TechSpot

Can't do windows updates

By rcc2324
Jan 5, 2011
  1. I was infected with the security tools virus and now I can't do any Windows updates. I'm also getting svchost errors. I tried doing a Windows restore to an early date but system will not restore. I'm using Windows XP Pro SP3.

    I followed the UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions and here are the logs.


    System will not allow me to post DDS.txt log.
    I get the following message:
    internet explorer cannot display the webpage.

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot. I'll be glad to help with the problem, but must ask that you follow this:

    http://www.techspot.com/vb/topic154928.html

    I don't know why you would get that message for the DDS.txt log. You are not trying to display a webpage. Please search your system for DDS.txt. When found, open Notepad, click on Format> uncheck Word Wrap> copy the log to Notepad, then paste it in the next reply.
  3. rcc2324

    rcc2324 Newcomer, in training Topic Starter

    Thanks Bobbye,
    Here are the logs:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    1/5/2011 8:21:09 PM
    mbam-log-2011-01-05 (20-21-09).txt

    Scan type: Quick scan
    Objects scanned: 137679
    Time elapsed: 12 minute(s), 46 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-01-05 20:29:27
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST3160815AS rev.3.ADA
    Running: zwfd4o18.exe; Driver: C:\DOCUME~1\Admin\LOCALS~1\Temp\fftoapow.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB1BA82C7]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB1BA830D]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB1BA8355]

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8734939B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8734939B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8734939B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8734939B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8734939B
    Device \FileSystem\Ntfs \Ntfs 873DB1D0

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3160815AS_____________________________3.ADA___#5&3380c066&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Services - GMER 1.0.15 ----

    Service (*** hidden *** ) [BOOT] exwudxqs <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.15 ----



    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Admin at 20:34:21.70 on Wed 01/05/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.351 [GMT -7:00]

    AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: McAfee VirusScan Enterprise *Enabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Dell Network Assistant\hnm_svc.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\ctfmon.exe
    "C:\WINDOWS\System32\svchost.exe"
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    C:\Documents and Settings\Admin\Desktop\zwfd4o18.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Documents and Settings\Admin\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uWindow Title = Windows Internet Explorer provided by MSN & Bing
    uInternet Connection Wizard,ShellNext = iexplore
    mWinlogon: Userinit=userinit.exe
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
    mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    dRunOnce: [RunNarrator] Narrator.exe
    dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
    uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
    uPolicies-explorer: NoSMMyPictures = 0 (0x0)
    uPolicies-explorer: NoStartMenuMyMusic = 0 (0x0)
    uPolicies-explorer: NoRecentDocsNetHood = 0 (0x0)
    uPolicies-explorer: NoInstrumentation = 0 (0x0)
    mPolicies-explorer: NoSMMyPictures = 0 (0x0)
    mPolicies-explorer: NoStartMenuMyMusic = 0 (0x0)
    mPolicies-explorer: NoRecentDocsNetHood = 0 (0x0)
    mPolicies-explorer: NoInstrumentation = 0 (0x0)
    mPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: &Search
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,6211/mcfscan.cab
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ============= SERVICES / DRIVERS ===============

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-7-28 28544]
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-13 11608]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-9-3 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 67656]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-13 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-13 267944]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-13 61960]
    R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2007-12-5 104000]
    R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2006-11-30 144960]
    R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2006-11-30 54872]
    R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-12-5 72264]
    R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-12-5 34152]
    R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-12-5 168776]
    S0 serri;serri; [x]
    S1 gfrmfbyi;gfrmfbyi;\??\c:\windows\system32\drivers\gfrmfbyi.sys --> c:\windows\system32\drivers\gfrmfbyi.sys [?]
    S2 gupdate1c99c8972892354;Google Update Service (gupdate1c99c8972892354);c:\program files\google\update\GoogleUpdate.exe [2009-3-3 133104]
    S2 ycgcljpl;Direct Parallel Link Helper;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
    S3 cpuz134;cpuz134;\??\c:\docume~1\admin\locals~1\temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\admin\locals~1\temp\cpuz134\cpuz134_x32.sys [?]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 12872]

    =============== Created Last 30 ================

    2010-12-30 19:40:54 -------- d-----w- c:\windows\McAfee.com
    2010-12-26 23:12:33 -------- d-----w- c:\program files\Support Tools
    2010-12-23 04:12:53 -------- dc-h--w- c:\windows\ie8
    2010-12-22 03:25:08 -------- d-----w- C:\rei
    2010-12-22 03:25:04 -------- d-----w- c:\program files\Reimage
    2010-12-19 03:26:02 -------- d-----w- c:\docume~1\admin\applic~1\Avira
    2010-12-19 01:54:37 -------- d-----w- c:\docume~1\admin\locals~1\applic~1\{8A8CAC74-89F5-4779-9753-B1B281C01E31}
    2010-12-19 01:52:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\bCiEf06501
    2010-12-14 04:10:05 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-12-14 04:10:03 -------- d-----w- c:\program files\Avira
    2010-12-14 04:10:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2010-12-14 02:45:16 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2010-12-14 02:45:16 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-12-14 02:43:00 -------- d-----w- c:\docume~1\admin\locals~1\applic~1\{F2ED73AF-4D34-4E23-84C2-E51E0E62A485}
    2010-12-14 01:28:26 -------- d-----w- c:\docume~1\admin\locals~1\applic~1\{F2ED73AF-4D34-4E23-84C2-E51E0E62A485}(2)
    2010-12-14 01:26:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\pJaOc06501

    ==================== Find3M ====================

    2010-12-22 01:08:46 0 ----a-w- c:\windows\Sgejezoweqoh.bin
    2010-11-25 21:25:22 398744 ----a-r- c:\windows\system32\cpnprt2.cid
    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    2008-10-29 01:04:11 17286 ----a-w- c:\program files\common files\jaxerofa.bin
    2008-10-29 01:04:11 16737 ----a-w- c:\program files\common files\udyryjucyw.vbs
    2008-10-29 01:04:11 13973 ----a-w- c:\program files\common files\kahive.vbs

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST3160815AS rev.3.ADA -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x87349555]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8734f7b0]; MOV EAX, [0x8734f82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8737CAB8]
    3 CLASSPNP[0xF7564FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000072[0x87382F18]
    5 ACPI[0xF74DB620] -> nt!IofCallDriver[0x804E13B9] -> [0x87370D98]
    \Driver\atapi[0x87387728] -> IRP_MJ_CREATE -> 0x87349555
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3160815AS_____________________________3.ADA___#5&3380c066&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8734939B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 20:36:22.31 ===============


    Attach.txt is on second reply
  4. rcc2324

    rcc2324 Newcomer, in training Topic Starter

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 1/8/2010 10:18:54 AM
    System Uptime: 1/5/2011 8:01:08 PM (0 hours ago)

    Motherboard: Dell Inc. | | 0RN474
    Processor: Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz | Socket 775 | 2194/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 149 GiB total, 54.612 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP152: 10/1/2010 9:16:17 PM - System Checkpoint
    RP153: 10/3/2010 7:48:40 PM - System Checkpoint
    RP154: 10/4/2010 10:44:54 PM - System Checkpoint
    RP155: 10/4/2010 10:51:45 PM - Software Distribution Service 3.0
    RP156: 10/8/2010 4:37:16 PM - System Checkpoint
    RP157: 10/10/2010 8:02:59 AM - System Checkpoint
    RP158: 10/15/2010 5:28:02 PM - Software Distribution Service 3.0
    RP159: 10/17/2010 3:00:34 PM - System Checkpoint
    RP160: 10/19/2010 5:50:49 PM - System Checkpoint
    RP161: 10/21/2010 4:53:11 PM - System Checkpoint
    RP162: 10/24/2010 11:36:34 AM - System Checkpoint
    RP163: 10/25/2010 12:35:55 PM - System Checkpoint
    RP164: 10/27/2010 6:27:15 PM - System Checkpoint
    RP165: 10/29/2010 6:08:04 PM - System Checkpoint
    RP166: 10/31/2010 4:44:39 PM - System Checkpoint
    RP167: 11/1/2010 4:58:33 PM - System Checkpoint
    RP168: 11/4/2010 6:59:03 AM - System Checkpoint
    RP169: 11/6/2010 2:45:15 PM - System Checkpoint
    RP170: 11/7/2010 7:39:47 PM - System Checkpoint
    RP171: 11/11/2010 6:02:09 PM - Software Distribution Service 3.0
    RP172: 11/12/2010 9:28:26 PM - System Checkpoint
    RP173: 11/16/2010 9:11:10 PM - System Checkpoint
    RP174: 11/18/2010 7:52:37 PM - System Checkpoint
    RP175: 11/20/2010 6:38:36 PM - System Checkpoint
    RP176: 11/21/2010 9:10:34 PM - System Checkpoint
    RP177: 11/24/2010 10:18:25 AM - System Checkpoint
    RP178: 11/25/2010 2:43:15 PM - System Checkpoint
    RP179: 11/29/2010 5:53:06 PM - System Checkpoint
    RP180: 12/5/2010 6:05:00 PM - System Checkpoint
    RP181: 12/6/2010 5:45:19 PM - Removed Dell Support Center (Support Software).
    RP182: 12/6/2010 5:48:20 PM - Removed Dell Support Center (Support Software).
    RP183: 12/7/2010 8:36:23 PM - System Checkpoint
    RP184: 12/10/2010 6:22:52 PM - System Checkpoint
    RP185: 12/12/2010 6:05:46 PM - System Checkpoint
    RP186: 12/13/2010 7:25:38 PM - System Checkpoint
    RP187: 12/13/2010 7:42:37 PM - Restore Operation
    RP188: 12/13/2010 9:10:03 PM - Avira AntiVir Personal - 12/13/2010 21:07
    RP189: 12/14/2010 10:39:17 PM - Software Distribution Service 3.0
    RP190: 12/17/2010 3:58:29 PM - System Checkpoint
    RP191: 12/22/2010 9:13:59 PM - Installed Windows Internet Explorer 8.
    RP192: 12/22/2010 9:43:37 PM - Software Distribution Service 3.0
    RP193: 12/26/2010 3:00:36 PM - Software Distribution Service 3.0
    RP194: 12/30/2010 2:23:43 PM - Installed Microsoft Fix it 50267
    RP195: 12/30/2010 5:20:45 PM - Restore Operation
    RP196: 12/30/2010 5:27:08 PM - Restore Operation
    RP197: 12/30/2010 5:41:29 PM - Restore Operation
    RP198: 12/30/2010 5:49:03 PM - Restore Operation
    RP199: 12/31/2010 1:14:40 PM - Restore Operation

    ==== Installed Programs ======================


    1Click DVD Copy 5.3.0.0
    5600
    5600_Help
    5600Trb
    7-Zip 9.10 beta
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 7.1.0
    AiO_Scan
    AiOSoftware
    American Greetings® CreataCard® 4
    AnswerWorks 4.0 Runtime - English
    AnswerWorks 5.0 English Runtime
    Avira AntiVir Personal - Free Antivirus
    Browser Address Error Redirector
    BufferChm
    CCleaner
    Compatibility Pack for the 2007 Office system
    Coupon Printer for Windows
    CP_Package_Variety1
    CP_Package_Variety2
    CP_Package_Variety3
    CustomerResearchQFolder
    Dell Driver Reset Tool
    Dell Network Assistant
    Dell Support Center (Support Software)
    DellSupport
    Destinations
    DeviceManagementQFolder
    DocProc
    DVD Decrypter (Remove Only)
    DVD Shrink 3.2
    eMusic Download Manager 3.0
    eSupportQFolder
    Fax
    Google Chrome
    Google Desktop
    Google Earth
    Google Update Helper
    Google Updater
    HijackThis 1.99.1
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Extended Capabilities 5.3
    HP Imaging Device Functions 5.3
    HP Photosmart Essential
    HP Product Assistant
    HP PSC & OfficeJet 5.3.B
    HP Solution Center & Imaging Support Tools 5.3
    HP Update
    HPProductAssistant
    Intel(R) PRO Network Connections 12.1.12.0
    iTunes
    Java(TM) 6 Update 17
    Malwarebytes' Anti-Malware
    MarketResearch
    McAfee VirusScan Enterprise
    Memorex exPressit Label Design Studio
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office 97, Professional Edition
    Microsoft Office Word Viewer 2003
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Web Publishing Wizard 1.52
    Mozilla Firefox (3.5.6)
    MP3 Player Utilities 1.47
    MP3 Player Utilities 4.15
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    Nero - Burning Rom
    NewCopy
    NVIDIA Drivers
    OGA Notifier 2.0.0048.0
    Panda ActiveScan 2.0
    PowerDVD
    ProductContext
    QualxServ Service Agreement
    QuickTime
    Readme
    Realtek High Definition Audio Driver
    Reimage Repair
    Roxio Creator Audio
    Roxio Creator BDAV Plugin
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Drag-to-Disc
    Roxio Express Labeler
    Roxio MyDVD DE
    Roxio Update Manager
    Scan
    ScannerCopy
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SolutionCenter
    Sonic Activation Module
    Spybot - Search & Destroy
    SpywareBlaster 4.1
    Status
    SUPERAntiSpyware Free Edition
    SureThing CD Labeler Deluxe Trial 5
    TrayApp
    TurboTax 2008
    TurboTax 2008 waziper
    TurboTax 2008 WinPerFedFormset
    TurboTax 2008 WinPerProgramHelp
    TurboTax 2008 WinPerReleaseEngine
    TurboTax 2008 WinPerTaxSupport
    TurboTax 2008 WinPerUserEducation
    TurboTax 2008 wrapper
    TurboTax 2009
    TurboTax 2009 waziper
    TurboTax 2009 WinPerFedFormset
    TurboTax 2009 WinPerReleaseEngine
    TurboTax 2009 WinPerTaxSupport
    TurboTax 2009 wrapper
    TurboTax Deluxe 2007
    Unload
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB978207)
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Support Tools
    Windows XP Service Pack 3
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    12/31/2010 1:13:50 PM, error: Print [19] - Sharing printer failed + 1722, Printer Microsoft XPS Document Writer share name Printer.
    12/30/2010 8:00:33 AM, error: Print [19] - Sharing printer failed + 1722, Printer HP Officejet 5600 series fax share name Printer2.
    12/30/2010 5:46:26 PM, error: Service Control Manager [7000] - The Direct Parallel Link Helper service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.
    12/30/2010 5:27:05 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Search service to connect.
    12/30/2010 5:27:05 PM, error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    12/30/2010 5:27:05 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    12/30/2010 5:27:03 PM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
    12/30/2010 5:25:06 PM, error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
    12/30/2010 3:24:15 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    12/30/2010 11:58:39 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
    1/5/2011 8:00:02 PM, error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 7:53:54 PM, error: Service Control Manager [7034] - The SupportSoft Sprocket Service (dellsupportcenter) service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 7:53:54 PM, error: Service Control Manager [7034] - The Roxio Hard Drive Watcher 9 service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 7:53:54 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 7:53:54 PM, error: Service Control Manager [7034] - The McAfee Task Manager service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 7:53:15 PM, error: Service Control Manager [7034] - The McAfee Framework Service service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 7:53:15 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 7:53:15 PM, error: Service Control Manager [7034] - The Intuit Update Service service terminated unexpectedly. It has done this 1 time(s).
    1/5/2011 7:53:15 PM, error: Service Control Manager [7034] - The Advanced Networking Service service terminated unexpectedly. It has done this 1 time(s).
    1/4/2011 9:54:32 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    1/4/2011 8:30:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio avipbb Fips intelppm pavboot SASDIFSV SASKUTIL ssmdrv
    1/2/2011 7:45:51 AM, error: Print [19] - Sharing printer failed + 1722, Printer HP Officejet 5600 series share name Printer3.

    ==== End Of File ===========================
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry for delay- internet was down most of day.

    Download bootkitremover.rar and save it to your desktop.
    • Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip.
    • Double-click on the remover.exe file to run the program.
    • Paste the output in your next reply.
    ====================================
    You are running 2 AV programs. Please decide which you want to keep and remove the other. This is a vulnerability on the system:
    AV: AntiVir Desktop *Enabled/Updated*
    AV: McAfee VirusScan Enterprise

    Removal tools to help:
    McAfee Removal
    To uninstall Avira:
    • Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
    • Wait for the list of installed programs to load, then click the name of the Avira program.
    • Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
    • Press Yes, to confirm the removal and then OK.
    • Click Next until Finish. The software is removed.
    Please reboot the system when finished.
    ===================================
    When you have finished the above, please run the following:
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
      [​IMG]
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [​IMG]
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
  6. rcc2324

    rcc2324 Newcomer, in training Topic Starter

    Thanks for replying, I was away from home and couldn't work on PC till today.
    I downloaded bootkitremover and ran remover.exe
    here is the output:

    .\debug.cpp(238) : Debug log started at 09.01.2011 - 19:27:31
    .\boot_cleaner.cpp(527) : Bootkit Remover
    .\boot_cleaner.cpp(528) : (c) 2009 eSage Lab
    .\boot_cleaner.cpp(529) : www.esagelab.com
    .\boot_cleaner.cpp(533) : Program version: 1.2.0.0
    .\boot_cleaner.cpp(540) : OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    .\debug.cpp(248) : **********************************************
    .\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
    .\debug.cpp(250) : **********************************************
    .\debug.cpp(256) : 0x804d7000 0x00228000 "\WINDOWS\system32\ntoskrnl.exe"
    .\debug.cpp(256) : 0x806ff000 0x00020d00 "\WINDOWS\system32\hal.dll"
    .\debug.cpp(256) : 0x87329000 0x00003000 "\WINDOWS\system32\KDCOM.DLL"
    .\debug.cpp(256) : 0xf7938000 0x00003000 "\WINDOWS\system32\BOOTVID.dll"
    .\debug.cpp(256) : 0xf74d5000 0x0002e000 "ACPI.sys"
    .\debug.cpp(256) : 0xf7a24000 0x00002000 "\WINDOWS\system32\DRIVERS\WMILIB.SYS"
    .\debug.cpp(256) : 0xf74c4000 0x00011000 "pci.sys"
    .\debug.cpp(256) : 0xf7524000 0x0000a000 "isapnp.sys"
    .\debug.cpp(256) : 0xf7402000 0x000c2000 "exwudxqs.sys"
    .\debug.cpp(256) : 0xf7aec000 0x00001000 "pciide.sys"
    .\debug.cpp(256) : 0xf77a4000 0x00007000 "\WINDOWS\system32\DRIVERS\PCIIDEX.SYS"
    .\debug.cpp(256) : 0xf7534000 0x0000b000 "MountMgr.sys"
    .\debug.cpp(256) : 0xf73e3000 0x0001f000 "ftdisk.sys"
    .\debug.cpp(256) : 0xf7a26000 0x00002000 "dmload.sys"
    .\debug.cpp(256) : 0xf73bd000 0x00026000 "dmio.sys"
    .\debug.cpp(256) : 0xf77ac000 0x00005000 "PartMgr.sys"
    .\debug.cpp(256) : 0xf77b4000 0x00006000 "pavboot.sys"
    .\debug.cpp(256) : 0xf7544000 0x0000d000 "VolSnap.sys"
    .\debug.cpp(256) : 0xf72f6000 0x000c7000 "iaStor.sys"
    .\debug.cpp(256) : 0xf72de000 0x00018000 "atapi.sys"
    .\debug.cpp(256) : 0xf77bc000 0x00008000 "cercsr6.sys"
    .\debug.cpp(256) : 0xf72c6000 0x00018000 "\WINDOWS\System32\Drivers\SCSIPORT.SYS"
    .\debug.cpp(256) : 0xf7554000 0x00009000 "disk.sys"
    .\debug.cpp(256) : 0xf7564000 0x0000d000 "\WINDOWS\system32\DRIVERS\CLASSPNP.SYS"
    .\debug.cpp(256) : 0xf72a6000 0x00020000 "fltmgr.sys"
    .\debug.cpp(256) : 0xf7294000 0x00012000 "sr.sys"
    .\debug.cpp(256) : 0xf727e000 0x00016000 "DRVMCDB.SYS"
    .\debug.cpp(256) : 0xf7574000 0x00009000 "PxHelp20.sys"
    .\debug.cpp(256) : 0xf7267000 0x00017000 "KSecDD.sys"
    .\debug.cpp(256) : 0xf7254000 0x00013000 "WudfPf.sys"
    .\debug.cpp(256) : 0xf71c7000 0x0008d000 "Ntfs.sys"
    .\debug.cpp(256) : 0xf719a000 0x0002d000 "NDIS.sys"
    .\debug.cpp(256) : 0xf7180000 0x0001a000 "Mup.sys"
    .\debug.cpp(256) : 0xf76b4000 0x00009000 "\SystemRoot\system32\DRIVERS\intelppm.sys"
    .\debug.cpp(256) : 0xf61e3000 0x0068a000 "\SystemRoot\system32\DRIVERS\nv4_mini.sys"
    .\debug.cpp(256) : 0xf61cf000 0x00014000 "\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS"
    .\debug.cpp(256) : 0xf618e000 0x00041000 "\SystemRoot\system32\DRIVERS\e1e5132.sys"
    .\debug.cpp(256) : 0xf78d4000 0x00006000 "\SystemRoot\system32\DRIVERS\usbuhci.sys"
    .\debug.cpp(256) : 0xf616a000 0x00024000 "\SystemRoot\system32\DRIVERS\USBPORT.SYS"
    .\debug.cpp(256) : 0xf78dc000 0x00008000 "\SystemRoot\system32\DRIVERS\usbehci.sys"
    .\debug.cpp(256) : 0xf6142000 0x00028000 "\SystemRoot\system32\DRIVERS\HDAudBus.sys"
    .\debug.cpp(256) : 0xf78e4000 0x00007000 "\SystemRoot\system32\DRIVERS\fdc.sys"
    .\debug.cpp(256) : 0xf76c4000 0x0000b000 "\SystemRoot\system32\DRIVERS\imapi.sys"
    .\debug.cpp(256) : 0xf7a74000 0x00002000 "\SystemRoot\System32\Drivers\DLACDBHM.SYS"
    .\debug.cpp(256) : 0xf76d4000 0x00010000 "\SystemRoot\system32\DRIVERS\cdrom.sys"
    .\debug.cpp(256) : 0xf76e4000 0x0000f000 "\SystemRoot\system32\DRIVERS\redbook.sys"
    .\debug.cpp(256) : 0xf611f000 0x00023000 "\SystemRoot\system32\DRIVERS\ks.sys"
    .\debug.cpp(256) : 0xf78ec000 0x00007000 "\SystemRoot\System32\Drivers\GEARAspiWDM.sys"
    .\debug.cpp(256) : 0xf7be5000 0x00001000 "\SystemRoot\system32\DRIVERS\audstub.sys"
    .\debug.cpp(256) : 0xf76f4000 0x0000d000 "\SystemRoot\system32\DRIVERS\rasl2tp.sys"
    .\debug.cpp(256) : 0xf686d000 0x00003000 "\SystemRoot\system32\DRIVERS\ndistapi.sys"
    .\debug.cpp(256) : 0xf6108000 0x00017000 "\SystemRoot\system32\DRIVERS\ndiswan.sys"
    .\debug.cpp(256) : 0xf7704000 0x0000b000 "\SystemRoot\system32\DRIVERS\raspppoe.sys"
    .\debug.cpp(256) : 0xf7714000 0x0000c000 "\SystemRoot\system32\DRIVERS\raspptp.sys"
    .\debug.cpp(256) : 0xf78f4000 0x00005000 "\SystemRoot\system32\DRIVERS\TDI.SYS"
    .\debug.cpp(256) : 0xf60f7000 0x00011000 "\SystemRoot\system32\DRIVERS\psched.sys"
    .\debug.cpp(256) : 0xf7724000 0x00009000 "\SystemRoot\system32\DRIVERS\msgpc.sys"
    .\debug.cpp(256) : 0xf78fc000 0x00005000 "\SystemRoot\system32\DRIVERS\ptilink.sys"
    .\debug.cpp(256) : 0xf7904000 0x00005000 "\SystemRoot\system32\DRIVERS\raspti.sys"
    .\debug.cpp(256) : 0xf7734000 0x0000c000 "\SystemRoot\System32\Drivers\pcouffin.sys"
    .\debug.cpp(256) : 0xf60c7000 0x00030000 "\SystemRoot\system32\DRIVERS\rdpdr.sys"
    .\debug.cpp(256) : 0xf7744000 0x0000a000 "\SystemRoot\system32\DRIVERS\termdd.sys"
    .\debug.cpp(256) : 0xf790c000 0x00006000 "\SystemRoot\system32\DRIVERS\kbdclass.sys"
    .\debug.cpp(256) : 0xf7914000 0x00006000 "\SystemRoot\system32\DRIVERS\mouclass.sys"
    .\debug.cpp(256) : 0xf7a76000 0x00002000 "\SystemRoot\system32\DRIVERS\swenum.sys"
    .\debug.cpp(256) : 0xf6069000 0x0005e000 "\SystemRoot\system32\DRIVERS\update.sys"
    .\debug.cpp(256) : 0xf79e0000 0x00004000 "\SystemRoot\system32\DRIVERS\mssmbios.sys"
    .\debug.cpp(256) : 0xf6915000 0x0000a000 "\SystemRoot\System32\Drivers\NDProxy.SYS"
    .\debug.cpp(256) : 0xee97d000 0x0000f000 "\SystemRoot\system32\DRIVERS\usbhub.sys"
    .\debug.cpp(256) : 0xf7a4c000 0x00002000 "\SystemRoot\system32\DRIVERS\USBD.SYS"
    .\debug.cpp(256) : 0xb2da7000 0x0045d000 "\SystemRoot\system32\drivers\RtkHDAud.sys"
    .\debug.cpp(256) : 0xb2d83000 0x00024000 "\SystemRoot\system32\drivers\portcls.sys"
    .\debug.cpp(256) : 0xb49d4000 0x0000f000 "\SystemRoot\system32\drivers\drmk.sys"
    .\debug.cpp(256) : 0xb4527000 0x00003000 "\SystemRoot\System32\Drivers\i2omgmt.SYS"
    .\debug.cpp(256) : 0xb4d36000 0x00008000 "\SystemRoot\system32\DRIVERS\usbccgp.sys"
    .\debug.cpp(256) : 0xb3b8f000 0x00003000 "\SystemRoot\system32\DRIVERS\hidusb.sys"
    .\debug.cpp(256) : 0xb3f25000 0x00009000 "\SystemRoot\system32\DRIVERS\HIDCLASS.SYS"
    .\debug.cpp(256) : 0xb415d000 0x00007000 "\SystemRoot\system32\DRIVERS\HIDPARSE.SYS"
    .\debug.cpp(256) : 0xb4155000 0x00007000 "\SystemRoot\system32\DRIVERS\USBSTOR.SYS"
    .\debug.cpp(256) : 0xf7a4a000 0x00002000 "\SystemRoot\System32\Drivers\Fs_Rec.SYS"
    .\debug.cpp(256) : 0xb3d7b000 0x00001000 "\SystemRoot\System32\Drivers\Null.SYS"
    .\debug.cpp(256) : 0xf7a50000 0x00002000 "\SystemRoot\System32\Drivers\Beep.SYS"
    .\debug.cpp(256) : 0xb4145000 0x00006000 "\SystemRoot\System32\Drivers\DLARTL_M.SYS"
    .\debug.cpp(256) : 0xb413d000 0x00006000 "\SystemRoot\System32\drivers\vga.sys"
    .\debug.cpp(256) : 0xf7a52000 0x00002000 "\SystemRoot\System32\Drivers\mnmdd.SYS"
    .\debug.cpp(256) : 0xb5de9000 0x00002000 "\SystemRoot\System32\DRIVERS\RDPCDD.sys"
    .\debug.cpp(256) : 0xb4135000 0x00005000 "\SystemRoot\System32\Drivers\Msfs.SYS"
    .\debug.cpp(256) : 0xb412d000 0x00008000 "\SystemRoot\System32\Drivers\Npfs.SYS"
    .\debug.cpp(256) : 0xb3b83000 0x00003000 "\SystemRoot\system32\DRIVERS\rasacd.sys"
    .\debug.cpp(256) : 0xb2d50000 0x00013000 "\SystemRoot\system32\DRIVERS\ipsec.sys"
    .\debug.cpp(256) : 0xb2cf7000 0x00059000 "\SystemRoot\system32\DRIVERS\tcpip.sys"
    .\debug.cpp(256) : 0xb3ec5000 0x0000c000 "\SystemRoot\system32\drivers\mfetdik.sys"
    .\debug.cpp(256) : 0xb2cd1000 0x00026000 "\SystemRoot\system32\DRIVERS\ipnat.sys"
    .\debug.cpp(256) : 0xb2ca9000 0x00028000 "\SystemRoot\system32\DRIVERS\netbt.sys"
    .\debug.cpp(256) : 0xb3eb5000 0x00009000 "\SystemRoot\system32\DRIVERS\wanarp.sys"
    .\debug.cpp(256) : 0xb3b6f000 0x00003000 "\SystemRoot\System32\drivers\ws2ifsl.sys"
    .\debug.cpp(256) : 0xb2c87000 0x00022000 "\SystemRoot\System32\drivers\afd.sys"
    .\debug.cpp(256) : 0xb3ea5000 0x00009000 "\SystemRoot\system32\DRIVERS\netbios.sys"
    .\debug.cpp(256) : 0xb411d000 0x00006000 "\SystemRoot\system32\DRIVERS\ssmdrv.sys"
    .\debug.cpp(256) : 0xb2c65000 0x00022000 "\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys"
    .\debug.cpp(256) : 0xb4115000 0x00006000 "\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS"
    .\debug.cpp(256) : 0xb2c3a000 0x0002b000 "\SystemRoot\system32\DRIVERS\rdbss.sys"
    .\debug.cpp(256) : 0xb2bca000 0x00070000 "\SystemRoot\system32\DRIVERS\mrxsmb.sys"
    .\debug.cpp(256) : 0xb3947000 0x0000b000 "\SystemRoot\System32\Drivers\Fips.SYS"
    .\debug.cpp(256) : 0xb2ba4000 0x00026000 "\SystemRoot\system32\DRIVERS\avipbb.sys"
    .\debug.cpp(256) : 0xb5ddb000 0x00002000 "\??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys"
    .\debug.cpp(256) : 0xf195e000 0x00004000 "\SystemRoot\system32\DRIVERS\usbscan.sys"
    .\debug.cpp(256) : 0xb3887000 0x00007000 "\SystemRoot\system32\DRIVERS\usbprint.sys"
    .\debug.cpp(256) : 0xb387f000 0x00006000 "\SystemRoot\system32\DRIVERS\HPZius12.sys"
    .\debug.cpp(256) : 0xef3b8000 0x00003000 "\SystemRoot\system32\DRIVERS\mouhid.sys"
    .\debug.cpp(256) : 0xeb009000 0x00010000 "\SystemRoot\System32\Drivers\Cdfs.SYS"
    .\debug.cpp(256) : 0xef3ac000 0x00004000 "\SystemRoot\system32\DRIVERS\kbdhid.sys"
    .\debug.cpp(256) : 0xf7128000 0x0000d000 "\SystemRoot\system32\DRIVERS\HPZid412.sys"
    .\debug.cpp(256) : 0xef3a8000 0x00004000 "\SystemRoot\system32\DRIVERS\HPZipr12.sys"
    .\debug.cpp(256) : 0xb2b8c000 0x00018000 "\SystemRoot\System32\Drivers\dump_atapi.sys"
    .\debug.cpp(256) : 0xb4f32000 0x00002000 "\SystemRoot\System32\Drivers\dump_WMILIB.SYS"
    .\debug.cpp(256) : 0xbf800000 0x001c5000 "\SystemRoot\System32\win32k.sys"
    .\debug.cpp(256) : 0xf7158000 0x00003000 "\SystemRoot\System32\drivers\Dxapi.sys"
    .\debug.cpp(256) : 0xeb846000 0x00005000 "\SystemRoot\System32\watchdog.sys"
    .\debug.cpp(256) : 0xbf000000 0x00012000 "\SystemRoot\System32\drivers\dxg.sys"
    .\debug.cpp(256) : 0xf7b5d000 0x00001000 "\SystemRoot\System32\drivers\dxgthk.sys"
    .\debug.cpp(256) : 0xbf012000 0x00584000 "\SystemRoot\System32\nv4_disp.dll"
    .\debug.cpp(256) : 0xbffa0000 0x00047000 "\SystemRoot\System32\ATMFD.DLL"
    .\debug.cpp(256) : 0xb2977000 0x00015000 "\SystemRoot\system32\DRIVERS\avgntflt.sys"
    .\debug.cpp(256) : 0xf7614000 0x0000b000 "\SystemRoot\System32\Drivers\DRVNDDM.SYS"
    .\debug.cpp(256) : 0xeb0f6000 0x00001000 "\SystemRoot\System32\DLA\DLADResM.SYS"
    .\debug.cpp(256) : 0xb295f000 0x00018000 "\SystemRoot\System32\DLA\DLAIFS_M.SYS"
    .\debug.cpp(256) : 0xf780c000 0x00005000 "\SystemRoot\System32\DLA\DLAOPIOM.SYS"
    .\debug.cpp(256) : 0xee782000 0x00002000 "\SystemRoot\System32\DLA\DLAPoolM.SYS"
    .\debug.cpp(256) : 0xf7814000 0x00007000 "\SystemRoot\System32\DLA\DLABMFSM.SYS"
    .\debug.cpp(256) : 0xf781c000 0x00007000 "\SystemRoot\System32\DLA\DLABOIOM.SYS"
    .\debug.cpp(256) : 0xb2949000 0x00016000 "\SystemRoot\System32\DLA\DLAUDFAM.SYS"
    .\debug.cpp(256) : 0xb2932000 0x00017000 "\SystemRoot\System32\DLA\DLAUDF_M.SYS"
    .\debug.cpp(256) : 0xf7948000 0x00004000 "\SystemRoot\system32\DRIVERS\packet.sys"
    .\debug.cpp(256) : 0xf7150000 0x00004000 "\SystemRoot\system32\DRIVERS\ndisuio.sys"
    .\debug.cpp(256) : 0xb283d000 0x0002d000 "\SystemRoot\system32\DRIVERS\mrxdav.sys"
    .\debug.cpp(256) : 0xb4489000 0x00002000 "\SystemRoot\system32\DRIVERS\dsunidrv.sys"
    .\debug.cpp(256) : 0xb275c000 0x00041000 "\SystemRoot\System32\Drivers\HTTP.sys"
    .\debug.cpp(256) : 0xefc12000 0x00009000 "\SystemRoot\system32\DRIVERS\ipfltdrv.sys"
    .\debug.cpp(256) : 0xb26b4000 0x00058000 "\SystemRoot\system32\DRIVERS\srv.sys"
    .\debug.cpp(256) : 0xb1eec000 0x00028000 "\SystemRoot\system32\drivers\mfehidk.sys"
    .\debug.cpp(256) : 0xeeacb000 0x00007000 "\SystemRoot\system32\drivers\mfebopk.sys"
    .\debug.cpp(256) : 0xb2424000 0x0000f000 "\SystemRoot\system32\drivers\mfeapfk.sys"
    .\debug.cpp(256) : 0xb24e4000 0x00010000 "\SystemRoot\system32\drivers\mfeavfk.sys"
    .\debug.cpp(256) : 0xb1e5f000 0x00015000 "\SystemRoot\system32\drivers\wdmaud.sys"
    .\debug.cpp(256) : 0xb2394000 0x0000f000 "\SystemRoot\system32\drivers\sysaudio.sys"
    .\debug.cpp(256) : 0x7c900000 0x000b2000 "\WINDOWS\system32\ntdll.dll"
    .\debug.cpp(263) : **********************************************
    .\debug.cpp(307) : *** [ DEVICE OBJECTS INFORMATION ] ***********
    .\debug.cpp(308) : **********************************************
    .\debug.cpp(400) : Destination "\Device\USBFDO-7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#Disk&Ven_FLASH_CA&Prod_RD_READER_Slot_D&Rev_#0000000&1#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000087"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50671-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&2c76000c&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk3\DP(1)0-0+9"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3e227e76-690d-11d2-8161-0000f8775bf1}"
    .\debug.cpp(400) : Destination "\Device\00000044"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0888&SUBSYS_1028023D&REV_1000#4&1e41d60b&0&0201#{86841137-ed8e-4d97-9975-f2ed56b4430e}"
    .\debug.cpp(400) : Destination "\Device\0000007c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomTSSTcorp_DVD+-RW_TS-H653B_______________D200____#5&6f530e0&0&0.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#Disk&Ven_FLASH_CA&Prod_RD_READER_Slot_S&Rev_#0000000&2#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000088"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9ea331fa-b91b-45f8-9285-bd2bc77afcde}"
    .\debug.cpp(400) : Destination "\Device\00000044"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad809c00-7b88-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000044"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{e0ec2552-a28a-11dc-9e1a-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\patincouffin0"
    .\debug.cpp(400) : Destination "\Device\Patin couffin device0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_15#_1#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
    .\debug.cpp(400) : Destination "\Device\0000004a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&1d099e7c&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_413c&Pid_2105#5&26139fa&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-10"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_03f0&Pid_4f11&MI_00#6&16b42c1f&0&0000#{6bdd1fc6-810f-11d0-bec7-08002be2092f}"
    .\debug.cpp(400) : Destination "\Device\00000080"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomTSSTcorp_DVD+-RW_TS-H653B_______________D200____#5&6f530e0&0&0.0.0#{1186654d-47b8-48b9-beb9-7df113ae3c67}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MountPointManager"
    .\debug.cpp(400) : Destination "\Device\MountPointManager"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmConfig"
    .\debug.cpp(400) : Destination "\Device\DmControl\DmConfig"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_L2TPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000039"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ssmctl"
    .\debug.cpp(400) : Destination "\Device\ssmctl"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{CE5C1319-845-E03E-F5CB-B9327ECEFF93}"
    .\debug.cpp(400) : Destination "\Device\{CE5C1319-845-E03E-F5CB-B9327ECEFF93}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50674-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MbDlDp32"
    .\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Pavboot"
    .\debug.cpp(400) : Destination "\Device\Pavboot"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#ftdisk#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000003"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&1a756b9d&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{af041bc6-fc38-11de-997c-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{af041bc7-fc38-11de-997c-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WanArp"
    .\debug.cpp(400) : Destination "\Device\WANARP"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmTrace"
    .\debug.cpp(400) : Destination "\Device\DmControl\DmTrace"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_413c&Pid_2105#6&104a6906&0&0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000085"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{54D4F157-B845-4427-B1EC-4C41C9E365E8}"
    .\debug.cpp(400) : Destination "\Device\{54D4F157-B845-4427-B1EC-4C41C9E365E8}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{049d7f5f-20a8-11de-a197-001aa09a4cab}"
    .\debug.cpp(400) : Destination "\Device\Harddisk2\DP(1)0-0+8"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#dmio#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISWANIP"
    .\debug.cpp(400) : Destination "\Device\NdisWanIp"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000044"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2935&SUBSYS_023D1028&REV_02#3&2411e6fe&0&E9#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0009"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\dsunidrv_GTKCMOS"
    .\debug.cpp(400) : Destination "\Device\dsunidrv_GTKCMOS"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SASKUTIL"
    .\debug.cpp(400) : Destination "\Device\SASKUTIL"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi0:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{fbf6f530-07b9-11d2-a71e-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{bf963d80-c559-11d0-8a2b-00a0c9255ac1}"
    .\debug.cpp(400) : Destination "\Device\00000044"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&Signature41AB2316Offset36E8E00Length253D336A00#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&7141191&0&RM#{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk2\DP(1)0-0+8"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&7141191&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk2\DP(1)0-0+8"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK1"
    .\debug.cpp(400) : Destination "\Device\ParTechInc0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPTPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{4747b320-62ce-11cf-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000044"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\INTELPRO_{54D4F157-B845-4427-B1EC-4C41C9E365E8}"
    .\debug.cpp(400) : Destination "\Device\INTELPRO_{54D4F157-B845-4427-B1EC-4C41C9E365E8}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{DEEAE300-316C-4876-9379-AFCF06A84BD8}"
    .\debug.cpp(400) : Destination "\Device\{DEEAE300-316C-4876-9379-AFCF06A84BD8}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2936&SUBSYS_023D1028&REV_02#3&2411e6fe&0&EA#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0010"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2934&SUBSYS_023D1028&REV_02#3&2411e6fe&0&E8#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0008"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\dsunidrv_GTKUniDriver"
    .\debug.cpp(400) : Destination "\Device\dsunidrv_GTKUniDriver"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmLoader"
    .\debug.cpp(400) : Destination "\Device\DmLoader"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK2"
    .\debug.cpp(400) : Destination "\Device\ParTechInc1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPMULTICAST"
    .\debug.cpp(400) : Destination "\Device\IPMULTICAST"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi1:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{af041bc8-fc38-11de-997c-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\Harddisk2\DP(1)0-0+8"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Packet_{54D4F157-B845-4427-B1EC-4C41C9E365E8}"
    .\debug.cpp(400) : Destination "\Device\Packet_{54D4F157-B845-4427-B1EC-4C41C9E365E8}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NdisWan"
    .\debug.cpp(400) : Destination "\Device\NdisWan"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISTAPI"
    .\debug.cpp(400) : Destination "\Device\NdisTapi"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{a7c7a5b1-5af3-11d1-9ced-00a024bf0407}"
    .\debug.cpp(400) : Destination "\Device\00000044"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : Device "\GLOBAL??\DLAIFS"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\drvmcdb"
    .\debug.cpp(400) : Destination "\Device\drvmcdb"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK3"
    .\debug.cpp(400) : Destination "\Device\ParTechInc2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{5DBEB105-DEA3-47EE-801E-4F293FD25B2D}"
    .\debug.cpp(400) : Destination "\Device\{5DBEB105-DEA3-47EE-801E-4F293FD25B2D}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_0423&SUBSYS_049410DE&REV_A1#4&b71b61b&0&0008#{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0017"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB20#4&fcf62b7&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_045e&Pid_0040#5&26139fa&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-9"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0888&SUBSYS_1028023D&REV_1000#4&1e41d60b&0&0201#{65e8773e-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000007c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{049d7f5e-20a8-11de-a197-001aa09a4cab}"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{e0ec2553-a28a-11dc-9e1a-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Shadow"
    .\debug.cpp(400) : Destination "\Device\LanmanRedirector"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FtControl"
    .\debug.cpp(400) : Destination "\Device\FtControl"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SABDIFSV"
    .\debug.cpp(400) : Destination "\Device\SASDIFSV"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgr"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgr"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AUX"
    .\debug.cpp(400) : Destination "\DosDevices\COM1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MAILSLOT"
    .\debug.cpp(400) : Destination "\Device\MailSlot"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT"
    .\debug.cpp(400) : Destination ""
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NUL"
    .\debug.cpp(400) : Destination "\Device\Null"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi2:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000043"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Packet"
    .\debug.cpp(400) : Destination "\Device\Packet"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ndisuio"
    .\debug.cpp(400) : Destination "\Device\Ndisuio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#Disk&Ven_FLASH_CA&Prod_RD_READER_Slot_A&Rev_#0000000&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000086"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{6AFC366D-296E-4803-8210-5117A775E02D}"
    .\debug.cpp(400) : Destination "\Device\{6AFC366D-296E-4803-8210-5117A775E02D}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000042"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0888&SUBSYS_1028023D&REV_1000#4&1e41d60b&0&0201#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000007c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomTSSTcorp_DVD+-RW_TS-H653B_______________D200____#5&6f530e0&0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmInfo"
    .\debug.cpp(400) : Destination "\Device\DmControl\DmInfo"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&3bfe57a&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_07cc&Pid_0200#0000000#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-11"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#DiskST3160815AS_____________________________3.ADA___#5&3380c066&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP0T0L0-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\avipbb"
    .\debug.cpp(400) : Destination "\Device\avipbb"
    .\debug.cpp(409) : --
    .\debug.cpp(453) : **********************************************
    .\boot_cleaner.cpp(565) : System volume is \\.\C:
    .\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00
    .\boot_cleaner.cpp(1060) :
    .\boot_cleaner.cpp(1061) : Size Device Name MBR Status
    .\boot_cleaner.cpp(1062) : --------------------------------------------
    .\boot_cleaner.cpp(1106) : 149 GB \\.\PhysicalDrive0 Controlled by rootkit!
    .\boot_cleaner.cpp(1112) :
    .\boot_cleaner.cpp(1135) : Boot code on some of your physical disks is hidden by a rootkit.
    .\boot_cleaner.cpp(1137) : To disinfect the master boot sector, use the following command:
    .\boot_cleaner.cpp(1138) : remover.exe fix <device_name>
    .\boot_cleaner.cpp(1142) : To inspect the boot code manually, dump the master boot sector:
    .\boot_cleaner.cpp(1143) : remover.exe dump <device_name> [output_file]
    .\boot_cleaner.cpp(1146) :
    .\boot_cleaner.cpp(1151) : Done;



    Combofix log on second reply
  7. rcc2324

    rcc2324 Newcomer, in training Topic Starter

    I got rid of McAfee VirusScan

    downloaded and ran Combofix

    When I ran Combofix it installed the Recovery Console OK and then started the Combofix scan, and it detected Rootkit TDL3 and rebooted the PC. When it tried to restart Windows it would shut down and try to restart again. After about 4 times I started Windows in safe mode and Combofix started automatically. It completed all 50 stages and then proceeded to delete a bunch of folders. Then it just stayed on the same screen for about 45 minutes. I could not copy the log because nothing else was loaded in safe mode, only Combofix. I rebooted the PC and ran Windows in normal mode and it ran OK. I ran Combofix again and again it detected Rootkit TDL3 and rebooted the PC. This time it came up in normal mode and it ran Combofix as soon as it booted up. Here is the Combofix.txt file:

    ComboFix 11-01-08.05 - Admin 01/09/2011 15:07:15.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.630 [GMT -7:00]
    Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((( Files Created from 2010-12-09 to 2011-01-09 )))))))))))))))))))))))))))))))
    .

    2011-01-09 20:46 . 2010-12-13 15:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-01-09 20:46 . 2010-12-13 15:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-01-09 20:46 . 2010-06-17 21:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-01-09 20:46 . 2010-06-17 21:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-01-09 20:46 . 2011-01-09 20:46 -------- d-----w- c:\program files\Avira
    2011-01-09 20:46 . 2011-01-09 20:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-01-09 19:21 . 2011-01-09 19:23 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Smith Micro
    2011-01-09 19:21 . 2011-01-09 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Smith Micro
    2011-01-09 19:20 . 2011-01-09 19:20 -------- d-----w- c:\program files\Smith Micro
    2010-12-30 23:56 . 2010-12-31 00:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-12-30 19:40 . 2010-12-30 19:40 -------- d-----w- c:\windows\McAfee.com
    2010-12-26 23:12 . 2010-12-31 00:45 -------- d-----w- c:\program files\Support Tools
    2010-12-23 04:12 . 2010-12-31 00:45 -------- dc-h--w- c:\windows\ie8
    2010-12-22 03:25 . 2010-12-31 00:44 -------- d-----w- C:\rei
    2010-12-22 03:25 . 2010-12-22 03:25 -------- d-----w- c:\program files\Reimage
    2010-12-21 06:19 . 2010-12-21 06:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
    2010-12-19 01:52 . 2010-12-22 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\bCiEf06501
    2010-12-14 02:47 . 2010-12-14 02:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
    2010-12-14 02:45 . 2010-12-14 02:45 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-12-14 02:43 . 2010-12-14 02:43 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\{F2ED73AF-4D34-4E23-84C2-E51E0E62A485}
    2010-12-14 01:26 . 2010-12-14 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\pJaOc06501

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-09 22:18 . 2010-08-30 03:57 768512 ----a-w- c:\windows\system32\drivers\exwudxqs.sys
    2010-11-25 21:25 . 2010-01-24 22:37 398744 ----a-r- c:\windows\system32\cpnprt2.cid
    2010-11-18 18:12 . 2008-07-30 02:40 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-02 15:17 . 2004-08-04 10:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2004-08-04 10:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2004-08-04 10:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    2008-10-29 01:04 . 2008-10-29 01:04 17286 ----a-w- c:\program files\Common Files\jaxerofa.bin
    2008-10-29 01:04 . 2008-10-29 01:04 16737 ----a-w- c:\program files\Common Files\udyryjucyw.vbs
    2008-10-29 01:04 . 2008-10-29 01:04 13973 ----a-w- c:\program files\Common Files\kahive.vbs
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-12-17 2424560]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
    "RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-06-09 128560]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMMyPictures"= 0 (0x0)
    "NoStartMenuMyMusic"= 0 (0x0)
    "NoRecentDocsNetHood"= 0 (0x0)
    "NoSimpleStartMenu"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMMyPictures"= 0 (0x0)
    "NoStartMenuMyMusic"= 0 (0x0)
    "NoRecentDocsNetHood"= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
    "10426:UDP"= 10426:UDP:SingleClick ICC

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/28/2008 7:48 PM 28544]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2008 2:07 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 67656]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/9/2011 1:46 PM 135336]
    S0 serri;serri; [x]
    S1 gfrmfbyi;gfrmfbyi;\??\c:\windows\system32\drivers\gfrmfbyi.sys --> c:\windows\system32\drivers\gfrmfbyi.sys [?]
    S2 gupdate1c99c8972892354;Google Update Service (gupdate1c99c8972892354);c:\program files\Google\Update\GoogleUpdate.exe [3/3/2009 10:24 PM 133104]
    S2 ycgcljpl;Direct Parallel Link Helper;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 3:00 AM 14336]
    S3 cpuz134;cpuz134;\??\c:\docume~1\Admin\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\Admin\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 12872]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - exwudxqs
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-09 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-04 00:37]

    2011-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-04 05:24]

    2011-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-04 05:24]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = iexplore
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-7-Zip - j:\7-zip\Uninstall.exe
    AddRemove-Mozilla Firefox (3.5.6) - j:\uninstall\helper.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-09 15:17
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST3160815AS rev.3.ADA -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x872FA555]<<
    c:\docume~1\Admin\LOCALS~1\Temp\catchme.sys
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x873007b0]; MOV EAX, [0x8730082c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8735AAB8]
    3 CLASSPNP[0xF7564FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\0000006e[0x873C93E0]
    5 ACPI[0xF74DB620] -> nt!IofCallDriver[0x804E13B9] -> [0x8735D940]
    \Driver\atapi[0x87340D10] -> IRP_MJ_CREATE -> 0x872FA555
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3160815AS_____________________________3.ADA___#5&3380c066&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x872FA39B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\exwudxqs]

    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a1,a6,3c,93,d9,58,13,4f,a6,74,37,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a1,a6,3c,93,d9,58,13,4f,a6,74,37,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F1F56AC0-A65A-4148-9834-3E9D0112D97D}\InprocServer32]
    @DACL=(02 0000)
    @="c:\\windows\\system32\\blpbuio.dll"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F1F56AC0-A65A-4148-9834-3E9D0112D97D}\ProgID]
    @DACL=(02 0000)
    @="Lhtzpayn"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @DACL=(02 0010)
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @DACL=(02 0010)
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @DACL=(02 0010)
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\software\Classes\Lhtzpayn\CLSID]
    @DACL=(02 0000)
    @="{F1F56AC0-A65A-4148-9834-3E9D0112D97D}"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\IMAIL]
    @DACL=(02 0000)
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MAPI]
    @DACL=(02 0000)
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MSFS]
    @DACL=(02 0000)
    "Installed"="1"
    .
    Completion time: 2011-01-09 15:22:03
    ComboFix-quarantined-files.txt 2011-01-09 22:21
    ComboFix2.txt 2008-08-07 03:00
    ComboFix3.txt 2008-08-05 01:29
    ComboFix4.txt 2008-08-05 00:24
    ComboFix5.txt 2011-01-09 20:52

    Pre-Run: 58,668,322,816 bytes free
    Post-Run: 58,838,962,176 bytes free

    - - End Of File - - 7543D8DC0E64413DF893C984359EC0C0




    Thanks and please let me know what's next.
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The thread turned the page and I didn't. My apology to you. Please run the following:
    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:
      Code:
      @ECHO OFF
      START remover.exe fix \\.\PhysicalDrive0
      EXIT
      
    • Go File > Save As
    • Save as Type choose All Files
    • For File Name type fix.bat
    • Save In> choose Desktop
    • Save
    • Double click to Run fix.bat
    (You may see a black box appear; this is normal.)

    Run remover.exe again and post its output.
    Do NOT reboot computer!
    =======================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\drivers\gfrmfbyi.sys
    c:\docume~1\admin\locals~1\temp\cpuz134\cpuz134_x32.sys
    c:\windows\system32\drivers\exwudxqs.sys
    c:\windows\system32\cpnprt2.cid
    c:\program files\Common Files\jaxerofa.bin
    c:\program files\Common Files\udyryjucyw.vbs
    c:\program files\Common Files\kahive.vbs
    
    Folder::
    c:\windows\McAfee.com
    c:\documents and settings\Admin\Local Settings\Application Data\{F2ED73AF-4D34-4E23-84C2-E51E0E62A485}
    c:\documents and settings\All Users\Application Data\pJaOc06501
    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    [HKEY_LOCAL_MACHINE\software\Classes\Lhtzpayn\CLSID]
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupportCenter"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupportCenter"=-
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\exwudxqs]
    Driver::
    serri
    gfrmfbyi
    cpuz134
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    The following are outdated and should be uninstalled:
    HijackThis 1.99.1
    Java(TM) 6 Update 17

    For Java update, check this site: Java Updates. Current version is v6u23. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Due to inactivity, this thread will be closed. Please send me a PM if you still need help for this issue and I will reopen.