Can't delete rootkit c:\windows\system32\drivers\knkvya.sys



Post by Pietro on Tue 22 Feb 2011, 10:57 pm

Hello,
I spent a lot of time trying to delete the rootkit c:\windows\system32\drivers\knkvya.sys
This message is shown: "cannot delete knkvya: cannot read from the source file or disk".

I tried these programs:
KillBox
command prompt
Malwarebytes Anti-Malware
ComboFix


but knkvya.sys is still there. Here is my ComboFix log (thanks for your advice!):


ComboFix 11-02-21.02 - Jopek . 02. 2011 11:49:30.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1250.421.1051.18.3068.1771 [GMT 1:00]
Running from: c:\users\Jopek\Desktop\commy.exe
AV: Norton Internet Security *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Norton Internet Security *Disabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Recycle

.
((((((((((((((((((((((((( Files Created from 2011-01-22 to 2011-02-22 )))))))))))))))))))))))))))))))
.

2011-02-22 11:03 . 2011-02-22 11:09 -------- d-----w- c:\users\Jopek\AppData\Local\temp
2011-02-22 11:03 . 2011-02-22 11:03 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-02-22 11:03 . 2011-02-22 11:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-22 10:02 . 2011-02-22 10:02 -------- d-----w- c:\users\Jopek\AppData\Roaming\Malwarebytes
2011-02-22 10:01 . 2011-02-22 10:01 -------- d-----w- c:\programdata\Malwarebytes
2011-02-22 10:01 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-22 10:01 . 2011-02-22 10:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-22 10:01 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-22 09:21 . 2011-02-22 09:27 -------- d-----w- c:\programdata\SecTaskMan
2011-02-22 09:21 . 2011-02-22 09:21 -------- d-----w- c:\program files\Security Task Manager
2011-02-21 20:58 . 2011-02-21 20:58 -------- d-----w- c:\users\Jopek\AppData\Roaming\Uniblue
2011-02-21 15:14 . 2011-02-21 15:14 -------- d-----w- c:\users\Jopek\AppData\Local\PackageAware
2011-02-20 21:53 . 2011-02-20 22:01 -------- d-sh--r- c:\users\Jopek\Microsoft-Driver-1-52-2475-9627-8645
2011-02-20 21:36 . 2011-02-20 22:01 -------- d-sh--r- c:\users\Jopek\Microsoft-Update-Service-8-8586-7578-5800
2011-02-20 18:03 . 2011-01-08 08:47 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-20 18:03 . 2011-01-08 06:28 292352 ----a-w- c:\windows\system32\atmfd.dll
2011-02-19 17:32 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5F6AA587-68ED-4A42-A3B3-B01BE09C9382}\mpengine.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-21 10:36 . 2010-05-03 17:03 2018272 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2011-02-20 19:41 . 2010-11-11 11:27 76696 ----a-w- c:\windows\system32\drivers\pxrts.sys
2011-02-20 19:41 . 2010-11-11 11:27 71880 ----a-w- c:\windows\system32\PxSecure.dll
2011-02-20 19:41 . 2010-11-11 11:27 32008 ----a-w- c:\windows\system32\drivers\pxscan.sys
2011-02-20 19:41 . 2010-11-11 11:27 26096 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-12-28 15:55 . 2011-01-13 10:03 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-14 14:49 . 2011-01-13 10:02 1169408 ----a-w- c:\windows\system32\sdclt.exe
2010-12-04 11:37 . 2010-10-07 17:55 109080 ----a-w- c:\windows\system32\OpenAL32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-07-12 226904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-24 1348904]
"TSMAgent"="c:\program files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-09-25 1152296]
"CLMLServer for HP TouchSmart"="c:\program files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-09-25 189736]
"UCam_Menu"="c:\program files\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" [2008-06-13 210216]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2008-07-14 814144]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-19 13593120]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-19 92704]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-6-19 727592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0afvaa6.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0afvaa6.exe
backup=c:\windows\pss\0afvaa6.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0aqaaqq.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0aqaaqq.exe
backup=c:\windows\pss\0aqaaqq.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0bq6qgg.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0bq6qgg.exe
backup=c:\windows\pss\0bq6qgg.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0ej1otj.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0ej1otj.exe
backup=c:\windows\pss\0ej1otj.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0f8al1q.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0f8al1q.exe
backup=c:\windows\pss\0f8al1q.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0iscccx.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0iscccx.exe
backup=c:\windows\pss\0iscccx.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0llbbgb.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0llbbgb.exe
backup=c:\windows\pss\0llbbgb.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0llq21l.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0llq21l.exe
backup=c:\windows\pss\0llq21l.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0mrhm7m.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0mrhm7m.exe
backup=c:\windows\pss\0mrhm7m.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0mscmm1.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0mscmm1.exe
backup=c:\windows\pss\0mscmm1.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0q6g7gb.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0q6g7gb.exe
backup=c:\windows\pss\0q6g7gb.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0qfqqfq.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0qfqqfq.exe
backup=c:\windows\pss\0qfqqfq.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0qvqfq1.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0qvqfq1.exe
backup=c:\windows\pss\0qvqfq1.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0rrhhmc.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0rrhhmc.exe
backup=c:\windows\pss\0rrhhmc.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0t9z31t.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0t9z31t.exe
backup=c:\windows\pss\0t9z31t.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1aqaaqq.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1aqaaqq.exe
backup=c:\windows\pss\1aqaaqq.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1bbgvbv.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1bbgvbv.exe
backup=c:\windows\pss\1bbgvbv.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1eyyeoj.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1eyyeoj.exe
backup=c:\windows\pss\1eyyeoj.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1fl71fa.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1fl71fa.exe
backup=c:\windows\pss\1fl71fa.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1iinci6.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1iinci6.exe
backup=c:\windows\pss\1iinci6.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1m9m1cm.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1m9m1cm.exe
backup=c:\windows\pss\1m9m1cm.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1mcchcr.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1mcchcr.exe
backup=c:\windows\pss\1mcchcr.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1qav0lf.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1qav0lf.exe
backup=c:\windows\pss\1qav0lf.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1uppu7e.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1uppu7e.exe
backup=c:\windows\pss\1uppu7e.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1vqvg4q.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1vqvg4q.exe
backup=c:\windows\pss\1vqvg4q.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1vvaqvq.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1vvaqvq.exe
backup=c:\windows\pss\1vvaqvq.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1wmrmrr.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1wmrmrr.exe
backup=c:\windows\pss\1wmrmrr.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1wrrhhm.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1wrrhhm.exe
backup=c:\windows\pss\1wrrhhm.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1xiisnn.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1xiisnn.exe
backup=c:\windows\pss\1xiisnn.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1xrrmhc.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1xrrmhc.exe
backup=c:\windows\pss\1xrrmhc.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1zkkz7p.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1zkkz7p.exe
backup=c:\windows\pss\1zkkz7p.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^2bww2b5.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2bww2b5.exe
backup=c:\windows\pss\2bww2b5.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^2c981rc.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2c981rc.exe
backup=c:\windows\pss\2c981rc.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^2ididss.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2ididss.exe
backup=c:\windows\pss\2ididss.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^2llgvgq.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2llgvgq.exe
backup=c:\windows\pss\2llgvgq.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^3lflfll.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3lflfll.exe
backup=c:\windows\pss\3lflfll.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^42bbr7h.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42bbr7h.exe
backup=c:\windows\pss\42bbr7h.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^4iid5id.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4iid5id.exe
backup=c:\windows\pss\4iid5id.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^4vffaf6.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4vffaf6.exe
backup=c:\windows\pss\4vffaf6.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^5aav1la.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aav1la.exe
backup=c:\windows\pss\5aav1la.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^5aqqk40.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aqqk40.exe
backup=c:\windows\pss\5aqqk40.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^5hrchcc.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5hrchcc.exe
backup=c:\windows\pss\5hrchcc.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^5hrxh72.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5hrxh72.exe
backup=c:\windows\pss\5hrxh72.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^5indsni.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5indsni.exe
backup=c:\windows\pss\5indsni.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^6a7avq0.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6a7avq0.exe
backup=c:\windows\pss\6a7avq0.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^6wwrwhc.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6wwrwhc.exe
backup=c:\windows\pss\6wwrwhc.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^96uka6f.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\96uka6f.exe
backup=c:\windows\pss\96uka6f.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^dssxss3xnn.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dssxss3xnn.exe
backup=c:\windows\pss\dssxss3xnn.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^i9i1xiix7.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\i9i1xiix7.exe
backup=c:\windows\pss\i9i1xiix7.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^idxxssiid.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\idxxssiid.exe
backup=c:\windows\pss\idxxssiid.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^jttotott.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jttotott.exe
backup=c:\windows\pss\jttotott.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^lww1b0br6rw.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lww1b0br6rw.exe
backup=c:\windows\pss\lww1b0br6rw.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^mhhcrc0r.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mhhcrc0r.exe
backup=c:\windows\pss\mhhcrc0r.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^mhmhm76cxcx.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mhmhm76cxcx.exe
backup=c:\windows\pss\mhmhm76cxcx.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^r4rc1mhhm7m.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\r4rc1mhhm7m.exe
backup=c:\windows\pss\r4rc1mhhm7m.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^rmccr7hx.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rmccr7hx.exe
backup=c:\windows\pss\rmccr7hx.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^rrx71rm0r.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rrx71rm0r.exe
backup=c:\windows\pss\rrx71rm0r.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^rxhcrrmm.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rxhcrrmm.exe
backup=c:\windows\pss\rxhcrrmm.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^vqvf4a0qf.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vqvf4a0qf.exe
backup=c:\windows\pss\vqvf4a0qf.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^vqvqffaq.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vqvqffaq.exe
backup=c:\windows\pss\vqvqffaq.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^vvalfvlfa.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vvalfvlfa.exe
backup=c:\windows\pss\vvalfvlfa.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^vvalfvlv.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vvalfvlv.exe
backup=c:\windows\pss\vvalfvlv.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^vvqffvava76.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vvqffvava76.exe
backup=c:\windows\pss\vvqffvava76.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^vvqqqvqfvff.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vvqqqvqfvff.exe
backup=c:\windows\pss\vvqqqvqfvff.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^vvqvfaa9.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vvqvfaa9.exe
backup=c:\windows\pss\vvqvfaa9.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^w032bwlw0w.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\w032bwlw0w.exe
backup=c:\windows\pss\w032bwlw0w.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^w2gb0qglq.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\w2gb0qglq.exe
backup=c:\windows\pss\w2gb0qglq.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^w2rrw7hhb.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\w2rrw7hhb.exe
backup=c:\windows\pss\w2rrw7hhb.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wb93lblgbb.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wb93lblgbb.exe
backup=c:\windows\pss\wb93lblgbb.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wcrwrwhccww.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wcrwrwhccww.exe
backup=c:\windows\pss\wcrwrwhccww.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wgbwww6w.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wgbwww6w.exe
backup=c:\windows\pss\wgbwww6w.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^whrr2m9m.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\whrr2m9m.exe
backup=c:\windows\pss\whrr2m9m.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wm037wrr.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wm037wrr.exe
backup=c:\windows\pss\wm037wrr.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wm081rcc.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wm081rcc.exe
backup=c:\windows\pss\wm081rcc.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wqqlql6g.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wqqlql6g.exe
backup=c:\windows\pss\wqqlql6g.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wr0hchrm.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wr0hchrm.exe
backup=c:\windows\pss\wr0hchrm.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wr5mccw40w.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wr5mccw40w.exe
backup=c:\windows\pss\wr5mccw40w.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wrrhm9m1.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wrrhm9m1.exe
backup=c:\windows\pss\wrrhm9m1.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wwhcrr2m9m1.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wwhcrr2m9m1.exe
backup=c:\windows\pss\wwhcrr2m9m1.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wwmb9wwrm0.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wwmb9wwrm0.exe
backup=c:\windows\pss\wwmb9wwrm0.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wwrwrhhb.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wwrwrhhb.exe
backup=c:\windows\pss\wwrwrhhb.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^x5mhmxhh2c9.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x5mhmxhh2c9.exe
backup=c:\windows\pss\x5mhmxhh2c9.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^x6mcs6mmhm.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x6mcs6mmhm.exe
backup=c:\windows\pss\x6mcs6mmhm.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xcnnhnn6c.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xcnnhnn6c.exe
backup=c:\windows\pss\xcnnhnn6c.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xh6hc5r5mr.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xh6hc5r5mr.exe
backup=c:\windows\pss\xh6hc5r5mr.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xhrrm5mccx.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xhrrm5mccx.exe
backup=c:\windows\pss\xhrrm5mccx.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xi1xxdsi.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xi1xxdsi.exe
backup=c:\windows\pss\xi1xxdsi.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xissncxsi.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xissncxsi.exe
backup=c:\windows\pss\xissncxsi.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xixx0iic0xn.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xixx0iic0xn.exe
backup=c:\windows\pss\xixx0iic0xn.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xnsns0sis.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xnsns0sis.exe
backup=c:\windows\pss\xnsns0sis.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xrhh1c9c1rc.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xrhh1c9c1rc.exe
backup=c:\windows\pss\xrhh1c9c1rc.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xrxhcrrm.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xrxhcrrm.exe
backup=c:\windows\pss\xrxhcrrm.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xshmxhmmch.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xshmxhmmch.exe
backup=c:\windows\pss\xshmxhmmch.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xss9s1issi.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xss9s1issi.exe
backup=c:\windows\pss\xss9s1issi.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xsxsi6ddnii.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xsxsi6ddnii.exe
backup=c:\windows\pss\xsxsi6ddnii.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xx2h0hxcxc7.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xx2h0hxcxc7.exe
backup=c:\windows\pss\xx2h0hxcxc7.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xx6mrmr8mm.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xx6mrmr8mm.exe
backup=c:\windows\pss\xx6mrmr8mm.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xxc7m6hhcxx.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xxc7m6hhcxx.exe
backup=c:\windows\pss\xxc7m6hhcxx.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xxcrxrxhc.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xxcrxrxhc.exe
backup=c:\windows\pss\xxcrxrxhc.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xxsiisnniix.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xxsiisnniix.exe
backup=c:\windows\pss\xxsiisnniix.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xxsx7mhc.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xxsx7mhc.exe
backup=c:\windows\pss\xxsx7mhc.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^y98nniy6ssn.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\y98nniy6ssn.exe
backup=c:\windows\pss\y98nniy6ssn.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^yi5ssn1dsy9.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yi5ssn1dsy9.exe
backup=c:\windows\pss\yi5ssn1dsy9.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^yid6s7sni0.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yid6s7sni0.exe
backup=c:\windows\pss\yid6s7sni0.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^yotojjee2.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yotojjee2.exe
backup=c:\windows\pss\yotojjee2.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^ytty7ytyi.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ytty7ytyi.exe
backup=c:\windows\pss\ytty7ytyi.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^z6u7ffzz.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z6u7ffzz.exe
backup=c:\windows\pss\z6u7ffzz.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^z6zooj1z.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z6zooj1z.exe
backup=c:\windows\pss\z6zooj1z.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^zeojeejeue1.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zeojeejeue1.exe
backup=c:\windows\pss\zeojeejeue1.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^zjej8eez1pe.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zjej8eez1pe.exe
backup=c:\windows\pss\zjej8eez1pe.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^zoouoeojee.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zoouoeojee.exe
backup=c:\windows\pss\zoouoeojee.exe.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDAgent]
2008-09-26 01:36 1148200 ------w- c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-06-09 09:16 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVAgent]
2008-09-24 17:07 206120 ------w- c:\program files\Hewlett-Packard\Media\TV\TVAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateLBPShortCut]
2008-06-13 17:11 210216 ------w- c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateP2GoShortCut]
2008-06-13 17:11 210216 ------w- c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePDIRShortCut]
2008-06-13 17:11 210216 ------w- c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePSTShortCut]
2008-09-26 09:15 210216 ------w- c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\NIS\1002000.007\SYMNDISV.SYS [2008-12-12 40496]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-23 47128]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 239336]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]
S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [2011-02-20 32008]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-11-07 691696]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [x]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\NIS\1002000.007\BHDrvx86.sys [2008-12-12 255536]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NIS\1002000.007\ccHPx86.sys [2008-12-16 362544]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090331.007\IDSvix86.sys [2009-01-29 292912]
S1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2011-02-20 76696]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};{55662437-DA8C-40c0-AADA-2C816A897A49};c:\program files\Hewlett-Packard\Media\DVD\000.fcl [2008-09-26 59376]
S2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2009-01-19 277544]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_408c4e5a\aestsrv.exe [2008-06-27 77824]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2010-11-27 6416120]
S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 21504]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2008-08-07 24880]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe [2008-12-12 115560]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S2 TVCapSvc;TV Background Capture Service (TVBCS);c:\program files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe [2008-09-24 296320]
S2 TVSched;TV Task Scheduler (TVTS);c:\program files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe [2008-09-24 116096]
S2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2008-09-16 599344]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2008-09-04 54784]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-08-07 97536]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-08-06 44576]
S3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2011-02-20 26096]
S3 vfs101x;vfs101x;c:\windows\system32\drivers\vfs101x.sys [2008-09-16 40752]


--- Other Services/Drivers In Memory ---

*Deregistered* - knkvya

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 09:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2011-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4218994666-1609149145-1912675028-1000Core.job
- c:\users\Jopek\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-06 19:54]

2011-02-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4218994666-1609149145-1912675028-1000UA.job
- c:\users\Jopek\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-06 19:54]

2009-10-22 c:\windows\Tasks\NSSstub.job
- c:\windows\System32\Adobe\Shockwave 11\nssstub.exe [2009-10-22 05:29]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SmartMenu - %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe
MSConfigStartUp-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
AddRemove-{8EB85C0E-DE7D-4A53-BD66-708B8F2C80B0} - c:\users\Jopek\AppData\Local\HHD Software\Hex Editor Neo\Setup\uninstHEX.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-02-22 12:08
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files\Hewlett-Packard\Media\DVD\000.fcl"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\knkvya]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4218994666-1609149145-1912675028-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:d9,41,5b,32,b6,e4,3d,ed,2f,aa,d4,0d,c6,02,e0,7b,ea,c0,47,03,20,7a,2b,
83,5d,a6,73,73,56,b1,a5,e3,fb,61,0c,b5,d3,50,b0,fe,dc,58,ca,50,00,70,b4,5b,\
"??"=hex:61,af,b9,29,dc,ad,af,b5,2d,19,88,12,a0,64,03,d3

[HKEY_USERS\S-1-5-21-4218994666-1609149145-1912675028-1000\Software\SecuROM\License information*]
"datasecu"=hex:d2,db,cf,46,ed,31,aa,36,69,4c,de,3c,a4,62,4a,df,47,92,80,f2,99,
cf,bf,7f,5b,a1,48,82,34,6e,50,88,89,80,88,e8,97,e5,77,b8,e0,bc,cd,4c,9e,1b,\
"rkeysecu"=hex:77,6f,df,33,3b,4c,0e,93,93,19,68,88,ee,9a,6d,21

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3808)
c:\program files\DigitalPersona\Bin\DpoFeedb.dll
c:\windows\system32\btmmhook.dll
c:\program files\DigitalPersona\Bin\DpoSet.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_408c4e5a\STacSV.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\WLANExt.exe
c:\program files\DigitalPersona\Bin\DpHostW.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
c:\program files\IDT\WDM\sttray.exe
c:\windows\System32\rundll32.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2011-02-22 12:25:38 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-22 11:25

Pre-Run: 237 950 390 272 bytes free
Post-Run: 237 604 667 392 bytes free

- - End Of File - - 0C8AA821B0767685D7E54D49CBEB9C97

Pietro

Newbie Surfer

Posts : 9
Joined : 2011-02-22
Operating System : Windows Vista 32-bit

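A way to triage the service and driver sections of a ComboFix log like the one above, as an added example that is neither ComboFix's own code nor anything posted in the thread. It pulls out drivers whose file date falls shortly before the scan, entries whose file ComboFix could not find, drivers listed as *Deregistered*, and service keys printed without an "ImagePath" value. The sample input is constructed from lines copied out of the log above; the seven-day window and the reading of "[x]" as "file not found on disk" are this example's assumptions. Recently created drivers can just as well belong to a security product installed days earlier (the log shows Prevx installed), so the output is a shortlist for the analyst, not a verdict.

```python
"""Triage of the service/driver sections of a ComboFix log.

Added example, not ComboFix's code. SAMPLE_LOG is constructed from lines
copied out of the posted log. Assumptions of this example: a driver file
dated within RECENT_DAYS of the scan deserves a second look, and a "[x]"
where ComboFix normally prints "[date size]" means the file was not found.
"""
import re
from datetime import date, timedelta

SCAN_DATE = date(2011, 2, 22)   # from the log's "Completion time" line
RECENT_DAYS = 7                 # assumption: window for "recently created"

# "R3 name;description;path [YYYY-MM-DD size]"  or  "... [x]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
DEREG_RE = re.compile(r"^\*Deregistered\*\s+-\s+(?P<name>\S+)\s*$")
SVC_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet\d+\\Services\\(?P<name>[^\]]+)\]\s*$",
    re.IGNORECASE,
)

# Constructed sample: a subset of lines from the posted ComboFix log.
SAMPLE_LOG = r"""
R3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\NIS\1002000.007\SYMNDISV.SYS [2008-12-12 40496]
S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [2011-02-20 32008]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-11-07 691696]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [x]
S1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2011-02-20 76696]
S3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2011-02-20 26096]
S3 vfs101x;vfs101x;c:\windows\system32\drivers\vfs101x.sys [2008-09-16 40752]

--- Other Services/Drivers In Memory ---

*Deregistered* - knkvya

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe\" /s"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\knkvya]

.
"""


def parse_services(text):
    """Return one dict per R*/S* service line."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        meta = m.group("meta").split()
        entry = {
            "name": m.group("name"),
            "start": int(m.group("start")),
            "running": m.group("state") == "R",
            "path": m.group("path"),
            "file_date": None,
            "size": None,
            "file_present": True,
        }
        if meta == ["x"]:               # assumption: "[x]" = file not found
            entry["file_present"] = False
        elif len(meta) == 2:
            entry["file_date"] = date.fromisoformat(meta[0])
            entry["size"] = int(meta[1])
        services.append(entry)
    return services


def recent_drivers(services, scan_date=SCAN_DATE, days=RECENT_DAYS):
    """Names of .sys drivers whose file date is within `days` of the scan."""
    cutoff = scan_date - timedelta(days=days)
    return sorted(
        s["name"] for s in services
        if s["file_date"] is not None and s["file_date"] >= cutoff
        and s["path"].lower().endswith(".sys")
    )


def missing_files(services):
    return sorted(s["name"] for s in services if not s["file_present"])


def deregistered(text):
    """Drivers ComboFix listed under 'Other Services/Drivers In Memory' as deregistered."""
    return [m.group("name") for m in
            (DEREG_RE.match(l.strip()) for l in text.splitlines()) if m]


def keys_without_imagepath(text):
    """Service keys printed with no "ImagePath" value before the next blank line."""
    flagged, current, has_imagepath = [], None, False
    for raw in text.splitlines() + [""]:     # sentinel closes a trailing key
        line = raw.strip()
        m = SVC_KEY_RE.match(line)
        if m:
            current, has_imagepath = m.group("name"), False
        elif line in ("", "."):
            if current is not None and not has_imagepath:
                flagged.append(current)
            current = None
        elif current is not None and line.lower().startswith('"imagepath"'):
            has_imagepath = True
    return flagged


def triage(text, scan_date=SCAN_DATE):
    services = parse_services(text)
    return {
        "recent_drivers": recent_drivers(services, scan_date),
        "missing_files": missing_files(services),
        "deregistered": deregistered(text),
        "keys_without_imagepath": keys_without_imagepath(text),
    }


if __name__ == "__main__":
    for key, names in triage(SAMPLE_LOG).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

On the sample above the script lists pxkbf, pxrts and pxscan as recent, SymEFA as a service whose file is missing, and knkvya both as deregistered and as a service key with no ImagePath; a service key that survives without an image path while the file on disk cannot be read is exactly the combination worth following up with a rootkit scanner, which is what the next reply in the thread asks for.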

Re: Can't delete rootkit c:\windows\system32\drivers\knkvya.sys

Post by DragonMaster Jay on Wed 23 Feb 2011, 8:49 am

Please download 7-Zip and install it. If you already have it, no need to reinstall.

Then, download RootkitUnhooker and save the setup to your Desktop.

  • Right-click on the RootkitUnhooker setup, mouse over 7-Zip, then click Extract to "RKU***"
  • Once that is done, enter the folder, and double-click on the setup file. Navigate through setup and finish.
  • Once that is done, you will see another folder that was created inside the RKU folder. Enter that folder, and double-click on the randomly named file. (It will be alpha-numeric and have an EXE extension on it.)
  • It will initialize itself and load the scanner. It will also install its driver. Please wait for the interface to begin.
  • Once inside the interface, do not fix anything. Click on the Report tab.
  • Next, click on the Scan button and a popup will show. Make sure all are checked, then click on OK. It will begin scanning. When it gets to the Files tab, it will ask you what drives to scan. Just select C:\ and hit OK.
  • It will finish in about 5 minutes or a little longer depending on how badly infected the system is, or if your security software is enabled.
  • When finished, it will show the report in the Report tab. Please copy all of it, and post it in your next reply. Depending on how large the log is, you may have to use two or three posts to get all the information in.



~DMJ
GeekPolice Academy Manager



DragonMaster Jay

Manager | Tech Officer

Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate

http://www.twitter.com/jaypfoutz


Re: Can't delete rootkit c:\windows\system32\drivers\knkvya.sys

Post by Pietro on Thu 24 Feb 2011, 9:02 am

Thanks, and sorry for my delay;
here is the report (part 1/2):

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6002 (Service Pack 2)
Number of processors #2
==============================================
>SSDT State
==============================================
ntkrnlpa.exe-->NtAlertResumeThread, Type: Address change 0x824A251D-->87F58108 [Unknown module filename]
ntkrnlpa.exe-->NtAlertThread, Type: Address change 0x8241B1E5-->888323C0 [Unknown module filename]
ntkrnlpa.exe-->NtAllocateVirtualMemory, Type: Address change 0x824574AB-->8857A400 [Unknown module filename]
ntkrnlpa.exe-->NtAlpcConnectPort, Type: Address change 0x823F981F-->87F67C58 [Unknown module filename]
ntkrnlpa.exe-->NtAssignProcessToJobObject, Type: Address change 0x823CCB13-->88579108 [Unknown module filename]
ntkrnlpa.exe-->NtCreateMutant, Type: Address change 0x8242F7BC-->88AD4D40 [Unknown module filename]
ntkrnlpa.exe-->NtCreateSymbolicLinkObject, Type: Address change 0x823CF32A-->88AFA760 [Unknown module filename]
ntkrnlpa.exe-->NtCreateThread, Type: Address change 0x824A0B98-->87F70580 [Unknown module filename]
ntkrnlpa.exe-->NtDebugActiveProcess, Type: Address change 0x82473CE2-->87FE4898 [Unknown module filename]
ntkrnlpa.exe-->NtDuplicateObject, Type: Address change 0x824074E1-->8899DB68 [Unknown module filename]
ntkrnlpa.exe-->NtFreeVirtualMemory, Type: Address change 0x82293F5D-->889A0858 [Unknown module filename]
ntkrnlpa.exe-->NtImpersonateAnonymousToken, Type: Address change 0x823C9EE2-->87F23DA8 [Unknown module filename]
ntkrnlpa.exe-->NtImpersonateThread, Type: Address change 0x823DF4E4-->87F55BF0 [Unknown module filename]
ntkrnlpa.exe-->NtLoadDriver, Type: Address change 0x8237ADEE-->87F51758 [Unknown module filename]
ntkrnlpa.exe-->NtMapViewOfSection, Type: Address change 0x8241F82A-->88578840 [Unknown module filename]
ntkrnlpa.exe-->NtOpenEvent, Type: Address change 0x82408D5F-->88026738 [Unknown module filename]
ntkrnlpa.exe-->NtOpenProcess, Type: Address change 0x8242FF58-->8857A068 [Unknown module filename]
ntkrnlpa.exe-->NtOpenProcessToken, Type: Address change 0x824109BE-->880936C8 [Unknown module filename]
ntkrnlpa.exe-->NtOpenSection, Type: Address change 0x824205FD-->88015118 [Unknown module filename]
ntkrnlpa.exe-->NtOpenThread, Type: Address change 0x8242B4AA-->88579258 [Unknown module filename]
ntkrnlpa.exe-->NtProtectVirtualMemory, Type: Address change 0x8242928D-->9060DBE0 [C:\Windows\System32\drivers\pxrts.sys]
ntkrnlpa.exe-->NtResumeThread, Type: Address change 0x8242AAF5-->87F279B0 [Unknown module filename]
ntkrnlpa.exe-->NtSetContextThread, Type: Address change 0x824A1867-->88026D70 [Unknown module filename]
ntkrnlpa.exe-->NtSetInformationProcess, Type: Address change 0x82423858-->889A11E8 [Unknown module filename]
ntkrnlpa.exe-->NtSetSystemInformation, Type: Address change 0x823F5E83-->87FCF518 [Unknown module filename]
ntkrnlpa.exe-->NtSuspendProcess, Type: Address change 0x824A2457-->880DB110 [Unknown module filename]
ntkrnlpa.exe-->NtSuspendThread, Type: Address change 0x823A992D-->88576660 [Unknown module filename]
ntkrnlpa.exe-->NtTerminateProcess, Type: Address change 0x824000D3-->8854C6C8 [Unknown module filename]
ntkrnlpa.exe-->NtTerminateThread, Type: Address change 0x8242B4DF-->885760B8 [Unknown module filename]
ntkrnlpa.exe-->NtUnmapViewOfSection, Type: Address change 0x8241FAED-->884C5EB0 [Unknown module filename]
ntkrnlpa.exe-->NtWriteVirtualMemory, Type: Address change 0x8241C8BD-->87FD03C8 [Unknown module filename]
ntkrnlpa.exe-->NtCreateThreadEx, Type: Address change 0x8242AF94-->88AFAD30 [Unknown module filename]
==============================================
>Shadow
==============================================
win32k.sys-->NtGdiAlphaBlend, Type: Address change 0x816F4150-->9060EF70 [C:\Windows\System32\drivers\pxrts.sys]
win32k.sys-->NtGdiBitBlt, Type: Address change 0x8171F28A-->9060F190 [C:\Windows\System32\drivers\pxrts.sys]
win32k.sys-->NtGdiMaskBlt, Type: Address change 0x81688E49-->9060F100 [C:\Windows\System32\drivers\pxrts.sys]
win32k.sys-->NtGdiOpenDCW, Type: Address change 0x816E0A58-->9060F240 [C:\Windows\System32\drivers\pxrts.sys]
win32k.sys-->NtGdiPlgBlt, Type: Address change 0x8174E3F1-->9060EFF0 [C:\Windows\System32\drivers\pxrts.sys]
win32k.sys-->NtGdiStretchBlt, Type: Address change 0x81715465-->9060EEC0 [C:\Windows\System32\drivers\pxrts.sys]
win32k.sys-->NtGdiTransparentBlt, Type: Address change 0x81689C35-->9060F090 [C:\Windows\System32\drivers\pxrts.sys]
win32k.sys-->NtUserAttachThreadInput, Type: Address change 0x817674A4-->88D6F3A0 [Unknown module filename]
win32k.sys-->NtUserGetAsyncKeyState, Type: Address change 0x8167FE30-->9060EE70 [C:\Windows\System32\drivers\pxrts.sys]
win32k.sys-->NtUserGetClipboardData, Type: Address change 0x81779E01-->9060F4C0 [C:\Windows\System32\drivers\pxrts.sys]
win32k.sys-->NtUserGetForegroundWindow, Type: Address change 0x816C9EA7-->9060ED50 [C:\Windows\System32\drivers\pxrts.sys]
win32k.sys-->NtUserGetKeyboardState, Type: Address change 0x8169FFCE-->9060EDA0 [C:\Windows\System32\drivers\pxrts.sys]
win32k.sys-->NtUserGetKeyState, Type: Address change 0x817113C5-->9060EDE0 [C:\Windows\System32\drivers\pxrts.sys]
win32k.sys-->NtUserGetRawInputData, Type: Address change 0x8177D011-->9060EE30 [C:\Windows\System32\drivers\pxrts.sys]
win32k.sys-->NtUserMessageCall, Type: Address change 0x8170E30E-->88FEBF80 [Unknown module filename]
win32k.sys-->NtUserPostMessage, Type: Address change 0x8170F598-->89018DF0 [Unknown module filename]
win32k.sys-->NtUserPostThreadMessage, Type: Address change 0x816EDBD3-->89018D20 [Unknown module filename]
win32k.sys-->NtUserQueryWindow, Type: Address change 0x816E4437-->9060F590 [C:\Windows\System32\drivers\pxrts.sys]
win32k.sys-->NtUserSetClipboardData, Type: Address change 0x8177989D-->9060F470 [C:\Windows\System32\drivers\pxrts.sys]
win32k.sys-->NtUserSetWindowsHookEx, Type: Address change 0x816E33B5-->9060F520 [C:\Windows\System32\drivers\pxrts.sys]
win32k.sys-->NtUserSetWinEventHook, Type: Address change 0x81692397-->88FF03A0 [Unknown module filename]
win32k.sys-->NtUserWindowFromPoint, Type: Address change 0x81684CD9-->9060F620 [C:\Windows\System32\drivers\pxrts.sys]
==============================================
>Processes
==============================================
0x8998E980 [436] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x88A1A020 [496] C:\Windows\System32\smss.exe (Microsoft Corporation, Windows Session Manager)
0x8911A020 [580] C:\Windows\System32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x89500D90 [632] C:\Windows\System32\wininit.exe (Microsoft Corporation, Windows Start-Up Application)
0x89508960 [644] C:\Windows\System32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x89533020 [676] C:\Windows\System32\services.exe (Microsoft Corporation, Services and Controller app)
0x89532D90 [688] C:\Windows\System32\lsass.exe (Microsoft Corporation, Local Security Authority Process)
0x8953F570 [696] C:\Windows\System32\lsm.exe (Microsoft Corporation, Local Session Manager Service)
0x89582C78 [824] C:\Windows\System32\winlogon.exe (Microsoft Corporation, Windows Logon Application)
0x895E87B0 [872] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x895E46B8 [916] C:\Windows\System32\nvvsvc.exe (NVIDIA Corporation, NVIDIA Driver Helper Service, Version 179.14)
0x89AC3020 [940] C:\Program Files\Prevx\prevx.exe (Prevx, Prevx 3.0)
0x89601D90 [944] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x896C2668 [996] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x89689490 [1040] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x896ABD08 [1072] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x89786980 [1108] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x897767A8 [1124] C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_408c4e5a\stacsv.exe (IDT, Inc., IDT PC Audio)
0x85C09B68 [1184] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x86A50380 [1312] C:\Windows\System32\notepad.exe (Microsoft Corporation, Poznámkový blok)
0x89822D90 [1476] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x89812980 [1492] C:\Windows\System32\SLsvc.exe (Microsoft Corporation, Microsoft Software Licensing Service)
0x898206B8 [1536] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x8981F020 [1548] C:\Windows\System32\rundll32.exe (Microsoft Corporation, Windows host process (Rundll32))
0x89838B80 [1648] C:\Windows\System32\hpservice.exe (Hewlett-Packard Corporation, HpService)
0x8988A940 [1696] C:\Windows\System32\vfsFPService.exe (Validity Sensors, Inc., Validity Sensors Fingerprint Service)
0x897E4410 [1708] C:\Program Files\HP\HP Software Update\hpwuSchd2.exe (Hewlett-Packard, hpwuSchd Application)
0x89E6D808 [1748] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc., Java(TM) Update Scheduler)
0x89A034A0 [1788] C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_408c4e5a\AEstSrv.exe (Andrea Electronics Corporation, Andrea filters APO access service (32-bit))
0x898B8740 [1796] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x89AC3AC0 [1812] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x898EA020 [1940] C:\Windows\System32\wlanext.exe (Microsoft Corporation, Windows Wireless LAN 802.11 Extensibility Framework)
0x898F5020 [1992] C:\Windows\System32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0x898F4850 [2000] C:\Windows\System32\taskeng.exe (Microsoft Corporation, Task Scheduler Engine)
0x898FC358 [2040] C:\Program Files\DigitalPersona\Bin\DpHostW.exe (DigitalPersona, Inc., DigitalPersona Local Host)
0x89A1B1E0 [2060] C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company, LightScribe Service)
0x89ACC3D0 [2212] C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe (Microsoft Corporation, SQL Server Windows NT)
0x89E0DD90 [2240] C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe (CyberLink, CyberLink MediaLibray Service)
0x89AB8370 [2248] C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe (Symantec Corporation, Symantec Service Framework)
0x89B9B020 [2348] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x89BD0D90 [2360] C:\Program Files\SMINST\BLService.exe (-, STServices)
0x89BCF358 [2392] C:\Program Files\CyberLink\Shared files\RichVideo.exe (-, RichVideo Module)
0x89BBC020 [2452] C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation, SQL Server VSS Writer)
0x86459658 [2676] C:\Windows\System32\MustBeRandomlyNamed\s0Ltf87L1n0P5.exe (UG North, RKULE, SR2 Normandy)
0x89B97AD8 [2716] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x89BFAAD8 [2752] C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe (-, CLCapSvc Module)
0x89C10AD8 [2784] C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe (-, CLSched Module)
0x89C48A48 [2864] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x89C5B348 [2912] C:\Windows\System32\SearchIndexer.exe (Microsoft Corporation, Microsoft Windows Search Indexer)
0x899AA8C0 [3172] C:\Windows\System32\dwm.exe (Microsoft Corporation, Desktop Window Manager)
0x89C75868 [3220] C:\Windows\explorer.exe (Microsoft Corporation, Windows Prieskumník)
0x89CE2D90 [3376] C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe (Symantec Corporation, Symantec Service Framework)
0x89E544F0 [3604] C:\Program Files\DigitalPersona\Bin\DpAgent.exe (DigitalPersona, Inc., DigitalPersona Local Agent)
0x85F24D90 [3612] C:\Windows\System32\svchost.exe (Microsoft Corporation, Host Process for Windows Services)
0x89D53D90 [3616] C:\Windows\System32\taskeng.exe (Microsoft Corporation, Task Scheduler Engine)
0x897E15B8 [3784] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe (Hewlett-Packard Development Company, L.P., HPWAMain Module)
0x89DE24F0 [4020] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc., Synaptics TouchPad Enhancements)
0x89DE9990 [4048] C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe (CyberLink Corp., CyberLink PowerCinema Resident Program)
0x89DEDD90 [4060] C:\Program Files\Prevx\prevx.exe (Prevx, Prevx 3.0)
0x8979CD90 [4068] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe ( Hewlett-Packard Development Company, L.P., Quick Launch Buttons)
0x85B80D90 [4140] C:\Windows\System32\SearchProtocolHost.exe (Microsoft Corporation, Microsoft Windows Search Protocol Host)
0x89D41368 [4156] C:\Windows\System32\rundll32.exe (Microsoft Corporation, Windows host process (Rundll32))
0x89E7D660 [4164] C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe (Macrovision Corporation, Macrovision Software Manager)
0x897F5D90 [4356] C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation., Bluetooth Tray Application)
0x89C721B0 [4556] C:\Windows\System32\wbem\unsecapp.exe (Microsoft Corporation, Sink to receive asynchronous callbacks for WMI client application)
0x89861940 [4652] C:\Windows\System32\wbem\WmiPrvSE.exe (Microsoft Corporation, WMI Provider Host)
0x89AE0D90 [4832] C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation, Windows Media Player Network Sharing Service Configuration Application)
0x879385A0 [4904] C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation, Windows Media Player - služba zdieľania v sieti)
0x89CF5600 [5164] C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe (Hewlett-Packard Development Company, L.P., hpqwmiex Module)
0x88F69AA8 [5248] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe (Hewlett-Packard Development Company, L.P., Module to process WiFi messages.)
0x89AD0D90 [5432] C:\Program Files\Synaptics\SynTP\SynTPHelper.exe (Synaptics, Inc., Synaptics Pointing Device Helper)
0x89609B68 [5464] C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe (-, HpqToaster Module)
0x85C81460 [5584] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe (Hewlett-Packard, HP Health Check Service)
0x86F77020 [5692] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe (Hewlett-Packard Development Company, L.P., Com for QLB application)
0x85EA8020 [6100] C:\Windows\System32\wuauclt.exe (Microsoft Corporation, Windows Update)
0x89C664E8 [6120] C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe (Broadcom Corporation., Bluetooth Stack COM Server)
0x859C6D90 [6296] C:\Windows\System32\SearchFilterHost.exe (Microsoft Corporation, Microsoft Windows Search Filter Host)
0x8681FD90 [6672] C:\Windows\System32\taskeng.exe (Microsoft Corporation, Task Scheduler Engine)
0x89C3CD90 [7972] C:\Windows\System32\WUDFHost.exe (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Host Process)
0x85346910 [4] System
0x897EE3D8 [1324] C:\Windows\System32\audiodg.exe (Microsoft Corporation, Windows Audio Device Graph Isolation )
==============================================
...

Pietro

Newbie Surfer

Posts : 9
Joined : 2011-02-22
Operating System : Windows Vista 32-bit


Re: Can't delete rootkit c:\windows\system32\drivers\knkvya.sys

Post by Pietro on Thu 24 Feb 2011, 9:03 am

(part 2/2)

...
>Drivers
==============================================
0x8F608000 C:\Windows\system32\DRIVERS\nvlddmkm.sys 7405568 bytes (NVIDIA Corporation, NVIDIA Compatible Windows Vista Kernel Mode Driver, Version 179.14 )
0x8220F000 C:\Windows\system32\ntkrnlpa.exe 3907584 bytes (Microsoft Corporation, NT Kernel & System)
0x8220F000 PnpManager 3907584 bytes
0x8220F000 RAW 3907584 bytes
0x8220F000 WMIxWDM 3907584 bytes
0x81650000 Win32k 2109440 bytes
0x81650000 C:\Windows\System32\win32k.sys 2109440 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x90091000 C:\Windows\system32\DRIVERS\bcmwl6.sys 1335296 bytes (Broadcom Corporation, Broadcom 802.11 Network Adapter wireless driver)
0x8B20B000 C:\Windows\system32\drivers\ql2300.sys 1277952 bytes (QLogic Corporation, QLogic Fibre Channel Stor Miniport Driver)
0x8B80B000 C:\Windows\System32\Drivers\Ntfs.sys 1114112 bytes (Microsoft Corporation, NT File System Driver)
0x8B40F000 C:\Windows\system32\drivers\ndis.sys 1093632 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)
0x80694000 PCI_PNP5623 995328 bytes
0x80694000 C:\Windows\System32\Drivers\spic.sys 995328 bytes
0x80694000 sptd 995328 bytes
0x8B601000 C:\Windows\System32\drivers\tcpip.sys 958464 bytes (Microsoft Corporation, TCP/IP Driver)
0x804DB000 C:\Windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)
0xA4A0D000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x82C0C000 C:\Windows\System32\Drivers\knkvya.sys 757760 bytes
0x8B007000 C:\Windows\system32\drivers\megasr.sys 749568 bytes (LSI Corporation, Inc., LSI MegaRAID Software RAID Driver)
0xA181D000 C:\Windows\system32\drivers\spsys.sys 720896 bytes (Microsoft Corporation, security processor)
0x82E03000 C:\Windows\system32\drivers\iastorv.sys 659456 bytes (Intel Corporation, Intel Matrix Storage Manager driver (base))
0x8FD18000 C:\Windows\System32\drivers\dxgkrnl.sys 655360 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x8AE86000 C:\Windows\system32\drivers\elxstor.sys 606208 bytes (Emulex, Storport Miniport Driver for LightPulse HBAs)
0x90004000 C:\Windows\system32\DRIVERS\HDAudBus.sys 577536 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x93601000 C:\Windows\System32\Drivers\bthport.sys 524288 bytes (Microsoft Corporation, Bluetooth Bus Driver)
0x93755000 C:\Windows\system32\drivers\btwaudio.sys 524288 bytes (Broadcom Corporation., Bluetooth Audio Device)
0x8060B000 C:\Windows\system32\drivers\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)
0x8AF88000 C:\Windows\System32\Drivers\ksecdd.sys 462848 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x80411000 C:\Windows\system32\mcupdate_GenuineIntel.dll 458752 bytes (Microsoft Corporation, Intel Microcode Update Library)
0xA1924000 C:\Windows\system32\drivers\HTTP.sys 446464 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x936EA000 C:\Windows\system32\drivers\btwavdt.sys 438272 bytes (Broadcom Corporation., Broadcom Bluetooth AVDT Service)
0x82F3A000 C:\Windows\system32\drivers\adp94xx.sys 434176 bytes (Adaptec, Inc., Adaptec Windows SAS/SATA Storport Driver)
0x90508000 C:\Windows\system32\DRIVERS\stwrt.sys 409600 bytes (IDT, Inc., IDT PC Audio)
0x90EB7000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0x90F2C000 C:\Windows\System32\Drivers\NIS\1002000.007\ccHPx86.sys 380928 bytes (Symantec Corporation, Common Client Hash Provider Driver)
0x8B343000 C:\Windows\system32\drivers\ql40xx.sys 348160 bytes (QLogic Corporation, QLogic iSCSI Storport Miniport Driver)
0x8B1AF000 C:\Windows\System32\Drivers\NIS\1002000.007\SYMEFA.SYS 323584 bytes (Symantec Corporation, Symantec Extended File Attributes)
0xA40A4000 C:\Windows\System32\DRIVERS\srv.sys 319488 bytes (Microsoft Corporation, Server driver)
0x82FA4000 C:\Windows\system32\drivers\adpahci.sys 311296 bytes (Adaptec, Inc., Adaptec Windows SATA Storport Driver)
0x90E6B000 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090331.007\IDSvix86.sys 311296 bytes (Symantec Corporation, IDS Core Driver)
0x82D0C000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x90711000 C:\Windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x807B6000 C:\Windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA410A000 C:\Windows\system32\drivers\acedrv11.sys 274432 bytes (Protect Software GmbH, ProtectDisc x64/x86 Hybrid Driver)
0x90F89000 C:\Windows\System32\Drivers\NIS\1002000.007\BHDrvx86.sys 266240 bytes (Symantec Corporation, BASH Driver)
0x8049A000 C:\Windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)
0x82EE4000 C:\Windows\system32\drivers\storport.sys 266240 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
0x8B737000 C:\Windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x90E0E000 C:\Windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x8B0E4000 C:\Windows\system32\drivers\uliahci.sys 245760 bytes (ULi Electronics Inc., ULi SATA Controller Driver)
0x8B545000 C:\Windows\system32\drivers\NETIO.SYS 241664 bytes (Microsoft Corporation, Network I/O Subsystem)
0xA402B000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x8B923000 C:\Windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x904C2000 C:\Windows\system32\DRIVERS\usbhub.sys 217088 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x825C9000 ACPI_HAL 208896 bytes
0x825C9000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x8B16D000 C:\Windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x90759000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8B7AB000 C:\Windows\system32\DRIVERS\SynTP.sys 196608 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0x8B5AC000 C:\Windows\system32\DRIVERS\msiscsi.sys 192512 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
0x906A9000 C:\Windows\System32\Drivers\NIS\1002000.007\SYMTDI.SYS 192512 bytes (Symantec Corporation, Network Dispatch Driver)
0x9056C000 C:\Windows\system32\DRIVERS\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x8B120000 C:\Windows\system32\drivers\ulsata2.sys 180224 bytes (Promise Technology, Inc., Promise SATAII150 Series Windows Drivers)
0x8B51A000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x90473000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
0xA18DD000 C:\Windows\system32\DRIVERS\nwifi.sys 172032 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
0x93681000 C:\Windows\system32\DRIVERS\rfcomm.sys 167936 bytes (Microsoft Corporation, Bluetooth RFCOMM Driver)
0xA4B4F000 C:\Windows\System32\Drivers\fastfat.SYS 163840 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xA407C000 C:\Windows\System32\DRIVERS\srv2.sys 163840 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x8B9A8000 C:\Windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)
0x805BB000 C:\Windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x8AE20000 C:\Windows\system32\drivers\adpu320.sys 155648 bytes (Adaptec, Inc., Adaptec StorPort Ultra320 SCSI Driver)
0x80790000 C:\Windows\System32\Drivers\SCSIPORT.SYS 155648 bytes (Microsoft Corporation, SCSI Port Driver)
0x90599000 C:\Windows\system32\DRIVERS\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0x906D8000 C:\Windows\system32\Drivers\SYMEVENT.SYS 151552 bytes (Symantec Corporation, Symantec Event Library)
0x90406000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x901D7000 C:\Windows\system32\DRIVERS\Rtlh86.sys 139264 bytes (Realtek Corporation , Realtek 8101E/8168/8169 NDIS6 32-bit Driver )
0xA4B01000 C:\Program Files\Hewlett-Packard\Media\DVD\000.fcl 135168 bytes (Cyberlink Corp., -)
0x82DC6000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)
0xA19DC000 C:\Windows\system32\drivers\mrxdav.sys 135168 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0x8B3DC000 C:\Windows\system32\drivers\ulsata.sys 135168 bytes (Promise Technology, Inc., Promise Ultra/Sata Series Driver for Win2003)
0x907D5000 C:\Windows\System32\Drivers\usbvideo.sys 135168 bytes (Microsoft Corporation, USB Video Class Driver)
0x90640000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x8B14C000 C:\Windows\system32\drivers\vsmraid.sys 135168 bytes (VIA Technologies Inc.,Ltd, VIA RAID DRIVER FOR AMD-X86-64)
0xA400C000 C:\Windows\system32\DRIVERS\mrxsmb.sys 126976 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x82EAC000 C:\Windows\system32\drivers\ataport.SYS 122880 bytes (Microsoft Corporation, ATAPI Driver Extension)
0xA1991000 C:\Windows\System32\DRIVERS\srvnet.sys 118784 bytes (Microsoft Corporation, Server Network driver)
0x82CC5000 C:\Windows\system32\drivers\mpio.sys 114688 bytes (Microsoft Corporation, MultiPath Support Bus-Driver)
0x8B97D000 C:\Windows\System32\drivers\prohlp02.sys 114688 bytes (Protection Technology, StarForce Protection Helper Driver)
0x8AE05000 C:\Windows\system32\drivers\adpu160m.sys 110592 bytes (Adaptec, Inc., Adaptec LH Ultra160 Driver (x86))
0x8B6EB000 C:\Windows\System32\drivers\fwpkclnt.sys 110592 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0xA1802000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x82DAB000 C:\Windows\system32\drivers\nvraid.sys 110592 bytes (NVIDIA Corporation, NVIDIA® nForce(TM) RAID Driver)
0x936B4000 C:\Windows\system32\DRIVERS\bthpan.sys 106496 bytes (Microsoft Corporation, Bluetooth Personal Area Networking)
0x8AF4C000 C:\Windows\system32\drivers\lsi_fc.sys 106496 bytes (LSI Logic, LSI Logic Fusion-MPT FC Driver (StorPort))
0x82ECA000 C:\Windows\system32\drivers\lsi_scsi.sys 106496 bytes (LSI Logic, LSI Logic Fusion-MPT SCSI Driver (StorPort))
0x82D91000 C:\Windows\system32\drivers\msdsm.sys 106496 bytes (Microsoft Corporation, Microsoft Device Specific Module)
0xA19AE000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x8B580000 C:\Windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x8B7E6000 C:\Windows\system32\DRIVERS\enecir.sys 98304 bytes (ENE TECHNOLOGY INC., ENE CIR Driver for eHome)
0x8B775000 C:\Windows\system32\DRIVERS\jmcr.sys 98304 bytes (JMicron Technology Corporation, JMicron JMB38X Flash Media Controller Driver)
0x8AF66000 C:\Windows\system32\drivers\lsi_sas.sys 98304 bytes (LSI Logic, LSI Logic Fusion-MPT SAS Driver (StorPort))
0xA4064000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 98304 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x90F15000 C:\Windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x8B5E6000 C:\Windows\system32\DRIVERS\rasl2tp.sys 94208 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x90FD7000 C:\Windows\system32\DRIVERS\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0x8AE5A000 C:\Windows\system32\drivers\arc.sys 90112 bytes (Adaptec, Inc., Adaptec RAID Storport Driver)
0x8AE70000 C:\Windows\system32\drivers\arcsas.sys 90112 bytes (Adaptec, Inc., Adaptec SAS RAID WS03 Driver)
0xA4B24000 C:\Windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)
0x9078B000 C:\Windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x90693000 C:\Windows\system32\DRIVERS\tdx.sys 90112 bytes (Microsoft Corporation, TDI Translation Driver)
0xA19C7000 C:\Windows\System32\drivers\mpsdrv.sys 86016 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x9044C000 C:\Windows\system32\DRIVERS\rassstp.sys 86016 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x8B966000 C:\Windows\system32\drivers\sbp2port.sys 86016 bytes (Microsoft Corporation, SBP-2 Protocol Driver)
0x8B3A5000 C:\Windows\system32\drivers\sisraid4.sys 86016 bytes (Silicon Integrated Systems, SiS AHCI Stor-Miniport Driver)
0xA4BBF000 C:\Windows\system32\DRIVERS\USBSTOR.SYS 86016 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xA4BD4000 C:\Windows\system32\DRIVERS\WUDFRd.sys 86016 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Reflector)
0x8AE46000 C:\Windows\system32\drivers\djsvs.sys 81920 bytes (Adaptec, Inc., Adaptec Ultra SCSI miniport)
0x90438000 C:\Windows\system32\DRIVERS\raspptp.sys 81920 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x906FD000 C:\Windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)
0x8B78D000 C:\Windows\system32\DRIVERS\i8042prt.sys 77824 bytes (Microsoft Corporation, i8042 Port Driver)
0xA1911000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x907B8000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xA4BE9000 C:\Windows\system32\DRIVERS\WUDFPf.sys 73728 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0x8B9D8000 C:\Windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x904F7000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x80481000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x9060C000 C:\Windows\System32\drivers\pxrts.sys 69632 bytes (Prevx, Prevx Realtime Security)
0x8B19F000 C:\Windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x905D7000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 65536 bytes (Microsoft Corporation, Hid Class Library)
0x8AF24000 C:\Windows\system32\drivers\iirsp.sys 65536 bytes (Intel Corp./ICP vortex GmbH, Intel/ICP Raid Storport Driver)
0xA18CD000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x82D81000 C:\Windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
0x8FDDE000 C:\Windows\system32\DRIVERS\ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0x90461000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Terminal Server Driver)
0x936CE000 C:\Windows\system32\DRIVERS\bthmodem.sys 61440 bytes (Microsoft Corporation, Bluetooth Communications Driver)
0x8B724000 C:\Windows\system32\DRIVERS\intelppm.sys 61440 bytes (Microsoft Corporation, Processor Device Driver)
0x805E2000 C:\Windows\system32\drivers\isapnp.sys 61440 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xA4BA7000 C:\Windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)
0x8B999000 C:\Windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x82CE1000 C:\Windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)
0x90429000 C:\Windows\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x8FDCF000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x82CFD000 C:\Windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)
0x8FDEE000 C:\Windows\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0x81890000 C:\Windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)
0x9049D000 C:\Windows\system32\DRIVERS\circlass.sys 57344 bytes (Microsoft Corporation, Consumer IR Class Driver for eHome)
0x907AA000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x8B0C9000 C:\Windows\system32\drivers\nfrd960.sys 57344 bytes (IBM Corporation, IBM ServeRAID Controller Driver)
0x9067C000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x905BE000 C:\Windows\system32\drivers\nvhda32v.sys 57344 bytes (NVIDIA Corporation, NVIDIA HDMI Audio Driver)
0x82D5D000 C:\Windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x90E4A000 C:\Windows\System32\drivers\prodrv06.sys 57344 bytes (Protection Technology, StarForce Protection Environment Driver)
0x90FEE000 C:\Windows\System32\Drivers\BTHUSB.sys 53248 bytes (Microsoft Corporation, Bluetooth Miniport Driver)
0x937D8000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x936DD000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
0x8B0D7000 C:\Windows\system32\drivers\nvstor.sys 53248 bytes (NVIDIA Corporation, NVIDIA® nForce(TM) Sata Performance Driver)
0x8B398000 C:\Windows\system32\drivers\sisraid2.sys 53248 bytes (Microsoft Corporation, SiS RAID Stor Miniport Driver)
0x904B5000 C:\Windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x90FCA000 C:\Windows\system32\drivers\vfs101x.sys 53248 bytes (Validity Sensors, Inc., Validity Fingerprint Scanner USB Driver)
0x80687000 C:\Windows\system32\drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0x8AF34000 C:\Windows\system32\drivers\iteatapi.sys 49152 bytes (Integrated Technology Express, Inc., ITE IT8211 ATA/ATAPI SCSI miniport)
0x8AF40000 C:\Windows\system32\drivers\iteraid.sys 49152 bytes (Integrated Technology Express, Inc., ITE IT8212 ATA RAID SCSI miniport)
0x8B3BA000 C:\Windows\system32\drivers\symc8xx.sys 49152 bytes (LSI Logic, LSI Logic 8XX SCSI Miniport Driver)
0xA4AF5000 C:\Windows\System32\drivers\tcpipreg.sys 49152 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x90634000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x8FDB8000 C:\Windows\System32\drivers\watchdog.sys 49152 bytes (Microsoft Corporation, Watchdog Driver)
0x8B5A1000 C:\Windows\system32\DRIVERS\Accelerometer.sys 45056 bytes (Hewlett-Packard Corporation, HP Accelerometer)
0x937E5000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
0x905CC000 C:\Windows\system32\DRIVERS\hidir.sys 45056 bytes (Microsoft Corporation, Infrared Miniport Driver for Input Devices)
0x82F2F000 C:\Windows\system32\drivers\hpcisss.sys 45056 bytes (Hewlett-Packard Company, Smart Array Storport Driver)
0x8B7A0000 C:\Windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)
0x8B7DB000 C:\Windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class Driver)
0x8B0BE000 C:\Windows\system32\drivers\mraid35x.sys 45056 bytes (LSI Logic Corporation, MegaRAID RAID Controller Driver for Windows Vista/Longhorn for x86)
0x90671000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x8B400000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x8B3C6000 C:\Windows\system32\drivers\sym_hi.sys 45056 bytes (LSI Logic, LSI Logic Hi-Perf SCSI Miniport Driver)
0x8B3D1000 C:\Windows\system32\drivers\sym_u3.sys 45056 bytes (LSI Logic, LSI Logic Ultra160 SCSI Miniport Driver)
0x8B5DB000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x8B710000 C:\Windows\system32\DRIVERS\tunnel.sys 45056 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x8FDC4000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x82CF3000 C:\Windows\system32\DRIVERS\BATTC.SYS 40960 bytes (Microsoft Corporation, Battery Class Driver)
0x936AA000 C:\Windows\system32\DRIVERS\BthEnum.sys 40960 bytes (Microsoft Corporation, Bluetooth Bus Extender)
0x937F0000 C:\Windows\System32\Drivers\dump_msahci.sys 40960 bytes
0x90E00000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x8AF1A000 C:\Windows\system32\drivers\i2omp.sys 40960 bytes (Microsoft Corporation, I2O Miniport Driver)
0x8AF7E000 C:\Windows\system32\drivers\megasas.sys 40960 bytes (LSI Corporation, MEGASAS RAID Controller Driver for Windows Vista/Longhorn for x86)
0x82F25000 C:\Windows\system32\drivers\msahci.sys 40960 bytes (Microsoft Corporation, MS AHCI 1.0 Standard Driver)
0x904AB000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA1907000 C:\Windows\system32\DRIVERS\ndisuio.sys 40960 bytes (Microsoft Corporation, NDIS User mode I/O driver)
0x90E61000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0xA4AEB000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x907CB000 C:\Windows\System32\Drivers\NIS\1002000.007\SRTSPX.SYS 40960 bytes (Symantec Corporation, Symantec AutoProtect)
0xA4B9E000 C:\Windows\system32\DRIVERS\asyncmac.sys 36864 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0x8B9E9000 C:\Windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
0x9061D000 C:\Windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x90E58000 C:\Windows\system32\DRIVERS\hidusb.sys 36864 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0x8B9CF000 C:\Windows\system32\DRIVERS\hpdskflt.sys 36864 bytes (Hewlett-Packard Corporation, HP Disk Filter - SATA/RAID)
0x905EE000 C:\Windows\system32\DRIVERS\kbdhid.sys 36864 bytes (Microsoft Corporation, HID Keyboard Filter Driver)
0xA4BB6000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x9068A000 C:\Windows\System32\DRIVERS\rasacd.sys 36864 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0x907A1000 C:\Windows\system32\DRIVERS\SymIMv.sys 36864 bytes (Symantec Corporation, NDIS 6.0 Filter Driver for Windows Vista)
0x81870000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x8B71B000 C:\Windows\system32\DRIVERS\tunmp.sys 36864 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x8B598000 C:\Windows\system32\DRIVERS\wmiacpi.sys 36864 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0x80787000 C:\Windows\System32\Drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x82EA4000 C:\Windows\system32\drivers\atapi.sys 32768 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x80492000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x82D79000 C:\Windows\system32\drivers\cmdide.sys 32768 bytes (CMD Technology, Inc., CMD PCI IDE Bus Driver)
0x905F7000 C:\Windows\system32\DRIVERS\mouhid.sys 32768 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0x80600000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x90661000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x90669000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8B95C000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x82DF4000 C:\Windows\system32\drivers\viaide.sys 32768 bytes (VIA Technologies, Inc., VIA Generic PCI IDE Bus Driver)
0x8B91B000 C:\Windows\system32\drivers\wd.sys 32768 bytes (Microsoft Corporation, Microsoft Watchdog Timer Driver)
0x82D6B000 C:\Windows\system32\drivers\aliide.sys 28672 bytes (Acer Laboratories Inc., ALi mini IDE Driver)
0x82D72000 C:\Windows\system32\drivers\amdide.sys 28672 bytes (Microsoft Corporation, AMD IDE Driver)
0x9062D000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x905E7000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x82D56000 C:\Windows\system32\drivers\intelide.sys 28672 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0x8040A000 C:\Windows\system32\kdcom.dll 28672 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0x90626000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x82DE7000 C:\Windows\system32\drivers\pciide.sys 28672 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x82DEE000 C:\Windows\System32\drivers\pxscan.sys 24576 bytes (Prevx, Prevx Scanner)
0x901F9000 C:\Windows\system32\DRIVERS\HpqKbFiltr.sys 20480 bytes (Hewlett-Packard Development Company, L.P., HpqKbFiltr Keyboard Filter Driver)
0x8F600000 C:\Windows\System32\drivers\pxkbf.sys 20480 bytes (Prevx, Prevx Keyboard Security)
0x8B733000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0x937D5000 C:\Windows\system32\DRIVERS\btwrchid.sys 12288 bytes (Broadcom Corporation., Bluetooth Remote Control HID Minidriver)
0x82CF0000 C:\Windows\system32\DRIVERS\compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0x8B97B000 C:\Windows\System32\drivers\prosync1.sys 8192 bytes (Protection Technology, StarForce Protection Synchronization Driver)
0x8B964000 C:\Windows\System32\drivers\sfhlp01.sys 8192 bytes (Protection Technology, StarForce Protection Helper Driver)
0x90471000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x901FE000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0x86FA6010 unknown_irp_handler 4080 bytes
0x861531F8 unknown_irp_handler 3592 bytes
0x861421F8 unknown_irp_handler 3592 bytes
0x8613A1F8 unknown_irp_handler 3592 bytes
0x8613F1F8 unknown_irp_handler 3592 bytes
0x861311F8 unknown_irp_handler 3592 bytes
0x861481F8 unknown_irp_handler 3592 bytes
0x861431F8 unknown_irp_handler 3592 bytes
0x861351F8 unknown_irp_handler 3592 bytes
0x8613B1F8 unknown_irp_handler 3592 bytes
0x8614A1F8 unknown_irp_handler 3592 bytes
0x8614B1F8 unknown_irp_handler 3592 bytes
0x861451F8 unknown_irp_handler 3592 bytes
0x861391F8 unknown_irp_handler 3592 bytes
0x861321F8 unknown_irp_handler 3592 bytes
0x873021F8 unknown_irp_handler 3592 bytes
0x8613E1F8 unknown_irp_handler 3592 bytes
0x861371F8 unknown_irp_handler 3592 bytes
0x8614F1F8 unknown_irp_handler 3592 bytes
0x861491F8 unknown_irp_handler 3592 bytes
0x8704B1F8 unknown_irp_handler 3592 bytes
0x8614C1F8 unknown_irp_handler 3592 bytes
0x861461F8 unknown_irp_handler 3592 bytes
0x861411F8 unknown_irp_handler 3592 bytes
0x861381F8 unknown_irp_handler 3592 bytes
0x8614E1F8 unknown_irp_handler 3592 bytes
0x87F3A1F8 unknown_irp_handler 3592 bytes
0x861501F8 unknown_irp_handler 3592 bytes
0x8723F1F8 unknown_irp_handler 3592 bytes
0x861401F8 unknown_irp_handler 3592 bytes
0x8612F1F8 unknown_irp_handler 3592 bytes
0x861521F8 unknown_irp_handler 3592 bytes
0x861441F8 unknown_irp_handler 3592 bytes
0x861361F8 unknown_irp_handler 3592 bytes
0x861331F8 unknown_irp_handler 3592 bytes
0x8704A1F8 unknown_irp_handler 3592 bytes
0x871C21F8 unknown_irp_handler 3592 bytes
0x861541F8 unknown_irp_handler 3592 bytes
0x8614D1F8 unknown_irp_handler 3592 bytes
0x8613C1F8 unknown_irp_handler 3592 bytes
0x861511F8 unknown_irp_handler 3592 bytes
0x8613D1F8 unknown_irp_handler 3592 bytes
0x861341F8 unknown_irp_handler 3592 bytes
0x861471F8 unknown_irp_handler 3592 bytes
0x8994E1F8 unknown_irp_handler 3592 bytes
0x87F2F498 unknown_irp_handler 2920 bytes
0x859C1500 unknown_irp_handler 2816 bytes
0x89A36500 unknown_irp_handler 2816 bytes
0x87157500 unknown_irp_handler 2816 bytes
0x8C1299E0 unknown_irp_handler 1568 bytes
0x8E1EF9F0 unknown_irp_handler 1552 bytes
==============================================
>Stealth
==============================================
0x01020000 Hidden Image-->HP.ActiveSupportLibrary.dll [ EPROCESS 0x85C81460 ] PID: 5584, 110592 bytes
WARNING: File locked for read access [C:\Windows\system32\drivers\knkvya.sys]
WARNING: File locked for read access [C:\Windows\system32\drivers\sptd.sys]
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
Key object-->ParseProcedure, Type: Kernel Object [unknown_irp_handler]
ntkrnlpa.exe+0x000A87AA, Type: Inline - RelativeJump 0x822B77AA-->822B77B1 [ntkrnlpa.exe]
ntkrnlpa.exe+0x000AC8C0, Type: Inline - RelativeJump 0x822BB8C0-->822BB8BD [ntkrnlpa.exe]
ntkrnlpa.exe+0x000ACCF0, Type: Inline - RelativeJump 0x822BBCF0-->822BBD63 [ntkrnlpa.exe]
ntkrnlpa.exe+0x000ACD30, Type: Inline - RelativeCall 0x822BBD30-->BFB45746 [unknown_code_page]
[1548]rundll32.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77C814BC-->00000000 [shimeng.dll]
[1548]rundll32.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77B61170-->00000000 [shimeng.dll]
[1548]rundll32.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x768E1414-->00000000 [shimeng.dll]
[1548]rundll32.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D51300-->00000000 [shimeng.dll]
[1548]rundll32.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x4B0D11E8-->00000000 [shimeng.dll]
[3220]explorer.exe-->kernel32.dll-->CreateThread, Type: Inline - RelativeJump 0x75EBC90E-->00000000 [PxSecure.dll]
[3220]explorer.exe-->ntdll.dll-->NtWriteFile, Type: Inline - RelativeJump 0x77535494-->00000000 [PxSecure.dll]
[3220]explorer.exe-->user32.dll-->SetWindowTextW, Type: Inline - RelativeJump 0x761F9815-->00000000 [PxSecure.dll]
[4156]rundll32.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77C814BC-->00000000 [shimeng.dll]
[4156]rundll32.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77B61170-->00000000 [shimeng.dll]
[4156]rundll32.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x768E1414-->00000000 [shimeng.dll]
[4156]rundll32.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D51300-->00000000 [shimeng.dll]
[4156]rundll32.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x4B0D11E8-->00000000 [shimeng.dll]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

Pietro

Newbie Surfer

Posts : 9
Joined : 2011-02-22
Operating System : Windows Vista 32-bit
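An added triage helper for a RootkitUnhooker report like the one above (example code, not from this thread and not part of RootkitUnhooker, ComboFix or any other tool named here): it parses the >Stealth and >Hooks sections into structured findings, records which files RKU could not read, and ranks every hook by whether its owner module can be accounted for. The sample report is constructed from the findings posted above; the allowlist of owners treated as benign (shimeng.dll as the Windows shim engine, and PxSecure.dll, which the example assumes belongs to a security product installed on that machine) and the severity rules are this example's own assumptions.

```python
"""Triage a saved RootkitUnhooker (RKU) text report offline.
Added example: not from this thread and not part of RKU. The allowlist
of hook owners treated as benign is this example's own assumption."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the same layout as the RKU log posted above
# (section banners, one finding per line); the findings are copied from it.
SAMPLE_REPORT = r"""
==============================================
>Stealth
==============================================
WARNING: File locked for read access [C:\Windows\system32\drivers\knkvya.sys]
WARNING: File locked for read access [C:\Windows\system32\drivers\sptd.sys]
==============================================
>Hooks
==============================================
Key object-->ParseProcedure, Type: Kernel Object [unknown_irp_handler]
ntkrnlpa.exe+0x000A87AA, Type: Inline - RelativeJump 0x822B77AA-->822B77B1 [ntkrnlpa.exe]
ntkrnlpa.exe+0x000ACD30, Type: Inline - RelativeCall 0x822BBD30-->BFB45746 [unknown_code_page]
[1548]rundll32.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77C814BC-->00000000 [shimeng.dll]
[3220]explorer.exe-->ntdll.dll-->NtWriteFile, Type: Inline - RelativeJump 0x77535494-->00000000 [PxSecure.dll]
"""

# Hook owners this example ASSUMES are legitimate. Confirm each on the
# machine (signed file, expected on-disk path) before trusting the label.
ASSUMED_BENIGN = {
    "shimeng.dll": "Windows application-compatibility shim engine",
    "PxSecure.dll": "user-mode component of an installed security product",
}

HOOK_RE = re.compile(
    r"^(?P<target>.*?), Type: (?P<kind>.+?)"
    r"(?: (?P<src>0x[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+))?"
    r" \[(?P<owner>[^\]]+)\]$")
PROC_RE = re.compile(r"^\[(?P<pid>\d+)\](?P<proc>[^-]+)-->")   # "[1548]rundll32.exe-->..."
LOCKED_RE = re.compile(r"^WARNING: File locked for read access \[(?P<path>[^\]]+)\]$")

@dataclass
class Hook:
    target: str
    kind: str
    owner: str
    src: Optional[str]
    dst: Optional[str]
    pid: Optional[int]      # None for kernel-level findings
    proc: Optional[str]
    severity: str
    reason: str

def parse_sections(text: str) -> dict:
    """Split the report at '>Name' banners into {name: [finding lines]}."""
    sections, current = {}, None
    for line in text.strip().splitlines():
        if line.startswith("="):
            continue                      # banner rule, carries no data
        if line.startswith(">"):
            current = line[1:].strip()
            sections.setdefault(current, [])
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections

def classify(target: str, owner: str) -> tuple:
    """Rank a hook by how well its owner module is accounted for."""
    image = target.split("+", 1)[0]       # "ntkrnlpa.exe+0x000A87AA" -> "ntkrnlpa.exe"
    if owner.lower().startswith("unknown"):
        return "high", "hook lands in code RKU could not attribute to any loaded module"
    if owner in ASSUMED_BENIGN:
        return "low", ASSUMED_BENIGN[owner]
    if owner.lower() == image.lower():
        return "low", "owner is the hooked image itself; compare against a clean copy"
    return "medium", "owner is a loaded module not on the allowlist; verify it"

def parse_hook(line: str) -> Optional[Hook]:
    """Turn one >Hooks line into a classified Hook, or None if it does not parse."""
    m = HOOK_RE.match(line)
    if not m:
        return None
    pm = PROC_RE.match(m["target"])
    severity, reason = classify(m["target"], m["owner"])
    return Hook(m["target"], m["kind"], m["owner"], m["src"], m["dst"],
                int(pm["pid"]) if pm else None, pm["proc"] if pm else None,
                severity, reason)

def triage(text: str) -> tuple:
    """Return (paths RKU could not read, classified hooks in report order)."""
    sections = parse_sections(text)
    locked = [m["path"] for ln in sections.get("Stealth", []) if (m := LOCKED_RE.match(ln))]
    hooks = [h for h in map(parse_hook, sections.get("Hooks", [])) if h]
    return locked, hooks

if __name__ == "__main__":
    locked, hooks = triage(SAMPLE_REPORT)
    print("unreadable:", *locked, sep="\n  ")
    for h in hooks:
        print(f"{h.severity:<6} {h.owner:<20} {h.target[:50]:<50} {h.reason}")
```

The entries worth chasing first are the ones owned by `unknown_code_page` or `unknown_irp_handler`: RKU could not map that code to any loaded module, and a plausible source is a driver whose image it could not read, which is what the two files flagged in the Stealth section are. Hooks owned by a loaded, signed module are normally application-compatibility shims or security-product hooks and should be verified on disk rather than wiped.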

Re: Can't delete rootkit c:\windows\system32\drivers\knkvya.sys

Post by DragonMaster Jay on Thu 24 Feb 2011, 2:42 pm

Double-click RootkitUnhooker, and click on the Files tab.

Click the Scan button and allow it to scan, then look for the entry that contains this string: C:\Windows\system32\drivers\knkvya.sys

Select the result, right-click, and then click Wipe File.


Then re-run Rootkit Unhooker and post a new log...


~DMJ
GeekPolice Academy Manager

DragonMaster Jay

Manager | Tech Officer

Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate
http://www.twitter.com/jaypfoutz

Re: Can't delete rootkit c:\windows\system32\drivers\knkvya.sys

Post by Pietro on Tue 01 Mar 2011, 8:21 am

Thanks, I got a new report, but there are no changes in it. The knkvya.sys can't be deleted.

I selected the driver knkvya.sys, then right-click, Wipe File --> message "Do you want to delete C:\Windows\system32\drivers\knkvya.sys?", clicked Yes --> then the message "File content deleted" appeared, clicked OK.

But nothing has changed, knkvya.sys is still there. And it's still renewing. Every time I check the properties of this file, the date modified is still new & actual (like PC clock)...

Pietro

Newbie Surfer

Posts : 9
Joined : 2011-02-22
Operating System : Windows Vista 32-bit

Re: Can't delete rootkit c:\windows\system32\drivers\knkvya.sys

Post by Kenny94 on Tue 01 Mar 2011, 9:42 am

Hi,

DragonMaster Jay is not available for the next several days and has asked us to take over.

Okay, please drag ComboFix to the recycle bin and grab the latest version, but run DeFogger before you run ComboFix as instructed below:

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


Next

  1. Download ComboFix from below:

    Combofix download

    * IMPORTANT !!! Place combofix.exe on your Desktop

  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

    You can get help on disabling your protection programs here

  3. Double click on combofix.exe & follow the prompts.

  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

    Click on Yes, to continue scanning for malware.

  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.



Kenny94

Tech Officer

Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

Re: Can't delete rootkit c:\windows\system32\drivers\knkvya.sys

Post by Pietro on Fri 04 Mar 2011, 9:37 pm

Hi, thanks, so here are the logs:
First the defogger_disable log:

*******
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 10:08 on 03/03/2011 (Jopek)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
Unable to read knkvya.sys
Unable to read sptd.sys
SPTD -> Disabled (Service running -> reboot required)


-=E.O.F=-
*******

Pietro

Newbie Surfer

Posts : 9
Joined : 2011-02-22
Operating System : Windows Vista 32-bit

Re: Can't delete rootkit c:\windows\system32\drivers\knkvya.sys

Post by Pietro on Fri 04 Mar 2011, 9:39 pm

... and here is the ComboFix log:

*******
ComboFix 11-03-02.01 - Jopek . 03. 2011 10:19:53.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1250.421.1051.18.3068.1739 [GMT 1:00]
Running from: c:\users\Jopek\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Norton Internet Security *Disabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Jopek\AppData\Roaming\winsysdrv32.txt

.
((((((((((((((((((((((((( Files Created from 2011-02-03 to 2011-03-03 )))))))))))))))))))))))))))))))
.

2011-03-03 09:29 . 2011-03-03 09:29 -------- d-----w- c:\users\Jopek\AppData\Local\temp
2011-03-03 09:29 . 2011-03-03 09:29 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-03-03 09:29 . 2011-03-03 09:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-26 17:51 . 2011-02-26 17:50 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-02-26 17:50 . 2011-03-02 16:18 138184 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-02-26 17:50 . 2011-03-02 16:18 183112 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-02-26 17:50 . 2011-02-26 17:50 -------- d-----w- c:\users\Jopek\AppData\Local\PunkBuster
2011-02-26 17:06 . 2011-02-26 17:06 -------- d-----w- c:\program files\EA Games
2011-02-22 22:05 . 2011-02-22 22:05 -------- d-----w- c:\windows\system32\MustBeRandomlyNamed
2011-02-22 21:59 . 2011-02-22 21:59 -------- d-----w- c:\program files\7-Zip
2011-02-22 10:02 . 2011-02-22 10:02 -------- d-----w- c:\users\Jopek\AppData\Roaming\Malwarebytes
2011-02-22 10:01 . 2011-02-22 10:01 -------- d-----w- c:\programdata\Malwarebytes
2011-02-22 10:01 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-22 10:01 . 2011-02-22 10:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-22 10:01 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-22 09:21 . 2011-02-22 09:27 -------- d-----w- c:\programdata\SecTaskMan
2011-02-22 09:21 . 2011-02-22 09:21 -------- d-----w- c:\program files\Security Task Manager
2011-02-21 20:58 . 2011-02-21 20:58 -------- d-----w- c:\users\Jopek\AppData\Roaming\Uniblue
2011-02-21 15:14 . 2011-02-21 15:14 -------- d-----w- c:\users\Jopek\AppData\Local\PackageAware
2011-02-20 21:53 . 2011-02-20 22:01 -------- d-sh--r- c:\users\Jopek\Microsoft-Driver-1-52-2475-9627-8645
2011-02-20 21:36 . 2011-02-20 22:01 -------- d-sh--r- c:\users\Jopek\Microsoft-Update-Service-8-8586-7578-5800
2011-02-20 18:03 . 2011-01-08 08:47 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-20 18:03 . 2011-01-08 06:28 292352 ----a-w- c:\windows\system32\atmfd.dll
2011-02-19 17:32 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5F6AA587-68ED-4A42-A3B3-B01BE09C9382}\mpengine.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-21 10:36 . 2010-05-03 17:03 2018272 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
2011-02-20 19:41 . 2010-11-11 11:27 76696 ----a-w- c:\windows\system32\drivers\pxrts.sys
2011-02-20 19:41 . 2010-11-11 11:27 71880 ----a-w- c:\windows\system32\PxSecure.dll
2011-02-20 19:41 . 2010-11-11 11:27 32008 ----a-w- c:\windows\system32\drivers\pxscan.sys
2011-02-20 19:41 . 2010-11-11 11:27 26096 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-12-28 15:55 . 2011-01-13 10:03 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-14 14:49 . 2011-01-13 10:02 1169408 ----a-w- c:\windows\system32\sdclt.exe
2010-12-04 11:37 . 2010-10-07 17:55 109080 ----a-w- c:\windows\system32\OpenAL32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-07-12 226904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-24 1348904]
"TSMAgent"="c:\program files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-09-25 1152296]
"CLMLServer for HP TouchSmart"="c:\program files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-09-25 189736]
"UCam_Menu"="c:\program files\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" [2008-06-13 210216]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2008-07-14 814144]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-19 13593120]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-19 92704]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-6-19 727592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0afvaa6.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0afvaa6.exe
backup=c:\windows\pss\0afvaa6.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0aqaaqq.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0aqaaqq.exe
backup=c:\windows\pss\0aqaaqq.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0bq6qgg.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0bq6qgg.exe
backup=c:\windows\pss\0bq6qgg.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0ej1otj.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0ej1otj.exe
backup=c:\windows\pss\0ej1otj.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0f8al1q.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0f8al1q.exe
backup=c:\windows\pss\0f8al1q.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0iscccx.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0iscccx.exe
backup=c:\windows\pss\0iscccx.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0llbbgb.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0llbbgb.exe
backup=c:\windows\pss\0llbbgb.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0llq21l.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0llq21l.exe
backup=c:\windows\pss\0llq21l.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0mrhm7m.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0mrhm7m.exe
backup=c:\windows\pss\0mrhm7m.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0mscmm1.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0mscmm1.exe
backup=c:\windows\pss\0mscmm1.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0q6g7gb.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0q6g7gb.exe
backup=c:\windows\pss\0q6g7gb.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0qfqqfq.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0qfqqfq.exe
backup=c:\windows\pss\0qfqqfq.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0qvqfq1.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0qvqfq1.exe
backup=c:\windows\pss\0qvqfq1.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0rrhhmc.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0rrhhmc.exe
backup=c:\windows\pss\0rrhhmc.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^0t9z31t.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0t9z31t.exe
backup=c:\windows\pss\0t9z31t.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1aqaaqq.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1aqaaqq.exe
backup=c:\windows\pss\1aqaaqq.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1bbgvbv.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1bbgvbv.exe
backup=c:\windows\pss\1bbgvbv.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1eyyeoj.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1eyyeoj.exe
backup=c:\windows\pss\1eyyeoj.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1fl71fa.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1fl71fa.exe
backup=c:\windows\pss\1fl71fa.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1iinci6.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1iinci6.exe
backup=c:\windows\pss\1iinci6.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1m9m1cm.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1m9m1cm.exe
backup=c:\windows\pss\1m9m1cm.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1mcchcr.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1mcchcr.exe
backup=c:\windows\pss\1mcchcr.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1qav0lf.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1qav0lf.exe
backup=c:\windows\pss\1qav0lf.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1uppu7e.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1uppu7e.exe
backup=c:\windows\pss\1uppu7e.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1vqvg4q.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1vqvg4q.exe
backup=c:\windows\pss\1vqvg4q.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1vvaqvq.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1vvaqvq.exe
backup=c:\windows\pss\1vvaqvq.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1wmrmrr.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1wmrmrr.exe
backup=c:\windows\pss\1wmrmrr.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1wrrhhm.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1wrrhhm.exe
backup=c:\windows\pss\1wrrhhm.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1xiisnn.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1xiisnn.exe
backup=c:\windows\pss\1xiisnn.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1xrrmhc.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1xrrmhc.exe
backup=c:\windows\pss\1xrrmhc.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^1zkkz7p.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1zkkz7p.exe
backup=c:\windows\pss\1zkkz7p.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^2bww2b5.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2bww2b5.exe
backup=c:\windows\pss\2bww2b5.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^2c981rc.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2c981rc.exe
backup=c:\windows\pss\2c981rc.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^2ididss.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2ididss.exe
backup=c:\windows\pss\2ididss.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^2llgvgq.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2llgvgq.exe
backup=c:\windows\pss\2llgvgq.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^3lflfll.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3lflfll.exe
backup=c:\windows\pss\3lflfll.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^42bbr7h.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42bbr7h.exe
backup=c:\windows\pss\42bbr7h.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^4iid5id.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4iid5id.exe
backup=c:\windows\pss\4iid5id.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^4vffaf6.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4vffaf6.exe
backup=c:\windows\pss\4vffaf6.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^5aav1la.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aav1la.exe
backup=c:\windows\pss\5aav1la.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^5aqqk40.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aqqk40.exe
backup=c:\windows\pss\5aqqk40.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^5hrchcc.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5hrchcc.exe
backup=c:\windows\pss\5hrchcc.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^5hrxh72.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5hrxh72.exe
backup=c:\windows\pss\5hrxh72.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^5indsni.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5indsni.exe
backup=c:\windows\pss\5indsni.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^6a7avq0.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6a7avq0.exe
backup=c:\windows\pss\6a7avq0.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^6wwrwhc.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6wwrwhc.exe
backup=c:\windows\pss\6wwrwhc.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^96uka6f.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\96uka6f.exe
backup=c:\windows\pss\96uka6f.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^dssxss3xnn.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dssxss3xnn.exe
backup=c:\windows\pss\dssxss3xnn.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^i9i1xiix7.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\i9i1xiix7.exe
backup=c:\windows\pss\i9i1xiix7.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^idxxssiid.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\idxxssiid.exe
backup=c:\windows\pss\idxxssiid.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^jttotott.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jttotott.exe
backup=c:\windows\pss\jttotott.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^lww1b0br6rw.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lww1b0br6rw.exe
backup=c:\windows\pss\lww1b0br6rw.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^mhhcrc0r.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mhhcrc0r.exe
backup=c:\windows\pss\mhhcrc0r.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^mhmhm76cxcx.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mhmhm76cxcx.exe
backup=c:\windows\pss\mhmhm76cxcx.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^r4rc1mhhm7m.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\r4rc1mhhm7m.exe
backup=c:\windows\pss\r4rc1mhhm7m.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^rmccr7hx.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rmccr7hx.exe
backup=c:\windows\pss\rmccr7hx.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^rrx71rm0r.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rrx71rm0r.exe
backup=c:\windows\pss\rrx71rm0r.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^rxhcrrmm.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rxhcrrmm.exe
backup=c:\windows\pss\rxhcrrmm.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^vqvf4a0qf.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vqvf4a0qf.exe
backup=c:\windows\pss\vqvf4a0qf.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^vqvqffaq.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vqvqffaq.exe
backup=c:\windows\pss\vqvqffaq.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^vvalfvlfa.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vvalfvlfa.exe
backup=c:\windows\pss\vvalfvlfa.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^vvalfvlv.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vvalfvlv.exe
backup=c:\windows\pss\vvalfvlv.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^vvqffvava76.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vvqffvava76.exe
backup=c:\windows\pss\vvqffvava76.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^vvqqqvqfvff.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vvqqqvqfvff.exe
backup=c:\windows\pss\vvqqqvqfvff.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^vvqvfaa9.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vvqvfaa9.exe
backup=c:\windows\pss\vvqvfaa9.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^w032bwlw0w.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\w032bwlw0w.exe
backup=c:\windows\pss\w032bwlw0w.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^w2gb0qglq.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\w2gb0qglq.exe
backup=c:\windows\pss\w2gb0qglq.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^w2rrw7hhb.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\w2rrw7hhb.exe
backup=c:\windows\pss\w2rrw7hhb.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wb93lblgbb.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wb93lblgbb.exe
backup=c:\windows\pss\wb93lblgbb.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wcrwrwhccww.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wcrwrwhccww.exe
backup=c:\windows\pss\wcrwrwhccww.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wgbwww6w.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wgbwww6w.exe
backup=c:\windows\pss\wgbwww6w.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^whrr2m9m.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\whrr2m9m.exe
backup=c:\windows\pss\whrr2m9m.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wm037wrr.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wm037wrr.exe
backup=c:\windows\pss\wm037wrr.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wm081rcc.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wm081rcc.exe
backup=c:\windows\pss\wm081rcc.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wqqlql6g.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wqqlql6g.exe
backup=c:\windows\pss\wqqlql6g.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wr0hchrm.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wr0hchrm.exe
backup=c:\windows\pss\wr0hchrm.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wr5mccw40w.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wr5mccw40w.exe
backup=c:\windows\pss\wr5mccw40w.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wrrhm9m1.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wrrhm9m1.exe
backup=c:\windows\pss\wrrhm9m1.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wwhcrr2m9m1.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wwhcrr2m9m1.exe
backup=c:\windows\pss\wwhcrr2m9m1.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wwmb9wwrm0.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wwmb9wwrm0.exe
backup=c:\windows\pss\wwmb9wwrm0.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wwrwrhhb.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wwrwrhhb.exe
backup=c:\windows\pss\wwrwrhhb.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^x5mhmxhh2c9.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x5mhmxhh2c9.exe
backup=c:\windows\pss\x5mhmxhh2c9.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^x6mcs6mmhm.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x6mcs6mmhm.exe
backup=c:\windows\pss\x6mcs6mmhm.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xcnnhnn6c.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xcnnhnn6c.exe
backup=c:\windows\pss\xcnnhnn6c.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xh6hc5r5mr.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xh6hc5r5mr.exe
backup=c:\windows\pss\xh6hc5r5mr.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xhrrm5mccx.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xhrrm5mccx.exe
backup=c:\windows\pss\xhrrm5mccx.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xi1xxdsi.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xi1xxdsi.exe
backup=c:\windows\pss\xi1xxdsi.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xissncxsi.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xissncxsi.exe
backup=c:\windows\pss\xissncxsi.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xixx0iic0xn.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xixx0iic0xn.exe
backup=c:\windows\pss\xixx0iic0xn.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xnsns0sis.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xnsns0sis.exe
backup=c:\windows\pss\xnsns0sis.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xrhh1c9c1rc.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xrhh1c9c1rc.exe
backup=c:\windows\pss\xrhh1c9c1rc.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xrxhcrrm.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xrxhcrrm.exe
backup=c:\windows\pss\xrxhcrrm.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xshmxhmmch.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xshmxhmmch.exe
backup=c:\windows\pss\xshmxhmmch.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xss9s1issi.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xss9s1issi.exe
backup=c:\windows\pss\xss9s1issi.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xsxsi6ddnii.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xsxsi6ddnii.exe
backup=c:\windows\pss\xsxsi6ddnii.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xx2h0hxcxc7.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xx2h0hxcxc7.exe
backup=c:\windows\pss\xx2h0hxcxc7.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xx6mrmr8mm.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xx6mrmr8mm.exe
backup=c:\windows\pss\xx6mrmr8mm.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xxc7m6hhcxx.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xxc7m6hhcxx.exe
backup=c:\windows\pss\xxc7m6hhcxx.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xxcrxrxhc.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xxcrxrxhc.exe
backup=c:\windows\pss\xxcrxrxhc.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xxsiisnniix.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xxsiisnniix.exe
backup=c:\windows\pss\xxsiisnniix.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^xxsx7mhc.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xxsx7mhc.exe
backup=c:\windows\pss\xxsx7mhc.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^y98nniy6ssn.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\y98nniy6ssn.exe
backup=c:\windows\pss\y98nniy6ssn.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^yi5ssn1dsy9.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yi5ssn1dsy9.exe
backup=c:\windows\pss\yi5ssn1dsy9.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^yid6s7sni0.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yid6s7sni0.exe
backup=c:\windows\pss\yid6s7sni0.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^yotojjee2.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yotojjee2.exe
backup=c:\windows\pss\yotojjee2.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^ytty7ytyi.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ytty7ytyi.exe
backup=c:\windows\pss\ytty7ytyi.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^z6u7ffzz.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z6u7ffzz.exe
backup=c:\windows\pss\z6u7ffzz.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^z6zooj1z.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z6zooj1z.exe
backup=c:\windows\pss\z6zooj1z.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^zeojeejeue1.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zeojeejeue1.exe
backup=c:\windows\pss\zeojeejeue1.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^zjej8eez1pe.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zjej8eez1pe.exe
backup=c:\windows\pss\zjej8eez1pe.exe.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^zoouoeojee.exe]
path=c:\users\Jopek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zoouoeojee.exe
backup=c:\windows\pss\zoouoeojee.exe.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDAgent]
2008-09-26 01:36 1148200 ------w- c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-06-09 09:16 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVAgent]
2008-09-24 17:07 206120 ------w- c:\program files\Hewlett-Packard\Media\TV\TVAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateLBPShortCut]
2008-06-13 17:11 210216 ------w- c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateP2GoShortCut]
2008-06-13 17:11 210216 ------w- c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePDIRShortCut]
2008-06-13 17:11 210216 ------w- c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePSTShortCut]
2008-09-26 09:15 210216 ------w- c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\NIS\1002000.007\SYMNDISV.SYS [2008-12-12 40496]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-23 47128]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 239336]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-11-07 691696]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]
S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [2011-02-20 32008]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [x]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\NIS\1002000.007\BHDrvx86.sys [2008-12-12 255536]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NIS\1002000.007\ccHPx86.sys [2008-12-16 362544]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090331.007\IDSvix86.sys [2009-01-29 292912]
S1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2011-02-20 76696]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};{55662437-DA8C-40c0-AADA-2C816A897A49};c:\program files\Hewlett-Packard\Media\DVD\000.fcl [2008-09-26 59376]
S2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2009-01-19 277544]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_408c4e5a\aestsrv.exe [2008-06-27 77824]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2010-11-27 6416120]
S2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe [2008-01-21 21504]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2008-08-07 24880]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe [2008-12-12 115560]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S2 TVCapSvc;TV Background Capture Service (TVBCS);c:\program files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe [2008-09-24 296320]
S2 TVSched;TV Task Scheduler (TVTS);c:\program files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe [2008-09-24 116096]
S2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2008-09-16 599344]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2008-09-04 54784]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-08-07 97536]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-08-06 44576]
S3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2011-02-20 26096]
S3 vfs101x;vfs101x;c:\windows\system32\drivers\vfs101x.sys [2008-09-16 40752]


--- Other Services/Drivers In Memory ---

*Deregistered* - knkvya

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 09:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2011-03-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4218994666-1609149145-1912675028-1000Core.job
- c:\users\Jopek\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-06 19:54]

2011-03-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4218994666-1609149145-1912675028-1000UA.job
- c:\users\Jopek\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-06 19:54]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip
IE: E&xportovať do programu Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-03-03 10:29
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files\Hewlett-Packard\Media\DVD\000.fcl"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\knkvya]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4218994666-1609149145-1912675028-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:d9,41,5b,32,b6,e4,3d,ed,2f,aa,d4,0d,c6,02,e0,7b,ea,c0,47,03,20,7a,2b,
83,5d,a6,73,73,56,b1,a5,e3,fb,61,0c,b5,d3,50,b0,fe,dc,58,ca,50,00,70,b4,5b,\
"??"=hex:61,af,b9,29,dc,ad,af,b5,2d,19,88,12,a0,64,03,d3

[HKEY_USERS\S-1-5-21-4218994666-1609149145-1912675028-1000\Software\SecuROM\License information*]
"datasecu"=hex:ce,73,c8,0d,13,ea,fe,8c,d5,86,33,dd,3b,c7,d3,ac,45,3d,94,ec,db,
ae,93,17,7e,43,92,16,d0,84,7b,53,c2,fb,74,57,17,1f,bd,d2,74,37,f7,c8,5e,24,\
"rkeysecu"=hex:8c,4e,24,ff,48,0c,56,67,56,51,7c,59,98,85,2c,a0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-03-03 10:31:31
ComboFix-quarantined-files.txt 2011-03-03 09:31
ComboFix2.txt 2011-02-22 11:25

Pre-Run: 230 927 872 000 bytes free
Post-Run: 230 897 815 552 bytes free

- - End Of File - - 1CC11873FC0B68E10AFD64338DF9F159
*******

Pietro

Newbie Surfer

Posts : 9
Joined : 2011-02-22
Operating System : Windows Vista 32-bit
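The ComboFix log above gives a responder four things to read before touching anything: the services/drivers table (one 'S0 name;display;path [date size]' line each, or '[x]' in place of date and size), the '*Deregistered*' entry under 'Other Services/Drivers In Memory', the per-service registry dump in which the knkvya key carries no ImagePath value, and dozens of random-named executables in the user's Startup folder. The triage helper below is an added example, not part of this thread and not ComboFix's own code: it parses those sections from a sample constructed out of the log's own lines; reading '[x]' as "file not found on disk" and the Startup-entry threshold are assumptions of the example.

```python
"""Triage helper for ComboFix-style logs (added example: not part of the thread and
not ComboFix's own code).  It flags what a responder should look at first: a
registered service whose file is missing ('[x]'), a driver that is loaded but
'*Deregistered*', a Services key with no ImagePath value, and a mass of .exe
entries in the user's Startup folder.  The '[x]' reading and the threshold are
assumptions, not ComboFix documentation."""
import re
from dataclasses import dataclass
from typing import List, Optional

# 'S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [2011-02-20 32008]'
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$")
# '*Deregistered* - knkvya'   (section 'Other Services/Drivers In Memory')
DEREG_RE = re.compile(r"^\*Deregistered\*\s*-\s*(?P<name>\S+)$")
# '[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\knkvya]'   (per-service dump)
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet\d+\\Services\\(?P<name>[^\]]+)\]$", re.I)
# '[HKLM\~\startupfolder\C:^Users^...^Startup^vvalfvlv.exe]'   (msconfig entries)
STARTUP_RE = re.compile(r"^\[HKLM\\~\\startupfolder\\.*\^Startup\^(?P<exe>[^\]]+)\]$", re.I)


@dataclass(frozen=True)
class Finding:
    name: str    # service / driver / key name as it appears in the log
    reason: str  # file_missing, deregistered, no_imagepath or mass_startup_entries
    detail: str  # context for the analyst


def triage(log_text: str, max_startup_entries: int = 5) -> List[Finding]:
    """Parse one ComboFix log and return the entries worth a closer look."""
    findings: List[Finding] = []
    startup_exes: List[str] = []
    current_key: Optional[str] = None  # Services key block currently being read
    key_has_imagepath = False

    def close_key() -> None:
        # A Services key dumped without an ImagePath names no binary at all.
        nonlocal current_key, key_has_imagepath
        if current_key is not None and not key_has_imagepath:
            findings.append(Finding(current_key, "no_imagepath",
                                    "service key present but no ImagePath value"))
        current_key, key_has_imagepath = None, False

    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_KEY_RE.match(line)
        if m:
            close_key()
            current_key = m.group("name")
            continue
        if current_key is not None:
            # Values of a key block follow it until the first blank line.
            if line == "":
                close_key()
            elif line.lower().startswith('"imagepath"'):
                key_has_imagepath = True
            continue
        m = SERVICE_RE.match(line)
        if m:
            if m.group("meta").strip().lower() == "x":
                findings.append(Finding(m.group("name"), "file_missing",
                                        "registered, but not found on disk: " + m.group("path")))
            continue
        m = DEREG_RE.match(line)
        if m:
            findings.append(Finding(m.group("name"), "deregistered",
                                    "in memory but listed as deregistered"))
            continue
        m = STARTUP_RE.match(line)
        if m:
            startup_exes.append(m.group("exe"))
    close_key()

    if len(startup_exes) > max_startup_entries:
        findings.append(Finding("startupfolder", "mass_startup_entries",
                                f"{len(startup_exes)} executables in the user's Startup "
                                f"folder, e.g. {', '.join(startup_exes[:3])}"))
    return findings


# Constructed sample made of lines taken from the thread's own log: six of the
# dozens of random-named Startup entries, three services, the in-memory section
# and two entries of the per-service registry dump.
_STARTUP_KEY = (r"[HKLM\~\startupfolder\C:^Users^Jopek^AppData^Roaming^Microsoft"
                r"^Windows^Start Menu^Programs^Startup^{exe}]")
SAMPLE_LOG = "\n".join(_STARTUP_KEY.format(exe=e) for e in (
    "vvalfvlv.exe", "w032bwlw0w.exe", "xi1xxdsi.exe",
    "yotojjee2.exe", "z6u7ffzz.exe", "zoouoeojee.exe")) + r"""
S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [2011-02-20 32008]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\\SystemRoot\System32\Drivers\NIS\1002000.007\SYMEFA.SYS [x]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe [2008-12-12 115560]

--- Other Services/Drivers In Memory ---
*Deregistered* - knkvya

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton Internet Security\" /prefetch:1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\knkvya]
"""
```

Run triage(SAMPLE_LOG) to see the four findings; on the full log from the thread the same parser reports the knkvya key twice (deregistered and without ImagePath), which is the entry Kenny94 targets with The Avenger below.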

Re: Can't delete rootkit c:\windows\system32\drivers\knkvya.sys

Post by Kenny94 on Sat 05 Mar 2011, 2:27 am

We need to look at this driver/file. You will need to enable hidden files and folders by doing the following:

[You must be registered and logged in to see this link.]

Next

Please go to one of the below sites to scan the following files:
virscan.org
Virus Total

Click on Browse, and upload the following file for analysis:
C:\Windows\System32\Drivers\knkvya.sys


Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.

Please include the following in your next post:

  • File analysis results



Kenny94

Tech Officer

Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

Re: Can't delete rootkit c:\windows\system32\drivers\knkvya.sys

Post by Pietro on Sun 06 Mar 2011, 7:36 am

I tried to do it, but there is a "small" problem: the file can't be opened & uploaded. I get the error message 'Device attached to the system is not functioning'. Hmm...

Pietro

Newbie Surfer

Posts : 9
Joined : 2011-02-22
Operating System : Windows Vista 32-bit

Re: Can't delete rootkit c:\windows\system32\drivers\knkvya.sys

Post by Kenny94 on Sun 06 Mar 2011, 10:21 am

Please download The Avenger by Swandog46 and unzip it to your Desktop


Please open The Avenger. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:
Drivers to disable:
knkvya
 
Drivers to delete:
knkvya
 
Files to delete:
C:\Windows\System32\Drivers\knkvya.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  • Now, click on Execute. Just say Yes at every prompt.


The Avenger will automatically do the following:

  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Please copy/paste the content of c:\avenger.txt into your reply.

Next

Update Run Malwarebytes



  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




Last edited by Kenny94 on Mon 07 Mar 2011, 1:47 am; edited 1 time in total



Kenny94

Tech Officer

Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

Re: Can't delete rootkit c:\windows\system32\drivers\knkvya.sys

Post by Kenny94 on Mon 07 Mar 2011, 1:46 am

Hi,

I changed my fix with Avenger and added Malwarebytes.



Kenny94

Tech Officer

Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

Re: Can't delete rootkit c:\windows\system32\drivers\knkvya.sys

Post by Pietro on Tue 08 Mar 2011, 11:05 am

Thank you very much,
it is functioning! The malware file knkvya.sys is deleted.
It's a good feeling not to see the virus after so many days.

So, here is the Avenger log (please ignore the part where I was trying to delete the recycle folders...):

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "knkvya" disabled successfully.
Driver "knkvya" deleted successfully.
File "C:\Windows\System32\Drivers\knkvya.sys" deleted successfully.

Error: folder "C:\recycler" not found!
Deletion of folder "C:\recycler" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "D:\recycler" not found!
Deletion of folder "D:\recycler" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open folder "e:\recycler"
Deletion of folder "e:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.



And this is the MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100
[You must be registered and logged in to see this link.]

Database version: 5838

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

8. 3. 2011 0:46:48
mbam-log-2011-03-08 (00-46-48).txt

Scan type: Quick scan
Objects scanned: 167792
Time elapsed: 4 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



I think it seems to be clear now...?


Pietro

Newbie Surfer

Posts : 9
Joined : 2011-02-22
Operating System : Windows Vista 32-bit

Re: Can't delete rootkit c:\windows\system32\drivers\knkvya.sys

Post by Kenny94 on Tue 08 Mar 2011, 11:20 am

Yes, you're good to go.

Some final items:


To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it; there are other free alternatives, FIREFOX and OPERA, both of which are free to use and are more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops JavaScript from running on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites, allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.


Additional Security Measures


Visit Microsoft's Windows Update Site Frequently - It is important that you visit [You must be registered and logged in to see this link.] regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial for SpywareBlaster can be found here: http://www.bleepingcomputer.com/tutorials/tutorial49.html

Cookienator - Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Secunia software inspector & update checker

Visit My Blog for Malware and Spyware Tips









Kenny94

Tech Officer

Posts : 2019
Joined : 2010-04-23
Operating System : Windows 7

Re: Can't delete rootkit c:\windows\system32\drivers\knkvya.sys

Post by Pietro on Fri 11 Mar 2011, 5:43 am

Good job! Thank you Kenny, and I want to thank you Jay, too. Thanks, guys!
Your advice in this topic was helpful to me.

The final security tips seem to be helpful, too. Some of them are known to me and I try to use them.

All the best & take care!

Pietro

Newbie Surfer

Posts : 9
Joined : 2011-02-22
Operating System : Windows Vista 32-bit

Re: Can't delete rootkit c:\windows\system32\drivers\knkvya.sys

Post by DragonMaster Jay on Fri 11 Mar 2011, 2:01 pm

We're glad to help. Best wishes in the future on preventing malware.


~DMJ
GeekPolice Academy Manager

DragonMaster Jay

Manager | Tech Officer

Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate
