEContextList"=hex(7):30,78,30,30,30,30,30,30,30,32,00,00
"DhcpClassIdBin"=hex:
"DhcpServer"="192.168.0.1"
"Lease"=dword:00093a80
"LeaseObtainedTime"=dword:4efc6be7
"T1"=dword:4f010927
"T2"=dword:4f047f17
"LeaseTerminatesTime"=dword:4f05a667
"IPAutoconfigurationAddress"="0.0.0.0"
"IPAutoconfigurationMask"="255.255.0.0"
"IPAutoconfigurationSeed"=dword:00000000
"AddressType"=dword:00000000
"IsServerNapAware"=dword:00000000
"DhcpIPAddress"="192.168.0.100"
"DhcpSubnetMask"="255.255.255.0"
"DhcpRetryTime"=dword:00049d40
"DhcpRetryStatus"=dword:00000000
"DhcpNameServer"="192.168.0.1"
"DhcpDefaultGateway"=hex(7):31,39,32,2e,31,36,38,2e,30,2e,31,00,00
"DhcpSubnetMaskOpt"=hex(7):32,35,35,2e,32,35,35,2e,32,35,35,2e,30,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Interfaces\{DA836B17-F05A-455A-804B-6AD9C2381057}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00
"SubnetMask"=hex(7):30,2e,30,2e,30,2e,30,00,00
"DefaultGateway"=hex(7):00
"DefaultGatewayMetric"=hex(7):00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):00
"UDPAllowedPorts"=hex(7):00
"RawIPAllowedProtocols"=hex(7):00
"NTEContextList"=hex(7):30,78,30,30,30,30,30,30,30,33,00,00
"DhcpClassIdBin"=hex:
"AddressType"=dword:00000000
"DisableDynamicUpdate"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\PersistentRoutes]

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Parameters\Winsock]
"UseDelayedAcceptance"=dword:00000000
"HelperDllName"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,\
6d,33,32,5c,77,73,68,74,63,70,69,70,2e,64,6c,6c,00
"MaxSockAddrLength"=dword:00000010
"MinSockAddrLength"=dword:00000010
"Mapping"=hex:0b,00,00,00,03,00,00,00,02,00,00,00,01,00,00,00,06,00,00,00,02,\
00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,06,00,00,00,00,00,\
00,00,00,00,00,00,06,00,00,00,00,00,00,00,01,00,00,00,06,00,00,00,02,00,00,\
00,02,00,00,00,11,00,00,00,02,00,00,00,02,00,00,00,00,00,00,00,02,00,00,00,\
00,00,00,00,11,00,00,00,00,00,00,00,00,00,00,00,11,00,00,00,00,00,00,00,02,\
00,00,00,11,00,00,00,02,00,00,00,03,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Performance]
"Close"="CloseTcpIpPerformanceData"
"Collect"="CollectTcpIpPerformanceData"
"Library"="Perfctrs.dll"
"Open"="OpenTcpIpPerformanceData"
"Object List"="502 510 546 582 638 658"
"WbemAdapFileSignature"=hex:96,49,2c,72,1c,6e,a5,17,e2,bf,d5,38,1f,ef,55,e3
"WbemAdapFileTime"=hex:00,f8,16,2e,c9,7e,c4,01
"WbemAdapFileSize"=dword:00009c00
"WbemAdapStatus"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\ServiceProvider]
"Class"=dword:00000008
"DnsPriority"=dword:000007d0
"HostsPriority"=dword:000001f4
"LocalPriority"=dword:000001f3
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,77,73,6f,63,6b,33,32,2e,64,6c,6c,00
"NetbtPriority"=dword:000007d1
"Name"="TCP/IP"

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\TCPIP\Enum]
"0"="Root\\LEGACY_TCPIP\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


Last:
==== ServiceGroupOrder =========

PNP_TDI
TDI
NetBIOSGroup

==========================
PNP_TDI = [08], 05, 01, 02, 03, 04, 06, 07, 08

SERVICE_NAME: Gpc
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\DRIVERS\msgpc.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 3
DISPLAY_NAME : Generic Packet Classifier

SERVICE_NAME: IPSec
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\DRIVERS\ipsec.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 5
DISPLAY_NAME : IPSEC driver

SERVICE_NAME: NDProxy
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : 
LOAD_ORDER_GROUP : PNP_TDI
TAG : 0
DISPLAY_NAME : NDIS Proxy

SERVICE_NAME: NetBT
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : System32\DRIVERS\netbt.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 6
DISPLAY_NAME : NetBios over Tcpip
DEPENDENCIES : Tcpip

SERVICE_NAME: PSched
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\DRIVERS\psched.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 7
DISPLAY_NAME : QoS Packet Scheduler
DEPENDENCIES : Gpc

SERVICE_NAME: Tcpip
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\DRIVERS\tcpip.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 4
DISPLAY_NAME : TCP/IP Protocol Driver
DEPENDENCIES : IPSec

SERVICE_NAME: WS2IFSL
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : \SystemRoot\System32\drivers\ws2ifsl.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 0
DISPLAY_NAME : Windows Socket 2.0 Non-IFS Service Provider Support Environment

==========================

SERVICE_NAME: AFD
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : \SystemRoot\System32\drivers\afd.sys
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : AFD

SERVICE_NAME: Dhcp
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
PID : 1220
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DHCP Client
DEPENDENCIES : Tcpip, Afd, NetBT

SERVICE_NAME: Dnscache
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
PID : 1300
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k NetworkService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DNS Client
DEPENDENCIES : Tcpip

SERVICE_NAME: Dot3svc
STATE : 1 STOPPED
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 1077 (0x435)
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k dot3svc
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : Wired AutoConfig
DEPENDENCIES : Ndisuio, eaphost

SERVICE_NAME: LmHosts
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
PID : 1896
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : TCP/IP NetBIOS Helper
DEPENDENCIES : NetBT, Afd

SERVICE_NAME: WZCSVC
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
PID : 1220
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : Wireless Zero Configuration
DEPENDENCIES : RpcSs, Ndisuio

==========================
NetBIOSGroup = [03], 01, 02, 03

SERVICE_NAME: NetBIOS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\DRIVERS\netbios.sys
LOAD_ORDER_GROUP : NetBIOSGroup
TAG : 1
DISPLAY_NAME : NetBIOS Interface

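The exports above are what Ried is reading by hand; as an added example (not from the thread or from any tool it mentions), here is a small Python parser that decodes a REGEDIT4 export's hex(2)/hex(7) values into readable strings and checks a service key against the known-good shape. The expected values (netbt.sys under System32\DRIVERS, START_TYPE 1 SYSTEM_START, dependency on Tcpip) are taken from the sc output in the same post; the embedded sample is a trimmed excerpt of the posted NetBT export.

```python
"""Decode a REGEDIT4 service-key export and sanity-check it against known-good values."""
import re

# Constructed sample: a trimmed excerpt of the NetBT export posted above
# (only the values the check below looks at are kept).
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT]
"Start"=dword:00000001
"ImagePath"=hex(2):53,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,6e,65,74,\
62,74,2e,73,79,73,00
"DependOnService"=hex(7):54,63,70,69,70,00,00
"DependOnGroup"=hex(7):00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Enum]
"0"="Root\\LEGACY_NETBT\\0000"
"INITSTARTFAILED"=dword:00000001
"""

def _join_continuations(text):
    """Re-join values that regedit wrapped onto several lines with a trailing backslash."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out

def _decode_value(rhs):
    """Turn the right-hand side of a .reg line into a Python value."""
    if rhs.startswith('"') and rhs.endswith('"'):
        return rhs[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if rhs.startswith("dword:"):
        return int(rhs[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", rhs)
    if not m: raise ValueError(f"unrecognised value syntax: {rhs}")
    kind = int(m.group(1)) if m.group(1) else 3          # bare "hex:" is REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind == 2:    # REG_EXPAND_SZ; REGEDIT4 exports store strings as ANSI bytes
        return data.split(b"\x00", 1)[0].decode("latin-1")
    if kind == 7:    # REG_MULTI_SZ: NUL-separated strings, double-NUL terminated
        return [s.decode("latin-1") for s in data.split(b"\x00") if s]
    return data

def parse_reg(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        name, sep, rhs = line.partition("=")
        if current is None or not sep: raise ValueError(f"malformed line: {line}")
        name = "" if name == "@" else name.strip('"')
        keys[current][name] = _decode_value(rhs)
    return keys

def find_service_key(keys, service):
    """Locate the Services\\<service> key whatever case the hive path was exported in."""
    suffix = "\\services\\" + service.lower()
    return next((k for k in keys if k.lower().endswith(suffix)), None)

def audit_service(keys, service, expected_image, expected_start, expected_deps):
    """Compare one service key with its known-good shape; return a list of findings."""
    path = find_service_key(keys, service)
    if path is None: return [f"{service}: key missing from export"]
    vals, findings = keys[path], []
    image = str(vals.get("ImagePath", ""))
    low = image.lower()
    if not low.endswith("\\" + expected_image.lower()) or "system32\\drivers\\" not in low:
        findings.append(f"{service}: ImagePath is {image!r}, expected System32\\DRIVERS\\{expected_image}")
    start = vals.get("Start")
    if start != expected_start:
        findings.append(f"{service}: Start={start}, expected {expected_start}")
    deps = vals.get("DependOnService", [])
    if sorted(d.lower() for d in deps) != sorted(d.lower() for d in expected_deps):
        findings.append(f"{service}: DependOnService={deps}, expected {expected_deps}")
    enum = keys.get(path + "\\Enum", {})
    if enum.get("INITSTARTFAILED"):   # flag for a human; the name suggests a failed start at boot
        findings.append(f"{service}: Enum\\INITSTARTFAILED={enum['INITSTARTFAILED']} "
                        "(worth correlating with the System event log)")
    return findings

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    # Expected values come from the sc output in the same post:
    # System32\DRIVERS\netbt.sys, START_TYPE 1 SYSTEM_START, DEPENDENCIES: Tcpip.
    for finding in audit_service(parsed, "NetBT", "netbt.sys", 1, ["Tcpip"]) or ["NetBT: no findings"]:
        print(finding)
```

Running the same check over the Tcpip export (tcpip.sys, Start 1, dependency on IPSec, again per the sc output) takes one more `audit_service` call.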

----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Ried,
I figured you don't want me to go back to a restore point, so I removed and reinstalled the printer and scanner.
Got the scanner back over the network,
but not the printer -- it says it cannot communicate with the device.

Any thoughts? 

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

What is the most recent restore point?


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Ried said:


> What is the most recent restore point?


Yesterday and then Tuesday.


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

You know what? Go ahead, the regfix didn't work anyway. :smile:

After you do the system restore, I'll need new tcpip and netbt key exports, as well as a new log from this tool. You'll have to download it again.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



Ried said:


> You know what? Go ahead, the regfix didn't work anyway. :smile:
> 
> After you do the system restore, I'll need new tcpip and netbt key exports, as well as a new log from this tool. You'll have to download it again.


OK, back in a few.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

OK Ried, here you go.

One thing though, and this happened before once:
after reboot, before I start the services, the system tray used to say "acquiring network address".
Now, after the restore to Tuesday, it says "limited internet connectivity".
Just for fun I tried a web page -- nothing. Both services still need to be started manually, and after that everything works, but at this point change is a little unnerving.

Scanner needed to be told an address, but otherwise printer and scanner work.

I may try yet another restore point but will wait a while and see if we can find any changes -- I'll only do it [restore point] without your knowing if I find something that I need doesn't work.

OK, here they are.

Bob

netbt
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000006
"ImagePath"=hex(2):53,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,6e,65,74,\
62,74,2e,73,79,73,00
"DisplayName"="NetBios over Tcpip"
"Group"="PNP_TDI"
"DependOnService"=hex(7):54,63,70,69,70,00,00
"DependOnGroup"=hex(7):00
"Description"="NetBios over Tcpip"

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Enum]
"0"="Root\\LEGACY_NETBT\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
"INITSTARTFAILED"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Linkage]
"OtherDependencies"=hex(7):54,63,70,69,70,00,00
"Bind"=hex(7):5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,43,42,30,34,44,38,\
33,31,2d,41,37,32,31,2d,34,30,38,32,2d,38,34,42,39,2d,38,43,30,30,36,32,43,\
32,34,46,41,32,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,42,38,36,\
46,33,43,39,38,2d,31,45,43,45,2d,34,39,30,31,2d,38,36,43,37,2d,35,30,36,35,\
30,33,33,43,32,37,43,42,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,\
44,41,38,33,36,42,31,37,2d,46,30,35,41,2d,34,35,35,41,2d,38,30,34,42,2d,36,\
41,44,39,43,32,33,38,31,30,35,37,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,\
70,5f,7b,31,34,33,35,32,41,38,34,2d,42,38,42,33,2d,34,30,46,36,2d,41,31,31,\
35,2d,39,42,33,43,36,35,31,36,37,42,38,33,7d,00,5c,44,65,76,69,63,65,5c,54,\
63,70,69,70,5f,7b,37,33,33,34,46,45,34,30,2d,32,46,33,39,2d,34,43,31,36,2d,\
42,36,41,44,2d,42,44,43,46,41,30,42,46,35,46,39,38,7d,00,00
"Route"=hex(7):22,54,63,70,69,70,22,20,22,7b,43,42,30,34,44,38,33,31,2d,41,37,\
32,31,2d,34,30,38,32,2d,38,34,42,39,2d,38,43,30,30,36,32,43,32,34,46,41,32,\
7d,22,00,22,54,63,70,69,70,22,20,22,7b,42,38,36,46,33,43,39,38,2d,31,45,43,\
45,2d,34,39,30,31,2d,38,36,43,37,2d,35,30,36,35,30,33,33,43,32,37,43,42,7d,\
22,00,22,54,63,70,69,70,22,20,22,7b,44,41,38,33,36,42,31,37,2d,46,30,35,41,\
2d,34,35,35,41,2d,38,30,34,42,2d,36,41,44,39,43,32,33,38,31,30,35,37,7d,22,\
00,22,54,63,70,69,70,22,20,22,4e,64,69,73,57,61,6e,49,70,22,00,00
"Export"=hex(7):5c,44,65,76,69,63,65,5c,4e,65,74,42,54,5f,54,63,70,69,70,5f,7b,\
43,42,30,34,44,38,33,31,2d,41,37,32,31,2d,34,30,38,32,2d,38,34,42,39,2d,38,\
43,30,30,36,32,43,32,34,46,41,32,7d,00,5c,44,65,76,69,63,65,5c,4e,65,74,42,\
54,5f,54,63,70,69,70,5f,7b,42,38,36,46,33,43,39,38,2d,31,45,43,45,2d,34,39,\
30,31,2d,38,36,43,37,2d,35,30,36,35,30,33,33,43,32,37,43,42,7d,00,5c,44,65,\
76,69,63,65,5c,4e,65,74,42,54,5f,54,63,70,69,70,5f,7b,44,41,38,33,36,42,31,\
37,2d,46,30,35,41,2d,34,35,35,41,2d,38,30,34,42,2d,36,41,44,39,43,32,33,38,\
31,30,35,37,7d,00,5c,44,65,76,69,63,65,5c,4e,65,74,42,54,5f,54,63,70,69,70,\
5f,7b,31,34,33,35,32,41,38,34,2d,42,38,42,33,2d,34,30,46,36,2d,41,31,31,35,\
2d,39,42,33,43,36,35,31,36,37,42,38,33,7d,00,5c,44,65,76,69,63,65,5c,4e,65,\
74,42,54,5f,54,63,70,69,70,5f,7b,37,33,33,34,46,45,34,30,2d,32,46,33,39,2d,\
34,43,31,36,2d,42,36,41,44,2d,42,44,43,46,41,30,42,46,35,46,39,38,7d,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters]
"NbProvider"="_tcp"
"NameServerPort"=dword:00000089
"CacheTimeout"=dword:000927c0
"BcastNameQueryCount"=dword:00000003
"BcastQueryTimeout"=dword:000002ee
"NameSrvQueryCount"=dword:00000003
"NameSrvQueryTimeout"=dword:000005dc
"Size/Small/Medium/Large"=dword:00000001
"SessionKeepAlive"=dword:0036ee80
"TransportBindName"="\\Device\\"
"EnableLMHOSTS"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters\Interfaces\Tcpip_{B86F3C98-1ECE-4901-86C7-5065033C27CB}]
"NameServerList"=hex(7):00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters\Interfaces\Tcpip_{CB04D831-A721-4082-84B9-8C0062C24FA2}]
"NameServerList"=hex(7):00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters\Interfaces\Tcpip_{DA836B17-F05A-455A-804B-6AD9C2381057}]
"NameServerList"=hex(7):00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Security]
"Security"=hex:01,00,14,80,e8,00,00,00,f4,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,b8,00,08,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,25,02,\
00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,14,\
00,40,00,00,00,01,01,00,00,00,00,00,05,13,00,00,00,00,00,14,00,40,00,00,00,\
01,01,00,00,00,00,00,05,14,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,\
00,00,05,20,00,00,00,2c,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00

Tcpip
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000004
"ImagePath"=hex(2):73,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,74,63,70,\
69,70,2e,73,79,73,00
"DisplayName"="TCP/IP Protocol Driver"
"Group"="PNP_TDI"
"DependOnService"=hex(7):49,50,53,65,63,00,00
"DependOnGroup"=hex(7):00
"Description"="TCP/IP Protocol Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Linkage]
"Bind"=hex(7):5c,44,65,76,69,63,65,5c,7b,43,42,30,34,44,38,33,31,2d,41,37,32,\
31,2d,34,30,38,32,2d,38,34,42,39,2d,38,43,30,30,36,32,43,32,34,46,41,32,7d,\
00,5c,44,65,76,69,63,65,5c,7b,42,38,36,46,33,43,39,38,2d,31,45,43,45,2d,34,\
39,30,31,2d,38,36,43,37,2d,35,30,36,35,30,33,33,43,32,37,43,42,7d,00,5c,44,\
65,76,69,63,65,5c,7b,44,41,38,33,36,42,31,37,2d,46,30,35,41,2d,34,35,35,41,\
2d,38,30,34,42,2d,36,41,44,39,43,32,33,38,31,30,35,37,7d,00,5c,44,65,76,69,\
63,65,5c,4e,64,69,73,57,61,6e,49,70,00,00
"Route"=hex(7):22,7b,43,42,30,34,44,38,33,31,2d,41,37,32,31,2d,34,30,38,32,2d,\
38,34,42,39,2d,38,43,30,30,36,32,43,32,34,46,41,32,7d,22,00,22,7b,42,38,36,\
46,33,43,39,38,2d,31,45,43,45,2d,34,39,30,31,2d,38,36,43,37,2d,35,30,36,35,\
30,33,33,43,32,37,43,42,7d,22,00,22,7b,44,41,38,33,36,42,31,37,2d,46,30,35,\
41,2d,34,35,35,41,2d,38,30,34,42,2d,36,41,44,39,43,32,33,38,31,30,35,37,7d,\
22,00,22,4e,64,69,73,57,61,6e,49,70,22,00,00
"Export"=hex(7):5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,43,42,30,34,44,38,\
33,31,2d,41,37,32,31,2d,34,30,38,32,2d,38,34,42,39,2d,38,43,30,30,36,32,43,\
32,34,46,41,32,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,42,38,36,\
46,33,43,39,38,2d,31,45,43,45,2d,34,39,30,31,2d,38,36,43,37,2d,35,30,36,35,\
30,33,33,43,32,37,43,42,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,\
44,41,38,33,36,42,31,37,2d,46,30,35,41,2d,34,35,35,41,2d,38,30,34,42,2d,36,\
41,44,39,43,32,33,38,31,30,35,37,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,\
70,5f,7b,31,34,33,35,32,41,38,34,2d,42,38,42,33,2d,34,30,46,36,2d,41,31,31,\
35,2d,39,42,33,43,36,35,31,36,37,42,38,33,7d,00,5c,44,65,76,69,63,65,5c,54,\
63,70,69,70,5f,7b,37,33,33,34,46,45,34,30,2d,32,46,33,39,2d,34,43,31,36,2d,\
42,36,41,44,2d,42,44,43,46,41,30,42,46,35,46,39,38,7d,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters]
"NV Hostname"="robertzoppa"
"DataBasePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,64,72,69,76,65,72,73,5c,65,74,63,00
"ForwardBroadcasts"=dword:00000000
"IPEnableRouter"=dword:00000000
"Domain"=""
"Hostname"="robertzoppa"
"DeadGWDetectDefault"=dword:00000001
"CitrixBackupTcpWindowSize"=dword:00000000
"SearchList"=""
"UseDomainNameDevolution"=dword:00000001
"DontAddDefaultGatewayDefault"=dword:00000000
"DhcpNameServer"="192.168.0.1"

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Adapters]

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Adapters\NdisWanIp]
"LLInterface"="WANARP"
"IpConfig"=hex(7):54,63,70,69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,74,\
65,72,66,61,63,65,73,5c,7b,31,34,33,35,32,41,38,34,2d,42,38,42,33,2d,34,30,\
46,36,2d,41,31,31,35,2d,39,42,33,43,36,35,31,36,37,42,38,33,7d,00,54,63,70,\
69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,74,65,72,66,61,63,65,73,5c,\
7b,37,33,33,34,46,45,34,30,2d,32,46,33,39,2d,34,43,31,36,2d,42,36,41,44,2d,\
42,44,43,46,41,30,42,46,35,46,39,38,7d,00,00
"NumInterfaces"=dword:00000002
"IpInterfaces"=hex:84,2a,35,14,b3,b8,f6,40,a1,15,9b,3c,65,16,7b,83,40,fe,34,73,\
39,2f,16,4c,b6,ad,bd,cf,a0,bf,5f,98

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Adapters\{B86F3C98-1ECE-4901-86C7-5065033C27CB}]
"LLInterface"=""
"IpConfig"=hex(7):54,63,70,69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,74,\
65,72,66,61,63,65,73,5c,7b,42,38,36,46,33,43,39,38,2d,31,45,43,45,2d,34,39,\
30,31,2d,38,36,43,37,2d,35,30,36,35,30,33,33,43,32,37,43,42,7d,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Adapters\{CB04D831-A721-4082-84B9-8C0062C24FA2}]
"LLInterface"=""
"IpConfig"=hex(7):54,63,70,69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,74,\
65,72,66,61,63,65,73,5c,7b,43,42,30,34,44,38,33,31,2d,41,37,32,31,2d,34,30,\
38,32,2d,38,34,42,39,2d,38,43,30,30,36,32,43,32,34,46,41,32,7d,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Adapters\{DA836B17-F05A-455A-804B-6AD9C2381057}]
"LLInterface"=""
"IpConfig"=hex(7):54,63,70,69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,74,\
65,72,66,61,63,65,73,5c,7b,44,41,38,33,36,42,31,37,2d,46,30,35,41,2d,34,35,\
35,41,2d,38,30,34,42,2d,36,41,44,39,43,32,33,38,31,30,35,37,7d,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\DNSRegisteredAdapters]

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Interfaces\{14352A84-B8B3-40F6-A115-9B3C65167B83}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00
"SubnetMask"=hex(7):30,2e,30,2e,30,2e,30,00,00
"DefaultGateway"=hex(7):00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Interfaces\{7334FE40-2F39-4C16-B6AD-BDCFA0BF5F98}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00
"SubnetMask"=hex(7):30,2e,30,2e,30,2e,30,00,00
"DefaultGateway"=hex(7):00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Interfaces\{B86F3C98-1ECE-4901-86C7-5065033C27CB}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00
"SubnetMask"=hex(7):30,2e,30,2e,30,2e,30,00,00
"DefaultGateway"=hex(7):00
"DefaultGatewayMetric"=hex(7):00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):00
"UDPAllowedPorts"=hex(7):00
"RawIPAllowedProtocols"=hex(7):00
"NTEContextList"=hex(7):00
"DhcpClassIdBin"=hex:
"DhcpServer"="255.255.255.255"
"Lease"=dword:00000e10
"LeaseObtainedTime"=dword:4ee8037b
"T1"=dword:4ee80a83
"T2"=dword:4ee80fc9
"LeaseTerminatesTime"=dword:4ee8118b
"AddressType"=dword:00000000
"DisableDynamicUpdate"=dword:00000000
"IPAutoconfigurationAddress"="0.0.0.0"
"IPAutoconfigurationMask"="255.255.0.0"
"IPAutoconfigurationSeed"=dword:00000000
"IsServerNapAware"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Interfaces\{CB04D831-A721-4082-84B9-8C0062C24FA2}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00
"SubnetMask"=hex(7):30,2e,30,2e,30,2e,30,00,00
"DefaultGateway"=hex(7):00
"DefaultGatewayMetric"=hex(7):00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00
"UDPAllowedPorts"=hex(7):30,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00
"NTEContextList"=hex(7):30,78,30,30,30,30,30,30,30,32,00,00
"DhcpClassIdBin"=hex:
"DhcpServer"="192.168.0.1"
"Lease"=dword:00093a80
"LeaseObtainedTime"=dword:4efd08b2
"T1"=dword:4f01a5f2
"T2"=dword:4f051be2
"LeaseTerminatesTime"=dword:4f064332
"IPAutoconfigurationAddress"="0.0.0.0"
"IPAutoconfigurationMask"="255.255.0.0"
"IPAutoconfigurationSeed"=dword:00000000
"AddressType"=dword:00000000
"IsServerNapAware"=dword:00000000
"DhcpIPAddress"="192.168.0.100"
"DhcpSubnetMask"="255.255.255.0"
"DhcpRetryTime"=dword:00049d40
"DhcpRetryStatus"=dword:00000000
"DhcpNameServer"="192.168.0.1"
"DhcpDefaultGateway"=hex(7):31,39,32,2e,31,36,38,2e,30,2e,31,00,00
"DhcpSubnetMaskOpt"=hex(7):32,35,35,2e,32,35,35,2e,32,35,35,2e,30,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Interfaces\{DA836B17-F05A-455A-804B-6AD9C2381057}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00
"SubnetMask"=hex(7):30,2e,30,2e,30,2e,30,00,00
"DefaultGateway"=hex(7):00
"DefaultGatewayMetric"=hex(7):00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):00
"UDPAllowedPorts"=hex(7):00
"RawIPAllowedProtocols"=hex(7):00
"NTEContextList"=hex(7):30,78,30,30,30,30,30,30,30,33,00,00
"DhcpClassIdBin"=hex:
"AddressType"=dword:00000000
"DisableDynamicUpdate"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\PersistentRoutes]

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Winsock]
"UseDelayedAcceptance"=dword:00000000
"HelperDllName"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,\
6d,33,32,5c,77,73,68,74,63,70,69,70,2e,64,6c,6c,00
"MaxSockAddrLength"=dword:00000010
"MinSockAddrLength"=dword:00000010
"Mapping"=hex:0b,00,00,00,03,00,00,00,02,00,00,00,01,00,00,00,06,00,00,00,02,\
00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,06,00,00,00,00,00,\
00,00,00,00,00,00,06,00,00,00,00,00,00,00,01,00,00,00,06,00,00,00,02,00,00,\
00,02,00,00,00,11,00,00,00,02,00,00,00,02,00,00,00,00,00,00,00,02,00,00,00,\
00,00,00,00,11,00,00,00,00,00,00,00,00,00,00,00,11,00,00,00,00,00,00,00,02,\
00,00,00,11,00,00,00,02,00,00,00,03,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Performance]
"Close"="CloseTcpIpPerformanceData"
"Collect"="CollectTcpIpPerformanceData"
"Library"="Perfctrs.dll"
"Open"="OpenTcpIpPerformanceData"
"Object List"="502 510 546 582 638 658"
"WbemAdapFileSignature"=hex:96,49,2c,72,1c,6e,a5,17,e2,bf,d5,38,1f,ef,55,e3
"WbemAdapFileTime"=hex:00,f8,16,2e,c9,7e,c4,01
"WbemAdapFileSize"=dword:00009c00
"WbemAdapStatus"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\ServiceProvider]
"Class"=dword:00000008
"DnsPriority"=dword:000007d0
"HostsPriority"=dword:000001f4
"LocalPriority"=dword:000001f3
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,77,73,6f,63,6b,33,32,2e,64,6c,6c,00
"NetbtPriority"=dword:000007d1
"Name"="TCP/IP"

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Enum]
"0"="Root\\LEGACY_TCPIP\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Logit
==== ServiceGroupOrder =========

PNP_TDI
TDI
NetBIOSGroup

==========================
PNP_TDI = [08], 05, 01, 02, 03, 04, 06, 07, 08

SERVICE_NAME: Gpc
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\DRIVERS\msgpc.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 3
DISPLAY_NAME : Generic Packet Classifier

SERVICE_NAME: IPSec
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\DRIVERS\ipsec.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 5
DISPLAY_NAME : IPSEC driver

SERVICE_NAME: NDProxy
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : 
LOAD_ORDER_GROUP : PNP_TDI
TAG : 0
DISPLAY_NAME : NDIS Proxy

SERVICE_NAME: NetBT
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : System32\DRIVERS\netbt.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 6
DISPLAY_NAME : NetBios over Tcpip
DEPENDENCIES : Tcpip

SERVICE_NAME: PSched
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\DRIVERS\psched.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 7
DISPLAY_NAME : QoS Packet Scheduler
DEPENDENCIES : Gpc

SERVICE_NAME: Tcpip
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\DRIVERS\tcpip.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 4
DISPLAY_NAME : TCP/IP Protocol Driver
DEPENDENCIES : IPSec

SERVICE_NAME: WS2IFSL
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : \SystemRoot\System32\drivers\ws2ifsl.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 0
DISPLAY_NAME : Windows Socket 2.0 Non-IFS Service Provider Support Environment

==========================

SERVICE_NAME: AFD
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : \SystemRoot\System32\drivers\afd.sys
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : AFD

SERVICE_NAME: Dhcp
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
PID : 1220
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DHCP Client
DEPENDENCIES : Tcpip, Afd, NetBT

SERVICE_NAME: Dnscache
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
PID : 1264
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k NetworkService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DNS Client
DEPENDENCIES : Tcpip

SERVICE_NAME: Dot3svc
STATE : 1 STOPPED
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 1077 (0x435)
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k dot3svc
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : Wired AutoConfig
DEPENDENCIES : Ndisuio, eaphost

SERVICE_NAME: LmHosts
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
PID : 1360
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : TCP/IP NetBIOS Helper
DEPENDENCIES : NetBT, Afd

SERVICE_NAME: WZCSVC
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
PID : 1220
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : Wireless Zero Configuration
DEPENDENCIES : RpcSs, Ndisuio

==========================
NetBIOSGroup = [03], 01, 02, 03

SERVICE_NAME: NetBIOS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\DRIVERS\netbios.sys
LOAD_ORDER_GROUP : NetBIOSGroup
TAG : 1
DISPLAY_NAME : NetBIOS Interface


----------
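Editor's added example, not code from the thread or from any of the tools used in it: the `hex(7)` and `dword` values in the TCP/IP registry export above are unreadable as posted, yet they hold the interesting facts (the adapter-to-interface binding, the DHCP server, the lease timers). The Python below parses the .reg syntax, decodes the NUL-terminated string lists and the epoch-second DWORDs, and checks the lease timers of the {CB04D831-A721-4082-84B9-8C0062C24FA2} interface against the DHCP rule that T1 is half and T2 is seven eighths of the lease. The sample input is a subset of the posted export, re-typed as constructed test data; it assumes the export is single-byte ANSI (as the posted bytes show) and takes an `encoding` argument for UTF-16LE Regedit 5 exports.

```python
import re
from datetime import datetime, timezone

# Constructed sample: lines copied from the registry export posted above. That
# dump stores strings one byte per character (REGEDIT4/ANSI style); a Regedit 5
# export stores them as UTF-16LE, which is what the `encoding` argument is for.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Adapters\{CB04D831-A721-4082-84B9-8C0062C24FA2}]
"IpConfig"=hex(7):54,63,70,69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,74,\
65,72,66,61,63,65,73,5c,7b,43,42,30,34,44,38,33,31,2d,41,37,32,31,2d,34,30,\
38,32,2d,38,34,42,39,2d,38,43,30,30,36,32,43,32,34,46,41,32,7d,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Interfaces\{CB04D831-A721-4082-84B9-8C0062C24FA2}]
"IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00
"DefaultGateway"=hex(7):00
"DhcpClassIdBin"=hex:
"DhcpServer"="192.168.0.1"
"Lease"=dword:00093a80
"LeaseObtainedTime"=dword:4efd08b2
"T1"=dword:4f01a5f2
"T2"=dword:4f051be2
"LeaseTerminatesTime"=dword:4f064332
"DhcpIPAddress"="192.168.0.100"
"DhcpDefaultGateway"=hex(7):31,39,32,2e,31,36,38,2e,30,2e,31,00,00
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_HEX_RE = re.compile(r'^hex(?:\((\d+)\))?:(.*)$')


def _logical_lines(text):
    """Join backslash-continued byte lists so each value is one line."""
    out, pending = [], ''
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith('\\'):
            pending = line[:-1]
            continue
        pending = ''
        if line:
            out.append(line)
    return out


def _strings(data, encoding):
    """Split NUL-terminated string data (REG_MULTI_SZ / REG_EXPAND_SZ)."""
    return [s for s in data.decode(encoding).split('\x00') if s]


def _value(rhs, encoding):
    """Return (type name, Python value) for the right-hand side of a value line."""
    if rhs.startswith('"') and rhs.endswith('"'):
        return 'REG_SZ', rhs[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    if rhs.startswith('dword:'):
        return 'REG_DWORD', int(rhs[6:], 16)
    m = _HEX_RE.match(rhs)
    if not m:
        raise ValueError('unsupported value syntax: %r' % rhs)
    kind = int(m.group(1) or 3)                 # bare "hex:" is REG_BINARY (type 3)
    blob = m.group(2).strip().strip(',')
    data = bytes(int(h, 16) for h in blob.split(',')) if blob else b''
    if kind == 7:
        return 'REG_MULTI_SZ', _strings(data, encoding)
    if kind == 2:
        parts = _strings(data, encoding)
        return 'REG_EXPAND_SZ', parts[0] if parts else ''
    return 'REG_BINARY', data


def parse_reg(text, encoding='latin-1'):
    """Parse a .reg export into {key path: {value name: (type, value)}}."""
    keys, current = {}, None
    for line in _logical_lines(text):
        km = _KEY_RE.match(line)
        if km:
            current = keys.setdefault(km.group(1), {})
            continue
        vm = _VALUE_RE.match(line)
        if vm and current is not None:
            current[vm.group(1)] = _value(vm.group(2), encoding)
    return keys


def lease_summary(iface):
    """Decode one Interfaces\\{GUID} key's DHCP lease into checkable facts.

    The four time values are Unix epoch seconds in REG_DWORDs. The client renews
    at T1 = 50% and rebinds at T2 = 87.5% of the lease, so a healthy key satisfies
    exact arithmetic between them.
    """
    obtained, lease = iface['LeaseObtainedTime'][1], iface['Lease'][1]
    return {
        'server': iface['DhcpServer'][1],
        'address': iface['DhcpIPAddress'][1],
        'gateways': iface['DhcpDefaultGateway'][1],
        'obtained_utc': datetime.fromtimestamp(obtained, timezone.utc),
        'lease_seconds': lease,
        't1_ok': iface['T1'][1] == obtained + lease // 2,
        't2_ok': iface['T2'][1] == obtained + lease * 7 // 8,
        'expiry_ok': iface['LeaseTerminatesTime'][1] == obtained + lease,
    }
```

`parse_reg(SAMPLE)` decodes `IpConfig` to `Tcpip\Parameters\Interfaces\{CB04D831-A721-4082-84B9-8C0062C24FA2}`, which is how the Adapters key points at its Interfaces key, and `lease_summary` on that interface gives a 604800-second (7-day) lease from 192.168.0.1 obtained at 2011-12-30 00:41:22 UTC, i.e. 19:41 on 29 Dec in the machine's GMT -5 zone shown in the ComboFix header, with T1, T2 and expiry consistent. For a live XP box, `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces out.reg` writes a Regedit 5 (UTF-16) file; read it as UTF-16 text and pass `encoding='utf-16-le'`.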



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried,
Small update: after having done nothing other than several normal reboots, the network connection indicator in the system tray, before starting the services, no longer says "limited internet connectivity".
It's back to normal, saying "Acquiring network address".

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Bob,

Download *VEW.exe*


Double click on VEW.exe to start the program. If you receive an "Open File" security warning, press Run. 
In the "*Select log to query*" section check: 
Application
System


In the "*Select type to list*" section check: 
Error


In the "*Number or dates of events*" section check : 
*Number of events*... then enter any number from 1 thru 20 in the entry box -- enter 10.


Press the Run button.
When the process completes, it only takes a few seconds...
Notepad will open with a report file named: VEW.txt... located on %SystemDrive%\VEW.txt ... usually C:\VEW.txt. Please post the VEW.txt


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

After you post that, delete your existing Combofix.exe and download the latest version from *here*.

Reboot before you run it, and do NOT start the services yourself. Leave it as is. 

Disable onboard AV and run ComboFix. Follow all prompts and post the ComboFix.txt when it has completed.

If ComboFix did not reboot the machine, reboot it yourself. Are those services auto starting now?


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Ried,

Scan results are attached and I'm going to run ComboFix as directed now.
I'll post when it's done.

Here are the requested scan results:
Vino's Event Viewer v01c run on Windows XP in English
Report run at 31/12/2011 10:23:52 AM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 29/12/2011 7:19:12 PM
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application BR_DRV_LOG_OFF.exe, version 0.0.0.0, faulting module BR_DRV_LOG_OFF.exe, version 0.0.0.0, fault address 0x0001fd10. 

Log: 'Application' Date/Time: 29/12/2011 6:34:14 PM
Type: error Category: 101
Event: 1002 Source: Application Hang
Hanging application wfica32.exe, version 12.0.3.6, hang module hungapp, version 0.0.0.0, hang address 0x00000000. 

Log: 'Application' Date/Time: 21/12/2011 10:35:21 AM
Type: error Category: 0
Event: 1001 Source: Application Hang
Fault bucket -1589266322. 

Log: 'Application' Date/Time: 21/12/2011 10:35:15 AM
Type: error Category: 101
Event: 1002 Source: Application Hang
Hanging application firefox.exe, version 8.0.1.4341, hang module hungapp, version 0.0.0.0, hang address 0x00000000. 

Log: 'Application' Date/Time: 21/12/2011 8:45:50 AM
Type: error Category: 1
Event: 490 Source: ESENT
svchost (1204) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\edb.log" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8). 

Log: 'Application' Date/Time: 19/12/2011 8:27:05 PM
Type: error Category: 0
Event: 36865 Source: Media Center Extender Services
ERROR: Device Service Listener - UDP networking failed. Error code 0x8007273C. 

Log: 'Application' Date/Time: 19/12/2011 8:27:02 PM
Type: error Category: 0
Event: 1 Source: JavaQuickStarterService
The event description cannot be found.

Log: 'Application' Date/Time: 19/12/2011 7:56:10 PM
Type: error Category: 0
Event: 36865 Source: Media Center Extender Services
ERROR: Device Service Listener - UDP networking failed. Error code 0x8007273C. 

Log: 'Application' Date/Time: 19/12/2011 7:56:07 PM
Type: error Category: 0
Event: 1 Source: JavaQuickStarterService
The event description cannot be found.

Log: 'Application' Date/Time: 15/12/2011 7:53:43 PM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 31/12/2011 8:26:23 AM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: NetBT 

Log: 'System' Date/Time: 31/12/2011 8:26:17 AM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The TCP/IP NetBIOS Helper service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning. 

Log: 'System' Date/Time: 31/12/2011 8:26:17 AM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning. 

Log: 'System' Date/Time: 30/12/2011 8:42:25 AM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: NetBT 

Log: 'System' Date/Time: 30/12/2011 8:42:18 AM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The TCP/IP NetBIOS Helper service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning. 

Log: 'System' Date/Time: 30/12/2011 8:42:18 AM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning. 

Log: 'System' Date/Time: 29/12/2011 8:07:48 PM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: NetBT 

Log: 'System' Date/Time: 29/12/2011 8:07:45 PM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The TCP/IP NetBIOS Helper service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning. 

Log: 'System' Date/Time: 29/12/2011 8:07:45 PM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning. 

Log: 'System' Date/Time: 29/12/2011 7:46:45 PM
Type: error Category: 0
Event: 7016 Source: Service Control Manager
The BrSplService service has reported an invalid current state 0.


----------
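Editor's added example, not code from the thread or from VEW or ComboFix: the service dump earlier in the thread lists each service's DEPENDENCIES, and the System log above repeats the same pair of errors at every boot, Service Control Manager event 7026 (NetBT failed to load) followed by a 7001 for each service that depends on it. The Python below parses both formats, using a few lines copied from them as constructed samples, and walks the dependency graph to list which auto-start services cannot come up when a given boot-start driver fails. It assumes the dump's `sc qc`-style "FIELD : value" layout and VEW's dd/mm/yyyy timestamps; service names are compared case-insensitively because the dump writes "Afd" in one place and "AFD" in another.

```python
import re
from datetime import datetime

# Constructed samples: lines copied from the service dump and VEW.txt posted in
# this thread, trimmed to the fields the parsers below look at.
SERVICES = '''
SERVICE_NAME: Tcpip
START_TYPE : 1 SYSTEM_START
DEPENDENCIES : IPSec

SERVICE_NAME: NetBT
START_TYPE : 1 SYSTEM_START
DEPENDENCIES : Tcpip

SERVICE_NAME: Dhcp
START_TYPE : 2 AUTO_START
DEPENDENCIES : Tcpip, Afd, NetBT

SERVICE_NAME: Dnscache
START_TYPE : 2 AUTO_START
DEPENDENCIES : Tcpip

SERVICE_NAME: LmHosts
START_TYPE : 2 AUTO_START
DEPENDENCIES : NetBT, Afd
'''

VEW = '''
Log: 'System' Date/Time: 31/12/2011 8:26:23 AM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: NetBT

Log: 'System' Date/Time: 31/12/2011 8:26:17 AM
Type: error Category: 0
Event: 7001 Source: Service Control Manager
The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

Log: 'System' Date/Time: 30/12/2011 8:42:25 AM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: NetBT
'''

_HEAD_RE = re.compile(r"^Log: '\w+' Date/Time: (.+)$")
_EVENT_RE = re.compile(r'^Event: (\d+) Source: (.+)$')


def parse_services(text):
    """Index an `sc qc`-style dump by lower-cased service name."""
    services, cur = {}, None
    for line in text.splitlines():
        field, _, value = (part.strip() for part in line.partition(':'))
        if field == 'SERVICE_NAME':
            cur = services[value.lower()] = {'name': value, 'deps': [], 'start_type': None}
        elif cur and field == 'START_TYPE':
            cur['start_type'] = value.split()[-1]
        elif cur and field == 'DEPENDENCIES':
            cur['deps'] = [d.strip().lower() for d in value.split(',') if d.strip()]
    return services


def parse_vew(text):
    """Parse VEW.txt entries (dates are dd/mm/yyyy) into dicts, in file order."""
    events = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = [ln.strip() for ln in block.splitlines()]
        head = _HEAD_RE.match(lines[0])
        ev = len(lines) > 3 and _EVENT_RE.match(lines[2])
        if head and ev:
            events.append({'time': datetime.strptime(head.group(1), '%d/%m/%Y %I:%M:%S %p'),
                           'event': int(ev.group(1)), 'source': ev.group(2),
                           'message': ' '.join(lines[3:])})
    return events


def boot_failures(events):
    """{boot time: [drivers]} from SCM event 7026, which is logged once per boot."""
    boots = {}
    for ev in events:
        if ev['source'] == 'Service Control Manager' and ev['event'] == 7026:
            names = ev['message'].rsplit(':', 1)[1]
            boots[ev['time']] = sorted(n for n in re.split(r'[\s,]+', names) if n)
    return boots


def impact(services, failed):
    """Services whose transitive DEPENDENCIES include a failed driver -> [failed names]."""
    failed, hit = {f.lower() for f in failed}, {}
    for svc in services.values():
        seen, stack = set(), list(svc['deps'])
        while stack:                          # depth-first walk of the dependency graph
            dep = stack.pop()
            if dep not in seen:
                seen.add(dep)
                stack.extend(services.get(dep, {}).get('deps', []))
        if seen & failed:
            hit[svc['name']] = sorted(services.get(d, {}).get('name', d) for d in seen & failed)
    return hit
```

With the posted data, `boot_failures(parse_vew(VEW))` shows NetBT failing on every logged boot, and `impact(parse_services(SERVICES), {'NetBT'})` returns Dhcp and LmHosts but not Dnscache, which matches the 7001 events the log records: DHCP Client is AUTO_START, but the Service Control Manager will not start it while a dependency is down, so no DHCP lease until someone starts it by hand. Calling `impact` with Tcpip as the failed driver instead shows how much wider the blast radius would be if the TCP/IP driver itself were the broken piece.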



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Ried,
ComboFix completed its run. I rebooted twice to be sure; the services are still not starting on their own.

Has ComboFix evolved again to fix this issue [sometimes], or was running it with the services not started the difference?

Hmm, that made me think: if we just wait long enough, ComboFix will be able to handle *anything*, and it'll do it for us.

I'm still game as long as you are. I am ordering a new drive so I can just mirror everything over; my spare drive is too small, only 160 GB. Remember when that was huge! Oh well, I guess Moore's law applies there too.

I'll be willing to keep this up as long as you wish. I'm seeing lots of similar attacks reportedly taking out networking, so fixing issues like this should be of interest.

Happy New Year !!
Bob

ComboFix log:
ComboFix 11-12-31.02 - Bob Zoppa 12/31/2011 10:35:36.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1470 [GMT -5:00]
Running from: c:\documents and settings\Bob Zoppa\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Bob Zoppa\g2mdlhlpx.exe
c:\windows\look.bat
c:\windows\system32\spool\prtprocs\w32x86\brmfpp1(2).dll
c:\windows\system32\spool\prtprocs\w32x86\brmfpp1(3).dll
c:\windows\system32\spool\prtprocs\w32x86\brmfpp1(4).dll
c:\windows\system32\spool\prtprocs\w32x86\brmfpp1(5).dll
c:\windows\system32\spool\prtprocs\w32x86\brmfpp1(6).dll
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-31 )))))))))))))))))))))))))))))))
.
.
2011-12-30 00:35 . 2011-12-30 00:35	--------	d-----w-	c:\windows\system32\wbem\Repository
2011-12-30 00:34 . 2011-12-30 00:34	--------	d-----w-	c:\program files\Common Files\ScanSoft Shared
2011-12-30 00:34 . 2011-12-30 00:34	--------	d-----w-	c:\documents and settings\All Users\Application Data\ScanSoft
2011-12-21 23:22 . 2010-10-12 16:56	220024	----a-w-	c:\windows\sigcheck.exe
2011-12-21 23:09 . 2011-12-21 18:17	--------	d-----w-	c:\windows\maxdrive
2011-12-15 04:39 . 2008-04-14 09:42	221184	-c--a-w-	c:\windows\system32\dllcache\wmpns.dll
2011-12-15 02:12 . 2011-12-15 02:20	--------	d-----w-	c:\documents and settings\Bob Zoppa\Application Data\ImgBurn
2011-12-15 02:07 . 2011-12-15 02:07	--------	d-----w-	c:\program files\ImgBurn
2011-12-13 01:52 . 2011-12-13 02:32	--------	d-----w-	c:\program files\nLite
2011-12-12 19:31 . 2008-04-14 10:42	116224	-c--a-w-	c:\windows\system32\dllcache\xrxwiadr.dll
2011-12-12 19:31 . 2001-08-18 03:36	23040	-c--a-w-	c:\windows\system32\dllcache\xrxwbtmp.dll
2011-12-12 19:31 . 2008-04-14 10:42	18944	-c--a-w-	c:\windows\system32\dllcache\xrxscnui.dll
2011-12-12 19:31 . 2001-08-18 03:37	27648	-c--a-w-	c:\windows\system32\dllcache\xrxftplt.exe
2011-12-12 19:31 . 2001-08-18 03:37	4608	-c--a-w-	c:\windows\system32\dllcache\xrxflnch.exe
2011-12-12 19:29 . 2008-04-14 03:04	29311	-c--a-w-	c:\windows\system32\dllcache\watv01nt.sys
2011-12-12 19:28 . 2001-08-17 18:28	224802	-c--a-w-	c:\windows\system32\dllcache\usr1807a.sys
2011-12-12 19:27 . 2001-08-17 18:48	11520	-c--a-w-	c:\windows\system32\dllcache\twotrack.sys
2011-12-12 19:26 . 2001-08-17 17:51	138528	-c--a-w-	c:\windows\system32\dllcache\tgiulnt5.sys
2011-12-12 19:25 . 2001-08-18 03:36	10240	-c--a-w-	c:\windows\system32\dllcache\swpdflt2.dll
2011-12-12 19:24 . 2001-08-17 17:51	20752	-c--a-w-	c:\windows\system32\dllcache\sonync.sys
2011-12-12 19:23 . 2001-08-17 19:56	157696	-c--a-w-	c:\windows\system32\dllcache\sisv256.dll
2011-12-12 19:22 . 2001-08-17 18:52	11648	-c--a-w-	c:\windows\system32\dllcache\scsiprnt.sys
2011-12-12 19:21 . 2001-08-18 03:36	82432	-c--a-w-	c:\windows\system32\dllcache\rwia450.dll
2011-12-12 19:20 . 2001-08-17 18:52	49024	-c--a-w-	c:\windows\system32\dllcache\ql1280.sys
2011-12-12 19:19 . 2001-08-17 19:04	173696	-c--a-w-	c:\windows\system32\dllcache\philcam2.sys
2011-12-12 19:18 . 2001-08-18 03:36	20480	-c--a-w-	c:\windows\system32\dllcache\ovcomc.dll
2011-12-12 19:17 . 2001-08-17 17:20	87040	-c--a-w-	c:\windows\system32\dllcache\nm6wdm.sys
2011-12-12 19:16 . 2001-08-17 18:50	21888	-c--a-w-	c:\windows\system32\dllcache\mxcard.sys
2011-12-12 19:16 . 2001-08-17 17:50	103296	-c--a-w-	c:\windows\system32\dllcache\mtxvideo.sys
2011-12-12 19:16 . 2008-04-14 05:16	49024	-c--a-w-	c:\windows\system32\dllcache\mstape.sys
2011-12-12 19:16 . 2001-08-17 18:48	12416	-c--a-w-	c:\windows\system32\dllcache\msriffwv.sys
2011-12-12 19:16 . 2001-08-17 19:00	2944	-c--a-w-	c:\windows\system32\dllcache\msmpu401.sys
2011-12-12 19:16 . 2008-04-14 05:24	22016	-c--a-w-	c:\windows\system32\dllcache\msircomm.sys
2011-12-12 19:16 . 2001-08-17 19:02	35200	-c--a-w-	c:\windows\system32\dllcache\msgame.sys
2011-12-12 19:16 . 2001-08-17 18:48	6016	-c--a-w-	c:\windows\system32\dllcache\msfsio.sys
2011-12-12 19:16 . 2008-04-14 05:16	51200	-c--a-w-	c:\windows\system32\dllcache\msdv.sys
2011-12-12 19:16 . 2001-08-17 18:52	17280	-c--a-w-	c:\windows\system32\dllcache\mraid35x.sys
2011-12-12 19:16 . 2001-08-17 18:57	16128	-c--a-w-	c:\windows\system32\dllcache\modemcsa.sys
2011-12-12 19:16 . 2001-08-17 18:52	6528	-c--a-w-	c:\windows\system32\dllcache\miniqic.sys
2011-12-12 19:14 . 2001-08-17 18:51	15744	-c--a-w-	c:\windows\system32\dllcache\lit220p.sys
2011-12-12 19:13 . 2001-08-17 17:12	45632	-c--a-w-	c:\windows\system32\dllcache\ip5515.sys
2011-12-12 19:12 . 2001-08-18 03:34	9216	-c--a-w-	c:\windows\system32\dllcache\ibmsgnet.dll
2011-12-12 19:11 . 2001-08-18 03:36	19456	-c--a-w-	c:\windows\system32\dllcache\hr1w.dll
2011-12-12 19:10 . 2001-08-17 19:56	1733120	-c--a-w-	c:\windows\system32\dllcache\g400d.dll
2011-12-12 19:09 . 2008-04-14 03:06	137088	-c--a-w-	c:\windows\system32\dllcache\essm2e.sys
2011-12-12 19:08 . 2001-08-17 17:12	19594	-c--a-w-	c:\windows\system32\dllcache\e100isa4.sys
2011-12-12 19:07 . 2001-08-18 03:36	110592	-c--a-w-	c:\windows\system32\dllcache\dc260usd.dll
2011-12-12 19:06 . 2008-04-14 05:11	8192	-c--a-w-	c:\windows\system32\dllcache\changer.sys
2011-12-12 19:05 . 2001-08-18 03:36	9728	-c--a-w-	c:\windows\system32\dllcache\brcoinst.dll
2011-12-12 19:04 . 2001-08-17 19:55	689216	-c--a-w-	c:\windows\system32\dllcache\3dfxvs.dll
2011-12-12 19:04 . 2001-08-17 19:06	11264	-c--a-w-	c:\windows\system32\dllcache\1394vdbg.sys
2011-12-12 19:04 . 2001-08-17 18:28	762780	-c--a-w-	c:\windows\system32\dllcache\3cwmcru.sys
2011-12-12 19:04 . 2008-04-14 05:16	53376	-c--a-w-	c:\windows\system32\dllcache\1394bus.sys
2011-12-12 19:04 . 2001-08-17 19:56	66048	-c--a-w-	c:\windows\system32\dllcache\s3legacy.dll
2011-12-12 04:50 . 2011-12-12 04:50	--------	d-----w-	c:\program files\ESET
2011-12-10 21:55 . 2008-04-14 10:41	22528	-c--a-w-	c:\windows\system32\dllcache\lpdsvc.dll
2011-12-10 21:54 . 2008-04-14 10:41	218112	-c--a-w-	c:\windows\system32\dllcache\c_g18030.dll
2011-12-10 21:54 . 2008-04-14 10:41	26624	-c--a-w-	c:\windows\system32\dllcache\fxsdrv.dll
2011-12-10 21:54 . 2008-04-14 10:42	29184	-c--a-w-	c:\windows\system32\dllcache\rw330ext.dll
2011-12-10 21:54 . 2008-04-14 10:41	35328	-c--a-w-	c:\windows\system32\dllcache\iprip.dll
2011-12-10 21:54 . 2008-04-14 10:42	142848	-c--a-w-	c:\windows\system32\dllcache\fxsclnt.exe
2011-12-10 21:54 . 2008-04-14 10:42	456192	-c--a-w-	c:\windows\system32\dllcache\smtpsvc.dll
2011-12-10 21:54 . 2008-04-14 10:39	6144	-c--a-w-	c:\windows\system32\dllcache\kbdax2.dll
2011-12-10 21:54 . 2008-04-14 10:41	33792	-c--a-w-	c:\windows\system32\dllcache\lmmib2.dll
2011-12-10 21:54 . 2008-04-14 10:42	39936	-c--a-w-	c:\windows\system32\dllcache\snmpthrd.dll
2011-12-10 21:54 . 2008-04-14 10:41	101888	-c--a-w-	c:\windows\system32\dllcache\evntagnt.dll
2011-12-10 21:54 . 2008-04-14 10:41	331264	-c--a-w-	c:\windows\system32\dllcache\aqueue.dll
2011-12-10 21:13 . 2011-12-10 21:13	--------	d-----w-	c:\documents and settings\Bob Zoppa\Application Data\TeamViewer
2011-12-10 20:23 . 2011-10-25 13:33	2192768	-c--a-w-	c:\windows\system32\dllcache\ntoskrnl.exe
2011-12-10 20:15 . 2011-02-17 12:32	5120	----a-w-	c:\windows\system32\xpsp4res.dll
2011-12-10 19:46 . 2011-12-10 19:46	--------	d-----w-	c:\documents and settings\Bob Zoppa\Application Data\Media Player Classic
2011-12-09 23:59 . 2002-02-13 06:16	176128	------w-	c:\windows\system32\Pdrvinst.dll
2011-12-09 23:59 . 2002-02-05 06:08	81920	------w-	c:\windows\system32\BrWebIns.dll
2011-12-09 23:59 . 2002-02-05 06:07	65536	------w-	c:\windows\system32\Brwebup.exe
2011-12-09 23:59 . 2000-01-28 17:19	513536	------w-	c:\program files\Common Files\InstallShield\WebUpdate\Iftw.exe
2011-12-09 23:59 . 2000-01-28 17:19	331776	------w-	c:\program files\Common Files\InstallShield\WebUpdate\WebUpdate.exe
2011-12-09 23:59 . 2000-01-28 17:19	24576	------w-	c:\program files\Common Files\InstallShield\WebUpdate\RasThunk.dll
2011-12-09 23:59 . 2000-01-28 17:19	132096	------w-	c:\program files\Common Files\InstallShield\WebUpdate\ISiteLite.dll
2011-12-09 23:59 . 2004-04-06 06:00	126976	------w-	c:\windows\system32\BrfxD04a.dll
2011-12-09 23:58 . 2002-12-05 19:12	692224	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
2011-12-09 23:58 . 2002-12-05 19:10	155648	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
2011-12-09 23:58 . 2002-12-02 20:22	5632	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
2011-12-09 23:58 . 2002-12-02 18:33	57344	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
2011-12-09 23:58 . 2002-12-02 18:33	237568	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
2011-12-09 23:58 . 2011-12-09 23:58	282756	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
2011-12-09 23:58 . 2011-12-09 23:58	163972	----a-w-	c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
2011-12-07 12:27 . 2009-08-17 04:57	485920	----a-w-	c:\windows\system32\nvuninst.exe
2011-12-07 12:27 . 2009-08-17 04:57	485920	----a-w-	c:\windows\system32\nvudisp.exe
2011-12-06 21:07 . 2004-08-10 10:00	18944	-c--a-w-	c:\windows\system32\dllcache\simptcp.dll
2011-12-06 21:06 . 2001-08-18 03:36	43520	-c--a-w-	c:\windows\system32\dllcache\EXCH_fcachdll.dll
2011-12-06 20:44 . 2004-08-10 11:00	24661	-c--a-w-	c:\windows\system32\dllcache\spxcoins.dll
2011-12-06 20:44 . 2004-08-10 11:00	24661	----a-w-	c:\windows\system32\spxcoins.dll
2011-12-06 20:44 . 2004-08-10 11:00	13312	-c--a-w-	c:\windows\system32\dllcache\irclass.dll
2011-12-06 20:44 . 2004-08-10 11:00	13312	----a-w-	c:\windows\system32\irclass.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-17 19:48 . 2004-08-10 11:00	62976	----a-w-	c:\windows\system32\drivers\cdrom.sys
2011-11-23 13:25 . 2004-08-10 11:00	1859584	----a-w-	c:\windows\system32\win32k.sys
2011-11-01 20:35 . 2006-03-04 03:33	667136	----a-w-	c:\windows\system32\wininet.dll
2011-11-01 20:35 . 2004-08-10 11:00	81920	----a-w-	c:\windows\system32\ieencode.dll
2011-11-01 20:35 . 2004-08-10 11:00	61952	----a-w-	c:\windows\system32\tdc.ocx
2011-11-01 16:07 . 2004-08-10 11:00	1288704	----a-w-	c:\windows\system32\ole32.dll
2011-11-01 15:02 . 2004-08-10 11:00	369664	----a-w-	c:\windows\system32\html.iec
2011-10-28 05:31 . 2004-08-10 11:00	33280	----a-w-	c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2005-03-30 01:21	2148864	----a-w-	c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2005-03-30 01:01	2027008	----a-w-	c:\windows\system32\ntkrnlpa.exe
2011-10-10 14:22 . 2009-10-03 22:20	692736	----a-w-	c:\windows\system32\inetcomm.dll
2010-05-12 21:42 . 2010-05-12 21:42	124344	----a-w-	c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-05-12 22:22 . 2010-05-12 22:22	13240	----a-w-	c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-05-12 21:43 . 2010-05-12 21:43	70592	----a-w-	c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-05-12 21:42 . 2010-05-12 21:42	91576	----a-w-	c:\program files\mozilla firefox\plugins\confmgr.dll
2010-05-12 21:42 . 2010-05-12 21:42	22464	----a-w-	c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-05-12 21:41 . 2010-05-12 21:41	255416	----a-w-	c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-05-12 21:42 . 2010-05-12 21:42	31160	----a-w-	c:\program files\mozilla firefox\plugins\icafile.dll
2010-05-12 21:42 . 2010-05-12 21:42	40384	----a-w-	c:\program files\mozilla firefox\plugins\icalogon.dll
2010-04-14 18:55 . 2010-04-14 18:55	652640	----a-w-	c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-05-12 21:43 . 2010-05-12 21:43	24000	----a-w-	c:\program files\mozilla firefox\plugins\TcpPServ.dll
2011-12-10 18:57 . 2011-04-15 12:21	134104	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-12-18_01.26.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-31 15:32 . 2011-12-31 15:32	16384 c:\windows\temp\Perflib_Perfdata_15c.dat
- 2004-08-10 11:00 . 2011-09-05 13:56	37888 c:\windows\system32\url.dll
+ 2004-08-10 11:00 . 2011-11-01 20:35	37888 c:\windows\system32\url.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2010-01-21 24576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-05-12 300472]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-11 281768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-10 44544]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 16:55	937920	----a-w-	c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2004-07-20 14:34	851968	----a-w-	c:\program files\Brother\ControlCenter2\brctrcen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-11-07 09:20	122940	----a-w-	c:\windows\system32\DLA\DLACTRLW.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 17:56	64512	----a-w-	c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-07-06 11:15	151552	----a-w-	c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-04-14 20:04	40960	----a-w-	c:\program files\ScanSoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 20:50	221184	----a-w-	c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 20:50	81920	----a-w-	c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-08-17 08:03	13877248	----a-w-	c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-08-17 08:03	86016	----a-w-	c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-08-13 04:40	1657376	----a-w-	c:\program files\NVIDIA Corporation\nView\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2004-04-14 19:46	57393	----a-w-	c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-20 20:00	282624	----a-w-	c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 15:22	155648	----a-r-	c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 16:59	254696	----a-w-	c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 05:00	90112	----a-w-	c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
2006-02-16 13:20	1118208	----a-w-	c:\program files\Creative\VoiceCenter\AndreaVC.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/29/2010 9:00 PM 136360]
.
.
------- Supplementary Scan -------
.
uStart Page = https://mail.csgrp.com/owa/auth/logon.aspx?replaceCurrent=1&url=https://mail.csgrp.com/owa/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Bob Zoppa\Application Data\Mozilla\Firefox\Profiles\kn6t9xu8.default\
FF - prefs.js: browser.startup.homepage - hxxp://headlines.verizon.com/headlines/portals/headlines.portal
FF - prefs.js: network.proxy.type - 4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-12-31 10:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1409082233-412668190-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2011-12-31 10:42:48
ComboFix-quarantined-files.txt 2011-12-31 15:42
ComboFix2.txt 2011-12-18 03:39
ComboFix3.txt 2011-12-18 01:31
ComboFix4.txt 2011-12-10 03:00
ComboFix5.txt 2011-12-31 15:33
.
Pre-Run: 196,801,642,496 bytes free
Post-Run: 196,961,284,096 bytes free
.
- - End Of File - - B2FC892CBEBB83F112F84C5CCD6084CE


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*



> I'll be willing to keep this up as long as you wish. I'm seeing lots of similar attacks reportedly taking out networking -- so fixing issues like this should be of interest.
> 
> Hmm-- that made me think if we just wait long enough Combofix will be able to handle -Anything-- and it'll do it for us


We are seeing a lot of borked networking, and we are now able to fix those. Yours is a different story from the others. You CAN start them manually and everything works for you. Everyone else can't even start the services. What really complicates the matter for you, is the manual fixing that was done first, and the reinstall of the OS. Things can just kinda get really jumbled under such circumstances.


If you recall, in Post #167 I had you go to the MS site and follow the "Manual steps to recover from Winsock2 corruption", which also mentioned uninstalling and reinstalling TCPIP. This time, we're going to uninstall and reinstall TCPIP but using the directions from this MS KB: How to remove and reinstall TCP/IP on a Windows Server 2003 domain controller. This set of directions is a bit different procedure from what you followed earlier. Please be sure to carry out the steps below in the order given (images and instructions to aid what you've read at the MS link are provided courtesy of one of our Experts). :smile:

1. Locate the file - *C:\Windows\inf\Nettcpip.inf*, and then open it in Notepad.

2. Locate the *[MS_TCPIP.PrimaryInstall]* section.

3. Edit the *Characteristics = 0xa0* entry and replace 0xa0 with 0x80.

4. Save the file, and then exit Notepad.

5. In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select *Properties*.

6. On the *General* tab, click *Install*, select *Protocol*, and then click *Add*.

7. In the Select *Network Protocols* window, click *Have Disk*.

8. In the Copy manufacturer’s files from: text box, type *c:\windows\inf*, and then click *OK*.

9. Select *Internet Protocol (TCP/IP)*, and then click *OK*.

Note: This step will return you to the Local Area Connection Properties screen, but now the Uninstall button is available.

10. Select *Internet Protocol (TCP/IP)*, click *Uninstall*, and then click *Yes*.


11. *It is important that you restart the computer to complete the uninstall.*



------------


Step #2 - Reinstall of TCP/IP 

Edit the file - *C:\Windows\inf\Nettcpip.inf*. Replace the 0x80 back to 0xA0.

Redo sub-steps 4-11 to re-install TCP/IP


----------
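The eleven uninstall steps above, and the Step #2 restore, come down to flipping one bit on one INF line. In netcfgx.h, 0xa0 is NCF_HAS_UI (0x80) plus NCF_NOT_USER_REMOVABLE (0x20); writing 0x80 clears only the "not user removable" flag, which is why the Uninstall button becomes available in step 9, and writing 0xa0 back afterwards restores the protection against the core protocol being removed by accident. The point of the whole exercise is to have Windows rebuild the TCP/IP registration from the INF instead of patching the registry by hand. The Python below is an added example written for this page, not code from the thread or from Microsoft's KB: it performs that edit on INF text held in memory, refuses to touch a file whose value is not the expected 0xa0 (wrong INF, or the edit was already made), and restores the original token byte-for-byte. SAMPLE_INF is a constructed fragment; only the [MS_TCPIP.PrimaryInstall] section name and the Characteristics line come from the thread, and the other section names are made up.

```python
"""Toggle NCF_NOT_USER_REMOVABLE on the TCP/IP entry in Nettcpip.inf.

Added example for this thread, not tooling from the thread or from Microsoft.
It performs the step-3 edit (0xa0 -> 0x80) and the Step #2 restore on INF text
in memory. SAMPLE_INF is a constructed fragment; the real file is much larger.
"""
import re
from typing import Tuple

# Network-component characteristic flags (netcfgx.h).
# 0xa0 == NCF_HAS_UI | NCF_NOT_USER_REMOVABLE; clearing the 0x20 bit leaves
# 0x80, which is why the Uninstall button appears after the edit.
NCF_NOT_USER_REMOVABLE = 0x20
NCF_HAS_UI = 0x80

SECTION = "[MS_TCPIP.PrimaryInstall]"
_CHAR_RE = re.compile(r"^\s*Characteristics\s*=\s*(0x[0-9A-Fa-f]+)", re.M)

# Constructed sample (CRLF line endings like a real INF). The second section
# is made up and exists only to prove that its own line is left alone.
SAMPLE_INF = (
    "[Version]\r\n"
    'Signature="$Windows NT$"\r\n'
    "\r\n"
    "[MS_TCPIP.PrimaryInstall]\r\n"
    "; TCPIP has properties to display\r\n"
    "Characteristics = 0xa0\r\n"
    "AddReg = TcpIp.AddReg\r\n"
    "\r\n"
    "[Other.Constructed]\r\n"
    "Characteristics = 0xa0\r\n"
)


def _token_span(inf_text: str) -> Tuple[int, int]:
    """Offsets of the hex token on the Characteristics line inside SECTION only."""
    start = inf_text.find(SECTION)
    if start < 0:
        raise ValueError(f"{SECTION} not found")
    end = inf_text.find("\n[", start + len(SECTION))  # next section header
    if end < 0:
        end = len(inf_text)
    m = _CHAR_RE.search(inf_text, start, end)
    if m is None:
        raise ValueError(f"no Characteristics line in {SECTION}")
    return m.start(1), m.end(1)


def make_tcpip_removable(inf_text: str) -> Tuple[str, str]:
    """Step 3 of the uninstall: clear NCF_NOT_USER_REMOVABLE.

    Refuses to edit a file whose value is not the expected 0xa0 (wrong INF,
    or the edit was already made), so it cannot silently mangle the flags.
    Returns (patched_text, original_token) so the restore is byte-for-byte.
    """
    s, e = _token_span(inf_text)
    token = inf_text[s:e]
    flags = int(token, 16)
    if flags != NCF_HAS_UI | NCF_NOT_USER_REMOVABLE:
        raise ValueError(f"Characteristics is {token}, expected 0xa0; not touching it")
    new = flags & ~NCF_NOT_USER_REMOVABLE  # 0xa0 -> 0x80
    return inf_text[:s] + f"0x{new:02x}" + inf_text[e:], token


def restore_tcpip_inf(patched: str, original_token: str) -> str:
    """Step #2 of the reinstall: put the original token back exactly as it was."""
    s, e = _token_span(patched)
    return patched[:s] + original_token + patched[e:]


if __name__ == "__main__":
    patched, saved = make_tcpip_removable(SAMPLE_INF)
    print(patched)
    assert restore_tcpip_inf(patched, saved) == SAMPLE_INF
```

On the real machine the rest of the procedure (Install, Have Disk, Uninstall, reboot) still happens in the Network Connections dialog; this only covers the file edit. The one habit worth keeping even when doing it in Notepad is the check this code makes first: read the current value and confirm it is 0xa0 before changing anything.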



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried, -- :thumb::smile:ray::smile:

:flowers::dance::dance::flowers::smitten::smitten:

YOU GOT IT !!!!!

Fixed -
Services start on their own -- all network functions work, printer/scanner too.
Even the long boot up time I mentioned is back to normal .

Rebooted twice to confirm 

What a way to end the year on a great note ! Wahoo !!

Anything you want scan or log wise ? To compare working with not working? 

:dance::dance:
Bob


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried -- 

Did we set a record - 11 pages, 206 posts, almost 2800 views AND YOU FIXED IT !

Just in case you're off for the New Year Holiday 
Have a HAPPY NEW YEARS EVE and a GREAT NEW YEAR

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

:woot::dance:

We just should have done that in post 167. 




> Did we set a record - 11 pages, 206 posts, almost 2800 views AND YOU FIXED IT !

Thankfully, no - we did not set a record. :laugh:

Before we wrap this up, I would like for you to do another scan with Eset's online scanner.

Please go to *here* to run the online scanner from ESET.
Turn off the real-time scanner of any existing antivirus program while performing the online scan
Tick the box next to *YES, I accept the Terms of Use.*
Click *Start*
When asked, allow the activex control to install
Click *Start*
Make sure that the option *Remove found threats* is *unticked*, and the option *Scan unwanted applications* is *checked*
Click on *Advanced Settings* and ensure these options are ticked:
*Scan for potentially unwanted applications*
*Scan for potentially unsafe applications*
*Enable Anti-Stealth Technology*

Click *Scan*
Wait for the scan to finish
If any threats were found, click the *'List of found threats' *, then click* Export to text file...*. 
Save it to your desktop, then please copy and paste that log as a reply to this topic.

I am offline the rest of this evening for New Year's. Happy New Year to you as well! :4-cheers:


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Bob - also, for forensic purposes, would you post netbt and tcpip key exports again for us?


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried

Online scan completed -- no threats found --Whew!

Below are the Netbt & Tcpip exports requested

One more thing -I noticed when removing & reinstalling it -the TCPIP protocol is not signed --- I attached a screenshot in a word doc
Mean anything? 

Thanks again for never giving up -- 

I'll check in later 
Have A Great New Years Eve and Day. Heck- have a great New Year too !

Bob


netbt 12-31-11
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:0000000b
"ImagePath"=hex(2):73,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,6e,65,74,\
62,74,2e,73,79,73,00
"DisplayName"="NetBios over Tcpip"
"Group"="PNP_TDI"
"DependOnService"=hex(7):54,63,70,69,70,00,00
"DependOnGroup"=hex(7):00
"Description"="NetBios over Tcpip"

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Linkage]
"OtherDependencies"=hex(7):54,63,70,69,70,00,00
"Bind"=hex(7):5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,44,41,38,33,36,42,\
31,37,2d,46,30,35,41,2d,34,35,35,41,2d,38,30,34,42,2d,36,41,44,39,43,32,33,\
38,31,30,35,37,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,42,38,36,\
46,33,43,39,38,2d,31,45,43,45,2d,34,39,30,31,2d,38,36,43,37,2d,35,30,36,35,\
30,33,33,43,32,37,43,42,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,\
43,42,30,34,44,38,33,31,2d,41,37,32,31,2d,34,30,38,32,2d,38,34,42,39,2d,38,\
43,30,30,36,32,43,32,34,46,41,32,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,\
70,5f,7b,42,42,33,37,41,36,30,32,2d,30,44,36,46,2d,34,45,42,41,2d,42,30,32,\
33,2d,41,33,44,30,33,30,36,41,42,43,32,44,7d,00,5c,44,65,76,69,63,65,5c,54,\
63,70,69,70,5f,7b,35,30,44,37,37,38,43,34,2d,39,38,31,43,2d,34,41,36,46,2d,\
41,30,34,42,2d,30,41,33,46,33,36,30,46,44,46,39,42,7d,00,00
"Route"=hex(7):22,54,63,70,69,70,22,20,22,7b,44,41,38,33,36,42,31,37,2d,46,30,\
35,41,2d,34,35,35,41,2d,38,30,34,42,2d,36,41,44,39,43,32,33,38,31,30,35,37,\
7d,22,00,22,54,63,70,69,70,22,20,22,7b,42,38,36,46,33,43,39,38,2d,31,45,43,\
45,2d,34,39,30,31,2d,38,36,43,37,2d,35,30,36,35,30,33,33,43,32,37,43,42,7d,\
22,00,22,54,63,70,69,70,22,20,22,7b,43,42,30,34,44,38,33,31,2d,41,37,32,31,\
2d,34,30,38,32,2d,38,34,42,39,2d,38,43,30,30,36,32,43,32,34,46,41,32,7d,22,\
00,22,54,63,70,69,70,22,20,22,4e,64,69,73,57,61,6e,49,70,22,00,00
"Export"=hex(7):5c,44,65,76,69,63,65,5c,4e,65,74,42,54,5f,54,63,70,69,70,5f,7b,\
44,41,38,33,36,42,31,37,2d,46,30,35,41,2d,34,35,35,41,2d,38,30,34,42,2d,36,\
41,44,39,43,32,33,38,31,30,35,37,7d,00,5c,44,65,76,69,63,65,5c,4e,65,74,42,\
54,5f,54,63,70,69,70,5f,7b,42,38,36,46,33,43,39,38,2d,31,45,43,45,2d,34,39,\
30,31,2d,38,36,43,37,2d,35,30,36,35,30,33,33,43,32,37,43,42,7d,00,5c,44,65,\
76,69,63,65,5c,4e,65,74,42,54,5f,54,63,70,69,70,5f,7b,43,42,30,34,44,38,33,\
31,2d,41,37,32,31,2d,34,30,38,32,2d,38,34,42,39,2d,38,43,30,30,36,32,43,32,\
34,46,41,32,7d,00,5c,44,65,76,69,63,65,5c,4e,65,74,42,54,5f,54,63,70,69,70,\
5f,7b,42,42,33,37,41,36,30,32,2d,30,44,36,46,2d,34,45,42,41,2d,42,30,32,33,\
2d,41,33,44,30,33,30,36,41,42,43,32,44,7d,00,5c,44,65,76,69,63,65,5c,4e,65,\
74,42,54,5f,54,63,70,69,70,5f,7b,35,30,44,37,37,38,43,34,2d,39,38,31,43,2d,\
34,41,36,46,2d,41,30,34,42,2d,30,41,33,46,33,36,30,46,44,46,39,42,7d,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters]
"NbProvider"="_tcp"
"NameServerPort"=dword:00000089
"CacheTimeout"=dword:000927c0
"BcastNameQueryCount"=dword:00000003
"BcastQueryTimeout"=dword:000002ee
"NameSrvQueryCount"=dword:00000003
"NameSrvQueryTimeout"=dword:000005dc
"Size/Small/Medium/Large"=dword:00000001
"SessionKeepAlive"=dword:0036ee80
"TransportBindName"="\\Device\\"
"EnableLMHOSTS"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters\Interfaces\Tcpip_{50D778C4-981C-4A6F-A04B-0A3F360FDF9B}]
"NameServerList"=hex(7):00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters\Interfaces\Tcpip_{B86F3C98-1ECE-4901-86C7-5065033C27CB}]
"NameServerList"=hex(7):00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters\Interfaces\Tcpip_{BB37A602-0D6F-4EBA-B023-A3D0306ABC2D}]
"NameServerList"=hex(7):00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters\Interfaces\Tcpip_{CB04D831-A721-4082-84B9-8C0062C24FA2}]
"NameServerList"=hex(7):00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Parameters\Interfaces\Tcpip_{DA836B17-F05A-455A-804B-6AD9C2381057}]
"NameServerList"=hex(7):00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Security]
"Security"=hex:01,00,14,80,e8,00,00,00,f4,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,b8,00,08,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,25,02,\
00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,14,\
00,40,00,00,00,01,01,00,00,00,00,00,05,13,00,00,00,00,00,14,00,40,00,00,00,\
01,01,00,00,00,00,00,05,14,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,\
00,00,05,20,00,00,00,2c,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT\Enum]
"0"="Root\\LEGACY_NETBT\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

TCPIP 12-31-11
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000009
"ImagePath"=hex(2):73,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,74,63,70,\
69,70,2e,73,79,73,00
"DisplayName"="TCP/IP Protocol Driver"
"Group"="PNP_TDI"
"DependOnService"=hex(7):49,50,53,65,63,00,00
"DependOnGroup"=hex(7):00
"Description"="TCP/IP Protocol Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Linkage]
"Bind"=hex(7):5c,44,65,76,69,63,65,5c,7b,44,41,38,33,36,42,31,37,2d,46,30,35,\
41,2d,34,35,35,41,2d,38,30,34,42,2d,36,41,44,39,43,32,33,38,31,30,35,37,7d,\
00,5c,44,65,76,69,63,65,5c,7b,42,38,36,46,33,43,39,38,2d,31,45,43,45,2d,34,\
39,30,31,2d,38,36,43,37,2d,35,30,36,35,30,33,33,43,32,37,43,42,7d,00,5c,44,\
65,76,69,63,65,5c,7b,43,42,30,34,44,38,33,31,2d,41,37,32,31,2d,34,30,38,32,\
2d,38,34,42,39,2d,38,43,30,30,36,32,43,32,34,46,41,32,7d,00,5c,44,65,76,69,\
63,65,5c,4e,64,69,73,57,61,6e,49,70,00,00
"Route"=hex(7):22,7b,44,41,38,33,36,42,31,37,2d,46,30,35,41,2d,34,35,35,41,2d,\
38,30,34,42,2d,36,41,44,39,43,32,33,38,31,30,35,37,7d,22,00,22,7b,42,38,36,\
46,33,43,39,38,2d,31,45,43,45,2d,34,39,30,31,2d,38,36,43,37,2d,35,30,36,35,\
30,33,33,43,32,37,43,42,7d,22,00,22,7b,43,42,30,34,44,38,33,31,2d,41,37,32,\
31,2d,34,30,38,32,2d,38,34,42,39,2d,38,43,30,30,36,32,43,32,34,46,41,32,7d,\
22,00,22,4e,64,69,73,57,61,6e,49,70,22,00,00
"Export"=hex(7):5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,44,41,38,33,36,42,\
31,37,2d,46,30,35,41,2d,34,35,35,41,2d,38,30,34,42,2d,36,41,44,39,43,32,33,\
38,31,30,35,37,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,42,38,36,\
46,33,43,39,38,2d,31,45,43,45,2d,34,39,30,31,2d,38,36,43,37,2d,35,30,36,35,\
30,33,33,43,32,37,43,42,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,70,5f,7b,\
43,42,30,34,44,38,33,31,2d,41,37,32,31,2d,34,30,38,32,2d,38,34,42,39,2d,38,\
43,30,30,36,32,43,32,34,46,41,32,7d,00,5c,44,65,76,69,63,65,5c,54,63,70,69,\
70,5f,7b,42,42,33,37,41,36,30,32,2d,30,44,36,46,2d,34,45,42,41,2d,42,30,32,\
33,2d,41,33,44,30,33,30,36,41,42,43,32,44,7d,00,5c,44,65,76,69,63,65,5c,54,\
63,70,69,70,5f,7b,35,30,44,37,37,38,43,34,2d,39,38,31,43,2d,34,41,36,46,2d,\
41,30,34,42,2d,30,41,33,46,33,36,30,46,44,46,39,42,7d,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters]
"DataBasePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,64,72,69,76,65,72,73,5c,65,74,63,00
"NameServer"=""
"ForwardBroadcasts"=dword:00000000
"IPEnableRouter"=dword:00000000
"Domain"=""
"Hostname"="robertzoppa"
"NV Hostname"="robertzoppa"
"SearchList"=""
"UseDomainNameDevolution"=dword:00000001
"EnableICMPRedirect"=dword:00000001
"DeadGWDetectDefault"=dword:00000001
"DontAddDefaultGatewayDefault"=dword:00000000
"EnableSecurityFilters"=dword:00000000
"DhcpNameServer"="192.168.0.1"

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Adapters]

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Adapters\NdisWanIp]
"LLInterface"="WANARP"
"IpConfig"=hex(7):54,63,70,69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,74,\
65,72,66,61,63,65,73,5c,7b,42,42,33,37,41,36,30,32,2d,30,44,36,46,2d,34,45,\
42,41,2d,42,30,32,33,2d,41,33,44,30,33,30,36,41,42,43,32,44,7d,00,54,63,70,\
69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,74,65,72,66,61,63,65,73,5c,\
7b,35,30,44,37,37,38,43,34,2d,39,38,31,43,2d,34,41,36,46,2d,41,30,34,42,2d,\
30,41,33,46,33,36,30,46,44,46,39,42,7d,00,00
"NumInterfaces"=dword:00000002
"IpInterfaces"=hex:02,a6,37,bb,6f,0d,ba,4e,b0,23,a3,d0,30,6a,bc,2d,c4,78,d7,50,\
1c,98,6f,4a,a0,4b,0a,3f,36,0f,df,9b

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Adapters\{B86F3C98-1ECE-4901-86C7-5065033C27CB}]
"LLInterface"=""
"IpConfig"=hex(7):54,63,70,69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,74,\
65,72,66,61,63,65,73,5c,7b,42,38,36,46,33,43,39,38,2d,31,45,43,45,2d,34,39,\
30,31,2d,38,36,43,37,2d,35,30,36,35,30,33,33,43,32,37,43,42,7d,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Adapters\{CB04D831-A721-4082-84B9-8C0062C24FA2}]
"LLInterface"=""
"IpConfig"=hex(7):54,63,70,69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,74,\
65,72,66,61,63,65,73,5c,7b,43,42,30,34,44,38,33,31,2d,41,37,32,31,2d,34,30,\
38,32,2d,38,34,42,39,2d,38,43,30,30,36,32,43,32,34,46,41,32,7d,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Adapters\{DA836B17-F05A-455A-804B-6AD9C2381057}]
"LLInterface"=""
"IpConfig"=hex(7):54,63,70,69,70,5c,50,61,72,61,6d,65,74,65,72,73,5c,49,6e,74,\
65,72,66,61,63,65,73,5c,7b,44,41,38,33,36,42,31,37,2d,46,30,35,41,2d,34,35,\
35,41,2d,38,30,34,42,2d,36,41,44,39,43,32,33,38,31,30,35,37,7d,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\DNSRegisteredAdapters]

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Interfaces\{50D778C4-981C-4A6F-A04B-0A3F360FDF9B}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00
"SubnetMask"=hex(7):30,2e,30,2e,30,2e,30,00,00
"DefaultGateway"=hex(7):00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Interfaces\{B86F3C98-1ECE-4901-86C7-5065033C27CB}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00
"SubnetMask"=hex(7):30,2e,30,2e,30,2e,30,00,00
"DefaultGateway"=hex(7):00
"DefaultGatewayMetric"=hex(7):00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00
"UDPAllowedPorts"=hex(7):30,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Interfaces\{BB37A602-0D6F-4EBA-B023-A3D0306ABC2D}]
"UseZeroBroadcast"=dword:00000000
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00
"SubnetMask"=hex(7):30,2e,30,2e,30,2e,30,00,00
"DefaultGateway"=hex(7):00
"EnableDeadGWDetect"=dword:00000001
"DontAddDefaultGateway"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Interfaces\{CB04D831-A721-4082-84B9-8C0062C24FA2}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00
"SubnetMask"=hex(7):30,2e,30,2e,30,2e,30,00,00
"DefaultGateway"=hex(7):00
"DefaultGatewayMetric"=hex(7):00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00
"UDPAllowedPorts"=hex(7):30,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00
"NTEContextList"=hex(7):30,78,30,30,30,30,30,30,30,32,00,00
"DhcpClassIdBin"=hex:
"DhcpIPAddress"="192.168.0.100"
"DhcpSubnetMask"="255.255.255.0"
"DhcpServer"="192.168.0.1"
"Lease"=dword:00093a80
"LeaseObtainedTime"=dword:4eff64f1
"T1"=dword:4f040231
"T2"=dword:4f077821
"LeaseTerminatesTime"=dword:4f089f71
"IPAutoconfigurationAddress"="0.0.0.0"
"IPAutoconfigurationMask"="255.255.0.0"
"IPAutoconfigurationSeed"=dword:00000000
"AddressType"=dword:00000000
"IsServerNapAware"=dword:00000000
"DhcpRetryTime"=dword:00049d3e
"DhcpRetryStatus"=dword:00000000
"DhcpNameServer"="192.168.0.1"
"DhcpDefaultGateway"=hex(7):31,39,32,2e,31,36,38,2e,30,2e,31,00,00
"DhcpSubnetMaskOpt"=hex(7):32,35,35,2e,32,35,35,2e,32,35,35,2e,30,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Interfaces\{DA836B17-F05A-455A-804B-6AD9C2381057}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000001
"IPAddress"=hex(7):30,2e,30,2e,30,2e,30,00,00
"SubnetMask"=hex(7):30,2e,30,2e,30,2e,30,00,00
"DefaultGateway"=hex(7):00
"DefaultGatewayMetric"=hex(7):00
"NameServer"=""
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00
"UDPAllowedPorts"=hex(7):30,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\PersistentRoutes]

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Parameters\Winsock]
"UseDelayedAcceptance"=dword:00000000
"HelperDllName"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,\
6d,33,32,5c,77,73,68,74,63,70,69,70,2e,64,6c,6c,00
"MaxSockAddrLength"=dword:00000010
"MinSockAddrLength"=dword:00000010
"Mapping"=hex:0b,00,00,00,03,00,00,00,02,00,00,00,01,00,00,00,06,00,00,00,02,\
00,00,00,01,00,00,00,00,00,00,00,02,00,00,00,00,00,00,00,06,00,00,00,00,00,\
00,00,00,00,00,00,06,00,00,00,00,00,00,00,01,00,00,00,06,00,00,00,02,00,00,\
00,02,00,00,00,11,00,00,00,02,00,00,00,02,00,00,00,00,00,00,00,02,00,00,00,\
00,00,00,00,11,00,00,00,00,00,00,00,00,00,00,00,11,00,00,00,00,00,00,00,02,\
00,00,00,11,00,00,00,02,00,00,00,03,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Performance]
"Close"="CloseTcpIpPerformanceData"
"Collect"="CollectTcpIpPerformanceData"
"Library"="Perfctrs.dll"
"Open"="OpenTcpIpPerformanceData"
"Object List"="502 510 546 582 638 658"

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\ServiceProvider]
"Class"=dword:00000008
"DnsPriority"=dword:000007d0
"HostsPriority"=dword:000001f4
"LocalPriority"=dword:000001f3
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,77,73,6f,63,6b,33,32,2e,64,6c,6c,00
"NetbtPriority"=dword:000007d1
"Name"="TCP/IP"

[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Enum]
"0"="Root\\LEGACY_TCPIP\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


----------
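Ried asked for the netbt and tcpip key exports "for forensic purposes", and reading REG_MULTI_SZ (hex(7)) values by eye is slow. The Python below is an added example for this page, not code from either participant: it decodes a REGEDIT4 export and applies the checks a responder would make on it. Those checks are the pattern the working export above shows: the tcpip driver registered with Type 1 (kernel driver), Start 1 (system start, so nothing has to be started by hand) and the stock ImagePath system32\DRIVERS\tcpip.sys; the Linkage Bind, Route and Export lists agreeing on the adapter GUIDs; and NetBT declaring DependOnService on Tcpip. SAMPLE_REG is constructed with a made-up adapter GUID; the ImagePath bytes are the ones from the export above. Decoding the bytes as latin-1 is an assumption that is exact for the ASCII-only paths here (REGEDIT4 writes one byte per character in the system ANSI code page).

```python
"""Decode a REGEDIT4 export of the tcpip/NetBT service keys and sanity-check it.
Added example for this thread, not code posted by either participant. SAMPLE_REG
is constructed (made-up adapter GUID); the ImagePath bytes are from the export above."""
import re

SERVICE_KERNEL_DRIVER = 0x1  # "Type" of a .sys driver service
SERVICE_SYSTEM_START = 0x1   # "Start": loaded by the kernel at boot, no manual Start needed
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def _hex7(*strings: str) -> str:
    """Encode strings as a REGEDIT4 hex(7) (REG_MULTI_SZ) value body."""
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


ADAPTER = "{11111111-2222-3333-4444-555555555555}"  # constructed GUID
SAMPLE_REG = "\n".join([
    "REGEDIT4",
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip]",
    '"Type"=dword:00000001',
    '"Start"=dword:00000001',
    '"ImagePath"=hex(2):73,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,74,63,70,\\',
    "  69,70,2e,73,79,73,00",
    '"DependOnService"=' + _hex7("IPSec"),
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\tcpip\Linkage]",
    '"Bind"=' + _hex7(f"\\Device\\{ADAPTER}", "\\Device\\NdisWanIp"),
    '"Route"=' + _hex7(f'"{ADAPTER}"', '"NdisWanIp"'),
    '"Export"=' + _hex7(f"\\Device\\Tcpip_{ADAPTER}", "\\Device\\Tcpip_NdisWanIp"),
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\Services\NetBT]",
    '"DependOnService"=' + _hex7("Tcpip"),
])


def decode_value(body: str):
    """Decode one value body: "str", dword:, hex(2): EXPAND_SZ, hex(7): MULTI_SZ, hex: BINARY."""
    if body.startswith('"') and body.endswith('"'):
        return body[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if body.startswith("dword:"):
        return int(body[6:], 16)
    m = re.fullmatch(r"hex(?:\((\d+)\))?:(.*)", body)
    if m is None:
        raise ValueError(f"unsupported value syntax: {body!r}")
    kind = int(m.group(1) or 3)  # bare hex: is REG_BINARY (3)
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    # REGEDIT4 writes one byte per character (ANSI code page); latin-1 is an
    # assumption that is exact for the ASCII-only paths in these exports.
    text = raw.decode("latin-1")
    if kind == 2:
        return text.rstrip("\x00")
    if kind == 7:
        return [s for s in text.split("\x00") if s]
    return raw


def parse_reg(text: str) -> dict:
    """Parse REGEDIT4 text into {key_path lowercased: {value_name: decoded value}}."""
    joined = re.sub(r",\\\r?\n\s*", ",", text)  # re-join hex continuation lines
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry paths are case-insensitive
            keys[current] = {}
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def check_tcpip_export(keys: dict) -> list:
    """Return findings; an empty list means the export looks like a healthy install."""
    base = r"hkey_local_machine\system\currentcontrolset\services\tcpip"
    svc = keys.get(base)
    if svc is None:
        return ["tcpip service key missing from export"]
    problems = []
    if svc.get("Type") != SERVICE_KERNEL_DRIVER:
        problems.append(f"tcpip Type={svc.get('Type')!r}, expected 1 (kernel driver)")
    if svc.get("Start") != SERVICE_SYSTEM_START:
        problems.append(f"tcpip Start={svc.get('Start')!r}, expected 1 (system start)")
    if str(svc.get("ImagePath", "")).lower() != r"system32\drivers\tcpip.sys":
        problems.append(f"unexpected tcpip ImagePath {svc.get('ImagePath')!r}")
    link = keys.get(base + r"\linkage", {})
    guids = {name: {g.upper() for entry in link.get(name, []) for g in GUID_RE.findall(entry)}
             for name in ("Bind", "Route", "Export")}
    if not guids["Bind"]:
        problems.append("Linkage\\Bind names no adapter: TCP/IP is not bound to any NIC")
    if guids["Bind"] != guids["Route"]:
        problems.append("Linkage\\Bind and Linkage\\Route disagree on adapter GUIDs")
    if not guids["Bind"] <= guids["Export"]:
        problems.append("Linkage\\Export lacks a \\Device\\Tcpip_{GUID} for a bound adapter")
    netbt = keys.get(r"hkey_local_machine\system\currentcontrolset\services\netbt", {})
    if netbt.get("DependOnService") != ["Tcpip"]:
        problems.append("NetBT does not declare DependOnService = Tcpip")
    return problems
```

To compare a working export with a broken one, run check_tcpip_export on each and diff the findings; a different Start value, a missing ImagePath or an empty Bind list is the kind of difference worth posting back rather than the raw hex.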



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Thanks for the exports. :wave:

Did you remember to change that Nettcpip.inf file back the way it was? It _*is*_ case sensitive. 

*Step #2 - Reinstall of TCP/IP*

Edit the file - *C:\Windows\inf\Nettcpip.inf*. Replace the 0x80 back to *0xA0*.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Ried, 

I forgot to mention that -- I was pretty sure mine was lowercase - noticed it when I read the directions before I did anything - so I replaced it with one in lower case

I just went back and changed it to Upper case --going to reboot and see what happens.
I'll be back in a few min.

Bob


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Me again --reboot went fine everything still works -- 

Another security question not directly related to this issue --
On someone's security advice, "Auto run" has been disabled on this machine -- I'm fine with that.
What I miss is when I insert a disc, SD card or USB anything, I no longer get the box that asks me what to do with the new disc, card, drive etc.

Must that go away when auto play is disabled, or can I get that back?

Bob


----------



## Ried

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Hi Bob, sorry for the delay. Something odd happened with this thread and I did not see your last reply in my notifications, only mine. 

With XP, it's all or nothing. It is best to leave it disabled. Even Microsoft figured out it was a bad idea and had made a patch to disable that a couple years ago.


----------



## Zappafrank

*Re: Removed xp security 2012 & sys32 -still having issues want to make sure it's all*

Thanks Ried,

I'll leave that one alone then.

As a follow up everything is still working as it should - If I didn't know better I'd say nothing had ever happened. :dance:

Had a thought - pretty sure this will work although if for some reason it doesn't work as planned - I'll let you know.

After a complete backup -- hopefully this weekend - I'm going to leave everything [OS, data & programs] on one drive and set up a second drive that I'll boot to.

It'll have an OS, web browser and security software -- Nothing else 
If [ok when] I get nailed again -- just reformat and go.

Still deciding the easiest way to handle the shortcuts - start menu paths etc.

Thanks for everything
Bob


----------

