Being redirected, can't Windows Update or post to this site

Solved
By Rstynls
Oct 25, 2010
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4937

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    10/24/2010 11:13:35 AM
    mbam-log-2010-10-24 (11-13-35).txt

    Scan type: Quick scan
    Objects scanned: 153496
    Time elapsed: 7 minute(s), 4 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\herjek.config (Malware.Trace) -> Quarantined and deleted successfully.

    GMER 1.0.15.15477 - http://www.gmer.net
    Rootkit scan 2010-10-24 12:08:12
    Windows 5.1.2600 Service Pack 3
    Running: srxsv2jd.exe; Driver: C:\DOCUME~1\Tom\LOCALS~1\Temp\kgroypow.sys


    ---- System - GMER 1.0.15 ----

    SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwClose [0xECC9FCF0]
    SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwCreateKey [0xECC9FBAC]
    SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwDeleteKey [0xECCA0160]
    SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwDeleteValueKey [0xECCA008A]
    SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwDuplicateObject [0xECC9F782]
    SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwOpenKey [0xECC9FC86]
    SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwOpenProcess [0xECC9F6C2]
    SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwOpenThread [0xECC9F726]
    SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwQueryValueKey [0xECC9FDA6]
    SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwRenameKey [0xECCA022E]
    SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwRestoreKey [0xECC9FD66]
    SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwSetValueKey [0xECC9FEE6]

    Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwCreateProcessEx [0xECCACBAE]
    Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwCreateSection [0xECCAC9D2]
    Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwLoadDriver [0xECCACB0C]
    Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  NtCreateSection
    Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ObInsertObject
    Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    PAGE  ntkrnlpa.exe!ZwLoadDriver  805795FA 7 Bytes  JMP ECCACB10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE  ntkrnlpa.exe!NtCreateSection  805A075C 7 Bytes  JMP ECCAC9D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE  ntkrnlpa.exe!ObMakeTemporaryObject  805B1CE0 5 Bytes  JMP ECCA85D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE  ntkrnlpa.exe!ObInsertObject  805B8B58 5 Bytes  JMP ECCA9FFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE  ntkrnlpa.exe!ZwCreateProcessEx  805C73EA 7 Bytes  JMP ECCACBB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    ?  omtl.sys  The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text  C:\WINDOWS\System32\svchost.exe[1176] ntdll.dll!NtProtectVirtualMemory  7C90D6EE 5 Bytes  JMP 00D0000A
    .text  C:\WINDOWS\System32\svchost.exe[1176] ntdll.dll!NtWriteVirtualMemory  7C90DFAE 5 Bytes  JMP 00D1000A
    .text  C:\WINDOWS\System32\svchost.exe[1176] ntdll.dll!KiUserExceptionDispatcher  7C90E47C 5 Bytes  JMP 00CF000C
    .text  C:\WINDOWS\System32\svchost.exe[1176] USER32.dll!GetCursorPos  7E42974E 5 Bytes  JMP 0171000A
    .text  C:\WINDOWS\System32\svchost.exe[1176] ole32.dll!CoCreateInstance  774FF1AC 5 Bytes  JMP 00EA000A
    .text  C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1796] kernel32.dll!SetUnhandledExceptionFilter  7C84495D 4 Bytes  [C2, 04, 00, 90] {RET 0x4; NOP }
    .text  C:\WINDOWS\Explorer.EXE[1808] ntdll.dll!NtProtectVirtualMemory  7C90D6EE 5 Bytes  JMP 00C9000A
    .text  C:\WINDOWS\Explorer.EXE[1808] ntdll.dll!NtWriteVirtualMemory  7C90DFAE 5 Bytes  JMP 00D2000A
    .text  C:\WINDOWS\Explorer.EXE[1808] ntdll.dll!KiUserExceptionDispatcher  7C90E47C 5 Bytes  JMP 00C8000C

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT  C:\WINDOWS\system32\services.exe[848] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]  003B0002
    IAT  C:\WINDOWS\system32\services.exe[848] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]  003B0000

    ---- Devices - GMER 1.0.15 ----

    Device  \FileSystem\Ntfs \Ntfs  aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice  \FileSystem\Ntfs \Ntfs  aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice  \Driver\Tcpip \Device\Ip  aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice  \Driver\Tcpip \Device\Tcp  aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice  \Driver\Tcpip \Device\Udp  aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice  \Driver\Tcpip \Device\RawIp  aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    Device  \Driver\viasraid -> DriverStartIo \Device\Scsi\viasraid1  8705C292
    Device  \Device\Scsi\viasraid1Port3Path0Target0Lun0 -> \??\SCSI#Disk&Ven_VIA_SATA&Prod__RAID_0&Rev_#4&17c50b7c&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}  device not found

    ---- Modules - GMER 1.0.15 ----

    Module  (noname) (*** hidden *** )  02000000-03F8F000 (33091584 bytes)

    ---- EOF - GMER 1.0.15 ----


    DDS (Ver_10-10-21.02) - NTFSx86
    Run by Tom at 12:12:16.81 on Sun 10/24/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.284 [GMT -7:00]

    AV: The Shield Deluxe Antivirus *On-access scanning disabled* (Outdated)  {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
    AV: avast! Antivirus *On-access scanning enabled* (Updated)  {7591DB91-41F0-48A3-B128-1A293FD8233D}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\WINDOWS\system32\WDBtnMgr.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
    C:\Program Files\RSSoft\RedSwoosh.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Belkin\F5D8053v4\BelkinWCUI.exe
    C:\Program Files\Belkin\Nostromo\nost_LM.exe
    C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Tom\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uSearch Page = About:Blank
    uSearch Bar = About:Blank
    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = About:Blank
    uSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
    mSearch Bar = about:blank
    mSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = About:Blank
    mSearchURL = about:blank
    mSearchAssistant = about:blank
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: {e3bb3f2a-8f67-4b96-a432-8190258c0fd1} - c:\windows\system32\rqRKEXnO.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: &ESPN: {ae6f2894-af10-4c9c-b16e-1dfc6ff8c0c6} - c:\program files\espn\toolbar\DIGToolBar.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [RemoteCenter] c:\program files\creative\mediasource\remotecontrol\RCMan.EXE
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [Red Swoosh] c:\program files\rssoft\RedSwoosh.exe /S
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
    mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDet.EXE
    mRun: [CTHelper] CTHELPER.EXE
    mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
    mRun: [UpdReg] c:\windows\UpdReg.EXE
    mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
    mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
    mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
    mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
    mRun: [DIGServices] c:\program files\espnruntime\DIGServices.exe  /brand=ESPN  /priority=0  /poll=24
    mRun: [LXSUPMON] c:\windows\system32\LXSUPMON.EXE RUN
    mRun: [WD Button Manager] WDBtnMgr.exe
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    mRun: [Conime] %windir%\system32\conime.exe
    mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\docume~1\tom\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\tom\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d8053v4\BelkinWCUI.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\loadou~1.lnk - c:\program files\belkin\nostromo\nost_LM.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    Trusted Zone: aol.com\free
    Trusted Zone: microsoft.com\v4.windowsupdate
    Trusted Zone: microsoft.com\windowsupdate
    Trusted Zone: microsoft.com\www
    DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxps://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&6&04.00.08.43&unknown&unknown&http://www.toyota.com/vehicles/2005/prius/key_features/pc/index.html
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://active.macromedia.com/flash2/cabs/swflash.cab
    Notify: WRNotifier - WRLogonNTF.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRKEXnO
    LSA: Notification Packages = scecli c:\windows\system32\kejajumo.dll

    ============= SERVICES / DRIVERS ===============

    R0 viasraid;viasraid;c:\windows\system32\drivers\VIASRAID.SYS [2010-5-13 77056]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-31 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-31 17744]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-31 40384]
    R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2010-9-13 308656]
    R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [2004-12-4 16168]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-31 40384]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-31 40384]
    R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2009-1-12 517632]
    S1 MpKsl8e8849bf;MpKsl8e8849bf;\??\c:\windows\system32\mpenginestore\mpksl8e8849bf.sys --> c:\windows\system32\mpenginestore\MpKsl8e8849bf.sys [?]
    S2 tcaicchg;tcaicchg;\??\c:\windows\system32\tcaicchg.sys --> c:\windows\system32\tcaicchg.sys [?]
    S2 TCAITDI;TCAITDI Protocol;c:\windows\system32\drivers\tcaitdi.sys --> c:\windows\system32\drivers\TCAITDI.sys [?]
    S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2003-7-23 22821]
    S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\program files\lavalys\everest ultimate edition\kerneld.wnt --> c:\program files\lavalys\everest ultimate edition\kerneld.wnt [?]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2008-12-23 552448]

    =============== Created Last 30 ================

    2010-10-24 08:50:42  --------  d-----w-  c:\docume~1\alluse~1\applic~1\McAfee Security Scan
    2010-10-24 08:50:40  --------  d-----w-  c:\program files\McAfee Security Scan
    2010-10-15 05:40:07  974848  -c----w-  c:\windows\system32\dllcache\mfc42.dll
    2010-10-15 05:40:07  953856  -c----w-  c:\windows\system32\dllcache\mfc40u.dll
    2010-10-15 05:39:58  617472  -c----w-  c:\windows\system32\dllcache\comctl32.dll
    2010-10-04 18:50:10  --------  d-----w-  c:\program files\iTunes
    2010-10-04 18:48:04  159744  ----a-w-  c:\program files\internet explorer\plugins\npqtplugin7.dll
    2010-10-04 18:48:04  159744  ----a-w-  c:\program files\internet explorer\plugins\npqtplugin6.dll
    2010-10-04 18:48:04  159744  ----a-w-  c:\program files\internet explorer\plugins\npqtplugin5.dll
    2010-10-04 18:48:04  159744  ----a-w-  c:\program files\internet explorer\plugins\npqtplugin4.dll
    2010-10-04 18:48:04  159744  ----a-w-  c:\program files\internet explorer\plugins\npqtplugin3.dll
    2010-10-04 18:48:04  159744  ----a-w-  c:\program files\internet explorer\plugins\npqtplugin2.dll
    2010-10-04 18:48:04  159744  ----a-w-  c:\program files\internet explorer\plugins\npqtplugin.dll
    2010-10-04 18:46:00  --------  d-----w-  c:\program files\Bonjour
    2010-09-26 15:43:59  --------  d-----w-  c:\docume~1\tom\applic~1\OpenOffice.org
    2010-09-26 15:07:51  --------  d-----w-  c:\program files\JRE
    2010-09-26 15:07:11  --------  d-----w-  c:\program files\OpenOffice.org 3
    2010-09-26 15:06:54  472808  ----a-w-  c:\windows\system32\deployJava1.dll
    2010-09-26 03:29:51  421888  ----a-w-  c:\windows\system32\EKIJ5000MON.dll
    2010-09-26 03:29:51  196608  ----a-w-  c:\windows\system32\spool\prtprocs\w32x86\EKIJ5000PPR.dll
    2010-09-26 03:29:51  131072  ----a-w-  c:\windows\system32\EKIJCOINST09.dll

    ==================== Find3M  ====================

    2010-09-18 19:23:26  974848  ----a-w-  c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25  974848  ----a-w-  c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25  954368  ----a-w-  c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25  953856  ----a-w-  c:\windows\system32\mfc40u.dll
    2010-09-15 09:29:49  73728  ----a-w-  c:\windows\system32\javacpl.cpl
    2010-09-10 05:58:08  916480  ----a-w-  c:\windows\system32\wininet.dll
    2010-09-10 05:58:06  43520  ----a-w-  c:\windows\system32\licmgr10.dll
    2010-09-10 05:58:06  1469440  ----a-w-  c:\windows\system32\inetcpl.cpl
    2010-09-08 18:17:46  94208  ----a-w-  c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 18:17:46  69632  ----a-w-  c:\windows\system32\QuickTime.qts
    2010-09-07 15:12:17  38848  ----a-w-  c:\windows\avastSS.scr
    2010-09-01 11:51:14  285824  ----a-w-  c:\windows\system32\atmfd.dll
    2010-08-31 13:42:52  1852800  ----a-w-  c:\windows\system32\win32k.sys
    2010-08-27 08:02:29  119808  ----a-w-  c:\windows\system32\t2embed.dll
    2010-08-27 05:57:43  99840  ----a-w-  c:\windows\system32\srvsvc.dll
    2010-08-26 12:52:45  5120  ----a-w-  c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12:04  617472  ----a-w-  c:\windows\system32\comctl32.dll
    2010-08-17 13:17:06  58880  ----a-w-  c:\windows\system32\spoolsv.exe
    2010-08-16 08:45:00  590848  ----a-w-  c:\windows\system32\rpcrt4.dll
    2010-07-28 01:44:10  91424  ----a-w-  c:\windows\system32\dnssd.dll
    2010-07-28 01:44:10  107808  ----a-w-  c:\windows\system32\dns-sd.exe

    ============= FINISH: 12:13:23.48 ===============


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-10-21.02)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/26/2006 5:00:51 PM
    System Uptime: 10/24/2010 11:14:49 AM (1 hours ago)

    Motherboard: ASUSTeK Computer Inc. |  | SK8V
    Processor: AMD Athlon(tm) 64 FX-51 Processor | Socket 754 | 2202/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 224 GiB total, 157.514 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: RAID Controller
    Device ID: PCI\VEN_105A&DEV_3373&SUBSYS_80F51043&REV_02\3&267A616A&0&40
    Manufacturer:
    Name: RAID Controller
    PNP Device ID: PCI\VEN_105A&DEV_3373&SUBSYS_80F51043&REV_02\3&267A616A&0&40
    Service:

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 3Com Gigabit LOM (3C940)
    Device ID: PCI\VEN_10B7&DEV_1700&SUBSYS_80EB1043&REV_12\3&267A616A&0&50
    Manufacturer: 3Com
    Name: 3Com Gigabit LOM (3C940)
    PNP Device ID: PCI\VEN_10B7&DEV_1700&SUBSYS_80EB1043&REV_12\3&267A616A&0&50
    Service: EL2000

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: MAC Bridge Miniport
    Device ID: ROOT\MS_BRIDGEMP\0000
    Manufacturer: Microsoft
    Name: MAC Bridge Miniport
    PNP Device ID: ROOT\MS_BRIDGEMP\0000
    Service: BridgeMP

    ==== System Restore Points ===================

    RP1290: 8/1/2010 1:25:04 AM - System Checkpoint
    RP1291: 8/2/2010 1:37:37 AM - System Checkpoint
    RP1292: 8/2/2010 11:21:35 PM - Software Distribution Service 3.0
    RP1293: 8/5/2010 10:28:05 PM - System Checkpoint
    RP1294: 8/8/2010 11:14:40 PM - System Checkpoint
    RP1295: 8/11/2010 10:21:24 PM - System Checkpoint
    RP1296: 8/12/2010 10:23:37 PM - System Checkpoint
    RP1297: 8/12/2010 11:32:51 PM - Software Distribution Service 3.0
    RP1298: 8/15/2010 2:08:05 AM - System Checkpoint
    RP1299: 8/16/2010 2:15:57 AM - System Checkpoint
    RP1300: 8/22/2010 3:44:26 PM - System Checkpoint
    RP1301: 8/25/2010 9:51:31 PM - System Checkpoint
    RP1302: 8/28/2010 8:01:29 PM - System Checkpoint
    RP1303: 8/29/2010 8:38:14 PM - System Checkpoint
    RP1304: 8/30/2010 9:27:05 PM - System Checkpoint
    RP1305: 8/31/2010 9:28:31 PM - System Checkpoint
    RP1306: 9/3/2010 7:30:31 PM - System Checkpoint
    RP1307: 9/4/2010 8:30:58 PM - System Checkpoint
    RP1308: 9/12/2010 9:50:32 PM - System Checkpoint
    RP1309: 9/15/2010 10:55:46 PM - Software Distribution Service 3.0
    RP1310: 9/17/2010 8:48:56 PM - System Checkpoint
    RP1311: 9/18/2010 9:36:20 PM - System Checkpoint
    RP1312: 9/19/2010 9:59:03 PM - System Checkpoint
    RP1313: 9/21/2010 9:19:54 PM - System Checkpoint
    RP1314: 9/22/2010 10:16:56 PM - System Checkpoint
    RP1315: 9/23/2010 7:04:51 AM - Software Distribution Service 3.0
    RP1316: 9/25/2010 7:04:42 PM - System Checkpoint
    RP1317: 9/26/2010 8:06:35 AM - Installed Java(TM) 6 Update 20
    RP1318: 9/26/2010 8:07:07 AM - Installed OpenOffice.org 3.2
    RP1319: 9/27/2010 8:47:15 AM - System Checkpoint
    RP1320: 9/28/2010 11:44:04 PM - Software Distribution Service 3.0
    RP1321: 10/2/2010 6:37:13 PM - System Checkpoint
    RP1322: 10/3/2010 6:53:41 PM - System Checkpoint
    RP1323: 10/4/2010 9:25:51 PM - System Checkpoint
    RP1324: 10/5/2010 11:45:43 PM - System Checkpoint
    RP1325: 10/7/2010 11:25:04 PM - Software Distribution Service 3.0
    RP1326: 10/9/2010 7:26:46 PM - System Checkpoint
    RP1327: 10/10/2010 7:46:02 PM - System Checkpoint
    RP1328: 10/11/2010 8:46:08 PM - System Checkpoint
    RP1329: 10/13/2010 9:24:28 PM - System Checkpoint
    RP1330: 10/14/2010 11:22:17 PM - Software Distribution Service 3.0
    RP1331: 10/16/2010 8:23:35 PM - System Checkpoint
    RP1332: 10/17/2010 9:05:51 PM - System Checkpoint
    RP1333: 10/20/2010 7:51:48 PM - System Checkpoint
    RP1334: 10/21/2010 8:47:19 PM - System Checkpoint
    RP1335: 10/22/2010 10:00:42 PM - System Checkpoint
    RP1336: 10/24/2010 1:52:40 AM - Installed Java(TM) 6 Update 22

    ==== Installed Programs ======================

    3Com NIC Diagnostics
    3ivx D4 4.5.1 (remove only)
    AC3Filter (remove only)
    ACDSee
    Ad-Aware SE Personal
    Adobe Bridge 1.0
    Adobe Common File Installer
    Adobe Download Manager 2.0 (Remove Only)
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 9 ActiveX
    Adobe Help Center 1.0
    Adobe Photoshop CS2
    Adobe Reader 7.0.8
    Adobe Stock Photos 1.0
    aiofw
    aioprnt
    aioscnnr
    AKoff Music Composer
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AsfTools 3.1 (remove only)
    avast! Free Antivirus
    AVI to MPEG Converter
    AVIcodec (remove only)
    Belkin N Wireless USB Adapter Setup
    BitTorrent
    BLM 2.5.3
    Bonjour
    C4USelfUpdater
    center
    CleanUp!
    Codec Pack - All In 1 6.0.3.0
    Creative MediaSource
    Creative System Information
    Critical Update for Windows Media Player 11 (KB959772)
    DataPilot
    DataPilot USB Driver Pack
    Direct Show Ogg Vorbis Filter (remove only)
    DivX Codec 3.1alpha release
    Easy CD & DVD Creator 6
    eMule
    EQ2MAP Updater 0.9.7
    ESPN Java Check
    ESPN RunTime
    EVEREST Ultimate Edition v5.01
    EverQuest II
    FavOrg
    ffdshow [rev 2527] [2008-12-19]
    FinePixViewer Ver.4.2
    FLV Player 2.0 (build 25)
    Forté Agent
    FUJIFILM USB Driver
    GetBot
    GSpot Codec Information Appliance
    HijackThis 1.99.1
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    ImageMixer VCD2 for FinePix
    Intel A/V Codecs V2.0
    InterVideo DVDCopy5
    iPhone Configuration Utility
    iPod for Windows 2005-11-17
    iTunes
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 7
    J2SE Runtime Environment 5.0 Update 8
    J2SE Runtime Environment 5.0 Update 9
    Java Auto Updater
    Java(TM) 6 Update 22
    Java(TM) SE Runtime Environment 6 Update 1
    KODAK AiO Home Center
    ksDIP
    Lexmark Supplies Monitor
    Lexmark Z25-Z35
    Macromedia Shockwave Player
    Malwarebytes' Anti-Malware
    Master Cook Deluxe
    MasterCook Deluxe
    McAfee Security Scan Plus
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Excel Viewer 2003
    Microsoft Office XP Standard for Students and Teachers
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MicroStaff WINASPI
    MidiNotate Musician
    Mozilla Firefox (3.0.10)
    Mozilla Firefox (3.6.11)
    MP3 WAV Converter 2.68
    Mpeg Layer3 Codec FHG-Radium v1.263
    MSN Music Assistant
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser
    Nostromo Array Programming Software
    NVIDIA Drivers
    On2 VP3 Video for Windows Codec
    OpenOffice.org 3.2
    Pixia
    PreReq
    QuickTime
    RAW FILE CONVERTER LE
    RealPlayer
    Red Swoosh
    SeaTools for Windows
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Encoder (KB954156)
    Security Update for Windows Media Encoder (KB979332)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Segoe UI
    SimilarImages
    SkillJam SecurePlayer
    Sound Blaster Audigy 2 ZS
    Spelling Dictionaries For Adobe Reader Package
    Spybot - Search & Destroy
    Spybot - Search & Destroy 1.4
    SpywareBlaster 4.1
    TVAnts 1.0
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB969497)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    USB Universal Driver
    VCW VicMan's Photo Editor 7.9
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player
    WD Diagnostics
    WD Firewire HID Driver
    WebFldrs XP
    Winamp (remove only)
    Windows 7 Upgrade Advisor
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage v1.3.0254.0
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Encoder 9 Series
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Hotfix - KB822603
    Windows XP Service Pack 3
    WinRAR archiver
    Xilisoft DVD to iPod Converter
    XviD MPEG-4 Video Codec
    YASA DVD to MP4 Converter v2.9 (build 044)
    YASA MP4 Video Converter v3.2 (build 0051)

    ==== Event Viewer Messages From Past Week ========

    10/24/2010 10:56:30 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    10/24/2010 10:56:30 AM, error: Service Control Manager [7034] - The Kodak AiO Network Discovery Service service terminated unexpectedly. It has done this 1 time(s).
    10/24/2010 10:56:30 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    10/24/2010 10:56:29 AM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
    10/24/2010 10:56:29 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    10/24/2010 10:56:29 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    10/24/2010 10:47:34 AM, error: Service Control Manager [7034] - The Telephony service terminated unexpectedly. It has done this 8 time(s).
    10/24/2010 10:47:34 AM, error: Service Control Manager [7034] - The System Event Notification service terminated unexpectedly. It has done this 8 time(s).
    10/24/2010 10:47:34 AM, error: Service Control Manager [7034] - The Remote Access Connection Manager service terminated unexpectedly. It has done this 8 time(s).
    10/24/2010 10:47:34 AM, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 8 time(s).
    10/24/2010 10:47:34 AM, error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 4 time(s).
    10/24/2010 10:47:34 AM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 8 time(s).
    10/24/2010 10:47:34 AM, error: Service Control Manager [7031] - The Windows Time service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    10/24/2010 10:47:34 AM, error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 8 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    10/24/2010 10:03:08 AM, error: Service Control Manager [7000] - The 6to4 service failed to start due to the following error: The system cannot find the path specified.
    10/24/2010 1:39:07 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    10/22/2010 9:33:43 PM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
    10/22/2010 9:33:43 PM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    10/22/2010 9:33:43 PM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
    10/22/2010 9:33:43 PM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    10/22/2010 9:33:41 PM, error: Service Control Manager [7000] - The TCAITDI Protocol service failed to start due to the following error: The system cannot find the file specified.
    10/22/2010 9:33:41 PM, error: Service Control Manager [7000] - The tcaicchg service failed to start due to the following error: The system cannot find the file specified.
    10/22/2010 9:33:41 PM, error: Service Control Manager [7000] - The PfModNT service failed to start due to the following error: The system cannot find the file specified.
    10/22/2010 9:33:10 PM, error: iviVD [9] - The device, \Device\Scsi\iviVD1, did not respond within the timeout period.

    ==== End Of File ===========================
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    You have a CoolWebSearch malware infection. It is strange that Mbam didn't pick more of it up. You have several old versions of Java, all vulnerabilities; two versions of Firefox, one, Mozilla Firefox (3.0.10), way out of date, also a vulnerability.

    1. Please download randmbam.exe
    It will try to create random names and shortcuts for Malwarebytes Anti-Malware (MBAM) if you have it installed already. Once done, run a new scan with MBAM.

    2. Security Check
    Download Security Check and save it to your Desktop.
    • Double-click SecurityCheck.exe to run.
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post this log in your next reply.
    ==============================
    3. Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the ActiveX control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ======================================
    4. Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double-click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick Combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.

    Do the best you can. These programs will remove some of the malware and give me information for entries to be removed. Leave all logs in next reply; okay to use multiple posts.
  3. Rstynls

    Rstynls Newcomer, in training Topic Starter Posts: 19

    Thanks

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4943

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    10/25/2010 10:51:19 AM
    mbam-log-2010-10-25 (10-51-19).txt

    Scan type: Quick scan
    Objects scanned: 154737
    Time elapsed: 7 minute(s), 39 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

     Results of screen317's Security Check version 0.99.5
     Windows XP Service Pack 3
     Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

     avast! Free Antivirus
     McAfee Security Scan Plus
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

     Out of date Spybot installed!
     Ad-Aware
     Out of date HijackThis installed!
     Malwarebytes' Anti-Malware
     HijackThis 1.99.1
     Hijackthis 1.99.1
     Java(TM) 6 Update 22
     Java(TM) SE Runtime Environment 6 Update 1
     Out of date Java installed!
     Adobe Flash Player 9 (Out of date Flash Player installed!)
     Adobe Flash Player 10.1.85.3
     Adobe Reader 7.0.8
     Out of date Adobe Reader installed!
     Mozilla Firefox (x86 en-US..) Firefox Out of Date!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

     Ad-Aware AAWService.exe is disabled!
     Ad-Aware AAWTray.exe is disabled!
     Alwil Software Avast5 AvastSvc.exe
     ALWILS~1 Avast5 avastUI.exe
    ````````````````````````````````
    DNS Vulnerability Check:

     GREAT! (Not vulnerable to DNS cache poisoning)

    ``````````End of Log````````````

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=cd05b446a638da4ea8ee7160551946f8
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-10-25 07:47:10
    # local_time=2010-10-25 12:47:10 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=768 16777215 100 0 15384598 15384598 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=166279
    # found=6
    # cleaned=0
    # scan_time=3061
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde16.zip  Win32/Bagle.gen.zip worm  00000000000000000000000000000000  I
    C:\New Folder\acdsee_3_retail\CORE99.EXE  a variant of Win32/Packed.PECrypt32.A application  00000000000000000000000000000000  I
    C:\WINDOWS\system32\ajagebir.ini  Win32/Adware.Virtumonde.NEO application  00000000000000000000000000000000  I
    C:\WINDOWS\system32\ehihidav.ini  Win32/Adware.Virtumonde.NEO application  00000000000000000000000000000000  I
    C:\WINDOWS\system32\xrljfmos.ini  Win32/Adware.Virtumonde.NEO application  00000000000000000000000000000000  I
    G:\Files\acdsee_3_retail\CORE99.EXE  a variant of Win32/Packed.PECrypt32.A application  00000000000000000000000000000000  I

    ComboFix 10-10-24.06 - Tom 10/25/2010  13:43:11.1.1 - x86
    Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1023.715 [GMT -7:00]
    Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: The Shield Deluxe Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
    .

    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\ystem~1
    c:\windows\run.log
    c:\windows\system32\_006046_.tmp.dll
    c:\windows\system32\_006215_.tmp.dll
    c:\windows\system32\_006216_.tmp.dll
    c:\windows\system32\_006217_.tmp.dll
    c:\windows\system32\_006218_.tmp.dll
    c:\windows\system32\_006225_.tmp.dll
    c:\windows\system32\_006226_.tmp.dll
    c:\windows\system32\_006227_.tmp.dll
    c:\windows\system32\ajagebir.ini
    c:\windows\system32\ehihidav.ini
    c:\windows\system32\xrljfmos.ini

    .
    (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_SERVICE


    (((((((((((((((((((((((((   Files Created from 2010-09-25 to 2010-10-25   )))))))))))))))))))))))))))))))
    .

    2010-10-25 18:48 . 2010-10-25 18:48  --------  d-----w-  c:\program files\ESET
    2010-10-24 12:30 . 2010-10-24 12:30  --------  d-----w-  c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
    2010-10-24 11:54 . 2010-10-24 11:54  --------  d-----w-  c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2010-10-24 08:50 . 2010-10-24 08:50  --------  d-----w-  c:\documents and settings\All Users\Application Data\McAfee
    2010-10-24 08:50 . 2010-10-24 08:50  --------  d-----w-  c:\documents and settings\All Users\Application Data\McAfee Security Scan
    2010-10-24 08:50 . 2010-10-24 08:50  --------  d-----w-  c:\program files\McAfee Security Scan
    2010-10-15 05:40 . 2010-09-18 06:53  974848  -c----w-  c:\windows\system32\dllcache\mfc42.dll
    2010-10-15 05:40 . 2010-09-18 06:53  953856  -c----w-  c:\windows\system32\dllcache\mfc40u.dll
    2010-10-15 05:39 . 2010-08-23 16:12  617472  -c----w-  c:\windows\system32\dllcache\comctl32.dll
    2010-10-04 18:50 . 2010-10-04 18:50  --------  d-----w-  c:\program files\iTunes
    2010-10-04 18:48 . 2010-10-04 18:48  159744  ----a-w-  c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
    2010-10-04 18:48 . 2010-10-04 18:48  159744  ----a-w-  c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
    2010-10-04 18:48 . 2010-10-04 18:48  159744  ----a-w-  c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
    2010-10-04 18:48 . 2010-10-04 18:48  159744  ----a-w-  c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
    2010-10-04 18:48 . 2010-10-04 18:48  159744  ----a-w-  c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
    2010-10-04 18:48 . 2010-10-04 18:48  159744  ----a-w-  c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
    2010-10-04 18:48 . 2010-10-04 18:48  159744  ----a-w-  c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
    2010-10-04 18:47 . 2010-10-04 18:48  --------  d-----w-  c:\program files\QuickTime
    2010-10-04 18:46 . 2010-10-04 18:46  --------  d-----w-  c:\program files\Bonjour
    2010-09-26 15:43 . 2010-09-26 15:43  --------  d-----w-  c:\documents and settings\Tom\Application Data\OpenOffice.org
    2010-09-26 15:07 . 2010-09-26 15:07  --------  d-----w-  c:\program files\JRE
    2010-09-26 15:07 . 2010-09-26 15:07  --------  d-----w-  c:\program files\OpenOffice.org 3
    2010-09-26 15:06 . 2010-09-15 11:50  472808  ----a-w-  c:\windows\system32\deployJava1.dll
    2010-09-26 03:29 . 2010-09-02 15:21  131072  ----a-w-  c:\windows\system32\EKIJCOINST09.dll
    2010-09-26 03:29 . 2010-09-02 15:17  196608  ----a-w-  c:\windows\system32\Spool\prtprocs\w32x86\EKIJ5000PPR.dll
    2010-09-26 03:29 . 2010-09-02 15:17  421888  ----a-w-  c:\windows\system32\EKIJ5000MON.dll

    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 19:23 . 2001-08-18 12:00  974848  ----a-w-  c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2001-08-18 12:00  974848  ----a-w-  c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2001-08-18 12:00  954368  ----a-w-  c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2001-08-18 12:00  953856  ----a-w-  c:\windows\system32\mfc40u.dll
    2010-09-15 09:29 . 2007-04-19 04:45  73728  ----a-w-  c:\windows\system32\javacpl.cpl
    2010-09-10 05:58 . 2006-06-23 19:33  916480  ----a-w-  c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2006-06-27 01:29  43520  ----a-w-  c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2006-06-27 01:29  1469440  ----a-w-  c:\windows\system32\inetcpl.cpl
    2010-09-08 18:17 . 2010-09-08 18:17  94208  ----a-w-  c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 18:17 . 2010-09-08 18:17  69632  ----a-w-  c:\windows\system32\QuickTime.qts
    2010-09-07 15:12 . 2010-06-30 06:13  38848  ----a-w-  c:\windows\avastSS.scr
    2010-09-07 15:11 . 2010-06-01 01:32  167592  ----a-w-  c:\windows\system32\aswBoot.exe
    2010-09-07 14:52 . 2010-06-01 01:32  46672  ----a-w-  c:\windows\system32\drivers\aswTdi.sys
    2010-09-07 14:52 . 2010-06-01 01:32  165584  ----a-w-  c:\windows\system32\drivers\aswSP.sys
    2010-09-07 14:47 . 2010-06-01 01:32  23376  ----a-w-  c:\windows\system32\drivers\aswRdr.sys
    2010-09-07 14:47 . 2010-06-01 01:32  100176  ----a-w-  c:\windows\system32\drivers\aswmon2.sys
    2010-09-07 14:47 . 2010-06-01 01:32  94544  ----a-w-  c:\windows\system32\drivers\aswmon.sys
    2010-09-07 14:47 . 2010-06-01 01:32  17744  ----a-w-  c:\windows\system32\drivers\aswFsBlk.sys
    2010-09-07 14:46 . 2010-06-01 01:32  28880  ----a-w-  c:\windows\system32\drivers\aavmker4.sys
    2010-09-01 11:51 . 2001-08-18 12:00  285824  ----a-w-  c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2001-08-18 12:00  1852800  ----a-w-  c:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2001-08-18 12:00  119808  ----a-w-  c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2001-08-18 12:00  99840  ----a-w-  c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2001-08-18 12:00  357248  ----a-w-  c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-04-19 05:52  5120  ----a-w-  c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2001-08-18 12:00  617472  ----a-w-  c:\windows\system32\comctl32.dll
    2010-08-17 13:17 . 2005-06-10 23:55  58880  ----a-w-  c:\windows\system32\spoolsv.exe
    2010-08-16 08:45 . 2004-03-06 02:16  590848  ----a-w-  c:\windows\system32\rpcrt4.dll
    2010-07-28 01:44 . 2010-07-28 01:44  91424  ----a-w-  c:\windows\system32\dnssd.dll
    2010-07-28 01:44 . 2010-07-28 01:44  107808  ----a-w-  c:\windows\system32\dns-sd.exe
    .

    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 139264]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "Red Swoosh"="c:\program files\RSSoft\RedSwoosh.exe" [2007-07-19 62436]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-10-29 4620288]
    "nwiz"="nwiz.exe" [2004-10-29 921600]
    "NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-10-29 86016]
    "CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
    "CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
    "CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
    "SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
    "RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-25 868352]
    "RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-06-24 319488]
    "REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
    "DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2005-05-19 101888]
    "WD Button Manager"="WDBtnMgr.exe" [2007-09-24 364544]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
    "Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
    "EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    c:\documents and settings\Tom\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    Belkin Wireless Networking Utility.lnk - c:\program files\Belkin\F5D8053v4\BelkinWCUI.exe [2009-1-12 1474560]
    InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-12-30 303104]
    Loadout Manager.lnk - c:\program files\Belkin\Nostromo\nost_LM.exe [2003-6-23 442368]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0sprestrt

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
    TCAUDIAG.exe -on [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2007-03-14 10:43 83608 ----a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    2006-03-31 00:45 313472 ----a-w- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9322:TCP"= 9322:TCP:EKDiscovery

    R0 viasraid;viasraid;c:\windows\system32\drivers\VIASRAID.SYS [5/13/2010 5:35 AM 77056]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/31/2010 6:32 PM 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/31/2010 6:32 PM 17744]
    R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [9/13/2010 5:18 PM 308656]
    R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [12/4/2004 10:17 AM 16168]
    S1 MpKsl8e8849bf;MpKsl8e8849bf;\??\c:\windows\system32\MpEngineStore\MpKsl8e8849bf.sys --> c:\windows\system32\MpEngineStore\MpKsl8e8849bf.sys [?]
    S2 tcaicchg;tcaicchg;\??\c:\windows\System32\tcaicchg.sys --> c:\windows\System32\tcaicchg.sys [?]
    S2 TCAITDI;TCAITDI Protocol;c:\windows\system32\DRIVERS\TCAITDI.sys --> c:\windows\system32\DRIVERS\TCAITDI.sys [?]
    S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [7/23/2003 12:16 PM 22821]
    S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt --> c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [?]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]
    S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [12/23/2008 7:17 PM 552448]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = About:Blank
    uSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
    mSearch Bar = about:blank
    mSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = About:Blank
    mSearchURL = about:blank
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    Trusted Zone: aol.com\free
    Trusted Zone: microsoft.com\v4.windowsupdate
    Trusted Zone: microsoft.com\windowsupdate
    Trusted Zone: microsoft.com\www
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{E3BB3F2A-8F67-4B96-A432-8190258C0FD1} - c:\windows\System32\rqRKEXnO.dll
    HKLM-Run-LXSUPMON - c:\windows\System32\LXSUPMON.EXE
    Notify-rqRIxxXn - (no file)
    MSConfigStartUp-runner1 - c:\windows\retadpu72.exe
    AddRemove-Ad-Aware SE Personal - c:\progra~1\Lavasoft\AD-AWA~1\UNWISE.EXE
    AddRemove-eMule - c:\new folder\eMule\Uninstall.exe
    AddRemove-EVEREST Ultimate Edition_is1 - c:\program files\Lavalys\EVEREST Ultimate Edition\unins000.exe
    AddRemove-FLV Player - g:\files\FLV Player\uninst.exe
    AddRemove-GSpot - c:\program files\GSpot\Uninstall.exe
    AddRemove-HijackThis - c:\program files\Hijackthis\HijackThis.exe
    AddRemove-Hijackthis_is1 - c:\program files\Hijackthis\unins000.exe
    AddRemove-Lexmark Supplies Monitor - c:\windows\System32\LXSMUNIN.EXE
    AddRemove-Mozilla Firefox (3.0.10) - c:\program files\Mozilla Firefox\uninstall\helper.exe
    AddRemove-Mozilla Firefox (3.6.11) - g:\files\Mozilla Firefox\uninstall\helper.exe
    AddRemove-Mozilla Firefox 4.0b6 (x86 en-US) - g:\files\Mozilla Firefox 4.0 Beta 6\uninstall\helper.exe
    AddRemove-WinRAR archiver - c:\program files\WinRAR\uninstall.exe
    AddRemove-Xilisoft DVD to iPod Converter - c:\program files\Xilisoft\DVD to iPod Converter 4\Uninstall.exe
    AddRemove-YASA DVD to MP4 Converter v2.9 (build 044) - c:\progra~1\YASADV~1\UNWISE.EXE
    AddRemove-YASA MP4 Video Converter v3.2 (build 0051) - c:\progra~1\YASAMP~1\UNWISE.EXE
    AddRemove-BitTorrent - g:\files\BitTorrent\uninst.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-10-25 14:05
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.0 by Gmer, http://www.gmer.net
    Windows 5.1.2600

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8705C446]<<
    1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8712BAB8]
    2 ntkrnlpa[0x804EE130] -> CLASSPNP.SYS[0xF7679FD7] -> \Device\Harddisk0\DR0[0x8712BAB8]
    3 CLASSPNP[0xF7679FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8700F138]
    \Driver\viasraid[0x870206D8] -> IRP_MJ_CREATE -> 0x8705C446
    4 ntkrnlpa[0x804EE130] -> UNKNOWN[0x8705C449] -> [0x8700F138]
    error: Read \Device\Ide\IdePort0 The system cannot find the file specified.
    kernel: MBR read successfully
    detected hooks:
    \Device\Scsi\viasraid1Port3Path0Target0Lun0 -> \??\SCSI#Disk&Ven_VIA_SATA&Prod__RAID_0&Rev_#4&17c50b7c&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    \Driver\Disk -> CLASSPNP.SYS @ 0xf767df28
    \Driver\ACPI -> ACPI.sys @ 0xf74e0cb8
    \Driver\atapi -> atapi.sys @ 0xf7480852
    IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
        SecurityProcedure -> ntkrnlpa.exe @ 0x805791fa
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
        SecurityProcedure -> ntkrnlpa.exe @ 0x805791fa
    NDIS: -> SendCompleteHandler -> 0x0
        PacketIndicateHandler -> 0x0
        SendHandler -> 0x0
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(784)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'lsass.exe'(852)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(2224)
    c:\windows\system32\WININET.dll
    c:\program files\Belkin\Nostromo\nost_FSH.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\System32\CTsvcCDA.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\WDBtnMgr.exe
    c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    c:\windows\System32\nvsvc32.exe
    c:\program files\OpenOffice.org 3\program\soffice.exe
    c:\program files\OpenOffice.org 3\program\soffice.bin
    c:\windows\system32\wscntfy.exe
    c:\program files\Windows Live\Contacts\wlcomm.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-25 14:11:01 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-25 21:10

    Pre-Run: 168,726,827,008 bytes free
    Post-Run: 168,598,908,928 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /fastdetect /NoExecute=OptIn

    Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - 7774A791B92594870C329204C134A0B6
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    We have some housekeeping to do. First, you need to uninstall one of these 2 AV programs: Avast or McAfee. Multiple AV programs can make a system more vulnerable, not less. Here are tools to help with either:
    McAfee Removal
    Avast Removal
    Reboot the computer after the uninstall.
    ========================================
    To remove the Eset entries:
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      :Files
      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde16.zip
      C:\New Folder\acdsee_3_retail\CORE99.EXE
      C:\WINDOWS\system32\ajagebir.ini
      C:\WINDOWS\system32\ehihidav.ini
      C:\WINDOWS\system32\xrljfmos.ini
      G:\Files\acdsee_3_retail\CORE99.EXE
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ============================================
    Open Spybot Search & Destroy and delete the contents of the quarantine folder.
    ===========================================
    When finished, uninstall the following in Add/Remove Programs in the Control Panel:
    HijackThis 1.99.1
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 7
    J2SE Runtime Environment 5.0 Update 8
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) SE Runtime Environment 6 Update 1
    Mozilla Firefox (3.0.10)

    All of the above are out of date and you do have the current (except for HijackThis and I'll give you a link to run that later), correct versions installed. These old versions also present a vulnerability.
    =========================================
    Run the following scan. It will produce a log, and I need to see it.
    Download CKScanner and save to your desktop.
    • Double click CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    ======================================


    Download Bootkit Remover and save to your Desktop
    1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    3. You will see a Black screen with some data on it.
    4. Right click on the screen and click Select All.
    5. Press CTRL+C to Copy
    6. Open a Notepad and press CTRL+V to Paste.
    7. Include the report in your next post.
    Credits to Broni
    =======================================
    I will set up script for you to run through Combofix after I see these logs.
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    You can go ahead and run this script after you finish the previous instructions.

    Please run this Custom CFScript

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\MpEngineStore\MpKsl8e8849bf.sys
    c:\windows\System32\tcaicchg.sys
    c:\windows\system32\DRIVERS\TCAITDI.sys
    DDS::
    uSearch Page = About:Blank
    uSearch Bar = About:Blank
    uDefault_Search_URL = About:Blank
    uSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
    mSearch Bar = about:blank
    mSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = About:Blank
    mSearchURL = about:blank
    mSearchAssistant = about:blank
    BHO: {e3bb3f2a-8f67-4b96-a432-8190258c0fd1} - c:\windows\system32\rqRKEXnO.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRKEXnO
    LSA: Notification Packages = scecli c:\windows\system32\kejajumo.dll
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    "FirewallOverride"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"=-
    
    Driver::
    MpKsl8e8849bf
    tcaicchg
    TCAITDI
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    (image: CFScript.txt being dragged onto ComboFix.exe)

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    We have more to do.
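As an added example, not code from this thread or from ComboFix, a small Python triage script that reads a ComboFix-style excerpt like the one posted above and flags the items Bobbye's CFScript reverts: the Security Center overrides, the disabled firewall, service entries whose binary is missing (`[?]`), about:blank search providers, the hex-encoded migrated search URLs (decoded so a reader can judge them), and LSA packages beyond the stock ones. The sample lines are constructed from values in this thread, and the assumed stock XP LSA packages (msv1_0, scecli) are an assumption.

```python
import re
from typing import Dict, List

# Constructed sample: a handful of lines in the shape of the ComboFix report
# posted in this thread (values copied from it; not a complete log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/31/2010 6:32 PM 165584]
S2 tcaicchg;tcaicchg;\??\c:\windows\System32\tcaicchg.sys --> c:\windows\System32\tcaicchg.sys [?]

uDefault_Search_URL = About:Blank
uSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRKEXnO
LSA: Notification Packages = scecli c:\windows\system32\kejajumo.dll
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
# "Name"=dword:00000001   or   "Name"= 0 (0x0)
REG_VALUE_RE = re.compile(
    r'^"([^"]+)"=\s*(?:dword:([0-9a-fA-F]{8})|(\d+)\s*\(0x[0-9a-fA-F]+\))'
)
# R2 name;display;path [date size]   or   S2 name;display;path --> path [?]
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(.*)\]$")
SEARCH_RE = re.compile(r"^([um][\w ]*Search[\w ]*?) = (.+)$")
LSA_RE = re.compile(r"^LSA: (Authentication|Notification) Packages = (.+)$")

# Assumption: stock Windows XP values; anything else listed deserves a look
# (the CFScript in this thread strips the extra entries).
LSA_DEFAULTS = {"Authentication": {"msv1_0"}, "Notification": {"scecli"}}


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Return {'kind', 'detail'} findings for a ComboFix-style log excerpt."""
    findings: List[Dict[str, str]] = []
    section = ""  # lower-cased name of the current [registry key] block

    def add(kind: str, detail: str) -> None:
        findings.append({"kind": kind, "detail": detail})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue

        m = REG_VALUE_RE.match(line)
        if m:
            name = m.group(1)
            value = int(m.group(2), 16) if m.group(2) is not None else int(m.group(3))
            if section.endswith("security center") and name.endswith("Override") and value == 1:
                add("security-center-override", f"{name}=1 suppresses the Security Center warning")
            elif "firewallpolicy" in section and name == "EnableFirewall" and value == 0:
                add("firewall-disabled", "Windows Firewall is off for the standard profile")
            elif "firewallpolicy" in section and name == "DisableNotifications" and value == 1:
                add("firewall-notifications-off", "firewall block notifications are hidden")
            continue

        m = SERVICE_RE.match(line)
        if m:
            # "[?]" means ComboFix could not stat the binary: a dangling or hidden registration
            if m.group(5) == "?":
                path = m.group(4).split(" --> ")[-1]
                add("service-missing-binary", f"{m.group(1)} {m.group(2)}: {path}")
            continue

        m = SEARCH_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if value.lower() == "about:blank":
                add("blank-search-provider", f"{key} points at about:blank")
            elif re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) % 2 == 0:
                # Migrated search URLs are stored hex-encoded; decode them for the reader
                decoded = bytes.fromhex(value).decode("ascii", "replace")
                add("hex-search-url", f"{key} -> {decoded}")
            continue

        m = LSA_RE.match(line)
        if m:
            extras = [p for p in m.group(2).split() if p not in LSA_DEFAULTS[m.group(1)]]
            if extras:
                add("lsa-extra-package", f"{m.group(1)} Packages: {' '.join(extras)}")

    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['detail']}")
```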
  6. Rstynls

    Rstynls Newcomer, in training Topic Starter Posts: 19

    Update

    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde16.zip moved successfully.
    C:\New Folder\acdsee_3_retail\CORE99.EXE moved successfully.
    File/Folder C:\WINDOWS\system32\ajagebir.ini not found.
    File/Folder C:\WINDOWS\system32\ehihidav.ini not found.
    File/Folder C:\WINDOWS\system32\xrljfmos.ini not found.
    File/Folder G:\Files\acdsee_3_retail\CORE99.EXE not found.
    ========== COMMANDS ==========
    C:\Documents and Settings\Tom\Application Data\?ystem32 folder moved successfully.

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Administrator.GAME-MACHINE
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 65748 bytes
    ->Temporary Internet Files folder emptied: 43529803 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 7473 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 41036445 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 6712 bytes

    User: Tom
    ->Temp folder emptied: 4354228 bytes
    ->Temporary Internet Files folder emptied: 5591724 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 341308213 bytes
    ->Flash cache emptied: 14317 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 2229291 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 418.00 mb


    OTM by OldTimer - Version 3.1.17.1 log created on 10282010_133654

    Files moved on Reboot...
    File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...

    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\documents and settings\tom\favorites\computer stuff\http--kickme.to-crackz182.url
    c:\documents and settings\tom\favorites\computer stuff\seriall.com - serials, keys, keygen, cracks.url
    c:\documents and settings\tom\favorites\test\favorites\misc\crack's smilies =).url
    c:\documents and settings\tom\favorites\test\favorites\misc\mp3 sound - warez - appz - gamez - mp3z - hacking - serialz - crackz - ftpz.url
    c:\documents and settings\tom\favorites\test\misc\best microbez appz - here you can download all !warez! !crackz! !full retail appz! !real direct download! !iso! !gamez!.url
    c:\documents and settings\tom\favorites\test\misc\fast downloads - here you can see warez crackz serialz full appz gamez real direct download iso 1 file.url
    scanner sequence 3.FN.11
    ----- EOF -----

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    ATA_Read(): DeviceIoControl() ERROR 1
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    223 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...

    ComboFix 10-10-27.A3 - Tom 10/28/2010 15:03:44.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.735 [GMT -7:00]
    Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Tom\Desktop\CFScript.txt

    FILE ::
    "c:\windows\system32\DRIVERS\TCAITDI.sys"
    "c:\windows\system32\MpEngineStore\MpKsl8e88 49bf.sys"
    "c:\windows\System32\tcaicchg.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk
    c:\documents and settings\Tom\Application Data\Bitrix Security
    c:\documents and settings\Tom\Application Data\Bitrix Security\cet.txt
    c:\documents and settings\Tom\Application Data\Bitrix Security\lrtg.txt
    c:\documents and settings\Tom\Application Data\Bitrix Security\mor.txt
    c:\documents and settings\Tom\Application Data\Bitrix Security\mxd1.txt
    c:\documents and settings\Tom\Application Data\Bitrix Security\podzce.dll
    c:\documents and settings\Tom\Application Data\Bitrix Security\podzce_shrd
    c:\documents and settings\Tom\Application Data\Bitrix Security\rgx.txt
    c:\documents and settings\Tom\Application Data\Bitrix Security\uurn
    c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MPKSL8E8849BF
    -------\Legacy_TCAICCHG
    -------\Legacy_TCAITDI
    -------\Service_MpKsl8e8849bf
    -------\Service_tcaicchg
    -------\Service_TCAITDI


    ((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-28 )))))))))))))))))))))))))))))))
    .

    2010-10-28 20:36 . 2010-10-28 20:36 -------- d-----w- C:\_OTM
    2010-10-28 20:22 . 2010-10-28 20:22 -------- d-sh--w- c:\documents and settings\Tom\IECompatCache
    2010-10-25 18:48 . 2010-10-25 18:48 -------- d-----w- c:\program files\ESET
    2010-10-24 12:30 . 2010-10-24 12:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
    2010-10-24 11:54 . 2010-10-24 11:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2010-10-15 05:40 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-15 05:40 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-15 05:39 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
    2010-10-04 18:50 . 2010-10-04 18:50 -------- d-----w- c:\program files\iTunes
    2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
    2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
    2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
    2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
    2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
    2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
    2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
    2010-10-04 18:47 . 2010-10-04 18:48 -------- d-----w- c:\program files\QuickTime
    2010-10-04 18:46 . 2010-10-04 18:46 -------- d-----w- c:\program files\Bonjour

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 19:23 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2001-08-18 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2001-08-18 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-15 11:50 . 2010-09-26 15:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-15 09:29 . 2007-04-19 04:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-09-10 05:58 . 2006-06-23 19:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2006-06-27 01:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2006-06-27 01:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 18:17 . 2010-09-08 18:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 18:17 . 2010-09-08 18:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-07 15:12 . 2010-06-30 06:13 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-07 15:11 . 2010-06-01 01:32 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-09-07 14:52 . 2010-06-01 01:32 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-09-07 14:52 . 2010-06-01 01:32 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-09-07 14:47 . 2010-06-01 01:32 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-09-07 14:47 . 2010-06-01 01:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-09-07 14:47 . 2010-06-01 01:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-09-07 14:47 . 2010-06-01 01:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-09-07 14:46 . 2010-06-01 01:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-09-02 15:21 . 2010-09-26 03:29 131072 ----a-w- c:\windows\system32\EKIJCOINST09.dll
    2010-09-02 15:17 . 2010-09-26 03:29 196608 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EKIJ5000PPR.dll
    2010-09-02 15:17 . 2010-09-26 03:29 421888 ----a-w- c:\windows\system32\EKIJ5000MON.dll
    2010-09-01 11:51 . 2001-08-18 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2001-08-18 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2001-08-18 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2001-08-18 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2001-08-18 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-04-19 05:52 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2001-08-18 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17 . 2005-06-10 23:55 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45 . 2004-03-06 02:16 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 139264]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "Red Swoosh"="c:\program files\RSSoft\RedSwoosh.exe" [2007-07-19 62436]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-10-29 4620288]
    "nwiz"="nwiz.exe" [2004-10-29 921600]
    "NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-10-29 86016]
    "CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
    "CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
    "CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
    "SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
    "RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-25 868352]
    "RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-06-24 319488]
    "REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
    "DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2005-05-19 101888]
    "WD Button Manager"="WDBtnMgr.exe" [2007-09-24 364544]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
    "Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
    "EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Belkin Wireless Networking Utility.lnk - c:\program files\Belkin\F5D8053v4\BelkinWCUI.exe [2009-1-12 1474560]
    InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-12-30 303104]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRIxxXn]
    [BU]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0sprestrt

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
    TCAUDIAG.exe -on [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    2006-03-31 00:45 313472 ----a-w- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9322:TCP"= 9322:TCP:EKDiscovery

    R0 viasraid;viasraid;c:\windows\system32\drivers\VIASRAID.SYS [5/13/2010 5:35 AM 77056]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/31/2010 6:32 PM 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/31/2010 6:32 PM 17744]
    R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [9/13/2010 5:18 PM 308656]
    R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [12/4/2004 10:17 AM 16168]
    S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys --> c:\windows\system32\drivers\bcgame.sys [?]
    S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt --> c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [?]
    S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [12/23/2008 7:17 PM 552448]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchAssistant = About:Blank
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    Trusted Zone: aol.com\free
    Trusted Zone: microsoft.com\v4.windowsupdate
    Trusted Zone: microsoft.com\windowsupdate
    Trusted Zone: microsoft.com\www
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{E3BB3F2A-8F67-4B96-A432-8190258C0FD1} - (no file)
    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_01\bin\jusched.exe
    ActiveSetup-{CB92D056-5802-4D2E-A0FE-59E3F5EF3598} - c:\documents and settings\Tom\Application Data\Bitrix Security\podzce.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-10-28 15:17
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8705C446]<<
    kernel: MBR read successfully
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(792)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'lsass.exe'(852)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(3440)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\System32\CTsvcCDA.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\System32\nvsvc32.exe
    c:\windows\system32\WDBtnMgr.exe
    c:\program files\OpenOffice.org 3\program\soffice.exe
    c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    c:\program files\OpenOffice.org 3\program\soffice.bin
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-28 15:23:58 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-28 22:23
    ComboFix2.txt 2010-10-25 21:11

    Pre-Run: 168,369,741,824 bytes free
    Post-Run: 168,374,726,656 bytes free

    Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - D7570FA0DF7E13D15E6ACE1E6A96948E
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Okay. Now I need you to run HijackThis so I can see how this is coming up: SearchAssistant = About:Blank

    Download the HijackThis Installer and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
    ===============================================
    Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\drivers\bcgame.sys
    c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
    
    Driver::
    bcgame
    EverestDriver
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
    When we're finished, you will need to update the Adobe Reader: Visit this Adobe Reader site and make sure you have the most current update. Uninstall any earlier updates, as they are vulnerabilities.
  8. Rstynls

    Rstynls Newcomer, in training Topic Starter Posts: 19

    Update

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:50:32 PM, on 11/1/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\ESPNRunTime\DIGServices.exe
    C:\WINDOWS\system32\WDBtnMgr.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
    C:\Program Files\RSSoft\RedSwoosh.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Belkin\F5D8053v4\BelkinWCUI.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = About:Blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = About:Blank
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: (no name) - {E3BB3F2A-8F67-4B96-A432-8190258C0FD1} - (no file)
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
    O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Red Swoosh] C:\Program Files\RSSoft\RedSwoosh.exe /S
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
    O4 - Global Startup: Belkin Wireless Networking Utility.lnk = ?
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...ehicles/2005/prius/key_features/pc/index.html
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O20 - Winlogon Notify: rqRIxxXn - Invalid registry found
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    --
    End of file - 9453 bytes

    ComboFix 10-10-27.A3 - Tom 11/01/2010 17:55:01.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.727 [GMT -7:00]
    Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Tom\Desktop\CFScript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: The Shield Deluxe Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

    FILE ::
    "c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"
    "c:\windows\system32\drivers\bcgame.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_EVERESTDRIVER
    -------\Service_bcgame
    -------\Service_EverestDriver


    ((((((((((((((((((((((((( Files Created from 2010-10-02 to 2010-11-02 )))))))))))))))))))))))))))))))
    .

    2010-11-01 19:49 . 2010-11-01 19:49 388096 ----a-r- c:\documents and settings\Tom\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-11-01 19:49 . 2010-11-01 19:49 -------- d-----w- c:\program files\Trend Micro
    2010-10-28 20:36 . 2010-10-28 20:36 -------- d-----w- C:\_OTM
    2010-10-28 20:22 . 2010-10-28 20:22 -------- d-sh--w- c:\documents and settings\Tom\IECompatCache
    2010-10-25 18:48 . 2010-10-25 18:48 -------- d-----w- c:\program files\ESET
    2010-10-24 12:30 . 2010-10-24 12:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
    2010-10-24 11:54 . 2010-10-24 11:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2010-10-15 05:40 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-15 05:40 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-15 05:39 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
    2010-10-04 18:50 . 2010-10-04 18:50 -------- d-----w- c:\program files\iTunes
    2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
    2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
    2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
    2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
    2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
    2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
    2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
    2010-10-04 18:47 . 2010-10-04 18:48 -------- d-----w- c:\program files\QuickTime
    2010-10-04 18:46 . 2010-10-04 18:46 -------- d-----w- c:\program files\Bonjour

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 19:23 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2001-08-18 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2001-08-18 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-15 11:50 . 2010-09-26 15:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-15 09:29 . 2007-04-19 04:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-09-10 05:58 . 2006-06-23 19:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2006-06-27 01:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2006-06-27 01:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 18:17 . 2010-09-08 18:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 18:17 . 2010-09-08 18:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-07 15:12 . 2010-06-30 06:13 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-07 15:11 . 2010-06-01 01:32 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-09-07 14:52 . 2010-06-01 01:32 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-09-07 14:52 . 2010-06-01 01:32 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-09-07 14:47 . 2010-06-01 01:32 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-09-07 14:47 . 2010-06-01 01:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-09-07 14:47 . 2010-06-01 01:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-09-07 14:47 . 2010-06-01 01:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-09-07 14:46 . 2010-06-01 01:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-09-02 15:21 . 2010-09-26 03:29 131072 ----a-w- c:\windows\system32\EKIJCOINST09.dll
    2010-09-02 15:17 . 2010-09-26 03:29 196608 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EKIJ5000PPR.dll
    2010-09-02 15:17 . 2010-09-26 03:29 421888 ----a-w- c:\windows\system32\EKIJ5000MON.dll
    2010-09-01 11:51 . 2001-08-18 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2001-08-18 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2001-08-18 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2001-08-18 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2001-08-18 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-04-19 05:52 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2001-08-18 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17 . 2005-06-10 23:55 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45 . 2004-03-06 02:16 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 139264]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "Red Swoosh"="c:\program files\RSSoft\RedSwoosh.exe" [2007-07-19 62436]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-10-29 4620288]
    "nwiz"="nwiz.exe" [2004-10-29 921600]
    "NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-10-29 86016]
    "CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
    "CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
    "CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
    "SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
    "RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-25 868352]
    "RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-06-24 319488]
    "REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
    "DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2005-05-19 101888]
    "WD Button Manager"="WDBtnMgr.exe" [2007-09-24 364544]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
    "Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
    "EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

    c:\documents and settings\Tom\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Belkin Wireless Networking Utility.lnk - c:\program files\Belkin\F5D8053v4\BelkinWCUI.exe [2009-1-12 1474560]
    InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-12-30 303104]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRIxxXn]
    [BU]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0sprestrt

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
    TCAUDIAG.exe -on [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    2006-03-31 00:45 313472 ----a-w- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9322:TCP"= 9322:TCP:EKDiscovery

    R0 viasraid;viasraid;c:\windows\system32\drivers\VIASRAID.SYS [5/13/2010 5:35 AM 77056]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/31/2010 6:32 PM 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/31/2010 6:32 PM 17744]
    R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [9/13/2010 5:18 PM 308656]
    R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [12/4/2004 10:17 AM 16168]
    S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [12/23/2008 7:17 PM 552448]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchAssistant = About:Blank
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    Trusted Zone: aol.com\free
    Trusted Zone: microsoft.com\v4.windowsupdate
    Trusted Zone: microsoft.com\windowsupdate
    Trusted Zone: microsoft.com\www
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{E3BB3F2A-8F67-4B96-A432-8190258C0FD1} - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-01 18:11
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8705D446]<<
    kernel: MBR read successfully
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(792)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'lsass.exe'(852)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(1988)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\system32\WDBtnMgr.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\System32\CTsvcCDA.exe
    c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\OpenOffice.org 3\program\soffice.exe
    c:\program files\OpenOffice.org 3\program\soffice.bin
    c:\windows\System32\nvsvc32.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Windows Live\Contacts\wlcomm.exe
    .
    **************************************************************************
    .
    Completion time: 2010-11-01 18:18:21 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-11-02 01:18
    ComboFix2.txt 2010-10-28 22:24
    ComboFix3.txt 2010-10-25 21:11

    Pre-Run: 166,740,090,880 bytes free
    Post-Run: 167,640,354,816 bytes free

    Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - 51DFF10F66C69A0712B06ACF275F48D8
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    You are very patient! The thread turned the age and I didn't, sorry.
    Before I forget, next time you open Notepad, please click on Format> Uncheck 'Word Wrap.' That will make it much easier for you to paste and for me to read the logs.

    The CK scan shows several entries for pirated data:
    c:\documents and settings\tom\favorites\computer stuff\http--kickme.to-crackz182.url
    c:\documents and settings\tom\favorites\computer stuff\seriall.com - serials, keys, keygen, cracks.url
    c:\documents and settings\tom\favorites\test\favorites\misc\crack's smilies =).url
    c:\documents and settings\tom\favorites\test\favorites\misc\mp3 sound - warez - appz - gamez - mp3z - hacking - serialz - crackz - ftpz.url
    c:\documents and settings\tom\favorites\test\misc\best microbez appz - here you can download all !warez! !crackz! !full retail appz! !real direct download! !iso! !gamez!.url
    c:\documents and settings\tom\favorites\test\misc\fast downloads - here you can see warez crackz serialz full appz gamez real direct download iso 1 file.url
    scanner sequence 3.FN.11

    Cracks and keygens are used to activate a program using a license key or activation code in order to get a program without paying for it.

    Please remove all of the entries above if you want continued support. Reboot the computer when finished, then repeat the CK Scan.
    =============================================
    Please go to Jotti's malware scan
    (If more than one file needs to be scanned, they must be done separately and links posted for each one)
    • Copy the file(s) path in the below Code box:
    • At the upload site, click once inside the window next to Browse.
    • Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
      Code:
      c:\windows\system32\rqRKEXnO.dll
      c:\windows\system32\kejajumo.dll
      
    • Next click Submit file
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    • This will perform a scan across multiple different virus scanning engines.
    • Important: Wait for all of the scanning engines to complete.
    • Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
    ==============================================
    Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = About:Blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = About:Blank
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN (See Note 1)
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS.../pc/index.html
    O20 - Winlogon Notify: rqRIxxXn - Invalid registry found


    Close all Windows except HijackThis and click on "Fix Checked."

    Note 1: RegShave:
    Part of the USB driver for your Fuji digital cameras - used when uninstalling the USB drivers, erasing all entries from the registry. Only required BEFORE attempting to uninstall the Fuji software or the uninstall may not work correctly
    =======================================
    You will need to update the Adobe Reader to v9.xx when we are finished: visit this Adobe Reader site. Uninstall any earlier updates, as they are vulnerabilities.

    I have a script written for you to run through Combofix. After I see the logs from the above scans, I will know if I need to include any other entries.
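    The entries the helper asks to have fixed above follow a few recognisable shapes in a HijackThis log: R0/R1 search or start-page values reset to About:Blank, an O2 BHO whose DLL reads "(no file)", and an O20 Winlogon Notify package that HijackThis reports as invalid. The script below, added here as an example and not code from the thread, from HijackThis or from ComboFix, applies those three rules to log lines copied from this thread, and also decodes the hex-encoded *SearchMigratedDefaultURL values that ComboFix prints in its DDS section (the value quoted in the CFScript later in the thread decodes to a Google URL). Function names and the sample list are my own.

```python
"""Triage of HijackThis-style log lines and ComboFix DDS hex values.

Added example for this thread; not code from the thread, HijackThis or
ComboFix. Function names are the example's own.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Sample input, constructed from the log lines quoted in this thread.
SAMPLE_HJT_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = About:Blank",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)",
    r"O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui",
    r"O20 - Winlogon Notify: rqRIxxXn - Invalid registry found",
    r"O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe",
]

# Every HijackThis entry starts with its section code, e.g. "R1 - ..." or "O20 - ...".
SECTION_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a line matching one of the indicator rules, else None."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section in ("R0", "R1"):
        # Form is "Key,Value = data"; a search or start page reset to
        # about:blank is the browser hijack pattern flagged in the thread.
        _, _, data = body.partition(" = ")
        if data.strip().lower() == "about:blank":
            return Finding(section, "search/start page set to about:blank", line)
    elif section == "O2" and body.rstrip().endswith("(no file)"):
        # A BHO CLSID still registered after its DLL is gone: orphaned entry.
        return Finding(section, "BHO registered but its DLL is missing", line)
    elif section == "O20" and "Invalid registry found" in body:
        # Winlogon Notify packages load into winlogon.exe; an invalid one
        # with a random-looking name is the entry the helper asked to remove.
        return Finding(section, "Winlogon Notify entry reported invalid", line)
    return None


def triage_log(lines: Iterable[str]) -> List[Finding]:
    """Run triage_line over a whole log, keeping only the hits."""
    return [f for f in (triage_line(l) for l in lines) if f is not None]


def decode_migrated_url(value: str) -> str:
    """Decode a hex string such as ComboFix's *SearchMigratedDefaultURL value."""
    value = value.strip()
    if len(value) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", value):
        raise ValueError("not a hex-encoded value")
    return bytes.fromhex(value).decode("ascii", errors="replace")


if __name__ == "__main__":
    for f in triage_log(SAMPLE_HJT_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
    # Value quoted from the ComboFix DDS section in this thread.
    print(decode_migrated_url("687474703a2f2f7777772e476f6f676c652e636f6d2f"))
```

    The rules are deliberately narrow: they only confirm the patterns a helper has already named, so a clean O4 or O23 line is never flagged on its own, and every hit still needs the human review the thread shows.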
  10. Rstynls

    Rstynls Newcomer, in training Topic Starter Posts: 19

    NP, very patient. Appreciate the help.

    Wordwrap not checked.

    Old bookmarks deleted.

    Jotti's didn't work. Couldn't paste anything, either ctrl-v or right click. Looked up files manually, they weren't there.

    Uninstalled Adobe Reader v7, haven't installed v9 yet.

    Logs:

    CKScanner - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.RP.11
    ----- EOF -----

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:56:18 AM, on 11/8/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\ESPNRunTime\DIGServices.exe
    C:\WINDOWS\system32\WDBtnMgr.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
    C:\Program Files\RSSoft\RedSwoosh.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Belkin\F5D8053v4\BelkinWCUI.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: (no name) - {E3BB3F2A-8F67-4B96-A432-8190258C0FD1} - (no file)
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
    O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
    O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Red Swoosh] C:\Program Files\RSSoft\RedSwoosh.exe /S
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
    O4 - Global Startup: Belkin Wireless Networking Utility.lnk = ?
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    --
    End of file - 8697 bytes
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Try these again please- I should have put them in a Quote box, not a Code box. If nothing comes up with Jotti, try this:
    Please go to VirSCAN.org FREE on-line scan service:
    If busy, you can use one of the following: ( you only need one)
    VirusTotal
    Jotti

    1. Copy and paste the following file path into the Suspicious files to scan box on the top of the page - remember, only select one at a time:
       .
    2. At the upload site, click once inside the window next to Browse.
    3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    4. Click on the Upload button.
       This will perform a scan across multiple different virus scanning engines.
       Your file will possibly be entered into a queue which normally takes less than a minute to clear.
       Important: Wait for all of the scanning engines to complete.
    5. Once the Scan is completed, scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
    6. Paste the contents of the Clipboard in your next reply.

  12. Rstynls

    Rstynls Newcomer, in training Topic Starter Posts: 19

    Tried them all. Unable to paste anything in the submit box on any of them. Tried manually browsing for the files and they are not there.

    Could be part of the virus I guess. Can't make posts to message boards either. Have to do this from a different computer.
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Windows Updates can wait. Is this the only site you can't post to? Do you access it?
  14. Rstynls

    Rstynls Newcomer, in training Topic Starter Posts: 19

    Turned off Windows Update, it seemed to keep crashing the computer when it tried to check on its own.

    I can see the message board, but when I hit the submit button I get an error page that says no network connection. Pretty sure it happens anywhere there is a submit button.

    Doesn't let me send emails from hotmail either. Soon after I tried my account was locked, same with my gmail account. Reset passwords and not accessing anything that uses a password on that computer.

    The longer I leave it on I get Avast popping with virus alerts, always a svchost file. Oh and at some point something crashes and I lose sound.

    I can start writing down the errors if you want.
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Please run this Custom CFScript

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\program files\lavalys\everest ultimate edition\kerneld.wnt
    Folder::
    c:\docume~1\alluse~1\applic~1\McAfee Security Scan
    c:\program files\McAfee Security Scan
    
    DDS::
    uSearch Page = About:Blank
    uSearch Bar = About:Blank
    uDefault_Search_URL = About:Blank
    uSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
    mSearch Bar = about:blank
    mSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = About:Blank
    mSearchURL = about:blank
    mSearchAssistant = about:blank
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxps://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&6&04.00.08.43&unknown&unknown&http://www.toyota.com/vehicles/2005/.../pc/index.html
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRIxxXn] 
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRIxxXn]
    [BU]
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    In Errors: Are you using the following?
    10/22/2010 9:33:41 PM, The TCAITDI Protocol service failed to start due to the following error: The system cannot find the file specified.
    TCAICCHG.SYS Related to TCAICCHG.SYS 3Com Windows NT NIC Diagnostic Memory/Port Access Driver.
    10/22/2010 9:33:41 PM, - The tcaicchg service failed to start due to the following error: The system cannot find the file specified.
    10/22/2010 9:33:41 PM, The PfModNT service failed to start due to the following error: The system cannot find the file specified. >> Related to PfModNT.sys PCI/ISA Device Info. Service from Creative Technology
    10/22/2010 9:33:10 PM, error: iviVD [9] - The device, \Device\Scsi\iviVD1, did not respond within the timeout period. >> virtual drive that AUTOMATICALLY gets installed with intervideo copy dvd 4
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Closed due to inactivity. Please PM your helper if you need this thread reopened.
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Reopened at member's request.

    Please provide description of continuing problems.
    Also new scan with Combofix.

    And Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Note: We close these threads if there has not been a reply for 5 days. This is both to prevent others from posting on the thread and also because earlier logs may be out of date.
  18. Rstynls

    Rstynls Newcomer, in training Topic Starter Posts: 19

    Logs

    Thanks

    No real changes since the beginning, except now Avast catches something called taskcgr.exe; also noticed after about an hour I lose audio through windows media player.

    On the errors you mentioned in the previous post, no programs I'm using/need.

    Logs:

    ComboFix 10-11-18.03 - Tom 11/18/2010 20:11:49.5.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.420 [GMT -8:00]
    Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: The Shield Deluxe Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\lsp21.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-19 to 2010-11-19 )))))))))))))))))))))))))))))))
    .

    2010-11-19 04:11 . 2010-11-19 04:11 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
    2010-11-19 04:11 . 2010-11-19 04:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
    2010-11-12 07:05 . 2010-11-12 07:05 0 ----a-w- c:\windows\system32\lsp21.tmp
    2010-11-03 05:07 . 2010-11-03 05:07 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\Mozilla Corporation
    2010-11-01 19:49 . 2010-11-01 19:49 388096 ----a-r- c:\documents and settings\Tom\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-11-01 19:49 . 2010-11-01 19:49 -------- d-----w- c:\program files\Trend Micro
    2010-10-28 20:36 . 2010-10-28 20:36 -------- d-----w- C:\_OTM
    2010-10-28 20:22 . 2010-10-28 20:22 -------- d-sh--w- c:\documents and settings\Tom\IECompatCache
    2010-10-25 18:48 . 2010-10-25 18:48 -------- d-----w- c:\program files\ESET
    2010-10-24 12:30 . 2010-10-24 12:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
    2010-10-24 11:54 . 2010-11-02 01:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 19:23 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2001-08-18 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2001-08-18 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-15 11:50 . 2010-09-26 15:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-15 09:29 . 2007-04-19 04:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-09-10 05:58 . 2006-06-23 19:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2006-06-27 01:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2006-06-27 01:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 18:17 . 2010-09-08 18:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 18:17 . 2010-09-08 18:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-07 15:12 . 2010-06-30 06:13 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-07 15:11 . 2010-06-01 01:32 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-09-07 14:52 . 2010-06-01 01:32 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-09-07 14:52 . 2010-06-01 01:32 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-09-07 14:47 . 2010-06-01 01:32 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-09-07 14:47 . 2010-06-01 01:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-09-07 14:47 . 2010-06-01 01:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-09-07 14:47 . 2010-06-01 01:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-09-07 14:46 . 2010-06-01 01:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-09-02 15:21 . 2010-09-26 03:29 131072 ----a-w- c:\windows\system32\EKIJCOINST09.dll
    2010-09-02 15:17 . 2010-09-26 03:29 196608 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EKIJ5000PPR.dll
    2010-09-02 15:17 . 2010-09-26 03:29 421888 ----a-w- c:\windows\system32\EKIJ5000MON.dll
    2010-09-01 11:51 . 2001-08-18 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2001-08-18 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2001-08-18 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2001-08-18 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2001-08-18 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-04-19 05:52 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2001-08-18 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 139264]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "Red Swoosh"="c:\program files\RSSoft\RedSwoosh.exe" [2007-07-19 62436]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-10-29 4620288]
    "nwiz"="nwiz.exe" [2004-10-29 921600]
    "NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-10-29 86016]
    "CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
    "CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
    "CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
    "SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
    "RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-25 868352]
    "RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-06-24 319488]
    "DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2005-05-19 101888]
    "WD Button Manager"="WDBtnMgr.exe" [2007-09-24 364544]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
    "Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
    "EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Belkin Wireless Networking Utility.lnk - c:\program files\Belkin\F5D8053v4\BelkinWCUI.exe [2009-1-12 1474560]
    InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-12-30 303104]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRIxxXn]
    [BU]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0sprestrt

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
    TCAUDIAG.exe -on [X]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9322:TCP"= 9322:TCP:EKDiscovery

    R0 viasraid;viasraid;c:\windows\system32\drivers\VIASRAID.SYS [5/13/2010 4:35 AM 77056]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/31/2010 5:32 PM 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/31/2010 5:32 PM 17744]
    R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [9/13/2010 4:18 PM 308656]
    R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [12/4/2004 9:17 AM 16168]
    S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [12/23/2008 6:17 PM 552448]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    Trusted Zone: aol.com\free
    Trusted Zone: microsoft.com\v4.windowsupdate
    Trusted Zone: microsoft.com\windowsupdate
    Trusted Zone: microsoft.com\www
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{E3BB3F2A-8F67-4B96-A432-8190258C0FD1} - (no file)
    MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-18 20:28
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: VIA_SATA rev.____ -> Harddisk0\DR0 -> \Device\Scsi\viasraid1

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8705D446]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x87063504]; MOV EAX, [0x87063580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8712BAB8]
    3 CLASSPNP[0xF7640FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8700C678]
    \Driver\viasraid[0x87053560] -> IRP_MJ_CREATE -> 0x8705D446
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Scsi\viasraid1Port3Path0Target0Lun0 -> \??\SCSI#Disk&Ven_VIA_SATA&Prod__RAID_0&Rev_#4&17c50b7c&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(792)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'lsass.exe'(852)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(4012)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\system32\WDBtnMgr.exe
    c:\program files\OpenOffice.org 3\program\soffice.exe
    c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    c:\program files\OpenOffice.org 3\program\soffice.bin
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\System32\CTsvcCDA.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\System32\nvsvc32.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Windows Live\Contacts\wlcomm.exe
    .
    **************************************************************************
    .
    Completion time: 2010-11-18 20:33:52 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-11-19 04:33
    ComboFix2.txt 2010-11-02 01:18
    ComboFix3.txt 2010-10-28 22:24
    ComboFix4.txt 2010-10-25 21:11

    Pre-Run: 166,402,981,888 bytes free
    Post-Run: 167,253,151,744 bytes free

    Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - 4ECD232065445E642D7162C1931F9978

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=cd05b446a638da4ea8ee7160551946f8
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-10-25 07:47:10
    # local_time=2010-10-25 12:47:10 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=768 16777215 100 0 15384598 15384598 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=166279
    # found=6
    # cleaned=0
    # scan_time=3061
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde16.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
    C:\New Folder\acdsee_3_retail\CORE99.EXE a variant of Win32/Packed.PECrypt32.A application 00000000000000000000000000000000 I
    C:\WINDOWS\system32\ajagebir.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
    C:\WINDOWS\system32\ehihidav.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
    C:\WINDOWS\system32\xrljfmos.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
    G:\Files\acdsee_3_retail\CORE99.EXE a variant of Win32/Packed.PECrypt32.A application 00000000000000000000000000000000 I
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=cd05b446a638da4ea8ee7160551946f8
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-11-19 05:22:27
    # local_time=2010-11-18 09:22:27 (-0800, Pacific Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 1414144 1414144 0 0
    # compatibility_mode=768 16777215 100 0 17493146 17493146 0 0
    # compatibility_mode=8192 67108863 100 0 2022601 2022601 0 0
    # scanned=80649
    # found=13
    # cleaned=0
    # scan_time=2631
    C:\Qoobox\Quarantine\C\Documents and Settings\Tom\Application Data\Bitrix Security\podzce.dll.vir Win32/AutoRun.Spy.Ambler.CE worm 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ajagebir.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ehihidav.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\WINDOWS\system32\lsp21.dll.vir Win32/TrojanClicker.Agent.NMF trojan 00000000000000000000000000000000 I
    C:\Qoobox\Quarantine\C\WINDOWS\system32\xrljfmos.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{4D144980-39AB-4148-9EEB-A6415203F250}\RP1337\A0153618.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{4D144980-39AB-4148-9EEB-A6415203F250}\RP1337\A0153619.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{4D144980-39AB-4148-9EEB-A6415203F250}\RP1337\A0153620.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{4D144980-39AB-4148-9EEB-A6415203F250}\RP1345\A0156930.dll Win32/AutoRun.Spy.Ambler.CE worm 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{4D144980-39AB-4148-9EEB-A6415203F250}\RP1349\A0172934.exe Win32/TrojanClicker.Agent.NME trojan 00000000000000000000000000000000 I
    C:\System Volume Information\_restore{4D144980-39AB-4148-9EEB-A6415203F250}\RP1350\A0173137.dll Win32/TrojanClicker.Agent.NMF trojan 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\10282010_133654\C_Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde16.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
    C:\_OTM\MovedFiles\10282010_133654\C_New Folder\acdsee_3_retail\CORE99.EXE a variant of Win32/Packed.PECrypt32.A application 00000000000000000000000000000000 I
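A note on what the GMER MBR block at the top of this post is reporting. The tool reads sector 0 once through a user-mode handle ("user: MBR read successfully") and once through the kernel disk stack ("kernel: MBR read successfully"), checks both, and disassembles the first bytes of boot code (the "_asm { XOR AX, AX; ... }" line). "user & kernel MBR OK" is the verdict on the sector itself; the separate "possible TDL3" warning comes from the disk trace above it, where viasraid's IRP_MJ_CREATE handler points at 0x8705D446, an address GMER could not attribute to any loaded module (">>UNKNOWN<<"). The script below is an added example for this thread, not GMER's code: it parses a 512-byte MBR (partition table and 0x55AA signature), diffs two reads of it the way a user-vs-kernel check does, and tests whether the boot code starts with the byte encoding of the instructions GMER disassembled above. Both sample images are constructed, not captured from this machine; the "tampered" one keeps the partition table and replaces only the boot code, which is the pattern of an MBR bootkit.

```python
"""Parse a 512-byte MBR and diff two reads of it, as an MBR rootkit check does.

Added example for this thread; not GMER's code.  XP_PROLOGUE is the byte
encoding of the instructions in the "_asm { XOR AX, AX; ... JNZ 0x3a; }" line
in the GMER log above.  The partition-table layout and 0x55AA signature are
the standard MBR format.  Both sample images are constructed, not captured.
"""
import struct
from dataclasses import dataclass

SECTOR = 512
PART_TABLE_OFFSET = 0x1BE      # 446 bytes of boot code, then 4 x 16-byte entries
SIGNATURE = b"\x55\xaa"        # last two bytes of a valid MBR

# XOR AX,AX; MOV SS,AX; MOV SP,7C00h; STI; PUSH AX; POP ES; PUSH AX; POP DS;
# CLD; MOV SI,7C1Bh; MOV DI,061Bh; PUSH AX; PUSH DI; MOV CX,01E5h; REP MOVSB;
# RETF; MOV BP,07BEh; MOV CL,4; CMP [BP+0],CH; JL +09h; JNZ +13h
XP_PROLOGUE = bytes.fromhex(
    "33c08ed0bc007cfb5007501ffcbe1b7cbf1b06"
    "5057b9e501f3a4cbbdbe07b104386e007c097513"
)


@dataclass(frozen=True)
class Partition:
    index: int
    bootable: bool
    type_id: int      # 0x07 = NTFS
    lba_start: int
    sectors: int


def parse_mbr(sector):
    """Return (boot_code, [Partition, ...]); raise ValueError on a bad sector."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    if sector[SECTOR - 2:] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue                      # empty slot
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return bytes(sector[:PART_TABLE_OFFSET]), parts


def build_mbr(boot_code, partitions):
    """Assemble an MBR from boot code and (bootable, type_id, lba_start, sectors) tuples."""
    code = bytes(boot_code).ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xff\xff\xff",
                    ptype, b"\xff\xff\xff", lba, count)   # CHS fields unused (LBA addressing)
        for bootable, ptype, lba, count in partitions)
    return code + table.ljust(64, b"\x00") + SIGNATURE


def compare_reads(user_read, kernel_read):
    """Diff a user-mode and a kernel-mode read of sector 0.

    A rootkit that filters disk I/O can answer the two paths differently, so
    any mismatch is a finding; on a clean disk both reads are identical."""
    u_code, u_parts = parse_mbr(user_read)
    k_code, k_parts = parse_mbr(kernel_read)
    diffs = [i for i in range(SECTOR) if user_read[i] != kernel_read[i]]
    return {
        "identical": not diffs,
        "first_diff": diffs[0] if diffs else None,
        "boot_code_differs": u_code != k_code,
        "table_differs": u_parts != k_parts,
        "known_prologue": k_code.startswith(XP_PROLOGUE),
        "partitions": k_parts,
    }


# Constructed images: one bootable NTFS partition starting at LBA 63.  The
# "tampered" copy keeps the partition table and replaces only the boot code
# (here a placeholder "jmp $" plus NOPs), the pattern of an MBR bootkit.
LAYOUT = [(True, 0x07, 63, 976_768_002)]
CLEAN_MBR = build_mbr(XP_PROLOGUE, LAYOUT)
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\x90" * 60, LAYOUT)

if __name__ == "__main__":
    print("clean vs clean:   ", compare_reads(CLEAN_MBR, CLEAN_MBR)["identical"])
    print("clean vs tampered:", compare_reads(CLEAN_MBR, TAMPERED_MBR))
```

The comparison is the part that matters on a suspect box: a modified partition table or boot code that only shows up on one of the two reads is a much stronger signal than an unfamiliar prologue on its own, since OEM and third-party boot managers legitimately replace the boot code.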
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Let's get together here. You started this 3 weeks ago. I helped you through several scans, including setting up removals for the Eset entries and multiple scripts to run through Combofix. You left the thread and I closed it after 5 days of no reply.

    The Eset scan shows no new infections. Did you run the last script I left?
    ============================================
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double-click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
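Bobbye's reading of the second ESET log ("no new infections") comes down to where the 13 hits sit: every path is under C:\Qoobox\Quarantine (ComboFix's quarantine), C:\_OTM\MovedFiles (OTM's) or a System Restore point, i.e. copies already pulled out of the load path, whereas the first scan had live hits in C:\WINDOWS\system32. The script below is an added example for this thread, not ESET's, ComboFix's or OTM's code. It parses the log format shown above (the "# key=value" header, then one detection per line: path, threat name, MD5, flag) and splits the hits into live versus quarantined. The quarantine prefixes, and the rule that the threat family token always contains a "/" while a Windows path never does, are assumptions made here; the sample lines are copied from the two scans above.

```python
"""Sort ESET Online Scanner hits into live vs. already-quarantined copies.

Added example for this thread; not ESET's, ComboFix's or OTM's code.
Log format as posted above: '# key=value' header lines, then one detection
per line: <path> <threat name> <32-hex MD5> <flag>.
"""
import re
from dataclasses import dataclass

# Folders that only hold copies already taken out of the load path:
# ComboFix's quarantine, OTM's MovedFiles and System Restore points.
# Assumed list, based on the paths in the logs above.
QUARANTINE_PREFIXES = (
    "c:\\qoobox\\quarantine\\",
    "c:\\_otm\\movedfiles\\",
    "c:\\system volume information\\_restore",
)

# Both the path and the threat name can contain spaces, so the line is split
# at the threat family token: it always carries a "/" (Win32/..., JS/...),
# optionally prefixed by "a variant of", and a Windows path never does.
# Heuristic, not an ESET-documented grammar.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<threat>(?:probably\s+)?(?:a variant of\s+)?[A-Za-z0-9]+/\S.*?)\s+"
    r"(?P<md5>[0-9a-fA-F]{32})\s+(?P<flag>[A-Z])\s*$"
)


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    md5: str
    flag: str

    @property
    def quarantined(self) -> bool:
        p = self.path.lower()
        return any(p.startswith(q) for q in QUARANTINE_PREFIXES)


def parse_eset_log(text):
    """Return (header dict, [Detection, ...]) for one scan block."""
    header, hits = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, sep, value = line[1:].strip().partition("=")
            if sep:
                header.setdefault(key, value)  # repeated keys: keep the first
            continue
        m = DETECTION_RE.match(line)
        if m:
            hits.append(Detection(m["path"], m["threat"], m["md5"], m["flag"]))
    return header, hits


def summarize(text):
    """Split hits into live vs. quarantined and cross-check the header count."""
    header, hits = parse_eset_log(text)
    live = [h for h in hits if not h.quarantined]
    declared = int(header.get("found", "0"))
    return {
        "declared_found": declared,
        "parsed": len(hits),
        "header_matches": declared == len(hits),
        "cleaned": int(header.get("cleaned", "0")),
        "quarantined": len(hits) - len(live),
        "live": [(h.path, h.threat) for h in live],
    }


# Constructed sample: two live hits from the first scan above and three
# quarantine / restore-point copies from the second.
SAMPLE_LOG = r"""
# version=7
# end=finished
# found=5
# cleaned=0
C:\WINDOWS\system32\ajagebir.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\New Folder\acdsee_3_retail\CORE99.EXE a variant of Win32/Packed.PECrypt32.A application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\lsp21.dll.vir Win32/TrojanClicker.Agent.NMF trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4D144980-39AB-4148-9EEB-A6415203F250}\RP1337\A0153618.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\_OTM\MovedFiles\10282010_133654\C_New Folder\acdsee_3_retail\CORE99.EXE a variant of Win32/Packed.PECrypt32.A application 00000000000000000000000000000000 I
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it over the full second scan and "live" comes back empty, which is the check behind "no new infections"; the "header_matches" field catches a log that was cut off when pasting, since "# found=" is written by the scanner while the detection lines are what actually survived the copy.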
  20. Rstynls

    Rstynls Newcomer, in training Topic Starter Posts: 19

    Logs

    Possibly Avast updated and it's something it now catches? Or I just didn't notice it. I get a lot of virus messages and things crashing. Have been keeping a list now. Avast also catches a lot of svchost.exe and I get a popup for "Generic Host Process for Win32 Services" shutting down.

    Ran the script but it didn't post a log after the computer restarted; mentioned that when I messaged you, but I understand you are helping a lot of people and just missed it because it's not in this thread. Just ran it again and the log follows, along with the TDSSKiller log.

    ComboFix 10-11-20.03 - Tom 11/20/2010 17:34:07.6.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.412 [GMT -8:00]
    Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Tom\Desktop\CFScript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: The Shield Deluxe Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

    FILE ::
    "c:\program files\lavalys\everest ultimate edition\kerneld.wnt"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\regshave\REGSHAVE.EXE

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-21 to 2010-11-21 )))))))))))))))))))))))))))))))
    .

    2010-11-19 04:11 . 2010-11-19 04:11 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
    2010-11-19 04:11 . 2010-11-19 04:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
    2010-11-12 07:05 . 2010-11-12 07:05 0 ----a-w- c:\windows\system32\lsp21.tmp
    2010-11-03 05:07 . 2010-11-03 05:07 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\Mozilla Corporation
    2010-11-01 19:49 . 2010-11-01 19:49 388096 ----a-r- c:\documents and settings\Tom\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-11-01 19:49 . 2010-11-01 19:49 -------- d-----w- c:\program files\Trend Micro
    2010-10-28 20:36 . 2010-10-28 20:36 -------- d-----w- C:\_OTM
    2010-10-28 20:22 . 2010-10-28 20:22 -------- d-sh--w- c:\documents and settings\Tom\IECompatCache
    2010-10-25 18:48 . 2010-10-25 18:48 -------- d-----w- c:\program files\ESET
    2010-10-24 12:30 . 2010-10-24 12:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
    2010-10-24 11:54 . 2010-11-02 01:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 19:23 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2001-08-18 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2001-08-18 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-15 11:50 . 2010-09-26 15:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-15 09:29 . 2007-04-19 04:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-09-10 05:58 . 2006-06-23 19:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2006-06-27 01:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2006-06-27 01:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 18:17 . 2010-09-08 18:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 18:17 . 2010-09-08 18:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-07 15:12 . 2010-06-30 06:13 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-07 15:11 . 2010-06-01 01:32 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-09-07 14:52 . 2010-06-01 01:32 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-09-07 14:52 . 2010-06-01 01:32 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-09-07 14:47 . 2010-06-01 01:32 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-09-07 14:47 . 2010-06-01 01:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-09-07 14:47 . 2010-06-01 01:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-09-07 14:47 . 2010-06-01 01:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-09-07 14:46 . 2010-06-01 01:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-09-02 15:21 . 2010-09-26 03:29 131072 ----a-w- c:\windows\system32\EKIJCOINST09.dll
    2010-09-02 15:17 . 2010-09-26 03:29 196608 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EKIJ5000PPR.dll
    2010-09-02 15:17 . 2010-09-26 03:29 421888 ----a-w- c:\windows\system32\EKIJ5000MON.dll
    2010-09-01 11:51 . 2001-08-18 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2001-08-18 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2001-08-18 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2001-08-18 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2001-08-18 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-04-19 05:52 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2001-08-18 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-10-25_21.06.18 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-11-21 01:17 . 2010-11-21 01:17 16384 c:\windows\Temp\Perflib_Perfdata_bb0.dat
    + 2001-08-18 12:00 . 2010-11-08 06:57 72446 c:\windows\system32\perfc009.dat
    - 2001-08-18 12:00 . 2010-10-08 06:28 72446 c:\windows\system32\perfc009.dat
    + 2001-08-18 12:00 . 2010-11-08 06:57 443942 c:\windows\system32\perfh009.dat
    - 2001-08-18 12:00 . 2010-10-08 06:28 443942 c:\windows\system32\perfh009.dat
    + 2010-11-01 19:49 . 2010-11-01 19:49 1094656 c:\windows\Installer\9aa12.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 139264]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "Red Swoosh"="c:\program files\RSSoft\RedSwoosh.exe" [2007-07-19 62436]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-10-29 4620288]
    "nwiz"="nwiz.exe" [2004-10-29 921600]
    "NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-10-29 86016]
    "CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
    "CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
    "CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
    "SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
    "RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-25 868352]
    "RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-06-24 319488]
    "DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2005-05-19 101888]
    "WD Button Manager"="WDBtnMgr.exe" [2007-09-24 364544]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
    "Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
    "EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

    c:\documents and settings\Tom\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Belkin Wireless Networking Utility.lnk - c:\program files\Belkin\F5D8053v4\BelkinWCUI.exe [2009-1-12 1474560]
    InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-12-30 303104]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRIxxXn]
    [BU]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0sprestrt

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
    TCAUDIAG.exe -on [X]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9322:TCP"= 9322:TCP:EKDiscovery

    R0 viasraid;viasraid;c:\windows\system32\drivers\VIASRAID.SYS [5/13/2010 4:35 AM 77056]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/31/2010 5:32 PM 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/31/2010 5:32 PM 17744]
    R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [9/13/2010 4:18 PM 308656]
    R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [12/4/2004 9:17 AM 16168]
    S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [12/23/2008 6:17 PM 552448]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    Trusted Zone: aol.com\free
    Trusted Zone: microsoft.com\v4.windowsupdate
    Trusted Zone: microsoft.com\windowsupdate
    Trusted Zone: microsoft.com\www
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{E3BB3F2A-8F67-4B96-A432-8190258C0FD1} - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-20 17:45
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: VIA_SATA rev.____ -> Harddisk0\DR0 -> \Device\Scsi\viasraid1

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8705D446]<<
    c:\docume~1\Tom\LOCALS~1\Temp\catchme.sys
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x87063504]; MOV EAX, [0x87063580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8712BAB8]
    3 CLASSPNP[0xF7640FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x86FCF928]
    \Driver\viasraid[0x87053560] -> IRP_MJ_CREATE -> 0x8705D446
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Scsi\viasraid1Port3Path0Target0Lun0 -> \??\SCSI#Disk&Ven_VIA_SATA&Prod__RAID_0&Rev_#4&17c50b7c&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(792)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'lsass.exe'(852)
    c:\windows\system32\WININET.dll
    .
    Completion time: 2010-11-20 17:49:41
    ComboFix-quarantined-files.txt 2010-11-21 01:49
    ComboFix2.txt 2010-11-19 04:33
    ComboFix3.txt 2010-11-02 01:18
    ComboFix4.txt 2010-10-28 22:24
    ComboFix5.txt 2010-11-21 01:29

    Pre-Run: 166,796,300,288 bytes free
    Post-Run: 167,066,992,640 bytes free

    Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - D87FEE5C3CDB25E42DF5ECA83A277AD6

    2010/11/20 17:54:20.0750 TDSS rootkit removing tool 2.4.8.0 Nov 17 2010 07:23:12
    2010/11/20 17:54:20.0750 ================================================================================
    2010/11/20 17:54:20.0750 SystemInfo:
    2010/11/20 17:54:20.0750
    2010/11/20 17:54:20.0750 OS Version: 5.1.2600 ServicePack: 3.0
    2010/11/20 17:54:20.0765 Product type: Workstation
    2010/11/20 17:54:20.0765 ComputerName: GAME-MACHINE
    2010/11/20 17:54:20.0765 UserName: Tom
    2010/11/20 17:54:20.0765 Windows directory: C:\WINDOWS
    2010/11/20 17:54:20.0765 System windows directory: C:\WINDOWS
    2010/11/20 17:54:20.0765 Processor architecture: Intel x86
    2010/11/20 17:54:20.0765 Number of processors: 1
    2010/11/20 17:54:20.0765 Page size: 0x1000
    2010/11/20 17:54:20.0765 Boot type: Normal boot
    2010/11/20 17:54:20.0765 ================================================================================
    2010/11/20 17:54:20.0984 Initialize success
    2010/11/20 17:54:26.0078 ================================================================================
    2010/11/20 17:54:26.0078 Scan started
    2010/11/20 17:54:26.0078 Mode: Manual;
    2010/11/20 17:54:26.0078 ================================================================================
    2010/11/20 17:54:26.0593 Aavmker4 (8d488938e2f7048906f1fbd3af394887) C:\WINDOWS\system32\drivers\Aavmker4.sys
    2010/11/20 17:54:26.0859 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2010/11/20 17:54:26.0921 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2010/11/20 17:54:27.0109 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2010/11/20 17:54:27.0187 AegisP (023867b6606fbabcdd52e089c4a507da) C:\WINDOWS\system32\DRIVERS\AegisP.sys
    2010/11/20 17:54:27.0265 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2010/11/20 17:54:27.0703 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2010/11/20 17:54:27.0937 Aspi32 (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\system32\drivers\aspi32.sys
    2010/11/20 17:54:28.0046 aswFsBlk (a0d86b8ac93ef95620420c7a24ac5344) C:\WINDOWS\system32\drivers\aswFsBlk.sys
    2010/11/20 17:54:28.0125 aswMon2 (7d880c76a285a41284d862e2d798ec0d) C:\WINDOWS\system32\drivers\aswMon2.sys
    2010/11/20 17:54:28.0218 aswRdr (69823954bbd461a73d69774928c9737e) C:\WINDOWS\system32\drivers\aswRdr.sys
    2010/11/20 17:54:28.0296 aswSP (7ecc2776638b04553f9a85bd684c3abf) C:\WINDOWS\system32\drivers\aswSP.sys
    2010/11/20 17:54:28.0359 aswTdi (095ed820a926aa8189180b305e1bcfc9) C:\WINDOWS\system32\drivers\aswTdi.sys
    2010/11/20 17:54:28.0406 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2010/11/20 17:54:28.0515 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2010/11/20 17:54:28.0640 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2010/11/20 17:54:28.0734 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2010/11/20 17:54:28.0843 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2010/11/20 17:54:28.0953 Bridge (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
    2010/11/20 17:54:28.0968 BridgeMP (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
    2010/11/20 17:54:29.0234 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2010/11/20 17:54:29.0359 CdaD10BA (841cefab8228ee691705d059e7f21c47) C:\WINDOWS\System32\drivers\CdaD10BA.SYS
    2010/11/20 17:54:29.0437 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2010/11/20 17:54:29.0500 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2010/11/20 17:54:29.0562 Cdr4_xp (cedcbeee331deffe6999b6b4162e2246) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
    2010/11/20 17:54:29.0671 Cdralw2k (38b2f2439213fd5095f654afded23457) C:\WINDOWS\system32\drivers\Cdralw2k.sys
    2010/11/20 17:54:29.0718 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2010/11/20 17:54:29.0781 cdudf_xp (294f75a9f2c3317c61f5e51325e9976c) C:\WINDOWS\system32\drivers\cdudf_xp.sys
    2010/11/20 17:54:30.0000 COMMONFX.DLL (1ef05b641e9a67ded74ac8ad40055dbf) C:\WINDOWS\system32\COMMONFX.DLL
    2010/11/20 17:54:30.0156 CT20XUT.DLL (6191a973461852a09d643609e1d5f7c6) C:\WINDOWS\system32\CT20XUT.DLL
    2010/11/20 17:54:30.0250 ctac32k (8ac5f77e30e37d2d11bd99eff0c53d8c) C:\WINDOWS\system32\drivers\ctac32k.sys
    2010/11/20 17:54:30.0343 ctaud2k (673241d314e932f4890509ae8ebf26db) C:\WINDOWS\system32\drivers\ctaud2k.sys
    2010/11/20 17:54:30.0437 CTAUDFX.DLL (472b82d7e549e7fab428852e4d16f21d) C:\WINDOWS\system32\CTAUDFX.DLL
    2010/11/20 17:54:30.0546 ctdvda2k (ed316d4c3d39c5b6c23de067e275c183) C:\WINDOWS\system32\drivers\ctdvda2k.sys
    2010/11/20 17:54:30.0609 CTEAPSFX.DLL (6a57f82009563aee8826f117e1d3c72c) C:\WINDOWS\system32\CTEAPSFX.DLL
    2010/11/20 17:54:30.0687 CTEDSPFX.DLL (c8ac1ffaeadd655193d7b1811a572d8d) C:\WINDOWS\system32\CTEDSPFX.DLL
    2010/11/20 17:54:30.0750 CTEDSPIO.DLL (44495d9daf675257d00b25b041ee6667) C:\WINDOWS\system32\CTEDSPIO.DLL
    2010/11/20 17:54:30.0828 CTEDSPSY.DLL (8e90b1762cb42e2fc76dac9210c83c66) C:\WINDOWS\system32\CTEDSPSY.DLL
    2010/11/20 17:54:30.0875 CTERFXFX.DLL (d3fbd9983325435b06795f29cb57ed3d) C:\WINDOWS\system32\CTERFXFX.DLL
    2010/11/20 17:54:30.0984 CTEXFIFX.DLL (2c48e9d8ca703964463f27ae341115b7) C:\WINDOWS\system32\CTEXFIFX.DLL
    2010/11/20 17:54:31.0093 CTHWIUT.DLL (f7657c598e7c29c6683c1e4a8dd68884) C:\WINDOWS\system32\CTHWIUT.DLL
    2010/11/20 17:54:31.0171 ctprxy2k (34e7f8a499fd8361df14fedb724c0ad3) C:\WINDOWS\system32\drivers\ctprxy2k.sys
    2010/11/20 17:54:31.0265 CTSBLFX.DLL (679ae21eb7f48a08184813aebabdec7c) C:\WINDOWS\system32\CTSBLFX.DLL
    2010/11/20 17:54:31.0359 ctsfm2k (32098497cb4dfe9ea7660fa62dd91060) C:\WINDOWS\system32\drivers\ctsfm2k.sys
    2010/11/20 17:54:31.0593 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2010/11/20 17:54:31.0718 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2010/11/20 17:54:31.0812 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2010/11/20 17:54:31.0906 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2010/11/20 17:54:31.0984 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2010/11/20 17:54:32.0140 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2010/11/20 17:54:32.0234 DVDVRRdr_xp (a2abb2a771a522b9dd57ce57d9960661) C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
    2010/11/20 17:54:32.0312 dvd_2K (9d6fabf24b9ac7bd2ef52d7907fd2f8e) C:\WINDOWS\system32\drivers\dvd_2K.sys
    2010/11/20 17:54:32.0406 EL2000 (9d356817b223067ff6f7f9eb867585ef) C:\WINDOWS\system32\DRIVERS\EL2K_XP.sys
    2010/11/20 17:54:32.0500 emupia (2885f72d2daffd0329272f12e16d6579) C:\WINDOWS\system32\drivers\emupia2k.sys
    2010/11/20 17:54:32.0625 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2010/11/20 17:54:32.0671 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2010/11/20 17:54:32.0765 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2010/11/20 17:54:32.0812 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2010/11/20 17:54:32.0906 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2010/11/20 17:54:33.0000 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2010/11/20 17:54:33.0078 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2010/11/20 17:54:33.0125 gagp30kx (3a74c423cf6bcca6982715878f450a3b) C:\WINDOWS\system32\DRIVERS\gagp30kx.sys
    2010/11/20 17:54:33.0203 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
    2010/11/20 17:54:33.0281 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    2010/11/20 17:54:33.0375 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2010/11/20 17:54:33.0453 ha10kx2k (da2c735b66d2e7b739f9a46146581a9d) C:\WINDOWS\system32\drivers\ha10kx2k.sys
    2010/11/20 17:54:33.0578 hap16v2k (5c7d6d68796e4621b4168c879908dae0) C:\WINDOWS\system32\drivers\hap16v2k.sys
    2010/11/20 17:54:33.0718 hap17v2k (a595b88ad16d8b5693ddf08113caf30e) C:\WINDOWS\system32\drivers\hap17v2k.sys
    2010/11/20 17:54:33.0812 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2010/11/20 17:54:34.0015 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2010/11/20 17:54:34.0218 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2010/11/20 17:54:34.0312 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2010/11/20 17:54:34.0515 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2010/11/20 17:54:34.0578 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2010/11/20 17:54:34.0625 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2010/11/20 17:54:34.0734 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2010/11/20 17:54:34.0843 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2010/11/20 17:54:34.0921 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2010/11/20 17:54:35.0015 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2010/11/20 17:54:35.0078 Iviaspi (4ac11b2250106774f694df2db4ffed61) C:\WINDOWS\system32\drivers\iviaspi.sys
    2010/11/20 17:54:35.0156 iviVD (7bd8ff29fecc1f4ef5b26ce3ffa80ae8) C:\WINDOWS\system32\DRIVERS\iviVD.sys
    2010/11/20 17:54:35.0234 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2010/11/20 17:54:35.0281 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2010/11/20 17:54:35.0375 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2010/11/20 17:54:35.0484 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2010/11/20 17:54:35.0671 MASPINT (a2ae666cee860babe7fa6f1662b71737) C:\WINDOWS\system32\drivers\MASPINT.sys
    2010/11/20 17:54:35.0781 mmc_2K (0ba70511363a4a148815c6e57a5f99c5) C:\WINDOWS\system32\drivers\mmc_2K.sys
    2010/11/20 17:54:35.0875 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2010/11/20 17:54:35.0968 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2010/11/20 17:54:36.0046 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2010/11/20 17:54:36.0125 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2010/11/20 17:54:36.0187 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2010/11/20 17:54:36.0312 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2010/11/20 17:54:36.0390 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2010/11/20 17:54:36.0500 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2010/11/20 17:54:36.0593 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2010/11/20 17:54:36.0671 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2010/11/20 17:54:36.0734 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2010/11/20 17:54:36.0828 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2010/11/20 17:54:36.0921 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2010/11/20 17:54:37.0015 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2010/11/20 17:54:37.0093 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2010/11/20 17:54:37.0140 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2010/11/20 17:54:37.0218 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2010/11/20 17:54:37.0281 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2010/11/20 17:54:37.0343 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2010/11/20 17:54:37.0406 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2010/11/20 17:54:37.0562 netr28u (6f8480809d14f0594b4b1df07385da33) C:\WINDOWS\system32\DRIVERS\netr28u.sys
    2010/11/20 17:54:37.0718 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2010/11/20 17:54:37.0812 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2010/11/20 17:54:37.0890 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2010/11/20 17:54:37.0953 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2010/11/20 17:54:38.0140 nv (c823d5e609762c075f26f7fc56690f34) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2010/11/20 17:54:38.0328 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2010/11/20 17:54:38.0406 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2010/11/20 17:54:38.0484 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2010/11/20 17:54:38.0578 ossrv (61c85afeaa6ef0c1b32d43f84f7bfbcf) C:\WINDOWS\system32\drivers\ctoss2k.sys
    2010/11/20 17:54:38.0671 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2010/11/20 17:54:38.0703 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2010/11/20 17:54:38.0812 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2010/11/20 17:54:38.0906 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2010/11/20 17:54:39.0046 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2010/11/20 17:54:39.0468 PfDetNT (6dabb70783ef470492adb7b9a6e60bf3) C:\WINDOWS\System32\drivers\PfModNT.sys
    2010/11/20 17:54:39.0515 PfModNT (6dabb70783ef470492adb7b9a6e60bf3) C:\WINDOWS\System32\drivers\PfModNT.sys
    2010/11/20 17:54:39.0609 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2010/11/20 17:54:39.0687 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
    2010/11/20 17:54:39.0781 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2010/11/20 17:54:39.0843 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2010/11/20 17:54:39.0921 pwd_2k (a69812bcdf900f99e3ace4c38a3aefb2) C:\WINDOWS\system32\drivers\pwd_2k.sys
    2010/11/20 17:54:40.0000 PxHelp20 (183ef96bcc2ec3d5294cb2c2c0ecbcd1) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2010/11/20 17:54:40.0281 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2010/11/20 17:54:40.0359 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2010/11/20 17:54:40.0437 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2010/11/20 17:54:40.0500 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2010/11/20 17:54:40.0578 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2010/11/20 17:54:40.0656 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2010/11/20 17:54:40.0765 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2010/11/20 17:54:40.0859 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2010/11/20 17:54:40.0984 rt2870 (c2a6f7f35e617744a65dbfb0c0a64adc) C:\WINDOWS\system32\DRIVERS\rt2870.sys
    2010/11/20 17:54:41.0078 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
    2010/11/20 17:54:41.0218 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2010/11/20 17:54:41.0312 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2010/11/20 17:54:41.0406 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2010/11/20 17:54:41.0500 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2010/11/20 17:54:41.0703 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2010/11/20 17:54:41.0812 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2010/11/20 17:54:41.0921 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
    2010/11/20 17:54:42.0046 Sus2pl (3461268d6daa38b65de2936f521afbc4) C:\WINDOWS\system32\DRIVERS\sus2pl.sys
    2010/11/20 17:54:42.0125 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2010/11/20 17:54:42.0187 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2010/11/20 17:54:42.0500 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2010/11/20 17:54:42.0609 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2010/11/20 17:54:42.0656 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2010/11/20 17:54:42.0734 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2010/11/20 17:54:42.0812 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2010/11/20 17:54:43.0031 UdfReadr_xp (8d719ae3cc449768963a6a1f7ff4b769) C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
    2010/11/20 17:54:43.0093 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2010/11/20 17:54:43.0234 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2010/11/20 17:54:43.0296 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2010/11/20 17:54:43.0343 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2010/11/20 17:54:43.0390 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2010/11/20 17:54:43.0437 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2010/11/20 17:54:43.0515 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2010/11/20 17:54:43.0578 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\DRIVERS\usbser.sys
    2010/11/20 17:54:43.0656 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2010/11/20 17:54:43.0718 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2010/11/20 17:54:43.0781 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2010/11/20 17:54:43.0859 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
    2010/11/20 17:54:43.0921 viasraid (45469fa05947d75874316649a22878d4) C:\WINDOWS\system32\DRIVERS\VIASRAID.SYS
    2010/11/20 17:54:43.0984 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2010/11/20 17:54:44.0078 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2010/11/20 17:54:44.0187 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2010/11/20 17:54:44.0421 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    2010/11/20 17:54:44.0546 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2010/11/20 17:54:44.0593 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2010/11/20 17:54:44.0703 WUSB54GPV4SRV (70aeec67e87a2002e6b2cc353d56e222) C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
    2010/11/20 17:54:44.0859 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2010/11/20 17:54:44.0859 ================================================================================
    2010/11/20 17:54:44.0875 Scan finished
    2010/11/20 17:54:44.0875 ================================================================================
    2010/11/20 17:54:44.0906 Detected object count: 1
    2010/11/20 17:55:03.0890 \HardDisk0 - will be cured after reboot
    2010/11/20 17:55:03.0890 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
    2010/11/20 17:55:19.0750 Deinitialize success
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I missed this earlier: AV: The Shield Deluxe Antivirus *On-access scanning disabled* (Outdated). It's in the ComboFix header, running in addition to Avast. I don't see any entries in the log. The program had a trial, and if this is what you have, it can be removed. If you do not have it in the installed programs and it only appears in the header, I can remove it from there. If it's installed, follow this:

    The Shield Deluxe 2010, powered by BitDefender: Removal:
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    1. Open the control panel and select "Programs and Features" in Vista or "Add/Remove Programs" in older versions of Windows.
    2. Find The Shield Deluxe in your list of available programs and click "Remove."
    3. Read the choices in the uninstall wizard that pops up. Remove all aspects of the program, including definitions, the protected vaults and user configuration data.
    4. Verify that The Shield Deluxe is no longer checked on the Startup menu
    5. Wait until the wizard finishes, and then restart your computer into Normal Mode.
    =========================================
    Please run this Custom CFScript:

    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\lsp21.tmp
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRIxxXn]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ======================================
    Download bootkitremover.rar and save it to your desktop.
    • Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip
    • Double-click on the remover.exe file to run the program.
    • Paste the output in your next reply.
  22. Rstynls

    Rstynls Newcomer, in training Topic Starter Posts: 19

    Logs

    Posting this from infected computer, seeing if it works

    Don't have Shield Deluxe installed

    Things starting to seem more stable, something called PEV had an error and closed when combofix ran.

    Logs: Log has been removed as it is unreadable with Word Wrap on. Member advised, scan being repeated.

    ComboFix 10-11-23.01 - Tom 11/23/2010
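An added example, not code from this thread or from the authors of TDSSKiller or Bootkit Remover, for two chores these logs create: undoing the word wrap that makes a pasted Bootkit Remover log unreadable (the reason the previous log in this thread was pulled), and pulling the decisions out of a TDSSKiller run: the detection line, drivers whose MD5 differs from a baseline, and modules loaded from a user profile or Temp directory. The sample lines are constructed from the line formats visible on this page; the MD5 baseline is made up for the illustration (one entry deliberately wrong) and is not a list of known-good hashes; the rejoin rule (space at the join unless a double quote is still open) is an assumption about how the paste was wrapped.

```python
"""Triage helpers for TDSSKiller and Bootkit Remover logs like the ones pasted in this
thread. Added example, not code from the thread, Kaspersky or eSage Lab. Samples are
constructed from the line formats visible on the page; BASELINE is illustrative only."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed TDSSKiller lines: driver enumeration (name, MD5, path) plus one detection.
TDSSKILLER_SAMPLE = r"""
2010/11/20 17:54:42.0609 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/11/20 17:54:43.0234 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/11/20 17:54:44.0859 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
"""

# Constructed Bootkit Remover output the way a forum paste with word wrap on leaves it:
# records broken over several lines, blank lines in between.
WRAPPED_SAMPLE = r"""
.\debug.cpp(256) : 0xebf78000 0x00059000

"\SystemRoot\System32\DRIVERS\tcpip.sys"
.\debug.cpp(256) : 0xeb8b2000 0x00008000

"\??\C:\DOCUME~1\Tom\LOCALS~1\Temp\catchme.sys"
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\Volume{0caa2527-b2bd-11dc-94b9-000ea6

4e849f}"
.\debug.cpp(400) : Destination

"\Device\CdRom2"
"""

# Constructed baseline: Tcpip copied from the sample, Update deliberately wrong.
BASELINE: Dict[str, str] = {"tcpip": "9aefa14bd6b182d61e3119fa5f436d3d",
                            "update": "ffffffffffffffffffffffffffffffff"}

RECORD_START = re.compile(r"^\.\\[A-Za-z_]+\.cpp\(\d+\)")
MODULE_LINE = re.compile(r'^\.\\debug\.cpp\(\d+\) : (0x[0-9a-fA-F]{8}) (0x[0-9a-fA-F]{8}) "([^"]+)"$')
DRIVER_LINE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) (\S+) \(([0-9a-fA-F]{32})\) (.+)$")
DETECT_LINE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) (\S+) - detected (\S+)")
# Kernel modules normally load from the Windows directory; a user profile or Temp path is
# worth a look. Legitimate scanners trip this too (GMER/ComboFix load catchme.sys from the
# user's Temp), so hits are a triage queue, not a verdict.
PROFILE_OR_TEMP = re.compile(r"\\(Temp|DOCUME~1|Documents and Settings|Users)\\", re.I)

LoadedModule = NamedTuple("LoadedModule", [("base", int), ("size", int), ("path", str)])
DriverEntry = NamedTuple("DriverEntry", [("timestamp", str), ("name", str), ("md5", str), ("path", str)])
Detection = NamedTuple("Detection", [("timestamp", str), ("obj", str), ("verdict", str)])

def rejoin_wrapped_log(text: str) -> List[str]:
    """Undo word wrap. A line not starting with a source-file prefix such as debug.cpp(256)
    continues the previous record. Join with a space unless that record has an unclosed
    double quote: then the break fell inside a quoted path or GUID and the pieces are glued
    back directly."""
    records: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += ("" if records[-1].count('"') % 2 else " ") + line
    return records

def parse_loaded_modules(records: List[str]) -> List[LoadedModule]:
    """(base, size, path) from Bootkit Remover's LOADED MODULES records."""
    hits = [MODULE_LINE.match(r) for r in records]
    return [LoadedModule(int(m.group(1), 16), int(m.group(2), 16), m.group(3)) for m in hits if m]

def modules_outside_system_dirs(modules: List[LoadedModule]) -> List[LoadedModule]:
    return [m for m in modules if PROFILE_OR_TEMP.search(m.path)]

def parse_tdsskiller(text: str) -> Tuple[List[DriverEntry], List[Detection]]:
    drivers, detections = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := DRIVER_LINE.match(line):
            drivers.append(DriverEntry(*m.groups()))
        elif m := DETECT_LINE.match(line):
            detections.append(Detection(*m.groups()))
    return drivers, detections

def check_driver_hashes(drivers: List[DriverEntry],
                        baseline: Dict[str, str]) -> List[Tuple[str, Optional[str], str]]:
    """(name, expected, actual) for every driver whose MD5 differs from the baseline or is
    absent from it. A clean list says nothing about the boot chain: TDSSKiller reported TDL4
    on the disk object, not in any driver file."""
    findings = []
    for d in drivers:
        expected = baseline.get(d.name.lower())
        if expected is None or expected.lower() != d.md5.lower():
            findings.append((d.name, expected, d.md5.lower()))
    return findings

if __name__ == "__main__":
    drivers, detections = parse_tdsskiller(TDSSKILLER_SAMPLE)
    print("detections:", detections)
    print("hash findings:", check_driver_hashes(drivers, BASELINE))
    modules = parse_loaded_modules(rejoin_wrapped_log(WRAPPED_SAMPLE))
    print("modules outside system dirs:", modules_outside_system_dirs(modules))
```

Run it directly and it prints the \HardDisk0 detection, the one hash mismatch, and the one module loaded from a Temp directory (catchme.sys, which here is a scanner's own driver: the rule surfaces candidates, a person decides). The detection is the finding that matters on this machine. TDL4 lives in the MBR and in sectors outside the file system, so every driver file hashing clean says nothing about whether the boot chain is, which is why the remaining steps in this thread go after the disk rather than the driver list.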
  23. Rstynls

    Rstynls Newcomer, in training Topic Starter Posts: 19

    Logs continued

    It worked

    BE0925924BB3CD5A60B396D50C7B3DC4

    .\debug.cpp(238) : Debug log started at 24.11.2010 - 03:03:41
    .\boot_cleaner.cpp(527) : Bootkit Remover
    .\boot_cleaner.cpp(528) : (c) 2009 eSage Lab
    .\boot_cleaner.cpp(529) : www.esagelab.com
    .\boot_cleaner.cpp(533) : Program version: 1.2.0.0
    .\boot_cleaner.cpp(540) : OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    .\debug.cpp(248) : **********************************************
    .\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
    .\debug.cpp(250) : **********************************************
    .\debug.cpp(256) : 0x804d7000 0x001f8980 "\WINDOWS\system32\ntkrnlpa.exe"
    .\debug.cpp(256) : 0x806d0000 0x00020300 "\WINDOWS\system32\hal.dll"
    .\debug.cpp(256) : 0xf7ad0000 0x00002000 "\WINDOWS\system32\KDCOM.DLL"
    .\debug.cpp(256) : 0xf79e0000 0x00003000 "\WINDOWS\system32\BOOTVID.dll"
    .\debug.cpp(256) : 0xf74a1000 0x0002e000 "ACPI.sys"
    .\debug.cpp(256) : 0xf7ad2000 0x00002000 "\WINDOWS\System32\DRIVERS\WMILIB.SYS"
    .\debug.cpp(256) : 0xf7490000 0x00011000 "pci.sys"
    .\debug.cpp(256) : 0xf75d0000 0x0000a000 "isapnp.sys"
    .\debug.cpp(256) : 0xf75e0000 0x00010000 "ohci1394.sys"
    .\debug.cpp(256) : 0xf75f0000 0x0000e000 "\WINDOWS\System32\DRIVERS\1394BUS.SYS"
    .\debug.cpp(256) : 0xf7ad4000 0x00002000 "viaide.sys"
    .\debug.cpp(256) : 0xf7850000 0x00007000 "\WINDOWS\System32\DRIVERS\PCIIDEX.SYS"
    .\debug.cpp(256) : 0xf7600000 0x0000b000 "MountMgr.sys"
    .\debug.cpp(256) : 0xf7471000 0x0001f000 "ftdisk.sys"
    .\debug.cpp(256) : 0xf7858000 0x00005000 "PartMgr.sys"
    .\debug.cpp(256) : 0xf7610000 0x0000d000 "VolSnap.sys"
    .\debug.cpp(256) : 0xf7620000 0x0000b000 "iviVD.sys"
    .\debug.cpp(256) : 0xf7459000 0x00018000 "\WINDOWS\System32\DRIVERS\SCSIPORT.SYS"
    .\debug.cpp(256) : 0xf7441000 0x00018000 "atapi.sys"
    .\debug.cpp(256) : 0xf742e000 0x00013000 "VIASRAID.SYS"
    .\debug.cpp(256) : 0xf7630000 0x00009000 "disk.sys"
    .\debug.cpp(256) : 0xf7640000 0x0000d000 "\WINDOWS\System32\DRIVERS\CLASSPNP.SYS"
    .\debug.cpp(256) : 0xf740e000 0x00020000 "fltmgr.sys"
    .\debug.cpp(256) : 0xf73fc000 0x00012000 "sr.sys"
    .\debug.cpp(256) : 0xf7860000 0x00005000 "PxHelp20.sys"
    .\debug.cpp(256) : 0xf73e5000 0x00017000 "KSecDD.sys"
    .\debug.cpp(256) : 0xf7358000 0x0008d000 "Ntfs.sys"
    .\debug.cpp(256) : 0xf732b000 0x0002d000 "NDIS.sys"
    .\debug.cpp(256) : 0xf7311000 0x0001a000 "Mup.sys"
    .\debug.cpp(256) : 0xf7650000 0x0000c000 "gagp30kx.sys"
    .\debug.cpp(256) : 0xeb2e2000 0x002b3000 "\SystemRoot\System32\DRIVERS\nv4_mini.sys"
    .\debug.cpp(256) : 0xeb2ce000 0x00014000 "\SystemRoot\System32\DRIVERS\VIDEOPRT.SYS"
    .\debug.cpp(256) : 0xf7730000 0x00010000 "\SystemRoot\System32\DRIVERS\nic1394.sys"
    .\debug.cpp(256) : 0xec9aa000 0x00006000 "\SystemRoot\system32\DRIVERS\RTL8139.SYS"
    .\debug.cpp(256) : 0xeb250000 0x0007e000 "\SystemRoot\system32\drivers\ctaud2k.sys"
    .\debug.cpp(256) : 0xeb22c000 0x00024000 "\SystemRoot\system32\drivers\portcls.sys"
    .\debug.cpp(256) : 0xf77e0000 0x0000f000 "\SystemRoot\system32\drivers\drmk.sys"
    .\debug.cpp(256) : 0xeb209000 0x00023000 "\SystemRoot\system32\drivers\ks.sys"
    .\debug.cpp(256) : 0xeb1d5000 0x00034000 "\SystemRoot\system32\drivers\ctoss2k.sys"
    .\debug.cpp(256) : 0xebe1d000 0x00008000 "\SystemRoot\system32\drivers\ctprxy2k.sys"
    .\debug.cpp(256) : 0xecb05000 0x00003000 "\SystemRoot\System32\DRIVERS\gameenum.sys"
    .\debug.cpp(256) : 0xf7800000 0x0000b000 "\SystemRoot\System32\DRIVERS\imapi.sys"
    .\debug.cpp(256) : 0xecb01000 0x00003000 "\SystemRoot\system32\drivers\iviaspi.sys"
    .\debug.cpp(256) : 0xeb1c4000 0x00011000 "\SystemRoot\System32\Drivers\Cdr4_xp.SYS"
    .\debug.cpp(256) : 0xf7810000 0x00010000 "\SystemRoot\System32\DRIVERS\cdrom.sys"
    .\debug.cpp(256) : 0xf77c0000 0x0000f000 "\SystemRoot\System32\DRIVERS\redbook.sys"
    .\debug.cpp(256) : 0xebe15000 0x00006000 "\SystemRoot\System32\Drivers\Cdralw2k.SYS"
    .\debug.cpp(256) : 0xeb1a7000 0x0001d000 "\SystemRoot\System32\Drivers\pwd_2k.SYS"
    .\debug.cpp(256) : 0xebe0d000 0x00006000 "\SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys"
    .\debug.cpp(256) : 0xebe05000 0x00006000 "\SystemRoot\System32\DRIVERS\usbuhci.sys"
    .\debug.cpp(256) : 0xeb183000 0x00024000 "\SystemRoot\System32\DRIVERS\USBPORT.SYS"
    .\debug.cpp(256) : 0xebdfd000 0x00008000 "\SystemRoot\System32\DRIVERS\usbehci.sys"
    .\debug.cpp(256) : 0xebdf5000 0x00007000 "\SystemRoot\System32\DRIVERS\fdc.sys"
    .\debug.cpp(256) : 0xeb16f000 0x00014000 "\SystemRoot\System32\DRIVERS\parport.sys"
    .\debug.cpp(256) : 0xf7750000 0x00010000 "\SystemRoot\System32\DRIVERS\serial.sys"
    .\debug.cpp(256) : 0xecaf5000 0x00004000 "\SystemRoot\System32\DRIVERS\serenum.sys"
    .\debug.cpp(256) : 0xf7760000 0x00009000 "\SystemRoot\System32\DRIVERS\processr.sys"
    .\debug.cpp(256) : 0xeb9eb000 0x00001000 "\SystemRoot\System32\DRIVERS\audstub.sys"
    .\debug.cpp(256) : 0xeb15d000 0x00012000 "\SystemRoot\System32\DRIVERS\bridge.sys"
    .\debug.cpp(256) : 0xebded000 0x00005000 "\SystemRoot\System32\DRIVERS\TDI.SYS"
    .\debug.cpp(256) : 0xebc40000 0x0000d000 "\SystemRoot\System32\DRIVERS\rasl2tp.sys"
    .\debug.cpp(256) : 0xecae9000 0x00003000 "\SystemRoot\System32\DRIVERS\ndistapi.sys"
    .\debug.cpp(256) : 0xeb146000 0x00017000 "\SystemRoot\System32\DRIVERS\ndiswan.sys"
    .\debug.cpp(256) : 0xebc30000 0x0000b000 "\SystemRoot\System32\DRIVERS\raspppoe.sys"
    .\debug.cpp(256) : 0xebc20000 0x0000c000 "\SystemRoot\System32\DRIVERS\raspptp.sys"
    .\debug.cpp(256) : 0xeb135000 0x00011000 "\SystemRoot\System32\DRIVERS\psched.sys"
    .\debug.cpp(256) : 0xebc10000 0x00009000 "\SystemRoot\System32\DRIVERS\msgpc.sys"
    .\debug.cpp(256) : 0xebde5000 0x00005000 "\SystemRoot\System32\DRIVERS\ptilink.sys"
    .\debug.cpp(256) : 0xebddd000 0x00005000 "\SystemRoot\System32\DRIVERS\raspti.sys"
    .\debug.cpp(256) : 0xebc00000 0x0000a000 "\SystemRoot\System32\DRIVERS\termdd.sys"
    .\debug.cpp(256) : 0xebdd5000 0x00006000 "\SystemRoot\System32\DRIVERS\kbdclass.sys"
    .\debug.cpp(256) : 0xeb8ca000 0x00006000 "\SystemRoot\System32\DRIVERS\mouclass.sys"
    .\debug.cpp(256) : 0xf7ade000 0x00002000 "\SystemRoot\System32\DRIVERS\swenum.sys"
    .\debug.cpp(256) : 0xeb0d7000 0x0005e000 "\SystemRoot\System32\DRIVERS\update.sys"
    .\debug.cpp(256) : 0xecae5000 0x00004000 "\SystemRoot\System32\DRIVERS\mssmbios.sys"
    .\debug.cpp(256) : 0xeb8c2000 0x00006000 "\SystemRoot\System32\Drivers\mmc_2K.SYS"
    .\debug.cpp(256) : 0xebbf0000 0x0000a000 "\SystemRoot\System32\Drivers\NDProxy.SYS"
    .\debug.cpp(256) : 0xeb0ac000 0x0002b000 "\SystemRoot\system32\drivers\hap16v2k.sys"
    .\debug.cpp(256) : 0xebaa6000 0x0010a000 "\SystemRoot\system32\drivers\ha10kx2k.sys"
    .\debug.cpp(256) : 0xeb07d000 0x0002f000 "\SystemRoot\system32\drivers\emupia2k.sys"
    .\debug.cpp(256) : 0xeb054000 0x00029000 "\SystemRoot\system32\drivers\ctsfm2k.sys"
    .\debug.cpp(256) : 0xeba0a000 0x0009c000 "\SystemRoot\system32\drivers\ctac32k.sys"
    .\debug.cpp(256) : 0xeb039000 0x0001b000 "\SystemRoot\system32\COMMONFX.DLL"
    .\debug.cpp(256) : 0xebd29000 0x0008b000 "\SystemRoot\system32\CTAUDFX.DLL"
    .\debug.cpp(256) : 0xebc9b000 0x0008e000 "\SystemRoot\system32\CTSBLFX.DLL"
    .\debug.cpp(256) : 0xebbe0000 0x0000f000 "\SystemRoot\System32\DRIVERS\usbhub.sys"
    .\debug.cpp(256) : 0xedb24000 0x00002000 "\SystemRoot\System32\DRIVERS\USBD.SYS"
    .\debug.cpp(256) : 0xeb8ba000 0x00005000 "\SystemRoot\System32\DRIVERS\flpydisk.sys"
    .\debug.cpp(256) : 0xedb22000 0x00002000 "\SystemRoot\System32\Drivers\Fs_Rec.SYS"
    .\debug.cpp(256) : 0xf7c02000 0x00001000 "\SystemRoot\System32\Drivers\Null.SYS"
    .\debug.cpp(256) : 0xedb20000 0x00002000 "\SystemRoot\System32\Drivers\Beep.SYS"
    .\debug.cpp(256) : 0xeb8aa000 0x00007000 "\SystemRoot\System32\DRIVERS\HIDPARSE.SYS"
    .\debug.cpp(256) : 0xeb8a2000 0x00006000 "\SystemRoot\System32\drivers\vga.sys"
    .\debug.cpp(256) : 0xedb1e000 0x00002000 "\SystemRoot\System32\Drivers\mnmdd.SYS"
    .\debug.cpp(256) : 0xedb1c000 0x00002000 "\SystemRoot\System32\DRIVERS\RDPCDD.sys"
    .\debug.cpp(256) : 0xeb5af000 0x00040000 "\SystemRoot\System32\Drivers\cdudf_xp.SYS"
    .\debug.cpp(256) : 0xeb6a7000 0x00024000 "\SystemRoot\System32\Drivers\DVDVRRdr_xp.SYS"
    .\debug.cpp(256) : 0xeb89a000 0x00005000 "\SystemRoot\System32\Drivers\Msfs.SYS"
    .\debug.cpp(256) : 0xeb892000 0x00008000 "\SystemRoot\System32\Drivers\Npfs.SYS"
    .\debug.cpp(256) : 0xeb7f5000 0x00035000 "\SystemRoot\System32\Drivers\UdfReadr_xp.SYS"
    .\debug.cpp(256) : 0xf7acc000 0x00003000 "\SystemRoot\System32\DRIVERS\rasacd.sys"
    .\debug.cpp(256) : 0xeb86f000 0x00013000 "\SystemRoot\System32\DRIVERS\ipsec.sys"
    .\debug.cpp(256) : 0xebf78000 0x00059000 "\SystemRoot\System32\DRIVERS\tcpip.sys"
    .\debug.cpp(256) : 0xebbb0000 0x0000a000 "\SystemRoot\System32\Drivers\aswTdi.SYS"
    .\debug.cpp(256) : 0xeb847000 0x00028000 "\SystemRoot\System32\DRIVERS\netbt.sys"
    .\debug.cpp(256) : 0xf72e1000 0x00003000 "\SystemRoot\System32\drivers\ws2ifsl.sys"
    .\debug.cpp(256) : 0xeb8ec000 0x00022000 "\SystemRoot\System32\drivers\afd.sys"
    .\debug.cpp(256) : 0xeb67f000 0x00009000 "\SystemRoot\System32\DRIVERS\netbios.sys"
    .\debug.cpp(256) : 0xeb9bc000 0x0002b000 "\SystemRoot\System32\DRIVERS\rdbss.sys"
    .\debug.cpp(256) : 0xebf08000 0x00070000 "\SystemRoot\System32\DRIVERS\mrxsmb.sys"
    .\debug.cpp(256) : 0xeb66f000 0x0000b000 "\SystemRoot\System32\Drivers\Fips.SYS"
    .\debug.cpp(256) : 0xebc5a000 0x00026000 "\SystemRoot\System32\DRIVERS\ipnat.sys"
    .\debug.cpp(256) : 0xeb65f000 0x00009000 "\SystemRoot\System32\DRIVERS\wanarp.sys"
    .\debug.cpp(256) : 0xeb64f000 0x0000f000 "\SystemRoot\System32\DRIVERS\arp1394.sys"
    .\debug.cpp(256) : 0xebee1000 0x00027000 "\SystemRoot\System32\Drivers\aswSP.SYS"
    .\debug.cpp(256) : 0xeb882000 0x00006000 "\SystemRoot\System32\Drivers\Aavmker4.SYS"
    .\debug.cpp(256) : 0xeb61f000 0x00010000 "\SystemRoot\System32\Drivers\Cdfs.SYS"
    .\debug.cpp(256) : 0xebe62000 0x0007f000 "\SystemRoot\system32\DRIVERS\rt2870.sys"
    .\debug.cpp(256) : 0xf78e0000 0x00008000 "\SystemRoot\System32\DRIVERS\usbccgp.sys"
    .\debug.cpp(256) : 0xf6c5e000 0x00004000 "\SystemRoot\System32\DRIVERS\usbscan.sys"
    .\debug.cpp(256) : 0xf5c9a000 0x00007000 "\SystemRoot\System32\DRIVERS\usbprint.sys"
    .\debug.cpp(256) : 0xf7a8c000 0x00003000 "\SystemRoot\System32\DRIVERS\hidusb.sys"
    .\debug.cpp(256) : 0xeb60f000 0x00009000 "\SystemRoot\System32\DRIVERS\HIDCLASS.SYS"
    .\debug.cpp(256) : 0xf7a74000 0x00004000 "\SystemRoot\System32\DRIVERS\kbdhid.sys"
    .\debug.cpp(256) : 0xf7a78000 0x00004000 "\SystemRoot\System32\Drivers\dump_diskdump.sys"
    .\debug.cpp(256) : 0xeb8d9000 0x00013000 "\SystemRoot\System32\Drivers\dump_viasraid.sys"
    .\debug.cpp(256) : 0xbf800000 0x001c5000 "\SystemRoot\System32\win32k.sys"
    .\debug.cpp(256) : 0xf7a84000 0x00003000 "\SystemRoot\System32\drivers\Dxapi.sys"
    .\debug.cpp(256) : 0xf78c0000 0x00005000 "\SystemRoot\System32\watchdog.sys"
    .\debug.cpp(256) : 0xbf000000 0x00012000 "\SystemRoot\System32\drivers\dxg.sys"
    .\debug.cpp(256) : 0xf7cc4000 0x00001000 "\SystemRoot\System32\drivers\dxgthk.sys"
    .\debug.cpp(256) : 0xbf012000 0x00391000 "\SystemRoot\System32\nv4_disp.dll"
    .\debug.cpp(256) : 0xbffa0000 0x00046000 "\SystemRoot\System32\ATMFD.DLL"
    .\debug.cpp(256) : 0xf09c8000 0x00003000 "\SystemRoot\System32\Drivers\aswFsBlk.SYS"
    .\debug.cpp(256) : 0xf1169000 0x00005000 "\SystemRoot\system32\DRIVERS\AegisP.sys"
    .\debug.cpp(256) : 0xf2e54000 0x00004000 "\SystemRoot\System32\DRIVERS\ndisuio.sys"
    .\debug.cpp(256) : 0xec710000 0x00017000 "\SystemRoot\System32\Drivers\aswMon2.SYS"
    .\debug.cpp(256) : 0xf3f9d000 0x0000f000 "\SystemRoot\system32\drivers\sysaudio.sys"
    .\debug.cpp(256) : 0xec044000 0x00015000 "\SystemRoot\system32\drivers\wdmaud.sys"
    .\debug.cpp(256) : 0xec7b6000 0x0002d000 "\SystemRoot\System32\DRIVERS\mrxdav.sys"
    .\debug.cpp(256) : 0xf24b3000 0x00002000 "\SystemRoot\System32\Drivers\ParVdm.SYS"
    .\debug.cpp(256) : 0xf78e8000 0x00005000 "\SystemRoot\System32\drivers\aspi32.sys"
    .\debug.cpp(256) : 0xec065000 0x00003000 "\??\C:\WINDOWS\System32\drivers\CdaD10BA.SYS"
    .\debug.cpp(256) : 0xf11c9000 0x00002000 "\SystemRoot\System32\Drivers\MASPINT.SYS"
    .\debug.cpp(256) : 0xec813000 0x00058000 "\SystemRoot\System32\DRIVERS\srv.sys"
    .\debug.cpp(256) : 0xecace000 0x00017000 "\??\C:\WINDOWS\System32\drivers\PfModNT.sys"
    .\debug.cpp(256) : 0xecb27000 0x00041000 "\SystemRoot\System32\Drivers\HTTP.sys"
    .\debug.cpp(256) : 0xeda67000 0x00003000 "\SystemRoot\System32\DRIVERS\mouhid.sys"
    .\debug.cpp(256) : 0xf1189000 0x00005000 "\SystemRoot\System32\Drivers\aswRdr.SYS"
    .\debug.cpp(256) : 0xed3c4000 0x00002000 "\??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS"
    .\debug.cpp(256) : 0xeb8b2000 0x00008000 "\??\C:\DOCUME~1\Tom\LOCALS~1\Temp\catchme.sys"
    .\debug.cpp(256) : 0xecd87000 0x0002b000 "\SystemRoot\system32\drivers\kmixer.sys"
    .\debug.cpp(256) : 0x7c900000 0x000b2000 "\WINDOWS\system32\ntdll.dll"
    .\debug.cpp(263) : **********************************************
    .\debug.cpp(307) : *** [ DEVICE OBJECTS INFORMATION ] ***********
    .\debug.cpp(308) : **********************************************
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\D:"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{0caa2527-b2bd-11dc-94b9-000ea64e849f}"
    .\debug.cpp(400) : Destination "\Device\CdRom2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_045e&Pid_001c#5&3278073a&0&2#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-9"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_040a&Pid_4032&MI_02#7&2bade5b3&2&0002#{6bdd1fc6-810f-11d0-bec7-08002be2092f}"
    .\debug.cpp(400) : Destination "\Device\0000007a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDIS"
    .\debug.cpp(400) : Destination "\Device\Ndis"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomSONY_DVD-ROM_DDU1612____________________DYS3____#5&6a6be80&0&0.1.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T1L0-e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0004#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000043"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi3:"
    .\debug.cpp(400) : Destination "\Device\Scsi\viasraid1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{8e0fd423-0531-11db-9c39-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY1"
    .\debug.cpp(400) : Destination "\Device\Video0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_1106&DEV_3044&SUBSYS_808A1043&REV_80#3&267a616a&0&38#{6bdd1fc1-810f-11d0-bec7-08002be2092f}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ASWSP"
    .\debug.cpp(400) : Destination "\Device\aswSP"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ffbb6e3f-ccfe-4d84-90d9-421418b03a8e}"
    .\debug.cpp(400) : Destination "\Device\00000048"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCSI#CdRom&Ven_IVI&Prod_Virtual_CD&Rev_0.5a#1&2afd7d61&0&000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Scsi\iviVD1Port0Path0Target0Lun0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{e86c4cb7-4511-11d9-8ffa-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY2"
    .\debug.cpp(400) : Destination "\Device\Video1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_1106&DEV_3038&SUBSYS_80ED1043&REV_81#3&267a616a&0&80#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0011"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPPOEMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000003e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{dd7a9ac3-4545-11d9-a0d5-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\Floppy0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ip"
    .\debug.cpp(400) : Destination "\Device\Ip"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\aswSP_Pot2"
    .\debug.cpp(400) : Destination "\Device\aswSP_Pot2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY3"
    .\debug.cpp(400) : Destination "\Device\Video2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\E:"
    .\debug.cpp(400) : Destination "\Device\CdRom1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FDC#GENERIC_FLOPPY_DRIVE#5&6edbab&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\FloppyPDO0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPSECDev"
    .\debug.cpp(400) : Destination "\Device\IPSEC"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY4"
    .\debug.cpp(400) : Destination "\Device\Video3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CTAUDFX.DLL"
    .\debug.cpp(400) : Destination "\Device\CTAUDFX.DLL"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANIP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000003d"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\V1394#NIC1394#593734e01800#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000069"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CDR4_XP"
    .\debug.cpp(400) : Destination "\Device\CDR4_XP"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_046d&Pid_c501#6&491ecb8&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\00000085"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDPROXY"
    .\debug.cpp(400) : Destination "\Device\NDProxy"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ASWMON"
    .\debug.cpp(400) : Destination "\Device\aswMon"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_1102&DEV_0004&SUBSYS_20021102&REV_04#3&267a616a&0&70#{dda54a40-1e4c-11d1-a050-405705c10000}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0006"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SCSIADAPTER#0000#{2accfe60-c130-11d2-b082-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_046d&Pid_c501#6&491ecb8&0&0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000085"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\USB#ROOT_HUB#4&467fdfe&0#{f18a0e88-c3

    0c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) :

    Destination "\Device\USBPDO-0"
    .\debug.cpp(409)

    : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\$VDMLPT1"
    .\debug.cpp(400) :

    Destination "\Device\ParallelVdm0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) :

    SymbolicLink

    "\GLOBAL??\Root#SYSTEM#0000#{3c0d501a-140b-11d1-

    b40f-00a0c9223196}"
    .\debug.cpp(400) :

    Destination "\Device\00000048"
    .\debug.cpp(409)

    : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\PCI#VEN_1102&DEV_4001&SUBSYS_00101102

    &REV_04#3&267a616a&0&72#{6bdd1fc1-810f-11d0-bec7

    -08002be2092f}"
    .\debug.cpp(400) : Destination

    "\Device\NTPNP_PCI0008"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\F:"
    .\debug.cpp(400) : Destination

    "\Device\CdRom2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\SCSI#CdRom&Ven_IVI&Prod_Virtual_CD&Re

    v_0.5a#1&2afd7d61&0&000#{53f5630d-b6bf-11d0-94f2

    -00a0c91efb8b}"
    .\debug.cpp(400) : Destination

    "\Device\Scsi\iviVD1Port0Path0Target0Lun0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) :

    SymbolicLink "\GLOBAL??\WMIDataDevice"
    .\debug.cpp(400) : Destination

    "\Device\WMIDataDevice"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\PCI#VEN_1102&DEV_0004&SUBSYS_20021102

    &REV_04#3&267a616a&0&70#{dff220f3-f70f-11d0-b917

    -00a0c9223196}"
    .\debug.cpp(400) : Destination

    "\Device\NTPNP_PCI0006"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\COM1"
    .\debug.cpp(400) : Destination

    "\Device\Serial1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\V1394#NIC1394#51069f3223c01#{ad498944

    -762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400)

    : Destination "\Device\0000006a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) :

    SymbolicLink

    "\GLOBAL??\Root#SYSTEM#0000#{dff220f3-f70f-11d0-

    b917-00a0c9223196}"
    .\debug.cpp(400) :

    Destination "\Device\00000048"
    .\debug.cpp(409)

    : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\COM2"
    .\debug.cpp(400) : Destination

    "\Device\Serial0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\{151F8550-BBF5-4F6E-96BA-D998840E2E02

    }"
    .\debug.cpp(400) : Destination

    "\Device\{151F8550-BBF5-4F6E-96BA-D998840E2E02}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) :

    SymbolicLink "\GLOBAL??\PIPE"
    .\debug.cpp(400) :

    Destination "\Device\NamedPipe"
    .\debug.cpp(409) : --
    .\debug.cpp(369) :

    SymbolicLink

    "\GLOBAL??\HID#Vid_045e&Pid_001d&MI_01&Col02#8&4

    a0078c&0&0001#{4d1e55b2-f16f-11cf-88cb-001111000

    030}"
    .\debug.cpp(400) : Destination

    "\Device\00000083"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\Usbscan0"
    .\debug.cpp(400) :

    Destination "\Device\Usbscan0"
    .\debug.cpp(409)

    : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0

    407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c

    5066e-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination

    "\Device\KSENUM#00000001"
    .\debug.cpp(409) :

    --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\Root#SYSTEM#0000#{2eb07ea0-7e70-11d0-

    a5d6-28db04c10000}"
    .\debug.cpp(400) :

    Destination "\Device\00000048"
    .\debug.cpp(409)

    : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\USB#Vid_045e&Pid_001d#6&22c12eed&0&1#

    {a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination

    "\Device\USBPDO-10"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\UdfReadr_XP"
    .\debug.cpp(400) :

    Destination "\Device\UdfReadr_XP"
    .\debug.cpp(409) : --
    .\debug.cpp(369) :

    SymbolicLink

    "\GLOBAL??\PCI#VEN_1106&DEV_3038&SUBSYS_80ED1043

    &REV_81#3&267a616a&0&83#{3abf6f2d-71c4-462a-8a92

    -1e6861e6af27}"
    .\debug.cpp(400) : Destination

    "\Device\NTPNP_PCI0014"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\Volume{ef5e205f-4544-11d9-997e-806d61

    72696f}"
    .\debug.cpp(400) : Destination

    "\Device\HarddiskVolume1"
    .\debug.cpp(409) :

    --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\IDE#CdRomSONY_DVD-ROM_DDU1612________

    ____________DYS3____#5&6a6be80&0&0.1.0#{53f5630d

    -b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400)

    : Destination "\Device\Ide\IdeDeviceP1T1L0-e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) :

    SymbolicLink "\GLOBAL??\PfModNT"
    .\debug.cpp(400) : Destination

    "\Device\PfModNT"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\PSched"
    .\debug.cpp(400) :

    Destination "\Device\PSched"
    .\debug.cpp(409) :

    --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\Usbscan1"
    .\debug.cpp(400) :

    Destination "\Device\Usbscan1"
    .\debug.cpp(409)

    : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\Volume{d3438a5a-4516-11d9-8378-806d61

    72696f}"
    .\debug.cpp(400) : Destination

    "\Device\Floppy0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\UNC"
    .\debug.cpp(400) : Destination

    "\Device\Mup"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\IPNAT"
    .\debug.cpp(400) :

    Destination "\Device\IPNAT"
    .\debug.cpp(409) :

    --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\HAP16V2K"
    .\debug.cpp(400) :

    Destination "\Device\HAP16V2K"
    .\debug.cpp(409)

    : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\GEARAspiWDMDevice"
    .\debug.cpp(400) :

    Destination "\Device\GEARAspiWDMDevice"
    .\debug.cpp(409) : --
    .\debug.cpp(369) :

    SymbolicLink

    "\GLOBAL??\Root#SYSTEM#0000#{6994ad04-93ef-11d0-

    a3cc-00a0c9223196}"
    .\debug.cpp(400) :

    Destination "\Device\00000048"
    .\debug.cpp(409)

    : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\HCD0"
    .\debug.cpp(400) : Destination

    "\Device\USBFDO-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\ASWTDI"
    .\debug.cpp(400) :

    Destination "\Device\ASWTDI"
    .\debug.cpp(409) :

    --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\HID#Vid_045e&Pid_001d&MI_00#8&24b85c9

    d&0&0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination

    "\Device\00000081"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\Tcp"
    .\debug.cpp(400) : Destination

    "\Device\Tcp"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\PCI#VEN_1106&DEV_3038&SUBSYS_80ED1043

    &REV_81#3&267a616a&0&81#{3abf6f2d-71c4-462a-8a92

    -1e6861e6af27}"
    .\debug.cpp(400) : Destination

    "\Device\NTPNP_PCI0012"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\{B12488EA-F0D0-4BE5-A74E-17283D9459A0

    }"
    .\debug.cpp(400) : Destination

    "\Device\{B12488EA-F0D0-4BE5-A74E-17283D9459A0}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) :

    SymbolicLink

    "\GLOBAL??\{EEF58D39-4FA6-42ED-8F65-F8961947706E

    }"
    .\debug.cpp(400) : Destination

    "\Device\{EEF58D39-4FA6-42ED-8F65-F8961947706E}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) :

    SymbolicLink "\GLOBAL??\FltMgrMsg"
    .\debug.cpp(400) : Destination

    "\FileSystem\Filters\FltMgrMsg"
    .\debug.cpp(409)

    : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\HCD1"
    .\debug.cpp(400) : Destination

    "\Device\USBFDO-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\EMUPIA"
    .\debug.cpp(400) :

    Destination "\Device\EMUPIA"
    .\debug.cpp(409) :

    --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\AegisP_{739A61E4-B24F-4826-A90D-706B6

    E1C9246}"
    .\debug.cpp(400) : Destination

    "\Device\AegisP_{739A61E4-B24F-4826-A90D-706B6E1

    C9246}"
    .\debug.cpp(409) : --
    .\debug.cpp(369)

    : SymbolicLink "\GLOBAL??\LCD"
    .\debug.cpp(400)

    : Destination "\Device\VideoPdo0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) :

    SymbolicLink "\GLOBAL??\DVDVRRdr_XP"
    .\debug.cpp(400) : Destination

    "\Device\DVDVRRdr_XP"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\Root#MS_PTIMINIPORT#0000#{ad498944-76

    2f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) :

    Destination "\Device\00000044"
    .\debug.cpp(409)

    : --
    .\debug.cpp(369) : SymbolicLink
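The dump in this post is the symbolic-link section of catchme's debug output: every name under \GLOBAL??\ (the Win32 device namespace that drive letters, COM ports and \\.\name paths resolve through) together with the kernel object it points at. Reading a few hundred of these by hand is slow, so what follows is an added triage helper, written for this page and not part of the post or of GMER's own code. It parses the three-line record format, groups links by the object they resolve to, and lists the link names that are not XP built-ins so each can be attributed to an installed driver. The baseline of built-in names is a hand-picked assumption, and the embedded sample is a handful of records copied from the dump plus one cut-off record, since the post ends mid-record. A name on the "identify" list is only a prompt to find its owner, not evidence of infection: catchme is the scanner's own device, and the aswSP_ names belong to the avast! self-protection driver.

```python
"""Added triage helper for the SymbolicLink section of a GMER/catchme debug dump.
Not GMER's code; the built-in baseline and sample records are assumptions."""
import re
import sys
from collections import defaultdict

# A record is three lines; the number in parentheses is the line of catchme's
# debug.cpp that printed it (369 = link name, 400 = target, 409 = end of record).
RECORD_RE = re.compile(r'^\.\\debug\.cpp\((\d+)\)\s*:\s*(.*)$')
QUOTED_RE = re.compile(r'^(SymbolicLink|Destination)\s+"([^"]*)"$')

# Object-manager roots a \GLOBAL??\ link normally points into on XP.
EXPECTED_ROOTS = ('\\Device\\', '\\FileSystem\\', '\\DosDevices\\', '\\GLOBAL??')

# Hand-picked baseline of XP built-in link names (assumption, not exhaustive).
BUILTIN_EXACT = {
    'AUX', 'PRN', 'NUL', 'PIPE', 'MAILSLOT', 'UNC', 'Global', 'GLOBALROOT', 'Tcp',
    'Ip', 'FltMgr', 'FltMgrMsg', 'MountPointManager', 'WMIDataDevice', 'Shadow',
    'NDISTAPI', 'NdisWan', 'NDISWANIP', 'NDPROXY', 'IPSECDev', 'IPNAT', 'WanArp',
    'IPMULTICAST', 'PSched', 'Ndisuio', 'FtControl', 'USNTracker', 'ARP1394',
    'Bridge', 'sysaudio', 'fsWrap', 'LCD'}
BUILTIN_PATTERNS = [re.compile(p) for p in (
    r'^[A-Z]:$', r'^Volume\{[0-9a-f-]+\}$', r'^\{[0-9A-Fa-f-]+\}$', r'^Scsi\d+:$',
    r'^(PhysicalDrive|CdRom|COM|LPT|\$VDMLPT|HCD|DISPLAY|Usbscan|PTILINK|1394BUS)\d+$',
    r'^[A-Za-z0-9_]+#.*#\{[0-9A-Fa-f-]+\}$')]  # PnP device-interface link

# Constructed sample: records copied from the dump, ending with a cut-off record.
SAMPLE = r'''.\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{e86c4cb7-4511-11d9-8ffa-806d6172696f}"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\catchme"
.\debug.cpp(400) : Destination "\Device\catchme"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\aswSP_Pot2"
.\debug.cpp(400) : Destination "\Device\aswSP_Pot2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT"
.\debug.cpp(400) : Destination ""
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_046d&Pid_c501#6&491ecb8&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
.\debug.cpp(400) : Destination "\Device\00000085"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\pwd_2k"
.\debug.cpp(400) : Destination "\Device\pwd_2k"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink
'''


def parse_links(text):
    """Return (links, problems): links maps link name -> target object,
    problems lists records that could not be completed."""
    links, problems, name = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = RECORD_RE.match(raw.strip())
        if not m:
            continue  # not a catchme record line (headers, blanks, other sections)
        body = m.group(2).strip()
        q = QUOTED_RE.match(body)
        if q is None:  # '--' ends a record; anything else here is a cut-off record
            if name is not None or body != '--':
                problems.append(f'line {lineno}: incomplete record at {body!r}')
            name = None
            continue
        kind, value = q.groups()
        if kind == 'SymbolicLink':
            name = value
        elif name is None:
            problems.append(f'line {lineno}: Destination without a SymbolicLink')
        else:
            links[name] = value
            name = None
    if name is not None:
        problems.append(f'end of input: {name!r} has no Destination')
    return links, problems


def short_name(link):
    # Drop the 10-character \GLOBAL??\ prefix so the name matches the baseline.
    return link[10:] if link.startswith('\\GLOBAL??\\') else link


def is_builtin(short):
    return short in BUILTIN_EXACT or any(p.match(short) for p in BUILTIN_PATTERNS)


def triage(links):
    """Group links by target; list names outside the baseline (to attribute to a
    driver) and targets outside the expected roots (to look at more closely)."""
    by_target = defaultdict(list)
    for name, target in links.items():
        by_target[target].append(name)
    to_identify = sorted(short_name(n) for n in links if not is_builtin(short_name(n)))
    odd_targets = sorted(short_name(n) for n, t in links.items()
                         if not t.startswith(EXPECTED_ROOTS)
                         and not (short_name(n) == 'GLOBALROOT' and t == ''))  # empty by design
    return {'by_target': dict(by_target), 'to_identify': to_identify, 'odd_targets': odd_targets}


def main(argv):
    text = open(argv[1], encoding='utf-8', errors='replace').read() if len(argv) > 1 else SAMPLE
    links, problems = parse_links(text)
    report = triage(links)
    print(f'{len(links)} links parsed; problems: {problems or "none"}')
    print('names to attribute to a driver:', report['to_identify'] or 'none')
    print('targets outside expected roots:', report['odd_targets'] or 'none')
    for target, names in sorted(report['by_target'].items()):  # aliases of one object
        if len(names) > 1:
            print(f'{target} <- {", ".join(short_name(n) for n in names)}')


if __name__ == '__main__':
    main(sys.argv)
```

Save the GMER log to a file and run `python triage_links.py gmer.log` (the file name is an assumption); with no argument it runs over the embedded sample. The alias grouping is the quick sanity check on drive letters: in this dump C: and the Volume{...} names should all resolve to \Device\HarddiskVolume1, and a drive letter pointing anywhere else is worth a closer look.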
  24. Rstynls

    Rstynls Newcomer, in training Topic Starter Posts: 19

    More logs

    "\GLOBAL??\ACPI#AuthenticAMD_-_x86_Family_15_Model_5#_0#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
    .\debug.cpp(400) : Destination "\Device\0000004e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IVIaspi0"
    .\debug.cpp(400) : Destination "\Device\IVIaspi0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive0"
    .\debug.cpp(400) : Destination "\Device\Harddisk0\DR0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_045e&Pid_001d&MI_00#8&24b85c9d&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\00000081"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD2"
    .\debug.cpp(400) : Destination "\Device\USBFDO-2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PRN"
    .\debug.cpp(400) : Destination "\DosDevices\LPT1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{53172480-4791-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000048"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD3"
    .\debug.cpp(400) : Destination "\Device\USBFDO-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\sysaudio"
    .\debug.cpp(400) : Destination "\Device\sysaudio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\fsWrap"
    .\debug.cpp(400) : Destination "\Device\FsWrap"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0002#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000042"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{97ebaacb-95bd-11d0-a3ea-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000048"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000040"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom0"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD4"
    .\debug.cpp(400) : Destination "\Device\USBFDO-4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MbMmDp32"
    .\debug.cpp(400) : Destination "\Device\MbMmDp32"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_1186&DEV_1300&SUBSYS_13011186&REV_10#3&267a616a&0&60#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0005"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{9F0A51CA-7F03-4E1E-9AE5-5F6774947D28}"
    .\debug.cpp(400) : Destination "\Device\{9F0A51CA-7F03-4E1E-9AE5-5F6774947D28}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{A9850E1D-EBF3-4D30-AA6A-54CA75D115E2}"
    .\debug.cpp(400) : Destination "\Device\{A9850E1D-EBF3-4D30-AA6A-54CA75D115E2}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom1"
    .\debug.cpp(400) : Destination "\Device\CdRom1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&2d491760&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Global"
    .\debug.cpp(400) : Destination "\GLOBAL??"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{9D1E06C5-D35E-490C-B535-96BE7A5E96E2}"
    .\debug.cpp(400) : Destination "\Device\{9D1E06C5-D35E-490C-B535-96BE7A5E96E2}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom2"
    .\debug.cpp(400) : Destination "\Device\CdRom2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#FixedButton#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000052"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0C#aa#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000050"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AegisP_{8BCD12CD-A96A-411A-B624-EFAF40C2E99C}"
    .\debug.cpp(400) : Destination "\Device\AegisP_{8BCD12CD-A96A-411A-B624-EFAF40C2E99C}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{8e0fd421-0531-11db-9c39-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"
    .\debug.cpp(400) : Destination "\Device\00000068"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PxHelperDevice0"
    .\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50671-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000001"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#2#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"
    .\debug.cpp(400) : Destination "\Device\00000067"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_1106&DEV_3104&SUBSYS_80ED1043&REV_86#3&267a616a&0&84#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0015"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_1106&DEV_3038&SUBSYS_80ED1043&REV_81#3&267a616a&0&82#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0013"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\COMMONFX.DLL"
    .\debug.cpp(400) : Destination "\Device\COMMONFX.DLL"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3e227e76-690d-11d2-8161-0000f8775bf1}"
    .\debug.cpp(400) : Destination "\Device\00000048"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad809c00-7b88-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000048"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9ea331fa-b91b-45f8-9285-bd2bc77afcde}"
    .\debug.cpp(400) : Destination "\Device\00000048"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_1106&DEV_3149&SUBSYS_80ED1043&REV_80#3&267a616a&0&78#{2accfe60-c130-11d2-b082-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0009"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_05e3&Pid_0608#5&f7be307&0&4#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_1102&DEV_0004&SUBSYS_20021102&REV_04#3&267a616a&0&70#{65e8773e-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0006"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ARP1394"
    .\debug.cpp(400) : Destination "\Device\ARP1394"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Bridge"
    .\debug.cpp(400) : Destination "\Device\Bridge"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\catchme"
    .\debug.cpp(400) : Destination "\Device\catchme"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_1102&DEV_0004&SUBSYS_20021102&REV_04#3&267a616a&0&70#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0006"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_050d&Pid_8053#1.0#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{4d36e978-e325-11ce-bfc1-08002be10318}"
    .\debug.cpp(400) : Destination "\Device\00000068"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_040a&Pid_4032&MI_01#7&2bade5b3&2&0001#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}"
    .\debug.cpp(400) : Destination "\Device\00000079"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MbDlDp32"
    .\debug.cpp(400) : Destination "\Device\MbDlDp32"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MountPointManager"
    .\debug.cpp(400) : Destination "\Device\MountPointManager"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&Signature2F7F2F7FOffset7E00Length37E4610400#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ASPINT"
    .\debug.cpp(400) : Destination "\Device\msfaspi"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdaD10BA"
    .\debug.cpp(400) : Destination "\Device\CdaD10BA"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50674-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000001"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AAVMKER4"
    .\debug.cpp(400) : Destination "\Device\AavmKer4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_L2TPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0E#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000051"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WanArp"
    .\debug.cpp(400) : Destination "\Device\WANARP"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CTPROXY"
    .\debug.cpp(400) : Destination "\Device\CTPROXY"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#ftdisk#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USNTracker"
    .\debug.cpp(400) : Destination "\Device\USNTracker"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{389663ec-7ef9-11da-baf3-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_045e&Pid_001d&MI_01&Col01#8&4a0078c&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\00000082"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_046d&Pid_c501#5&3278073a&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-8"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{739A61E4-B24F-4826-A90D-706B6E1C9246}"
    .\debug.cpp(400) : Destination "\Device\{739A61E4-B24F-4826-A90D-706B6E1C9246}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{8e0fd422-0531-11db-9c39-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\CdRom1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\LPTENUM#MicrosoftRawPort#5&1d62032d&0&LPT1#{811fc6a5-f728-11d0-a537-0000f8753ed1}"
    .\debug.cpp(400) : Destination "\Device\Parallel0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CTSBLFX.DLL"
    .\debug.cpp(400) : Destination "\Device\CTSBLFX.DLL"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{49A6E70C-0AFA-421D-9178-D479A58EE126}"
    .\debug.cpp(400) : Destination "\Device\{49A6E70C-0AFA-421D-9178-D479A58EE126}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\A:"
    .\debug.cpp(400) : Destination "\Device\Floppy0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000048"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISWANIP"
    .\debug.cpp(400) : Destination "\Device\NdisWanIp"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AegisP"
    .\debug.cpp(400) : Destination "\Device\AegisP"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{bf963d80-c559-11d0-8a2b-00a0c9255ac1}"
    .\debug.cpp(400) : Destination "\Device\00000048"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{fbf6f530-07b9-11d2-a71e-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000001"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi0:"
    .\debug.cpp(400) : Destination "\Device\Scsi\iviVD1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{e86c4cb4-4511-11d9-8ffa-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\Floppy0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{8123F7A7-CFE3-4460-AA61-619CC6370263}"
    .\debug.cpp(400) : Destination "\Device\{8123F7A7-CFE3-4460-AA61-619CC6370263}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&7d5b616&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_1102&DEV_7003&SUBSYS_00401102&REV_04#3&267a616a&0&71#{cae56030-684a-11d0-d6f6-00a0c90f57da}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0007"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\1394BUS0"
    .\debug.cpp(400) : Destination "\Device\1394BUS0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0400#1#{97f76ef0-f883-11d0-af1f-0000f800845c}"
    .\debug.cpp(400) : Destination "\Device\00000064"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{4747b320-62ce-11cf-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000048"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPTPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000003f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK1"
    .\debug.cpp(400) : Destination "\Device\ParTechInc0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\1394BUS1"
    .\debug.cpp(400) : Destination "\Device\1394BUS1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{a7c7a5b1-5af3-11d1-9ced-00a024bf0407}"
    .\debug.cpp(400) : Destination "\Device\00000048"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{389663ed-7ef9-11da-baf3-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\CdRom1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB20#4&2556a5a7&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISTAPI"
    .\debug.cpp(400) : Destination "\Device\NdisTapi"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NdisWan"
    .\debug.cpp(400) : Destination "\Device\NdisWan"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_040a&Pid_4032#C057636#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi1:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPMULTICAST"
    .\debug.cpp(400) : Destination "\Device\IPMULTICAST"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\LPT1"
    .\debug.cpp(400) : Destination "\Device\Parallel0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HA10KX2K"
    .\debug.cpp(400) : Destination "\Device\HA10KX2K"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK2"
    .\debug.cpp(400) : Destination "\Device\ParTechInc1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomPLEXTOR_CD-R___PREMIUM__________________1.02____#5&6a6be80&0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_040a&Pid_4032&MI_00#7&2bade5b3&2&0000#{6bdd1fc6-810f-11d0-bec7-08002be2092f}"
    .\debug.cpp(400) : Destination "\Device\00000078"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Shadow"
    .\debug.cpp(400) : Destination "\Device\LanmanRedirector"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#2#{4d36e978-e325-11ce-bfc1-08002be10318}"
    .\debug.cpp(400) : Destination "\Device\00000067"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_0333&SUBSYS_194E270F&REV_A1#4&3600494a&0&0008#{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0021"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK3"
    .\debug.cpp(400) : Destination "\Device\ParTechInc2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\pwd_2k"
    .\debug.cpp(400) : Destination "\Device\pwd_2k"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCSI#Disk&Ven_VIA_SATA&Prod__RAID_0&Rev_#4&17c50b7c&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Scsi\viasraid1Port3Path0Target0Lun0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgr"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgr"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FtControl"
    .\debug.cpp(400) : Destination "\Device\FtControl"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdUdf_XP"
    .\debug.cpp(400) : Destination "\Device\CdUdf_XP"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ASWRDR"
    .\debug.cpp(400) : Destination "\Device\ASWRDR"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\aswSP_Avar"
    .\debug.cpp(400) : Destination "\Device\aswSP_Avar"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&1a8f66bb&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdaD23BA"
    .\debug.cpp(400) : Destination "\Device\CdaD23BA"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_1102&DEV_0004&SUBSYS_20021102&REV_04#3&267a616a&0&70#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0006"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{d3438a5d-4516-11d9-8378-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{8e0fd420-0531-11db-9c39-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\Floppy0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MAILSLOT"
    .\debug.cpp(400) : Destination "\Device\MailSlot"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AUX"
    .\debug.cpp(400) : Destination "\DosDevices\COM1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT"
    .\debug.cpp(400) : Destination ""
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ndisuio"
    .\debug.cpp(400) : Destination "\Device\Ndisuio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000046"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi2:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NUL"
    .\debug.cpp(400) : Destination "\Device\Null"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\{8BCD12CD-A96A-411A-B624-EFAF40C2E99C

    }"
    .\debug.cpp(400) : Destination

    "\Device\{8BCD12CD-A96A-411A-B624-EFAF40C2E99C}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) :

    SymbolicLink

    "\GLOBAL??\IDE#CdRomPLEXTOR_CD-R___PREMIUM______

    ____________1.02____#5&6a6be80&0&0.0.0#{53f56308

    -b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400)

    : Destination "\Device\Ide\IdeDeviceP1T0L0-6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) :

    SymbolicLink

    "\GLOBAL??\Root#RDP_KBD#0000#{884b96c3-56ef-11d1

    -bc8c-00a0c91405dd}"
    .\debug.cpp(400) :

    Destination "\Device\00000045"
    .\debug.cpp(409)

    : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\USB#Vid_050d&Pid_8053#1.0#{a5dcbf10-6

    530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) :

    Destination "\Device\USBPDO-5"
    .\debug.cpp(409)

    : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\CTAC32K"
    .\debug.cpp(400) :

    Destination "\Device\CTAC32K"
    .\debug.cpp(409) :

    --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\IDE#CdRomPLEXTOR_CD-R___PREMIUM______

    ____________1.02____#5&6a6be80&0&0.0.0#{1186654d

    -47b8-48b9-beb9-7df113ae3c67}"
    .\debug.cpp(400)

    : Destination "\Device\Ide\IdeDeviceP1T0L0-6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) :

    SymbolicLink "\GLOBAL??\PROCEXP113"
    .\debug.cpp(400) : Destination

    "\Device\PROCEXP113"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink

    "\GLOBAL??\{D7075411-6248-4E83-BA44-21DEA793D884

    }"
    .\debug.cpp(400) : Destination

    "\Device\{D7075411-6248-4E83-BA44-21DEA793D884}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) :

    SymbolicLink "\GLOBAL??\CTSFM2K"
    .\debug.cpp(400) : Destination

    "\Device\CTSFM2K"
    .\debug.cpp(409) : --
    .\debug.cpp(453) :

    **********************************************
    .\boot_cleaner.cpp(565) : System volume is

    \\.\C:
    .\boot_cleaner.cpp(600) : \\.\C: ->

    \\.\PhysicalDrive0 at offset

    0x00000000`00007e00
    .\diskio.cpp(204) :

    ATA_Read(): DeviceIoControl() ERROR 1
    .\boot_cleaner.cpp(276) : Boot sector MD5 is:

    6def5ffcbcdbdb4082f1015625e597bd
    .\boot_cleaner.cpp(1060) :
    .\boot_cleaner.cpp(1061) : Size Device

    Name MBR Status
    .\boot_cleaner.cpp(1062) :

    --------------------------------------------
    .\boot_cleaner.cpp(1106) : 223 GB

    \\.\PhysicalDrive0 OK (DOS/Win32 Boot code

    found)
    .\boot_cleaner.cpp(1112) :
    .\boot_cleaner.cpp(1151) : Done;
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I've deleted the Combofix log as it is unreadable. When you open Notepad, first go to Format> Uncheck 'Word Wrap', then repeat this to generate a new log:

    Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:

    Code:
    File::
    c:\windows\system32\lsp21.tmp
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRIxxXn]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    You don't have to repeat the Bootscan, but any time you use Notepad for the logs, be sure that Word Wrap is unchecked.
    Note:
    Combofix Log has been removed as it is unreadable with Word Wrap on. Member advised, scan being repeated.