Google webhp redirection

Solved
By zeromk5
Dec 10, 2010
  1. Hey guys, I just saw a thread that sounds similar to this but I decided to make my own thread because the rules warn us not to follow other people's directions. Hopefully I'm not too much of a bother.

    Basically, I have a problem where clicking on search results in Google will redirect me to a completely different page, some sort of fishy search engine site. Not only that, Firefox will sometimes randomly open up a new tab addressed "www.google.com/webhp", which I don't think is the real Google at all, and I immediately close it.

    I'm not sure if this is related, but around the same time I got this problem, clicking on my Firefox quick launch button, or double-clicking on the shortcut, won't open up a window of Firefox, and instead I have to double-click on one of those internet address shortcuts which lead to a specific site and then go to whichever site I want.

    Also, I often get an error message saying "generic host process for win32 services has encountered a problem". This'll turn my taskbar into the classic Windows XP theme, and completely shut off my sound and volume control, and maybe 5 to 10 minutes later, it disconnects my internet connection.

    I know this seems like a lot at once, but it just suddenly started happening 2 or 3 days ago, and I'm not sure what the cause of this is. Anyway, I managed to follow the 8 steps and got the log files. I'll copy-paste them into separate posts if that's okay.
  2. zeromk5

    zeromk5 Newcomer, in training Topic Starter

    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5247

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    12/10/2010 11:05:04 PM
    mbam-log-2010-12-10 (23-05-04).txt

    Scan type: Quick scan
    Objects scanned: 140133
    Time elapsed: 2 minute(s), 28 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  3. zeromk5

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-12-10 23:12:16
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 Hitachi_HDT721010SLA360 rev.ST6OA3AA
    Running: s5rdc7nf.exe; Driver: C:\DOCUME~1\Test\LOCALS~1\Temp\kgnyqpob.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8B28239B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8B28239B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8B28239B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8B28239B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8B28239B
    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HDT721010SLA360_________________ST6OA3AA#5&2ea7e938&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----
  4. zeromk5

    DDS (Ver_10-12-05.01) - NTFSx86
    Run by Test at 23:12:37.17 on Fri 12/10/2010
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2531 [GMT 11:00]

    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
    C:\WINDOWS\vsnp2std.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Razer\DeathAdder\razerhid.exe
    C:\Program Files\Razer\Arctosa\razerhid.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    C:\Documents and Settings\Test\Bluebirds\BlueBirds.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe -k Akamai
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe
    C:\Program Files\Razer\DeathAdder\razerofa.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\Wacom_Tablet.exe
    C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
    C:\WINDOWS\system32\Wacom_Tablet.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Test\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: Messenger Plus Live Australia Toolbar: {ea0969b3-6e12-4ac0-b6c9-148e81247954} - c:\program files\messenger_plus_live_australia\tbMes1.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mi1933~1\office14\GROOVEEX.DLL
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mi1933~1\office14\URLREDIR.DLL
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: Messenger Plus Live Australia Toolbar: {ea0969b3-6e12-4ac0-b6c9-148e81247954} - c:\program files\messenger_plus_live_australia\tbMes1.dll
    BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
    TB: Messenger Plus Live Australia Toolbar: {ea0969b3-6e12-4ac0-b6c9-148e81247954} - c:\program files\messenger_plus_live_australia\tbMes1.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    uRun: [bluebirds] c:\documents and settings\test\bluebirds\BlueBirds.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Six Engine] "c:\program files\asus\epu-4 engine\FourEngine.exe" -r
    mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
    mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
    mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
    mRun: [EPSON Stylus C45 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
    mRun: [snp2std] c:\windows\vsnp2std.exe
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [DeathAdder] c:\program files\razer\deathadder\razerhid.exe
    mRun: [Arctosa] "c:\program files\razer\arctosa\razerhid.exe"
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
    mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
    mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
    mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
    mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    StartupFolder: c:\docume~1\test\startm~1\programs\startup\warkey~1.lnk - c:\program files\warkeys\autowarkey\autohotkey\AutoHotkey.exe
    IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
    IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\mi1933~1\office14\ONBttnIE.dll/105
    IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
    DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office14\GROOVEEX.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\test\applic~1\mozilla\firefox\profiles\91f8333l.default\
    FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
    FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
    FF - plugin: c:\documents and settings\test\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\test\application data\mozilla\plugins\npoctoshape.dll
    FF - plugin: c:\progra~1\mi1933~1\office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\mi1933~1\office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\tabletplugins\npwacom.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Extension: Flash Video Downloader - Youtube Downloader: artur.dubovoy@gmail.com - c:\docume~1\test\applic~1\mozilla\firefox\profiles\91f8333l.default\extensions\artur.dubovoy@gmail.com
    FF - Extension: Personas: personas@christopher.beard - c:\docume~1\test\applic~1\mozilla\firefox\profiles\91f8333l.default\extensions\personas@christopher.beard
    FF - Extension: Veoh Video Compass: searchrecs@veoh.com - c:\docume~1\test\applic~1\mozilla\firefox\profiles\91f8333l.default\extensions\searchrecs@veoh.com

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-10 11608]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-10 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-10 267944]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-10 61960]
    R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-8-4 20072]
    R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-8-1 20328]
    R2 Remote Solver for Flow Simulation 2010;Remote Solver for Flow Simulation 2010;c:\program files\solidworks corp\solidworks flow simulation\bincfw\StandAloneSlv.exe [2009-11-23 71464]
    R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2010-6-12 5010288]
    R3 ArcFltr;Arctosa Keyboard;c:\windows\system32\drivers\Arctosa.sys [2010-8-11 16896]
    R3 danewFltr;NewDeathAdder Mouse;c:\windows\system32\drivers\danew.sys [2010-4-25 11136]
    R3 vHidDev;Razer Gaming Device;c:\windows\system32\drivers\vHidDev.sys [2010-4-25 5760]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-4 135664]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-9-8 1684736]
    S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\solidworks corp\solidworks\swscheduler\DTSCoordinatorService.exe [2010-1-20 87336]
    S3 DVDACCSS;DVDACCSS;\??\c:\progra~1\dvdacc~1\dvdax.sys --> c:\progra~1\dvdacc~1\DVDAX.SYS [?]
    S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\test\locals~1\temp\nfm61.tmp --> c:\docume~1\test\locals~1\temp\NFM61.tmp [?]
    S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\garena\safedrv.sys --> c:\program files\garena\safedrv.sys [?]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
    S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
    S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-6-12 16168]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

    =============== Created Last 30 ================

    2010-12-10 11:52:40 -------- d-----w- c:\windows\system32\wbem\Logs
    2010-12-10 09:13:21 -------- d-----w- c:\windows\system32\NtmsData
    2010-12-10 09:12:28 -------- d-----w- c:\docume~1\test\applic~1\Avira
    2010-12-10 09:08:58 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-12-10 09:08:57 -------- d-----w- c:\program files\Avira
    2010-12-10 09:08:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2010-12-09 11:36:07 -------- d-sha-r- C:\cmdcons
    2010-12-09 11:32:23 89088 ----a-w- c:\windows\MBR.exe
    2010-12-08 01:14:04 83249512 ----a-w- c:\program files\common files\windows live\.cache\wlc7B.tmp
    2010-12-05 12:32:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-05 12:32:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-05 12:32:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-05 04:53:03 -------- d-----w- C:\Nexon
    2010-11-25 05:18:08 9728 ----a-w- c:\windows\Wii DriverLoader.exe
    2010-11-25 05:18:08 299008 ----a-w- c:\windows\system32\Projoycpl.dll
    2010-11-25 05:18:08 11904 ----a-w- c:\windows\system32\drivers\Maypro.sys
    2010-11-25 05:18:08 -------- d-----w- c:\program files\Mayflash Wii Classic Controller Box
    2010-11-21 13:38:29 -------- d-----w- c:\docume~1\test\locals~1\applic~1\PunkBuster
    2010-11-21 13:30:50 -------- d-----w- c:\docume~1\test\applic~1\id Software
    2010-11-21 13:30:34 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
    2010-11-21 13:30:25 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
    2010-11-21 13:30:25 2373712 ----a-w- c:\windows\system32\pbsvc.exe
    2010-11-21 13:30:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\id Software
    2010-11-12 09:57:08 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
    2010-11-12 09:54:32 62424 ----a-w- c:\windows\system32\drivers\xusb21.sys
    2010-11-12 09:54:32 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
    2010-11-12 09:54:21 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories

    ==================== Find3M ====================

    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ------w- c:\windows\system32\mfc40u.dll
    2010-09-18 01:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: Hitachi_HDT721010SLA360 rev.ST6OA3AA -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8B282555]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8b2887b0]; MOV EAX, [0x8b28882c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B24EAB8]
    3 CLASSPNP[0xB8108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000073[0x8B2E0F18]
    5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8B2A9940]
    \Driver\atapi[0x8B2DF960] -> IRP_MJ_CREATE -> 0x8B282555
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HDT721010SLA360_________________ST6OA3AA#5&2ea7e938&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8B28239B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 23:13:29.87 ===============
  5. zeromk5

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-05.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/8/2009 2:29:20 PM
    System Uptime: 12/10/2010 10:54:23 PM (1 hours ago)

    Motherboard: ASUSTeK Computer INC. | | P5P43TD PRO
    Processor: Intel Pentium III Xeon processor | LGA775 | 2666/333mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 932 GiB total, 686.197 GiB free.
    D: is CDROM (CDFS)
    E: is CDROM ()
    F: is CDROM ()
    G: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID:
    Description:
    Device ID: HDAUDIO\FUNC_01&VEN_10DE&DEV_0012&SUBSYS_10DE0101&REV_1001\5&1535133C&0&0001
    Manufacturer:
    Name:
    PNP Device ID: HDAUDIO\FUNC_01&VEN_10DE&DEV_0012&SUBSYS_10DE0101&REV_1001\5&1535133C&0&0001
    Service:

    Class GUID:
    Description:
    Device ID: HDAUDIO\FUNC_01&VEN_10DE&DEV_0012&SUBSYS_10DE0101&REV_1001\5&1535133C&0&0101
    Manufacturer:
    Name:
    PNP Device ID: HDAUDIO\FUNC_01&VEN_10DE&DEV_0012&SUBSYS_10DE0101&REV_1001\5&1535133C&0&0101
    Service:

    Class GUID:
    Description:
    Device ID: HDAUDIO\FUNC_01&VEN_10DE&DEV_0012&SUBSYS_10DE0101&REV_1001\5&1535133C&0&0301
    Manufacturer:
    Name:
    PNP Device ID: HDAUDIO\FUNC_01&VEN_10DE&DEV_0012&SUBSYS_10DE0101&REV_1001\5&1535133C&0&0301
    Service:

    ==== System Restore Points ===================

    RP1: 12/10/2010 10:55:25 PM - System Checkpoint

    ==== Installed Programs ======================

    µTorrent
    82TV
    Adobe AIR
    Adobe Anchor Service CS4
    Adobe Bridge CS4
    Adobe CMaps CS4
    Adobe Color - Photoshop Specific CS4
    Adobe Color EU Extra Settings CS4
    Adobe Color EU Recommended Settings CS4
    Adobe Color JA Extra Settings CS4
    Adobe Color NA Extra Settings CS4
    Adobe Color NA Recommended Settings CS4
    Adobe Color Video Profiles CS CS4
    Adobe Community Help
    Adobe CSI CS4
    Adobe Default Language CS4
    Adobe Device Central CS4
    Adobe Drive CS4
    Adobe Dynamiclink Support
    Adobe ExtendScript Toolkit CS4
    Adobe Extension Manager CS4
    Adobe Flash CS4
    Adobe Flash CS4 Extension - Flash Lite STI en
    Adobe Flash CS4 Professional
    Adobe Flash CS4 STI-en
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Illustrator CS4
    Adobe InDesign CS5
    Adobe Linguistics CS4
    Adobe Media Encoder CS4
    Adobe Media Encoder CS4 Importer
    Adobe Media Player
    Adobe Output Module
    Adobe PDF Library Files CS4
    Adobe Photoshop CS4
    Adobe Photoshop CS4 Support
    Adobe Reader 9.4.1
    Adobe Search for Help
    Adobe Service Manager Extension
    Adobe Setup
    Adobe Shockwave Player 11.5
    Adobe Type Support CS4
    Adobe Update Manager CS4
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS4
    AdobeColorCommonSetCMYK
    AdobeColorCommonSetRGB
    Akamai NetSession Interface
    Amazon MP3 Downloader 1.0.10
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Ask Toolbar
    Atheros Communications Inc.(R) AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
    Avira AntiVir Personal - Free Antivirus
    AviSynth 2.5
    BattleMoonWars銀 第四部
    Bonjour
    Brother MFL-Pro Suite
    BurnInTest v5.3 Pro
    Camtasia Studio 6
    Cheat Engine 5.5
    Cheat Engine 5.6
    Connect
    Continuum 0.40
    Counter-Strike: Source
    CPUID CPU-Z 1.55
    CPUID HWMonitor 1.16
    Death Rally for Windows
    Definition update for Microsoft Office 2010 (KB982726)
    DivX Converter
    DivX Plus DirectShow Filters
    DivX Setup
    DivX Version Checker
    EPSON Printer Software
    EPU-4 Engine
    Facebook Plug-In
    FlashGet 1.9.6.1073
    Fraps (remove only)
    Garena
    GGPO
    GOM Player
    Google Chrome
    Google Earth
    Google Update Helper
    HackTheStack
    Half-Life(R) 2
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    iTunes
    Java(TM) 6 Update 16
    JMicron JMB36X Driver
    kuler
    League of Legends
    M3 SAKURA V1.46 Global (GAME PATCH V4.7g)
    Malwarebytes' Anti-Malware
    MapleStory
    Mayflash Wii Classic Controller Box
    Messenger Plus! Live
    Messenger_Plus_Live_Australia Toolbar
    Metal Gear Solid
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft AppLocale
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft IntelliPoint 6.2
    Microsoft IntelliType Pro 6.2
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2003 Web Components
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional Plus 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Software Update for Web Folders (English) 14
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft Visual Studio 2005 Tools for Applications - ENU
    Microsoft Windows Application Compatibility Database
    Microsoft Xbox 360 Accessories 1.2
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    Mozilla Firefox (3.6.12)
    MPEG2 Codec(libmpeg2/mad)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    Nexon Game Manager
    NVIDIA Drivers
    NVIDIA PhysX
    Octoshape Streaming Services
    PDF Settings CS4
    PDF Settings CS5
    Photoshop Camera Raw
    PhotoView 360
    Pixel Bender Toolkit
    Poker Night at the Inventory
    Portal
    PowerISO
    Project64 1.6
    PunkBuster Services
    Quake
    Quake II
    Quake Live Mozilla Plugin
    QuickSFV (Remove only)
    QuickTime
    Razer Arctosa
    Razer DeathAdder(TM) Mouse
    Realtek High Definition Audio Driver
    SDFormatter
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB2183461)
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Segoe UI
    SolidWorks 2010 SP02.1
    SolidWorks eDrawings 2010
    SolidWorks Flow Simulation 2010 SP02.1
    Source SDK Base 2006
    Spelling Dictionaries Support For Adobe Reader 9
    StarCraft II
    Steam
    Suite Shared Configuration CS4
    Switch Sound File Converter
    Team Fortress 2
    The Ultimate DOOM
    Trickster Online
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    USB GAME PAD
    VC80CRTRedist - 8.0.50727.4053
    Ventrilo Client
    Veoh Web Player
    Videora iPod Converter 6
    VLC media player 1.0.3
    VoiceOver Kit
    Vuze
    Wacom Tablet
    Warkeys 1.14.1.0b
    WebFldrs XP
    WebTablet IE Plugin
    WebTablet Netscape Plugin
    Windows Driver Package - Cypress (CYUSB) USB (06/05/2009 3.4.1.20)
    Windows Driver Package - Razer (HidUsb) HIDClass (01/11/2007 1.0)
    Windows Driver Package - Razer (HidUsb) HIDClass (02/02/2007 1.0.5.0)
    Windows Driver Package - Razer (HidUsb) HIDClass (04/04/2009 1.0.5.0)
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver
    Wolfenstein 3D
    XH5222 DSE USB 1.3MP Camera
    YouTube Downloader App 3.00

    ==== Event Viewer Messages From Past Week ========

    12/9/2010 10:26:06 PM, error: NetBT [4311] - Initialization failed because the driver device could not be created.
    12/9/2010 1:22:20 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    12/9/2010 1:22:20 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/8/2010 9:52:40 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    12/8/2010 9:11:40 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
    12/8/2010 8:18:59 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    12/8/2010 10:25:17 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\spoolsv.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.6024.
    12/5/2010 3:27:16 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    12/5/2010 11:29:14 PM, error: Service Control Manager [7034] - The PnkBstrA service terminated unexpectedly. It has done this 1 time(s).
    12/3/2010 1:19:15 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    12/10/2010 12:22:58 PM, error: Service Control Manager [7001] - The Computer Browser service depends on the Workstation service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    12/10/2010 10:55:08 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000034' while processing the file '_filelst.cfg' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

    ==== End Of File ===========================
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! I'll help with the rootkit malware infection. I don't know what all the duplicate posts were about, but I need your patience while I'm helping you. I will get you started- your post is only 3 hours old- then I will leave to help others. After I'm notified of your next reply, I'll get back to you as soon as I can.
    ======================================
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe. to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ======================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ======================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry. If you are using any file sharing programs, either uninstall them or disable them while I'm helping you.
  7. zeromk5

    zeromk5 Newcomer, in training Topic Starter

    I'm sorry, but when you say to Quarantine the detected objects in the fifth step of running TDSSKiller, do you mean to "Copy to quarantine"? Just want to absolutely make sure because doing so didn't seem to prompt me to reboot the system. Anyway, I have restarted the system and will move onto the next steps.
  8. zeromk5

    zeromk5 Newcomer, in training Topic Starter

    By the way, I am sorry for the late reply, I had made this thread late last night so I had gotten sleepy by midnight.

    I should also mention, Firefox will not run at all, no matter what I do, neither does Google Chrome. I don't mind switching to Internet Explorer, but if the same thing will eventually happen to this browser as well, then I'm worried.
  9. zeromk5

    zeromk5 Newcomer, in training Topic Starter

    I'm sorry again, I'm replying too many times. However, the scans are complete and I now have the logs. First the ESET log and then the one from ComboFix.

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=7.00.6000.17091 (vista_gdr.100824-1500)
    # OnlineScanner.ocx=1.0.0.6415
    # api_version=3.0.2
    # EOSSerial=2928a1989672b5448d32d87e3e7eb2f0
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-12-11 09:47:55
    # local_time=2010-12-11 08:47:55 (+1000, AUS Eastern Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1797 16775141 100 93 0 27791244 45558 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=179471
    # found=9
    # cleaned=0
    # scan_time=3401
    C:\Documents and Settings\Test\Application Data\OpenCandy\33CFA7345F3E43138A948373453D2158\registrybooster(3).exe a variant of Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0003.dta a variant of Win32/Olmarik.ADZ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0005.dta Win32/Olmarik.AFK trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0006.dta Win64/Olmarik.G trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0007.dta Win64/Olmarik.A trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0003.dta a variant of Win32/Olmarik.ADZ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0005.dta Win32/Olmarik.AFK trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0006.dta Win64/Olmarik.G trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0007.dta Win64/Olmarik.A trojan (unable to clean) 00000000000000000000000000000000 I
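As an added illustration (not part of the thread, and not ESET's or TDSSKiller's own code), a small Python triage script for the ESET Online Scanner log format posted above: it parses the "# key=value" header and the detection lines, checks that the header's found count matches the number of detection lines, flags that remediation was disabled (remove_checked=false, consistent with cleaned=0), and separates hits inside the TDSSKiller quarantine folder from hits on the live file system. The sample log is a constructed, shortened copy of the one in the post, and the quarantine prefix is assumed from the helper's instructions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: a shortened copy of the ESET Online Scanner log pasted in the
# post above ("# key=value" header lines, then one line per detection). The "found"
# value was set to 4 to match the four detection lines kept here.
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# remove_checked=false
# compatibility_mode=1797 16775141 100 93 0 27791244 45558 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# found=4
# cleaned=0
C:\Documents and Settings\Test\Application Data\OpenCandy\33CFA7345F3E43138A948373453D2158\registrybooster(3).exe a variant of Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0003.dta a variant of Win32/Olmarik.ADZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0005.dta Win32/Olmarik.AFK trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0006.dta Win64/Olmarik.G trojan (unable to clean) 00000000000000000000000000000000 I
"""

HEADER_RE = re.compile(r"^# (?P<key>[A-Za-z_]+)=(?P<value>.*)$")

# Detection line: <path with spaces> <threat name> (<status>) <32 hex digits> <flag>.
# The path is matched lazily and the threat name is anchored on the "Family/Variant"
# token ESET uses, so the spaces in "Documents and Settings" do not split the path.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) "
    r"(?P<threat>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+(?: [a-z]+)*) "
    r"\((?P<status>[^)]*)\) "
    r"(?P<digest>[0-9A-Fa-f]{32}) "
    r"(?P<flag>\S+)$"
)

# Folders whose contents are already isolated; hits in them are not live infections.
# Assumed from the quarantine location the helper's TDSSKiller step describes.
QUARANTINE_PREFIXES: Tuple[str, ...] = ("c:\\tdsskiller_quarantine\\",)


@dataclass
class Detection:
    path: str
    threat: str
    status: str   # text inside the parentheses, e.g. "unable to clean"
    digest: str   # hex field ESET prints after the status
    flag: str     # trailing marker, "I" in the posted log


@dataclass
class EsetReport:
    header: Dict[str, str] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)
    unparsed: List[str] = field(default_factory=list)


def parse_eset_log(text: str) -> EsetReport:
    """Split an ESET Online Scanner log into header fields and detection records."""
    report = EsetReport()
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := HEADER_RE.match(line):
            # A repeated key (compatibility_mode appears twice) keeps its last value.
            report.header[m["key"]] = m["value"]
        elif m := DETECTION_RE.match(line):
            report.detections.append(
                Detection(*m.group("path", "threat", "status", "digest", "flag")))
        else:
            report.unparsed.append(line)  # banner lines such as the "registred OK" line
    return report


def triage(report: EsetReport,
           quarantine_prefixes: Tuple[str, ...] = QUARANTINE_PREFIXES) -> dict:
    """Cross-check the header against the detection lines and separate hits inside
    a quarantine folder from hits on the live file system."""
    in_quarantine = lambda d: d.path.lower().startswith(quarantine_prefixes)
    quarantined = [d for d in report.detections if in_quarantine(d)]
    live = [d for d in report.detections if not in_quarantine(d)]
    hdr = report.header
    return {
        # found= should equal the number of detection lines; a mismatch means lines
        # were lost when the log was copied into the post.
        "counts_consistent": int(hdr.get("found", "0")) == len(report.detections),
        # remove_checked=false is the "Remove found threats" box left unchecked,
        # consistent with cleaned=0 and every line reading "unable to clean".
        "remediation_disabled": hdr.get("remove_checked") == "false",
        "cleaned": int(hdr.get("cleaned", "0")),
        "quarantined": quarantined,
        "live": live,
    }


if __name__ == "__main__":
    summary = triage(parse_eset_log(SAMPLE_LOG))
    print("counts agree:", summary["counts_consistent"],
          "| remediation disabled:", summary["remediation_disabled"])
    for label in ("live", "quarantined"):
        for det in summary[label]:
            print(f"{label.upper():11} {det.threat} -> {det.path}")
```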
  10. zeromk5

    zeromk5 Newcomer, in training Topic Starter

    ComboFix 10-12-09.08 - Test 12/11/2010 20:55:02.4.4 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2556 [GMT 11:00]
    Running from: c:\documents and settings\Test\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((( Files Created from 2010-11-11 to 2010-12-11 )))))))))))))))))))))))))))))))
    .

    2010-12-11 08:42 . 2010-12-11 08:42 -------- d-----w- c:\program files\ESET
    2010-12-11 08:15 . 2010-12-11 08:15 -------- d-----w- C:\TDSSKiller_Quarantine
    2010-12-10 11:52 . 2010-12-10 11:59 -------- d-----w- c:\windows\system32\wbem\Logs
    2010-12-10 09:13 . 2010-12-10 09:27 -------- d-----w- c:\windows\system32\NtmsData
    2010-12-10 09:12 . 2010-12-10 09:12 -------- d-----w- c:\documents and settings\Test\Application Data\Avira
    2010-12-10 09:08 . 2010-11-30 07:48 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-12-10 09:08 . 2010-11-30 07:13 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-12-10 09:08 . 2010-06-17 03:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-12-10 09:08 . 2010-06-17 03:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-12-10 09:08 . 2010-12-10 09:08 -------- d-----w- c:\program files\Avira
    2010-12-10 09:08 . 2010-12-10 09:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-12-09 02:22 . 2010-12-09 02:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-12-08 01:14 . 2010-12-08 01:14 83249512 ----a-w- c:\program files\Common Files\Windows Live\.cache\wlc7B.tmp
    2010-12-05 12:32 . 2010-11-29 06:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-05 12:32 . 2010-12-05 12:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-05 12:32 . 2010-11-29 06:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-05 04:53 . 2010-12-05 04:53 -------- d-----w- C:\Nexon
    2010-11-25 05:18 . 2010-11-25 05:18 -------- d-----w- c:\program files\Mayflash Wii Classic Controller Box
    2010-11-25 05:18 . 2009-12-10 09:54 11904 ----a-w- c:\windows\system32\drivers\Maypro.sys
    2010-11-25 05:18 . 2009-12-08 11:04 299008 ----a-w- c:\windows\system32\Projoycpl.dll
    2010-11-25 05:18 . 2009-12-07 11:02 9728 ----a-w- c:\windows\Wii DriverLoader.exe
    2010-11-21 13:38 . 2010-11-21 13:38 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\PunkBuster
    2010-11-21 13:30 . 2010-11-21 13:30 -------- d-----w- c:\documents and settings\Test\Application Data\id Software
    2010-11-21 13:30 . 2010-11-21 13:30 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
    2010-11-21 13:30 . 2010-11-21 13:30 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
    2010-11-21 13:30 . 2010-11-21 13:30 2373712 ----a-w- c:\windows\system32\pbsvc.exe
    2010-11-21 13:30 . 2010-11-21 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software
    2010-11-12 09:57 . 2008-03-21 02:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
    2010-11-12 09:54 . 2009-09-10 01:24 62424 ----a-w- c:\windows\system32\drivers\xusb21.sys
    2010-11-12 09:54 . 2009-08-14 05:40 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
    2010-11-12 09:54 . 2010-11-12 09:54 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2004-08-04 12:00 953856 ------w- c:\windows\system32\mfc40u.dll
    2010-09-18 01:23 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    .

    ((((((((((((((((((((((((((((( SnapShot_2010-12-09_11.54.07 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-12-11 08:20 . 2010-12-11 08:20 16384 c:\windows\Temp\Perflib_Perfdata_734.dat
    + 2010-12-11 08:20 . 2010-12-11 08:20 16384 c:\windows\Temp\Perflib_Perfdata_2e8.dat
    - 2010-06-16 03:35 . 2010-12-07 08:55 15019 c:\windows\system32\Wacom_Tablet.dat
    + 2010-06-16 03:35 . 2010-12-10 07:58 15019 c:\windows\system32\Wacom_Tablet.dat
    + 2004-08-04 12:00 . 2010-12-11 08:24 68360 c:\windows\system32\perfc009.dat
    - 2004-08-04 12:00 . 2010-12-09 11:46 68360 c:\windows\system32\perfc009.dat
    + 2010-12-10 09:08 . 2010-06-17 03:27 28520 c:\windows\system32\drivers\ssmdrv.sys
    - 2004-08-04 12:00 . 2010-12-09 11:46 435590 c:\windows\system32\perfh009.dat
    + 2004-08-04 12:00 . 2010-12-11 08:24 435590 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{ea0969b3-6e12-4ac0-b6c9-148e81247954}"= "c:\program files\Messenger_Plus_Live_Australia\tbMes1.dll" [2010-07-12 2515552]

    [HKEY_CLASSES_ROOT\clsid\{ea0969b3-6e12-4ac0-b6c9-148e81247954}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2010-05-26 05:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ea0969b3-6e12-4ac0-b6c9-148e81247954}]
    2010-07-12 04:08 2515552 ----a-w- c:\program files\Messenger_Plus_Live_Australia\tbMes1.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{ea0969b3-6e12-4ac0-b6c9-148e81247954}"= "c:\program files\Messenger_Plus_Live_Australia\tbMes1.dll" [2010-07-12 2515552]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

    [HKEY_CLASSES_ROOT\clsid\{ea0969b3-6e12-4ac0-b6c9-148e81247954}]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{EA0969B3-6E12-4AC0-B6C9-148E81247954}"= "c:\program files\Messenger_Plus_Live_Australia\tbMes1.dll" [2010-07-12 2515552]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

    [HKEY_CLASSES_ROOT\clsid\{ea0969b3-6e12-4ac0-b6c9-148e81247954}]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "bluebirds"="c:\documents and settings\Test\Bluebirds\BlueBirds.exe" [2009-04-29 270336]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2009-03-27 17567744]
    "Six Engine"="c:\program files\ASUS\EPU-4 Engine\FourEngine.exe" [2009-05-15 5750272]
    "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-12 69632]
    "BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]
    "ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-10 149280]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-12-20 611712]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-03-14 233472]
    "EPSON Stylus C45 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE" [2004-01-13 99840]
    "snp2std"="c:\windows\vsnp2std.exe" [2006-12-04 675840]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-06-13 110696]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-06-13 13917800]
    "DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2010-05-05 251392]
    "Arctosa"="c:\program files\Razer\Arctosa\razerhid.exe" [2008-10-06 147456]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-23 421160]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-05 500208]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-21 406992]
    "XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-10-01 718688]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-30 281768]

    c:\documents and settings\Test\Start Menu\Programs\Startup\
    Warkeys Update.lnk - c:\program files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe [2009-5-4 244736]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "c:\\Program Files\\FlashGet\\flashget.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Warcraft III\\war3.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Garena\\Garena.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\zeromk5\\team fortress 2\\hl2.exe"=
    "c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
    "c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
    "c:\\Program Files\\GGPO\\ggpo.exe"=
    "c:\\Documents and Settings\\Test\\Local Settings\\Apps\\2.0\\7206VM5L.Z3H\\3P1Z7W00.77Z\\supe..tion_d6c7c0f5010e61b8_0001.0000_4482eb9aaee5b72a\\SupercadeClient.exe"=
    "c:\\Program Files\\Valve\\Steam\\Steam.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\zeromk5\\team fortress 2 meet the scout\\smp.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\zeromk5\\team fortress 2 meet the spy\\smp.exe"=
    "c:\\Documents and Settings\\Test\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\common\\quake\\Winquake.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\common\\quake\\qwcl.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\common\\quake\\Glquake.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\common\\quake\\glqwcl.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\common\\quake 2\\quake2.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\common\\poker night at the inventory\\CelebrityPoker.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4
    "8376:TCP"= 8376:TCP:League of Legends Launcher
    "8376:UDP"= 8376:UDP:League of Legends Launcher
    "8377:TCP"= 8377:TCP:League of Legends Launcher
    "8377:UDP"= 8377:UDP:League of Legends Launcher
    "1039:TCP"= 1039:TCP:Akamai NetSession Interface
    "5000:UDP"= 5000:UDP:Akamai NetSession Interface

    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 11:00 PM 14336]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/10/2010 8:08 PM 135336]
    R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [8/4/2010 11:48 PM 20072]
    R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [8/1/2010 3:13 AM 20328]
    R2 Remote Solver for Flow Simulation 2010;Remote Solver for Flow Simulation 2010;c:\program files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe [11/23/2009 8:48 PM 71464]
    R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [6/12/2010 7:14 PM 5010288]
    R3 ArcFltr;Arctosa Keyboard;c:\windows\system32\drivers\Arctosa.sys [8/11/2010 9:58 PM 16896]
    R3 danewFltr;NewDeathAdder Mouse;c:\windows\system32\drivers\danew.sys [4/25/2010 5:39 PM 11136]
    R3 vHidDev;Razer Gaming Device;c:\windows\system32\drivers\vHidDev.sys [4/25/2010 5:39 PM 5760]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/4/2009 6:11 PM 135664]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/8/2009 3:54 PM 1684736]
    S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [1/20/2010 1:59 AM 87336]
    S3 DVDACCSS;DVDACCSS;\??\c:\progra~1\DVDACC~1\DVDAX.SYS --> c:\progra~1\DVDACC~1\DVDAX.SYS [?]
    S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Test\LOCALS~1\Temp\NFM61.tmp --> c:\docume~1\Test\LOCALS~1\Temp\NFM61.tmp [?]
    S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena\safedrv.sys --> c:\program files\Garena\safedrv.sys [?]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [1/21/2010 5:51 PM 30963576]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
    S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
    S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [6/12/2010 6:37 PM 16168]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 8:01 AM 2799808]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - klmd25

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-10 c:\windows\Tasks\AdobeAAMUpdater-1.0-TEST-8DA2FE6C8B-Test.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-09 16:44]

    2010-12-07 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 01:34]

    2010-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-04 07:11]

    2010-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-04 07:11]

    2010-12-11 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2010-05-26 05:23]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
    IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    FF - ProfilePath - c:\documents and settings\Test\Application Data\Mozilla\Firefox\Profiles\91f8333l.default\
    FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
    FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
    FF - plugin: c:\documents and settings\Test\Application Data\Facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\Test\Application Data\Mozilla\plugins\npoctoshape.dll
    FF - plugin: c:\progra~1\MI1933~1\Office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\MI1933~1\Office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\TabletPlugins\npwacom.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Extension: Flash Video Downloader - Youtube Downloader: artur.dubovoy@gmail.com - c:\documents and settings\Test\Application Data\Mozilla\Firefox\Profiles\91f8333l.default\extensions\artur.dubovoy@gmail.com
    FF - Extension: Personas: personas@christopher.beard - c:\documents and settings\Test\Application Data\Mozilla\Firefox\Profiles\91f8333l.default\extensions\personas@christopher.beard
    FF - Extension: Veoh Video Compass: searchrecs@veoh.com - c:\documents and settings\Test\Application Data\Mozilla\Firefox\Profiles\91f8333l.default\extensions\searchrecs@veoh.com
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-11 20:59
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
    "ImagePath"="\??\c:\docume~1\Test\LOCALS~1\Temp\NFM61.tmp"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(784)
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

    - - - - - - - > 'explorer.exe'(2296)
    c:\windows\system32\WININET.dll
    c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
    c:\progra~1\MI1933~1\Office14\1033\GrooveIntlResource.dll
    c:\windows\system32\ieframe.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-12-11 21:00:36
    ComboFix-quarantined-files.txt 2010-12-11 10:00
    ComboFix2.txt 2010-12-10 08:37
    ComboFix3.txt 2010-12-09 11:57
    ComboFix4.txt 2009-10-06 10:36

    Pre-Run: 736,450,699,264 bytes free
    Post-Run: 736,577,126,400 bytes free

    - - End Of File - - 806B384599923122A3ABD635798D9C83
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Regarding the use of Quarantine/remove/delete:
    TDSSKiller:
      • The utility automatically selects an action (Cure or Delete) for malicious objects.
      • The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
      • Select the action Quarantine to quarantine detected objects.
      • The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43

    Regarding the Eset scan:
      • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
      • Click Start
      • Click Scan
      =============================================
      Please download OTMoveIt by Old Timer and save to your desktop.
      • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
      • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
        Code:
        :Processes	
        :Files  
        C:\Documents and Settings\Test\Application Data\OpenCandy\33CFA7345F3E43138A948373453D2158\registrybooster(3).exe 
        C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0003.dta 
        C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0005.dta 
        C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0006.dta 
        C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0007.dta 
        C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0003.dta 
        C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0005.dta 
        C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0006.dta 
        C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0007.dta 
        :Commands
        [purity]
        [emptytemp]
        [start explorer]
        [Reboot]
      • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
      • Click the red Moveit! button.
      • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
      • Close OTMoveIt3
      If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

      An example: each of the entries above showed (unable to clean) as in:
      C:\Documents and Settings\Test\Application Data\OpenCandy\33CFA7345F3E43138A948373453D2158\registrybooster(3).exe

      The line I was referring to in the instructions says:
      Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked. So it shouldn't say 'unable to clean' if you didn't check the line and ask it to clean!
      ===============================================
     
  12. zeromk5

    zeromk5 Newcomer, in training Topic Starter

    Thanks again for the reply. Here's the log.


    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    C:\Documents and Settings\Test\Application Data\OpenCandy\33CFA7345F3E43138A948373453D2158\registrybooster(3).exe moved successfully.
    C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0003.dta moved successfully.
    C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0005.dta moved successfully.
    C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0006.dta moved successfully.
    C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0007.dta moved successfully.
    C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0003.dta moved successfully.
    C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0005.dta moved successfully.
    C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0006.dta moved successfully.
    C:\TDSSKiller_Quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0007.dta moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 786499 bytes
    ->Flash cache emptied: 965 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 2217 bytes

    User: Test
    ->Temp folder emptied: 671185 bytes
    ->Temporary Internet Files folder emptied: 302357964 bytes
    ->FireFox cache emptied: 118420060 bytes
    ->Google Chrome cache emptied: 8752866 bytes
    ->Flash cache emptied: 18189 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 3127829 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 16798 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 414.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 12122010_163019

    Files moved on Reboot...
    File C:\WINDOWS\temp\Perflib_Perfdata_2f4.dat not found!

    Registry entries deleted on Reboot...
  13. zeromk5

    zeromk5 Newcomer, in training Topic Starter

    I think I should also mention, Firefox seems to work fine again, and I haven't run into any of the problems I mentioned in my very first post, such as the webhp redirection, or the generic host processes error. Is it all truly fixed?
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: [Be sure to scroll down to include ALL lines.]
    Code:
    File::
    c:\program files\Common Files\Windows Live\.cache\wlc7B.tmp
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    c:\progra~1\DVDACC~1\DVDAX.SYS
    c:\program files\Garena\safedrv.sys
    Folder::
    C:\TDSSKiller_Quarantine
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=-
    "c:\\Program Files\\Vuze\\Azureus.exe"=--
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
    "ImagePath"=--
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"=-
    Driver::
    DVDACCSS=-
    GarenaPEngine
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ===============================================================
    Please go to Add/Remove Programs in the Control Panel and remove any entry for Askbar, Ask.com.
    Go to Startup and take the same entries off.
    Use Windows explorer> My Computer> Local Drive> Programs> right click> Delete on any "Ask" folders.

    You are doing a great deal of file sharing. As long as you continue to do that, you will get malware.

    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
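
    The CFScript above removes three of the entries from the Drivers/Services section of the earlier ComboFix log (GarenaPEngine, DVDACCSS and the npggsvc ImagePath). As an added example that is not part of this thread and is not ComboFix's own code, the Python below parses lines in the layout ComboFix prints for that section and applies the checks a helper applies by eye: does the image file exist on disk, and does it live under a user's Temp directory, carry a .tmp file name, or sit inside the user profile at all. The sample lines are copied from the logs posted in this thread; the flag names and the heuristics are my own assumptions, not ComboFix output.

```python
"""Triage the Drivers/Services section of a ComboFix log.

Each line has the layout
    <start> <name>;<display name>;<image path> [<date> <size>]
or, when ComboFix could not read the file on disk,
    <start> <name>;<display name>;\\??\\<path> --> <path> [?]
    <start> <name>;<display name>; [x]
The flags below are the questions a helper asks of such an entry: does the
file exist, and does it live somewhere a driver or service has no business
being (a user's Temp directory, a .tmp file name, the user profile)?
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, copied from the entries that appear in the logs above.
SAMPLE_LOG = r"""
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 11:00 PM 14336]
R3 ArcFltr;Arctosa Keyboard;c:\windows\system32\drivers\Arctosa.sys [8/11/2010 9:58 PM 16896]
S3 DVDACCSS;DVDACCSS;\??\c:\progra~1\DVDACC~1\DVDAX.SYS --> c:\progra~1\DVDACC~1\DVDAX.SYS [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Test\LOCALS~1\Temp\NFM61.tmp --> c:\docume~1\Test\LOCALS~1\Temp\NFM61.tmp [?]
S3 npggsvc;nProtect GameGuard Service; [x]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 8:01 AM 2799808]
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")


@dataclass
class ServiceEntry:
    start_type: str          # R = running, S = stopped; the digit is the Windows start value
    name: str
    display: str
    image_path: str          # command line as registered; "" when ComboFix printed [x]
    file_present: bool       # False for the [?] and [x] forms
    size_bytes: Optional[int]
    flags: List[str] = field(default_factory=list)


def _split_rest(rest: str):
    """Return (image_path, file_present, size_bytes) from the text after the second ';'."""
    rest = rest.strip()
    if rest.endswith("[?]") or rest.endswith("[x]"):
        body = rest[:-3].strip()
        if "-->" in body:                     # keep the resolved path after the arrow
            body = body.split("-->", 1)[1].strip()
        return body, False, None
    if " [" in rest and rest.endswith("]"):
        cut = rest.rfind(" [")
        size = rest[cut + 2:-1].split()[-1]   # last token inside the brackets is the size
        return rest[:cut].strip(), True, int(size)
    return rest, True, None


def triage(image_path: str, file_present: bool) -> List[str]:
    """Heuristic flags (my own names) a helper would raise on one service/driver entry."""
    p = image_path.lower()
    flags = []
    if not file_present:
        flags.append("file-not-found" if p else "no-image-path")
    if "\\temp\\" in p:
        flags.append("temp-directory")
    if p.endswith(".tmp"):
        flags.append("tmp-extension")
    if "\\docume~1\\" in p or "\\documents and settings\\" in p:
        flags.append("user-profile")
    return flags


def parse_log(lines) -> List[ServiceEntry]:
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path, present, size = _split_rest(m.group("rest"))
        entries.append(ServiceEntry(m.group("start"), m.group("name"), m.group("display"),
                                    path, present, size, triage(path, present)))
    return entries


def suspicious(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in suspicious(parse_log(SAMPLE_LOG)):
        print(f"{e.start_type} {e.name:<16} {', '.join(e.flags):<55} {e.image_path}")
```

    Run as a script it prints the three flagged entries. DVDACCSS is flagged only because ComboFix could not find the driver file, and npggsvc because it has no image path left at all (the CFScript above clears it); both are stale registrations. GarenaPEngine trips every check, a kernel driver registered from a .tmp file in the user's Temp folder, which is what made removing its service worthwhile.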
  15. zeromk5

    zeromk5 Newcomer, in training Topic Starter

    Thanks again, here is the log obtained from ComboFix



    ComboFix 10-12-12.03 - Test 12/13/2010 19:58:15.5.4 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2734 [GMT 11:00]
    Running from: c:\documents and settings\Test\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Test\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

    FILE ::
    "c:\\Program Files\\Vuze\\Azureus.exe="
    "c:\progra~1\DVDACC~1\DVDAX.SYS"
    "c:\program files\Common Files\Windows Live\.cache\wlc7B.tmp"
    "c:\program files\Garena\safedrv.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Common Files\Windows Live\.cache\wlc7B.tmp
    C:\TDSSKiller_Quarantine
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\mbr0000\object.ini
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\mbr0000\tsk0000.dta
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\mbr0000\tsk0000.ini
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\object.ini
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\object.ini
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0000.dta
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0000.ini
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0001.dta
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0001.ini
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0002.dta
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0002.ini
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0003.ini
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0004.dta
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0004.ini
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0005.ini
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0006.ini
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0000\tdlfs0000\tsk0007.ini
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\mbr0000\object.ini
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\mbr0000\tsk0000.dta
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\mbr0000\tsk0000.ini
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\object.ini
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\object.ini
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0000.dta
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0000.ini
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0001.dta
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0001.ini
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0002.dta
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0002.ini
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0003.ini
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0004.dta
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0004.ini
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0005.ini
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0006.ini
    c:\tdsskiller_quarantine\11.12.2010_19.14.36\boot0001\tdlfs0000\tsk0007.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_GARENAPENGINE
    -------\Service_GarenaPEngine


    ((((((((((((((((((((((((( Files Created from 2010-11-13 to 2010-12-13 )))))))))))))))))))))))))))))))
    .

    2010-12-12 08:09 . 2010-12-12 08:09 -------- d-----w- c:\windows\system32\QuickTime
    2010-12-12 08:09 . 2010-12-12 08:09 -------- d-----w- c:\program files\Common Files\TechSmith Shared
    2010-12-12 08:09 . 2010-12-12 08:09 -------- d-----w- c:\program files\TechSmith
    2010-12-12 05:30 . 2010-12-12 05:30 -------- d-----w- C:\_OTM
    2010-12-11 08:42 . 2010-12-11 08:42 -------- d-----w- c:\program files\ESET
    2010-12-10 11:52 . 2010-12-12 08:07 -------- d-----w- c:\windows\system32\wbem\Logs
    2010-12-10 09:13 . 2010-12-10 09:27 -------- d-----w- c:\windows\system32\NtmsData
    2010-12-10 09:12 . 2010-12-10 09:12 -------- d-----w- c:\documents and settings\Test\Application Data\Avira
    2010-12-10 09:08 . 2010-11-30 07:48 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-12-10 09:08 . 2010-11-30 07:13 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-12-10 09:08 . 2010-06-17 03:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-12-10 09:08 . 2010-06-17 03:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-12-10 09:08 . 2010-12-10 09:08 -------- d-----w- c:\program files\Avira
    2010-12-10 09:08 . 2010-12-10 09:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-12-09 02:22 . 2010-12-09 02:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-12-05 12:32 . 2010-11-29 06:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-05 12:32 . 2010-12-05 12:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-05 12:32 . 2010-11-29 06:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-05 04:53 . 2010-12-05 04:53 -------- d-----w- C:\Nexon
    2010-11-25 05:18 . 2010-11-25 05:18 -------- d-----w- c:\program files\Mayflash Wii Classic Controller Box
    2010-11-25 05:18 . 2009-12-10 09:54 11904 ----a-w- c:\windows\system32\drivers\Maypro.sys
    2010-11-25 05:18 . 2009-12-08 11:04 299008 ----a-w- c:\windows\system32\Projoycpl.dll
    2010-11-25 05:18 . 2009-12-07 11:02 9728 ----a-w- c:\windows\Wii DriverLoader.exe
    2010-11-21 13:38 . 2010-11-21 13:38 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\PunkBuster
    2010-11-21 13:30 . 2010-11-21 13:30 -------- d-----w- c:\documents and settings\Test\Application Data\id Software
    2010-11-21 13:30 . 2010-11-21 13:30 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
    2010-11-21 13:30 . 2010-11-21 13:30 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
    2010-11-21 13:30 . 2010-11-21 13:30 2373712 ----a-w- c:\windows\system32\pbsvc.exe
    2010-11-21 13:30 . 2010-11-21 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2004-08-04 12:00 953856 ------w- c:\windows\system32\mfc40u.dll
    2010-09-18 01:23 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
    .

    ((((((((((((((((((((((((((((( SnapShot_2010-12-09_11.54.07 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-12-13 09:05 . 2010-12-13 09:05 16384 c:\windows\Temp\Perflib_Perfdata_5e8.dat
    + 2010-12-13 09:05 . 2010-12-13 09:05 16384 c:\windows\Temp\Perflib_Perfdata_100.dat
    + 2010-06-16 03:35 . 2010-12-10 07:58 15019 c:\windows\system32\Wacom_Tablet.dat
    - 2010-06-16 03:35 . 2010-12-07 08:55 15019 c:\windows\system32\Wacom_Tablet.dat
    - 2004-08-04 12:00 . 2010-12-09 11:46 68360 c:\windows\system32\perfc009.dat
    + 2004-08-04 12:00 . 2010-12-13 08:36 68360 c:\windows\system32\perfc009.dat
    + 2010-12-10 09:08 . 2010-06-17 03:27 28520 c:\windows\system32\drivers\ssmdrv.sys
    + 2010-07-19 04:33 . 2010-07-19 04:33 594944 c:\windows\system32\tsccvid.dll
    - 2004-08-04 12:00 . 2010-12-09 11:46 435590 c:\windows\system32\perfh009.dat
    + 2004-08-04 12:00 . 2010-12-13 08:36 435590 c:\windows\system32\perfh009.dat
    + 2010-12-12 08:09 . 2010-12-12 08:09 680448 c:\windows\Installer\{49471DB8-7F3C-42DB-89C2-AC50FA0C5290}\IconEF5C48881.exe
    + 2001-09-05 10:00 . 2001-09-05 10:00 1700352 c:\windows\system32\gdiplus.dll
    - 2001-09-05 11:00 . 2001-09-05 11:00 1700352 c:\windows\system32\gdiplus.dll
    + 2010-12-12 08:09 . 2010-12-12 08:09 17410048 c:\windows\Installer\8d8f1e.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{ea0969b3-6e12-4ac0-b6c9-148e81247954}"= "c:\program files\Messenger_Plus_Live_Australia\tbMes1.dll" [2010-07-12 2515552]

    [HKEY_CLASSES_ROOT\clsid\{ea0969b3-6e12-4ac0-b6c9-148e81247954}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2010-05-26 05:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ea0969b3-6e12-4ac0-b6c9-148e81247954}]
    2010-07-12 04:08 2515552 ----a-w- c:\program files\Messenger_Plus_Live_Australia\tbMes1.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{ea0969b3-6e12-4ac0-b6c9-148e81247954}"= "c:\program files\Messenger_Plus_Live_Australia\tbMes1.dll" [2010-07-12 2515552]

    [HKEY_CLASSES_ROOT\clsid\{ea0969b3-6e12-4ac0-b6c9-148e81247954}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{EA0969B3-6E12-4AC0-B6C9-148E81247954}"= "c:\program files\Messenger_Plus_Live_Australia\tbMes1.dll" [2010-07-12 2515552]

    [HKEY_CLASSES_ROOT\clsid\{ea0969b3-6e12-4ac0-b6c9-148e81247954}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "bluebirds"="c:\documents and settings\Test\Bluebirds\BlueBirds.exe" [2009-04-29 270336]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2009-03-27 17567744]
    "Six Engine"="c:\program files\ASUS\EPU-4 Engine\FourEngine.exe" [2009-05-15 5750272]
    "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-12 69632]
    "BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]
    "ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-10 149280]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-12-20 611712]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-03-14 233472]
    "EPSON Stylus C45 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE" [2004-01-13 99840]
    "snp2std"="c:\windows\vsnp2std.exe" [2006-12-04 675840]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-06-13 110696]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-06-13 13917800]
    "DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2010-05-05 251392]
    "Arctosa"="c:\program files\Razer\Arctosa\razerhid.exe" [2008-10-06 147456]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-23 421160]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-05 500208]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-21 406992]
    "XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-10-01 718688]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-30 281768]

    c:\documents and settings\Test\Start Menu\Programs\Startup\
    Warkeys Update.lnk - c:\program files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe [2009-5-4 244736]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "c:\\Program Files\\FlashGet\\flashget.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Warcraft III\\war3.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Garena\\Garena.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\zeromk5\\team fortress 2\\hl2.exe"=
    "c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
    "c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
    "c:\\Program Files\\GGPO\\ggpo.exe"=
    "c:\\Documents and Settings\\Test\\Local Settings\\Apps\\2.0\\7206VM5L.Z3H\\3P1Z7W00.77Z\\supe..tion_d6c7c0f5010e61b8_0001.0000_4482eb9aaee5b72a\\SupercadeClient.exe"=
    "c:\\Program Files\\Valve\\Steam\\Steam.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\zeromk5\\team fortress 2 meet the scout\\smp.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\zeromk5\\team fortress 2 meet the spy\\smp.exe"=
    "c:\\Documents and Settings\\Test\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\common\\quake\\Winquake.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\common\\quake\\qwcl.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\common\\quake\\Glquake.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\common\\quake\\glqwcl.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\common\\quake 2\\quake2.exe"=
    "c:\\Program Files\\Valve\\Steam\\steamapps\\common\\poker night at the inventory\\CelebrityPoker.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4
    "8376:TCP"= 8376:TCP:League of Legends Launcher
    "8376:UDP"= 8376:UDP:League of Legends Launcher
    "8377:TCP"= 8377:TCP:League of Legends Launcher
    "8377:UDP"= 8377:UDP:League of Legends Launcher
    "1038:TCP"= 1038:TCP:Akamai NetSession Interface
    "5000:UDP"= 5000:UDP:Akamai NetSession Interface

    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 11:00 PM 14336]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/10/2010 8:08 PM 135336]
    R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [8/4/2010 11:48 PM 20072]
    R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [8/1/2010 3:13 AM 20328]
    R2 Remote Solver for Flow Simulation 2010;Remote Solver for Flow Simulation 2010;c:\program files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe [11/23/2009 8:48 PM 71464]
    R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [6/12/2010 7:14 PM 5010288]
    R3 ArcFltr;Arctosa Keyboard;c:\windows\system32\drivers\Arctosa.sys [8/11/2010 9:58 PM 16896]
    R3 danewFltr;NewDeathAdder Mouse;c:\windows\system32\drivers\danew.sys [4/25/2010 5:39 PM 11136]
    R3 vHidDev;Razer Gaming Device;c:\windows\system32\drivers\vHidDev.sys [4/25/2010 5:39 PM 5760]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/4/2009 6:11 PM 135664]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/8/2009 3:54 PM 1684736]
    S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [1/20/2010 1:59 AM 87336]
    S3 DVDACCSS;DVDACCSS;\??\c:\progra~1\DVDACC~1\DVDAX.SYS --> c:\progra~1\DVDACC~1\DVDAX.SYS [?]
    S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena\safedrv.sys --> c:\program files\Garena\safedrv.sys [?]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [1/21/2010 5:51 PM 30963576]
    S3 npggsvc;nProtect GameGuard Service; [x]
    S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
    S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
    S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [6/12/2010 6:37 PM 16168]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 8:01 AM 2799808]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-12 c:\windows\Tasks\AdobeAAMUpdater-1.0-TEST-8DA2FE6C8B-Test.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-09 16:44]

    2010-12-07 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 01:34]

    2010-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-04 07:11]

    2010-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-04 07:11]

    2010-12-12 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2010-05-26 05:23]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
    IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    FF - ProfilePath - c:\documents and settings\Test\Application Data\Mozilla\Firefox\Profiles\91f8333l.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Flash Video Downloader - Youtube Downloader: artur.dubovoy@gmail.com - %profile%\extensions\artur.dubovoy@gmail.com
    FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
    FF - Ext: Veoh Video Compass: searchrecs@veoh.com - %profile%\extensions\searchrecs@veoh.com
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-13 20:06
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(784)
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

    - - - - - - - > 'explorer.exe'(1384)
    c:\windows\system32\WININET.dll
    c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
    c:\progra~1\MI1933~1\Office14\1033\GrooveIntlResource.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\PnkBstrA.exe
    c:\windows\system32\WTablet\Wacom_TabletUser.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Razer\DeathAdder\razerofa.exe
    c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
    .
    **************************************************************************
    .
    Completion time: 2010-12-13 20:10:16 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-12-13 09:10
    ComboFix2.txt 2010-12-11 10:00
    ComboFix3.txt 2010-12-10 08:37
    ComboFix4.txt 2010-12-09 11:57
    ComboFix5.txt 2010-12-13 08:56

    Pre-Run: 735,013,687,296 bytes free
    Post-Run: 734,872,268,800 bytes free

    - - End Of File - - 7F4CAF382E7F954350DC2020B75EECEB
  16. zeromk5

    zeromk5 Newcomer, in training Topic Starter

    And this would be the HijackThis log.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:15:56 PM, on 12/13/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17091)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Razer\DeathAdder\razerhid.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Razer\Arctosa\razerhid.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Wacom_Tablet.exe
    C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
    C:\WINDOWS\system32\Wacom_Tablet.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Razer\DeathAdder\razerofa.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Messenger Plus Live Australia Toolbar - {ea0969b3-6e12-4ac0-b6c9-148e81247954} - C:\Program Files\Messenger_Plus_Live_Australia\tbMes1.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office14\GROOVEEX.DLL
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MI1933~1\Office14\URLREDIR.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: Messenger Plus Live Australia Toolbar - {ea0969b3-6e12-4ac0-b6c9-148e81247954} - C:\Program Files\Messenger_Plus_Live_Australia\tbMes1.dll
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
    O3 - Toolbar: Messenger Plus Live Australia Toolbar - {ea0969b3-6e12-4ac0-b6c9-148e81247954} - C:\Program Files\Messenger_Plus_Live_Australia\tbMes1.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe" -r
    O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
    O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
    O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe
    O4 - HKLM\..\Run: [Arctosa] "C:\Program Files\Razer\Arctosa\razerhid.exe"
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
    O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
    O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [bluebirds] C:\Documents and Settings\Test\Bluebirds\BlueBirds.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Warkeys Update.lnk = C:\Program Files\Warkeys\AutoWarkey\AutoHotkey\AutoHotkey.exe
    O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office14\EXCEL.EXE/3000
    O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MI1933~1\Office14\ONBttnIE.dll/105
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: SW Distributed TS Coordinator Service (CoordinatorServiceHost) - Dassault Systèmes SolidWorks Corp. - C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Remote Solver for Flow Simulation 2010 - Mentor Graphics Corporation - C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe
    O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
    O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe

    --
    End of file - 12575 bytes
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Looking good! Just 2 processes left to remove, but I want to do one more short scan to be sure the MBR is clean:

    Download bootkitremover.rar and save it to your desktop.
    • Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip.
    • Double-click on the remover.exe file to run the program.
    • Paste the output in your next reply.
    ==================================================
    Please run this Custom CFScript

    1. Close any open browsers.
    2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it:
    Code:
    File::
    c:\program files\Ask.com\GenericAskToolbar.dll
    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    Driver::
    npggsvc
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image]

    Referring to the picture above, drag CFScript into ComboFix.exe
    When finished, it will produce a log for you at C:\ComboFix.txt . No log needed unless problems persist.
    ====================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    Empty the Recycle Bin
    Let me know if you have any more questions.
    =============================================
    A recommendation: Someday, when you have extra time, review all the processes you have starting on boot. Understand that the only processes that need to start on boot are the antivirus program, firewall if you have a 3rd party FW, the process for the touchpad if on a laptop, and a network process if using something like Pure Magic.

    Almost everything that starts on boot will continue to run in the background. After you surf for a while and pick up those temporary internet files, the system is going to slow down with all the 'weight'. And many Services can be set to Manual Startup type and do not need to automatically start. Review best Service settings on Black Viper's site: http://www.blackviper.com/WinXP/servicecfg.htm

    Have a Happy and Peaceful Holiday!
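    Added example, not part of this thread and not code from HijackThis or ComboFix: a small Python triage script for a HijackThis v2 log, in the spirit of the advice above to review what starts on boot. It parses the section-coded lines (R0-R3, F0-F3, O1-O24) and flags the entry kinds a helper looks at first when a search-redirect is reported: orphaned BHO CLSIDs marked "(no file)", URLSearchHook and toolbar entries, per-user O4 autoruns launching from a profile directory, and O23 services listed with "Unknown owner". The sample input is a handful of lines copied from the HijackThis log posted earlier in this thread; the flag rules are my own heuristics, and a flag is a prompt to verify the binary (publisher, signature, hash), not a verdict. "Unknown owner" on PnkBstrA in this log, for instance, only means HijackThis found no version information in PunkBuster's anti-cheat service.

```python
"""Triage a HijackThis v2 log: parse the section-coded lines and flag entries
that merit a manual check.  Example code added to this thread; it is not part
of HijackThis and the flag rules are the author's own heuristics."""
import re
from dataclasses import dataclass

# HijackThis prefixes every finding with a section code (R0-R3, F0-F3, O1-O24)
# followed by " - ".  Header and process-list lines do not match and are skipped.
HJT_LINE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")

# Sample input: lines copied from the HijackThis log posted in this thread
# (header and one process line included to show they are ignored).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
C:\WINDOWS\system32\winlogon.exe
R3 - URLSearchHook: Messenger Plus Live Australia Toolbar - {ea0969b3-6e12-4ac0-b6c9-148e81247954} - C:\Program Files\Messenger_Plus_Live_Australia\tbMes1.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Messenger Plus Live Australia Toolbar - {ea0969b3-6e12-4ac0-b6c9-148e81247954} - C:\Program Files\Messenger_Plus_Live_Australia\tbMes1.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [bluebirds] C:\Documents and Settings\Test\Bluebirds\BlueBirds.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""


@dataclass(frozen=True)
class Entry:
    code: str   # HijackThis section code, e.g. "O4"
    body: str   # everything after "O4 - "
    raw: str    # the full original line, for reporting


@dataclass(frozen=True)
class Finding:
    entry: Entry
    reason: str


def parse_hjt(log_text: str) -> list[Entry]:
    """Return every section-coded line as an Entry; other lines are dropped."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = HJT_LINE.match(line)
        if m:
            entries.append(Entry(m.group("code"), m.group("body"), line))
    return entries


def triage(log_text: str) -> list[Finding]:
    """Apply review heuristics.  A Finding means 'look at this', not 'malware'."""
    findings = []
    for e in parse_hjt(log_text):
        if e.code == "O2" and e.body.endswith("(no file)"):
            findings.append(Finding(e, "BHO CLSID registered but its DLL is gone (orphan; safe to remove)"))
        elif e.code == "R3" and e.body.startswith("URLSearchHook:"):
            findings.append(Finding(e, "URLSearchHook intercepts address-bar searches; a common redirect point"))
        elif e.code == "O3":
            findings.append(Finding(e, "third-party IE toolbar; confirm it was installed deliberately"))
        elif e.code == "O4" and e.body.startswith("HKCU") and "\\Documents and Settings\\" in e.body:
            findings.append(Finding(e, "per-user autorun launching from a profile directory, not Program Files"))
        elif e.code == "O23" and " - Unknown owner - " in e.body:
            findings.append(Finding(e, "service binary has no readable publisher; check its signature or hash"))
    return findings


def by_code(log_text: str) -> dict[str, int]:
    """Count entries per section code, a quick picture of how busy the log is."""
    counts: dict[str, int] = {}
    for e in parse_hjt(log_text):
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


if __name__ == "__main__":
    print("entries per section:", by_code(SAMPLE_LOG))
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.code}: {f.reason}\n    {f.entry.raw}")
```

    Run it on a saved hijackthis.log by reading the file into `triage()`; on the sample above it flags five of the nine coded lines and leaves the Avira, Java and ctfmon entries alone. The rules are deliberately narrow so that a clean machine produces a short list; widen them (for example, flag any O4 path outside Program Files or the Windows directory) once you know what is normal for the host.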
  18. zeromk5

    zeromk5 Newcomer, in training Topic Starter

    Thank you very much for bearing with me this whole time. I have received the log from running remover.exe, so I will paste it here.

    .\debug.cpp(238) : Debug log started at 15.12.2010 - 15:28:37
    .\boot_cleaner.cpp(527) : Bootkit Remover
    .\boot_cleaner.cpp(528) : (c) 2009 eSage Lab
    .\boot_cleaner.cpp(529) : www.esagelab.com
    .\boot_cleaner.cpp(533) : Program version: 1.2.0.0
    .\boot_cleaner.cpp(540) : OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    .\debug.cpp(248) : **********************************************
    .\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
    .\debug.cpp(250) : **********************************************
    .\debug.cpp(256) : 0x804d7000 0x0020d000 "\WINDOWS\system32\ntkrnlpa.exe"
    .\debug.cpp(256) : 0x806e4000 0x00020d00 "\WINDOWS\system32\hal.dll"
    .\debug.cpp(256) : 0xb85a8000 0x00002000 "\WINDOWS\system32\KDCOM.DLL"
    .\debug.cpp(256) : 0xb84b8000 0x00003000 "\WINDOWS\system32\BOOTVID.dll"
    .\debug.cpp(256) : 0xb7f79000 0x0002e000 "ACPI.sys"
    .\debug.cpp(256) : 0xb85aa000 0x00002000 "\WINDOWS\system32\DRIVERS\WMILIB.SYS"
    .\debug.cpp(256) : 0xb7f68000 0x00011000 "pci.sys"
    .\debug.cpp(256) : 0xb80a8000 0x00009000 "isapnp.sys"
    .\debug.cpp(256) : 0xb80b8000 0x00010000 "ohci1394.sys"
    .\debug.cpp(256) : 0xb80c8000 0x0000e000 "\WINDOWS\system32\DRIVERS\1394BUS.SYS"
    .\debug.cpp(256) : 0xb8670000 0x00001000 "pciide.sys"
    .\debug.cpp(256) : 0xb8328000 0x00007000 "\WINDOWS\system32\DRIVERS\PCIIDEX.SYS"
    .\debug.cpp(256) : 0xb80d8000 0x0000b000 "MountMgr.sys"
    .\debug.cpp(256) : 0xb7f49000 0x0001f000 "ftdisk.sys"
    .\debug.cpp(256) : 0xb8330000 0x00005000 "PartMgr.sys"
    .\debug.cpp(256) : 0xb80e8000 0x0000d000 "VolSnap.sys"
    .\debug.cpp(256) : 0xb7f31000 0x00018000 "atapi.sys"
    .\debug.cpp(256) : 0xb7f18000 0x00019000 "jraid.sys"
    .\debug.cpp(256) : 0xb7f00000 0x00018000 "\WINDOWS\system32\DRIVERS\SCSIPORT.SYS"
    .\debug.cpp(256) : 0xb80f8000 0x00009000 "disk.sys"
    .\debug.cpp(256) : 0xb8108000 0x0000d000 "\WINDOWS\system32\DRIVERS\CLASSPNP.SYS"
    .\debug.cpp(256) : 0xb7ee0000 0x00020000 "fltmgr.sys"
    .\debug.cpp(256) : 0xb7ece000 0x00012000 "sr.sys"
    .\debug.cpp(256) : 0xb8118000 0x0000a000 "PxHelp20.sys"
    .\debug.cpp(256) : 0xb7eb7000 0x00017000 "KSecDD.sys"
    .\debug.cpp(256) : 0xb7e2a000 0x0008d000 "Ntfs.sys"
    .\debug.cpp(256) : 0xb7dfd000 0x0002d000 "NDIS.sys"
    .\debug.cpp(256) : 0xb7de3000 0x0001a000 "Mup.sys"
    .\debug.cpp(256) : 0xb81b8000 0x00009000 "\SystemRoot\system32\DRIVERS\intelppm.sys"
    .\debug.cpp(256) : 0xb6c39000 0x00a1c000 "\SystemRoot\system32\DRIVERS\nv4_mini.sys"
    .\debug.cpp(256) : 0xb6c25000 0x00014000 "\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS"
    .\debug.cpp(256) : 0xb6bfd000 0x00028000 "\SystemRoot\system32\DRIVERS\HDAudBus.sys"
    .\debug.cpp(256) : 0xb84a8000 0x00006000 "\SystemRoot\system32\DRIVERS\usbuhci.sys"
    .\debug.cpp(256) : 0xb6bd9000 0x00024000 "\SystemRoot\system32\DRIVERS\USBPORT.SYS"
    .\debug.cpp(256) : 0xb84b0000 0x00008000 "\SystemRoot\system32\DRIVERS\usbehci.sys"
    .\debug.cpp(256) : 0xb81c8000 0x00010000 "\SystemRoot\system32\DRIVERS\nic1394.sys"
    .\debug.cpp(256) : 0xb81d8000 0x0000e000 "\SystemRoot\system32\DRIVERS\l1e51x86.sys"
    .\debug.cpp(256) : 0xb6bc5000 0x00014000 "\SystemRoot\system32\DRIVERS\parport.sys"
    .\debug.cpp(256) : 0xb85f8000 0x00002000 "\SystemRoot\system32\DRIVERS\ASACPI.sys"
    .\debug.cpp(256) : 0xb81e8000 0x00010000 "\SystemRoot\system32\DRIVERS\serial.sys"
    .\debug.cpp(256) : 0xb7c85000 0x00004000 "\SystemRoot\system32\DRIVERS\serenum.sys"
    .\debug.cpp(256) : 0xb81f8000 0x0000b000 "\SystemRoot\system32\DRIVERS\imapi.sys"
    .\debug.cpp(256) : 0xb8208000 0x00010000 "\SystemRoot\system32\DRIVERS\cdrom.sys"
    .\debug.cpp(256) : 0xb8218000 0x0000f000 "\SystemRoot\system32\DRIVERS\redbook.sys"
    .\debug.cpp(256) : 0xb6ba2000 0x00023000 "\SystemRoot\system32\DRIVERS\ks.sys"
    .\debug.cpp(256) : 0xb8390000 0x00006000 "\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys"
    .\debug.cpp(256) : 0xb7675000 0x00003000 "\SystemRoot\system32\DRIVERS\wacomvhid.sys"
    .\debug.cpp(256) : 0xb8228000 0x00009000 "\SystemRoot\system32\DRIVERS\HIDCLASS.SYS"
    .\debug.cpp(256) : 0xb83a0000 0x00007000 "\SystemRoot\system32\DRIVERS\HIDPARSE.SYS"
    .\debug.cpp(256) : 0xb870f000 0x00001000 "\SystemRoot\system32\DRIVERS\audstub.sys"
    .\debug.cpp(256) : 0xb8238000 0x0000d000 "\SystemRoot\system32\DRIVERS\rasl2tp.sys"
    .\debug.cpp(256) : 0xb766d000 0x00003000 "\SystemRoot\system32\DRIVERS\ndistapi.sys"
    .\debug.cpp(256) : 0xb6b8b000 0x00017000 "\SystemRoot\system32\DRIVERS\ndiswan.sys"
    .\debug.cpp(256) : 0xb8248000 0x0000b000 "\SystemRoot\system32\DRIVERS\raspppoe.sys"
    .\debug.cpp(256) : 0xb8258000 0x0000c000 "\SystemRoot\system32\DRIVERS\raspptp.sys"
    .\debug.cpp(256) : 0xb83c0000 0x00005000 "\SystemRoot\system32\DRIVERS\TDI.SYS"
    .\debug.cpp(256) : 0xb6b7a000 0x00011000 "\SystemRoot\system32\DRIVERS\psched.sys"
    .\debug.cpp(256) : 0xb8268000 0x00009000 "\SystemRoot\system32\DRIVERS\msgpc.sys"
    .\debug.cpp(256) : 0xb83d0000 0x00005000 "\SystemRoot\system32\DRIVERS\ptilink.sys"
    .\debug.cpp(256) : 0xb83e0000 0x00005000 "\SystemRoot\system32\DRIVERS\raspti.sys"
    .\debug.cpp(256) : 0xb85fc000 0x00002000 "\SystemRoot\system32\DRIVERS\vHidDev.sys"
    .\debug.cpp(256) : 0xb8278000 0x0000a000 "\SystemRoot\system32\DRIVERS\termdd.sys"
    .\debug.cpp(256) : 0xb83e8000 0x00006000 "\SystemRoot\system32\DRIVERS\kbdclass.sys"
    .\debug.cpp(256) : 0xb83f0000 0x00006000 "\SystemRoot\system32\DRIVERS\mouclass.sys"
    .\debug.cpp(256) : 0xb8602000 0x00002000 "\SystemRoot\system32\DRIVERS\swenum.sys"
    .\debug.cpp(256) : 0xb6b1c000 0x0005e000 "\SystemRoot\system32\DRIVERS\update.sys"
    .\debug.cpp(256) : 0xb7659000 0x00004000 "\SystemRoot\system32\DRIVERS\mssmbios.sys"
    .\debug.cpp(256) : 0xb8288000 0x0000f000 "\SystemRoot\system32\DRIVERS\usbhub.sys"
    .\debug.cpp(256) : 0xb8608000 0x00002000 "\SystemRoot\system32\DRIVERS\USBD.SYS"
    .\debug.cpp(256) : 0xb854c000 0x00003000 "\SystemRoot\system32\DRIVERS\mouhid.sys"
    .\debug.cpp(256) : 0xb8408000 0x00008000 "\SystemRoot\system32\DRIVERS\wacommousefilter.sys"
    .\debug.cpp(256) : 0xb8298000 0x0000a000 "\SystemRoot\System32\Drivers\NDProxy.SYS"
    .\debug.cpp(256) : 0xb8578000 0x00004000 "\SystemRoot\system32\DRIVERS\kbdhid.sys"
    .\debug.cpp(256) : 0xb4336000 0x00626000 "\SystemRoot\system32\drivers\RtkHDAud.sys"
    .\debug.cpp(256) : 0xb4312000 0x00024000 "\SystemRoot\system32\drivers\portcls.sys"
    .\debug.cpp(256) : 0xb82b8000 0x0000f000 "\SystemRoot\system32\drivers\drmk.sys"
    .\debug.cpp(256) : 0xb8614000 0x00002000 "\SystemRoot\System32\Drivers\Fs_Rec.SYS"
    .\debug.cpp(256) : 0xb87ca000 0x00001000 "\SystemRoot\System32\Drivers\Null.SYS"
    .\debug.cpp(256) : 0xb8618000 0x00002000 "\SystemRoot\System32\Drivers\Beep.SYS"
    .\debug.cpp(256) : 0xb8458000 0x00006000 "\SystemRoot\System32\drivers\vga.sys"
    .\debug.cpp(256) : 0xb861c000 0x00002000 "\SystemRoot\System32\Drivers\mnmdd.SYS"
    .\debug.cpp(256) : 0xb8620000 0x00002000 "\SystemRoot\System32\DRIVERS\RDPCDD.sys"
    .\debug.cpp(256) : 0xb8468000 0x00005000 "\SystemRoot\System32\Drivers\Msfs.SYS"
    .\debug.cpp(256) : 0xb8478000 0x00008000 "\SystemRoot\System32\Drivers\Npfs.SYS"
    .\debug.cpp(256) : 0xb7c81000 0x00003000 "\SystemRoot\system32\DRIVERS\rasacd.sys"
    .\debug.cpp(256) : 0xb424f000 0x00013000 "\SystemRoot\system32\DRIVERS\ipsec.sys"
    .\debug.cpp(256) : 0xb41f6000 0x00059000 "\SystemRoot\system32\DRIVERS\tcpip.sys"
    .\debug.cpp(256) : 0xb41d0000 0x00026000 "\SystemRoot\system32\DRIVERS\ipnat.sys"
    .\debug.cpp(256) : 0xb41a8000 0x00028000 "\SystemRoot\system32\DRIVERS\netbt.sys"
    .\debug.cpp(256) : 0xb82d8000 0x00009000 "\SystemRoot\system32\DRIVERS\wanarp.sys"
    .\debug.cpp(256) : 0xb415e000 0x00022000 "\SystemRoot\System32\drivers\afd.sys"
    .\debug.cpp(256) : 0xb82e8000 0x00009000 "\SystemRoot\system32\DRIVERS\netbios.sys"
    .\debug.cpp(256) : 0xb82f8000 0x0000f000 "\SystemRoot\system32\DRIVERS\arp1394.sys"
    .\debug.cpp(256) : 0xb8498000 0x00006000 "\SystemRoot\system32\DRIVERS\ssmdrv.sys"
    .\debug.cpp(256) : 0xb8308000 0x0000b000 "\SystemRoot\System32\Drivers\SCDEmu.SYS"
    .\debug.cpp(256) : 0xb4093000 0x0002b000 "\SystemRoot\system32\DRIVERS\rdbss.sys"
    .\debug.cpp(256) : 0xb4023000 0x00070000 "\SystemRoot\system32\DRIVERS\mrxsmb.sys"
    .\debug.cpp(256) : 0xb8318000 0x0000b000 "\SystemRoot\System32\Drivers\Fips.SYS"
    .\debug.cpp(256) : 0xb3ffd000 0x00026000 "\SystemRoot\system32\DRIVERS\avipbb.sys"
    .\debug.cpp(256) : 0xb8626000 0x00002000 "\??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys"
    .\debug.cpp(256) : 0xb8628000 0x00002000 "\SystemRoot\system32\drivers\AsIO.sys"
    .\debug.cpp(256) : 0xb429a000 0x00003000 "\SystemRoot\system32\DRIVERS\hidusb.sys"
    .\debug.cpp(256) : 0xb77e8000 0x00010000 "\SystemRoot\System32\Drivers\Cdfs.SYS"
    .\debug.cpp(256) : 0xb8380000 0x00008000 "\SystemRoot\system32\DRIVERS\usbccgp.sys"
    .\debug.cpp(256) : 0xb345c000 0x00b79000 "\SystemRoot\system32\DRIVERS\snp2sxp.sys"
    .\debug.cpp(256) : 0xb77d8000 0x0000d000 "\SystemRoot\system32\DRIVERS\STREAM.SYS"
    .\debug.cpp(256) : 0xb83a8000 0x00007000 "\SystemRoot\system32\DRIVERS\SNCAMD.SYS"
    .\debug.cpp(256) : 0xb77c8000 0x0000f000 "\SystemRoot\system32\drivers\usbaudio.sys"
    .\debug.cpp(256) : 0xb4286000 0x00003000 "\SystemRoot\system32\drivers\danew.sys"
    .\debug.cpp(256) : 0xb83b8000 0x00005000 "\SystemRoot\System32\Drivers\Arctosa.sys"
    .\debug.cpp(256) : 0xb3444000 0x00018000 "\SystemRoot\System32\Drivers\dump_atapi.sys"
    .\debug.cpp(256) : 0xb8634000 0x00002000 "\SystemRoot\System32\Drivers\dump_WMILIB.SYS"
    .\debug.cpp(256) : 0xbf800000 0x001c5000 "\SystemRoot\System32\win32k.sys"
    .\debug.cpp(256) : 0xb419c000 0x00003000 "\SystemRoot\System32\drivers\Dxapi.sys"
    .\debug.cpp(256) : 0xb8400000 0x00005000 "\SystemRoot\System32\watchdog.sys"
    .\debug.cpp(256) : 0xbd000000 0x00012000 "\SystemRoot\System32\drivers\dxg.sys"
    .\debug.cpp(256) : 0xb86bb000 0x00001000 "\SystemRoot\System32\drivers\dxgthk.sys"
    .\debug.cpp(256) : 0xbd012000 0x0060f000 "\SystemRoot\System32\nv4_disp.dll"
    .\debug.cpp(256) : 0xbffa0000 0x00047000 "\SystemRoot\System32\ATMFD.DLL"
    .\debug.cpp(256) : 0xb30c2000 0x00015000 "\SystemRoot\system32\DRIVERS\avgntflt.sys"
    .\debug.cpp(256) : 0xb30b2000 0x00004000 "\SystemRoot\system32\DRIVERS\ndisuio.sys"
    .\debug.cpp(256) : 0xb2db5000 0x00015000 "\SystemRoot\system32\drivers\wdmaud.sys"
    .\debug.cpp(256) : 0xb3042000 0x0000f000 "\SystemRoot\system32\drivers\sysaudio.sys"
    .\debug.cpp(256) : 0xb2d3d000 0x0002d000 "\SystemRoot\system32\DRIVERS\mrxdav.sys"
    .\debug.cpp(256) : 0xb8616000 0x00002000 "\SystemRoot\System32\Drivers\ParVdm.SYS"
    .\debug.cpp(256) : 0xb2737000 0x00011000 "\SystemRoot\System32\Drivers\adfs.SYS"
    .\debug.cpp(256) : 0xb2828000 0x00004000 "\??\C:\WINDOWS\system32\drivers\cpuz133_x32.sys"
    .\debug.cpp(256) : 0xb281c000 0x00004000 "\??\C:\WINDOWS\system32\drivers\cpuz134_x32.sys"
    .\debug.cpp(256) : 0xb24d7000 0x00058000 "\SystemRoot\system32\DRIVERS\srv.sys"
    .\debug.cpp(256) : 0xb0def000 0x00041000 "\SystemRoot\System32\Drivers\HTTP.sys"
    .\debug.cpp(256) : 0xafc7c000 0x0002b000 "\SystemRoot\system32\drivers\kmixer.sys"
    .\debug.cpp(256) : 0x7c900000 0x000b2000 "\WINDOWS\system32\ntdll.dll"
    .\debug.cpp(263) : **********************************************
    .\debug.cpp(307) : *** [ DEVICE OBJECTS INFORMATION ] ***********
    .\debug.cpp(308) : **********************************************
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\D:"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY1"
    .\debug.cpp(400) : Destination "\Device\Video0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi3:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDIS"
    .\debug.cpp(400) : Destination "\Device\Ndis"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_23#_1#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
    .\debug.cpp(400) : Destination "\Device\00000042"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPPOEMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000034"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{71985f4a-1ca1-11d3-9cc8-00c04f7971e0}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY2"
    .\debug.cpp(400) : Destination "\Device\Video1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0887&SUBSYS_1043837B&REV_1002#4&219b05b7&0&0001#{dda54a40-1e4c-11d1-a050-405705c10000}"
    .\debug.cpp(400) : Destination "\Device\00000085"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ffbb6e3f-ccfe-4d84-90d9-421418b03a8e}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY3"
    .\debug.cpp(400) : Destination "\Device\Video2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0c45&Pid_62b3&MI_00#6&14b37ee3&0&0000#{6994ad05-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000008c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_1532&Pid_010b#5&385a3465&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-11"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ip"
    .\debug.cpp(400) : Destination "\Device\Ip"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{3076b6aa-9c7d-11de-a3c5-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_23#_3#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
    .\debug.cpp(400) : Destination "\Device\00000044"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{98E300F4-D296-4F0F-B5C8-9C30014CF4E3}"
    .\debug.cpp(400) : Destination "\Device\{98E300F4-D296-4F0F-B5C8-9C30014CF4E3}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANIP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000033"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY4"
    .\debug.cpp(400) : Destination "\Device\Video3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\avgio"
    .\debug.cpp(400) : Destination "\Device\avgio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0925&Pid_03e8#5&2e573136&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-8"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ATKACPI"
    .\debug.cpp(400) : Destination "\Device\ATKACPI"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\E:"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Arctosa"
    .\debug.cpp(400) : Destination "\Device\Arctosa"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPSECDev"
    .\debug.cpp(400) : Destination "\Device\IPSEC"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&33d5ef4b&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CDR4_XP"
    .\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{C567FFA8-3DEB-4CC3-BB3E-BD7CBC59612F}"
    .\debug.cpp(400) : Destination "\Device\{C567FFA8-3DEB-4CC3-BB3E-BD7CBC59612F}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9aa4a2cc-81e0-4cfd-802f-0f74526d2bd3}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_0E22&SUBSYS_34FC1458&REV_A1#4&399d3c6a&0&0008#{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0020"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_3A37&SUBSYS_82D41043&REV_00#3&11583659&0&D0#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_3A3C&SUBSYS_82D41043&REV_00#3&11583659&0&D7#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0005"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi4:"
    .\debug.cpp(400) : Destination "\Device\Scsi\JRAID1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_1532&Pid_0016#6&1cfd2965&0&0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000090"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDPROXY"
    .\debug.cpp(400) : Destination "\Device\NDProxy"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{fd0a5af4-b41d-11d2-9c95-00c04f7971e0}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3c0d501a-140b-11d1-b40f-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\$VDMLPT1"
    .\debug.cpp(400) : Destination "\Device\ParallelVdm0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHL-DT-ST_DVDRAM_GH22NS50________________TN00____#344b395542373532333020322020202020202020#{1186654d-47b8-48b9-beb9-7df113ae3c67}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_197B&DEV_2361&SUBSYS_83871043&REV_02#4&34ebacd6&0&00E4#{2accfe60-c130-11d2-b082-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0023"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0887&SUBSYS_1043837B&REV_1002#4&219b05b7&0&0001#{86841137-ed8e-4d97-9975-f2ed56b4430e}"
    .\debug.cpp(400) : Destination "\Device\00000085"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM1"
    .\debug.cpp(400) : Destination "\Device\Serial0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\F:"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_0925&Pid_03e8#6&27eb7b13&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\0000008b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WMIDataDevice"
    .\debug.cpp(400) : Destination "\Device\WMIDataDevice"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_23#_0#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{dff220f3-f70f-11d0-b917-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev0"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\avgntflt"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\avgntflt"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PIPE"
    .\debug.cpp(400) : Destination "\Device\NamedPipe"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev1"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_1532&Pid_0016#5&385a3465&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-10"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{2eb07ea0-7e70-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c5066e-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\GEARAspiWDMDevice"
    .\debug.cpp(400) : Destination "\Device\GEARAspiWDMDevice"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{0a4252a0-7e70-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_3A35&SUBSYS_82D41043&REV_00#3&11583659&0&E9#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0012"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPNAT"
    .\debug.cpp(400) : Destination "\Device\IPNAT"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev2"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\UNC"
    .\debug.cpp(400) : Destination "\Device\Mup"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\G:"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PSched"
    .\debug.cpp(400) : Destination "\Device\PSched"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{67AC1517-F63D-4067-8874-7907E1F32D4A}"
    .\debug.cpp(400) : Destination "\Device\{67AC1517-F63D-4067-8874-7907E1F32D4A}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Tcp"
    .\debug.cpp(400) : Destination "\Device\Tcp"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev3"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgrMsg"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgrMsg"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#GSPYVHid&Col01#1&3ac5b05f&3&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\0000007a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#GSPYVHid&Col03#1&3ac5b05f&3&0002#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\0000007c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD0"
    .\debug.cpp(400) : Destination "\Device\USBFDO-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PTIMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000038"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev4"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\LCD"
    .\debug.cpp(400) : Destination "\Device\VideoPdo0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#WACOMVIRTUALHID&Col02#1&2d595ca7&1&0001#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\00000077"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD1"
    .\debug.cpp(400) : Destination "\Device\USBFDO-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive0"
    .\debug.cpp(400) : Destination "\Device\Harddisk0\DR0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{cf1dda2c-9743-11d0-a3ee-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_3A39&SUBSYS_82D41043&REV_00#3&11583659&0&D2#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0004"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0001#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000037"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_1969&DEV_1026&SUBSYS_831C1043&REV_B0#4&20515db1&0&00E5#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0024"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev5"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PRN"
    .\debug.cpp(400) : Destination "\DosDevices\LPT1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{53172480-4791-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD2"
    .\debug.cpp(400) : Destination "\Device\USBFDO-2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB20#4&290cafbe&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom0"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000036"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev6"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\fsWrap"
    .\debug.cpp(400) : Destination "\Device\FsWrap"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_1532&Pid_010b&MI_00#7&115d5c07&0&0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000093"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\sysaudio"
    .\debug.cpp(400) : Destination "\Device\sysaudio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0887&SUBSYS_1043837B&REV_1002#4&219b05b7&0&0001#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000085"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{97ebaacb-95bd-11d0-a3ea-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD3"
    .\debug.cpp(400) : Destination "\Device\USBFDO-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&SignatureBFCFBFCFOffset7E00LengthE8E0358200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev7"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0c45&Pid_62b3#5&c0aa250&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-9"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0c45&Pid_62b3&MI_01#6&14b37ee3&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000008d"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#WACOMVIRTUALHID&Col03#1&2d595ca7&1&0002#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\00000078"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD4"
    .\debug.cpp(400) : Destination "\Device\USBFDO-4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0C#aa#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#FixedButton#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000048"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_3A3A&SUBSYS_82D41043&REV_00#3&11583659&0&EF#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0014"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_3A34&SUBSYS_82D41043&REV_00#3&11583659&0&E8#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0011"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Global"
    .\debug.cpp(400) : Destination "\GLOBAL??"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD5"
    .\debug.cpp(400) : Destination "\Device\USBFDO-5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PxHelperDevice0"
    .\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{A533DA3B-A111-4DE1-895A-37675D50F4EC}"
    .\debug.cpp(400) : Destination "\Device\{A533DA3B-A111-4DE1-895A-37675D50F4EC}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"
    .\debug.cpp(400) : Destination "\Device\0000006b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD6"
    .\debug.cpp(400) : Destination "\Device\USBFDO-6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0887&SUBSYS_1043837B&REV_1002#4&219b05b7&0&0001#{65e8773e-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000085"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50671-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&1bd273f9&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD7"
    .\debug.cpp(400) : Destination "\Device\USBFDO-7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHL-DT-ST_DVDRAM_GH22NS50________________TN00____#344b395542373532333020322020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_197B&DEV_2380&SUBSYS_83131043&REV_00#4&16822c0b&0&00E1#{6bdd1fc1-810f-11d0-bec7-08002be2092f}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0022"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0401#4&2bc541ba&0#{97f76ef0-f883-11d0-af1f-0000f800845c}"
    .\debug.cpp(400) : Destination "\Device\00000064"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9ea331fa-b91b-45f8-9285-bd2bc77afcde}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad809c00-7b88-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3e227e76-690d-11d2-8161-0000f8775bf1}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{9241C8EA-72DE-4B1E-A38F-9173EB35E893}"
    .\debug.cpp(400) : Destination "\Device\{9241C8EA-72DE-4B1E-A38F-9173EB35E893}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{07dad660-22f1-11d1-a9f4-00c04fbbde8f}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ARP1394"
    .\debug.cpp(400) : Destination "\Device\ARP1394"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\V1394#NIC1394#71022010020#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000006d"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{77D8FD89-7241-4671-8CB3-B4C050C62675}"
    .\debug.cpp(400) : Destination "\Device\{77D8FD89-7241-4671-8CB3-B4C050C62675}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{4d36e978-e325-11ce-bfc1-08002be10318}"
    .\debug.cpp(400) : Destination "\Device\0000006b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_1532&Pid_010b&MI_00#7&115d5c07&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\00000093"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0c45&Pid_62b3&MI_00#6&14b37ee3&0&0000#{fb6c428a-0353-11d1-905f-0000c0cc16ba}"
    .\debug.cpp(400) : Destination "\Device\0000008c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0c45&Pid_62b3&MI_00#6&14b37ee3&0&0000#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000008c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MbDlDp32"
    .\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_23#_2#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
    .\debug.cpp(400) : Destination "\Device\00000043"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_L2TPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000032"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ssmctl"
    .\debug.cpp(400) : Destination "\Device\ssmctl"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50674-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#WACOMVIRTUALHID&Col04#1&2d595ca7&1&0003#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\00000079"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MountPointManager"
    .\debug.cpp(400) : Destination "\Device\MountPointManager"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#ftdisk#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Artemis.00"
    .\debug.cpp(400) : Destination "\Device\Artemis.00"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#WACOMVIRTUALHID&Col03#1&2d595ca7&1&0002#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000078"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHL-DT-ST_DVDRAM_GH22NS50________________TN00____#344b395542373532333020322020202020202020#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DANew"
    .\debug.cpp(400) : Destination "\Device\DANew"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WanArp"
    .\debug.cpp(400) : Destination "\Device\WANARP"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#WACOMVIRTUALHID&Col01#1&2d595ca7&1&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\00000076"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISWANIP"
    .\debug.cpp(400) : Destination "\Device\NdisWanIp"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CPUZ133"
    .\debug.cpp(400) : Destination "\Device\cpuz133"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB20#4&3097edfd&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_3A38&SUBSYS_82D41043&REV_00#3&11583659&0&D1#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0003"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi0:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{fbf6f530-07b9-11d2-a71e-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{bf963d80-c559-11d0-8a2b-00a0c9255ac1}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CPUZ134"
    .\debug.cpp(400) : Destination "\Device\cpuz134"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&14d59eda&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\1394BUS0"
    .\debug.cpp(400) : Destination "\Device\1394BUS0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{8F49DF83-B528-4C1E-AA08-19C4F4E79B5C}"
    .\debug.cpp(400) : Destination "\Device\{8F49DF83-B528-4C1E-AA08-19C4F4E79B5C}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ADVirtualDiskDevice"
    .\debug.cpp(400) : Destination "\Device\ADVirtualDisk\Control"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_1532&Pid_010b&MI_01&Col01#7&2920e84c&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\00000094"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK1"
    .\debug.cpp(400) : Destination "\Device\ParTechInc0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPTPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000035"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{4747b320-62ce-11cf-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_1532&Pid_0016#5&385a3465&0&1#{d2f9ad00-6ae9-11d5-88f8-0080c8ef5b74}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-10"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_1532&Pid_0016#6&1cfd2965&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\00000090"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{3076b6a8-9c7d-11de-a3c5-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{a7c7a5b1-5af3-11d1-9ced-00a024bf0407}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK2"
    .\debug.cpp(400) : Destination "\Device\ParTechInc1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPMULTICAST"
    .\debug.cpp(400) : Destination "\Device\IPMULTICAST"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi1:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#GSPYVHid&Col03#1&3ac5b05f&3&0002#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\0000007c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\LPT1"
    .\debug.cpp(400) : Destination "\Device\NamedPipe\Spooler\LPT1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NdisWan"
    .\debug.cpp(400) : Destination "\Device\NdisWan"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISTAPI"
    .\debug.cpp(400) : Destination "\Device\NdisTapi"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK3"
    .\debug.cpp(400) : Destination "\Device\ParTechInc2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{586924D0-96B4-4B88-AD6B-2B72A4700998}"
    .\debug.cpp(400) : Destination "\Device\{586924D0-96B4-4B88-AD6B-2B72A4700998}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_3A36&SUBSYS_82D41043&REV_00#3&11583659&0&EA#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0013"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#GSPYVHid&Col02#1&3ac5b05f&3&0001#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\0000007b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_1532&Pid_010b&MI_01&Col02#7&2920e84c&0&0001#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\00000095"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Shadow"
    .\debug.cpp(400) : Destination "\Device\LanmanRedirector"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&67e9d0c&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FtControl"
    .\debug.cpp(400) : Destination "\Device\FtControl"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgr"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgr"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#GSPYVHid&Col02#1&3ac5b05f&3&0001#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\0000007b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AUX"
    .\debug.cpp(400) : Destination "\DosDevices\COM1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MAILSLOT"
    .\debug.cpp(400) : Destination "\Device\MailSlot"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\LPTENUM#MicrosoftRawPort#5&22755735&0&LPT1#{811fc6a5-f728-11d0-a537-0000f8753ed1}"
    .\debug.cpp(400) : Destination "\Device\Parallel0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi2:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ndisuio"
    .\debug.cpp(400) : Destination "\Device\Ndisuio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT"
    .\debug.cpp(400) : Destination ""
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NUL"
    .\debug.cpp(400) : Destination "\Device\Null"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&3141bc6c&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\0000003a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0c45&Pid_62b3&MI_01#6&14b37ee3&0&0001#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000008d"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Asusgio"
    .\debug.cpp(400) : Destination "\Device\Asusgio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NONSPOOLED_LPT1"
    .\debug.cpp(400) : Destination "\Device\Parallel0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#DiskHitachi_HDT721010SLA360_________________ST6OA3AA#5&2ea7e938&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP0T0L0-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0887&SUBSYS_1043837B&REV_1002#4&219b05b7&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000085"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\avipbb"
    .\debug.cpp(400) : Destination "\Device\avipbb"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&1d34232f&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-6"
    .\debug.cpp(409) : --
    .\debug.cpp(453) : **********************************************
    .\boot_cleaner.cpp(565) : System volume is \\.\C:
    .\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    .\boot_cleaner.cpp(276) : Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd
    .\boot_cleaner.cpp(1060) :
    .\boot_cleaner.cpp(1061) : Size Device Name MBR Status
    .\boot_cleaner.cpp(1062) : --------------------------------------------
    .\boot_cleaner.cpp(1106) : 931 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
    .\boot_cleaner.cpp(1112) :
    .\boot_cleaner.cpp(1151) : Done;
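The last lines of the log above are the boot-sector stage: the tool maps `\\.\C:` to `\\.\PhysicalDrive0` at byte offset 0x7e00, fingerprints the boot sector with MD5, and reports the MBR as OK. The following is an added example, not code or output from the thread or from the tool that produced the log. It performs the same kind of check on a constructed 512-byte MBR held in memory (the sample partition, the `check_mbr` status names and the baseline-hash idea are all assumptions of the example), so it runs without touching a disk; the 0x7e00 offset falls out of the classic XP layout in which the first partition starts at LBA 63.

```python
"""Boot-sector check of the kind the log's boot_cleaner stage performs.

Added example; not code or output from the thread. Everything runs on a
constructed 512-byte MBR in memory. To inspect a real drive on Windows you
would read the first 512 bytes of \\\\.\\PhysicalDrive0 as Administrator and
pass them to check_mbr().
"""
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446       # four 16-byte entries follow the boot code
MBR_SIGNATURE = b"\x55\xAA"        # last two bytes of a valid MBR
ENTRY_FMT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(first_lba: int = 63, sectors: int = 0x1000) -> bytes:
    """Constructed MBR: zeroed boot-code area, one bootable NTFS (0x07) partition
    starting at LBA 63 (the classic XP layout), three empty entries, signature."""
    boot_code = bytes(PARTITION_TABLE_OFFSET)
    entry = struct.pack(ENTRY_FMT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", first_lba, sectors)
    return boot_code + entry + bytes(16) * 3 + MBR_SIGNATURE


def has_valid_signature(sector: bytes) -> bool:
    return len(sector) == SECTOR_SIZE and sector[-2:] == MBR_SIGNATURE


def boot_sector_md5(sector: bytes) -> str:
    """Same kind of fingerprint the log reports as 'Boot sector MD5'."""
    return hashlib.md5(sector).hexdigest()


def parse_partitions(sector: bytes) -> List[Dict[str, int]]:
    """Decode the four partition entries; byte_offset is the figure Windows
    reports as the volume's offset into the physical drive."""
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * 16
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:                       # empty entry
            continue
        parts.append({"index": i, "bootable": int(status == 0x80), "type": ptype,
                      "start_lba": lba, "sectors": count,
                      "byte_offset": lba * SECTOR_SIZE})
    return parts


def check_mbr(sector: bytes, known_good_md5: Optional[str] = None) -> Dict[str, object]:
    """Classify a boot sector: bad size/signature, hash drift from a recorded
    baseline, or OK. A hash mismatch on its own is not proof of a bootkit (a
    legitimate repartition also changes it) but it is the cue to look closer."""
    if not has_valid_signature(sector):
        return {"status": "NO_SIGNATURE", "md5": None, "partitions": []}
    digest = boot_sector_md5(sector)
    if known_good_md5 is not None and digest != known_good_md5.lower():
        return {"status": "HASH_MISMATCH", "md5": digest, "partitions": parse_partitions(sector)}
    return {"status": "OK", "md5": digest, "partitions": parse_partitions(sector)}


if __name__ == "__main__":
    mbr = build_sample_mbr()
    baseline = boot_sector_md5(mbr)              # record this when the machine is known clean
    print(check_mbr(mbr, baseline)["status"])    # OK
    tampered = bytearray(mbr)
    tampered[0] ^= 0xFF                          # one byte of boot code changed
    print(check_mbr(bytes(tampered), baseline)["status"])  # HASH_MISMATCH
    print(hex(parse_partitions(mbr)[0]["byte_offset"]))    # 0x7e00, as in the log
```

The useful habit this illustrates is recording the boot-sector hash while the machine is known to be clean; a later scan can then tell "unchanged" from "changed", which a one-off MD5 in a log cannot.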
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're welcome! Glad to help. System is clean! A heads up for you: whenever you download a program, look carefully at the download page/site. Frequently you'll see items pre-checked so that you will automatically get them along with the download. You don't want these extras! Uncheck before download.

    The Ask Toolbar was all over your system. I don't know of anyone who actually downloads it intentionally, so I expect you had some pre-checked downloads.
    ==========================================
    Tips for added security and safer browsing:
    1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
      This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
    2. Have layered Security:
      • Antivirus Software (only one): Both of the following programs are free and known to be good:
        [o]Avira Free
        [o]Avast Home
      • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
        [o]Comodo
        [o]Zone Alarm
      • Antispyware: I recommend all of the following:
        [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
        [o]Download ZonedOut and save to your desktop. This replaces IE/Spyad and manages the Zones in Internet Explorer. This places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.)

        Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites, ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroy's immunization the problem goes away...
        [o]MVPS Hosts files This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
        [o]Google Toolbar Get the free google toolbar to help stop pop up windows.
    3. Stay current on updates:
      [o] Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
      [o]Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
      [o]Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    4. Reset Cookies to prevent Tracking Cookies:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
    5. Do regular Maintenance
      Remove Temporary Internet Files regularly:
      [o]ATF Cleaner by Atribune
      OR
      [o]TFC
      Disable and Enable System Restore:
      [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    6. Practice Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Have a Happy and Peaceful Holiday!
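The MVPS HOSTS tip in the post above works by pinning known ad and tracking hosts to 127.0.0.1 so the machine never reaches them. The same file is also a place an infection can pin search engines to an attacker's address, which is one way a browser lands on a "fishy" search site, so it is worth auditing in both directions. The following is an added example, not code from the thread or from MVPS: it parses a constructed HOSTS file, counts the legitimate black-hole entries, and flags any mapping of a watched domain to a real address. The sample file, the `WATCHED_DOMAINS` list and the two-label `registrable_suffix` heuristic are assumptions of the example; the thread's own logs do not say the HOSTS file was involved on this machine.

```python
"""HOSTS-file audit: the MVPS HOSTS mechanism, checked in both directions.

Added example, not code from the thread. On Windows the live file is
%SystemRoot%\\System32\\drivers\\etc\\hosts; read it and pass the text to
audit_hosts(). The sample below is constructed for the example.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample: three MVPS-style block entries plus two hijack-style
# lines (203.0.113.0/24 is documentation address space, so nothing real is named).
SAMPLE_HOSTS = """\
# MVPS-style entries: ad/tracking hosts pinned to the loopback address
127.0.0.1 localhost
127.0.0.1 ads.example-adnetwork.test
127.0.0.1 tracker.example-metrics.test    # trailing comment is legal
0.0.0.0   banner.example-adserver.test
# What a search hijack looks like (constructed for this example)
203.0.113.10 www.google.com google.com
203.0.113.10 www.bing.com
"""

BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}          # addresses used for blocking
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Assumption: domains that should never be overridden in HOSTS on this machine.
WATCHED_DOMAINS = {"google.com", "bing.com", "yahoo.com", "microsoft.com", "windowsupdate.com"}


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, hostnames) per entry. Comments and blank lines are dropped;
    a line whose first field is not an IP address is skipped rather than trusted."""
    entries: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))   # normalises e.g. 0::1 -> ::1
        except ValueError:
            continue
        entries.append((ip, [h.lower().rstrip(".") for h in fields[1:]]))
    return entries


def registrable_suffix(host: str) -> str:
    """Last two labels of a hostname. Deliberately simple (no public-suffix
    list); enough to match www.google.com against google.com."""
    return ".".join(host.split(".")[-2:])


def audit_hosts(text: str, watched: Iterable[str] = WATCHED_DOMAINS) -> Dict[str, list]:
    """Sort every mapping into: blocked (black-holed, the MVPS behaviour),
    hijacked (a watched domain pointed at a real address), or other
    (a non-loopback override not on the watch list, still worth a look)."""
    watched_set = {w.lower() for w in watched}
    result: Dict[str, list] = {"blocked": [], "hijacked": [], "other": []}
    for ip, hosts in parse_hosts(text):
        for host in hosts:
            if host in LOCAL_NAMES:
                continue
            if ip in BLACKHOLE:
                result["blocked"].append(host)
            elif registrable_suffix(host) in watched_set:
                result["hijacked"].append((host, ip))
            else:
                result["other"].append((host, ip))
    return result


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(report['blocked'])} hosts black-holed")
    for host, ip in report["hijacked"]:
        print(f"HIJACK: {host} -> {ip}")
    for host, ip in report["other"]:
        print(f"review: {host} -> {ip}")
```

A large MVPS-style file will produce thousands of `blocked` entries and that is expected; the lines to act on are the `hijacked` ones, and anything in `other` should be explainable by the owner of the machine.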
  20. zeromk5

    zeromk5 Newcomer, in training Topic Starter

    I think it's safe to say the problem has been solved. I cannot thank you enough. Not only have you helped me, but you have explained to me why these things had happened in a way that is easy to understand. I will take extra caution from now on, and make note of the six tips you have provided me.

    I wish you a Merry Christmas!