TechSpot

Help with a friend's W7 laptop, browser got hijacked

Solved
By learninmypc
Jan 14, 2012
  1. He had AVG on here & it got partially removed.
    Also his browser has gotten hijacked. I tried to reset it, but it didn't stay. The name of the infection is WhiteSmoke. I removed its entries from Add/Remove Programs, but it still has the browser hijacked.

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.14.04

    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 8.0.7601.17514
    mercury :: MERCURY-PC [administrator]

    1/14/2012 2:18:54 PM
    mbam-log-2012-01-14 (14-18-54).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 241809
    Time elapsed: 28 minute(s), 4 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Users\mercury\AppData\Local\Temp\.exe (Trojan.Agent) -> Quarantined and deleted successfully.

    (end)


    Continuing with other scans
     
  2. learninmypc

    learninmypc TS Evangelist Topic Starter Posts: 5,398   +240

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-01-14 16:00:57
    Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS545025B9A300 rev.PB2OC60F
    Running: gmer.exe; Driver: C:\Users\mercury\AppData\Local\Temp\pftiifog.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x908D27A2]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- EOF - GMER 1.0.15 ----
     
  3. learninmypc

    learninmypc TS Evangelist Topic Starter Posts: 5,398   +240

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.7601.17514
    Run by mercury at 16:18:17 on 2012-01-14
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3002.2329 [GMT -8:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    svchost.exe
    svchost.exe
    svchost.exe
    svchost.exe
    svchost.exe
    svchost.exe
    svchost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Program Files\Elantech\ETDCtrl.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
    C:\Program Files\Launch Manager\LManager.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Windows\system32\taskhost.exe
    svchost.exe
    svchost.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Launch Manager\LMworker.exe
    C:\Windows\system32\igfxext.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Elantech\ETDCtrlHelper.exe
    svchost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\conhost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3007394
    uURLSearchHooks: H - No File
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Yontoo Layers (Drop Down Deals): {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime (drop down deals)\YontooIEClient.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    {e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
    uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
    mRun: [ETDWare] %ProgramFiles%\Elantech\ETDCtrl.exe
    mRun: [Acer ePower Management] c:\program files\acer\acer epower management\ePowerTray.exe
    mRun: [LManager] c:\program files\launch manager\LManager.exe
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    TCP: DhcpNameServer = 192.168.1.1 184.16.33.54
    TCP: Interfaces\{51DC8B2C-8656-4CEC-8DC9-0368854B46D8} : DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{F69E9B89-CE67-482D-9916-3EEB69806A4C} : DhcpNameServer = 192.168.1.1 184.16.33.54
    TCP: Interfaces\{F69E9B89-CE67-482D-9916-3EEB69806A4C}\44162736965637 : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{F69E9B89-CE67-482D-9916-3EEB69806A4C}\4727F6A616E603E223 : DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{F69E9B89-CE67-482D-9916-3EEB69806A4C}\9716E6F63723637373 : DhcpNameServer = 68.87.69.150 68.87.85.102
    TCP: Interfaces\{F69E9B89-CE67-482D-9916-3EEB69806A4C}\C696E6B6379737 : DhcpNameServer = 68.87.69.150 68.87.85.102
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Notify: igfxcui - igfxdev.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\mercury\appdata\roaming\mozilla\firefox\profiles\jbvwe7ea.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3007394&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3007394&SearchSource=13
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3007394&SearchSource=2&q=
    FF - plugin: c:\program files\microsoft silverlight\5.0.61118.0\npctrlui.dll
    FF - plugin: c:\program files\nitro pdf\reader 2\npdf.dll
    FF - plugin: c:\program files\nitro pdf\reader 2\npnitromozilla.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extentions.y2layers.installId, d19dcb53-22bb-4f7d-8ccf-dd63f0cd1b0e
    FF - user.js: extentions.y2layers.defaultEnableAppsList - BuzzDock,Buzzdock,BuzzdockTease,DropDownDeals,
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-12-17 435032]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-12-17 314456]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-12-17 20568]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-12-17 55128]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-12-17 44768]
    R2 DsiWMIService;Dritek WMI Service;c:\program files\launch manager\dsiwmis.exe [2011-10-26 321104]
    R2 ePowerSvc;Acer ePower Service;c:\program files\acer\acer epower management\ePowerSvc.exe [2011-10-26 735776]
    R2 InstallBrainService;InstallBrain Updater Service;c:\program files\installbrainservice\InstallBrainService.exe [2012-1-6 512848]
    R2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\nitro pdf\reader 2\NitroPDFReaderDriverService2.exe [2011-10-25 196904]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-12-17 1153368]
    R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\drivers\ETD.sys [2011-10-26 109960]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2011-10-26 122880]
    R3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2011-10-26 325672]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-12-17 27192]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2011-10-26 193056]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-10-27 52224]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-10-27 1343400]
    .
    =============== Created Last 30 ================
    .
    2012-01-14 23:27:24 -------- d-----w- c:\users\mercury\appdata\roaming\SUPERAntiSpyware.com
    2012-01-14 23:26:33 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-01-14 23:26:33 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-01-11 21:52:51 -------- d-----w- c:\users\mercury\appdata\roaming\ooVoo Details
    2012-01-11 21:52:41 -------- d-----w- c:\program files\Yontoo Layers Runtime (Drop Down Deals)
    2012-01-11 21:52:40 -------- d-----w- c:\programdata\Tarma Installer
    2012-01-11 21:52:32 -------- d-----w- c:\program files\ooVoo
    2012-01-11 03:47:05 514560 ----a-w- c:\windows\system32\qdvd.dll
    2012-01-11 03:47:05 1328128 ----a-w- c:\windows\system32\quartz.dll
    2012-01-11 03:47:04 67072 ----a-w- c:\windows\system32\packager.dll
    2012-01-11 03:47:02 1288472 ----a-w- c:\windows\system32\ntdll.dll
    2012-01-08 22:28:31 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
    2012-01-08 22:28:31 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
    2012-01-08 22:28:31 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
    2012-01-08 22:28:31 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
    2012-01-07 05:58:33 -------- d-----w- c:\program files\PricePeep
    2012-01-07 05:57:35 -------- d-----w- c:\program files\Conduit
    2012-01-07 05:57:30 -------- d-----w- c:\users\mercury\appdata\local\Conduit
    2012-01-07 05:57:21 -------- d-----w- c:\program files\InstallBrainService
    2011-12-17 22:21:11 -------- d-----w- c:\program files\Belarc
    2011-12-17 22:18:07 -------- d-----w- c:\program files\CCleaner
    2011-12-17 22:06:06 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-12-17 21:49:38 -------- d-----w- c:\program files\FileHippo.com
    2011-12-17 21:25:22 -------- d-----w- c:\windows\system32\SPReview
    2011-12-17 21:24:41 -------- d-----w- c:\windows\system32\EventProviders
    2011-12-17 21:05:59 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-12-17 21:05:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-12-17 20:55:54 -------- d-----w- c:\users\mercury\appdata\roaming\Malwarebytes
    2011-12-17 20:55:40 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-17 20:55:36 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-17 20:55:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-12-17 20:53:14 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
    2011-12-17 20:53:14 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
    2011-12-17 20:53:13 -------- d-----w- c:\program files\SpywareBlaster
    2011-12-17 20:49:59 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-12-17 20:49:54 55128 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-12-17 20:49:33 41184 ----a-w- c:\windows\avastSS.scr
    2011-12-17 20:49:25 -------- d-----w- c:\programdata\AVAST Software
    2011-12-17 20:49:25 -------- d-----w- c:\program files\AVAST Software
    2011-12-17 20:27:48 -------- d-----w- c:\users\mercury\appdata\local\VS Revo Group
    2011-12-17 20:27:43 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
    2011-12-17 20:27:42 -------- d-----w- c:\program files\VS Revo Group
    2011-12-17 19:38:42 26408 ----a-w- c:\windows\system32\nitrolocalmon2.dll
    2011-12-17 19:38:42 17704 ----a-w- c:\windows\system32\nitrolocalui2.dll
    2011-12-17 19:38:27 -------- d-----w- c:\program files\Nitro PDF
    2011-12-17 19:38:27 -------- d-----w- c:\program files\common files\Nitro PDF
    2011-12-17 19:37:29 -------- d-----w- c:\users\mercury\appdata\roaming\Downloaded Installations
    .
    ==================== Find3M ====================
    .
    2011-12-17 22:05:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-12-17 21:31:10 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-11-24 04:25:27 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-11-05 04:35:00 981504 ----a-w- c:\windows\system32\wininet.dll
    2011-11-05 04:26:03 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-11-05 02:48:51 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-10-26 04:47:40 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-26 04:47:40 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-26 04:28:12 38912 ----a-w- c:\windows\system32\csrsrv.dll
    .
    ============= FINISH: 16:20:48.72 ===============
     
  4. learninmypc

    learninmypc TS Evangelist Topic Starter Posts: 5,398   +240

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 10/26/2011 4:02:36 PM
    System Uptime: 1/14/2012 4:13:27 PM (0 hours ago)
    .
    Motherboard: Acer | | JE51_MV
    Processor: Intel(R) Celeron(R) CPU 900 @ 2.20GHz | uPGA-478 | 2194/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 220 GiB total, 197.643 GiB free.
    D: is CDROM ()
    F: is FIXED (NTFS) - 0 GiB total, 0.068 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP31: 12/17/2011 1:25:13 PM - Windows 7 Service Pack 1
    RP32: 12/17/2011 1:56:54 PM - Windows Update
    RP33: 12/17/2011 10:47:18 PM - Windows Update
    RP34: 12/31/2011 4:19:51 PM - Scheduled Checkpoint
    RP35: 1/8/2012 5:24:10 PM - Scheduled Checkpoint
    RP36: 1/11/2012 1:42:12 AM - Windows Update
    .
    ==== Installed Programs ======================
    .
    Acer Crystal Eye webcam
    Acer ePower Management
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    avast! Free Antivirus
    Belarc Advisor 8.2
    CCleaner
    ETDWare PS/2-x86 7.0.6.5_WHQL
    FileHippo.com Update Checker
    InstallBrain Updater Service
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) TV Wizard
    IZArc 4.1.6
    K-Lite Codec Pack 7.8.0 (Basic)
    Launch Manager
    Malwarebytes Anti-Malware version 1.60.0.1800
    Microsoft .NET Framework 4 Client Profile
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Mozilla Firefox 9.0.1 (x86 en-US)
    Nitro Reader 2
    ooVoo
    PricePeep for FireFox
    Realtek High Definition Audio Driver
    Realtek USB 2.0 Card Reader
    Revo Uninstaller Pro 2.5.7
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Skype Click to Call
    Skype™ 5.5
    Spybot - Search & Destroy
    SpywareBlaster 4.5
    SUPERAntiSpyware
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Yahoo! Messenger
    Yahoo! Software Update
    Yahoo! Toolbar
    Yontoo Layers Runtime (Drop Down Deals) 1.10.01
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/14/2012 11:54:04 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
    1/12/2012 8:00:39 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
    .
    ==== End Of File ===========================
     
  5. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ============================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ===============================================================

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  6. learninmypc

    learninmypc TS Evangelist Topic Starter Posts: 5,398   +240

    aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-15 08:18:15
    -----------------------------
    08:18:15.225 OS Version: Windows 6.1.7601 Service Pack 1
    08:18:15.226 Number of processors: 1 586 0x170A
    08:18:15.228 ComputerName: MERCURY-PC UserName: mercury
    08:18:22.564 Initialize success
    08:18:22.664 AVAST engine defs: 12011500
    08:18:46.648 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    08:18:46.653 Disk 0 Vendor: Hitachi_HTS545025B9A300 PB2OC60F Size: 238475MB BusType: 11
    08:18:46.689 Disk 0 MBR read successfully
    08:18:46.692 Disk 0 MBR scan
    08:18:46.696 Disk 0 Windows 7 default MBR code
    08:18:46.711 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 13312 MB offset 2048
    08:18:46.732 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 27265024
    08:18:46.747 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 225061 MB offset 27469824
    08:18:46.778 Disk 0 scanning sectors +488394752
    08:18:46.860 Disk 0 scanning C:\Windows\system32\drivers
    08:18:55.304 Service scanning
    08:18:56.648 Modules scanning
    08:19:08.814 Disk 0 trace - called modules:
    08:19:09.178 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS PCIIDEX.SYS msahci.sys
    08:19:09.184 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86100030]
    08:19:09.191 3 CLASSPNP.SYS[8b1ad59e] -> nt!IofCallDriver -> [0x85c1a918]
    08:19:09.198 5 ACPI.sys[8ac9d3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x86033030]
    08:19:09.777 AVAST engine scan C:\Windows
    08:19:11.066 AVAST engine scan C:\Windows\system32
    08:20:28.237 AVAST engine scan C:\Windows\system32\drivers
    08:20:36.992 AVAST engine scan C:\Users\mercury
    08:21:28.239 AVAST engine scan C:\ProgramData
    08:21:38.047 Scan finished successfully
    08:23:08.051 Disk 0 MBR has been saved successfully to "C:\Users\mercury\Desktop\MBR.dat"
    08:23:08.058 The log file has been saved successfully to "C:\Users\mercury\Desktop\aswMBR.txt"
     
  8. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Bootkit Remover?
     
  9. learninmypc

    learninmypc TS Evangelist Topic Starter Posts: 5,398   +240

    Gee, I thought I posted it. Will redo it.

    Is this it?

    .\debug.cpp(238) : Debug log started at 15.01.2012 - 16:53:21
    .\boot_cleaner.cpp(527) : Bootkit Remover
    .\boot_cleaner.cpp(528) : (c) 2009 Esage Lab
    .\boot_cleaner.cpp(529) : www.esagelab.com
    .\boot_cleaner.cpp(533) : Program version: 1.2.0.1
    .\boot_cleaner.cpp(540) : OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601), 32-bit
    .\debug.cpp(248) : **********************************************
    .\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
    .\debug.cpp(250) : **********************************************
    .\debug.cpp(256) : 0x82c15000 0x00412000 "\SystemRoot\system32\ntkrnlpa.exe"
    .\debug.cpp(256) : 0x83027000 0x00037000 "\SystemRoot\system32\halmacpi.dll"
    .\debug.cpp(256) : 0x80b9b000 0x00008000 "\SystemRoot\system32\kdcom.dll"
    .\debug.cpp(256) : 0x83226000 0x00085000 "\SystemRoot\system32\mcupdate_GenuineIntel.dll"
    .\debug.cpp(256) : 0x832ab000 0x00011000 "\SystemRoot\system32\PSHED.dll"
    .\debug.cpp(256) : 0x832bc000 0x00008000 "\SystemRoot\system32\BOOTVID.dll"
    .\debug.cpp(256) : 0x832c4000 0x00042000 "\SystemRoot\system32\CLFS.SYS"
    .\debug.cpp(256) : 0x83306000 0x000ab000 "\SystemRoot\system32\CI.dll"
    .\debug.cpp(256) : 0x8ac15000 0x00071000 "\SystemRoot\system32\drivers\Wdf01000.sys"
    .\debug.cpp(256) : 0x8ac86000 0x0000e000 "\SystemRoot\system32\drivers\WDFLDR.SYS"
    .\debug.cpp(256) : 0x8ac94000 0x00048000 "\SystemRoot\system32\drivers\ACPI.sys"
    .\debug.cpp(256) : 0x8acdc000 0x00009000 "\SystemRoot\system32\drivers\WMILIB.SYS"
    .\debug.cpp(256) : 0x8ace5000 0x00008000 "\SystemRoot\system32\drivers\msisadrv.sys"
    .\debug.cpp(256) : 0x8aced000 0x0002a000 "\SystemRoot\system32\drivers\pci.sys"
    .\debug.cpp(256) : 0x8ad17000 0x0000b000 "\SystemRoot\system32\drivers\vdrvroot.sys"
    .\debug.cpp(256) : 0x8ad22000 0x00011000 "\SystemRoot\System32\drivers\partmgr.sys"
    .\debug.cpp(256) : 0x8ad33000 0x00008000 "\SystemRoot\system32\DRIVERS\compbatt.sys"
    .\debug.cpp(256) : 0x8ad3b000 0x0000b000 "\SystemRoot\system32\DRIVERS\BATTC.SYS"
    .\debug.cpp(256) : 0x8ad46000 0x00010000 "\SystemRoot\system32\drivers\volmgr.sys"
    .\debug.cpp(256) : 0x8ad56000 0x0004b000 "\SystemRoot\System32\drivers\volmgrx.sys"
    .\debug.cpp(256) : 0x8ada1000 0x00016000 "\SystemRoot\System32\drivers\mountmgr.sys"
    .\debug.cpp(256) : 0x8adb7000 0x00009000 "\SystemRoot\system32\drivers\atapi.sys"
    .\debug.cpp(256) : 0x8adc0000 0x00023000 "\SystemRoot\system32\drivers\ataport.SYS"
    .\debug.cpp(256) : 0x8ade3000 0x0000a000 "\SystemRoot\system32\drivers\msahci.sys"
    .\debug.cpp(256) : 0x8aded000 0x0000e000 "\SystemRoot\system32\drivers\PCIIDEX.SYS"
    .\debug.cpp(256) : 0x8ac00000 0x00009000 "\SystemRoot\system32\drivers\amdxata.sys"
    .\debug.cpp(256) : 0x833b1000 0x00034000 "\SystemRoot\system32\drivers\fltmgr.sys"
    .\debug.cpp(256) : 0x833e5000 0x00011000 "\SystemRoot\system32\drivers\fileinfo.sys"
    .\debug.cpp(256) : 0x8ae1a000 0x0012f000 "\SystemRoot\System32\Drivers\Ntfs.sys"
    .\debug.cpp(256) : 0x8af49000 0x0002b000 "\SystemRoot\System32\Drivers\msrpc.sys"
    .\debug.cpp(256) : 0x8af74000 0x00013000 "\SystemRoot\System32\Drivers\ksecdd.sys"
    .\debug.cpp(256) : 0x8af87000 0x0005d000 "\SystemRoot\System32\Drivers\cng.sys"
    .\debug.cpp(256) : 0x8afe4000 0x0000e000 "\SystemRoot\System32\drivers\pcw.sys"
    .\debug.cpp(256) : 0x8aff2000 0x00009000 "\SystemRoot\System32\Drivers\Fs_Rec.sys"
    .\debug.cpp(256) : 0x8b030000 0x000b7000 "\SystemRoot\system32\drivers\ndis.sys"
    .\debug.cpp(256) : 0x8b0e7000 0x0003e000 "\SystemRoot\system32\drivers\NETIO.SYS"
    .\debug.cpp(256) : 0x8b125000 0x00025000 "\SystemRoot\System32\Drivers\ksecpkg.sys"
    .\debug.cpp(256) : 0x8b214000 0x0014a000 "\SystemRoot\System32\drivers\tcpip.sys"
    .\debug.cpp(256) : 0x8b35e000 0x00031000 "\SystemRoot\System32\drivers\fwpkclnt.sys"
    .\debug.cpp(256) : 0x8b38f000 0x0003f000 "\SystemRoot\system32\drivers\volsnap.sys"
    .\debug.cpp(256) : 0x8b3ce000 0x00008000 "\SystemRoot\System32\Drivers\spldr.sys"
    .\debug.cpp(256) : 0x8b14a000 0x0002d000 "\SystemRoot\System32\drivers\rdyboost.sys"
    .\debug.cpp(256) : 0x8b3d6000 0x00010000 "\SystemRoot\System32\Drivers\mup.sys"
    .\debug.cpp(256) : 0x8b3e6000 0x00008000 "\SystemRoot\System32\drivers\hwpolicy.sys"
    .\debug.cpp(256) : 0x8b177000 0x00032000 "\SystemRoot\System32\DRIVERS\fvevol.sys"
    .\debug.cpp(256) : 0x8b3ee000 0x00011000 "\SystemRoot\system32\DRIVERS\disk.sys"
    .\debug.cpp(256) : 0x8b1a9000 0x00025000 "\SystemRoot\system32\DRIVERS\CLASSPNP.SYS"
    .\debug.cpp(256) : 0x8b000000 0x0001f000 "\SystemRoot\system32\drivers\cdrom.sys"
    .\debug.cpp(256) : 0x90619000 0x0006d000 "\SystemRoot\System32\Drivers\aswSnx.SYS"
    .\debug.cpp(256) : 0x90686000 0x00007000 "\SystemRoot\System32\Drivers\Null.SYS"
    .\debug.cpp(256) : 0x9068d000 0x00007000 "\SystemRoot\System32\Drivers\Beep.SYS"
    .\debug.cpp(256) : 0x90694000 0x0000c000 "\SystemRoot\System32\drivers\vga.sys"
    .\debug.cpp(256) : 0x906a0000 0x00021000 "\SystemRoot\System32\drivers\VIDEOPRT.SYS"
    .\debug.cpp(256) : 0x906c1000 0x0000d000 "\SystemRoot\System32\drivers\watchdog.sys"
    .\debug.cpp(256) : 0x906ce000 0x00008000 "\SystemRoot\System32\DRIVERS\RDPCDD.sys"
    .\debug.cpp(256) : 0x906d6000 0x00008000 "\SystemRoot\system32\drivers\rdpencdd.sys"
    .\debug.cpp(256) : 0x906de000 0x00008000 "\SystemRoot\system32\drivers\rdprefmp.sys"
    .\debug.cpp(256) : 0x906e6000 0x0000b000 "\SystemRoot\System32\Drivers\Msfs.SYS"
    .\debug.cpp(256) : 0x906f1000 0x0000e000 "\SystemRoot\System32\Drivers\Npfs.SYS"
    .\debug.cpp(256) : 0x906ff000 0x00017000 "\SystemRoot\system32\DRIVERS\tdx.sys"
    .\debug.cpp(256) : 0x90716000 0x0000c000 "\SystemRoot\system32\DRIVERS\TDI.SYS"
    .\debug.cpp(256) : 0x90722000 0x0000b000 "\SystemRoot\System32\Drivers\aswTdi.SYS"
    .\debug.cpp(256) : 0x9072d000 0x00032000 "\SystemRoot\System32\DRIVERS\netbt.sys"
    .\debug.cpp(256) : 0x9075f000 0x0005a000 "\SystemRoot\system32\drivers\afd.sys"
    .\debug.cpp(256) : 0x907b9000 0x00007000 "\SystemRoot\System32\Drivers\aswRdr.SYS"
    .\debug.cpp(256) : 0x907c0000 0x00007000 "\SystemRoot\system32\DRIVERS\wfplwf.sys"
    .\debug.cpp(256) : 0x907c7000 0x0001f000 "\SystemRoot\system32\DRIVERS\pacer.sys"
    .\debug.cpp(256) : 0x907e6000 0x00011000 "\SystemRoot\system32\DRIVERS\vwififlt.sys"
    .\debug.cpp(256) : 0x90600000 0x0000e000 "\SystemRoot\system32\DRIVERS\netbios.sys"
    .\debug.cpp(256) : 0x8ae00000 0x00013000 "\SystemRoot\system32\DRIVERS\wanarp.sys"
    .\debug.cpp(256) : 0x8b01f000 0x00011000 "\SystemRoot\system32\drivers\termdd.sys"
    .\debug.cpp(256) : 0x83200000 0x00022000 "\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS"
    .\debug.cpp(256) : 0x9060e000 0x00006000 "\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS"
    .\debug.cpp(256) : 0x9040a000 0x00041000 "\SystemRoot\system32\DRIVERS\rdbss.sys"
    .\debug.cpp(256) : 0x9044b000 0x0000a000 "\SystemRoot\system32\drivers\nsiproxy.sys"
    .\debug.cpp(256) : 0x90455000 0x0000a000 "\SystemRoot\system32\drivers\mssmbios.sys"
    .\debug.cpp(256) : 0x9045f000 0x0000c000 "\SystemRoot\System32\drivers\discache.sys"
    .\debug.cpp(256) : 0x9046b000 0x00018000 "\SystemRoot\System32\Drivers\dfsc.sys"
    .\debug.cpp(256) : 0x90483000 0x0000e000 "\SystemRoot\system32\DRIVERS\blbdrive.sys"
    .\debug.cpp(256) : 0x90491000 0x0004b000 "\SystemRoot\System32\Drivers\aswSP.SYS"
    .\debug.cpp(256) : 0x904dc000 0x00021000 "\SystemRoot\system32\DRIVERS\tunnel.sys"
    .\debug.cpp(256) : 0x904fd000 0x00012000 "\SystemRoot\system32\DRIVERS\intelppm.sys"
    .\debug.cpp(256) : 0x9121c000 0x00627000 "\SystemRoot\system32\DRIVERS\igdkmd32.sys"
    .\debug.cpp(256) : 0x91843000 0x000b7000 "\SystemRoot\System32\drivers\dxgkrnl.sys"
    .\debug.cpp(256) : 0x918fa000 0x00039000 "\SystemRoot\System32\drivers\dxgmms1.sys"
    .\debug.cpp(256) : 0x91933000 0x0000b000 "\SystemRoot\system32\DRIVERS\usbuhci.sys"
    .\debug.cpp(256) : 0x9193e000 0x0004b000 "\SystemRoot\system32\DRIVERS\USBPORT.SYS"
    .\debug.cpp(256) : 0x91989000 0x0000f000 "\SystemRoot\system32\DRIVERS\usbehci.sys"
    .\debug.cpp(256) : 0x91998000 0x0001f000 "\SystemRoot\system32\drivers\HDAudBus.sys"
    .\debug.cpp(256) : 0x93407000 0x0039a000 "\SystemRoot\system32\DRIVERS\bcmwl6.sys"
    .\debug.cpp(256) : 0x937a1000 0x0000a000 "\SystemRoot\system32\DRIVERS\vwifibus.sys"
    .\debug.cpp(256) : 0x937ab000 0x00052000 "\SystemRoot\system32\DRIVERS\k57nd60x.sys"
    .\debug.cpp(256) : 0x93400000 0x00004000 "\SystemRoot\system32\DRIVERS\CmBatt.sys"
    .\debug.cpp(256) : 0x919b7000 0x00018000 "\SystemRoot\system32\drivers\i8042prt.sys"
    .\debug.cpp(256) : 0x919cf000 0x0000d000 "\SystemRoot\system32\drivers\kbdclass.sys"
    .\debug.cpp(256) : 0x919dc000 0x0001e000 "\SystemRoot\system32\DRIVERS\ETD.sys"
    .\debug.cpp(256) : 0x91200000 0x0000d000 "\SystemRoot\system32\DRIVERS\mouclass.sys"
    .\debug.cpp(256) : 0x9120d000 0x00009000 "\SystemRoot\system32\drivers\wmiacpi.sys"
    .\debug.cpp(256) : 0x9050f000 0x0000d000 "\SystemRoot\system32\drivers\CompositeBus.sys"
    .\debug.cpp(256) : 0x9051c000 0x00012000 "\SystemRoot\system32\DRIVERS\AgileVpn.sys"
    .\debug.cpp(256) : 0x9052e000 0x00018000 "\SystemRoot\system32\DRIVERS\rasl2tp.sys"
    .\debug.cpp(256) : 0x90546000 0x0000b000 "\SystemRoot\system32\DRIVERS\ndistapi.sys"
    .\debug.cpp(256) : 0x90551000 0x00022000 "\SystemRoot\system32\DRIVERS\ndiswan.sys"
    .\debug.cpp(256) : 0x90573000 0x00018000 "\SystemRoot\system32\DRIVERS\raspppoe.sys"
    .\debug.cpp(256) : 0x9058b000 0x00017000 "\SystemRoot\system32\DRIVERS\raspptp.sys"
    .\debug.cpp(256) : 0x905a2000 0x00017000 "\SystemRoot\system32\DRIVERS\rassstp.sys"
    .\debug.cpp(256) : 0x93404000 0x00002000 "\SystemRoot\system32\drivers\swenum.sys"
    .\debug.cpp(256) : 0x905b9000 0x00034000 "\SystemRoot\system32\drivers\ks.sys"
    .\debug.cpp(256) : 0x905ed000 0x0000e000 "\SystemRoot\system32\drivers\umbus.sys"
    .\debug.cpp(256) : 0x9621f000 0x00044000 "\SystemRoot\system32\DRIVERS\usbhub.sys"
    .\debug.cpp(256) : 0x96263000 0x00011000 "\SystemRoot\System32\Drivers\NDProxy.SYS"
    .\debug.cpp(256) : 0x96c2f000 0x002fc000 "\SystemRoot\system32\drivers\RTKVHDA.sys"
    .\debug.cpp(256) : 0x96f2b000 0x0002f000 "\SystemRoot\system32\drivers\portcls.sys"
    .\debug.cpp(256) : 0x96f5a000 0x00019000 "\SystemRoot\system32\drivers\drmk.sys"
    .\debug.cpp(256) : 0x96f73000 0x00023000 "\SystemRoot\system32\drivers\IntcHdmi.sys"
    .\debug.cpp(256) : 0x97d00000 0x00250000 "\SystemRoot\System32\win32k.sys"
    .\debug.cpp(256) : 0x96f96000 0x0000a000 "\SystemRoot\System32\drivers\Dxapi.sys"
    .\debug.cpp(256) : 0x96fa0000 0x0000d000 "\SystemRoot\System32\Drivers\crashdmp.sys"
    .\debug.cpp(256) : 0x96fad000 0x0000b000 "\SystemRoot\System32\Drivers\dump_dumpata.sys"
    .\debug.cpp(256) : 0x96fb8000 0x0000a000 "\SystemRoot\System32\Drivers\dump_msahci.sys"
    .\debug.cpp(256) : 0x96fc2000 0x00011000 "\SystemRoot\System32\Drivers\dump_dumpfve.sys"
    .\debug.cpp(256) : 0x96fd3000 0x0000b000 "\SystemRoot\system32\DRIVERS\monitor.sys"
    .\debug.cpp(256) : 0x97f60000 0x00009000 "\SystemRoot\System32\TSDDD.dll"
    .\debug.cpp(256) : 0x96fde000 0x00017000 "\SystemRoot\system32\DRIVERS\usbccgp.sys"
    .\debug.cpp(256) : 0x96ff5000 0x00002000 "\SystemRoot\system32\DRIVERS\USBD.SYS"
    .\debug.cpp(256) : 0x97f90000 0x0001e000 "\SystemRoot\System32\cdd.dll"
    .\debug.cpp(256) : 0x96c00000 0x00024000 "\SystemRoot\System32\Drivers\usbvideo.sys"
    .\debug.cpp(256) : 0x962a5000 0x0001b000 "\SystemRoot\system32\drivers\luafv.sys"
    .\debug.cpp(256) : 0x962c0000 0x00038000 "\??\C:\Windows\system32\drivers\aswMonFlt.sys"
    .\debug.cpp(256) : 0x96c24000 0x00003000 "\SystemRoot\System32\Drivers\aswFsBlk.SYS"
    .\debug.cpp(256) : 0x962f8000 0x0001a000 "\SystemRoot\system32\drivers\WudfPf.sys"
    .\debug.cpp(256) : 0x96312000 0x00010000 "\SystemRoot\system32\DRIVERS\lltdio.sys"
    .\debug.cpp(256) : 0x96322000 0x00046000 "\SystemRoot\system32\DRIVERS\nwifi.sys"
    .\debug.cpp(256) : 0x96368000 0x00010000 "\SystemRoot\system32\DRIVERS\ndisuio.sys"
    .\debug.cpp(256) : 0x96378000 0x00013000 "\SystemRoot\system32\DRIVERS\rspndr.sys"
    .\debug.cpp(256) : 0x9a225000 0x00085000 "\SystemRoot\system32\drivers\HTTP.sys"
    .\debug.cpp(256) : 0x9a2aa000 0x00019000 "\SystemRoot\system32\DRIVERS\bowser.sys"
    .\debug.cpp(256) : 0x9a2c3000 0x00012000 "\SystemRoot\System32\drivers\mpsdrv.sys"
    .\debug.cpp(256) : 0x9a2d5000 0x00023000 "\SystemRoot\system32\DRIVERS\mrxsmb.sys"
    .\debug.cpp(256) : 0x9a2f8000 0x0003b000 "\SystemRoot\system32\DRIVERS\mrxsmb10.sys"
    .\debug.cpp(256) : 0x9a333000 0x0001b000 "\SystemRoot\system32\DRIVERS\mrxsmb20.sys"
    .\debug.cpp(256) : 0x9a366000 0x00097000 "\SystemRoot\system32\drivers\peauth.sys"
    .\debug.cpp(256) : 0x9a200000 0x0000a000 "\SystemRoot\System32\Drivers\secdrv.SYS"
    .\debug.cpp(256) : 0x9638b000 0x00021000 "\SystemRoot\System32\DRIVERS\srvnet.sys"
    .\debug.cpp(256) : 0x9a20a000 0x0000d000 "\SystemRoot\System32\drivers\tcpipreg.sys"
    .\debug.cpp(256) : 0x963ac000 0x00050000 "\SystemRoot\System32\DRIVERS\srv2.sys"
    .\debug.cpp(256) : 0xaea36000 0x00052000 "\SystemRoot\System32\DRIVERS\srv.sys"
    .\debug.cpp(256) : 0xaeaf2000 0x0000b000 "\??\C:\Users\mercury\AppData\Local\Temp\aswMBR.sys"
    .\debug.cpp(256) : 0x76e60000 0x0013c000 "\Windows\System32\ntdll.dll"
    .\debug.cpp(256) : 0x48170000 0x00013000 "\Windows\System32\smss.exe"
    .\debug.cpp(256) : 0x770a0000 0x00050000 "\Windows\System32\apisetschema.dll"
    .\debug.cpp(256) : 0x00230000 0x000a6000 "\Windows\System32\autochk.exe"
    .\debug.cpp(256) : 0x76d20000 0x00137000 "\Windows\System32\urlmon.dll"
    .\debug.cpp(256) : 0x76ff0000 0x0009d000 "\Windows\System32\usp10.dll"
    .\debug.cpp(256) : 0x76fd0000 0x00019000 "\Windows\System32\sechost.dll"
    .\debug.cpp(256) : 0x76c90000 0x00083000 "\Windows\System32\clbcatq.dll"
    .\debug.cpp(256) : 0x76fc0000 0x00006000 "\Windows\System32\nsi.dll"
    .\debug.cpp(256) : 0x76040000 0x00c4a000 "\Windows\System32\shell32.dll"
    .\debug.cpp(256) : 0x75f90000 0x000a1000 "\Windows\System32\rpcrt4.dll"
    .\debug.cpp(256) : 0x75d90000 0x001fe000 "\Windows\System32\iertutil.dll"
    .\debug.cpp(256) : 0x75d50000 0x00035000 "\Windows\System32\ws2_32.dll"
    .\debug.cpp(256) : 0x75ca0000 0x000ac000 "\Windows\System32\msvcrt.dll"
    .\debug.cpp(256) : 0x76fb0000 0x00003000 "\Windows\System32\normaliz.dll"
    .\debug.cpp(256) : 0x75c20000 0x0007b000 "\Windows\System32\comdlg32.dll"
    .\debug.cpp(256) : 0x75bd0000 0x0004e000 "\Windows\System32\gdi32.dll"
    .\debug.cpp(256) : 0x75b30000 0x000a0000 "\Windows\System32\advapi32.dll"
    .\debug.cpp(256) : 0x75ad0000 0x00057000 "\Windows\System32\shlwapi.dll"
    .\debug.cpp(256) : 0x75a40000 0x0008f000 "\Windows\System32\oleaut32.dll"
    .\debug.cpp(256) : 0x759f0000 0x00045000 "\Windows\System32\Wldap32.dll"
    .\debug.cpp(256) : 0x76fa0000 0x00005000 "\Windows\System32\psapi.dll"
    .\debug.cpp(256) : 0x75910000 0x000d4000 "\Windows\System32\kernel32.dll"
    .\debug.cpp(256) : 0x75900000 0x0000a000 "\Windows\System32\lpk.dll"
    .\debug.cpp(256) : 0x758e0000 0x0001f000 "\Windows\System32\imm32.dll"
    .\debug.cpp(256) : 0x757e0000 0x000f5000 "\Windows\System32\wininet.dll"
    .\debug.cpp(256) : 0x75680000 0x0015c000 "\Windows\System32\ole32.dll"
    .\debug.cpp(256) : 0x755b0000 0x000c9000 "\Windows\System32\user32.dll"
    .\debug.cpp(256) : 0x75550000 0x00052000 "\Windows\System32\difxapi.dll"
    .\debug.cpp(256) : 0x75520000 0x0002a000 "\Windows\System32\imagehlp.dll"
    .\debug.cpp(256) : 0x75450000 0x000cc000 "\Windows\System32\msctf.dll"
    .\debug.cpp(256) : 0x752b0000 0x0019d000 "\Windows\System32\setupapi.dll"
    .\debug.cpp(256) : 0x75260000 0x0004a000 "\Windows\System32\KernelBase.dll"
    .\debug.cpp(256) : 0x75240000 0x00012000 "\Windows\System32\devobj.dll"
    .\debug.cpp(256) : 0x751b0000 0x00084000 "\Windows\System32\comctl32.dll"
    .\debug.cpp(256) : 0x75090000 0x0011d000 "\Windows\System32\crypt32.dll"
    .\debug.cpp(256) : 0x75060000 0x0002d000 "\Windows\System32\wintrust.dll"
    .\debug.cpp(256) : 0x75030000 0x00027000 "\Windows\System32\cfgmgr32.dll"
    .\debug.cpp(256) : 0x75020000 0x0000c000 "\Windows\System32\msasn1.dll"
    .\debug.cpp(263) : **********************************************
    .\debug.cpp(307) : *** [ DEVICE OBJECTS INFORMATION ] ***********
    .\debug.cpp(308) : **********************************************
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#{b9eec35c-0025-11e1-b78f-806e6f6e6963}#0000000340100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\D:"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY1"
    .\debug.cpp(400) : Destination "\Device\Video0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_293A&SUBSYS_048A1025&REV_03#3&33fd14ca&0&EF#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0014"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANIPV6#0000#{cac88484-7515-4c03-82e6-71a87abac361}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WUDFLpcDevice"
    .\debug.cpp(400) : Destination "\Device\WUDFLpcDevice"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ROOT#*ISATAP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000006f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDIS"
    .\debug.cpp(400) : Destination "\Device\Ndis"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\aswMBR"
    .\debug.cpp(400) : Destination "\Device\aswMBR"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY2"
    .\debug.cpp(400) : Destination "\Device\Video1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AgileVPN"
    .\debug.cpp(400) : Destination "\Device\AgileVPN"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#*TEREDO#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ffbb6e3f-ccfe-4d84-90d9-421418b03a8e}"
    .\debug.cpp(400) : Destination "\Device\00000042"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANBH#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000003a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPPOEMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000003d"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ASWSP"
    .\debug.cpp(400) : Destination "\Device\aswSP"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#ThermalZone#TZ01#{4afa3d51-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000048"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HarddiskVolumeShadowCopy1"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolumeShadowCopy1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY3"
    .\debug.cpp(400) : Destination "\Device\Video2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&4544ba&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0272&SUBSYS_1025048A&REV_1000#4&1d89d879&0&0001#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000065"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\aswSP_Pot2"
    .\debug.cpp(400) : Destination "\Device\aswSP_Pot2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0272&SUBSYS_1025048A&REV_1000#4&1d89d879&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000065"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WMIAdminDevice"
    .\debug.cpp(400) : Destination "\Device\WMIAdminDevice"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HarddiskVolumeShadowCopy2"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolumeShadowCopy2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2938&SUBSYS_048A1025&REV_03#3&33fd14ca&0&D1#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0004"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANIP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY4"
    .\debug.cpp(400) : Destination "\Device\Video3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomOptiarc_DVD_RW_AD-7580S_________________FX20____#5&88495ee&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\VolMgrControl"
    .\debug.cpp(400) : Destination "\Device\VolMgrControl"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HarddiskVolumeShadowCopy3"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolumeShadowCopy3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&307e7e8&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY5"
    .\debug.cpp(400) : Destination "\Device\Video4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ProcessManagement"
    .\debug.cpp(400) : Destination "\Device\ProcessManagement"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HarddiskVolumeShadowCopy4"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolumeShadowCopy4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3c0d501a-140b-11d1-b40f-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000042"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY6"
    .\debug.cpp(400) : Destination "\Device\Video5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CompositeBattery"
    .\debug.cpp(400) : Destination "\Device\CompositeBattery"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HarddiskVolumeShadowCopy5"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolumeShadowCopy5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2937&SUBSYS_048A1025&REV_03#3&33fd14ca&0&D0#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0003"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2934&SUBSYS_048A1025&REV_03#3&33fd14ca&0&E8#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0010"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2939&SUBSYS_048A1025&REV_03#3&33fd14ca&0&EB#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0013"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0272&SUBSYS_1025048A&REV_1000#4&1d89d879&0&0001#{dda54a40-1e4c-11d1-a050-405705c10000}"
    .\debug.cpp(400) : Destination "\Device\00000065"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY#AUO22EC#4&1319d35&0&UID67568640#{e6f07b5f-ee97-4a90-b076-33f57bf4eaa7}"
    .\debug.cpp(400) : Destination "\Device\00000069"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0A#1#{72631e54-78a4-11d0-bcf7-00aa00b7b32a}"
    .\debug.cpp(400) : Destination "\Device\0000004d"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\F:"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HarddiskVolumeShadowCopy6"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolumeShadowCopy6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{51DC8B2C-8656-4CEC-8DC9-0368854B46D8}"
    .\debug.cpp(400) : Destination "\Device\NDMP4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2935&SUBSYS_048A1025&REV_03#3&33fd14ca&0&E9#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0011"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_AGILEVPNMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000038"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\TeredoTun"
    .\debug.cpp(400) : Destination "\Device\TeredoTun"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SPDevice"
    .\debug.cpp(400) : Destination "\Device\SPDevice"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WMIDataDevice"
    .\debug.cpp(400) : Destination "\Device\WMIDataDevice"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PEAuth"
    .\debug.cpp(400) : Destination "\Device\PEAuth"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PIPE"
    .\debug.cpp(400) : Destination "\Device\NamedPipe"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCIIDE#IDEChannel#4&d22c5f5&0&0#{2accfe60-c130-11d2-b082-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\PciIde0Channel0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2936&SUBSYS_048A1025&REV_03#3&33fd14ca&0&EA#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0012"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0272&SUBSYS_1025048A&REV_1000#4&1d89d879&0&0001#{9ff3b516-cd99-4eaf-8373-f2caf87ed26b}"
    .\debug.cpp(400) : Destination "\Device\00000065"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\vwififlt"
    .\debug.cpp(400) : Destination "\Device\vwififlt"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\aswSnx"
    .\debug.cpp(400) : Destination "\Device\aswSnx"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\UNC"
    .\debug.cpp(400) : Destination "\Device\Mup"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Harddisk0Partition1"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Psched"
    .\debug.cpp(400) : Destination "\Device\Psched"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{0a4252a0-7e70-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000042"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{b9eec360-0025-11e1-b78f-806e6f6e6963}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#{b9eec35c-0025-11e1-b78f-806e6f6e6963}#0000000346500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Harddisk0Partition2"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Tcp"
    .\debug.cpp(400) : Destination "\Device\Tcp"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#*TEREDO#0000#{cac88484-7515-4c03-82e6-71a87abac361}"
    .\debug.cpp(400) : Destination "\Device\00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{C0DE3E38-8BA7-479F-8B75-833F294C5AA8}"
    .\debug.cpp(400) : Destination "\Device\NDMP11"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0303#4&30193c5d&0#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\0000005a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#VID_0402&PID_9665&MI_00#6&12abfde9&0&0000#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000006b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgrMsg"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgrMsg"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\aswWalkStack"
    .\debug.cpp(400) : Destination "\Device\aswWalkStack"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ASWTDI"
    .\debug.cpp(400) : Destination "\Device\ASWTDI"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD0"
    .\debug.cpp(400) : Destination "\Device\USBFDO-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{b9eec362-0025-11e1-b78f-806e6f6e6963}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#vdrvroot#0000#{2e34d650-5819-42ca-84ae-d30803bae505}"
    .\debug.cpp(400) : Destination "\Device\00000044"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Harddisk0Partition3"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD1"
    .\debug.cpp(400) : Destination "\Device\USBFDO-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB20#4&2d2138d9&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\LCD"
    .\debug.cpp(400) : Destination "\Device\00000069"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive0"
    .\debug.cpp(400) : Destination "\Device\Harddisk0\DR0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#FixedButton#2&daba3ff&1#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\0000004a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HarddiskVolume1"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PRN"
    .\debug.cpp(400) : Destination "\DosDevices\LPT1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD2"
    .\debug.cpp(400) : Destination "\Device\USBFDO-2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{53172480-4791-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000042"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{cf1dda2c-9743-11d0-a3ee-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000042"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HarddiskVolume2"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\fsWrap"
    .\debug.cpp(400) : Destination "\Device\FsWrap"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD3"
    .\debug.cpp(400) : Destination "\Device\USBFDO-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{97ebaacb-95bd-11d0-a3ea-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000042"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_14E4&DEV_4357&SUBSYS_E021105B&REV_01#4&107522af&0&00E1#{cac88484-7515-4c03-82e6-71a87abac361}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0019"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_8086&DEV_2802&SUBSYS_80860101&REV_1000#4&1d89d879&0&0101#{9ff3b516-cd99-4eaf-8373-f2caf87ed26b}"
    .\debug.cpp(400) : Destination "\Device\00000066"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#VID_0402&PID_9665&MI_00#6&12abfde9&0&0000#{6994ad05-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000006b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPSECDOSPDevice"
    .\debug.cpp(400) : Destination "\Device\IPSECDOSP"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom0"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#UMBUS#0000#{65a9a6cf-64cd-480b-843e-32c86e1ba19f}"
    .\debug.cpp(400) : Destination "\Device\00000043"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#volmgr#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000045"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HarddiskVolume3"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD4"
    .\debug.cpp(400) : Destination "\Device\USBFDO-4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPTPMINIPORT#0000#{cac88484-7515-4c03-82e6-71a87abac361}"
    .\debug.cpp(400) : Destination "\Device\0000003e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0A#1#{e849804e-c719-43d8-ac88-96b894c191e2}"
    .\debug.cpp(400) : Destination "\Device\0000004d"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ASWSP_Open"
    .\debug.cpp(400) : Destination "\Device\aswSP_Open"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD5"
    .\debug.cpp(400) : Destination "\Device\USBFDO-5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{8472823F-07E0-4C14-8369-84ED615B3497}"
    .\debug.cpp(400) : Destination "\Device\NDMP5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANBH#0000#{cac88484-7515-4c03-82e6-71a87abac361}"
    .\debug.cpp(400) : Destination "\Device\0000003a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_14E4&DEV_4357&SUBSYS_E021105B&REV_01#4&107522af&0&00E1#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0019"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB20#4&2c8364e2&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY#AUO22EC#4&1319d35&0&UID67568640#{866519b5-3f07-4c97-b7df-24c5d8a8ccb8}"
    .\debug.cpp(400) : Destination "\Device\00000069"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Global"
    .\debug.cpp(400) : Destination "\GLOBAL??"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{b9eec361-0025-11e1-b78f-806e6f6e6963}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{b9eec365-0025-11e1-b78f-806e6f6e6963}"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD6"
    .\debug.cpp(400) : Destination "\Device\USBFDO-6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_SSTPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000003f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\LOG:"
    .\debug.cpp(400) : Destination "\clfs"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD7"
    .\debug.cpp(400) : Destination "\Device\USBFDO-7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Secdrv"
    .\debug.cpp(400) : Destination "\Device\Secdrv"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ROOT#*ISATAP#0000#{cac88484-7515-4c03-82e6-71a87abac361}"
    .\debug.cpp(400) : Destination "\Device\0000006f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCIIDE#IDEChannel#4&d22c5f5&0&1#{2accfe60-c130-11d2-b082-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\PciIde0Channel1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_14E4&DEV_1692&SUBSYS_01391025&REV_01#4&200c830f&0&00E2#{cac88484-7515-4c03-82e6-71a87abac361}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0020"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0272&SUBSYS_1025048A&REV_1000#4&1d89d879&0&0001#{86841137-ed8e-4d97-9975-f2ed56b4430e}"
    .\debug.cpp(400) : Destination "\Device\00000065"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomOptiarc_DVD_RW_AD-7580S_________________FX20____#5&88495ee&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#VID_0402&PID_9665#5&1044e8d1&0&4#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-8"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0D#4&30193c5d&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000050"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPPOEMINIPORT#0000#{cac88484-7515-4c03-82e6-71a87abac361}"
    .\debug.cpp(400) : Destination "\Device\0000003d"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{E28D896F-9EA8-433A-9C10-66C97C19A921}"
    .\debug.cpp(400) : Destination "\Device\NDMP12"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\nativewifip"
    .\debug.cpp(400) : Destination "\Device\nativewifip"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ETD"
    .\debug.cpp(400) : Destination "\Device\ETD"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{F69E9B89-CE67-482D-9916-3EEB69806A4C}"
    .\debug.cpp(400) : Destination "\Device\NDMP3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_SSTPMINIPORT#0000#{cac88484-7515-4c03-82e6-71a87abac361}"
    .\debug.cpp(400) : Destination "\Device\0000003f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0272&SUBSYS_1025048A&REV_1000#4&1d89d879&0&0001#{65e8773e-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000065"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MountPointManager"
    .\debug.cpp(400) : Destination "\Device\MountPointManager"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#{b9eec35c-0025-11e1-b78f-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SASDIFSV"
    .\debug.cpp(400) : Destination "\Device\SASDIFSV"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANIP#0000#{cac88484-7515-4c03-82e6-71a87abac361}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_L2TPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000039"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Nsi"
    .\debug.cpp(400) : Destination "\Device\Nsi"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PartmgrControl"
    .\debug.cpp(400) : Destination "\Device\PartmgrControl"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WanArp"
    .\debug.cpp(400) : Destination "\Device\WANARP"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{A4ADD0BC-56D2-48A8-A83C-A5657B9CC1A9}"
    .\debug.cpp(400) : Destination "\Device\NDMP2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_293C&SUBSYS_048A1025&REV_03#3&33fd14ca&0&D7#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0005"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_23_-_Intel(R)_Celeron(R)_CPU__________900__@_2.20GHz#_1#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USNTracker"
    .\debug.cpp(400) : Destination "\Device\USNTracker"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\aswMonFltProxy"
    .\debug.cpp(400) : Destination "\Device\aswMonFltProxy"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_14E4&DEV_1692&SUBSYS_01391025&REV_01#4&200c830f&0&00E2#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0020"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{483C9FF8-503D-414B-B402-E4C1F1F568CB}"
    .\debug.cpp(400) : Destination "\Device\NDMP6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_L2TPMINIPORT#0000#{cac88484-7515-4c03-82e6-71a87abac361}"
    .\debug.cpp(400) : Destination "\Device\00000039"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_8086&DEV_2802&SUBSYS_80860101&REV_1000#4&1d89d879&0&0101#{86841137-ed8e-4d97-9975-f2ed56b4430e}"
    .\debug.cpp(400) : Destination "\Device\00000066"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NXTIPSECDevice"
    .\debug.cpp(400) : Destination "\Device\NXTIPSEC"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SASKUTIL"
    .\debug.cpp(400) : Destination "\Device\SASKUTIL"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISWANIP"
    .\debug.cpp(400) : Destination "\Device\NDMP8"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000042"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_14E4&DEV_4357&SUBSYS_E021105B&REV_01#4&107522af&0&00E1#{435b6226-1dcc-43b3-887e-217dbaa27ba3}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0019"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WwanProt"
    .\debug.cpp(400) : Destination "\Device\WwanProt"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WFPDev"
    .\debug.cpp(400) : Destination "\Device\WFP"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WanArpV6"
    .\debug.cpp(400) : Destination "\Device\WANARPV6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi0:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0C#4&30193c5d&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\0000004f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&19bd6e0b&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2A42&SUBSYS_048A1025&REV_09#3&33fd14ca&0&10#{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0001"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\UMB#UMB#1&841921d&0&PrinterBusEnumerator#{65a9a6cf-64cd-480b-843e-32c86e1ba19f}"
    .\debug.cpp(400) : Destination "\Device\0000006e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_AGILEVPNMINIPORT#0000#{cac88484-7515-4c03-82e6-71a87abac361}"
    .\debug.cpp(400) : Destination "\Device\00000038"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{4747b320-62ce-11cf-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000042"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPTPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000003e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&374ca46f&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{FC038620-E74B-4F5E-903D-E5F6D9506007}"
    .\debug.cpp(400) : Destination "\Device\NDMP13"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0272&SUBSYS_1025048A&REV_1000#4&1d89d879&0&0001#{eb115ffc-10c8-4964-831d-6dcb02e6f23f}"
    .\debug.cpp(400) : Destination "\Device\00000065"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0E#4&30193c5d&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000051"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi1:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISWANBH"
    .\debug.cpp(400) : Destination "\Device\NDMP7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NdisWan"
    .\debug.cpp(400) : Destination "\Device\NdisWan"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AscKmd"
    .\debug.cpp(400) : Destination "\Device\AscKmd"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0303#4&30193c5d&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\0000005a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0F13#4&30193c5d&0#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\0000005b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MpsDevice"
    .\debug.cpp(400) : Destination "\Device\MPS"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FtControl"
    .\debug.cpp(400) : Destination "\Device\VolMgrControl"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgr"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgr"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MAILSLOT"
    .\debug.cpp(400) : Destination "\Device\MailSlot"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AUX"
    .\debug.cpp(400) : Destination "\DosDevices\COM1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISWANIPV6"
    .\debug.cpp(400) : Destination "\Device\NDMP9"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{DB2B4279-B5CF-4626-9DBA-32D0ECE44C87}"
    .\debug.cpp(400) : Destination "\Device\NDMP10"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ASWRDR"
    .\debug.cpp(400) : Destination "\Device\ASWRDR"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\aswSP_Avar"
    .\debug.cpp(400) : Destination "\Device\aswSP_Avar"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\VDRVROOT"
    .\debug.cpp(400) : Destination "\Device\00000044"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NUL"
    .\debug.cpp(400) : Destination "\Device\Null"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SstpDrv"
    .\debug.cpp(400) : Destination "\Device\SstpDrv"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ndisuio"
    .\debug.cpp(400) : Destination "\Device\Ndisuio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT"
    .\debug.cpp(400) : Destination ""
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&184c53fe&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000040"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WfpAle"
    .\debug.cpp(400) : Destination "\Device\WfpAle"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANIPV6#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&34b87190&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2A42&SUBSYS_048A1025&REV_09#3&33fd14ca&0&10#{1ca05180-a699-450a-9a0c-de4fbe3ddd89}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0001"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#DiskHitachi_HTS545025B9A300_________________PB2OC60F#5&1b3e4693&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP0T0L0-0"
    .\debug.cpp(409) : --
    .\debug.cpp(453) : **********************************************
    .\boot_cleaner.cpp(565) : System volume is \\.\C:
    .\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000003`46500000
    .\boot_cleaner.cpp(276) : Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff
    .\boot_cleaner.cpp(1061) :
    .\boot_cleaner.cpp(1062) : Size Device Name MBR Status
    .\boot_cleaner.cpp(1063) : --------------------------------------------
    .\boot_cleaner.cpp(1107) : 232 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
    .\boot_cleaner.cpp(1113) :
    .\boot_cleaner.cpp(1152) : Done;
     
  10. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  11. learninmypc

    learninmypc TS Evangelist Topic Starter Posts: 5,398   +240

    ComboFix 12-01-15.01 - mercury 01/15/2012 10:44:22.1.1 - x86
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3002.2295 [GMT -8:00]
    Running from: c:\users\mercury\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\Tarma Installer
    c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
    c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
    c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
    c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
    c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-15 to 2012-01-15 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-15 18:49 . 2012-01-15 18:49 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-14 23:27 . 2012-01-14 23:27 -------- d-----w- c:\users\mercury\AppData\Roaming\SUPERAntiSpyware.com
    2012-01-14 23:26 . 2012-01-14 23:27 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-01-14 23:26 . 2012-01-14 23:26 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-01-11 21:52 . 2012-01-11 21:57 -------- d-----w- c:\users\mercury\AppData\Roaming\ooVoo Details
    2012-01-11 21:52 . 2012-01-11 21:52 -------- d-----w- c:\program files\Yontoo Layers Runtime (Drop Down Deals)
    2012-01-11 21:52 . 2012-01-11 21:52 -------- d-----w- c:\program files\ooVoo
    2012-01-11 03:47 . 2011-10-26 04:32 514560 ----a-w- c:\windows\system32\qdvd.dll
    2012-01-11 03:47 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\system32\quartz.dll
    2012-01-11 03:47 . 2011-11-19 14:01 67072 ----a-w- c:\windows\system32\packager.dll
    2012-01-11 03:47 . 2011-11-17 05:38 1288472 ----a-w- c:\windows\system32\ntdll.dll
    2012-01-08 22:28 . 2012-01-08 22:28 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
    2012-01-08 22:28 . 2012-01-08 22:28 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
    2012-01-08 22:28 . 2012-01-08 22:28 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
    2012-01-08 22:28 . 2012-01-08 22:28 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
    2012-01-07 05:58 . 2012-01-07 05:58 -------- d-----w- c:\program files\PricePeep
    2012-01-07 05:57 . 2012-01-07 05:57 -------- d-----w- c:\program files\Conduit
    2012-01-07 05:57 . 2012-01-08 22:17 -------- d-----w- c:\users\mercury\AppData\Local\Conduit
    2012-01-07 05:57 . 2012-01-07 05:57 -------- d-----w- c:\program files\InstallBrainService
    2011-12-17 22:21 . 2011-12-17 22:21 -------- d-----w- c:\program files\Belarc
    2011-12-17 22:18 . 2012-01-08 22:32 -------- d-----w- c:\program files\CCleaner
    2011-12-17 22:06 . 2012-01-08 22:28 121816 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2011-12-17 21:49 . 2011-12-17 21:49 -------- d-----w- c:\program files\FileHippo.com
    2011-12-17 21:25 . 2011-12-17 21:25 -------- d-----w- c:\windows\system32\SPReview
    2011-12-17 21:24 . 2011-12-17 21:24 -------- d-----w- c:\windows\system32\EventProviders
    2011-12-17 21:05 . 2012-01-15 00:30 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-12-17 21:05 . 2011-12-17 21:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-12-17 20:55 . 2011-12-17 20:55 -------- d-----w- c:\users\mercury\AppData\Roaming\Malwarebytes
    2011-12-17 20:55 . 2011-12-17 20:55 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-17 20:55 . 2012-01-08 22:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-12-17 20:55 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-17 20:53 . 2010-01-11 02:40 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
    2011-12-17 20:53 . 2010-01-11 02:40 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
    2011-12-17 20:53 . 2012-01-14 22:17 -------- d-----w- c:\program files\SpywareBlaster
    2011-12-17 20:50 . 2011-11-28 17:53 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-12-17 20:50 . 2011-11-28 17:51 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-12-17 20:50 . 2011-11-28 17:52 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-12-17 20:50 . 2011-11-28 17:52 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-12-17 20:49 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-12-17 20:49 . 2011-11-28 17:52 55128 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-12-17 20:49 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
    2011-12-17 20:49 . 2011-11-28 18:01 199816 ----a-w- c:\windows\system32\aswBoot.exe
    2011-12-17 20:49 . 2011-12-17 20:49 -------- d-----w- c:\programdata\AVAST Software
    2011-12-17 20:49 . 2011-12-17 20:49 -------- d-----w- c:\program files\AVAST Software
    2011-12-17 20:27 . 2011-12-17 20:27 -------- d-----w- c:\users\mercury\AppData\Local\VS Revo Group
    2011-12-17 20:27 . 2009-12-30 18:21 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
    2011-12-17 20:27 . 2011-12-17 20:27 -------- d-----w- c:\program files\VS Revo Group
    2011-12-17 19:39 . 2011-12-17 19:39 -------- d-----w- c:\users\mercury\AppData\Roaming\Nitro PDF
    2011-12-17 19:38 . 2011-10-25 23:50 17704 ----a-w- c:\windows\system32\nitrolocalui2.dll
    2011-12-17 19:38 . 2011-10-25 23:50 26408 ----a-w- c:\windows\system32\nitrolocalmon2.dll
    2011-12-17 19:38 . 2011-12-17 19:38 -------- d-----w- c:\programdata\Nitro PDF
    2011-12-17 19:38 . 2011-12-17 19:38 -------- d-----w- c:\program files\Nitro PDF
    2011-12-17 19:38 . 2011-12-17 19:38 -------- d-----w- c:\program files\Common Files\Nitro PDF
    2011-12-17 19:37 . 2011-12-17 19:37 -------- d-----w- c:\users\mercury\AppData\Roaming\Downloaded Installations
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-17 22:05 . 2011-10-27 02:59 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-12-17 21:31 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2011-11-24 04:25 . 2011-12-15 05:32 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-11-05 04:35 . 2011-12-15 05:33 981504 ----a-w- c:\windows\system32\wininet.dll
    2011-11-05 04:26 . 2011-12-15 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-11-05 02:48 . 2011-12-15 05:33 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-10-26 04:47 . 2011-12-15 05:32 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-26 04:47 . 2011-12-15 05:32 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-26 04:28 . 2011-12-15 05:32 38912 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-18 09:28 . 2011-10-27 02:17 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7E7E7B10-35DE-41D0-AD81-A2B126D08FA1}\mpengine.dll
    2012-01-08 22:28 . 2011-12-17 22:06 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    2011-11-16 23:41 196384 ----a-w- c:\program files\Yontoo Layers Runtime (Drop Down Deals)\YontooIEClient.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-11-28 18:01 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2011-11-24 6497592]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-06-15 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-06-15 174104]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-06-15 151064]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-07-07 9394792]
    "ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2010-04-13 548744]
    "Acer ePower Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2010-06-11 715296]
    "LManager"="c:\program files\Launch Manager\LManager.exe" [2010-06-22 968272]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 40320]
    R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27192]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-05-24 193056]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-10-27 1343400]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-11-28 55128]
    S2 DsiWMIService;Dritek WMI Service;c:\program files\Launch Manager\dsiwmis.exe [2010-06-22 321104]
    S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [2010-06-11 735776]
    S2 InstallBrainService;InstallBrain Updater Service;c:\program files\InstallBrainService\InstallBrainService.exe [2012-01-07 512848]
    S2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe [2011-10-25 196904]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2010-04-14 109960]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-11 122880]
    S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2010-05-15 325672]
    .
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    TCP: DhcpNameServer = 192.168.1.1 184.16.33.54
    FF - ProfilePath - c:\users\mercury\AppData\Roaming\Mozilla\Firefox\Profiles\jbvwe7ea.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3007394&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - www.kirotv.com
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3007394&SearchSource=2&q=
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extentions.y2layers.installId, d19dcb53-22bb-4f7d-8ccf-dd63f0cd1b0e
    FF - user.js: extentions.y2layers.defaultEnableAppsList - BuzzDock,Buzzdock,BuzzdockTease,DropDownDeals,
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
    AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\progra~2\TARMAI~1\{889DF~1\Setup.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-01-15 10:52:59
    ComboFix-quarantined-files.txt 2012-01-15 18:52
    .
    Pre-Run: 211,263,135,744 bytes free
    Post-Run: 211,235,753,984 bytes free
    .
    - - End Of File - - C809DA2A0306D8172262833929A991B9
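The Supplementary Scan section above is where the hijack actually shows: the homepage values look user-chosen (www.kirotv.com, google.com), but `browser.search.defaulturl` and `keyword.URL` both point at search.conduit.com, so search-box queries and non-URL text typed into the address bar were being routed through Conduit no matter what the homepage was reset to. The `user.js` line is also worth a second look: its value contains a second `user_pref(` call, so two prefs sat on one line and a line-based log reader shows only the first key. The script below is an added example, not part of the thread and not ComboFix or OTL code: it pulls the `FF - prefs.js`/`user.js` lines out of a log in the layout ComboFix writes (and the layout OTL uses for the same prefs) and flags the search-routing prefs that point somewhere unexpected. The sample input is constructed from the lines in the posted log; the allowlists of search hosts and engine names are assumptions for the demonstration, not anything the thread states.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: the "FF -" lines from the ComboFix log posted above
# (ComboFix writes http as hxxp so the URLs are not clickable), plus two lines
# in the layout OTL uses for the same prefs, so the parser handles both.
SAMPLE_LOG = """\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3007394&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.kirotv.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3007394&SearchSource=2&q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extentions.y2layers.installId, d19dcb53-22bb-4f7d-8ccf-dd63f0cd1b0e
FF - user.js: extentions.y2layers.defaultEnableAppsList - BuzzDock,Buzzdock,BuzzdockTease,DropDownDeals,
FF - prefs.js..browser.search.defaultthis.engineName: "WhiteSmoke Bar Customized Web Search"
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3007394&SearchSource=2&q="
"""

# ComboFix layout:  FF - prefs.js: <key> - <value>
# OTL layout:       FF - prefs.js..<key>: "<value>"
COMBOFIX_RE = re.compile(r"^FF - (prefs\.js|user\.js): (\S+) - (.*)$")
OTL_RE = re.compile(r'^FF - (prefs\.js|user\.js)\.\.([^:\s]+): "?(.*?)"?$')

# Prefs that decide where typed text is sent; whoever rewrites these gets
# every search, whatever the homepage says.
SEARCH_URL_PREFS = {"browser.search.defaulturl", "keyword.URL"}
ENGINE_NAME_PREFS = {
    "browser.search.defaultenginename",
    "browser.search.defaultthis.engineName",
    "browser.search.selectedEngine",
}

# Assumed allowlists for this example; adjust to what the user actually chose.
ALLOWED_SEARCH_HOSTS = {"www.google.com", "google.com", "www.bing.com", "search.yahoo.com"}
ALLOWED_ENGINE_NAMES = {"Google", "Bing", "Yahoo"}


def parse_ff_lines(log_text):
    """Yield (file, key, value) for every Firefox pref line in either layout."""
    for line in log_text.splitlines():
        line = line.strip()
        m = COMBOFIX_RE.match(line) or OTL_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def host_of(value):
    """Return the host a pref value points at, or None if it is not a URL."""
    url = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)  # undo defanging
    if "://" not in url:
        return None
    return (urlparse(url).hostname or "").lower() or None


def analyze(log_text):
    """Return (key, reason, value) findings for hijacked-looking prefs."""
    findings = []
    for _file, key, value in parse_ff_lines(log_text):
        # 1. A value carrying a second user_pref( call means two prefs share a
        #    line; the second key never appears on its own in the log.
        if ");user_pref(" in value:
            findings.append((key, "second user_pref on same line", value))
        # 2. Search URL prefs must point at an engine the user chose.
        if key in SEARCH_URL_PREFS:
            host = host_of(value)
            if host not in ALLOWED_SEARCH_HOSTS:
                findings.append((key, f"search routed to {host}", value))
        # 3. Engine names that a toolbar, not the user, installed.
        if key in ENGINE_NAME_PREFS and value not in ALLOWED_ENGINE_NAMES:
            findings.append((key, "unexpected search engine name", value))
    return findings


if __name__ == "__main__":
    for key, reason, value in analyze(SAMPLE_LOG):
        print(f"{reason:34} {key} = {value}")
```

Run it against a saved ComboFix.txt or OTL.txt instead of `SAMPLE_LOG` to get the same report for a real log. The point of the allowlist design is that a hijacker's host does not have to be known in advance: anything other than the engines the user picked is reported, which is how the Conduit URLs and the "WhiteSmoke Bar" engine name in this log surface without a signature for either.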
     
     
  12. learninmypc

    learninmypc TS Evangelist Topic Starter Posts: 5,398   +240

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 01/15/2012 at 10:58:28.
    Operating System: Windows 7 Home Premium


    Processes terminated by Rkill or while it was running:

    \Windows\system32\conhost.exe


    Rkill completed on 01/15/2012 at 10:58:33.
     
  13. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Looks good.

    Any current issues?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  14. learninmypc


    No current issues I know of. Doing above scan now. Posting this from another pc.
     
  15. learninmypc


    OTL logfile created on: 1/15/2012 11:13:55 AM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\mercury\Desktop
    Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7601.17514)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.93 Gb Total Physical Memory | 2.15 Gb Available Physical Memory | 73.17% Memory free
    5.86 Gb Paging File | 5.10 Gb Available in Paging File | 87.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 219.79 Gb Total Space | 196.80 Gb Free Space | 89.54% Space Free | Partition Type: NTFS
    Drive F: | 100.00 Mb Total Space | 70.14 Mb Free Space | 70.14% Space Free | Partition Type: NTFS

    Computer Name: MERCURY-PC | User Name: mercury | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/01/15 11:11:49 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\mercury\Desktop\OTL.exe
    PRC - [2012/01/06 21:57:20 | 000,512,848 | ---- | M] () -- C:\Program Files\InstallBrainService\InstallBrainService.exe
    PRC - [2011/11/28 10:01:24 | 003,744,552 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
    PRC - [2011/11/28 10:01:23 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    PRC - [2011/10/25 15:51:26 | 000,196,904 | ---- | M] (Nitro PDF Software) -- C:\Program Files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe
    PRC - [2011/08/11 15:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCore.exe
    PRC - [2011/06/23 20:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
    PRC - [2011/02/24 21:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2010/11/20 04:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
    PRC - [2010/06/22 13:34:48 | 000,321,104 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\dsiwmis.exe
    PRC - [2010/06/22 13:34:48 | 000,305,744 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\LMworker.exe
    PRC - [2010/06/22 13:34:46 | 000,968,272 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\LManager.exe
    PRC - [2010/06/11 13:28:06 | 000,715,296 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
    PRC - [2010/06/11 13:28:02 | 000,735,776 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
    PRC - [2010/06/11 13:27:54 | 000,469,536 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
    PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    PRC - [2008/11/09 12:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe


    ========== Modules (No Company Name) ==========

    MOD - [2011/11/23 23:05:40 | 000,921,600 | ---- | M] () -- C:\Program Files\Yahoo!\Messenger\yui.dll
    MOD - [2009/05/20 13:02:04 | 000,072,200 | ---- | M] () -- C:\Program Files\Launch Manager\CdDirIo.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2012/01/06 21:57:20 | 000,512,848 | ---- | M] () [Auto | Running] -- C:\Program Files\InstallBrainService\InstallBrainService.exe -- (InstallBrainService)
    SRV - [2011/11/28 10:01:23 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2011/10/27 07:50:02 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\WAT\WatAdminSvc.exe -- (WatAdminSvc)
    SRV - [2011/10/25 15:51:26 | 000,196,904 | ---- | M] (Nitro PDF Software) [Auto | Running] -- C:\Program Files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe -- (NitroReaderDriverReadSpool2)
    SRV - [2011/08/11 15:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
    SRV - [2010/06/22 13:34:48 | 000,321,104 | ---- | M] (Dritek System Inc.) [Auto | Running] -- C:\Program Files\Launch Manager\dsiwmis.exe -- (DsiWMIService)
    SRV - [2010/06/11 13:28:02 | 000,735,776 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe -- (ePowerSvc)
    SRV - [2009/07/13 17:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
    SRV - [2009/07/13 17:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
    SRV - [2008/11/09 12:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)


    ========== Driver Services (SafeList) ==========

    DRV - [2011/11/28 09:53:53 | 000,435,032 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
    DRV - [2011/11/28 09:53:35 | 000,314,456 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2011/11/28 09:52:19 | 000,034,392 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2011/11/28 09:52:16 | 000,052,952 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2011/11/28 09:52:07 | 000,055,128 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
    DRV - [2011/11/28 09:51:50 | 000,020,568 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2011/07/22 08:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
    DRV - [2011/07/12 13:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
    DRV - [2011/05/18 08:09:04 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\dc3d.sys -- (dc3d)
    DRV - [2010/11/20 02:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV - [2010/11/20 01:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
    DRV - [2010/05/24 14:46:34 | 000,193,056 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RtsUStor.sys -- (RSUSBSTOR)
    DRV - [2010/05/15 04:48:24 | 000,325,672 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\k57nd60x.sys -- (k57nd60x) Broadcom NetLink (TM)
    DRV - [2009/12/30 10:21:18 | 000,027,192 | ---- | M] (VS Revo Group) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\revoflt.sys -- (Revoflt)
    DRV - [2009/07/13 15:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\serial.sys -- (Serial)
    DRV - [2009/07/10 18:14:50 | 000,122,880 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel(R)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-3751614569-3616587832-479125100-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\S-1-5-21-3751614569-3616587832-479125100-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\S-1-5-21-3751614569-3616587832-479125100-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = E8 66 A9 A0 1C C9 CC 01 [binary data]
    IE - HKU\S-1-5-21-3751614569-3616587832-479125100-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
    FF - prefs.js..browser.search.defaultthis.engineName: "WhiteSmoke Bar Customized Web Search"
    FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3007394&SearchSource=3&q={searchTerms}"
    FF - prefs.js..browser.search.selectedEngine: "Google"
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "www.kirotv.com"
    FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3007394&SearchSource=2&q="


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.0.61118.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@nitropdf.com/NitroPDF: C:\Program Files\Nitro PDF\Reader 2\npnitromozilla.dll ( )

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/12/17 12:49:42 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/08 14:28:33 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 9.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

    [2011/10/26 18:15:07 | 000,000,000 | ---D | M] (No name found) -- C:\Users\mercury\AppData\Roaming\Mozilla\Extensions
    [2012/01/11 13:52:43 | 000,000,000 | ---D | M] (No name found) -- C:\Users\mercury\AppData\Roaming\Mozilla\Firefox\Profiles\jbvwe7ea.default\extensions
    [2012/01/06 21:57:41 | 000,000,000 | ---D | M] (WhiteSmoke Bar Community Toolbar) -- C:\Users\mercury\AppData\Roaming\Mozilla\Firefox\Profiles\jbvwe7ea.default\extensions\{167d9323-f7cc-48f5-948a-6f012831a69f}
    [2011/12/12 21:09:27 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\mercury\AppData\Roaming\Mozilla\Firefox\Profiles\jbvwe7ea.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    [2011/12/17 12:14:58 | 000,000,000 | ---D | M] (WOT) -- C:\Users\mercury\AppData\Roaming\Mozilla\Firefox\Profiles\jbvwe7ea.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    [2012/01/11 13:52:43 | 000,000,000 | ---D | M] (Yontoo Layers (Drop Down Deals)) -- C:\Users\mercury\AppData\Roaming\Mozilla\Firefox\Profiles\jbvwe7ea.default\extensions\plugin@yontoo.com
    [2011/11/09 21:26:01 | 000,003,847 | ---- | M] () -- C:\Users\mercury\AppData\Roaming\Mozilla\Firefox\Profiles\jbvwe7ea.default\searchplugins\avg-secure-search.xml
    [2011/12/17 14:06:06 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/10/26 19:08:16 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
    () (No name found) -- C:\USERS\MERCURY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\JBVWE7EA.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
    [2012/01/08 14:28:32 | 000,121,816 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2012/01/08 14:28:30 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2012/01/08 14:28:30 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

    O1 HOSTS File: ([2012/01/15 10:49:53 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O2 - BHO: (Yontoo Layers (Drop Down Deals)) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Runtime (Drop Down Deals)\YontooIEClient.dll (Yontoo LLC)
    O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
    O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
    O4 - HKLM..\Run: [Acer ePower Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe (Acer Incorporated)
    O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [ETDWare] C:\Program Files\Elantech\ETDCtrl.exe (ELAN Microelectronic Corp.)
    O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
    O4 - HKU\S-1-5-21-3751614569-3616587832-479125100-1000..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3751614569-3616587832-479125100-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3751614569-3616587832-479125100-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 184.16.33.54
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{51DC8B2C-8656-4CEC-8DC9-0368854B46D8}: DhcpNameServer = 192.168.2.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F69E9B89-CE67-482D-9916-3EEB69806A4C}: DhcpNameServer = 192.168.1.1 184.16.33.54
    O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
    O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) -C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/06/10 13:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: FastUserSwitchingCompatibility - File not found
    NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
    NetSvcs: Nla - File not found
    NetSvcs: Ntmssvc - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: SRService - File not found
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: LogonHours - File not found
    NetSvcs: PCAudit - File not found
    NetSvcs: helpsvc - File not found
    NetSvcs: uploadmgr - File not found

    Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/01/15 11:11:48 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\mercury\Desktop\OTL.exe
    [2012/01/15 10:53:02 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/01/15 10:42:47 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2012/01/15 10:42:47 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2012/01/15 10:42:47 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2012/01/15 10:42:42 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2012/01/15 10:42:39 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/01/15 10:40:28 | 004,384,281 | R--- | C] (Swearware) -- C:\Users\mercury\Desktop\ComboFix.exe
    [2012/01/15 08:17:35 | 004,713,472 | ---- | C] (AVAST Software) -- C:\Users\mercury\Desktop\aswMBR.exe
    [2012/01/14 15:59:52 | 000,000,000 | ---D | C] -- C:\Users\mercury\Documents\New folder
    [2012/01/14 15:27:24 | 000,000,000 | ---D | C] -- C:\Users\mercury\AppData\Roaming\SUPERAntiSpyware.com
    [2012/01/14 15:26:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
    [2012/01/14 15:26:33 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
    [2012/01/14 15:26:33 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
    [2012/01/11 13:52:51 | 000,000,000 | ---D | C] -- C:\Users\mercury\AppData\Roaming\ooVoo Details
    [2012/01/11 13:52:41 | 000,000,000 | ---D | C] -- C:\Program Files\Yontoo Layers Runtime (Drop Down Deals)
    [2012/01/11 13:52:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ooVoo
    [2012/01/11 13:52:32 | 000,000,000 | ---D | C] -- C:\Program Files\ooVoo
    [2012/01/11 13:49:58 | 001,143,888 | ---- | C] (ooVoo LLC) -- C:\Users\mercury\Desktop\ooVooSetup.exe
    [2012/01/08 14:32:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
    [2012/01/06 21:58:33 | 000,000,000 | ---D | C] -- C:\Program Files\PricePeep
    [2012/01/06 21:57:35 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
    [2012/01/06 21:57:30 | 000,000,000 | ---D | C] -- C:\Users\mercury\AppData\Local\Conduit
    [2012/01/06 21:57:21 | 000,000,000 | ---D | C] -- C:\Program Files\InstallBrainService
    [2011/12/24 18:14:17 | 000,000,000 | R--D | C] -- C:\Users\mercury\Desktop\Mia's Music
    [2011/12/24 18:13:59 | 000,000,000 | ---D | C] -- C:\Users\mercury\Desktop\Mia's pic
    [2011/12/24 18:13:53 | 000,000,000 | R--D | C] -- C:\Users\mercury\Desktop\MJ's Pic
    [2011/12/24 17:25:25 | 000,000,000 | R--D | C] -- C:\Users\mercury\Desktop\MJ PICS
    [2011/12/17 14:21:11 | 000,000,000 | ---D | C] -- C:\Program Files\Belarc
    [2011/12/17 14:18:07 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
    [2011/12/17 13:54:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Yahoo! Messenger
    [2011/12/17 13:49:38 | 000,000,000 | ---D | C] -- C:\Program Files\FileHippo.com
    [2011/12/17 13:25:22 | 000,000,000 | ---D | C] -- C:\Windows\System32\SPReview
    [2011/12/17 13:24:41 | 000,000,000 | ---D | C] -- C:\Windows\System32\EventProviders
    [2011/12/17 13:06:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
    [2011/12/17 13:05:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
    [2011/12/17 13:05:59 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
    [2011/12/17 12:55:54 | 000,000,000 | ---D | C] -- C:\Users\mercury\AppData\Roaming\Malwarebytes
    [2011/12/17 12:55:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/12/17 12:55:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2011/12/17 12:55:36 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2011/12/17 12:55:36 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/12/17 12:53:20 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
    [2011/12/17 12:53:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpywareBlaster
    [2011/12/17 12:53:13 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
    [2011/12/17 12:50:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
    [2011/12/17 12:50:09 | 000,314,456 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
    [2011/12/17 12:50:09 | 000,020,568 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
    [2011/12/17 12:50:03 | 000,034,392 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
    [2011/12/17 12:50:01 | 000,052,952 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
    [2011/12/17 12:49:59 | 000,435,032 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
    [2011/12/17 12:49:54 | 000,055,128 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
    [2011/12/17 12:49:33 | 000,199,816 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
    [2011/12/17 12:49:33 | 000,041,184 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
    [2011/12/17 12:49:25 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
    [2011/12/17 12:49:25 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
    [2011/12/17 12:27:48 | 000,000,000 | ---D | C] -- C:\Users\mercury\AppData\Local\VS Revo Group
    [2011/12/17 12:27:43 | 000,027,192 | ---- | C] (VS Revo Group) -- C:\Windows\System32\drivers\revoflt.sys
    [2011/12/17 12:27:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller Pro
    [2011/12/17 12:27:42 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
    [2011/12/17 11:39:48 | 000,000,000 | ---D | C] -- C:\Users\mercury\AppData\Roaming\Nitro PDF
    [2011/12/17 11:38:42 | 000,026,408 | ---- | C] (Nitro PDF Software) -- C:\Windows\System32\nitrolocalmon2.dll
    [2011/12/17 11:38:42 | 000,017,704 | ---- | C] (Nitro PDF Software) -- C:\Windows\System32\nitrolocalui2.dll
    [2011/12/17 11:38:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Nitro PDF
    [2011/12/17 11:38:27 | 000,000,000 | ---D | C] -- C:\Program Files\Nitro PDF
    [2011/12/17 11:38:27 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Nitro PDF
    [2011/12/17 11:37:29 | 000,000,000 | ---D | C] -- C:\Users\mercury\AppData\Roaming\Downloaded Installations

    ========== Files - Modified Within 30 Days ==========

    [2012/01/15 11:11:49 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\mercury\Desktop\OTL.exe
    [2012/01/15 10:56:48 | 001,008,141 | ---- | M] () -- C:\Users\mercury\Desktop\rkill.com
    [2012/01/15 10:49:53 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2012/01/15 10:41:40 | 000,019,520 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2012/01/15 10:41:40 | 000,019,520 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2012/01/15 10:40:33 | 004,384,281 | R--- | M] (Swearware) -- C:\Users\mercury\Desktop\ComboFix.exe
    [2012/01/15 10:38:40 | 000,624,178 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2012/01/15 10:38:40 | 000,106,522 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2012/01/15 10:34:02 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2012/01/15 10:33:56 | 2360,852,480 | -HS- | M] () -- C:\hiberfil.sys
    [2012/01/15 08:52:21 | 000,044,607 | ---- | M] () -- C:\Users\mercury\Desktop\bootkit_remover.zip
    [2012/01/15 08:23:08 | 000,000,512 | ---- | M] () -- C:\Users\mercury\Desktop\MBR.dat
    [2012/01/15 08:17:43 | 004,713,472 | ---- | M] (AVAST Software) -- C:\Users\mercury\Desktop\aswMBR.exe
    [2012/01/14 15:26:37 | 000,001,961 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
    [2012/01/12 18:25:26 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
    [2012/01/11 13:52:33 | 000,001,815 | ---- | M] () -- C:\Users\Public\Desktop\ooVoo.lnk
    [2012/01/11 13:49:59 | 001,143,888 | ---- | M] (ooVoo LLC) -- C:\Users\mercury\Desktop\ooVooSetup.exe
    [2012/01/08 14:32:39 | 000,000,965 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
    [2012/01/08 14:22:07 | 000,001,067 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/01/05 15:42:27 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_dc3d_01009.Wdf
    [2011/12/17 14:21:11 | 000,002,034 | ---- | M] () -- C:\Users\mercury\Application Data\Microsoft\Internet Explorer\Quick Launch\Belarc Advisor.lnk
    [2011/12/17 14:21:11 | 000,002,010 | ---- | M] () -- C:\Users\Public\Desktop\Belarc Advisor.lnk
    [2011/12/17 14:06:08 | 000,001,096 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
    [2011/12/17 14:00:20 | 000,266,808 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2011/12/17 13:54:28 | 000,001,141 | ---- | M] () -- C:\Users\mercury\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
    [2011/12/17 13:54:28 | 000,001,117 | ---- | M] () -- C:\Users\Public\Desktop\Yahoo! Messenger.lnk
    [2011/12/17 13:49:39 | 000,001,915 | ---- | M] () -- C:\Users\mercury\Desktop\Update Checker.lnk
    [2011/12/17 13:06:05 | 000,001,216 | ---- | M] () -- C:\Users\mercury\Desktop\Spybot - Search & Destroy.lnk
    [2011/12/17 12:53:15 | 000,001,037 | ---- | M] () -- C:\Users\mercury\Desktop\SpywareBlaster.lnk
    [2011/12/17 12:50:10 | 000,001,994 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
    [2011/12/17 12:49:54 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
    [2011/12/17 12:27:45 | 000,001,254 | ---- | M] () -- C:\Users\mercury\Application Data\Microsoft\Internet Explorer\Quick Launch\Revo Uninstaller Pro.lnk
    [2011/12/17 11:38:36 | 000,001,993 | ---- | M] () -- C:\Users\Public\Desktop\Nitro Reader.lnk

    ========== Files Created - No Company Name ==========

    [2012/01/15 10:56:46 | 001,008,141 | ---- | C] () -- C:\Users\mercury\Desktop\rkill.com
    [2012/01/15 10:42:47 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/01/15 10:42:47 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/01/15 10:42:47 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/01/15 10:42:47 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/01/15 10:42:47 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/01/15 08:52:18 | 000,044,607 | ---- | C] () -- C:\Users\mercury\Desktop\bootkit_remover.zip
    [2012/01/15 08:23:08 | 000,000,512 | ---- | C] () -- C:\Users\mercury\Desktop\MBR.dat
    [2012/01/14 15:26:37 | 000,001,961 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
    [2012/01/12 18:25:26 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
    [2012/01/11 13:52:33 | 000,001,815 | ---- | C] () -- C:\Users\Public\Desktop\ooVoo.lnk
    [2012/01/08 14:22:07 | 000,001,067 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/01/05 15:42:27 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_dc3d_01009.Wdf
    [2011/12/17 14:21:11 | 000,002,034 | ---- | C] () -- C:\Users\mercury\Application Data\Microsoft\Internet Explorer\Quick Launch\Belarc Advisor.lnk
    [2011/12/17 14:21:11 | 000,002,022 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Belarc Advisor.lnk
    [2011/12/17 14:21:11 | 000,002,010 | ---- | C] () -- C:\Users\Public\Desktop\Belarc Advisor.lnk
    [2011/12/17 14:18:08 | 000,000,965 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
    [2011/12/17 13:54:28 | 000,001,141 | ---- | C] () -- C:\Users\mercury\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
    [2011/12/17 13:54:28 | 000,001,117 | ---- | C] () -- C:\Users\Public\Desktop\Yahoo! Messenger.lnk
    [2011/12/17 13:49:39 | 000,001,945 | ---- | C] () -- C:\Users\mercury\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Update Checker.lnk
    [2011/12/17 13:49:39 | 000,001,915 | ---- | C] () -- C:\Users\mercury\Desktop\Update Checker.lnk
    [2011/12/17 13:06:05 | 000,001,216 | ---- | C] () -- C:\Users\mercury\Desktop\Spybot - Search & Destroy.lnk
    [2011/12/17 12:53:15 | 000,001,037 | ---- | C] () -- C:\Users\mercury\Desktop\SpywareBlaster.lnk
    [2011/12/17 12:50:10 | 000,001,994 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
    [2011/12/17 12:27:45 | 000,001,254 | ---- | C] () -- C:\Users\mercury\Application Data\Microsoft\Internet Explorer\Quick Launch\Revo Uninstaller Pro.lnk
    [2011/12/17 11:38:36 | 000,002,495 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nitro Reader 2.lnk
    [2011/12/17 11:38:36 | 000,001,993 | ---- | C] () -- C:\Users\Public\Desktop\Nitro Reader.lnk
    [2011/10/26 19:01:19 | 000,175,616 | ---- | C] () -- C:\Windows\System32\unrar.dll
    [2011/10/26 17:59:43 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll
    [2011/10/26 17:56:36 | 000,247,560 | ---- | C] () -- C:\Windows\System32\drivers\RTConvEQ.dat
    [2011/10/26 17:56:36 | 000,037,468 | ---- | C] () -- C:\Windows\System32\drivers\RtPCEE3.DAT
    [2011/10/26 17:56:36 | 000,001,448 | ---- | C] () -- C:\Windows\System32\drivers\RtHdatEx.dat
    [2011/10/26 17:56:36 | 000,000,520 | ---- | C] () -- C:\Windows\System32\drivers\RTEQEX3.dat
    [2011/10/26 17:56:36 | 000,000,520 | ---- | C] () -- C:\Windows\System32\drivers\RTEQEX2.dat
    [2011/10/26 17:56:36 | 000,000,520 | ---- | C] () -- C:\Windows\System32\drivers\RTEQEX1.dat
    [2011/10/26 17:56:36 | 000,000,520 | ---- | C] () -- C:\Windows\System32\drivers\RTEQEX0.dat
    [2011/10/26 17:56:36 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ1.dat
    [2011/10/26 17:56:36 | 000,000,024 | ---- | C] () -- C:\Windows\System32\drivers\rtkhdaud.dat
    [2011/10/26 16:16:55 | 000,004,608 | ---- | C] () -- C:\Windows\System32\HdmiCoin.dll
    [2011/10/26 16:16:27 | 000,982,220 | ---- | C] () -- C:\Windows\System32\igkrng500.bin
    [2011/10/26 16:16:09 | 000,134,592 | ---- | C] () -- C:\Windows\System32\igfcg500.bin
    [2011/10/26 16:16:09 | 000,092,216 | ---- | C] () -- C:\Windows\System32\igfcg500m.bin
    [2011/10/26 16:15:53 | 000,439,300 | ---- | C] () -- C:\Windows\System32\igcompkrng500.bin
    [2009/07/13 20:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
    [2009/07/13 20:33:53 | 000,266,808 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
    [2009/07/13 18:05:48 | 000,624,178 | ---- | C] () -- C:\Windows\System32\perfh009.dat
    [2009/07/13 18:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
    [2009/07/13 18:05:48 | 000,106,522 | ---- | C] () -- C:\Windows\System32\perfc009.dat
    [2009/07/13 18:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
    [2009/07/13 18:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
    [2009/07/13 18:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
    [2009/07/13 15:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
    [2009/07/13 15:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
    [2009/07/13 15:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
    [2009/06/10 13:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

    ========== LOP Check ==========

    [2011/12/17 11:37:29 | 000,000,000 | ---D | M] -- C:\Users\mercury\AppData\Roaming\Downloaded Installations
    [2011/10/26 18:42:42 | 000,000,000 | ---D | M] -- C:\Users\mercury\AppData\Roaming\Liteon
    [2011/12/17 11:39:48 | 000,000,000 | ---D | M] -- C:\Users\mercury\AppData\Roaming\Nitro PDF
    [2012/01/11 13:57:10 | 000,000,000 | ---D | M] -- C:\Users\mercury\AppData\Roaming\ooVoo Details
    [2009/07/13 20:53:46 | 000,032,020 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2009/06/10 13:42:20 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
    [2012/01/15 10:52:59 | 000,012,666 | ---- | M] () -- C:\ComboFix.txt
    [2009/06/10 13:42:20 | 000,000,010 | ---- | M] () -- C:\config.sys
    [2012/01/15 10:33:56 | 2360,852,480 | -HS- | M] () -- C:\hiberfil.sys
    [2012/01/15 10:33:59 | 3147,804,672 | -HS- | M] () -- C:\pagefile.sys
    [2012/01/15 10:58:33 | 000,000,392 | ---- | M] () -- C:\rkill.log

    < %systemroot%\Fonts\*.com >
    [2009/07/13 20:52:25 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
    [2009/07/13 20:52:25 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
    [2009/07/13 20:52:25 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
    [2009/07/13 20:52:25 | 000,043,318 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2009/06/10 13:31:19 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2009/07/13 17:15:35 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\jnwppr.dll
    [2010/11/20 04:21:36 | 000,030,208 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\winprint.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2011/11/28 10:01:25 | 000,041,184 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2009/07/13 20:41:57 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2011/10/26 15:58:07 | 000,000,221 | -HS- | M] () -- C:\Users\mercury\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >
    [2012/01/15 08:17:43 | 004,713,472 | ---- | M] (AVAST Software) -- C:\Users\mercury\Desktop\aswMBR.exe
    [2012/01/15 10:40:33 | 004,384,281 | R--- | M] (Swearware) -- C:\Users\mercury\Desktop\ComboFix.exe
    [2012/01/11 13:49:59 | 001,143,888 | ---- | M] (ooVoo LLC) -- C:\Users\mercury\Desktop\ooVooSetup.exe
    [2012/01/15 11:11:49 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\mercury\Desktop\OTL.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >
    [2009/06/10 13:20:04 | 000,000,802 | ---- | M] () -- C:\Windows\ADDINS\FXSEXT.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >
    [2012/01/14 16:42:42 | 000,008,192 | ---- | M] () -- C:\Windows\SECURITY\Database\edb.chk
    [2012/01/14 16:42:42 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edb.log
    [2011/12/17 13:40:37 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edbres00001.jrs
    [2011/12/17 13:40:37 | 001,048,576 | ---- | M] () -- C:\Windows\SECURITY\Database\edbres00002.jrs

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2011/12/17 13:42:26 | 000,000,402 | -HS- | M] () -- C:\Users\mercury\Favorites\desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:5C321E34

    < End of report >
     
  16. learninmypc

    learninmypc TS Evangelist Topic Starter Posts: 5,398   +240

    duplicate......
     
  17. learninmypc

    learninmypc TS Evangelist Topic Starter Posts: 5,398   +240

    My goof, sorry, here it is.

    OTL Extras logfile created on: 1/15/2012 11:13:55 AM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\mercury\Desktop
    Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7601.17514)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.93 Gb Total Physical Memory | 2.15 Gb Available Physical Memory | 73.17% Memory free
    5.86 Gb Paging File | 5.10 Gb Available in Paging File | 87.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 219.79 Gb Total Space | 196.80 Gb Free Space | 89.54% Space Free | Partition Type: NTFS
    Drive F: | 100.00 Mb Total Space | 70.14 Mb Free Space | 70.14% Space Free | Partition Type: NTFS

    Computer Name: MERCURY-PC | User Name: mercury | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

    [HKEY_USERS\S-1-5-21-3751614569-3616587832-479125100-1000\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    htmlfile [edit] -- Reg Error: Key error.
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{3DB0448D-AD82-4923-B305-D001E521A964}" = Acer ePower Management
    "{51F026FA-5146-4232-A8BA-1364740BD053}" = Acer Crystal Eye webcam
    "{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1" = Revo Uninstaller Pro 2.5.7
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8A89BCBC-B2AA-48BF-959F-08EDB1D2C8AB}" = Nitro Reader 2
    "{96AE7E41-E34E-47D0-AC07-1091A8127911}" = Realtek USB 2.0 Card Reader
    "{97C82B44-D408-4F14-9252-47FC1636D23E}_is1" = IZArc 4.1.6
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
    "{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{FAA7F8FF-3C05-4A61-8F14-D8A6E9ED6623}" = ooVoo
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "avast" = avast! Free Antivirus
    "Belarc Advisor" = Belarc Advisor 8.2
    "CCleaner" = CCleaner
    "Elantech" = ETDWare PS/2-x86 7.0.6.5_WHQL
    "FileHippo.com" = FileHippo.com Update Checker
    "HDMI" = Intel(R) Graphics Media Accelerator Driver
    "InstallBrain Updater Service" = InstallBrain Updater Service
    "KLiteCodecPack_is1" = K-Lite Codec Pack 7.8.0 (Basic)
    "LManager" = Launch Manager
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Mozilla Firefox 9.0.1 (x86 en-US)" = Mozilla Firefox 9.0.1 (x86 en-US)
    "PricePeep" = PricePeep for FireFox
    "SpywareBlaster_is1" = SpywareBlaster 4.5
    "TVWiz" = Intel(R) TV Wizard
    "Yahoo! Companion" = Yahoo! Toolbar
    "Yahoo! Messenger" = Yahoo! Messenger
    "Yahoo! Software Update" = Yahoo! Software Update

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 1/2/2012 7:18:37 PM | Computer Name = mercury-PC | Source = SideBySide | ID = 16842827
    Description = Activation context generation failed for "C:\Program Files\Skype\Toolbars\Internet
    Explorer\SkypeIEPluginBroker.exe".Error in manifest or policy file "C:\Program
    Files\Skype\Toolbars\Internet Explorer\SkypeIEPluginBroker.exe" on line 2. Multiple
    requestedPrivileges elements are not allowed in manifest.

    Error - 1/2/2012 7:19:13 PM | Computer Name = mercury-PC | Source = SideBySide | ID = 16842815
    Description = Activation context generation failed for "c:\program files\spybot
    - search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program files\spybot
    - search & destroy\DelZip179.dll" on line 8. The value "*" of attribute "language"
    in element "assemblyIdentity" is invalid.

    Error - 1/6/2012 8:07:03 PM | Computer Name = mercury-PC | Source = SideBySide | ID = 16842827
    Description = Activation context generation failed for "C:\Program Files\Skype\Toolbars\Internet
    Explorer\SkypeIEPluginBroker.exe".Error in manifest or policy file "C:\Program
    Files\Skype\Toolbars\Internet Explorer\SkypeIEPluginBroker.exe" on line 2. Multiple
    requestedPrivileges elements are not allowed in manifest.

    Error - 1/6/2012 8:07:36 PM | Computer Name = mercury-PC | Source = SideBySide | ID = 16842815
    Description = Activation context generation failed for "c:\program files\spybot
    - search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program files\spybot
    - search & destroy\DelZip179.dll" on line 8. The value "*" of attribute "language"
    in element "assemblyIdentity" is invalid.

    Error - 1/8/2012 8:01:59 PM | Computer Name = mercury-PC | Source = SideBySide | ID = 16842827
    Description = Activation context generation failed for "C:\Program Files\Skype\Toolbars\Internet
    Explorer\SkypeIEPluginBroker.exe".Error in manifest or policy file "C:\Program
    Files\Skype\Toolbars\Internet Explorer\SkypeIEPluginBroker.exe" on line 2. Multiple
    requestedPrivileges elements are not allowed in manifest.

    Error - 1/8/2012 8:02:29 PM | Computer Name = mercury-PC | Source = SideBySide | ID = 16842815
    Description = Activation context generation failed for "c:\program files\spybot
    - search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program files\spybot
    - search & destroy\DelZip179.dll" on line 8. The value "*" of attribute "language"
    in element "assemblyIdentity" is invalid.

    Error - 1/11/2012 6:36:40 PM | Computer Name = mercury-PC | Source = SideBySide | ID = 16842827
    Description = Activation context generation failed for "C:\Program Files\Skype\Toolbars\Internet
    Explorer\SkypeIEPluginBroker.exe".Error in manifest or policy file "C:\Program
    Files\Skype\Toolbars\Internet Explorer\SkypeIEPluginBroker.exe" on line 2. Multiple
    requestedPrivileges elements are not allowed in manifest.

    Error - 1/11/2012 6:37:25 PM | Computer Name = mercury-PC | Source = SideBySide | ID = 16842815
    Description = Activation context generation failed for "c:\program files\spybot
    - search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program files\spybot
    - search & destroy\DelZip179.dll" on line 8. The value "*" of attribute "language"
    in element "assemblyIdentity" is invalid.

    Error - 1/15/2012 1:21:32 PM | Computer Name = mercury-PC | Source = SideBySide | ID = 16842827
    Description = Activation context generation failed for "C:\Program Files\Skype\Toolbars\Internet
    Explorer\SkypeIEPluginBroker.exe".Error in manifest or policy file "C:\Program
    Files\Skype\Toolbars\Internet Explorer\SkypeIEPluginBroker.exe" on line 2. Multiple
    requestedPrivileges elements are not allowed in manifest.

    Error - 1/15/2012 1:22:03 PM | Computer Name = mercury-PC | Source = SideBySide | ID = 16842815
    Description = Activation context generation failed for "c:\program files\spybot
    - search & destroy\DelZip179.dll".Error in manifest or policy file "c:\program files\spybot
    - search & destroy\DelZip179.dll" on line 8. The value "*" of attribute "language"
    in element "assemblyIdentity" is invalid.

    [ System Events ]
    Error - 1/10/2012 11:58:47 PM | Computer Name = mercury-PC | Source = Service Control Manager | ID = 7011
    Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
    response from the ShellHWDetection service.

    Error - 1/11/2012 12:12:46 AM | Computer Name = mercury-PC | Source = Service Control Manager | ID = 7011
    Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
    response from the Wlansvc service.

    Error - 1/11/2012 7:34:54 PM | Computer Name = mercury-PC | Source = Service Control Manager | ID = 7011
    Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
    response from the ShellHWDetection service.

    Error - 1/11/2012 10:35:04 PM | Computer Name = mercury-PC | Source = Service Control Manager | ID = 7011
    Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
    response from the ShellHWDetection service.

    Error - 1/13/2012 12:00:39 AM | Computer Name = mercury-PC | Source = Service Control Manager | ID = 7011
    Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
    response from the ShellHWDetection service.

    Error - 1/14/2012 3:54:04 PM | Computer Name = mercury-PC | Source = Service Control Manager | ID = 7011
    Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
    response from the Wlansvc service.

    Error - 1/14/2012 5:48:20 PM | Computer Name = mercury-PC | Source = EventLog | ID = 6008
    Description = The previous system shutdown at 1:47:15 PM on ?1/?14/?2012 was unexpected.

    Error - 1/15/2012 2:44:13 PM | Computer Name = mercury-PC | Source = Service Control Manager | ID = 7030
    Description = The PEVSystemStart service is marked as an interactive service. However,
    the system is configured to not allow interactive services. This service may not
    function properly.

    Error - 1/15/2012 2:47:06 PM | Computer Name = mercury-PC | Source = Service Control Manager | ID = 7030
    Description = The PEVSystemStart service is marked as an interactive service. However,
    the system is configured to not allow interactive services. This service may not
    function properly.

    Error - 1/15/2012 2:49:56 PM | Computer Name = mercury-PC | Source = Service Control Manager | ID = 7030
    Description = The PEVSystemStart service is marked as an interactive service. However,
    the system is configured to not allow interactive services. This service may not
    function properly.


    < End of report >
     
  18. learninmypc

    learninmypc TS Evangelist Topic Starter Posts: 5,398   +240

    With the exception of not getting Google search results from the address bar, everything else seems OK.
    And I just noticed it has an MS update waiting.
     
  19. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    More details please.
    What browser?
    See if you have the same issue after running the fix listed below.

    =============================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
      FF - prefs.js..browser.search.defaultthis.engineName: "WhiteSmoke Bar Customized Web Search"
      [2012/01/06 21:57:41 | 000,000,000 | ---D | M] (WhiteSmoke Bar Community Toolbar) -- C:\Users\mercury\AppData\Roaming\Mozilla\Firefox\Profiles\jbvwe7ea.default\extensions\{167d9323-f7cc-48f5-948a-6f012831a69f}
      @Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:5C321E34
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ============================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce a log.
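The two "FF - prefs.js" lines in the OTL script above are Firefox user_pref() entries that the hijacker rewrote. As an added example (not part of this thread or of OTL), here is a small Python check that parses a prefs.js, flags search-engine prefs pointing at an engine outside an allowlist, and drops those lines so Firefox falls back to its built-in default; the sample prefs.js text and the allowlist are constructed for illustration.

```python
"""Audit a Firefox prefs.js for hijacked search-engine settings.

Added example, not code from the thread or from OTL. The sample
prefs.js content below is constructed to mirror the entries quoted
in the OTL fix (AVG Secure Search / WhiteSmoke Bar).
"""
import re

# Preference keys that browser hijackers commonly rewrite (assumption:
# this list is illustrative, not exhaustive).
SEARCH_PREFS = (
    "browser.search.defaultenginename",
    "browser.search.defaultthis.engineName",
    "browser.search.selectedEngine",
)

# Constructed sample; real prefs.js also holds int/bool prefs.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.search.defaultenginename", "AVG Secure Search");
user_pref("browser.search.defaultthis.engineName", "WhiteSmoke Bar Customized Web Search");
user_pref("browser.startup.homepage", "https://www.mozilla.org/");
user_pref("extensions.lastAppVersion", "9.0.1");
"""

# Matches only string-valued user_pref() lines, which is all we need here.
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);\s*$')


def parse_prefs(text):
    """Return {key: value} for every string-valued user_pref() line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def find_hijacked_prefs(text, allowed_engines=("Google", "Bing", "Yahoo")):
    """Return the search prefs whose value is not an allowed engine name."""
    prefs = parse_prefs(text)
    return {k: prefs[k] for k in SEARCH_PREFS
            if k in prefs and prefs[k] not in allowed_engines}


def clean_prefs(text, allowed_engines=("Google", "Bing", "Yahoo")):
    """Return prefs.js text with the hijacked lines removed; Firefox then
    recreates the defaults on next start (same effect as the OTL lines)."""
    bad = find_hijacked_prefs(text, allowed_engines)
    kept = [ln for ln in text.splitlines()
            if not (PREF_RE.match(ln.strip())
                    and PREF_RE.match(ln.strip()).group(1) in bad)]
    return "\n".join(kept) + "\n"
```

Run it against a copy of the profile's prefs.js while Firefox is closed, since Firefox rewrites the file on exit.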
     
  20. learninmypc

    learninmypc TS Evangelist Topic Starter Posts: 5,398   +240

    Browser is Firefox 9.01
    Doing next fix. (on different pc posting this)
     
  21. learninmypc

    learninmypc TS Evangelist Topic Starter Posts: 5,398   +240

    Ran the fix Run OTL

    Under the Custom Scans/Fixes box at the bottom, paste in the following,
    rebooted but see no log to post.
     
  22. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    Re-run the fix.
     
  23. learninmypc

    learninmypc TS Evangelist Topic Starter Posts: 5,398   +240

    I've re-run the fix. Is it supposed to reboot by itself or am I to reboot it?
     
  24. Broni

    Broni Malware Annihilator Posts: 47,704   +268

    It should reboot itself.
    If it doesn't, run the fix from safe mode.
     
  25. learninmypc

    learninmypc TS Evangelist Topic Starter Posts: 5,398   +240

    How do I get to safe mode in W7 ? I've tried the F8 key but it didn't do it.
     


