Remote Procedure Call (RPC), Cryptographic Service doesn't START

molo5000 · December 5, 2009

I have obtained a used computer from a friend, a Pentium 4 with a Windows XP Professional, Service Pack 2.

It has many problems, the source of which seems to be that the Remote Procedure Call (RPC) service doesn't start.

As a consequence Windows Update, System Information, System Restore, User & Accounts control panel, printers, Windows Firewall, ActiveX, and many other things all don't work.

I can't install anything. And when I go into Device Manager, Services, Event Viewer, or other things like that, I can't view the properties of any items.

Almost all services don't work, maybe they depend on Remote Procedure Call too?

If I go into Services (only Standard view works), I can see that Remote Procedure Call is set as "Automatic" startup type, but is not "Started" at all.

Any attempt to start it manually results in the error "Could not start the Remote Procedure Call (RPC) service on Local Computer. Error 5: Access is Denied".

1. Windows Firewall does not start up as it used to.

- Tried turning it on through the Control Panel - Windows Firewall. Error Message: "Windows Firewall settings cannot be displayed because the associated service not running. Do you want to start the windows firewall/internet connection sharing (ICS) service?" If i select Yes, I get "Windows cannot start the ICS service."

- Same error occurs when I go through the Security Center.

- Trying to start the service manually results in this error: "Could not start the windows firewall connection sharing (ICS) service on Local Computer. Error 1068: The dependency service or group failed to start."

2. I use AVG as my anti-virus program. It used to boot up with the computer, but now it won't work. I uninstalled it and tried to reinstalling but no good.

3. Can't get to a Services properties. I can click properties button and do it by the right click menu but nothing happens.

4. Can't copy and or move files and paste in explorer windows.

5. Can't open an IE, no Network Icon on the Taskbar.

6. If I do Minimize any open window, it don't appear in Taskbar, so I need to use the alt-tab key to bring it back.

7. Can't drag and drop icons on the desktop or in any explorer windows. I can select them but can't move them around.

8. No matter how what I open, it does not show up on the task bar. task bar has the Clock, Quick Launch, and a whole bunch of blank space in between. If I had 6 applications up and running I'd only know of one of them due to it being up. Other than that, you have to alt-tab to see what's open.

9. System Restore does not work. If you try to start the service manually, you get: "Could not start the windows firewall connection sharing (ICS) service on Local Computer. Error 1068: The dependency service or group failed to start."

10. No Sound.

When I view in the "Services", only 2 programs are running. Event Viewer, and Plug and Play. The other are not running or started. When I tried to start manually (like Cryptographic service, RPC, Remote Registry, Machine Debug Manager, TCP/IP NetBIOS Helper, Security Center, IPSEC Services, Print Spooler, Server, and more...), I'm only got an Error message. ("Error 1068: The dependency service or group failed to start" and or "Error 5: Access is Denied").

I tried to use gpedit.msc, it open and I can view and browse inside, the problem is I can't modified at all. It's seam that it is locked.

I've done the chkdsk, its work and fine. But not the Disk Defragmenter, it can be open but don't work, either analyzing or defragmenting.

It seems like there should be a simple fix. ..on a BIG problem. Is there a way to do that?

I know I am forgetting to mention things that are not right or things I've tried but hopefully this can start a good discussion.

Here's the Result of HJT:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:13:51 PM, on 12/4/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-21-823518204-1343024091-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O23 - Service: Application Management (AppMgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Computer Browser (Browser) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Cryptographic Services (CryptSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Error Reporting Service (ERSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: COM+ Event System (EventSystem) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Server (lanmanserver) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Network Connections (Netman) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Remote Registry (RemoteRegistry) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: System Event Notification (SENS) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Shell Hardware Detection (ShellHWDetection) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: System Restore Service (srservice) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: SSDP Discovery Service (SSDPSRV) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Terminal Services (TermService) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: UAMWM - Unknown owner - (no file)

O23 - Service: Universal Plug and Play Device Host (upnphost) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Windows Time (W32Time) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Windows Management Instrumentation (winmgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe

O23 - Service: Wireless Zero Configuration (WZCSVC) - Unknown owner - C:\WINDOWS\System32\svchost.exe

O23 - Service: Network Provisioning Service (xmlprov) - Unknown owner - C:\WINDOWS\System32\svchost.exe

--

End of file - 8654 bytes

I just wonder almost in "023" - Service: is running by Unknown owner. Actually if I check in the Services under Administrative Tools, They NEVER START.

Thanks so much for the advice in advance;

AdvancedSetup · December 5, 2009

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".

[*]During the download, rename Combofix to Combo-Fix as follows:

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------

Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but name Combofix.exe to iexplore.exe instead, or winlogon.exe..

This because It also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes system important processes such as iexplore.exe, explorer.exe, winlogon.exe...

molo5000 · December 5, 2009

Hi Ron,

Actually, the machine that having a problem can't connect to the net. So I'm Using other pc to access the net.

And if doing or fixing something in that machine, the program that I need to use can't be copy in that machine unless if it is .zip file. If .zip file, I can extract it directly to that machine. But if .exe or .com file, I can run it only in my Flash Drive. I can't even drag and drop. I know this is a useful command especially in combofix.

Thanks for your help! Now I will try what you told me before..

molo5000 · December 5, 2009

Hi Ron,

I did what you told me to rename the ComboFix to Combo-Fix before I saved it when I download.

I able to ran the Combo-Fix in Normal Mode, but once again, only in my flash drive. First problem I saw was the system has no Microsoft Recovery Console. But still, Combo-Fix continue to scan for malware, untill it completed the 50 Stages.

In the screen says:

System file is infected!! Attempting to restore..

Now, here is the log from Combo-Fix, followed by HJT:

ComboFix 09-12-04.02 - RIGOBERTO 12/04/2009 22:54.4.1 - x86

Running from: e:\mine\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\eventlog.dll . . . is infected!!

.

((((((((((((((((((((((((( Files Created from 2009-11-05 to 2009-12-05 )))))))))))))))))))))))))))))))

.

2009-12-04 19:44 . 2009-06-18 17:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys

2009-12-04 19:22 . 2009-12-04 19:22 -------- d-----w- c:\program files\Sophos

2009-12-04 19:20 . 2009-12-04 19:20 7680 ----a-w- c:\windows\system32\drivers\RKL1.tmp.sys

2009-12-04 19:20 . 2009-12-04 19:20 -------- d-----w- C:\AriesRemoverInst

2009-12-04 17:13 . 2009-12-04 17:13 -------- d-----w- C:\RPC_Fix

2009-12-04 15:03 . 2009-12-04 15:03 -------- d-----w- C:\RootkitRevealer

2009-12-03 18:06 . 2009-12-03 18:20 -------- d-----w- C:\ComboFix

2009-12-03 08:45 . 2009-12-03 09:08 -------- d-----w- c:\program files\RegCure

2009-12-03 08:24 . 2009-12-03 08:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-12-03 06:07 . 2009-12-03 06:07 -------- d-----w- c:\program files\Trend Micro

2009-12-03 05:40 . 2009-12-03 05:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8

2009-12-02 12:43 . 2009-12-02 13:50 -------- d-----w- C:\check

2009-12-02 02:24 . 2004-08-04 04:06 25600 ----a-w- c:\windows\system32\setupcl.exe

2009-12-01 18:39 . 2009-12-01 18:41 -------- d-----w- c:\program files\KB824146Scan

2009-12-01 16:33 . 2009-12-02 02:29 -------- d-----w- C:\Sysprep

2009-12-01 16:02 . 2009-12-01 16:14 -------- d-----w- C:\SysprepXP_SP1

2009-12-01 13:41 . 2009-12-01 13:41 -------- d--h--w- c:\windows\system32\GroupPolicy

2009-11-30 09:54 . 2009-11-30 09:54 0 ----a-w- c:\windows\nsreg.dat

2009-11-30 09:54 . 2009-11-30 09:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2009-11-30 08:56 . 2009-11-30 08:56 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2009-11-30 07:46 . 2002-11-08 19:56 24640 ----a-w- c:\windows\system32\drivers\iqvnt4.sys

2009-11-30 07:46 . 2002-11-08 19:52 20096 ----a-w- c:\windows\system32\drivers\iqvw32.sys

2009-11-30 05:32 . 2009-11-30 05:32 -------- d-----w- C:\SWTOOLS

2009-11-30 04:10 . 2009-11-30 07:46 -------- d-----w- C:\IBMTOOLS

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-04 22:57 . 2007-10-17 22:57 -------- d-----w- c:\program files\CCleaner

2009-12-03 08:23 . 2007-10-17 22:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-12-03 01:31 . 2009-10-16 22:03 0 ----a-r- c:\windows\win32k.sys

2009-11-30 12:20 . 2008-08-27 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-11-30 07:45 . 2007-10-18 00:16 -------- d-----w- c:\program files\Common Files\InstallShield

2004-03-11 17:27 . 2007-10-18 00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe

.

------- Sigcheck -------

Cryptography Services Error !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R3 AntiAries;Anti Aries Helper Driver;c:\windows\System32\drivers\RKL1.tmp.sys [2009-12-04 7680]

R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\2.tmp [x]

R3 UAMWM;UAMWM; [x]

S1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2009-06-18 18816]

.

Contents of the 'Scheduled Tasks' folder

2009-12-03 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]

2009-12-03 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]

.

------- Supplementary Scan -------

.

FF - ProfilePath -

.

- - - - ORPHANS REMOVED - - - -

AddRemove-Sophos-AntiRootkit - c:\program files\Sophos\Sophos Anti-Rootkit\helper.exe remove

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-04 23:01

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\2.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1376)

c:\windows\system32\WININET.dll

.

Completion time: 2009-12-04 23:04

ComboFix-quarantined-files.txt 2009-12-05 04:04

ComboFix2.txt 2009-12-03 18:20

Pre-Run: 10,938,179,584 bytes free

Post-Run: 10,933,407,744 bytes free

- - End Of File - - CBFE9B7B807139C4CBECC37FFAFE66BA

HJT: