TechSpot

Infected by Rootkit.ZeroAccess and remnants remain in system

By jdeeganjr
Mar 9, 2012
  1. I am running a Dell Dimension 3000 using Microsoft XP Professional with Service Pack 3 and all Microsoft updates installed soon after they have been released. I am currently using, and have used for several years, Symantec Endpoint Protection (SEP) for my anti-virus program with all updates applied and current anti-virus signatures. SEP did not detect or prevent the Rootkit.ZeroAccess intrusion when it occurred. Nor did SEP detect the infection during full system scans that I periodically run.

    However, I suspected that something was wrong with my system and upon investigation using Kaspersky's Root Kit Killer was able to diagnose the presence of Rootkit.ZeroAccess. TDSSKiller was not able to remove the rootkit virus. I used a rootkit tool that I found on the Symantec website to "partially" remove the virus. However, a check of the network traffic monitored and blocked by SEP revealed that rootkit-related code was still on my system and periodically attempting to "call home" and answer calls from "home." I have disconnected my computer from the internet until I am confident that the problem has been solved and am using a different computer to communicate with you.

    I have followed the instructions in the Guide and include below the results from the actions I have taken. Unfortunately, I never could get DDS to run, either in normal mode or in safe mode. The script would simply hang and never complete. I let the script run for 20-30 minutes without completion. I have run all of the other diagnostic programs. Here are my results.

    Thank you in advance for your help,

    The log from TDSSKiller after using the SEP Rootkit.ZeroAccess tool.
    21:49:01.0093 3876 TDSS rootkit removing tool 2.7.19.0 Mar 5 2012 11:23:39
    21:49:01.0140 3876 ============================================================
    21:49:01.0140 3876 Current date / time: 2012/03/08 21:49:01.0140
    21:49:01.0140 3876 SystemInfo:
    21:49:01.0140 3876
    21:49:01.0140 3876 OS Version: 5.1.2600 ServicePack: 3.0
    21:49:01.0140 3876 Product type: Workstation
    21:49:01.0140 3876 ComputerName: DEEGAN
    21:49:01.0140 3876 UserName: jdeegan
    21:49:01.0140 3876 Windows directory: C:\WINDOWS
    21:49:01.0140 3876 System windows directory: C:\WINDOWS
    21:49:01.0140 3876 Processor architecture: Intel x86
    21:49:01.0140 3876 Number of processors: 2
    21:49:01.0140 3876 Page size: 0x1000
    21:49:01.0140 3876 Boot type: Normal boot
    21:49:01.0140 3876 ============================================================
    21:49:02.0984 3876 Drive \Device\Harddisk0\DR0 - Size: 0x1C9FEF0000 (114.50 Gb), SectorSize: 0x200, Cylinders: 0x3A62, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
    21:49:02.0984 3876 Drive \Device\Harddisk1\DR1 - Size: 0x1C9FEF0000 (114.50 Gb), SectorSize: 0x200, Cylinders: 0x3A62, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
    21:49:03.0156 3876 Drive \Device\Harddisk4\DR8 - Size: 0x7D00000 (0.12 Gb), SectorSize: 0x200, Cylinders: 0xF, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
    21:49:03.0156 3876 \Device\Harddisk0\DR0:
    21:49:03.0156 3876 MBR used
    21:49:03.0156 3876 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xE4F80E2
    21:49:03.0156 3876 \Device\Harddisk1\DR1:
    21:49:03.0156 3876 MBR used
    21:49:03.0156 3876 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xE4FBFA3
    21:49:03.0156 3876 \Device\Harddisk4\DR8:
    21:49:03.0171 3876 MBR used
    21:49:03.0171 3876 \Device\Harddisk4\DR8\Partition0: MBR, Type 0x6, StartLBA 0x20, BlocksNum 0x3E7DE
    21:49:03.0203 3876 Initialize success
    21:49:03.0203 3876 ============================================================
    21:49:05.0062 1444 ============================================================
    21:49:05.0062 1444 Scan started
    21:49:05.0062 1444 Mode: Manual;
    21:49:05.0062 1444 ============================================================
    21:49:06.0156 1444 Abiosdsk - ok
    21:49:06.0203 1444 abp480n5 - ok
    21:49:06.0265 1444 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    21:49:06.0265 1444 ACPI - ok
    21:49:06.0328 1444 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    21:49:06.0328 1444 ACPIEC - ok
    21:49:06.0406 1444 adfs (73685e15ef8b0bd9c30f1af413f13d49) C:\WINDOWS\system32\drivers\adfs.sys
    21:49:06.0406 1444 adfs - ok
    21:49:06.0437 1444 adpu160m - ok
    21:49:06.0500 1444 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    21:49:06.0515 1444 aec - ok
    21:49:06.0562 1444 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
    21:49:06.0562 1444 AFD - ok
    21:49:06.0609 1444 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
    21:49:06.0609 1444 agp440 - ok
    21:49:06.0640 1444 Aha154x - ok
    21:49:06.0671 1444 aic78u2 - ok
    21:49:06.0703 1444 aic78xx - ok
    21:49:06.0734 1444 AliIde - ok
    21:49:06.0765 1444 amsint - ok
    21:49:06.0796 1444 asc - ok
    21:49:06.0828 1444 asc3350p - ok
    21:49:06.0859 1444 asc3550 - ok
    21:49:06.0921 1444 Aspi32 (5b01af89d16d562825c4db4530f20cbb) C:\WINDOWS\system32\drivers\aspi32.sys
    21:49:06.0921 1444 Aspi32 - ok
    21:49:06.0968 1444 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    21:49:06.0968 1444 AsyncMac - ok
    21:49:07.0015 1444 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    21:49:07.0015 1444 atapi - ok
    21:49:07.0046 1444 Atdisk - ok
    21:49:07.0093 1444 atirage3 (79e888ccceafb49764b254c2537f1afb) C:\WINDOWS\system32\DRIVERS\atimpae.sys
    21:49:07.0093 1444 atirage3 - ok
    21:49:07.0140 1444 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    21:49:07.0140 1444 Atmarpc - ok
    21:49:07.0171 1444 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    21:49:07.0171 1444 audstub - ok
    21:49:07.0218 1444 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    21:49:07.0218 1444 Beep - ok
    21:49:07.0265 1444 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    21:49:07.0281 1444 cbidf2k - ok
    21:49:07.0312 1444 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    21:49:07.0312 1444 CCDECODE - ok
    21:49:07.0343 1444 cd20xrnt - ok
    21:49:07.0390 1444 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    21:49:07.0390 1444 Cdaudio - ok
    21:49:07.0437 1444 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    21:49:07.0437 1444 Cdfs - ok
    21:49:07.0484 1444 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    21:49:07.0484 1444 Cdrom - ok
    21:49:07.0515 1444 Changer - ok
    21:49:07.0578 1444 CmdIde - ok
    21:49:07.0609 1444 Cohbtokdfh - ok
    21:49:07.0656 1444 COH_Mon (86a22dff16e8ca67601044efe6825537) C:\WINDOWS\system32\Drivers\COH_Mon.sys
    21:49:07.0656 1444 COH_Mon - ok
    21:49:07.0703 1444 Cpqarray - ok
    21:49:07.0781 1444 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
    21:49:07.0781 1444 cpudrv - ok
    21:49:07.0828 1444 cpuz132 - ok
    21:49:07.0890 1444 CVirtA (5c706c06c1279952d2cc1a609ca948bf) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
    21:49:07.0890 1444 CVirtA - ok
    21:49:07.0937 1444 cwbmidi_device (7623d295feca7f311b750373fe9aed51) C:\WINDOWS\system32\drivers\cwbmidi.sys
    21:49:07.0937 1444 cwbmidi_device - ok
    21:49:07.0984 1444 cwbwdm_device (86e32e528092092188c58bcf4a9f96c5) C:\WINDOWS\system32\drivers\cwbwdm.sys
    21:49:07.0984 1444 cwbwdm_device - ok
    21:49:08.0015 1444 dac2w2k - ok
    21:49:08.0031 1444 dac960nt - ok
    21:49:08.0093 1444 DefragFS (d38c27df7b3e8840b4b92ed5c5c06c2c) C:\WINDOWS\system32\drivers\DefragFS.sys
    21:49:08.0093 1444 DefragFS - ok
    21:49:08.0156 1444 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    21:49:08.0156 1444 Disk - ok
    21:49:08.0234 1444 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    21:49:08.0265 1444 dmboot - ok
    21:49:08.0312 1444 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
    21:49:08.0328 1444 dmio - ok
    21:49:08.0343 1444 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    21:49:08.0343 1444 dmload - ok
    21:49:08.0390 1444 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    21:49:08.0406 1444 DMusic - ok
    21:49:08.0468 1444 DNE (2eddbb3ef1dd5a28cb07c149d36e7286) C:\WINDOWS\system32\DRIVERS\dne2000.sys
    21:49:08.0468 1444 DNE - ok
    21:49:08.0500 1444 dpti2o - ok
    21:49:08.0531 1444 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    21:49:08.0531 1444 drmkaud - ok
    21:49:08.0593 1444 E100B (ac9cf17ee2ae003c98eb4f5336c38058) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    21:49:08.0593 1444 E100B - ok
    21:49:08.0718 1444 eeCtrl (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    21:49:08.0718 1444 eeCtrl - ok
    21:49:08.0765 1444 EGATHDRV (7f220875288944c9c7856e2bc8613b1f) C:\WINDOWS\SYSTEM32\EGATHDRV.SYS
    21:49:08.0765 1444 EGATHDRV - ok
    21:49:08.0781 1444 EL90XBC - ok
    21:49:08.0828 1444 EraserUtilRebootDrv (028d50f059bd0d2ccb209e9011b9a9a4) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    21:49:08.0828 1444 EraserUtilRebootDrv - ok
    21:49:08.0890 1444 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    21:49:08.0890 1444 Fastfat - ok
    21:49:08.0921 1444 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    21:49:08.0921 1444 Fdc - ok
    21:49:08.0984 1444 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    21:49:08.0984 1444 Fips - ok
    21:49:09.0015 1444 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    21:49:09.0031 1444 Flpydisk - ok
    21:49:09.0078 1444 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    21:49:09.0078 1444 FltMgr - ok
    21:49:09.0156 1444 FreshIO (caac750e6d27866c28494e0de9fa802a) C:\Program Files\FreshDevices\FreshDiagnose\FreshIO.sys
    21:49:09.0156 1444 FreshIO - ok
    21:49:09.0187 1444 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    21:49:09.0187 1444 Fs_Rec - ok
    21:49:09.0218 1444 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    21:49:09.0218 1444 Ftdisk - ok
    21:49:09.0265 1444 GearAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    21:49:09.0265 1444 GearAspiWDM - ok
    21:49:09.0328 1444 GenericMount (69f8f310654d699c7e5bd5c67279980f) C:\WINDOWS\system32\DRIVERS\GenericMount.sys
    21:49:09.0328 1444 GenericMount - ok
    21:49:09.0375 1444 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    21:49:09.0375 1444 Gpc - ok
    21:49:09.0406 1444 hpn - ok
    21:49:09.0453 1444 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
    21:49:09.0468 1444 HPZid412 - ok
    21:49:09.0500 1444 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
    21:49:09.0500 1444 HPZipr12 - ok
    21:49:09.0531 1444 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
    21:49:09.0531 1444 HPZius12 - ok
    21:49:09.0578 1444 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    21:49:09.0578 1444 HTTP - ok
    21:49:09.0609 1444 i2omgmt - ok
    21:49:09.0640 1444 i2omp - ok
    21:49:09.0687 1444 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    21:49:09.0703 1444 i8042prt - ok
    21:49:09.0796 1444 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
    21:49:09.0843 1444 ialm - ok
    21:49:09.0906 1444 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\drivers\Imapi.sys
    21:49:09.0906 1444 Imapi - ok
    21:49:09.0937 1444 ini910u - ok
    21:49:09.0984 1444 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    21:49:09.0984 1444 IntelIde - ok
    21:49:10.0015 1444 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    21:49:10.0015 1444 intelppm - ok
    21:49:10.0078 1444 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    21:49:10.0078 1444 Ip6Fw - ok
    21:49:10.0125 1444 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    21:49:10.0125 1444 IpFilterDriver - ok
    21:49:10.0171 1444 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    21:49:10.0171 1444 IpInIp - ok
    21:49:10.0203 1444 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    21:49:10.0203 1444 IpNat - ok
    21:49:10.0250 1444 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    21:49:10.0250 1444 IPSec - ok
    21:49:10.0281 1444 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    21:49:10.0296 1444 IRENUM - ok
    21:49:10.0343 1444 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    21:49:10.0343 1444 isapnp - ok
    21:49:10.0375 1444 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    21:49:10.0375 1444 Kbdclass - ok
    21:49:10.0421 1444 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    21:49:10.0421 1444 kmixer - ok
    21:49:10.0468 1444 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    21:49:10.0468 1444 KSecDD - ok
    21:49:10.0500 1444 lbrtfdc - ok
    21:49:10.0578 1444 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
    21:49:10.0578 1444 MBAMProtector - ok
    21:49:10.0640 1444 mf (a7da20ab18a1bdae28b0f349e57da0d1) C:\WINDOWS\system32\DRIVERS\mf.sys
    21:49:10.0640 1444 mf - ok
    21:49:10.0687 1444 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    21:49:10.0687 1444 mnmdd - ok
    21:49:10.0734 1444 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    21:49:10.0750 1444 Modem - ok
    21:49:10.0781 1444 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    21:49:10.0781 1444 Mouclass - ok
    21:49:10.0875 1444 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    21:49:10.0890 1444 MountMgr - ok
    21:49:11.0078 1444 mraid35x - ok
    21:49:11.0265 1444 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
    21:49:11.0265 1444 MREMP50 - ok
    21:49:11.0281 1444 MREMPR5 - ok
    21:49:11.0375 1444 MRENDIS5 - ok
    21:49:11.0484 1444 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
    21:49:11.0484 1444 MRESP50 - ok
    21:49:11.0687 1444 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    21:49:11.0718 1444 MRxDAV - ok
    21:49:11.0781 1444 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    21:49:11.0796 1444 MRxSmb - ok
    21:49:11.0828 1444 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    21:49:11.0828 1444 Msfs - ok
    21:49:11.0890 1444 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    21:49:11.0890 1444 MSKSSRV - ok
    21:49:11.0921 1444 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    21:49:11.0921 1444 MSPCLOCK - ok
    21:49:11.0953 1444 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    21:49:11.0953 1444 MSPQM - ok
    21:49:11.0984 1444 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    21:49:11.0984 1444 mssmbios - ok
    21:49:12.0031 1444 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    21:49:12.0031 1444 MSTEE - ok
    21:49:12.0078 1444 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
    21:49:12.0078 1444 Mup - ok
    21:49:12.0125 1444 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    21:49:12.0125 1444 NABTSFEC - ok
    21:49:12.0187 1444 NAL (a467e1deb3bb2b57426c8a5993ba933e) C:\WINDOWS\system32\Drivers\iqvw32.sys
    21:49:12.0187 1444 NAL - ok
    21:49:12.0343 1444 NAVENG (862f55824ac81295837b0ab63f91071f) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120307.035\NAVENG.SYS
    21:49:12.0343 1444 NAVENG - ok
    21:49:12.0437 1444 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120307.035\NAVEX15.SYS
    21:49:12.0437 1444 NAVEX15 - ok
    21:49:12.0484 1444 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    21:49:12.0484 1444 NDIS - ok
    21:49:12.0531 1444 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    21:49:12.0531 1444 NdisIP - ok
    21:49:12.0578 1444 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    21:49:12.0578 1444 NdisTapi - ok
    21:49:12.0609 1444 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    21:49:12.0609 1444 Ndisuio - ok
    21:49:12.0656 1444 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    21:49:12.0656 1444 NdisWan - ok
    21:49:12.0718 1444 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    21:49:12.0718 1444 NDProxy - ok
    21:49:12.0750 1444 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    21:49:12.0750 1444 NetBIOS - ok
    21:49:12.0796 1444 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    21:49:12.0796 1444 NetBT - ok
    21:49:12.0875 1444 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
    21:49:12.0890 1444 nm - ok
    21:49:12.0937 1444 NmPar (46253ca6d525c9d90a3dbf0ba0398bc9) C:\WINDOWS\system32\DRIVERS\NmPar.sys
    21:49:12.0953 1444 NmPar - ok
    21:49:13.0000 1444 NPF (6623e51595c0076755c29c00846c4eb2) C:\WINDOWS\system32\drivers\npf.sys
    21:49:13.0000 1444 NPF - ok
    21:49:13.0046 1444 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    21:49:13.0046 1444 Npfs - ok
    21:49:13.0093 1444 NtApm (325ffaeceeace80d2643e6bdc7c1f9e2) C:\WINDOWS\system32\DRIVERS\NtApm.sys
    21:49:13.0093 1444 NtApm - ok
    21:49:13.0171 1444 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    21:49:13.0218 1444 Ntfs - ok
    21:49:13.0250 1444 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    21:49:13.0250 1444 Null - ok
    21:49:13.0796 1444 nv (4b54dcd6adee535df80f07c59ddd8f14) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    21:49:14.0281 1444 nv - ok
    21:49:14.0343 1444 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    21:49:14.0343 1444 NwlnkFlt - ok
    21:49:14.0375 1444 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    21:49:14.0375 1444 NwlnkFwd - ok
    21:49:14.0437 1444 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    21:49:14.0437 1444 Parport - ok
    21:49:14.0484 1444 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    21:49:14.0484 1444 PartMgr - ok
    21:49:14.0531 1444 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    21:49:14.0531 1444 ParVdm - ok
    21:49:14.0562 1444 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    21:49:14.0562 1444 PCI - ok
    21:49:14.0593 1444 PCIDump - ok
    21:49:14.0625 1444 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    21:49:14.0625 1444 PCIIde - ok
    21:49:14.0687 1444 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    21:49:14.0687 1444 Pcmcia - ok
    21:49:14.0718 1444 PDCOMP - ok
    21:49:14.0750 1444 PDFRAME - ok
    21:49:14.0781 1444 PDRELI - ok
    21:49:14.0812 1444 PDRFRAME - ok
    21:49:14.0843 1444 perc2 - ok
    21:49:14.0875 1444 perc2hib - ok
    21:49:15.0000 1444 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    21:49:15.0000 1444 PptpMiniport - ok
    21:49:15.0031 1444 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
    21:49:15.0046 1444 Processor - ok
    21:49:15.0109 1444 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    21:49:15.0109 1444 PSched - ok
    21:49:15.0156 1444 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
    21:49:15.0156 1444 PSI - ok
    21:49:15.0203 1444 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    21:49:15.0203 1444 Ptilink - ok
    21:49:15.0250 1444 PxHelp20 (40fedd328f98245ad201cf5f9f311724) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
    21:49:15.0250 1444 PxHelp20 - ok
    21:49:15.0281 1444 ql1080 - ok
    21:49:15.0296 1444 Ql10wnt - ok
    21:49:15.0328 1444 ql12160 - ok
    21:49:15.0359 1444 ql1240 - ok
    21:49:15.0390 1444 ql1280 - ok
    21:49:15.0437 1444 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    21:49:15.0437 1444 RasAcd - ok
    21:49:15.0500 1444 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    21:49:15.0500 1444 Rasl2tp - ok
    21:49:15.0562 1444 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    21:49:15.0562 1444 RasPppoe - ok
    21:49:15.0609 1444 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    21:49:15.0609 1444 Raspti - ok
    21:49:15.0656 1444 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    21:49:15.0656 1444 Rdbss - ok
    21:49:15.0687 1444 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    21:49:15.0687 1444 RDPCDD - ok
    21:49:15.0734 1444 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    21:49:15.0750 1444 rdpdr - ok
    21:49:15.0796 1444 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
    21:49:15.0812 1444 RDPWD - ok
    21:49:15.0875 1444 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    21:49:15.0875 1444 redbook - ok
    21:49:15.0906 1444 RimUsb - ok
    21:49:15.0953 1444 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
    21:49:15.0953 1444 RimVSerPort - ok
    21:49:16.0000 1444 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
    21:49:16.0000 1444 ROOTMODEM - ok
    21:49:16.0093 1444 RTL8023xp (47b8ea4493ebffb3d6a0e06cd03c5aba) C:\WINDOWS\system32\DRIVERS\FA311XP.SYS
    21:49:16.0093 1444 RTL8023xp - ok
    21:49:16.0140 1444 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
    21:49:16.0140 1444 rtl8139 - ok
    21:49:16.0171 1444 SANDRA - ok
    21:49:16.0218 1444 SBRE - ok
    21:49:16.0296 1444 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    21:49:16.0296 1444 Secdrv - ok
    21:49:16.0375 1444 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
    21:49:16.0406 1444 senfilt - ok
    21:49:16.0453 1444 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    21:49:16.0453 1444 serenum - ok
    21:49:16.0500 1444 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    21:49:16.0500 1444 Serial - ok
    21:49:16.0578 1444 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    21:49:16.0593 1444 Sfloppy - ok
    21:49:16.0625 1444 Simbad - ok
    21:49:16.0671 1444 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    21:49:16.0671 1444 SLIP - ok
    21:49:16.0750 1444 smwdm (86c4d93b7b7818d066c52fdb03c6c921) C:\WINDOWS\system32\drivers\smwdm.sys
    21:49:16.0750 1444 smwdm - ok
    21:49:16.0781 1444 Sparrow - ok
    21:49:16.0921 1444 SPBBCDrv (e87cf104f12c92401c4d33c50a3d5dc8) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
    21:49:16.0937 1444 SPBBCDrv - ok
    21:49:16.0984 1444 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    21:49:16.0984 1444 splitter - ok
    21:49:17.0031 1444 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\System32\DRIVERS\sr.sys
    21:49:17.0031 1444 sr - ok
    21:49:17.0093 1444 SRTSP (620bbcc5c4c4407447866793c36e1215) C:\WINDOWS\system32\Drivers\SRTSP.SYS
    21:49:17.0093 1444 SRTSP - ok
    21:49:17.0156 1444 SRTSPL (995e15de499ca58445e39a2fba7d170e) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
    21:49:17.0171 1444 SRTSPL - ok
    21:49:17.0203 1444 SRTSPX (1b63f794f283b974a79084514df206a0) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
    21:49:17.0203 1444 SRTSPX - ok
    21:49:17.0265 1444 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    21:49:17.0281 1444 Srv - ok
    21:49:17.0312 1444 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    21:49:17.0312 1444 streamip - ok
    21:49:17.0375 1444 SUSTUCAM (0349f7702b819986c292825c676d00fa) C:\WINDOWS\system32\DRIVERS\sustucam.sys
    21:49:17.0375 1444 SUSTUCAM - ok
    21:49:17.0421 1444 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    21:49:17.0421 1444 swenum - ok
    21:49:17.0453 1444 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    21:49:17.0468 1444 swmidi - ok
    21:49:17.0515 1444 symc810 - ok
    21:49:17.0546 1444 symc8xx - ok
    21:49:17.0593 1444 SymEvent (ab33c3b196197ca467cbdda717860dba) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    21:49:17.0609 1444 SymEvent - ok
    21:49:17.0656 1444 SYMREDRV (394b2368212114d538316812af60fddd) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
    21:49:17.0656 1444 SYMREDRV - ok
    21:49:17.0703 1444 symsnap (a5cf31080e99718949bcc38c83f13452) C:\WINDOWS\system32\DRIVERS\symsnap.sys
    21:49:17.0703 1444 symsnap - ok
    21:49:17.0750 1444 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
    21:49:17.0750 1444 SYMTDI - ok
    21:49:17.0781 1444 sym_hi - ok
    21:49:17.0812 1444 sym_u3 - ok
    21:49:17.0859 1444 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    21:49:17.0859 1444 sysaudio - ok
    21:49:17.0890 1444 SysPlant (c8f9eb4ac42740d036b0b9f0809b335b) C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys
    21:49:17.0890 1444 SysPlant - ok
    21:49:17.0968 1444 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    21:49:17.0968 1444 Tcpip - ok
    21:49:18.0031 1444 Tcpip6 (4e53bbcc4be37d7a4bd6ef1098c89ff7) C:\WINDOWS\system32\DRIVERS\tcpip6.sys
    21:49:18.0046 1444 Tcpip6 - ok
    21:49:18.0078 1444 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    21:49:18.0093 1444 TDPIPE - ok
    21:49:18.0140 1444 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    21:49:18.0156 1444 TDTCP - ok
    21:49:18.0203 1444 Teefer2 (75346634d815c9fda103ae5fada072b3) C:\WINDOWS\system32\DRIVERS\teefer2.sys
    21:49:18.0203 1444 Teefer2 - ok
    21:49:18.0250 1444 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    21:49:18.0250 1444 TermDD - ok
    21:49:18.0296 1444 TosIde - ok
    21:49:18.0359 1444 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys
    21:49:18.0359 1444 tunmp - ok
    21:49:18.0406 1444 TVICHW32 (e266683fc95abdec17cd378564e1b54b) C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS
    21:49:18.0406 1444 TVICHW32 - ok
    21:49:18.0453 1444 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    21:49:18.0468 1444 Udfs - ok
    21:49:18.0500 1444 ultra - ok
    21:49:18.0546 1444 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    21:49:18.0562 1444 Update - ok
    21:49:18.0609 1444 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
    21:49:18.0625 1444 usbaudio - ok
    21:49:18.0671 1444 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    21:49:18.0671 1444 usbccgp - ok
    21:49:18.0703 1444 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    21:49:18.0703 1444 usbehci - ok
    21:49:18.0750 1444 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    21:49:18.0765 1444 usbhub - ok
    21:49:18.0796 1444 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    21:49:18.0796 1444 usbprint - ok
    21:49:18.0843 1444 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    21:49:18.0843 1444 usbscan - ok
    21:49:18.0875 1444 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    21:49:18.0875 1444 USBSTOR - ok
    21:49:18.0906 1444 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    21:49:18.0906 1444 usbuhci - ok
    21:49:18.0953 1444 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
    21:49:18.0953 1444 usbvideo - ok
    21:49:19.0000 1444 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    21:49:19.0000 1444 VgaSave - ok
    21:49:19.0031 1444 ViaIde - ok
    21:49:19.0078 1444 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    21:49:19.0078 1444 VolSnap - ok
    21:49:19.0109 1444 VProEventMonitor (ef3506b04eb9124240b35148eaacbaa5) C:\WINDOWS\system32\DRIVERS\vproeventmonitor.sys
    21:49:19.0109 1444 VProEventMonitor - ok
    21:49:19.0140 1444 vsdatant - ok
    21:49:19.0218 1444 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    21:49:19.0218 1444 Wanarp - ok
    21:49:19.0281 1444 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
    21:49:19.0296 1444 Wdf01000 - ok
    21:49:19.0328 1444 WDICA - ok
    21:49:19.0375 1444 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    21:49:19.0375 1444 wdmaud - ok
    21:49:19.0421 1444 WimFltr (090a2b8f055343815556a01f725f6c35) C:\WINDOWS\system32\DRIVERS\wimfltr.sys
    21:49:19.0437 1444 WimFltr - ok
    21:49:19.0609 1444 WPS (d81ef0d8716500a573cd82185ef3e42d) C:\WINDOWS\system32\drivers\wpsdrvnt.sys
    21:49:19.0609 1444 WPS - ok
    21:49:19.0671 1444 WpsHelper (ff983a25ae6f7d3f87f26bf51f02a201) C:\WINDOWS\system32\drivers\WpsHelper.sys
    21:49:19.0671 1444 WpsHelper - ok
    21:49:19.0718 1444 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    21:49:19.0718 1444 WSTCODEC - ok
    21:49:19.0765 1444 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    21:49:19.0765 1444 WudfPf - ok
    21:49:19.0812 1444 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    21:49:19.0812 1444 WudfRd - ok
    21:49:19.0875 1444 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
    21:49:19.0984 1444 \Device\Harddisk0\DR0 - ok
    21:49:20.0000 1444 MBR (0x1B8) (35c6b2fcde68facbefe0a4a7200bae58) \Device\Harddisk1\DR1
    21:49:22.0796 1444 \Device\Harddisk1\DR1 - ok
    21:49:22.0828 1444 MBR (0x1B8) (ad00bc00aca714232fd4768277895154) \Device\Harddisk4\DR8
    21:49:25.0593 1444 \Device\Harddisk4\DR8 - ok
    21:49:25.0593 1444 Boot (0x1200) (89f2c810a8038e78c80a14ff359355e4) \Device\Harddisk0\DR0\Partition0
    21:49:25.0593 1444 \Device\Harddisk0\DR0\Partition0 - ok
    21:49:25.0609 1444 Boot (0x1200) (cd642ed4c466c642e62839d2aa735447) \Device\Harddisk1\DR1\Partition0
    21:49:25.0609 1444 \Device\Harddisk1\DR1\Partition0 - ok
    21:49:25.0640 1444 Boot (0x1200) (b66a625fb30818cf5e6150aa1cb4a95f) \Device\Harddisk4\DR8\Partition0
    21:49:25.0640 1444 \Device\Harddisk4\DR8\Partition0 - ok
    21:49:25.0640 1444 ============================================================
    21:49:25.0640 1444 Scan finished
    21:49:25.0640 1444 ============================================================
    21:49:25.0671 1396 Detected object count: 0
    21:49:25.0671 1396 Actual detected object count: 0
    21:49:49.0234 3844 Deinitialize success

    The log from Malwarebytes Anti-malware:
    Malwarebytes Anti-Malware (PRO) 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.07.02

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    jdeegan :: DEEGAN [administrator]

    Protection: Enabled

    3/7/2012 9:17:42 AM
    mbam-log-2012-03-07 (09-17-42).txt

    Scan type: Flash scan
    Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: Registry | File System | P2P
    Objects scanned: 153266
    Time elapsed: 1 minute(s), 6 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    The log from aswMBR:
    aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-06 13:08:30
    -----------------------------
    13:08:30.625 OS Version: Windows 5.1.2600 Service Pack 3
    13:08:30.625 Number of processors: 2 586 0x401
    13:08:30.625 ComputerName: DEEGAN UserName:
    13:08:31.562 Initialize success
    13:08:42.718 AVAST engine defs: 12030600
    13:08:50.671 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
    13:08:50.671 Disk 0 Vendor: Maxtor_6Y120P0 YAR41BW0 Size: 117246MB BusType: 3
    13:08:50.671 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
    13:08:50.671 Disk 1 Vendor: Maxtor_6Y120P0 YAR41BW0 Size: 117246MB BusType: 3
    13:08:50.671 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP1T0L0-18
    13:08:50.671 Disk 2 Vendor: IOMEGA_ZIP_250 42.S Size: 117246MB BusType: 2
    13:08:50.687 Disk 0 MBR read successfully
    13:08:50.687 Disk 0 MBR scan
    13:08:50.718 Disk 0 Windows XP default MBR code
    13:08:50.718 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 117232 MB offset 63
    13:08:50.734 Disk 0 scanning sectors +240091425
    13:08:50.781 Disk 0 scanning C:\WINDOWS\system32\drivers
    13:09:08.140 Service scanning
    13:09:26.859 Service SysPlant C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys **LOCKED** 32
    13:09:27.203 Service Teefer2 C:\WINDOWS\system32\DRIVERS\teefer2.sys **LOCKED** 32
    13:09:29.843 Service WPS C:\WINDOWS\system32\drivers\wpsdrvnt.sys **LOCKED** 32
    13:09:29.906 Service WpsHelper C:\WINDOWS\system32\drivers\WpsHelper.sys **LOCKED** 32
    13:09:30.781 Modules scanning
    13:09:37.359 Disk 0 trace - called modules:
    13:09:37.375 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
    13:09:37.375 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a5acab8]
    13:09:37.375 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8a63ad98]
    13:09:37.375 Scan finished successfully
    13:10:00.343 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\jdeegan\Desktop\MBR.dat"
    13:10:00.343 The log file has been saved successfully to "C:\Documents and Settings\jdeegan\Desktop\aswMBR.txt"

    The log from Symantec Endpoint Protection:
    Symantec Endpoint Protection Ver. 11.0.7101.1056
    Virus Definitions dated 03/08/2012

    Partial Network Threat Protection traffic log for 03/07/2012 and 03/08/2012


    183517 3/7/2012 11:59:04 PM Blocked 10 Incoming UDP 192.168.1.2 00-1E-2A-47-63-5C 137 192.168.1.255 FF-FF-FF-FF-FF-FF 137 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 9 3/7/2012 11:58:03 PM 3/7/2012 11:58:14 PM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
    183636 3/8/2012 7:12:07 AM Blocked 10 Outgoing UDP 192.168.1.255 FF-FF-FF-FF-FF-FF 138 192.168.1.2 00-1E-2A-47-63-5C 138 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 1 3/8/2012 7:11:05 AM 3/8/2012 7:11:05 AM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP

    ....... more of the same

    183657 3/8/2012 8:24:04 AM Blocked 10 Outgoing UDP 192.168.1.255 FF-FF-FF-FF-FF-FF 138 192.168.1.2 00-1E-2A-47-63-5C 138 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 1 3/8/2012 8:23:03 AM 3/8/2012 8:23:03 AM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP

    Finally, the log from GMER:
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-03-08 08:27:05
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 Maxtor_6Y120P0 rev.YAR41BW0
    Running: GMER.exe; Driver: C:\DOCUME~1\jdeegan\LOCALS~1\Temp\ugtdapod.sys


    ---- System - GMER 1.0.15 ----

    SSDT 8A222128 ZwAlertResumeThread
    SSDT 8A4C4DC8 ZwAlertThread
    SSDT 8A21E310 ZwAllocateVirtualMemory
    SSDT 8A58D4D8 ZwConnectPort
    SSDT 8A4150E8 ZwCreateMutant
    SSDT 8A222160 ZwCreateThread
    SSDT 8A23E410 ZwFreeVirtualMemory
    SSDT 8A4151B8 ZwImpersonateAnonymousToken
    SSDT 8A2216B8 ZwImpersonateThread
    SSDT 8A239618 ZwMapViewOfSection
    SSDT 8A248008 ZwOpenEvent
    SSDT 8A4E81F0 ZwOpenProcessToken
    SSDT 8A23B180 ZwOpenThreadToken
    SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xB6B87BA0]
    SSDT 8A4B5AD0 ZwResumeThread
    SSDT 8A431100 ZwSetContextThread
    SSDT 8A22AF38 ZwSetInformationProcess
    SSDT 8A221848 ZwSetInformationThread
    SSDT 8A248130 ZwSuspendProcess
    SSDT 8A41B788 ZwSuspendThread
    SSDT 8A4D2738 ZwTerminateProcess
    SSDT 8A225860 ZwTerminateThread
    SSDT 8A4C6E78 ZwUnmapViewOfSection
    SSDT 8A224BB0 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!ZwYieldExecution + 122 804E497C 4 Bytes [E8, 50, 41, 8A]
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB7105380, 0x8D6CD5, 0xE8000020]
    init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB7027F80]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Internet Explorer\iexplore.exe[2972] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2972] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AA5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2972] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD119 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2972] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB14 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2972] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254686 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2972] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2972] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2972] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E534C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2972] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2972] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E5214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2972] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2972] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E5276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2972] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB70 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2972] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E5717 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2972] ws2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 46CB3704 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2972] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 46CB41DF C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2972] ws2_32.dll!socket 71AB4211 5 Bytes JMP 46CB354C C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2972] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 46CB35DC C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2972] ws2_32.dll!send 71AB4C27 5 Bytes JMP 46CB3B92 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2972] ws2_32.dll!recv 71AB676F 5 Bytes JMP 46CB4549 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3804] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3804] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB14 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3804] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3804] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3804] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E534C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3804] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3804] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E5214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3804] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3804] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E5276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device ftdisk.sys (FT Disk Driver/Microsoft Corporation)
    Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
    Device Fs_Rec.SYS (File System Recognizer Driver/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----

    Again, I could not get DDS to run successfully and am unable to produce its log.
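As an added example (not code from the original post, from Symantec, or from the tools in the thread), a small Python parser for the Network Threat Protection traffic-log lines quoted above. It splits each entry into its fields and labels it as local-subnet broadcast traffic (NetBIOS 137/138 to 192.168.1.255 with the FF-FF-FF-FF-FF-FF MAC), other LAN traffic, or traffic involving an address outside the LAN, which is the distinction a defender needs before reading a blocked entry as a beacon. The column names are assumptions based on the visible field order, and the third sample line (an external host in the 203.0.113.0/24 documentation range) is constructed.

```python
"""Parse Symantec Endpoint Protection (SEP) Network Threat Protection traffic-log
lines and sort them into LAN broadcast noise versus traffic touching an external host.

Column names below are an assumption from the visible field order; SEP's own
export header is not available here.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
NETBIOS_PORTS = {137, 138, 139}  # name service, datagram service, session service
# RFC 1918 ranges plus link-local; checked explicitly rather than via
# ipaddress.is_private, which also treats the documentation ranges as private.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

_MAC = r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"
_HEAD = re.compile(
    r"^(?P<id>\d+)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<action>\w+)\s+(?P<code>\d+)\s+(?P<direction>Incoming|Outgoing)\s+"
    r"(?P<proto>[A-Za-z0-9]+)\s+"
    r"(?P<ip1>\S+)\s+(?P<mac1>" + _MAC + r")\s+(?P<port1>\d+)\s+"
    r"(?P<ip2>\S+)\s+(?P<mac2>" + _MAC + r")\s+(?P<port2>\d+)\s+"
    r"(?P<rest>.+)$"
)


@dataclass
class TrafficEvent:
    event_id: int
    timestamp: str
    action: str
    direction: str
    proto: str
    ip1: str
    mac1: str
    port1: int
    ip2: str
    mac2: str
    port2: int
    application: str
    user: str
    host: str
    count: int
    rule: str


def parse_line(line: str) -> Optional[TrafficEvent]:
    """Return a TrafficEvent for one exported log line, or None if it does not match."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    # The trailing fields have a fixed token count (user, host, location, count,
    # begin date/time/AMPM, end date/time/AMPM, rule = 11 tokens), so split from
    # the right and let the application path keep any spaces it contains.
    tail = m.group("rest").rsplit(None, 11)
    if len(tail) != 12:
        return None
    app, user, host, _loc, count, _bd, _bt, _bp, _ed, _et, _ep, rule = tail
    return TrafficEvent(
        event_id=int(m.group("id")),
        timestamp=f"{m.group('date')} {m.group('time')}",
        action=m.group("action"), direction=m.group("direction"), proto=m.group("proto"),
        ip1=m.group("ip1"), mac1=m.group("mac1"), port1=int(m.group("port1")),
        ip2=m.group("ip2"), mac2=m.group("mac2"), port2=int(m.group("port2")),
        application=app, user=user, host=host, count=int(count), rule=rule,
    )


def _is_lan(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETS)


def classify(ev: TrafficEvent) -> str:
    """'lan-broadcast', 'lan' or 'external', with '/netbios' appended for NetBIOS ports."""
    if BROADCAST_MAC in (ev.mac1.upper(), ev.mac2.upper()):
        label = "lan-broadcast"
    elif _is_lan(ev.ip1) and _is_lan(ev.ip2):
        label = "lan"
    else:
        label = "external"
    if {ev.port1, ev.port2} & NETBIOS_PORTS:
        label += "/netbios"
    return label


def triage(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Parse and classify every line; returns (event_id, label, application) tuples."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            out.append((ev.event_id, classify(ev), ev.application))
    return out


# First two lines are copied from the log posted above; the third is constructed
# (203.0.113.7 is a documentation address) to show an entry that leaves the LAN.
SAMPLE_LINES = [
    r"183517 3/7/2012 11:59:04 PM Blocked 10 Incoming UDP 192.168.1.2 00-1E-2A-47-63-5C 137 192.168.1.255 FF-FF-FF-FF-FF-FF 137 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 9 3/7/2012 11:58:03 PM 3/7/2012 11:58:14 PM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP",
    r"183636 3/8/2012 7:12:07 AM Blocked 10 Outgoing UDP 192.168.1.255 FF-FF-FF-FF-FF-FF 138 192.168.1.2 00-1E-2A-47-63-5C 138 C:\WINDOWS\system32\ntoskrnl.exe jdeegan DEEGAN Default 1 3/8/2012 7:11:05 AM 3/8/2012 7:11:05 AM GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP",
    r"999999 3/8/2012 9:00:00 AM Blocked 10 Outgoing TCP 192.168.1.2 00-1E-2A-47-63-5C 1055 203.0.113.7 00-00-00-00-00-00 80 C:\Program Files\Example\unknown.exe jdeegan DEEGAN Default 1 3/8/2012 8:59:00 AM 3/8/2012 8:59:00 AM CONSTRUCTED-RULE",
]

if __name__ == "__main__":
    for event_id, label, app in triage(SAMPLE_LINES):
        print(event_id, label, app)
```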
     
  2. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =================================================================

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open Notepad and press CTRL+V
    • Post the output back here.
     
  3. jdeeganjr

    jdeeganjr TS Rookie Topic Starter Posts: 20

    Run boot_cleaner in Normal mode or Safe mode?

    Should I run boot_cleaner.exe in normal mode or in safe mode? Presently, my infected machine is disconnected from the internet and will not be re-connected without specific direction from you.

    Thanks in advance for your help.
     
  4. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    You can run it from either mode.
     
  5. jdeeganjr

    jdeeganjr TS Rookie Topic Starter Posts: 20

    Results From boot_cleaner.exe

    .\debug.cpp(238) : Debug log started at 09.03.2012 - 22:24:58
    .\boot_cleaner.cpp(527) : Bootkit Remover
    .\boot_cleaner.cpp(528) : (c) 2009 Esage Lab
    .\boot_cleaner.cpp(529) : www.esagelab.com
    .\boot_cleaner.cpp(533) : Program version: 1.2.0.1
    .\boot_cleaner.cpp(540) : OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    .\debug.cpp(248) : **********************************************
    .\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
    .\debug.cpp(250) : **********************************************
    .\debug.cpp(256) : 0x804d7000 0x00229000 "\WINDOWS\system32\ntoskrnl.exe"
    .\debug.cpp(256) : 0x80700000 0x00020d00 "\WINDOWS\system32\hal.dll"
    .\debug.cpp(256) : 0xf7987000 0x00002000 "\WINDOWS\system32\KDCOM.DLL"
    .\debug.cpp(256) : 0xf7897000 0x00003000 "\WINDOWS\system32\BOOTVID.dll"
    .\debug.cpp(256) : 0xf75a8000 0x0002e000 "ACPI.sys"
    .\debug.cpp(256) : 0xf7989000 0x00002000 "\WINDOWS\System32\DRIVERS\WMILIB.SYS"
    .\debug.cpp(256) : 0xf7597000 0x00011000 "pci.sys"
    .\debug.cpp(256) : 0xf75f7000 0x0000a000 "isapnp.sys"
    .\debug.cpp(256) : 0xf7a4f000 0x00001000 "pciide.sys"
    .\debug.cpp(256) : 0xf7707000 0x00007000 "\WINDOWS\System32\DRIVERS\PCIIDEX.SYS"
    .\debug.cpp(256) : 0xf798b000 0x00002000 "intelide.sys"
    .\debug.cpp(256) : 0xf7607000 0x0000b000 "MountMgr.sys"
    .\debug.cpp(256) : 0xf74d8000 0x0001f000 "ftdisk.sys"
    .\debug.cpp(256) : 0xf798d000 0x00002000 "dmload.sys"
    .\debug.cpp(256) : 0xf74b2000 0x00026000 "dmio.sys"
    .\debug.cpp(256) : 0xf770f000 0x00005000 "PartMgr.sys"
    .\debug.cpp(256) : 0xf7617000 0x0000d000 "VolSnap.sys"
    .\debug.cpp(256) : 0xf749a000 0x00018000 "atapi.sys"
    .\debug.cpp(256) : 0xf7627000 0x00009000 "disk.sys"
    .\debug.cpp(256) : 0xf7637000 0x0000d000 "\WINDOWS\System32\DRIVERS\CLASSPNP.SYS"
    .\debug.cpp(256) : 0xf747a000 0x00020000 "fltmgr.sys"
    .\debug.cpp(256) : 0xf7647000 0x0000a000 "PxHelp20.sys"
    .\debug.cpp(256) : 0xf7459000 0x00021000 "symsnap.sys"
    .\debug.cpp(256) : 0xf7442000 0x00017000 "KSecDD.sys"
    .\debug.cpp(256) : 0xf742f000 0x00013000 "DefragFS.sys"
    .\debug.cpp(256) : 0xf7b52000 0x0008d000 "Ntfs.sys"
    .\debug.cpp(256) : 0xf7402000 0x0002d000 "NDIS.sys"
    .\debug.cpp(256) : 0xf787d000 0x0001a000 "Mup.sys"
    .\debug.cpp(256) : 0xf7657000 0x0000b000 "agp440.sys"
    .\debug.cpp(256) : 0xb87fc000 0x00003000 "\SystemRoot\system32\DRIVERS\tunmp.sys"
    .\debug.cpp(256) : 0xb7c8a000 0x00009000 "\SystemRoot\System32\DRIVERS\intelppm.sys"
    .\debug.cpp(256) : 0xf7787000 0x00006000 "\SystemRoot\System32\DRIVERS\usbuhci.sys"
    .\debug.cpp(256) : 0xb78a0000 0x00024000 "\SystemRoot\System32\DRIVERS\USBPORT.SYS"
    .\debug.cpp(256) : 0xf778f000 0x00008000 "\SystemRoot\System32\DRIVERS\usbehci.sys"
    .\debug.cpp(256) : 0xb788c000 0x00014000 "\SystemRoot\system32\DRIVERS\FA311XP.SYS"
    .\debug.cpp(256) : 0xb7c7a000 0x00010000 "\SystemRoot\System32\DRIVERS\mf.sys"
    .\debug.cpp(256) : 0xb6c59000 0x00c33000 "\SystemRoot\system32\DRIVERS\nv4_mini.sys"
    .\debug.cpp(256) : 0xb6c45000 0x00014000 "\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS"
    .\debug.cpp(256) : 0xb7c6a000 0x0000d000 "\SystemRoot\System32\DRIVERS\i8042prt.sys"
    .\debug.cpp(256) : 0xf7797000 0x00006000 "\SystemRoot\System32\DRIVERS\kbdclass.sys"
    .\debug.cpp(256) : 0xf779f000 0x00006000 "\SystemRoot\System32\DRIVERS\mouclass.sys"
    .\debug.cpp(256) : 0xb7c5a000 0x00010000 "\SystemRoot\System32\DRIVERS\serial.sys"
    .\debug.cpp(256) : 0xb87f8000 0x00004000 "\SystemRoot\System32\DRIVERS\serenum.sys"
    .\debug.cpp(256) : 0xb68b0000 0x00014000 "\SystemRoot\System32\DRIVERS\parport.sys"
    .\debug.cpp(256) : 0xb7c4a000 0x0000b000 "\SystemRoot\system32\drivers\Imapi.sys"
    .\debug.cpp(256) : 0xb7c3a000 0x00010000 "\SystemRoot\System32\DRIVERS\cdrom.sys"
    .\debug.cpp(256) : 0xb7c2a000 0x0000f000 "\SystemRoot\System32\DRIVERS\redbook.sys"
    .\debug.cpp(256) : 0xb688d000 0x00023000 "\SystemRoot\System32\DRIVERS\ks.sys"
    .\debug.cpp(256) : 0xf77a7000 0x00006000 "\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys"
    .\debug.cpp(256) : 0xb684d000 0x00040000 "\SystemRoot\system32\drivers\smwdm.sys"
    .\debug.cpp(256) : 0xb6829000 0x00024000 "\SystemRoot\system32\drivers\portcls.sys"
    .\debug.cpp(256) : 0xb7c1a000 0x0000f000 "\SystemRoot\system32\drivers\drmk.sys"
    .\debug.cpp(256) : 0xb6776000 0x000b3000 "\SystemRoot\system32\drivers\senfilt.sys"
    .\debug.cpp(256) : 0xb7c0a000 0x0000d000 "\SystemRoot\system32\DRIVERS\GenericMount.sys"
    .\debug.cpp(256) : 0xf7677000 0x0000e000 "\SystemRoot\system32\DRIVERS\WDFLDR.SYS"
    .\debug.cpp(256) : 0xb6705000 0x00071000 "\SystemRoot\System32\Drivers\wdf01000.sys"
    .\debug.cpp(256) : 0xf7a94000 0x00001000 "\SystemRoot\System32\DRIVERS\audstub.sys"
    .\debug.cpp(256) : 0xf7697000 0x0000d000 "\SystemRoot\System32\DRIVERS\rasl2tp.sys"
    .\debug.cpp(256) : 0xb87ec000 0x00003000 "\SystemRoot\System32\DRIVERS\ndistapi.sys"
    .\debug.cpp(256) : 0xb5e8e000 0x00017000 "\SystemRoot\System32\DRIVERS\ndiswan.sys"
    .\debug.cpp(256) : 0xf76a7000 0x0000b000 "\SystemRoot\System32\DRIVERS\raspppoe.sys"
    .\debug.cpp(256) : 0xf76b7000 0x0000c000 "\SystemRoot\System32\DRIVERS\raspptp.sys"
    .\debug.cpp(256) : 0xf77af000 0x00005000 "\SystemRoot\System32\DRIVERS\TDI.SYS"
    .\debug.cpp(256) : 0xb5e7d000 0x00011000 "\SystemRoot\System32\DRIVERS\psched.sys"
    .\debug.cpp(256) : 0xf76c7000 0x00009000 "\SystemRoot\System32\DRIVERS\msgpc.sys"
    .\debug.cpp(256) : 0xf77b7000 0x00005000 "\SystemRoot\System32\DRIVERS\ptilink.sys"
    .\debug.cpp(256) : 0xf77bf000 0x00005000 "\SystemRoot\System32\DRIVERS\raspti.sys"
    .\debug.cpp(256) : 0xb5e4d000 0x00030000 "\SystemRoot\System32\DRIVERS\rdpdr.sys"
    .\debug.cpp(256) : 0xf76d7000 0x0000a000 "\SystemRoot\System32\DRIVERS\termdd.sys"
    .\debug.cpp(256) : 0xb5e2a000 0x00023000 "\SystemRoot\system32\DRIVERS\teefer2.sys"
    .\debug.cpp(256) : 0xf79ab000 0x00002000 "\SystemRoot\System32\DRIVERS\swenum.sys"
    .\debug.cpp(256) : 0xb5dcc000 0x0005e000 "\SystemRoot\System32\DRIVERS\update.sys"
    .\debug.cpp(256) : 0xb87cc000 0x00004000 "\SystemRoot\System32\DRIVERS\mssmbios.sys"
    .\debug.cpp(256) : 0xf7577000 0x0000a000 "\SystemRoot\System32\Drivers\NDProxy.SYS"
    .\debug.cpp(256) : 0xf7537000 0x0000f000 "\SystemRoot\System32\DRIVERS\usbhub.sys"
    .\debug.cpp(256) : 0xf79ad000 0x00002000 "\SystemRoot\System32\DRIVERS\USBD.SYS"
    .\debug.cpp(256) : 0xb3c31000 0x0004b000 "\SystemRoot\System32\Drivers\SRTSP.SYS"
    .\debug.cpp(256) : 0xb3ab1000 0x00180000 "\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120309.002\NAVEX15.SYS"
    .\debug.cpp(256) : 0xb3a8b000 0x00026000 "\??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS"
    .\debug.cpp(256) : 0xb3a77000 0x00014000 "\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120309.002\NAVENG.SYS"
    .\debug.cpp(256) : 0xf77cf000 0x00007000 "\SystemRoot\System32\DRIVERS\USBSTOR.SYS"
    .\debug.cpp(256) : 0xf77df000 0x00008000 "\SystemRoot\System32\DRIVERS\usbccgp.sys"
    .\debug.cpp(256) : 0xb7cb6000 0x00004000 "\SystemRoot\System32\DRIVERS\usbscan.sys"
    .\debug.cpp(256) : 0xf77e7000 0x00007000 "\SystemRoot\System32\DRIVERS\usbprint.sys"
    .\debug.cpp(256) : 0xf77ef000 0x00006000 "\SystemRoot\system32\DRIVERS\HPZius12.sys"
    .\debug.cpp(256) : 0xb8780000 0x0000d000 "\SystemRoot\system32\DRIVERS\HPZid412.sys"
    .\debug.cpp(256) : 0xb7cb2000 0x00004000 "\SystemRoot\system32\DRIVERS\HPZipr12.sys"
    .\debug.cpp(256) : 0xb8740000 0x0000a000 "\SystemRoot\System32\Drivers\SRTSPX.SYS"
    .\debug.cpp(256) : 0xf79b7000 0x00002000 "\SystemRoot\System32\Drivers\Fs_Rec.SYS"
    .\debug.cpp(256) : 0xf7a84000 0x00001000 "\SystemRoot\System32\Drivers\Null.SYS"
    .\debug.cpp(256) : 0xf79b9000 0x00002000 "\SystemRoot\System32\Drivers\Beep.SYS"
    .\debug.cpp(256) : 0xf77ff000 0x00006000 "\SystemRoot\System32\drivers\vga.sys"
    .\debug.cpp(256) : 0xf79bb000 0x00002000 "\SystemRoot\System32\Drivers\mnmdd.SYS"
    .\debug.cpp(256) : 0xf79bd000 0x00002000 "\SystemRoot\System32\DRIVERS\RDPCDD.sys"
    .\debug.cpp(256) : 0xf7807000 0x00005000 "\SystemRoot\System32\Drivers\Msfs.SYS"
    .\debug.cpp(256) : 0xf780f000 0x00008000 "\SystemRoot\System32\Drivers\Npfs.SYS"
    .\debug.cpp(256) : 0xb7caa000 0x00003000 "\SystemRoot\System32\DRIVERS\rasacd.sys"
    .\debug.cpp(256) : 0xb3954000 0x00013000 "\SystemRoot\System32\DRIVERS\ipsec.sys"
    .\debug.cpp(256) : 0xb38fb000 0x00059000 "\SystemRoot\System32\DRIVERS\tcpip.sys"
    .\debug.cpp(256) : 0xf76e7000 0x0000f000 "\??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys"
    .\debug.cpp(256) : 0xb38d5000 0x00026000 "\SystemRoot\System32\DRIVERS\ipnat.sys"
    .\debug.cpp(256) : 0xf7687000 0x00009000 "\SystemRoot\System32\DRIVERS\wanarp.sys"
    .\debug.cpp(256) : 0xb38ad000 0x00028000 "\SystemRoot\System32\DRIVERS\netbt.sys"
    .\debug.cpp(256) : 0xb3875000 0x00038000 "\SystemRoot\system32\DRIVERS\tcpip6.sys"
    .\debug.cpp(256) : 0xb3820000 0x0002d000 "\SystemRoot\System32\Drivers\SYMTDI.SYS"
    .\debug.cpp(256) : 0xf7567000 0x00009000 "\SystemRoot\system32\drivers\ip6fw.sys"
    .\debug.cpp(256) : 0xb37fe000 0x00022000 "\SystemRoot\System32\drivers\afd.sys"
    .\debug.cpp(256) : 0xf7557000 0x00009000 "\SystemRoot\System32\DRIVERS\netbios.sys"
    .\debug.cpp(256) : 0xb3794000 0x0006a000 "\??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys"
    .\debug.cpp(256) : 0xb3769000 0x0002b000 "\SystemRoot\System32\DRIVERS\rdbss.sys"
    .\debug.cpp(256) : 0xb36f9000 0x00070000 "\SystemRoot\System32\DRIVERS\mrxsmb.sys"
    .\debug.cpp(256) : 0xf7507000 0x0000b000 "\SystemRoot\System32\Drivers\Fips.SYS"
    .\debug.cpp(256) : 0xb369b000 0x0005e000 "\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys"
    .\debug.cpp(256) : 0xb367d000 0x0001e000 "\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys"
    .\debug.cpp(256) : 0xb3659000 0x00024000 "\SystemRoot\System32\Drivers\Fastfat.SYS"
    .\debug.cpp(256) : 0xb39e7000 0x00010000 "\SystemRoot\System32\Drivers\Cdfs.SYS"
    .\debug.cpp(256) : 0xbf800000 0x001c7000 "\SystemRoot\System32\win32k.sys"
    .\debug.cpp(256) : 0xb5db0000 0x00003000 "\SystemRoot\System32\drivers\Dxapi.sys"
    .\debug.cpp(256) : 0xf7737000 0x00005000 "\SystemRoot\System32\watchdog.sys"
    .\debug.cpp(256) : 0xbd000000 0x00012000 "\SystemRoot\System32\drivers\dxg.sys"
    .\debug.cpp(256) : 0xb86f8000 0x00001000 "\SystemRoot\System32\drivers\dxgthk.sys"
    .\debug.cpp(256) : 0xbd012000 0x00408000 "\SystemRoot\System32\nv4_disp.dll"
    .\debug.cpp(256) : 0xbd41a000 0x00047000 "\SystemRoot\System32\ATMFD.DLL"
    .\debug.cpp(256) : 0xb3635000 0x00004000 "\??\C:\WINDOWS\system32\drivers\mbam.sys"
    .\debug.cpp(256) : 0xb28d8000 0x00004000 "\SystemRoot\System32\DRIVERS\ndisuio.sys"
    .\debug.cpp(256) : 0xb24e7000 0x0002d000 "\SystemRoot\System32\DRIVERS\mrxdav.sys"
    .\debug.cpp(256) : 0xb24d2000 0x00015000 "\SystemRoot\system32\drivers\wdmaud.sys"
    .\debug.cpp(256) : 0xb292c000 0x0000f000 "\SystemRoot\system32\drivers\sysaudio.sys"
    .\debug.cpp(256) : 0xf79b5000 0x00002000 "\SystemRoot\System32\Drivers\ParVdm.SYS"
    .\debug.cpp(256) : 0xb2437000 0x00011000 "\SystemRoot\System32\Drivers\adfs.SYS"
    .\debug.cpp(256) : 0xb26bc000 0x00004000 "\SystemRoot\System32\drivers\aspi32.sys"
    .\debug.cpp(256) : 0xf79dd000 0x00002000 "\??\C:\WINDOWS\SYSTEM32\EGATHDRV.SYS"
    .\debug.cpp(256) : 0xb2157000 0x00058000 "\SystemRoot\System32\DRIVERS\srv.sys"
    .\debug.cpp(256) : 0xb212f000 0x00028000 "\??\C:\WINDOWS\system32\drivers\WpsHelper.sys"
    .\debug.cpp(256) : 0xb3a67000 0x00005000 "\SystemRoot\System32\Drivers\SYMREDRV.SYS"
    .\debug.cpp(256) : 0xb1fcf000 0x00009000 "\SystemRoot\System32\DRIVERS\ipfltdrv.sys"
    .\debug.cpp(256) : 0xb1716000 0x00041000 "\SystemRoot\System32\Drivers\HTTP.sys"
    .\debug.cpp(256) : 0x7c900000 0x000b2000 "\WINDOWS\system32\ntdll.dll"
    .\debug.cpp(263) : **********************************************
    .\debug.cpp(307) : *** [ DEVICE OBJECTS INFORMATION ] ***********
    .\debug.cpp(308) : **********************************************
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\D:"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NONSPOOLED_LPT3"
    .\debug.cpp(400) : Destination "\Device\Parallel2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDIS"
    .\debug.cpp(400) : Destination "\Device\Ndis"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_03f0&Pid_5711&MI_01#6&736207e&9&0001#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}"
    .\debug.cpp(400) : Destination "\Device\00000080"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY1"
    .\debug.cpp(400) : Destination "\Device\Video0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0004#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000004c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SymantecSnapshotControl"
    .\debug.cpp(400) : Destination "\Device\SymantecSnapshot\Control"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ffbb6e3f-ccfe-4d84-90d9-421418b03a8e}"
    .\debug.cpp(400) : Destination "\Device\00000057"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY2"
    .\debug.cpp(400) : Destination "\Device\Video1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{71985f4a-1ca1-11d3-9cc8-00c04f7971e0}"
    .\debug.cpp(400) : Destination "\Device\00000057"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYMC_TEEFER2MP#0004#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000056"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPPOEMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000046"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANBH#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000044"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmIoDaemon"
    .\debug.cpp(400) : Destination "\Device\DmControl\DmIoDaemon"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0C#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\0000005c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ip"
    .\debug.cpp(400) : Destination "\Device\Ip"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY3"
    .\debug.cpp(400) : Destination "\Device\Video2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SymEvent"
    .\debug.cpp(400) : Destination "\Device\SymEvent"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\LPTENUM#MicrosoftRawPort#5&316e3fd5&2&LPT1#{811fc6a5-f728-11d0-a537-0000f8753ed1}"
    .\debug.cpp(400) : Destination "\Device\Parallel0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYMC_TEEFER2MP#0001#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000053"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{7F467572-CE21-40F9-AF1A-1D6E60BFCD58}"
    .\debug.cpp(400) : Destination "\Device\{7F467572-CE21-40F9-AF1A-1D6E60BFCD58}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\RaxcoPerfectDisk"
    .\debug.cpp(400) : Destination "\Device\RaxcoPerfectDisk"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\E:"
    .\debug.cpp(400) : Destination "\Device\Harddisk2\DP(1)0-0+5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{82B7CDF4-D3E8-46C2-929E-460009729EBB}"
    .\debug.cpp(400) : Destination "\Device\{82B7CDF4-D3E8-46C2-929E-460009729EBB}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPSECDev"
    .\debug.cpp(400) : Destination "\Device\IPSEC"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Teefer2"
    .\debug.cpp(400) : Destination "\Device\Teefer2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY4"
    .\debug.cpp(400) : Destination "\Device\Video3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MF#PCI#VEN_9710&DEV_9805&SUBSYS_00101000&REV_01#5&15cad8e5&0&08F0#Child0000#{97f76ef0-f883-11d0-af1f-0000f800845c}"
    .\debug.cpp(400) : Destination "\Device\0000007b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0003#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000004b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANIP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000045"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDPROXY"
    .\debug.cpp(400) : Destination "\Device\NDProxy"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#8&33937a14&0&RM#{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk4\DP(1)0-0+9"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9aa4a2cc-81e0-4cfd-802f-0f74526d2bd3}"
    .\debug.cpp(400) : Destination "\Device\00000057"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{42EE3A35-3C4E-4F93-9F4E-98AEE4DB7F73}"
    .\debug.cpp(400) : Destination "\Device\{42EE3A35-3C4E-4F93-9F4E-98AEE4DB7F73}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Tun0"
    .\debug.cpp(400) : Destination "\Device\Tun0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CDR4_XP"
    .\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ip6"
    .\debug.cpp(400) : Destination "\Device\Ip6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\$VDMLPT1"
    .\debug.cpp(400) : Destination "\Device\ParallelVdm0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10EC&DEV_8139&SUBSYS_F31D1385&REV_10#4&1c660dd6&0&00F0#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0011"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3c0d501a-140b-11d1-b40f-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000057"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{fd0a5af4-b41d-11d2-9c95-00c04f7971e0}"
    .\debug.cpp(400) : Destination "\Device\00000057"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\RdpDrDvMgr"
    .\debug.cpp(400) : Destination "\Device\RdpDrDvMgr"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\F:"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{e7abf18a-a712-11da-9571-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\Harddisk2\DP(1)0-0+5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WMIDataDevice"
    .\debug.cpp(400) : Destination "\Device\WMIDataDevice"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomSONY_DVD_RW_DRU-810A____________________1.0d____#3138313531393037383930312041335535303131#{1186654d-47b8-48b9-beb9-7df113ae3c67}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T1L0-20"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM1"
    .\debug.cpp(400) : Destination "\Device\Serial0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\LPTENUM#MicrosoftRawPort#6&23107a29&0&LPT3#{811fc6a5-f728-11d0-a537-0000f8753ed1}"
    .\debug.cpp(400) : Destination "\Device\Parallel2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{DE1468B6-0E94-4C3B-B22C-022EF841F7EA}"
    .\debug.cpp(400) : Destination "\Device\{DE1468B6-0E94-4C3B-B22C-022EF841F7EA}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{fa2c19f2-8b92-11da-a991-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\EraserUtilDrv11122"
    .\debug.cpp(400) : Destination "\Device\EraserUtilDrv11122"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{dff220f3-f70f-11d0-b917-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000057"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&15bf541d&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c5066e-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{2eb07ea0-7e70-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000057"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Usbscan0"
    .\debug.cpp(400) : Destination "\Device\Usbscan0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{87A0D3EA-3773-4754-A626-B9B52BAEE4FB}"
    .\debug.cpp(400) : Destination "\Device\{87A0D3EA-3773-4754-A626-B9B52BAEE4FB}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PIPE"
    .\debug.cpp(400) : Destination "\Device\NamedPipe"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\G:"
    .\debug.cpp(400) : Destination "\Device\Harddisk3\DP(1)0-0+7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\GEARAspiWDMDevice"
    .\debug.cpp(400) : Destination "\Device\GEARAspiWDMDevice"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\UNC"
    .\debug.cpp(400) : Destination "\Device\Mup"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PSched"
    .\debug.cpp(400) : Destination "\Device\PSched"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\BBDRVCHANNEL"
    .\debug.cpp(400) : Destination "\Device\BBDrvDevice"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPNAT"
    .\debug.cpp(400) : Destination "\Device\IPNAT"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NAVEX15"
    .\debug.cpp(400) : Destination "\Device\NAVEX15"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&27d8ed6e&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{0a4252a0-7e70-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000057"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#8&33937a14&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk4\DP(1)0-0+9"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD0"
    .\debug.cpp(400) : Destination "\Device\USBFDO-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000057"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Tcp"
    .\debug.cpp(400) : Destination "\Device\Tcp"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgrMsg"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgrMsg"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&Signature14CF14CEOffset7E00Length1C9F01C400#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomSONY_DVD_RW_DRU-810A____________________1.0d____#3138313531393037383930312041335535303131#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T1L0-20"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPFILTERDRIVER"
    .\debug.cpp(400) : Destination "\Device\IPFILTERDRIVER"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_03f0&Pid_5711&MI_00#6&736207e&9&0000#{6bdd1fc6-810f-11d0-bec7-08002be2092f}"
    .\debug.cpp(400) : Destination "\Device\0000007f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#DiskMaxtor_6Y120P0__________________________YAR41BW0#33593836414d4557202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP0T1L0-c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_24D5&SUBSYS_019D1028&REV_02#3&172e68dd&0&FD#{65e8773e-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0010"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\LCD"
    .\debug.cpp(400) : Destination "\Device\VideoPdo0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD1"
    .\debug.cpp(400) : Destination "\Device\USBFDO-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PTIMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000004d"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive0"
    .\debug.cpp(400) : Destination "\Device\Harddisk0\DR0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\EraserCtrlDrv"
    .\debug.cpp(400) : Destination "\Device\EraserCtrlDrv"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PRN"
    .\debug.cpp(400) : Destination "\DosDevices\LPT1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD2"
    .\debug.cpp(400) : Destination "\Device\USBFDO-2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{cf1dda2c-9743-11d0-a3ee-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000057"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{53172480-4791-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000057"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0001#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000049"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#*TUNMP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000001"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SymSnap_{bc5b8170-6a35-11e1-bea6-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\SymantecSnapshot\Volume0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\H:"
    .\debug.cpp(400) : Destination "\Device\Harddisk4\DP(1)0-0+9"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive1"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DR1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom0"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\sysaudio"
    .\debug.cpp(400) : Destination "\Device\sysaudio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\fsWrap"
    .\debug.cpp(400) : Destination "\Device\FsWrap"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&df40f89&0&RM#{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk3\DP(1)0-0+7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{3D74913A-5402-48F3-87DB-B96113351857}"
    .\debug.cpp(400) : Destination "\Device\{3D74913A-5402-48F3-87DB-B96113351857}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD3"
    .\debug.cpp(400) : Destination "\Device\USBFDO-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{97ebaacb-95bd-11d0-a3ea-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000057"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive2"
    .\debug.cpp(400) : Destination "\Device\Harddisk2\DR2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MbMmDp32"
    .\debug.cpp(400) : Destination "\Device\MbMmDp32"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#6&3744f10&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk2\DP(1)0-0+5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive3"
    .\debug.cpp(400) : Destination "\Device\Harddisk3\DR6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Global"
    .\debug.cpp(400) : Destination "\GLOBAL??"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_03f0&Pid_5711#MY63MB923J04J7#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&1f51acb0&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#FixedButton#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000061"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive4"
    .\debug.cpp(400) : Destination "\Device\Harddisk4\DR8"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\EraserUtilDrvI14"
    .\debug.cpp(400) : Destination "\Device\EraserUtilDrv11122"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NAVENG"
    .\debug.cpp(400) : Destination "\Device\NAVENG"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"
    .\debug.cpp(400) : Destination "\Device\00000071"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PxHelperDevice0"
    .\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SRTSPX"
    .\debug.cpp(400) : Destination "\Device\SRTSPX"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_24D5&SUBSYS_019D1028&REV_02#3&172e68dd&0&FD#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0010"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50671-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{94155A9F-EF91-4176-BC01-A7928A9B88FE}"
    .\debug.cpp(400) : Destination "\Device\{94155A9F-EF91-4176-BC01-A7928A9B88FE}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3e227e76-690d-11d2-8161-0000f8775bf1}"
    .\debug.cpp(400) : Destination "\Device\00000057"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WpsHelper"
    .\debug.cpp(400) : Destination "\Device\WpsHelper"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad809c00-7b88-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000057"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9ea331fa-b91b-45f8-9285-bd2bc77afcde}"
    .\debug.cpp(400) : Destination "\Device\00000057"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_24D5&SUBSYS_019D1028&REV_02#3&172e68dd&0&FD#{dda54a40-1e4c-11d1-a050-405705c10000}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0010"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_7.77#6&29952896&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\0000007e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_24D2&SUBSYS_019D1028&REV_02#3&172e68dd&0&E8#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_15_Model_4#_0#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
    .\debug.cpp(400) : Destination "\Device\0000005d"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{3653620E-3F75-46C3-8F6D-5E6B4E796141}"
    .\debug.cpp(400) : Destination "\Device\{3653620E-3F75-46C3-8F6D-5E6B4E796141}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{07dad660-22f1-11d1-a9f4-00c04fbbde8f}"
    .\debug.cpp(400) : Destination "\Device\00000057"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&df40f89&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk3\DP(1)0-0+7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WPS"
    .\debug.cpp(400) : Destination "\Device\WPS"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{4d36e978-e325-11ce-bfc1-08002be10318}"
    .\debug.cpp(400) : Destination "\Device\00000071"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{e8d48f80-e9f7-11db-ab23-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0F13#4&1506bb2e&0#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000070"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MountPointManager"
    .\debug.cpp(400) : Destination "\Device\MountPointManager"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\EGATHDRV"
    .\debug.cpp(400) : Destination "\Device\egathdrv"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50674-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#Disk&Ven_HP&Prod_Photosmart_C4180&Rev_1.00#7&23f4f2fc&0&MY63MB923J04J7&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000087"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYMC_TEEFER2MP#0003#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000055"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_L2TPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000043"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MbDlDp32"
    .\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmConfig"
    .\debug.cpp(400) : Destination "\Device\DmControl\DmConfig"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WanArp"
    .\debug.cpp(400) : Destination "\Device\WANARP"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#DiskMaxtor_6Y120P0__________________________YAR41BW0#335959324d54454c202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP0T0L0-4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#ftdisk#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000004"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{6b873414-ac28-11d8-9595-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{11BFC21C-7496-412B-9DBE-0C338621BB4D}"
    .\debug.cpp(400) : Destination "\Device\{11BFC21C-7496-412B-9DBE-0C338621BB4D}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmTrace"
    .\debug.cpp(400) : Destination "\Device\DmControl\DmTrace"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{CA4E9F1E-78A8-486E-987E-BC3E100469FD}"
    .\debug.cpp(400) : Destination "\Device\{CA4E9F1E-78A8-486E-987E-BC3E100469FD}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0401#4&1506bb2e&0#{97f76ef0-f883-11d0-af1f-0000f800845c}"
    .\debug.cpp(400) : Destination "\Device\00000072"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_06E4&SUBSYS_0A5E19F1&REV_A1#5&28662550&0&0010F0#{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0015"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000057"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISWANIP"
    .\debug.cpp(400) : Destination "\Device\NdisWanIp"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#dmio#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000003"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{fbf6f530-07b9-11d2-a71e-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{bf963d80-c559-11d0-8a2b-00a0c9255ac1}"
    .\debug.cpp(400) : Destination "\Device\00000057"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi0:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ADVirtualDiskDevice"
    .\debug.cpp(400) : Destination "\Device\ADVirtualDisk\Control"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomSONY_DVD_RW_DRU-810A____________________1.0d____#3138313531393037383930312041335535303131#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T1L0-20"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#GENERICMOUNT#0000#{c1eaf9f9-7e63-46d1-8f9c-455bbd02414d}"
    .\debug.cpp(400) : Destination "\Device\00000005"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#6&3744f10&0&RM#{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk2\DP(1)0-0+5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#DiskIOMEGA_ZIP_250__________________________42.S____#3030424442343438344336303133303220202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-18"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_058f&Pid_9385#5&33d83d18&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_24D4&SUBSYS_019D1028&REV_02#3&172e68dd&0&E9#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0003"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{4747b320-62ce-11cf-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000057"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPTPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK1"
    .\debug.cpp(400) : Destination "\Device\ParTechInc0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISTAPI"
    .\debug.cpp(400) : Destination "\Device\NdisTapi"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\LPT1"
    .\debug.cpp(400) : Destination "\Device\NamedPipe\Spooler\LPT1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{a7c7a5b1-5af3-11d1-9ced-00a024bf0407}"
    .\debug.cpp(400) : Destination "\Device\00000057"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NdisWan"
    .\debug.cpp(400) : Destination "\Device\NdisWan"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SymTDI"
    .\debug.cpp(400) : Destination "\Device\SymTDI"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi1:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPMULTICAST"
    .\debug.cpp(400) : Destination "\Device\IPMULTICAST"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{CD389828-45C7-47A5-ADAF-ACC8B429BD0F}"
    .\debug.cpp(400) : Destination "\Device\{CD389828-45C7-47A5-ADAF-ACC8B429BD0F}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{335C9CB7-5B58-4A0A-B9CD-303E75B892F4}"
    .\debug.cpp(400) : Destination "\Device\{335C9CB7-5B58-4A0A-B9CD-303E75B892F4}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISWANBH"
    .\debug.cpp(400) : Destination "\Device\NdisWanBh"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK2"
    .\debug.cpp(400) : Destination "\Device\ParTechInc1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmLoader"
    .\debug.cpp(400) : Destination "\Device\DmLoader"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Shadow"
    .\debug.cpp(400) : Destination "\Device\LanmanRedirector"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_24D5&SUBSYS_019D1028&REV_02#3&172e68dd&0&FD#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0010"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0303#4&1506bb2e&0#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\0000006f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK3"
    .\debug.cpp(400) : Destination "\Device\ParTechInc2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SmwdmDev"
    .\debug.cpp(400) : Destination "\Device\Smwdm0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{7934b9fd-4918-11e0-8ecb-001e2a47635c}"
    .\debug.cpp(400) : Destination "\Device\Harddisk4\DP(1)0-0+9"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\LPT3"
    .\debug.cpp(400) : Destination "\Device\NamedPipe\Spooler\LPT3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{bf4bae21-9882-11d9-a712-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ip6fw"
    .\debug.cpp(400) : Destination "\Device\Ip6fw"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgr"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgr"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FtControl"
    .\debug.cpp(400) : Destination "\Device\FtControl"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{45a2cca6-1a86-11e1-a53e-001e2a47635c}"
    .\debug.cpp(400) : Destination "\Device\Harddisk3\DP(1)0-0+7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&Signature28261C11Offset7E00Length1C9F7F4600#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SRTSP"
    .\debug.cpp(400) : Destination "\Device\SRTSP"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MBAMProtector"
    .\debug.cpp(400) : Destination "\Device\MBAMProtector"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MAILSLOT"
    .\debug.cpp(400) : Destination "\Device\MailSlot"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AUX"
    .\debug.cpp(400) : Destination "\DosDevices\COM1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB20#4&182344f5&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_24DD&SUBSYS_019D1028&REV_02#3&172e68dd&0&EF#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0005"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT"
    .\debug.cpp(400) : Destination ""
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ndisuio"
    .\debug.cpp(400) : Destination "\Device\Ndisuio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000051"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SymSnap_{bc5b8171-6a35-11e1-bea6-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\SymantecSnapshot\Volume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NUL"
    .\debug.cpp(400) : Destination "\Device\Null"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_15_Model_4#_1#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
    .\debug.cpp(400) : Destination "\Device\0000005e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NONSPOOLED_LPT1"
    .\debug.cpp(400) : Destination "\Device\Parallel0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000050"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DOT4#Vid_03f0&Pid_5711&MI_02&DOT4&PRINT_HPZ#8&139922a9&0&0#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}"
    .\debug.cpp(400) : Destination "\Device\HPZID412PRINT_HPZ1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_24DE&SUBSYS_019D1028&REV_02#3&172e68dd&0&EB#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0004"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CSIO"
    .\debug.cpp(400) : Destination "\Device\CSIO"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SymantecSnapShot0"
    .\debug.cpp(400) : Destination "\Device\SymantecSnapshot\Volume0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SymantecSnapShot1"
    .\debug.cpp(400) : Destination "\Device\SymantecSnapshot\Volume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\EraserUtilRebootDrv"
    .\debug.cpp(400) : Destination "\Device\EraserUtilDrv11122"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmInfo"
    .\debug.cpp(400) : Destination "\Device\DmControl\DmInfo"
    .\debug.cpp(409) : --
    .\debug.cpp(453) : **********************************************
    .\boot_cleaner.cpp(565) : System volume is \\.\C:
    .\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    .\boot_cleaner.cpp(276) : Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd
    .\boot_cleaner.cpp(1061) :
    .\boot_cleaner.cpp(1062) : Size Device Name MBR Status
    .\boot_cleaner.cpp(1063) : --------------------------------------------
    .\boot_cleaner.cpp(1107) : 114 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
    .\boot_cleaner.cpp(1113) :
    .\boot_cleaner.cpp(1152) : Done;
     
  6. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. jdeeganjr

    jdeeganjr TS Rookie Topic Starter Posts: 20

    Questions About Running ComboFix

    I have downloaded ComboFix from the site you identified. When running the program on my infected computer (which is not connected to the internet), I could not install the Recovery Console because it requires an internet connection. When I told ComboFix to not install the Console, it advised that the program's scan would not be as comprehensive as it would be otherwise.

    Do you want me to re-connect my infected machine to the internet?

    Prior to running ComboFix and disabling my Symantec Endpoint Protection (SEP) antivirus and disabling Malwarebytes Anti-Malware programs, SEP reported that the file ComboFix.exe was infected. SEP said that ComboFix contained the virus Trojan.ADH.2 and then quarantined the file. Is this simply a false positive or is ComboFix really compromised?

    Please advise.
     
  8. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    It's a false positive.
    You must delete your Combofix file and download a fresh one.
    Reconnect to the internet, restart computer in Safe Mode with Networking.
    There you don't have to worry about disabling anything.

    I'll be back in a couple of hours.
     
  9. jdeeganjr

    jdeeganjr TS Rookie Topic Starter Posts: 20

    Problem Running ComboFix

    I downloaded ComboFix and the multiple versions of RKill as directed.

    1. I first disabled SEP and MBAM. I then ran ComboFix in normal mode but not connected to the internet. ComboFix did not like the fact that it couldn't install Recovery Console because it couldn't connect to the internet. ComboFix hung. No results.

    2. I deleted ComboFix and rebooted in safe mode with networking. SEP and MBAM still disabled. I downloaded another copy of ComboFix and re-named it as directed. Recovery Console downloaded and installed. I ran ComboFix and it again hung. No results.

    3. I deleted ComboFix and rebooted again in safe mode with networking. I ran RKill.exe - no results. I ran RKill.com and it completed successfully. Here's its log.

    *********************************

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 03/09/2012 at 20:53:58.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:

    C:\Documents and Settings\jdeegan\Desktop\rkill.com


    Rkill completed on 03/09/2012 at 20:54:02.

    *********************************

    4. I did not reboot. I downloaded another copy of ComboFix and renamed it as directed. I ran this third renamed version of ComboFix and it again hung. No results.

    No other changes have been made to my infected computer.

    What should I do next?
     
  10. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Restart in Safe Mode again.

    Make sure Combofix file is located on your desktop.

    Go Start>Run and paste this command:

    "%userprofile%\desktop\ComboFix.exe" /KillAll /nombr

    See if it'll run now.
     
  11. jdeeganjr

    jdeeganjr TS Rookie Topic Starter Posts: 20

    ComboFix Still Hangs

    I downloaded another copy of ComboFix and renamed it uniquely. I copied it to my desktop. I ran it in safe mode from the command prompt as you directed. ComboFix hung. No results.

    I downloaded yet another copy of ComboFix and again renamed it uniquely. I copied it to my desktop and ran it in normal mode from the command prompt as you directed. ComboFix hung. No results.
     
  12. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
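
    The report those steps produce lists every driver and service the tool examined: one line with the object name, its MD5 and the file path (when a file exists on disk), and one line with the verdict, normally "ok". As an added example, not part of this thread and not TDSSKiller's own code, here is a small Python triage script for such a report. It parses the per-object lines, flags any entry whose verdict is not ok, lists drivers loaded from outside the Windows directory so their hashes can be checked against the vendor's published values, and indexes entries by MD5. The sample log is constructed from lines of the shape shown in this thread plus one made-up entry, examplesvc with verdict "suspicious", for demonstration; TDSSKiller's real wording for a detection may differ.

```python
import re
from collections import defaultdict

# Line shapes as they appear in the TDSSKiller 2.7.x reports pasted in this thread:
#   <hh:mm:ss.ffff> <pid> <name> (<md5>) <path>    file found on disk for this object
#   <hh:mm:ss.ffff> <pid> <name> - <status>        verdict for the object (normally "ok")
LINE_RE = re.compile(r'^(?P<time>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d{4})\s*(?P<rest>.*)$')
FILE_RE = re.compile(r'^(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+)$')
STATUS_RE = re.compile(r'^(?P<name>\S+)\s+-\s+(?P<status>.+)$')

# Constructed sample: real lines of the shape seen in this thread plus one made-up
# non-ok entry ("examplesvc"); TDSSKiller's actual wording for a detection may differ.
SAMPLE_LOG = r"""
19:26:12.0468 0948 Scan started
19:26:12.0468 0948 Mode: Manual;
19:26:13.0609 0948 Abiosdsk - ok
19:26:13.0843 0948 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:26:13.0843 0948 ACPI - ok
19:26:15.0406 0948 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
19:26:15.0421 0948 cpudrv - ok
19:26:15.0500 0948 examplesvc (00000000000000000000000000000000) C:\WINDOWS\system32\drivers\examplesvc.sys
19:26:15.0500 0948 examplesvc - suspicious
"""


def parse_tdsskiller_log(text):
    """Map each scanned object name to its md5, path and status (None where absent)."""
    entries = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner, separator and blank lines carry no object data
        rest = m.group('rest')
        fm = FILE_RE.match(rest)
        if fm:
            e = entries.setdefault(fm.group('name'), {'md5': None, 'path': None, 'status': None})
            e['md5'] = fm.group('md5').lower()
            e['path'] = fm.group('path')
            continue
        sm = STATUS_RE.match(rest)
        if sm:
            e = entries.setdefault(sm.group('name'), {'md5': None, 'path': None, 'status': None})
            e['status'] = sm.group('status').strip()
    return entries


def non_ok_entries(entries):
    """Names whose verdict is anything other than 'ok': the lines to read first."""
    return sorted(n for n, e in entries.items()
                  if e['status'] is not None and e['status'].lower() != 'ok')


def drivers_outside_system_root(entries, system_root=r'C:\WINDOWS'):
    """Objects whose on-disk file lives outside the Windows directory.

    Not a verdict: third-party drivers legitimately live there, but these are the
    ones whose hash is worth comparing against the vendor's published value.
    """
    root = system_root.rstrip('\\').lower() + '\\'
    return sorted(n for n, e in entries.items()
                  if e['path'] and not e['path'].lower().startswith(root))


def index_by_md5(entries):
    """md5 -> [names], so a hash can be looked up or compared against a known-good build."""
    idx = defaultdict(list)
    for name, e in sorted(entries.items()):
        if e['md5']:
            idx[e['md5']].append(name)
    return dict(idx)


if __name__ == '__main__':
    ents = parse_tdsskiller_log(SAMPLE_LOG)
    print('objects parsed:', len(ents))
    print('non-ok verdicts:', non_ok_entries(ents))
    print('outside system root:', drivers_outside_system_root(ents))
    for digest, names in index_by_md5(ents).items():
        print(digest, names)
```

    To use it on a real report, read the pasted TDSSKiller_xxxx_log.txt into a string and pass it to parse_tdsskiller_log in place of SAMPLE_LOG; the three helpers only narrow down which lines deserve attention, they do not decide whether a file is malicious.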
     
  13. jdeeganjr

    jdeeganjr TS Rookie Topic Starter Posts: 20

    Log From TDSSKiller

    I tried ComboFix one more time before running TDSSKiller. I re-booted in normal mode and first ran RKill.com. Here is the log:

    *******************************************************************

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 03/10/2012 at 18:56:30.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:

    C:\WINDOWS\system32\wuauclt.exe


    Rkill completed on 03/10/2012 at 18:56:36.

    **********************************************************************

    This is the first time RKill reported terminating a process. Don't know if this is significant or not.

    I then ran ComboFix hoping that it might complete successfully. Wrong. It again hung. No results.

    I then re-booted in normal mode and ran TDSSKiller. Here is the log:

    19:26:06.0906 0920 TDSS rootkit removing tool 2.7.19.0 Mar 5 2012 11:23:39
    19:26:06.0953 0920 ============================================================
    19:26:06.0953 0920 Current date / time: 2012/03/10 19:26:06.0953
    19:26:06.0953 0920 SystemInfo:
    19:26:06.0953 0920
    19:26:06.0953 0920 OS Version: 5.1.2600 ServicePack: 3.0
    19:26:06.0953 0920 Product type: Workstation
    19:26:06.0953 0920 ComputerName: DEEGAN
    19:26:06.0953 0920 UserName: jdeegan
    19:26:06.0953 0920 Windows directory: C:\WINDOWS
    19:26:06.0953 0920 System windows directory: C:\WINDOWS
    19:26:06.0953 0920 Processor architecture: Intel x86
    19:26:06.0953 0920 Number of processors: 2
    19:26:06.0953 0920 Page size: 0x1000
    19:26:06.0953 0920 Boot type: Normal boot
    19:26:06.0953 0920 ============================================================
    19:26:08.0843 0920 Drive \Device\Harddisk0\DR0 - Size: 0x1C9FEF0000 (114.50 Gb), SectorSize: 0x200, Cylinders: 0x3A62, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
    19:26:08.0843 0920 Drive \Device\Harddisk1\DR1 - Size: 0x1C9FEF0000 (114.50 Gb), SectorSize: 0x200, Cylinders: 0x3A62, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
    19:26:08.0859 0920 Drive \Device\Harddisk4\DR8 - Size: 0x7D00000 (0.12 Gb), SectorSize: 0x200, Cylinders: 0xF, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
    19:26:08.0875 0920 \Device\Harddisk0\DR0:
    19:26:08.0875 0920 MBR used
    19:26:08.0875 0920 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xE4F80E2
    19:26:08.0875 0920 \Device\Harddisk1\DR1:
    19:26:08.0875 0920 MBR used
    19:26:08.0875 0920 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xE4FBFA3
    19:26:08.0875 0920 \Device\Harddisk4\DR8:
    19:26:08.0875 0920 MBR used
    19:26:08.0875 0920 \Device\Harddisk4\DR8\Partition0: MBR, Type 0x6, StartLBA 0x20, BlocksNum 0x3E7DE
    19:26:08.0921 0920 Initialize success
    19:26:08.0921 0920 ============================================================
    19:26:12.0453 0948 ============================================================
    19:26:12.0468 0948 Scan started
    19:26:12.0468 0948 Mode: Manual;
    19:26:12.0468 0948 ============================================================
    19:26:13.0609 0948 Abiosdsk - ok
    19:26:13.0703 0948 abp480n5 - ok
    19:26:13.0843 0948 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    19:26:13.0843 0948 ACPI - ok
    19:26:13.0890 0948 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    19:26:13.0890 0948 ACPIEC - ok
    19:26:13.0937 0948 adfs (73685e15ef8b0bd9c30f1af413f13d49) C:\WINDOWS\system32\drivers\adfs.sys
    19:26:13.0937 0948 adfs - ok
    19:26:13.0968 0948 adpu160m - ok
    19:26:14.0031 0948 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    19:26:14.0031 0948 aec - ok
    19:26:14.0078 0948 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
    19:26:14.0093 0948 AFD - ok
    19:26:14.0125 0948 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
    19:26:14.0140 0948 agp440 - ok
    19:26:14.0171 0948 Aha154x - ok
    19:26:14.0203 0948 aic78u2 - ok
    19:26:14.0234 0948 aic78xx - ok
    19:26:14.0265 0948 AliIde - ok
    19:26:14.0296 0948 amsint - ok
    19:26:14.0328 0948 asc - ok
    19:26:14.0359 0948 asc3350p - ok
    19:26:14.0390 0948 asc3550 - ok
    19:26:14.0437 0948 Aspi32 (5b01af89d16d562825c4db4530f20cbb) C:\WINDOWS\system32\drivers\aspi32.sys
    19:26:14.0453 0948 Aspi32 - ok
    19:26:14.0500 0948 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    19:26:14.0500 0948 AsyncMac - ok
    19:26:14.0546 0948 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    19:26:14.0546 0948 atapi - ok
    19:26:14.0578 0948 Atdisk - ok
    19:26:14.0609 0948 atirage3 (79e888ccceafb49764b254c2537f1afb) C:\WINDOWS\system32\DRIVERS\atimpae.sys
    19:26:14.0625 0948 atirage3 - ok
    19:26:14.0671 0948 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    19:26:14.0687 0948 Atmarpc - ok
    19:26:14.0718 0948 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    19:26:14.0718 0948 audstub - ok
    19:26:14.0765 0948 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    19:26:14.0765 0948 Beep - ok
    19:26:14.0828 0948 catchme - ok
    19:26:14.0875 0948 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    19:26:14.0890 0948 cbidf2k - ok
    19:26:14.0921 0948 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    19:26:14.0937 0948 CCDECODE - ok
    19:26:14.0968 0948 cd20xrnt - ok
    19:26:15.0000 0948 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    19:26:15.0000 0948 Cdaudio - ok
    19:26:15.0046 0948 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    19:26:15.0062 0948 Cdfs - ok
    19:26:15.0093 0948 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    19:26:15.0109 0948 Cdrom - ok
    19:26:15.0140 0948 Changer - ok
    19:26:15.0203 0948 CmdIde - ok
    19:26:15.0234 0948 Cohbtokdfh - ok
    19:26:15.0281 0948 COH_Mon (86a22dff16e8ca67601044efe6825537) C:\WINDOWS\system32\Drivers\COH_Mon.sys
    19:26:15.0296 0948 COH_Mon - ok
    19:26:15.0328 0948 Cpqarray - ok
    19:26:15.0406 0948 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
    19:26:15.0421 0948 cpudrv - ok
    19:26:15.0468 0948 cpuz132 - ok
    19:26:15.0531 0948 CVirtA (5c706c06c1279952d2cc1a609ca948bf) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
    19:26:15.0531 0948 CVirtA - ok
    19:26:15.0578 0948 cwbmidi_device (7623d295feca7f311b750373fe9aed51) C:\WINDOWS\system32\drivers\cwbmidi.sys
    19:26:15.0593 0948 cwbmidi_device - ok
    19:26:15.0625 0948 cwbwdm_device (86e32e528092092188c58bcf4a9f96c5) C:\WINDOWS\system32\drivers\cwbwdm.sys
    19:26:15.0640 0948 cwbwdm_device - ok
    19:26:15.0671 0948 dac2w2k - ok
    19:26:15.0703 0948 dac960nt - ok
    19:26:15.0750 0948 DefragFS (d38c27df7b3e8840b4b92ed5c5c06c2c) C:\WINDOWS\system32\drivers\DefragFS.sys
    19:26:15.0765 0948 DefragFS - ok
    19:26:15.0812 0948 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    19:26:15.0828 0948 Disk - ok
    19:26:15.0890 0948 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    19:26:15.0968 0948 dmboot - ok
    19:26:16.0000 0948 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
    19:26:16.0031 0948 dmio - ok
    19:26:16.0062 0948 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    19:26:16.0078 0948 dmload - ok
    19:26:16.0109 0948 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    19:26:16.0109 0948 DMusic - ok
    19:26:16.0171 0948 DNE (2eddbb3ef1dd5a28cb07c149d36e7286) C:\WINDOWS\system32\DRIVERS\dne2000.sys
    19:26:16.0187 0948 DNE - ok
    19:26:16.0218 0948 dpti2o - ok
    19:26:16.0250 0948 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    19:26:16.0250 0948 drmkaud - ok
    19:26:16.0312 0948 E100B (ac9cf17ee2ae003c98eb4f5336c38058) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    19:26:16.0328 0948 E100B - ok
    19:26:16.0437 0948 eeCtrl (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    19:26:16.0453 0948 eeCtrl - ok
    19:26:16.0484 0948 EGATHDRV (7f220875288944c9c7856e2bc8613b1f) C:\WINDOWS\SYSTEM32\EGATHDRV.SYS
    19:26:16.0500 0948 EGATHDRV - ok
    19:26:16.0531 0948 EL90XBC - ok
    19:26:16.0546 0948 EraserUtilRebootDrv (028d50f059bd0d2ccb209e9011b9a9a4) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    19:26:16.0546 0948 EraserUtilRebootDrv - ok
    19:26:16.0625 0948 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    19:26:16.0625 0948 Fastfat - ok
    19:26:16.0671 0948 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    19:26:16.0687 0948 Fdc - ok
    19:26:16.0734 0948 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    19:26:16.0734 0948 Fips - ok
    19:26:16.0781 0948 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    19:26:16.0796 0948 Flpydisk - ok
    19:26:16.0828 0948 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    19:26:16.0843 0948 FltMgr - ok
    19:26:16.0937 0948 FreshIO (caac750e6d27866c28494e0de9fa802a) C:\Program Files\FreshDevices\FreshDiagnose\FreshIO.sys
    19:26:16.0937 0948 FreshIO - ok
    19:26:16.0984 0948 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    19:26:16.0984 0948 Fs_Rec - ok
    19:26:17.0015 0948 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    19:26:17.0031 0948 Ftdisk - ok
    19:26:17.0093 0948 GearAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    19:26:17.0093 0948 GearAspiWDM - ok
    19:26:17.0140 0948 GenericMount (69f8f310654d699c7e5bd5c67279980f) C:\WINDOWS\system32\DRIVERS\GenericMount.sys
    19:26:17.0156 0948 GenericMount - ok
    19:26:17.0203 0948 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    19:26:17.0218 0948 Gpc - ok
    19:26:17.0250 0948 hpn - ok
    19:26:17.0296 0948 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
    19:26:17.0312 0948 HPZid412 - ok
    19:26:17.0359 0948 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
    19:26:17.0359 0948 HPZipr12 - ok
    19:26:17.0390 0948 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
    19:26:17.0406 0948 HPZius12 - ok
    19:26:17.0453 0948 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    19:26:17.0453 0948 HTTP - ok
    19:26:17.0484 0948 i2omgmt - ok
    19:26:17.0515 0948 i2omp - ok
    19:26:17.0562 0948 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    19:26:17.0578 0948 i8042prt - ok
    19:26:17.0687 0948 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
    19:26:17.0765 0948 ialm - ok
    19:26:17.0828 0948 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\drivers\Imapi.sys
    19:26:17.0843 0948 Imapi - ok
    19:26:17.0875 0948 ini910u - ok
    19:26:17.0906 0948 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    19:26:17.0921 0948 IntelIde - ok
    19:26:17.0953 0948 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    19:26:17.0968 0948 intelppm - ok
    19:26:18.0000 0948 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    19:26:18.0000 0948 Ip6Fw - ok
    19:26:18.0062 0948 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    19:26:18.0062 0948 IpFilterDriver - ok
    19:26:18.0093 0948 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    19:26:18.0109 0948 IpInIp - ok
    19:26:18.0156 0948 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    19:26:18.0171 0948 IpNat - ok
    19:26:18.0203 0948 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    19:26:18.0203 0948 IPSec - ok
    19:26:18.0250 0948 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    19:26:18.0265 0948 IRENUM - ok
    19:26:18.0312 0948 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    19:26:18.0328 0948 isapnp - ok
    19:26:18.0359 0948 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    19:26:18.0375 0948 Kbdclass - ok
    19:26:18.0421 0948 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    19:26:18.0421 0948 kmixer - ok
    19:26:18.0468 0948 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    19:26:18.0484 0948 KSecDD - ok
    19:26:18.0515 0948 lbrtfdc - ok
    19:26:18.0578 0948 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
    19:26:18.0578 0948 MBAMProtector - ok
    19:26:18.0640 0948 mf (a7da20ab18a1bdae28b0f349e57da0d1) C:\WINDOWS\system32\DRIVERS\mf.sys
    19:26:18.0656 0948 mf - ok
    19:26:18.0687 0948 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    19:26:18.0703 0948 mnmdd - ok
    19:26:18.0734 0948 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    19:26:18.0750 0948 Modem - ok
    19:26:18.0781 0948 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    19:26:18.0796 0948 Mouclass - ok
    19:26:18.0828 0948 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    19:26:18.0843 0948 MountMgr - ok
    19:26:18.0875 0948 mraid35x - ok
    19:26:18.0953 0948 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
    19:26:18.0968 0948 MREMP50 - ok
    19:26:18.0968 0948 MREMPR5 - ok
    19:26:18.0984 0948 MRENDIS5 - ok
    19:26:19.0000 0948 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
    19:26:19.0015 0948 MRESP50 - ok
    19:26:19.0062 0948 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    19:26:19.0062 0948 MRxDAV - ok
    19:26:19.0140 0948 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    19:26:19.0187 0948 MRxSmb - ok
    19:26:19.0234 0948 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    19:26:19.0234 0948 Msfs - ok
    19:26:19.0281 0948 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    19:26:19.0281 0948 MSKSSRV - ok
    19:26:19.0312 0948 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    19:26:19.0328 0948 MSPCLOCK - ok
    19:26:19.0359 0948 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    19:26:19.0359 0948 MSPQM - ok
    19:26:19.0406 0948 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    19:26:19.0406 0948 mssmbios - ok
    19:26:19.0453 0948 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    19:26:19.0468 0948 MSTEE - ok
    19:26:19.0515 0948 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
    19:26:19.0531 0948 Mup - ok
    19:26:19.0578 0948 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    19:26:19.0593 0948 NABTSFEC - ok
    19:26:19.0640 0948 NAL (a467e1deb3bb2b57426c8a5993ba933e) C:\WINDOWS\system32\Drivers\iqvw32.sys
    19:26:19.0656 0948 NAL - ok
    19:26:19.0812 0948 NAVENG (862f55824ac81295837b0ab63f91071f) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120309.002\NAVENG.SYS
    19:26:19.0812 0948 NAVENG - ok
    19:26:19.0906 0948 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120309.002\NAVEX15.SYS
    19:26:19.0937 0948 NAVEX15 - ok
    19:26:19.0984 0948 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    19:26:20.0000 0948 NDIS - ok
    19:26:20.0046 0948 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    19:26:20.0062 0948 NdisIP - ok
    19:26:20.0093 0948 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    19:26:20.0109 0948 NdisTapi - ok
    19:26:20.0156 0948 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    19:26:20.0156 0948 Ndisuio - ok
    19:26:20.0203 0948 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    19:26:20.0218 0948 NdisWan - ok
    19:26:20.0265 0948 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    19:26:20.0281 0948 NDProxy - ok
    19:26:20.0296 0948 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    19:26:20.0312 0948 NetBIOS - ok
    19:26:20.0343 0948 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    19:26:20.0359 0948 NetBT - ok
    19:26:20.0453 0948 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
    19:26:20.0453 0948 nm - ok
    19:26:20.0515 0948 NmPar (46253ca6d525c9d90a3dbf0ba0398bc9) C:\WINDOWS\system32\DRIVERS\NmPar.sys
    19:26:20.0515 0948 NmPar - ok
    19:26:20.0562 0948 NPF (6623e51595c0076755c29c00846c4eb2) C:\WINDOWS\system32\drivers\npf.sys
    19:26:20.0593 0948 NPF - ok
    19:26:20.0609 0948 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    19:26:20.0625 0948 Npfs - ok
    19:26:20.0671 0948 NtApm (325ffaeceeace80d2643e6bdc7c1f9e2) C:\WINDOWS\system32\DRIVERS\NtApm.sys
    19:26:20.0687 0948 NtApm - ok
    19:26:20.0750 0948 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    19:26:20.0812 0948 Ntfs - ok
    19:26:20.0859 0948 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    19:26:20.0859 0948 Null - ok
    19:26:21.0390 0948 nv (4b54dcd6adee535df80f07c59ddd8f14) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    19:26:21.0953 0948 nv - ok
    19:26:22.0015 0948 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    19:26:22.0015 0948 NwlnkFlt - ok
    19:26:22.0046 0948 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    19:26:22.0062 0948 NwlnkFwd - ok
    19:26:22.0125 0948 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    19:26:22.0140 0948 Parport - ok
    19:26:22.0187 0948 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    19:26:22.0203 0948 PartMgr - ok
    19:26:22.0250 0948 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    19:26:22.0250 0948 ParVdm - ok
    19:26:22.0296 0948 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    19:26:22.0296 0948 PCI - ok
    19:26:22.0328 0948 PCIDump - ok
    19:26:22.0375 0948 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    19:26:22.0375 0948 PCIIde - ok
    19:26:22.0421 0948 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    19:26:22.0437 0948 Pcmcia - ok
    19:26:22.0468 0948 PDCOMP - ok
    19:26:22.0500 0948 PDFRAME - ok
    19:26:22.0531 0948 PDRELI - ok
    19:26:22.0562 0948 PDRFRAME - ok
    19:26:22.0578 0948 perc2 - ok
    19:26:22.0609 0948 perc2hib - ok
    19:26:22.0734 0948 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    19:26:22.0750 0948 PptpMiniport - ok
    19:26:22.0796 0948 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
    19:26:22.0796 0948 Processor - ok
    19:26:22.0859 0948 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    19:26:22.0875 0948 PSched - ok
    19:26:22.0921 0948 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
    19:26:22.0921 0948 PSI - ok
    19:26:22.0968 0948 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    19:26:22.0984 0948 Ptilink - ok
    19:26:23.0031 0948 PxHelp20 (40fedd328f98245ad201cf5f9f311724) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
    19:26:23.0046 0948 PxHelp20 - ok
    19:26:23.0062 0948 ql1080 - ok
    19:26:23.0093 0948 Ql10wnt - ok
    19:26:23.0125 0948 ql12160 - ok
    19:26:23.0156 0948 ql1240 - ok
    19:26:23.0187 0948 ql1280 - ok
    19:26:23.0234 0948 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    19:26:23.0234 0948 RasAcd - ok
    19:26:23.0296 0948 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    19:26:23.0312 0948 Rasl2tp - ok
    19:26:23.0359 0948 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    19:26:23.0375 0948 RasPppoe - ok
    19:26:23.0406 0948 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    19:26:23.0421 0948 Raspti - ok
    19:26:23.0468 0948 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    19:26:23.0484 0948 Rdbss - ok
    19:26:23.0515 0948 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    19:26:23.0515 0948 RDPCDD - ok
    19:26:23.0562 0948 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    19:26:23.0578 0948 rdpdr - ok
    19:26:23.0640 0948 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
    19:26:23.0656 0948 RDPWD - ok
    19:26:23.0718 0948 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    19:26:23.0734 0948 redbook - ok
    19:26:23.0765 0948 RimUsb - ok
    19:26:23.0812 0948 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
    19:26:23.0828 0948 RimVSerPort - ok
    19:26:23.0875 0948 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
    19:26:23.0875 0948 ROOTMODEM - ok
    19:26:23.0968 0948 RTL8023xp (47b8ea4493ebffb3d6a0e06cd03c5aba) C:\WINDOWS\system32\DRIVERS\FA311XP.SYS
    19:26:23.0984 0948 RTL8023xp - ok
    19:26:24.0031 0948 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
    19:26:24.0031 0948 rtl8139 - ok
    19:26:24.0062 0948 SANDRA - ok
    19:26:24.0093 0948 SBRE - ok
    19:26:24.0171 0948 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    19:26:24.0187 0948 Secdrv - ok
    19:26:24.0265 0948 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
    19:26:24.0328 0948 senfilt - ok
    19:26:24.0375 0948 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    19:26:24.0390 0948 serenum - ok
    19:26:24.0437 0948 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    19:26:24.0453 0948 Serial - ok
    19:26:24.0531 0948 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    19:26:24.0546 0948 Sfloppy - ok
    19:26:24.0578 0948 Simbad - ok
    19:26:24.0625 0948 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    19:26:24.0640 0948 SLIP - ok
    19:26:24.0703 0948 smwdm (86c4d93b7b7818d066c52fdb03c6c921) C:\WINDOWS\system32\drivers\smwdm.sys
    19:26:24.0718 0948 smwdm - ok
    19:26:24.0750 0948 Sparrow - ok
    19:26:24.0843 0948 SPBBCDrv (e87cf104f12c92401c4d33c50a3d5dc8) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
    19:26:24.0843 0948 SPBBCDrv - ok
    19:26:24.0890 0948 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    19:26:24.0890 0948 splitter - ok
    19:26:24.0937 0948 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    19:26:24.0937 0948 sr - ok
    19:26:25.0000 0948 SRTSP (620bbcc5c4c4407447866793c36e1215) C:\WINDOWS\system32\Drivers\SRTSP.SYS
    19:26:25.0015 0948 SRTSP - ok
    19:26:25.0062 0948 SRTSPL (995e15de499ca58445e39a2fba7d170e) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
    19:26:25.0078 0948 SRTSPL - ok
    19:26:25.0140 0948 SRTSPX (1b63f794f283b974a79084514df206a0) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
    19:26:25.0140 0948 SRTSPX - ok
    19:26:25.0203 0948 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    19:26:25.0218 0948 Srv - ok
    19:26:25.0265 0948 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    19:26:25.0281 0948 streamip - ok
    19:26:25.0328 0948 SUSTUCAM (0349f7702b819986c292825c676d00fa) C:\WINDOWS\system32\DRIVERS\sustucam.sys
    19:26:25.0343 0948 SUSTUCAM - ok
    19:26:25.0375 0948 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    19:26:25.0390 0948 swenum - ok
    19:26:25.0421 0948 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    19:26:25.0421 0948 swmidi - ok
    19:26:25.0468 0948 symc810 - ok
    19:26:25.0500 0948 symc8xx - ok
    19:26:25.0562 0948 SymEvent (ab33c3b196197ca467cbdda717860dba) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    19:26:25.0578 0948 SymEvent - ok
    19:26:25.0625 0948 SYMREDRV (394b2368212114d538316812af60fddd) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
    19:26:25.0625 0948 SYMREDRV - ok
    19:26:25.0671 0948 symsnap (a5cf31080e99718949bcc38c83f13452) C:\WINDOWS\system32\DRIVERS\symsnap.sys
    19:26:25.0687 0948 symsnap - ok
    19:26:25.0734 0948 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
    19:26:25.0734 0948 SYMTDI - ok
    19:26:25.0765 0948 sym_hi - ok
    19:26:25.0796 0948 sym_u3 - ok
    19:26:25.0828 0948 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    19:26:25.0828 0948 sysaudio - ok
    19:26:25.0890 0948 SysPlant (c8f9eb4ac42740d036b0b9f0809b335b) C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys
    19:26:25.0890 0948 SysPlant - ok
    19:26:25.0953 0948 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    19:26:25.0968 0948 Tcpip - ok
    19:26:26.0015 0948 Tcpip6 (4e53bbcc4be37d7a4bd6ef1098c89ff7) C:\WINDOWS\system32\DRIVERS\tcpip6.sys
    19:26:26.0031 0948 Tcpip6 - ok
    19:26:26.0125 0948 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    19:26:26.0171 0948 TDPIPE - ok
    19:26:26.0375 0948 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    19:26:26.0421 0948 TDTCP - ok
    19:26:26.0609 0948 Teefer2 (75346634d815c9fda103ae5fada072b3) C:\WINDOWS\system32\DRIVERS\teefer2.sys
    19:26:26.0609 0948 Teefer2 - ok
    19:26:26.0640 0948 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    19:26:26.0656 0948 TermDD - ok
    19:26:26.0687 0948 TosIde - ok
    19:26:26.0750 0948 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys
    19:26:26.0765 0948 tunmp - ok
    19:26:26.0812 0948 TVICHW32 (e266683fc95abdec17cd378564e1b54b) C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS
    19:26:26.0812 0948 TVICHW32 - ok
    19:26:26.0875 0948 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    19:26:26.0875 0948 Udfs - ok
    19:26:26.0906 0948 ultra - ok
    19:26:26.0968 0948 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    19:26:26.0984 0948 Update - ok
    19:26:27.0046 0948 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
    19:26:27.0062 0948 usbaudio - ok
    19:26:27.0109 0948 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    19:26:27.0109 0948 usbccgp - ok
    19:26:27.0156 0948 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    19:26:27.0156 0948 usbehci - ok
    19:26:27.0218 0948 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    19:26:27.0234 0948 usbhub - ok
    19:26:27.0281 0948 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    19:26:27.0281 0948 usbprint - ok
    19:26:27.0312 0948 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    19:26:27.0328 0948 usbscan - ok
    19:26:27.0359 0948 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    19:26:27.0375 0948 USBSTOR - ok
    19:26:27.0406 0948 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    19:26:27.0421 0948 usbuhci - ok
    19:26:27.0468 0948 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
    19:26:27.0484 0948 usbvideo - ok
    19:26:27.0515 0948 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    19:26:27.0515 0948 VgaSave - ok
    19:26:27.0546 0948 ViaIde - ok
    19:26:27.0593 0948 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    19:26:27.0593 0948 VolSnap - ok
    19:26:27.0640 0948 VProEventMonitor (ef3506b04eb9124240b35148eaacbaa5) C:\WINDOWS\system32\DRIVERS\vproeventmonitor.sys
    19:26:27.0656 0948 VProEventMonitor - ok
    19:26:27.0687 0948 vsdatant - ok
    19:26:27.0750 0948 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    19:26:27.0750 0948 Wanarp - ok
    19:26:27.0812 0948 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
    19:26:27.0828 0948 Wdf01000 - ok
    19:26:27.0859 0948 WDICA - ok
    19:26:27.0906 0948 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    19:26:27.0906 0948 wdmaud - ok
    19:26:27.0968 0948 WimFltr (090a2b8f055343815556a01f725f6c35) C:\WINDOWS\system32\DRIVERS\wimfltr.sys
    19:26:27.0984 0948 WimFltr - ok
    19:26:28.0171 0948 WPS (d81ef0d8716500a573cd82185ef3e42d) C:\WINDOWS\system32\drivers\wpsdrvnt.sys
    19:26:28.0171 0948 WPS - ok
    19:26:28.0234 0948 WpsHelper (ff983a25ae6f7d3f87f26bf51f02a201) C:\WINDOWS\system32\drivers\WpsHelper.sys
    19:26:28.0234 0948 WpsHelper - ok
    19:26:28.0281 0948 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    19:26:28.0281 0948 WS2IFSL - ok
    19:26:28.0328 0948 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    19:26:28.0343 0948 WSTCODEC - ok
    19:26:28.0390 0948 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    19:26:28.0406 0948 WudfPf - ok
    19:26:28.0437 0948 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    19:26:28.0453 0948 WudfRd - ok
    19:26:28.0515 0948 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
    19:26:28.0640 0948 \Device\Harddisk0\DR0 - ok
    19:26:28.0640 0948 MBR (0x1B8) (35c6b2fcde68facbefe0a4a7200bae58) \Device\Harddisk1\DR1
    19:26:31.0468 0948 \Device\Harddisk1\DR1 - ok
    19:26:31.0500 0948 MBR (0x1B8) (ad00bc00aca714232fd4768277895154) \Device\Harddisk4\DR8
    19:26:34.0265 0948 \Device\Harddisk4\DR8 - ok
    19:26:34.0281 0948 Boot (0x1200) (89f2c810a8038e78c80a14ff359355e4) \Device\Harddisk0\DR0\Partition0
    19:26:34.0281 0948 \Device\Harddisk0\DR0\Partition0 - ok
    19:26:34.0281 0948 Boot (0x1200) (cd642ed4c466c642e62839d2aa735447) \Device\Harddisk1\DR1\Partition0
    19:26:34.0281 0948 \Device\Harddisk1\DR1\Partition0 - ok
    19:26:34.0312 0948 Boot (0x1200) (9ff7978c0fd761f6f674dbafa692ffc1) \Device\Harddisk4\DR8\Partition0
    19:26:34.0312 0948 \Device\Harddisk4\DR8\Partition0 - ok
    19:26:34.0312 0948 ============================================================
    19:26:34.0312 0948 Scan finished
    19:26:34.0312 0948 ============================================================
    19:26:34.0343 0940 Detected object count: 0
    19:26:34.0343 0940 Actual detected object count: 0
    19:26:44.0828 0916 Deinitialize success

    These results are the same as those I included in my first post. Apparently, there is no evidence of the rootkit detectable by TDSSKiller. Yet the rootkit has created "hooks" into my system, attempts to "call home" on a regular basis, and attempts to receive calls from "home."
     
  14. Broni

    Broni, Malware Annihilator

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\tasks\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
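    Once OTL.txt is posted, the "Win32 Services" and "Driver Services" sections are the first place to look for leftover registrations: service keys whose binary is gone, drivers with no vendor in their version info, and names that look machine-generated. The script below is an added example, not part of this thread and not OTL's own code. It parses the SRV/DRV line format OTL emits (including company names that themselves contain parentheses) and flags entries worth a second look. The flag names, the vowel-ratio heuristic and its 0.15 threshold are my own choices; the sample input is a handful of lines copied from the OTL.txt posted in this thread so the script runs offline. A flag means "check this", not "this is malicious": keys orphaned by an ordinary uninstall produce exactly the same "File not found" signal as the remains of a rootkit, so each hit still needs a human (or a hash lookup) to decide.

```python
"""Triage the SRV/DRV sections of an OTL.txt log (added example, not OTL's code)."""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# OTL writes one of two shapes per service/driver:
#   SRV - [2012/01/13 14:53:18 | 000,652,360 | ---- | M] (Vendor) [Auto | Running] -- C:\path\svc.exe -- (KeyName)
#   DRV - File not found [Kernel | On_Demand | Stopped] -- -- (KeyName) optional display name
# The company field may itself contain parentheses, hence the lazy match plus lookahead.
OTL_LINE = re.compile(r"""
    ^(?P<kind>SRV|DRV)\s+-\s+
    (?:
        (?P<missing>File\ not\ found)
      | \[(?P<mtime>[^|\]]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*\((?P<company>.*?)\)(?=\s*\[)
    )
    \s*\[(?P<flags>[^\]]*)\]\s*--\s*(?P<path>.*?)\s*--\s*\((?P<name>[^)]*)\)\s*(?P<display>.*)$
""", re.VERBOSE)

VOWELS = set("aeiouAEIOU")
VOWEL_RATIO_FLOOR = 0.15   # heuristic threshold (my choice, not OTL's); tune to taste


@dataclass
class Entry:
    kind: str                 # "SRV" (Win32 service) or "DRV" (driver)
    name: str                 # key name under HKLM\SYSTEM\CurrentControlSet\Services
    path: Optional[str]       # None when OTL reported "File not found"
    company: str              # company from the file's version info, "" if absent
    start: str                # Auto / On_Demand / Disabled / System / Boot
    state: str                # Running / Stopped / Unknown
    display: str = ""         # display name OTL appends to some entries
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one OTL SRV/DRV line; return None for any other line."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    parts = [p.strip() for p in m.group("flags").split("|")]
    # SRV lines carry [start | state]; DRV lines carry [type | start | state].
    start, state = (parts[-2], parts[-1]) if len(parts) >= 2 else ("", parts[-1])
    return Entry(
        kind=m.group("kind"),
        name=m.group("name"),
        path=None if m.group("missing") else m.group("path"),
        company=(m.group("company") or "").strip(),
        start=start,
        state=state,
        display=m.group("display").strip(),
    )


def parse_log(lines) -> List[Entry]:
    """All SRV/DRV entries in the given lines, in file order."""
    return [e for e in (parse_entry(line) for line in lines) if e is not None]


def low_vowel_ratio(name: str) -> bool:
    """Weak hint for generated names: few vowels among at least six letters."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < VOWEL_RATIO_FLOOR


def triage(lines) -> Dict[str, Entry]:
    """Return the entries that deserve a second look, keyed by service name."""
    flagged: Dict[str, Entry] = {}
    for e in parse_log(lines):
        if e.path is None:
            e.flags.append("missing-file")     # registry key survives, binary does not
        elif not e.company:
            e.flags.append("no-company")       # binary present but no vendor in version info
        if e.state == "Unknown":
            e.flags.append("state-unknown")    # OTL could not report Running/Stopped
        if e.flags and low_vowel_ratio(e.name):
            e.flags.append("odd-name")         # only ever added on top of another flag
        if e.flags:
            flagged[e.name] = e
    return flagged


# Sample input: lines copied from the OTL.txt posted in this thread, in the
# format the scan above produces. Pipe the real file on stdin to use the script.
SAMPLE_OTL = r"""
========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (Rasccgrr_n)
SRV - File not found [On_Demand | Stopped] -- -- (NFCTQRHV)
SRV - File not found [On_Demand | Stopped] -- -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2012/01/13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Unknown] -- -- (ugtdapod)
DRV - [2010/03/17 15:53:38 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2009/12/18 09:58:52 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)
DRV - [2009/09/03 16:03:48 | 000,188,080 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OTL
    for name, e in triage(text.splitlines()).items():
        print(f"{e.kind} {name:<14} {', '.join(e.flags):<28} {e.path or '(no file)'} {e.display}")
```

    Run as `python otl_triage.py < OTL.txt`. On the sample lines it reports the three "File not found" services, the driver whose state OTL could not read, and the driver with no company name, while the Malwarebytes and Symantec entries pass. The "odd-name" hint is deliberately never reported on its own, because legitimate drivers (SYMTDI, SPBBCDrv) have just as few vowels as generated names.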
     
  15. jdeeganjr

    jdeeganjr, TS Rookie, Topic Starter

    Results From the OTL Scan - Part 1

    Here are the results from the file OTL.txt

    OTL logfile created on: 3/10/2012 9:15:01 PM - Run 1
    OTL by OldTimer - Version 3.2.36.3 Folder = C:\Documents and Settings\jdeegan\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.39 Gb Available Physical Memory | 69.68% Memory free
    4.85 Gb Paging File | 4.45 Gb Available in Paging File | 91.77% Paging File free
    Paging file location(s): D:\pagefile.sys 3067 4096 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 114.48 Gb Total Space | 82.92 Gb Free Space | 72.43% Space Free | Partition Type: NTFS
    Drive D: | 114.49 Gb Total Space | 43.63 Gb Free Space | 38.11% Space Free | Partition Type: NTFS
    Drive F: | 434.05 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
    Drive G: | 124.72 Mb Total Space | 38.26 Mb Free Space | 30.68% Space Free | Partition Type: FAT

    Computer Name: DEEGAN | User Name: jdeegan | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/03/10 21:09:08 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jdeegan\Desktop\OTL.exe
    PRC - [2012/01/13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    PRC - [2011/11/04 14:40:06 | 000,687,400 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Update\NASvc.exe
    PRC - [2011/09/29 14:43:40 | 001,851,224 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    PRC - [2011/09/29 14:39:56 | 001,906,200 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    PRC - [2011/09/29 14:38:16 | 001,471,904 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    PRC - [2011/08/25 17:53:00 | 000,013,672 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
    PRC - [2011/06/23 23:44:06 | 000,115,624 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    PRC - [2011/06/23 23:43:46 | 000,108,456 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    PRC - [2010/12/21 07:04:30 | 000,399,416 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\sua.exe
    PRC - [2010/03/03 19:39:38 | 004,590,432 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    PRC - [2009/09/21 20:19:20 | 001,964,528 | ---- | M] (Symantec) -- C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
    PRC - [2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2007/11/06 08:37:56 | 000,734,472 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    PRC - [2007/11/06 08:37:48 | 000,414,984 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    PRC - [2007/02/20 20:35:02 | 000,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
    PRC - [2000/09/11 09:43:02 | 000,090,112 | ---- | M] (Ziff Davis Media, Inc.) -- C:\Program Files\ClockRack\ClockRack.exe
    PRC - [2000/05/20 16:23:48 | 000,086,016 | ---- | M] () -- C:\WINDOWS\StartupMonitor.exe


    ========== Modules (No Company Name) ==========

    MOD - [2012/02/21 16:24:34 | 000,221,696 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.ServiceProce#\d7fbfc6836ce7e53486ddb79b598ca8d\System.ServiceProcess.ni.dll
    MOD - [2012/02/21 16:19:56 | 000,762,368 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Runtime.Remo#\01e360ed3a3cb2b0a3c47c7f3eb09e58\System.Runtime.Remoting.ni.dll
    MOD - [2012/02/21 16:19:52 | 000,786,944 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.EnterpriseSe#\47a2b7b2fa872de3078d49d0a4c10cb2\System.EnterpriseServices.ni.dll
    MOD - [2012/02/21 16:19:50 | 000,646,656 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Transactions\c3a03bb69e38f5ed9ebce72d48a722ef\System.Transactions.ni.dll
    MOD - [2012/02/21 16:10:18 | 013,137,920 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\f28df9c2988724883cf19532d7f9f151\System.Windows.Forms.ni.dll
    MOD - [2012/02/21 16:09:45 | 000,980,480 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Configuration\363b05dd092178671e56531a9c4999b6\System.Configuration.ni.dll
    MOD - [2012/02/21 16:09:41 | 005,618,176 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Xml\21071fcc838660d96f10920c4c3cd206\System.Xml.ni.dll
    MOD - [2012/02/21 16:09:29 | 006,798,336 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Data\97586cdb698c29ba95fd83e44a0c0ca6\System.Data.ni.dll
    MOD - [2012/02/21 16:09:16 | 007,054,336 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Core\a2b1103ad3d9f329e0c9164994137c81\System.Core.ni.dll
    MOD - [2012/02/21 16:08:57 | 001,652,736 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\2ff57b810eb920860469184dd683cb8a\System.Drawing.ni.dll
    MOD - [2012/02/21 16:08:51 | 009,090,560 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System\3ff4657a86a0e14b4be577969e0ec762\System.ni.dll
    MOD - [2011/12/14 16:23:20 | 014,407,680 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\mscorlib\52f4f785f7cf45a64606a8e13c8cf04c\mscorlib.ni.dll
    MOD - [2007/11/06 08:38:10 | 000,365,832 | ---- | M] () -- C:\Program Files\Raxco\PerfectDisk\sqlite3.dll
    MOD - [2007/11/06 08:37:54 | 000,075,016 | ---- | M] () -- C:\Program Files\Raxco\PerfectDisk\PDDb.dll
    MOD - [2007/01/13 19:06:10 | 000,657,920 | ---- | M] () -- C:\Program Files\File Shredder\fsshell.dll
    MOD - [2000/05/20 16:23:48 | 000,086,016 | ---- | M] () -- C:\WINDOWS\StartupMonitor.exe


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- -- (SandraAgentSrv)
    SRV - File not found [On_Demand | Stopped] -- -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
    SRV - File not found [Auto | Stopped] -- -- (RoxLiveShare9)
    SRV - File not found [Disabled | Stopped] -- -- (Rasccgrr_n)
    SRV - File not found [On_Demand | Stopped] -- -- (NFCTQRHV)
    SRV - File not found [Disabled | Stopped] -- -- (HidServ)
    SRV - File not found [Disabled | Stopped] -- -- (AMPingService)
    SRV - [2012/01/13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2011/11/04 14:40:06 | 000,687,400 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Nero\Update\NASvc.exe -- (NAUpdate)
    SRV - [2011/09/29 14:43:40 | 001,851,224 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
    SRV - [2011/09/29 14:39:56 | 001,906,200 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
    SRV - [2011/09/29 14:15:56 | 000,357,808 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
    SRV - [2011/08/25 17:53:00 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe -- (IntuitUpdateServiceV4)
    SRV - [2011/06/23 23:43:46 | 000,108,456 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
    SRV - [2011/06/23 23:43:46 | 000,108,456 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
    SRV - [2010/12/21 07:04:30 | 000,987,704 | ---- | M] (Secunia) [On_Demand | Stopped] -- C:\Program Files\Secunia\PSI\PSIA.exe -- (Secunia PSI Agent)
    SRV - [2010/12/21 07:04:30 | 000,399,416 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\sua.exe -- (Secunia Update Agent)
    SRV - [2010/03/03 19:39:38 | 004,590,432 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Ghost\Agent\VProSvc.exe -- (Norton Ghost)
    SRV - [2010/02/19 12:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
    SRV - [2010/02/17 10:53:18 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
    SRV - [2010/02/12 07:09:06 | 001,574,408 | ---- | M] (Symantec) [On_Demand | Stopped] -- C:\Program Files\Norton Ghost\Shared\Drivers\GenericMountHelper.exe -- (GenericMount Helper Service)
    SRV - [2009/09/26 18:33:19 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2009/09/21 20:19:20 | 001,964,528 | ---- | M] (Symantec) [On_Demand | Running] -- C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe -- (SymSnapService)
    SRV - [2007/11/06 08:37:56 | 000,734,472 | ---- | M] (Raxco Software, Inc.) [On_Demand | Running] -- C:\Program Files\Raxco\PerfectDisk\PDEngine.exe -- (PDEngine)
    SRV - [2007/11/06 08:37:48 | 000,414,984 | ---- | M] (Raxco Software, Inc.) [Auto | Running] -- C:\Program Files\Raxco\PerfectDisk\PDAgent.exe -- (PDAgent)
    SRV - [2007/02/20 20:35:02 | 000,073,728 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (vsdatant)
    DRV - File not found [Kernel | On_Demand | Unknown] -- -- (ugtdapod)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (SBRE)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (SANDRA)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (RimUsb)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (MRENDIS5)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (MREMPR5)
    DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (EL90XBC)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (cpuz132)
    DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (catchme)
    DRV - [2012/03/09 01:00:00 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120309.002\NAVEX15.SYS -- (NAVEX15)
    DRV - [2012/03/09 01:00:00 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120309.002\NAVENG.SYS -- (NAVENG)
    DRV - [2012/02/21 15:37:45 | 000,126,584 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
    DRV - [2012/02/03 04:00:00 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
    DRV - [2012/02/03 04:00:00 | 000,106,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
    DRV - [2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
    DRV - [2011/09/29 14:39:58 | 000,099,744 | ---- | M] (Symantec Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys -- (SysPlant)
    DRV - [2011/09/29 14:38:56 | 000,043,936 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\WPSDRVnt.sys -- (WPS)
    DRV - [2011/09/07 18:35:56 | 000,321,016 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
    DRV - [2011/09/07 18:35:56 | 000,287,352 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
    DRV - [2011/09/07 18:35:56 | 000,043,768 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
    DRV - [2011/06/22 19:05:28 | 000,167,936 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wpshelper.sys -- (WpsHelper)
    DRV - [2010/12/21 16:25:02 | 000,034,064 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
    DRV - [2010/12/10 18:48:54 | 000,067,520 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Teefer2.sys -- (Teefer2)
    DRV - [2010/09/01 03:30:58 | 000,015,544 | ---- | M] (Secunia) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
    DRV - [2010/03/17 15:53:38 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
    DRV - [2010/03/17 15:53:22 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
    DRV - [2010/02/12 07:10:12 | 000,057,840 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GenericMount.sys -- (GenericMount)
    DRV - [2010/02/11 07:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
    DRV - [2009/12/18 15:42:12 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
    DRV - [2009/12/18 09:58:52 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)
    DRV - [2009/10/01 22:03:40 | 000,131,000 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WimFltr.sys -- (WimFltr)
    DRV - [2009/09/21 20:40:14 | 000,015,096 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vproeventmonitor.sys -- (VProEventMonitor)
    DRV - [2009/09/21 20:20:42 | 000,138,592 | ---- | M] (StorageCraft) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symsnap.sys -- (symsnap)
    DRV - [2009/09/03 16:03:48 | 000,188,080 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
    DRV - [2009/09/03 16:03:48 | 000,026,416 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
    DRV - [2008/11/18 18:17:08 | 000,023,888 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\COH_Mon.sys -- (COH_Mon)
    DRV - [2008/04/13 23:23:10 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
    DRV - [2008/04/13 23:06:42 | 000,063,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mf.sys -- (mf)
    DRV - [2008/04/13 21:05:40 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
    DRV - [2008/04/09 08:28:44 | 000,080,512 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NmPar.sys -- (NmPar)
    DRV - [2008/02/20 20:19:56 | 000,030,816 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)
    DRV - [2007/10/22 05:33:40 | 000,068,624 | ---- | M] (Raxco Software, Inc.) [File_System | Boot | Running] -- C:\WINDOWS\System32\drivers\DefragFs.sys -- (DefragFS)
    DRV - [2007/04/04 18:50:54 | 000,038,272 | ---- | M] (Susteen, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sustucam.sys -- (SUSTUCAM)
    DRV - [2006/01/24 16:38:40 | 000,078,720 | ---- | M] (Netgear Inc. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\FA311XP.SYS -- (RTL8023xp)
    DRV - [2005/08/18 18:22:30 | 000,110,080 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
    DRV - [2005/05/17 03:51:34 | 000,005,315 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
    DRV - [2004/10/25 20:22:50 | 000,002,410 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\FreshDevices\FreshDiagnose\FreshIO.sys -- (FreshIO)
    DRV - [2004/09/17 10:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
    DRV - [2002/08/29 07:00:00 | 000,009,344 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ntapm.sys -- (NtApm)
    DRV - [2002/07/17 07:53:02 | 000,016,877 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (Aspi32)
    DRV - [2001/08/17 07:49:00 | 000,075,136 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atimpae.sys -- (atirage3)
    DRV - [2001/08/17 07:19:28 | 000,072,832 | ---- | M] (Crystal Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\cwbwdm.sys -- (cwbwdm_device)
    DRV - [2001/08/17 07:19:26 | 000,003,072 | ---- | M] (Crystal Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\cwbmidi.sys -- (cwbmidi_device)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.myheritage.com
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
    IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
    IE - HKLM\..\SearchScopes\{BE28C22E-F666-424d-B5FD-125C4AFEE34E}: "URL" = http://search.myheritage.com?orig=ds&q={searchTerms}


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
    IE - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    IE - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
    IE - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    IE - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/q?s=^DJI&d=t
    IE - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKU\S-1-5-21-602162358-1060284298-854245398-1003\..\SearchScopes,DefaultScope = {3C73980A-5208-4E5E-91FA-C9D438A43715}
    IE - HKU\S-1-5-21-602162358-1060284298-854245398-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
    IE - HKU\S-1-5-21-602162358-1060284298-854245398-1003\..\SearchScopes\{3C73980A-5208-4E5E-91FA-C9D438A43715}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGLL_en
    IE - HKU\S-1-5-21-602162358-1060284298-854245398-1003\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
    IE - HKU\S-1-5-21-602162358-1060284298-854245398-1003\..\SearchScopes\{BE28C22E-F666-424d-B5FD-125C4AFEE34E}: "URL" = http://search.myheritage.com?orig=ds&q={searchTerms}
    IE - HKU\S-1-5-21-602162358-1060284298-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpWinExt,version=4.0: File not found
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Alcatel-Lucent)
    FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: File not found
    FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2010/12/23 10:00:47 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2011/03/27 17:39:19 | 000,000,768 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: 127.0.0.1 activate.adobe.com
    O2 - BHO: (RoboForm Toolbar Helper) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
    O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O2 - BHO: (no name) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - No CLSID value found.
    O2 - BHO: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKLM\..\Toolbar: (&RoboForm Toolbar) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
    O3 - HKLM\..\Toolbar: (no name) - {8dcb7100-df86-4384-8842-8fa844297b3f} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O3 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\..\Toolbar\ShellBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\..\Toolbar\WebBrowser: (&RoboForm Toolbar) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
    O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
    O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
    O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe ()
    O4 - HKLM..\Run: [Run StartupMonitor] C:\WINDOWS\StartupMonitor.exe ()
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ClockRack.lnk = C:\Program Files\ClockRack\ClockRack.exe (Ziff Davis Media, Inc.)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: verbosestatus = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 01 00 00 00 [binary data]
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyDocs = 1
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 1
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetworkConnections = [binary data]
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 80 FF FF 03 [binary data]
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSharedDocuments = [binary data]
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFind = 0
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSimpleStartMenu = 1
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuPinnedList = 0
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoUserNameInStartMenu = 0
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LockTaskbar = 1
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarsOnTaskbar = 1
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFileMenu = 0
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarCustomize = 0
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisallowRun = 0
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 0
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 1
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoChangeAnimation = 0
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoChangeKeyboardNavigationIndicators = 0
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoThemesTab = 0
    O7 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispCPL = 0
    O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Customize Menu - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()
    O8 - Extra context menu item: Fill Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html File not found
    O8 - Extra context menu item: Save Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
    O8 - Extra context menu item: Show RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
    O15 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
    O15 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\..Trusted Domains: turbotax.com ([]https in Trusted sites)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
    O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab (Reg Error: Key error.)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Key error.)
    O16 - DPF: {4B48D5DF-9021-45F7-A240-60304302A215} http://download.microsoft.com/download/b/d/b/bdb4e4ee-63b2-45ff-9d84-33205bf43143/WebCleaner.cab (Reg Error: Key error.)
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe (Reg Error: Key error.)
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab (GMNRev Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38130.7132638889 (Reg Error: Key error.)
    O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} http://support.dell.com/systemprofiler/DellSystemLite.CAB (DellSystemLite.Scanner)
    O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab (SysInfo Class)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: DirectAnimation Java Classes (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A0DF70B4-C142-47D6-8143-48BD5A3428A9}: DhcpNameServer = 192.168.1.254 192.168.1.254
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{CA4E9F1E-78A8-486E-987E-BC3E100469FD}: DhcpNameServer = 192.168.1.1
    O18 - Protocol\Handler\x-excid {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\WINDOWS\Downloaded Program Files\mimectl.dll ()
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2012/02/26 12:00:00 | 000,000,000 | -HS- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: HidServ - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.l3acm - C:\WINDOWS\System32\l3codecx.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.tscc - C:\WINDOWS\System32\tsccvid.dll (TechSmith Corporation)
    Drivers32: VIDC.WMV3 - C:\WINDOWS\System32\wmv9vcm.dll (Microsoft Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/03/10 21:13:15 | 000,594,944 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\jdeegan\Desktop\OTL.exe
    [2012/03/10 19:25:54 | 002,063,920 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\jdeegan\Desktop\TDSSKiller.exe
    [2012/03/09 18:31:52 | 000,000,000 | ---D | C] -- C:\SERT
    [2012/03/09 18:29:34 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2012/03/09 17:56:05 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2012/03/09 17:56:05 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2012/03/09 17:56:05 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2012/03/09 17:56:05 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2012/03/09 17:55:55 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2012/03/09 17:37:26 | 000,000,000 | ---D | C] -- C:\Virus Logs
    [2012/03/09 17:23:36 | 000,000,000 | ---D | C] -- C:\Program Files\Boot Cleaner
    [2012/03/09 17:23:16 | 000,083,968 | ---- | C] (Esage Lab) -- C:\Documents and Settings\jdeegan\Desktop\boot_cleaner.exe
    [2012/03/09 13:56:42 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec Support Tool
    [2012/03/06 20:11:09 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\jdeegan\Desktop\dds.scr
    [2012/03/06 13:43:38 | 000,091,305 | ---- | C] (Eicon Technology) -- C:\WINDOWS\System32\dllcache\dimaint.sys
    [2012/03/06 13:35:11 | 000,000,000 | ---D | C] -- C:\Program Files\Tweaking.com
    [2012/03/06 13:32:49 | 000,000,000 | ---D | C] -- C:\Program Files\RKill
    [2012/03/06 12:29:18 | 000,000,000 | ---D | C] -- C:\Program Files\EMSISoft
    [2012/03/06 11:04:04 | 000,335,504 | ---- | C] (BitDefender S.R.L.) -- C:\WINDOWS\System32\drivers\TrufosAlt.sys
    [2012/03/06 11:03:42 | 000,000,000 | ---D | C] -- C:\Program Files\Bit Defender Root Kit
    [2012/03/06 10:26:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jdeegan\Application Data\FixZeroAccess
    [2012/03/06 10:25:40 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec Fix Zero Access
    [2012/03/06 10:16:49 | 000,000,000 | ---D | C] -- C:\Program Files\Stinger
    [2012/03/06 09:44:14 | 000,000,000 | ---D | C] -- C:\Program Files\Root Kit Revealer
    [2012/03/06 09:31:21 | 000,000,000 | ---D | C] -- C:\Program Files\GMER
    [2012/03/06 09:30:18 | 000,000,000 | ---D | C] -- C:\Program Files\aswMBR
    [2012/03/05 18:21:04 | 000,000,000 | ---D | C] -- C:\Program Files\Hijack This
    [2012/03/05 18:19:24 | 000,000,000 | ---D | C] -- C:\Program Files\Root Kit Buster
    [2012/03/05 17:52:42 | 000,205,072 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
    [2012/03/04 21:40:13 | 000,000,000 | ---D | C] -- C:\Program Files\File Monitor
    [2012/03/01 09:25:28 | 000,000,000 | ---D | C] -- C:\Data\FFOutput
    [2012/02/29 13:26:35 | 000,000,000 | ---D | C] -- C:\Data\TurboTax
    [2012/02/28 11:46:22 | 000,000,000 | ---D | C] -- C:\Data\Quicken
    [2012/02/28 10:53:28 | 000,000,000 | ---D | C] -- C:\Data\Quicken-2012-02-28
    [2012/02/28 10:20:31 | 004,200,024 | ---- | C] (Amyuni Technologies
    http://www.amyuni.com) -- C:\WINDOWS\System32\cdintf400.dll
    [2012/02/28 10:20:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Quicken 2012
    [2012/02/28 10:20:07 | 000,000,000 | ---D | C] -- C:\Program Files\Quicken
    [2012/02/27 10:44:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\jdeegan\Application Data\Malwarebytes
    [2012/02/27 10:44:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2012/02/27 10:44:52 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2012/02/27 10:44:52 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012/02/21 15:55:40 | 000,000,000 | ---D | C] -- C:\Program Files\Defraggler
    [2012/02/21 15:52:59 | 000,000,000 | ---D | C] -- C:\Program Files\Kaspersky-Root-Kit-Killer
    [2012/02/21 15:12:26 | 000,000,000 | ---D | C] -- C:\Program Files\License-Crawler
    [2012/02/21 15:02:34 | 000,000,000 | ---D | C] -- C:\Data\Windows Live Mail
    [2012/02/21 15:02:34 | 000,000,000 | ---D | C] -- C:\Data\Temp
    [2012/02/21 15:02:25 | 000,000,000 | ---D | C] -- C:\Data\Taxes
    [2012/02/21 15:02:25 | 000,000,000 | ---D | C] -- C:\Data\RoboType
    [2012/02/21 15:02:19 | 000,000,000 | ---D | C] -- C:\Data\RoboForm
    [2012/02/21 15:02:15 | 000,000,000 | ---D | C] -- C:\Data\Quicken-Version-11
    [2012/02/21 15:01:47 | 000,000,000 | ---D | C] -- C:\Data\Photoshop Creative
    [2012/02/21 15:01:47 | 000,000,000 | ---D | C] -- C:\Data\PAB
    [2012/02/21 15:01:47 | 000,000,000 | ---D | C] -- C:\Data\My Videos
    [2012/02/21 15:01:46 | 000,000,000 | ---D | C] -- C:\Data\My Registry Distiller Logs
    [2012/02/21 15:01:46 | 000,000,000 | ---D | C] -- C:\Data\My Pictures
    [2012/02/21 15:01:46 | 000,000,000 | ---D | C] -- C:\Data\My Music
    [2012/02/21 15:01:45 | 000,000,000 | ---D | C] -- C:\Data\Miscellaneous
    [2012/02/21 15:01:45 | 000,000,000 | ---D | C] -- C:\Data\KeyFinder
    [2012/02/21 14:53:31 | 000,000,000 | ---D | C] -- C:\Data\Graphics
    [2012/02/21 14:53:31 | 000,000,000 | ---D | C] -- C:\Data\Family Lawyer
    [2012/02/21 14:53:31 | 000,000,000 | ---D | C] -- C:\Data\Expstudio Audio Editor
    [2012/02/21 14:53:30 | 000,000,000 | ---D | C] -- C:\Data\Draft
    [2012/02/21 14:53:29 | 000,000,000 | ---D | C] -- C:\Data\Dell-Documentation
    [2012/02/21 14:44:42 | 000,000,000 | ---D | C] -- C:\Data\Deegan
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/03/10 21:09:08 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jdeegan\Desktop\OTL.exe
    [2012/03/10 19:21:26 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/03/10 19:20:58 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
    [2012/03/10 19:20:36 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
    [2012/03/09 18:29:40 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2012/03/09 17:46:12 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\jdeegan\Desktop\rkill.exe
    [2012/03/09 17:45:18 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\jdeegan\Desktop\rkill.com
    [2012/03/09 14:08:23 | 000,002,627 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Nero Burning ROM 10.lnk
    [2012/03/07 16:55:18 | 001,401,344 | ---- | M] () -- C:\Documents and Settings\jdeegan\Desktop\HijackThis-2.msi
    [2012/03/07 16:54:52 | 001,401,344 | ---- | M] () -- C:\Documents and Settings\jdeegan\Desktop\HijackThis.msi
    [2012/03/07 08:42:05 | 000,000,046 | ---- | M] () -- C:\WINDOWS\System32\_WKERNEL.FRE
    [2012/03/06 20:11:12 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\jdeegan\Desktop\dds.scr
    [2012/03/06 20:09:42 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\jdeegan\Desktop\GMER.exe
    [2012/03/06 11:04:05 | 000,335,504 | ---- | M] (BitDefender S.R.L.) -- C:\WINDOWS\System32\drivers\TrufosAlt.sys
    [2012/03/05 17:52:41 | 000,205,072 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
    [2012/03/05 11:24:50 | 002,063,920 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\jdeegan\Desktop\TDSSKiller.exe
    [2012/03/04 14:43:29 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2012/03/01 09:31:06 | 000,002,676 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
    [2012/02/28 10:20:26 | 000,000,120 | ---- | M] () -- C:\WINDOWS\QUICKEN.INI
    [2012/02/26 12:00:00 | 000,250,048 | -HS- | M] () -- C:\ntldr
    [2012/02/26 12:00:00 | 000,047,564 | -HS- | M] () -- C:\ntdetect.com
    [2012/02/26 12:00:00 | 000,034,816 | ---- | M] () -- C:\Documents and Settings\jdeegan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/02/26 12:00:00 | 000,001,526 | ---- | M] () -- C:\Documents and Settings\jdeegan\Local Settings\Application Data\FASTWiz.html
    [2012/02/26 12:00:00 | 000,000,690 | ---- | M] () -- C:\Documents and Settings\jdeegan\Local Settings\Application Data\FASTApp.html
    [2012/02/26 12:00:00 | 000,000,256 | ---- | M] () -- C:\Documents and Settings\jdeegan\pool.bin
    [2012/02/26 12:00:00 | 000,000,132 | ---- | M] () -- C:\Documents and Settings\jdeegan\Application Data\Adobe BMP Format CS5 Prefs
    [2012/02/26 12:00:00 | 000,000,130 | ---- | M] () -- C:\Documents and Settings\jdeegan\Local Settings\Application Data\fusioncache.dat
    [2012/02/26 12:00:00 | 000,000,000 | -HS- | M] () -- C:\msdos.sys
    [2012/02/26 12:00:00 | 000,000,000 | -HS- | M] () -- C:\io.sys
    [2012/02/26 12:00:00 | 000,000,000 | -HS- | M] () -- C:\config.sys
    [2012/02/26 12:00:00 | 000,000,000 | -HS- | M] () -- C:\autoexec.bat
    [2012/02/21 16:30:58 | 003,672,048 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2012/02/21 16:12:46 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2012/02/21 16:07:32 | 000,503,106 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2012/02/21 16:07:32 | 000,086,464 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2012/02/21 15:37:45 | 000,126,584 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
    [2012/02/21 15:37:45 | 000,060,872 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
    [2012/02/21 15:37:45 | 000,007,468 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
    [2012/02/21 15:37:45 | 000,000,806 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

  16. jdeeganjr

    Results From the OTL Scan - Part 2

    ========== Files Created - No Company Name ==========

    [2012/03/09 20:48:55 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\jdeegan\Desktop\rkill.exe
    [2012/03/09 20:48:48 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\jdeegan\Desktop\rkill.com
    [2012/03/09 18:29:40 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2012/03/09 18:29:39 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2012/03/09 17:56:05 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2012/03/09 17:56:05 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2012/03/09 17:56:05 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2012/03/09 17:56:05 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2012/03/09 17:56:05 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2012/03/09 09:28:36 | 000,001,526 | ---- | C] () -- C:\Documents and Settings\jdeegan\Desktop\Notepad.lnk
    [2012/03/07 16:55:18 | 001,401,344 | ---- | C] () -- C:\Documents and Settings\jdeegan\Desktop\HijackThis-2.msi
    [2012/03/07 16:54:51 | 001,401,344 | ---- | C] () -- C:\Documents and Settings\jdeegan\Desktop\HijackThis.msi
    [2012/03/06 20:09:40 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\jdeegan\Desktop\GMER.exe
    [2012/02/21 15:59:25 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2012/02/21 15:59:25 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
    [2012/02/05 15:57:54 | 000,285,176 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
    [2012/02/05 15:57:54 | 000,285,176 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
    [2012/02/05 15:57:54 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
    [2012/02/05 15:57:22 | 002,130,002 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data
    [2011/11/24 16:22:40 | 001,926,500 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-602162358-1060284298-854245398-1003-0.dat
    [2011/11/24 16:22:38 | 000,431,818 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
    [2011/11/24 14:12:36 | 000,000,590 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.400.32.bc
    [2011/11/10 14:23:16 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\jdeegan\Application Data\Adobe BMP Format CS5 Prefs
    [2011/10/24 18:17:10 | 000,042,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\EUBKMON.sys
    [2011/05/31 18:06:48 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
    [2011/03/30 15:37:00 | 000,000,033 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\{081230F8-EA50-42A9-983C-D22ABC2EED3B}.ini
    [2011/03/07 19:09:25 | 000,117,103 | ---- | C] () -- C:\WINDOWS\hpoins11.dat
    [2011/03/07 17:04:03 | 000,011,634 | ---- | C] () -- C:\WINDOWS\hpomdl11.dat
    [2011/02/10 12:09:43 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/01/28 21:31:24 | 000,215,144 | R--- | C] () -- C:\WINDOWS\pw32a0.dll
    [2011/01/14 12:54:32 | 000,000,120 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
    [2010/12/22 16:42:32 | 000,000,087 | ---- | C] () -- C:\WINDOWS\winDecrypt.INI
    [2010/12/22 16:10:28 | 000,001,024 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sowdp88.dat
    [2010/12/22 16:10:26 | 000,000,048 | ---- | C] () -- C:\WINDOWS\System32\pdfutil.ini
    [2010/08/13 15:43:51 | 002,861,696 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2010/06/13 18:45:43 | 003,128,792 | ---- | C] () -- C:\WINDOWS\rapidui.exe
    [2010/05/06 08:37:48 | 000,000,221 | ---- | C] () -- C:\WINDOWS\NCLogConfig.ini
    [2010/03/16 18:51:40 | 000,021,504 | ---- | C] () -- C:\WINDOWS\System32\WBCustomizer.dll

    ========== LOP Check ==========

    [2012/02/05 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund LLC
    [2012/02/05 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund Software
    [2012/02/05 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FreeRIP
    [2012/02/05 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\logs
    [2012/02/05 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MyHeritage
    [2012/02/05 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
    [2012/02/05 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
    [2012/02/05 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\r2 Studios
    [2012/02/05 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\regid.1986-12.com.adobe
    [2012/02/05 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RoboForm
    [2012/02/05 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SurfAnonymousFree
    [2012/02/05 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SystemOptimizeExpert
    [2012/02/05 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2012/02/05 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    [2012/02/05 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
    [2012/02/05 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{1C6FDDD8-FC9E-4C12-9FA5-1AAD377097B3}
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\aignes
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\AKVIS LLC
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\Broderbund Software
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\CoreFTP
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\DBsign
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\eXPert PDF Reader
    [2012/03/06 10:26:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\FixZeroAccess
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\Free Audio Converter
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\FreeAudioPack
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\FreeCDRipper
    [2012/03/04 16:05:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\FreshDiagnose
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\Game Copy Wizard
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\GetRightToGo
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\GlarySoft
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\IEPro
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\Image Zone Express
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\IObit
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\IsolatedStorage
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\JLC's Software
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\KLS Soft
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\Leadertech
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\Millennia
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\MiniDm
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\Moyea
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\MPEG Streamclip
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\MyHeritage
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\NCH Swift Sound
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\nCleaner
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\OfficeUpdate12
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\Orbit
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\OrgPlus6
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\PandoraRecovery
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\PCMagazine
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\ProtectStar
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\r2 Studios
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\SPE
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\Static Windows Live Mail Backup
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\SurfAnonymousFree
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\SystemOptimizeExpert
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\Systenance
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\TechWizard
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\The Complete Genealogy Reporter - FTB
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\TweakNow PowerPack
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\TweakNow PowerPack 2009
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\TweakNow PowerPack 2010
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\TweakNow PowerPack 2011
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\TweakNow RegCleaner 2011
    [2012/02/26 12:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jdeegan\Application Data\V
    [2012/03/10 19:20:58 | 000,000,316 | ---- | M] () -- C:\WINDOWS\Tasks\GlaryInitialize.job
    [2012/03/10 19:20:36 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job
    [2011/06/03 22:20:59 | 000,000,292 | ---- | M] () -- C:\WINDOWS\Tasks\photostageShakeIcon.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2012/02/26 12:00:00 | 000,000,000 | -HS- | M] () -- C:\autoexec.bat
    [2012/03/04 14:43:29 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2012/03/09 18:29:40 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2012/02/26 12:00:00 | 000,000,000 | -HS- | M] () -- C:\config.sys
    [2012/02/26 12:00:00 | 000,000,000 | -HS- | M] () -- C:\io.sys
    [2012/02/26 12:00:00 | 000,000,000 | -HS- | M] () -- C:\msdos.sys
    [2012/02/26 12:00:00 | 000,047,564 | -HS- | M] () -- C:\ntdetect.com
    [2012/02/26 12:00:00 | 000,250,048 | -HS- | M] () -- C:\ntldr

    < %systemroot%\Fonts\*.com >
    [2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2005/03/19 15:08:48 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2002/01/10 10:08:34 | 000,046,592 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpprn02.dll
    [2006/04/10 13:02:32 | 000,074,240 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp054.dll
    [2007/04/09 12:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
    [2006/10/26 19:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\msonpppr.dll
    [2008/07/06 05:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2005/03/19 09:53:22 | 000,262,144 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
    [2005/03/18 20:46:22 | 000,262,144 | ---- | M] () -- C:\WINDOWS\System32\config\security.sav
    [2005/03/19 09:53:22 | 021,495,808 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
    [2005/03/19 09:53:22 | 008,126,464 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2004/08/19 19:54:17 | 000,000,177 | -HS- | M] () -- C:\Documents and Settings\jdeegan\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2004/05/22 19:33:06 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\jdeegan\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2011/09/20 03:02:40 | 000,083,968 | ---- | M] (Esage Lab) -- C:\Documents and Settings\jdeegan\Desktop\boot_cleaner.exe
    [2012/03/06 20:09:42 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\jdeegan\Desktop\GMER.exe
    [2012/03/10 21:09:08 | 000,594,944 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jdeegan\Desktop\OTL.exe
    [2012/03/09 17:46:12 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\jdeegan\Desktop\rkill.exe
    [2012/03/05 11:24:50 | 002,063,920 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\jdeegan\Desktop\TDSSKiller.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\tasks\*.* >
    [2002/08/29 07:00:00 | 000,000,065 | RH-- | M] () -- C:\WINDOWS\tasks\desktop.ini
    [2012/03/10 19:20:58 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
    [2012/03/10 19:20:36 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
    [2011/06/03 22:20:59 | 000,000,292 | ---- | M] () -- C:\WINDOWS\tasks\photostageShakeIcon.job
    [2012/03/10 19:20:08 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2011/12/26 16:59:37 | 000,000,538 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >
    Expstudio Audio Editor FREE Uninstaller.exe

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2012/03/10 21:21:11 | 000,114,688 | -HS- | M] () -- C:\Documents and Settings\jdeegan\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2007/06/26 21:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008/04/14 04:41:52 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2002/08/29 07:00:00 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2002/08/20 11:32:18 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2002/08/20 11:32:22 | 000,000,807 | ---- | M] () -- C:\Program Files\Messenger\mailtmpl.txt
    [2008/05/02 09:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008/04/13 22:00:30 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/14 04:42:30 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2002/08/20 14:08:38 | 000,069,663 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgsin.exe
    [2002/08/29 07:00:00 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2002/08/29 07:00:00 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2002/08/29 07:00:00 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2002/08/20 11:32:20 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/07/17 10:41:06 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\All Users\Start Menu\Programs\RoboType auto-start.lnk:SummaryInformation
    @Alternate Data Stream - 48 bytes -> C:\Documents and Settings\All Users\DRM:مهندسة
    @Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:810B9F0D
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F9819010

    < End of report >

  17. jdeeganjr

    Results From the OTL Scan - Part 3

    OTL Extras log file

    OTL Extras logfile created on: 3/10/2012 9:15:01 PM - Run 1
    OTL by OldTimer - Version 3.2.36.3 Folder = C:\Documents and Settings\jdeegan\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.39 Gb Available Physical Memory | 69.68% Memory free
    4.85 Gb Paging File | 4.45 Gb Available in Paging File | 91.77% Paging File free
    Paging file location(s): D:\pagefile.sys 3067 4096 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 114.48 Gb Total Space | 82.92 Gb Free Space | 72.43% Space Free | Partition Type: NTFS
    Drive D: | 114.49 Gb Total Space | 43.63 Gb Free Space | 38.11% Space Free | Partition Type: NTFS
    Drive F: | 434.05 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
    Drive G: | 124.72 Mb Total Space | 38.26 Mb Free Space | 30.68% Space Free | Partition Type: FAT

    Computer Name: DEEGAN | User Name: jdeegan | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [Bridge] -- C:\Program Files\Adobe\Adobe Bridge CS5\Bridge.exe "%L" (Adobe Systems, Inc.)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [Open in FileSnoop] -- C:\Program Files\PC Magazine Utilities\FileSnoop\FileSnoop.exe "%L" (Ziff Davis Media, Inc)
    Directory [Open in WMatch] -- C:\Program Files\PC Magazine Utilities\WMatch\WMatch.exe "%L" (Ziff Davis Media, Inc)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    "5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4
    "139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
    "9051:UDP" = 9051:UDP:LocalSubNet:Enabled:FiOS Tech Wizard
    "1417:TCP" = 1417:TCP:*:Enabled:Akamai NetSession Interface
    "5000:UDP" = 5000:UDP:*:Enabled:Akamai NetSession Interface

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe" = C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation)
    "C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE" = C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service -- (Symantec Corporation)
    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email -- (Symantec Corporation)
    "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" = C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4 -- (Adobe Systems Incorporated)
    "C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Development Company, L.P.)
    "C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Development Company, L.P.)
    "C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Development Company, L.P.)
    "C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Development Company, L.P.)
    "C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
    "C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Development Company, L.P.)
    "C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- (Hewlett-Packard)
    "C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
    "C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Development Company, L.P.)
    "C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update v4 Shared Downloads Server -- (Intuit Inc.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    "{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
    "{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
    "{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
    "{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
    "{06E6E30D-B498-442F-A943-07DE41D7F785}" = Microsoft Search Enhancement Pack
    "{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
    "{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
    "{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
    "{0A1E0BDA-5E8F-436d-8BE5-7E97C5CB899D}" = Quicken 2012
    "{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
    "{0DD140D3-9563-481E-AA75-BA457CBDAEF2}" = PC Inspector File Recovery
    "{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86
    "{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
    "{10F5D9BB-E2F2-4B18-A65D-928B73D22E6F}" = USB-IrDA Adapter
    "{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
    "{15FEDA5F-141C-4127-8D7E-B962D1742728}" = Adobe Photoshop CS5
    "{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
    "{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
    "{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
    "{18026153-83A4-40E0-96B6-41E441607518}" = Eraser 6.0.9.2343
    "{184E7118-0295-43C4-B72C-1D54AA75AAF7}" = Windows Live Mail
    "{18A8E78B-9EF2-496E-B310-BCD8E4C1DAB3}" = iSEEK AnswerWorks English Runtime
    "{1FE80E58-0774-4EC3-B6BA-68876B88D4B9}" = TurboTax 2011 wvaiper
    "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
    "{212F5777-1190-4DEF-8E4D-6B2F313B45E7}" = PerfectDisk
    "{2223FC2F-B862-4F83-BC9E-DDF2DADF2859}" = Intel(R) Network Connections 13.0.42.0
    "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
    "{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress
    "{2436F2A8-4B7E-4B6C-AE4E-604C84AA6A4F}" = Nero Core Components 10
    "{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java(TM) 6 Update 26
    "{303F7619-4E67-450F-985A-A2DF51B30AC8}" = Adobe Setup
    "{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
    "{315F5FFC-1A5C-4A2A-B8E7-1C5B1174C198}_is1" = AML Free Registry Cleaner 4.23
    "{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
    "{363790D2-DA98-41DD-9C9F-69FA36B169DE}" = PanoStandAlone
    "{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
    "{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
    "{3B3D2CFD-3C21-4AA0-94DE-45577B5BAB16}" = Family Tree Maker 2011
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
    "{3DD1FE66-5536-41E3-B786-70068887B3F4}" = The Print Shop 12
    "{43602F34-1AA3-44FB-AEB2-D08C2C73743F}" = Paint.NET v3.36
    "{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm
    "{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
    "{4833435D-7A4D-4D15-86F4-51C2D15549CF}" = AKVIS Coloriage
    "{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4CCC7F68-A437-4559-A840-F5E010934951}" = HP Driver Diagnostics
    "{4EA684E9-5C81-4033-A696-3019EC57AC3A}" = HPProductAssistant
    "{501451DE-5808-4599-B544-8BD0915B6B24}_is1" = FreeRIP v3.6
    "{523B2B1B-D8DB-4B41-90FF-C4D799E2758A}" = Nero ControlCenter 10 Help (CHM)
    "{52E26953-00EF-42B3-A075-A57E86A38D07}" = File Rescue Plus
    "{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder
    "{555868C6-49FB-484F-BB43-8980651A1B00}" = Nero BurnRights 10 Help (CHM)
    "{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
    "{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
    "{578596FF-7F65-4767-9F90-37920741148C}" = MSN Toolbar Platform
    "{57B2281D-A34A-4a48-8C68-169B8873659D}" = c4100_Help
    "{5E06C076-E4E7-4239-A886-B3D8AC84C166}" = HP Print Diagnostic Utility
    "{61BEA823-ECAF-49F1-8378-A59B3B8AD247}" = Microsoft Default Manager
    "{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
    "{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
    "{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
    "{65BB0407-4CC8-4DC7-952E-3EEFDF05602A}" = Nero Update
    "{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg
    "{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
    "{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
    "{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
    "{68763C27-235D-4165-A961-FDEA228CE504}" = AiOSoftwareNPI
    "{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{6CF08AD2-00C5-4A63-B74B-2EFFFAFEBE1A}" = Microsoft Outlook Web Access S/MIME
    "{6DFB899F-17A2-48F0-A533-ED8D6866CF38}" = Nero Control Center 10
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{736C803C-DD3B-4015-BC51-AFB9E67B9076}" = Readme
    "{76EFAC4F-1712-401F-B2AE-590B170C9BCE}" = StartupMonitor
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{7A5D731D-B4B3-490E-B339-75685712BAAB}" = Nero Burning ROM 10
    "{7C03270C-4FAB-4F5C-B10D-52FEDA190790}" = DocumentViewerQFolder
    "{7E7B7865-6C80-4373-8BC1-C2EB9431F9DE}" = ProductContextNPI
    "{7F6D7FD9-648D-4DD9-BB6E-3990C675ECA4}" = NVIDIA PhysX
    "{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
    "{8331C3EA-0C91-43AA-A4D4-27221C631139}" = Status
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
    "{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
    "{8461C192-EA40-4F9F-AA0A-47C17399AEF9}" = Symantec Endpoint Protection
    "{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    "{87532CAB-7932-4F84-8937-823337622807}" = Adobe Illustrator CS4
    "{89DA4B7C-E1FC-473a-B81B-88F552C17A14}" = Registry Distiller
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver
    "{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload
    "{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update
    "{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
    "{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
    "{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
    "{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
    "{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
    "{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
    "{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
    "{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
    "{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
    "{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
    "{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
    "{90AE0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Organization Chart 2.0
    "{90F80409-6000-11D3-8CFE-0150048383C9}" = Remove Hidden Data Tool
    "{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
    "{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
    "{943CFD7D-5336-47AF-9418-E02473A5A517}" = Nero BurnRights 10
    "{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow! Deluxe
    "{95C2FBF3-4462-41E3-89DC-0F784387BD53}" = Family Lawyer 2004
    "{996512CF-F35B-48DE-9291-557FA5316967}" = ScannerCopy
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9A447261-D079-4165-933F-6B03D3FF356B}" = USB Mini Driver
    "{9B6B24BE-80E7-46C4-9FA5-B167D5E0F345}" = Nero BurningROM 10 Help (CHM)
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{A127C3C0-055E-38CF-B38F-1E85F8BBBFFE}" = Adobe Community Help
    "{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A78FE97A-C0C8-49CE-89D0-EDD524A17392}" = PDF Settings CS5
    "{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
    "{AC76BA86-1033-F400-7760-000000000004}" = Adobe Acrobat 9 Pro - English, Français, Deutsch
    "{AC76BA86-1033-F400-7760-000000000004}_950" = Adobe Acrobat 9.5.0 - CPSID_83708
    "{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
    "{B0069CFA-5BB9-4C03-B1C6-89CE290E5AFE}" = HP Update
    "{B0255743-165B-4BD5-8DA8-37DFB9930015}" = Norton Ghost
    "{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
    "{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
    "{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 285.58
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 285.58
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NView" = NVIDIA nView 135.95
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX" = NVIDIA PhysX System Software 9.11.0621
    "{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
    "{B43357AA-3A6D-4D94-B56E-43C44D09E548}" = Microsoft .NET Framework (English)
    "{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
    "{BC7E2C06-D255-4300-AA12-33AB54D009AC}" = Adobe Creative Suite 4 Design Standard
    "{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}" = HP Photosmart, Officejet and Deskjet 7.0.A
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
    "{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}" = SolutionCenter
    "{C86E7C99-E4AD-79C7-375B-1AEF9A91EC2B}" = Acrobat.com
    "{C871525F-7116-4d26-BA6D-215F59B6F88B}" = C4100
    "{C8753E28-2680-49BF-BD48-DD38FD086EFE}" = AiO_Scan_CDA
    "{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
    "{CAF5B770-082F-40C4-853D-3973BB81BDAA}" = TurboTax 2011 WinPerTaxSupport
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
    "{CD95F661-A5C4-44F5-A6AA-ECDD91C240C3}" = WinZip 15.5
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
    "{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}" = Microsoft Primary Interoperability Assemblies 2005
    "{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
    "{D94A8E22-DF2B-4107-9E51-608A60A7671D}" = Personal Ancestral File 5
    "{DBC20735-34E6-4E97-A9E5-2066B66B243D}" = TrayApp
    "{DCED0AD4-784D-4667-B4A0-6FE953FAC4BB}" = TurboTax 2011 wnjiper
    "{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
    "{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
    "{E463E171-4082-4744-A466-F7CBE8502789}" = TurboTax 2011 WinPerReleaseEngine
    "{E516FB0A-8817-4C32-9CE2-2DF13E66BEF1}" = ProtectStar (TM) Data Shredder v2.2 Freeware
    "{E7C6D565-2E48-4303-A114-AFE7B2E561AF}_is1" = FotoSketcher 1.95
    "{EE556A3E-EB37-4392-9637-BAA8EC2F47FA}" = TurboTax 2011 wrapper
    "{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
    "{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
    "{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
    "{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
    "{F157460F-720E-482f-8625-AD7843891E5F}" = InstantShareDevicesMFC
    "{F3760724-B29D-465B-BC53-E5D72095BCC4}" = Scan
    "{F5346614-B7C4-4E94-826A-E2363155233D}" = EasyCleaner
    "{F6076EF9-08E1-442F-B6A2-BFB61B295A14}" = Fax_CDA
    "{F7FC9307-374E-4017-8E9D-DE1154780480}" = System Requirements Lab for Intel
    "{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
    "{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
    "{FAD3D68B-2F9C-459B-AA79-C04B9090FD72}" = TurboTax 2011 WinPerFedFormset
    "{FB15E224-67C3-491F-9F5C-F257BC418412}" = Destinations
    "{FBB980B0-63F8-4B48-8D65-90F1D9F81D9F}" = NewCopy_CDA
    "{FC274982-5AAD-4C20-848D-4424A5043010}_is1" = WinUtilities 10.41 Free Edition
    "{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
    "{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
    "{FE7E1DD7-EBCE-4696-ADE2-22BDBF2372DA}" = DocumentViewer
    "{FE83F463-7E61-4B18-9FA0-B94B90A0B6B9}" = Nero Burning ROM 10
    "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    "7-Zip" = 7-Zip 9.20
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe_1e3ba55b33b1e8227645fb9c82acca3" = Adobe Creative Suite 4 Design Standard
    "AI RoboForm" = RoboForm 7-7-2 (All Users)
    "aignesamdeadlink" = AM-DeadLink 3.2
    "AMP Font Viewer" = AMP Font Viewer
    "Audacity_is1" = Audacity 1.2.6
    "CCleaner" = CCleaner
    "chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
    "Clipomatic" = Clipomatic
    "Core FTP LE 2.1" = Core FTP LE 2.1
    "CrossFont" = CrossFont
    "Defraggler" = Defraggler
    "Disk Investigator" = Disk Investigator 1.4
    "DiskJockey_98" = DiskJockey 98 Pro
    "Empty Temp Folders 2.8.3" = Empty Temp Folders 2.8.3
    "ENTERPRISE" = Microsoft Office Enterprise 2007
    "Eusing Free Registry Cleaner" = Eusing Free Registry Cleaner
    "Everything" = Everything 1.1.4.301
    "Examine32_is1" = Examine32 v4.03 (evaluation version)
    "Family Tree Builder" = MyHeritage Family Tree Builder
    "Family Tree Maker 2011" = Family Tree Maker 2011
    "File Shredder_is1" = File Shredder 2.0
    "FileSnoop_is1" = FileSnoop 2
    "FindOrphans" = FindOrphans
    "FLV Player" = FLV Player 2.0 (build 25)
    "FontViewer" = FontViewer
    "FormatFactory" = FormatFactory 2.70
    "Free Audio Converter_is1" = Free Audio Converter 4.1
    "Free Burn MP3-CD_is1" = Free Burn MP3-CD v1.2
    "Free CD Music Converter 10" = Free CD Music Converter 10
    "Free Internet Window Washer" = Free Internet Window Washer
    "Free MP3 to CD Converter & Burner (by minidvdsoft)_is1" = Free DVD ISO Burner version 2.5
    "Free Mp3 Wma Converter_is1" = Free Mp3 Wma Converter V 1.9
    "FreeUndelete" = FreeUndelete
    "FreshDevices - FreshDiagnose_is1" = FreshDiagnose
    "FreshDevices - FreshUI_is1" = FreshUI
    "Glary Utilities_is1" = Glary Utilities 2.34.0.1190
    "HHD Hex Editor 4.x" = HHD Software Free Hex Editor Neo 4.64
    "HP Document Viewer" = HP Document Viewer 7.0
    "HP Imaging Device Functions" = HP Imaging Device Functions 7.0
    "HP Solution Center & Imaging Support Tools" = HP Solution Center 7.0
    "Icon XTractor_is1" = Icon XTractor Version 1.0
    "ie7" = Windows Internet Explorer 7
    "ie8" = Windows Internet Explorer 8
    "iISystem Wiper_is1" = iISystem Wiper 2.3
    "Index.dat Analyzer_is1" = Index.dat Analyzer v2.5
    "InstallShield_{9A447261-D079-4165-933F-6B03D3FF356B}" = USB Mini Driver
    "IrfanView" = IrfanView (remove only)
    "JLC's Internet TV" = JLC's Internet TV
    "KeyFinder_is1" = Magical Jelly Bean KeyFinder
    "KLS Mail Backup_is1" = KLS Mail Backup 1.9.8.0
    "Lavasoft Reghance 2.1" = Lavasoft Reghance 2.1
    "Legacy 7.5" = Legacy 7.5
    "ListZapper_is1" = ListZapper (PC Magazine)
    "LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "Microsoft .NET Framework Full v1.0.3705 (1033)" = Microsoft .NET Framework (English) v1.0.3705
    "MoffFreeCalc_is1" = Moffsoft FreeCalc
    "Mooseoft Encrypter" = Mooseoft Encrypter
    "MSN Music Assistant" = MSN Music Assistant
    "nCleaner" = nCleaner second 2.3.4.0
    "NeroVision!UninstallKey" = Nero Digital
    "NetMos Technology" = NetMos Multi-IO Controller
    "NMIX!UninstallKey" = NeroMIX
    "PandoraRecovery" = PandoraRecovery (Remove Only)
    "PC Magazine Startup Cop Pro" = PC Magazine Startup Cop Pro
    "PC Magazine TaskPower" = PC Magazine TaskPower
    "PC Magazine's FileTouch_is1" = FileTouch 2.1
    "PC Magazine's RegistryRobot_is1" = RegistryRobot 1.1
    "PC Magazine's UnClean_is1" = UnClean 2.0
    "PC Magazine's WinTidy_is1" = WinTidy 2.0
    "PC Wizard 2008_is1" = PC Wizard 2008.1.84
    "PCMagazine WMatch_is1" = PCMagazine WMatch Version 3.0
    "Pepsky Free Music Converter 4.3.6.916_is1" = Pepsky Free Music Converter 4.3.6.916
    "Personal Address Book 4.0.2" = Personal Address Book 4.0.2
    "PhotoStage" = PhotoStage Slideshow Producer
    "Privacy Mantra 3.00" = Privacy Mantra 3.00
    "RAR Password Recovery Magic_is1" = RAR Password Recovery Magic v6.1.1.232
    "RarZilla Free Unrar" = RarZilla Free Unrar
    "Recuva" = Recuva (remove only)
    "ReNamer_is1" = ReNamer
    "RoboType_is1" = RoboType (PC Magazine)
    "Secunia PSI" = Secunia PSI (2.0.0.1003)
    "ShellCrypt" = ShellCrypt
    "Shred_is1" = Shred 2 (PC Magazine)
    "SPG Audio Converter_is1" = SPG Audio Converter 1.0
    "Subject Search Scanner" = Subject Search Scanner
    "SurfAnonymousFree" = Surf Anonymous Free
    "Switch" = Switch Sound File Converter
    "SystemRequirementsLab" = System Requirements Lab
    "TrayMin" = TrayMin
    "TreePrint" = TreePrint
    "TurboTax 2011" = TurboTax 2011
    "Tweak UI 2.10" = Tweak UI
    "Tweaking.com - Windows Repair (All in One)" = Tweaking.com - Windows Repair (All in One)
    "TweakNow PowerPack 2011_is1" = TweakNow PowerPack 2011
    "TweakNow RegCleaner 2011_is1" = TweakNow RegCleaner 2011
    "whois_is1" = whois 2.5
    "Windows Media Encoder 9" = Windows Media Encoder 9 Series
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows Update Remover" = Windows Update Remover
    "WinLiveSuite_Wave3" = Windows Live Essentials
    "Wise Disk Cleaner_is1" = Wise Disk Cleaner 5.83
    "Wise Registry Cleaner_is1" = Wise Registry Cleaner 5.9.1

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "V" = V - The File Viewer

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 3/10/2012 4:21:27 PM | Computer Name = DEEGAN | Source = SescLU | ID = 13
    Description = LiveUpdate returned a non-critical error. Available content updates
    may have failed to install.

    Error - 3/10/2012 4:21:28 PM | Computer Name = DEEGAN | Source = Symantec AntiVirus | ID = 16711725
    Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe Event Info: Terminate Process Action Taken: Blocked Actor Process: C:\JD-ComboFix\PV.3XE (PID 2680) Time: Saturday, March 10, 2012 3:21:28 PM

    Error - 3/10/2012 4:21:28 PM | Computer Name = DEEGAN | Source = Symantec AntiVirus | ID = 16711725
    Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe Event Info: Terminate Process Action Taken: Blocked Actor Process: C:\JD-ComboFix\PV.3XE (PID 2680) Time: Saturday, March 10, 2012 3:21:28 PM

    Error - 3/10/2012 4:21:28 PM | Computer Name = DEEGAN | Source = Symantec AntiVirus | ID = 16711725
    Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Common Files\Symantec Shared\ccApp.exe Event Info: Terminate Process Action Taken: Blocked Actor Process: C:\JD-ComboFix\PV.3XE (PID 2680) Time: Saturday, March 10, 2012 3:21:28 PM

    Error - 3/10/2012 4:21:28 PM | Computer Name = DEEGAN | Source = Symantec AntiVirus | ID = 16711725
    Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Norton Ghost\Agent\VProSvc.exe Event Info: Terminate Process Action Taken: Blocked Actor Process: C:\JD-ComboFix\PV.3XE (PID 2680) Time: Saturday, March 10, 2012 3:21:28 PM

    Error - 3/10/2012 4:21:28 PM | Computer Name = DEEGAN | Source = Symantec AntiVirus | ID = 16711725
    Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe Event Info: Terminate Process Action Taken: Blocked Actor Process: C:\JD-ComboFix\PV.3XE (PID 2680) Time: Saturday, March 10, 2012 3:21:28 PM

    Error - 3/10/2012 4:21:28 PM | Computer Name = DEEGAN | Source = Symantec AntiVirus | ID = 16711725
    Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe Event Info: Terminate Process Action Taken: Blocked Actor Process: C:\JD-ComboFix\PV.3XE (PID 2680) Time: Saturday, March 10, 2012 3:21:28 PM

    Error - 3/10/2012 4:21:28 PM | Computer Name = DEEGAN | Source = Symantec AntiVirus | ID = 16711725
    Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE Event Info: Terminate Process Action Taken: Blocked Actor Process: C:\JD-ComboFix\PV.3XE (PID 2680) Time: Saturday, March 10, 2012 3:21:28 PM

    Error - 3/10/2012 4:21:28 PM | Computer Name = DEEGAN | Source = Symantec AntiVirus | ID = 16711725
    Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe Event Info: Terminate Process Action Taken: Blocked Actor Process: C:\JD-ComboFix\PV.3XE (PID 2680) Time: Saturday, March 10, 2012 3:21:28 PM

    Error - 3/10/2012 4:21:28 PM | Computer Name = DEEGAN | Source = Symantec AntiVirus | ID = 16711725
    Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe Event Info: Terminate Process Action Taken: Blocked Actor Process: C:\JD-ComboFix\PV.3XE (PID 2680) Time: Saturday, March 10, 2012 3:21:28 PM

    [ System Events ]
    Error - 3/10/2012 7:09:31 PM | Computer Name = DEEGAN | Source = Service Control Manager | ID = 7001
    Description = The DNS Client service depends on the TCP/IP Protocol Driver service
    which failed to start because of the following error: %%31

    Error - 3/10/2012 7:09:31 PM | Computer Name = DEEGAN | Source = Service Control Manager | ID = 7001
    Description = The TCP/IP NetBIOS Helper service depends on the AFD Networking Support
    Environment service which failed to start because of the following error: %%31

    Error - 3/10/2012 7:09:31 PM | Computer Name = DEEGAN | Source = Service Control Manager | ID = 7001
    Description = The IPv6 Helper Service service depends on the Microsoft IPv6 Protocol
    Driver service which failed to start because of the following error: %%31

    Error - 3/10/2012 7:09:31 PM | Computer Name = DEEGAN | Source = Service Control Manager | ID = 7001
    Description = The IPSEC Services service depends on the IPSEC driver service which
    failed to start because of the following error: %%31

    Error - 3/10/2012 7:09:31 PM | Computer Name = DEEGAN | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    AFD eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SPBBCDrv SRTSP SRTSPX SYMTDI Tcpip Tcpip6 WPS WS2IFSL

    Error - 3/10/2012 7:11:57 PM | Computer Name = DEEGAN | Source = Service Control Manager | ID = 7031
    Description = The Symantec Event Manager service terminated unexpectedly. It has
    done this 1 time(s). The following corrective action will be taken in 200 milliseconds:
    Restart the service.

    Error - 3/10/2012 7:11:57 PM | Computer Name = DEEGAN | Source = Service Control Manager | ID = 7031
    Description = The Symantec Settings Manager service terminated unexpectedly. It
    has done this 1 time(s). The following corrective action will be taken in 100
    milliseconds: Restart the service.

    Error - 3/10/2012 7:11:57 PM | Computer Name = DEEGAN | Source = Service Control Manager | ID = 7031
    Description = The Symantec Endpoint Protection service terminated unexpectedly.
    It has done this 1 time(s). The following corrective action will be taken in 10000
    milliseconds: Restart the service.

    Error - 3/10/2012 7:49:48 PM | Computer Name = DEEGAN | Source = ParVdm | ID = 458754
    Description = Unable to get device object pointer for port object.

    Error - 3/10/2012 8:20:09 PM | Computer Name = DEEGAN | Source = ParVdm | ID = 458754
    Description = Unable to get device object pointer for port object.


    < End of report >
     
  18. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      SRV - File not found [Auto | Stopped] -- -- (RoxLiveShare9)
      SRV - File not found [Disabled | Stopped] -- -- (Rasccgrr_n)
      SRV - File not found [Disabled | Stopped] -- -- (SandraAgentSrv)
      SRV - File not found [On_Demand | Stopped] -- -- (NFCTQRHV)
      SRV - File not found [Disabled | Stopped] -- -- (AMPingService)
      DRV - File not found [Kernel | On_Demand | Unknown] -- -- (ugtdapod)
      DRV - File not found [Kernel | On_Demand | Stopped] -- -- (vsdatant)
      O2 - BHO: (no name) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - No CLSID value found.
      O2 - BHO: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
      O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
      O3 - HKLM\..\Toolbar: (no name) - {8dcb7100-df86-4384-8842-8fa844297b3f} - No CLSID value found.
      O3 - HKLM\..\Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
      O3 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
      O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html File not found
      O15 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
      O15 - HKU\S-1-5-21-602162358-1060284298-854245398-1003\..Trusted Domains: turbotax.com ([]https in Trusted sites)
      O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} http://www.hp.com/cpso-support-new/S...dObjSigned.cab (Reg Error: Key error.)
      O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/downlo...22/wmv9VCM.CAB (Reg Error: Key error.)
      O16 - DPF: {4B48D5DF-9021-45F7-A240-60304302A215} http://download.microsoft.com/downlo...WebCleaner.cab (Reg Error: Key error.)
      O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe (Reg Error: Key error.)
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
      O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.co...130.7132638889 (Reg Error: Key error.)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      O16 - DPF: DirectAnimation Java Classes (Reg Error: Key error.)
      O16 - DPF: Microsoft XML Parser for Java (Reg Error: Key error.)
      @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\All Users\Start Menu\Programs\RoboType auto-start.lnk:SummaryInformation
      @Alternate Data Stream - 48 bytes -> C:\Documents and Settings\All Users\DRM:مهندسة
      @Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:810B9F0D
      @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F9819010
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
     
  19. jdeeganjr

    jdeeganjr TS Rookie Topic Starter Posts: 20

    Results from OTL RunFix

    All processes killed
    ========== OTL ==========
    Service RoxLiveShare9 stopped successfully!
    Service RoxLiveShare9 deleted successfully!
    Service Rasccgrr_n stopped successfully!
    Service Rasccgrr_n deleted successfully!
    Service SandraAgentSrv stopped successfully!
    Service SandraAgentSrv deleted successfully!
    Service NFCTQRHV stopped successfully!
    Service NFCTQRHV deleted successfully!
    Service AMPingService stopped successfully!
    Service AMPingService deleted successfully!
    Error: No service named ugtdapod was found to stop!
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ugtdapod deleted successfully.
    Service vsdatant stopped successfully!
    Service vsdatant deleted successfully!
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2ce3e00-f94a-4740-988e-03dc2f38c34f}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d2ce3e00-f94a-4740-988e-03dc2f38c34f}\ not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\AutorunsDisabled\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{8dcb7100-df86-4384-8842-8fa844297b3f} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8dcb7100-df86-4384-8842-8fa844297b3f}\ not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
    Registry value HKEY_USERS\S-1-5-21-602162358-1060284298-854245398-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Google Sidewiki...\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intuit.com\ttlc\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-602162358-1060284298-854245398-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\turbotax.com\ deleted successfully.
    Starting removal of ActiveX control {156BF4B7-AE3A-4365-BD88-95A75AF8F09D}
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{156BF4B7-AE3A-4365-BD88-95A75AF8F09D}\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{156BF4B7-AE3A-4365-BD88-95A75AF8F09D}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{156BF4B7-AE3A-4365-BD88-95A75AF8F09D}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{156BF4B7-AE3A-4365-BD88-95A75AF8F09D}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{156BF4B7-AE3A-4365-BD88-95A75AF8F09D}\ not found.
    Starting removal of ActiveX control {33564D57-0000-0010-8000-00AA00389B71}
    C:\WINDOWS\Downloaded Program Files\WMV9VCM.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{33564D57-0000-0010-8000-00AA00389B71}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33564D57-0000-0010-8000-00AA00389B71}\ not found.
    Starting removal of ActiveX control {4B48D5DF-9021-45F7-A240-60304302A215}
    C:\WINDOWS\Downloaded Program Files\WebCleaner.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{4B48D5DF-9021-45F7-A240-60304302A215}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B48D5DF-9021-45F7-A240-60304302A215}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4B48D5DF-9021-45F7-A240-60304302A215}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B48D5DF-9021-45F7-A240-60304302A215}\ not found.
    Starting removal of ActiveX control {62475759-9E84-458E-A1AB-5D2C442ADFDE}
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{62475759-9E84-458E-A1AB-5D2C442ADFDE}\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{62475759-9E84-458E-A1AB-5D2C442ADFDE}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62475759-9E84-458E-A1AB-5D2C442ADFDE}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{62475759-9E84-458E-A1AB-5D2C442ADFDE}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62475759-9E84-458E-A1AB-5D2C442ADFDE}\ not found.
    Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
    C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
    Starting removal of ActiveX control {9F1C11AA-197B-4942-BA54-47A8489BB47F}
    not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9F1C11AA-197B-4942-BA54-47A8489BB47F}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F1C11AA-197B-4942-BA54-47A8489BB47F}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9F1C11AA-197B-4942-BA54-47A8489BB47F}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F1C11AA-197B-4942-BA54-47A8489BB47F}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Starting removal of ActiveX control DirectAnimation Java Classes
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\DirectAnimation Java Classes\ not found.
    Starting removal of ActiveX control Microsoft XML Parser for Java
    Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
    ADS C:\Documents and Settings\All Users\Start Menu\Programs\RoboType auto-start.lnk:SummaryInformation deleted successfully.
    Unable to delete ADS C:\Documents and Settings\All Users\DRM:?????? .
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:810B9F0D deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\TEMP:F9819010 deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator.DEEGAN
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 1475479 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 134 bytes
    ->Flash cache emptied: 56475 bytes

    User: jdeegan
    ->Temp folder emptied: 59671846 bytes
    ->Temporary Internet Files folder emptied: 2048134 bytes
    ->Java cache emptied: 13365 bytes
    ->Flash cache emptied: 69593 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 49805 bytes

    User: NetworkService
    ->Temp folder emptied: 907492 bytes
    ->Temporary Internet Files folder emptied: 246262 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 5350961 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34282 bytes
    RecycleBin emptied: 80702825 bytes

    Total Files Cleaned = 144.00 mb


    [EMPTYJAVA]

    User: Administrator.DEEGAN

    User: All Users

    User: Default User

    User: jdeegan
    ->Java cache emptied: 0 bytes

    User: LocalService

    User: NetworkService

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: Administrator.DEEGAN

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: jdeegan
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.36.3 log created on 03102012_221748

    Files\Folders moved on Reboot...
    File\Folder C:\WINDOWS\temp\Perflib_Perfdata_2ac.dat not found!
    C:\WINDOWS\temp\Perflib_Perfdata_c1c.dat moved successfully.

    Registry entries deleted on Reboot...
     
  20. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    How is computer doing at the moment?

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave reading the results to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If ESET doesn't find any threats, it won't produce a log.
     
  21. jdeeganjr

    jdeeganjr TS Rookie Topic Starter Posts: 20

    Today's Status as Reported by GMER

    I ran an abbreviated scan by GMER this morning to see if the latest efforts by OTL helped eradicate Rootkit.ZeroAccess from my computer. Unfortunately, it does not appear to have worked. Here is today's GMER scan (just a portion of the scan):

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-03-11 09:14:29
    Windows 5.1.2600 Service Pack 3
    Running: GMER.exe; Driver: C:\DOCUME~1\jdeegan\LOCALS~1\Temp\ugtdapod.sys


    ---- System - GMER 1.0.15 ----

    SSDT 8A447428 ZwAlertResumeThread
    SSDT 899A0C20 ZwAlertThread
    SSDT 8A452358 ZwAllocateVirtualMemory
    SSDT 8A3D4388 ZwConnectPort
    SSDT 8A450A58 ZwCreateMutant
    SSDT 8A56B008 ZwCreateThread
    SSDT 8A44B978 ZwFreeVirtualMemory
    SSDT 8A603728 ZwImpersonateAnonymousToken
    SSDT 8A45DE78 ZwImpersonateThread
    SSDT 8A45A758 ZwMapViewOfSection
    SSDT 8A44D6C8 ZwOpenEvent
    SSDT 8A4454C0 ZwOpenProcessToken
    SSDT 8A44D7D0 ZwOpenThreadToken
    SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xF758CBA0]
    SSDT 8A5F8108 ZwResumeThread
    SSDT 89A63C50 ZwSetContextThread
    SSDT 8A44BEF0 ZwSetInformationProcess
    SSDT 8A454CF0 ZwSetInformationThread
    SSDT 8A454BE8 ZwSuspendProcess
    SSDT 89A681B8 ZwSuspendThread
    SSDT 8A42D7B0 ZwTerminateProcess
    SSDT 89AA43C0 ZwTerminateThread
    SSDT 8A505058 ZwUnmapViewOfSection
    SSDT 8A451360 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!ZwYieldExecution + 46A 804E4CC4 8 Bytes [E8, 4B, 45, 8A, B8, 81, A6, ...]
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6BDD380, 0x8D6CD5, 0xE8000020]

    ---- EOF - GMER 1.0.15 ----

    I will follow the additional directions you gave to me later this afternoon and post the results.
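The next reply calls this GMER log clean, and the reason is visible in the log itself: every one of the 24 hooked calls (ZwCreateThread, ZwWriteVirtualMemory, ZwTerminateProcess, ZwSetContextThread and the rest) is a process, thread or memory manipulation call of the kind a host intrusion prevention driver interposes on, and the one hook GMER could attribute to a file points at wpsdrvnt.sys, Symantec's firewall driver. On 32-bit XP a System Service Descriptor Table hook is how both rootkits and security software get in front of system calls, so the question is never whether the table is hooked but what the handler belongs to and which call it sits on. The script below is an added triage example, not part of the thread and not a GMER feature: it parses GMER's SSDT section, separates hooks GMER resolved to a named driver from bare kernel addresses, and grades unattributed hooks by whether the hooked call is one a rootkit uses to hide files, keys and processes or one a HIPS uses to police process creation and injection. The sample it runs on is constructed for the example; the example.sys entry is invented to show the attributed-but-stealthy case, and the inline patch lines in GMER's "Kernel code sections" output are out of scope here.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the format GMER prints in its "---- System ----" section.
# example.sys is an invented entry used to show an attributed hook on a stealth call.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT 8A447428 ZwAlertResumeThread
SSDT 8A452358 ZwAllocateVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xF758CBA0]
SSDT 8A451360 ZwWriteVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\example.sys ZwQuerySystemInformation [0xF7A0C000]
SSDT 8A4D0000 ZwQueryDirectoryFile

---- EOF - GMER 1.0.15 ----
"""

# Calls a rootkit hooks to hide files, registry keys, processes and handles.
STEALTH_CALLS = {
    "ZwQueryDirectoryFile", "ZwQuerySystemInformation", "ZwEnumerateKey",
    "ZwEnumerateValueKey", "ZwQueryValueKey", "ZwOpenKey", "ZwCreateFile",
    "ZwOpenProcess", "ZwDeviceIoControlFile", "ZwQueryInformationProcess",
}
# Calls a HIPS / behaviour blocker hooks to police process and thread manipulation.
# The 24 functions in the log above all fall in this group.
HIPS_CALLS = {
    "ZwAlertResumeThread", "ZwAlertThread", "ZwAllocateVirtualMemory",
    "ZwConnectPort", "ZwCreateMutant", "ZwCreateThread", "ZwFreeVirtualMemory",
    "ZwImpersonateAnonymousToken", "ZwImpersonateThread", "ZwMapViewOfSection",
    "ZwOpenEvent", "ZwOpenProcessToken", "ZwOpenThreadToken",
    "ZwProtectVirtualMemory", "ZwResumeThread", "ZwSetContextThread",
    "ZwSetInformationProcess", "ZwSetInformationThread", "ZwSuspendProcess",
    "ZwSuspendThread", "ZwTerminateProcess", "ZwTerminateThread",
    "ZwUnmapViewOfSection", "ZwWriteVirtualMemory",
}


@dataclass
class Hook:
    function: str               # hooked native call
    target: str                 # hex address of the hook handler
    module: Optional[str]       # driver GMER resolved the handler to, if any
    description: Optional[str]  # GMER's version-info string for that driver, if any


# "SSDT \??\C:\path\driver.sys (Description) ZwFoo [0xADDR]"; the parenthesis is optional.
ATTRIBUTED = re.compile(
    r"^SSDT\s+(?P<mod>\\\?\?\\\S+)(?:\s+\((?P<desc>[^)]*)\))?\s+(?P<fn>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]\s*$"
)
# "SSDT 8A447428 ZwFoo": handler lives at a bare kernel address GMER could not map to a file.
UNATTRIBUTED = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<fn>Zw\w+)\s*$")


def parse_gmer(text: str) -> List[Hook]:
    """Extract every SSDT entry from a GMER log; other sections are ignored."""
    hooks: List[Hook] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ATTRIBUTED.match(line)
        if m:
            hooks.append(Hook(m["fn"], m["addr"].upper(), m["mod"], m["desc"]))
            continue
        m = UNATTRIBUTED.match(line)
        if m:
            hooks.append(Hook(m["fn"], m["addr"].upper(), None, None))
    return hooks


def verdict(h: Hook) -> str:
    """Grade one hook by who owns the handler and what the hooked call is for."""
    stealth = h.function in STEALTH_CALLS
    if h.module is not None:
        # A named driver is checkable: verify its signature and vendor before trusting it.
        return "attributed-stealth" if stealth else "attributed"
    if stealth:
        return "suspicious"      # unattributed handler on a call used for hiding things
    if h.function in HIPS_CALLS:
        return "hips-like"       # consistent with installed security software; confirm it is present
    return "review"


def triage(text: str):
    return [(h.function, h.target, verdict(h)) for h in parse_gmer(text)]


def summarize(text: str) -> Dict[str, int]:
    return dict(Counter(v for _, _, v in triage(text)))


if __name__ == "__main__":
    for fn, target, v in triage(SAMPLE_GMER):
        print(f"{v:20s} {fn:28s} -> {target}")
    print(summarize(SAMPLE_GMER))
```

The grading deliberately stops at "hips-like" rather than "clean": an unattributed hook on ZwWriteVirtualMemory is only benign if a product that hooks that call is actually installed, which is why the reply asks about the machine's state rather than pronouncing on the log alone.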
     
  22. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    GMER log looks just fine.

    Are you experiencing any current issues?
     
  23. jdeeganjr

    jdeeganjr TS Rookie Topic Starter Posts: 20

    Rootkit.ZeroAccess Continues to Try to "Call Home"

    My infected computer continues to display Rootkit.ZeroAccess infection behavior.

    Before connecting my computer to the internet, I re-activated Symantec Endpoint Protection (SEP) and MBAM. I then re-booted in normal mode with my network cable attached to my router.

    The SEP Network Threat Protection traffic log shows the exact same behavior as before. Every couple of minutes, Rootkit.ZeroAccess remnants attempt to "call home" and/or answer a call from "home."

    The log looks exactly as I listed in my first post and so I will not repeat it here. Please advise if you want me to post this information collected today.

    I will now proceed to run the steps you identified last night. I will post those results as they become available.
     
  24. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Please complete all steps from my reply #20
     
  25. jdeeganjr

    jdeeganjr TS Rookie Topic Starter Posts: 20

    Steps Completed From Reply #20

    Here are the results from the instructions you provided in Reply #20.

    The Results from SecurityCheck:

    Results of screen317's Security Check version 0.99.24
    Windows XP Service Pack 3 x86
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Disabled!
    Symantec Endpoint Protection
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Norton Ghost
    Secunia PSI (2.0.0.1003)
    Free Internet Window Washer
    CCleaner
    Eusing Free Registry Cleaner
    nCleaner second 2.3.4.0
    TweakNow RegCleaner 2011
    Wise Disk Cleaner 5.83
    Wise Registry Cleaner 5.9.1
    AML Free Registry Cleaner 4.23
    EasyCleaner
    Java(TM) 6 Update 26
    Out of date Java installed!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Norton ccSvcHst.exe
    Malwarebytes' Anti-Malware mbamservice.exe
    Malwarebytes' Anti-Malware mbamgui.exe
    ``````````End of Log````````````

    *****************************************************************************

    The results from Farbar Service Scanner:

    Farbar Service Scanner Version: 01-03-2012
    Ran by jdeegan (administrator) on 11-03-2012 at 16:42:24
    Running from "C:\Documents and Settings\jdeegan\Desktop"
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Normal
    ********************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============

    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit

    Extra List:
    =======
    DNE(12) Gpc(3) IPSec(5) NetBT(6) PSched(7) SYMTDI(8) Tcpip(4) Tcpip6(14) WPS(13)
    0x1300000005000000010000000200000003000000040000000D0000000D0000000D0000000D0000000D0000000D0000000600000007000000090000000A0000000B0000000C0000000E00000008000000
    IpSec Tag value is correct.

    **** End of log ****

    *********************************************************************************

    I tried running Temp File Cleaner (TFC) three times. Each time I let the program run for at least one-half hour. Every time the program hung. No results.

    *********************************************************************************

    Results from ESET Online Scanner:

    The run took more than two hours to complete. The scan reported that no infected files were found:

    132885 Scanned Files
    0 Infected
    2:01:32 Total Scan Time

    *******************************************************************************

    My Symantec Endpoint Protection (SEP) continues to report persistent attempts by Rootkit.ZeroAccess remnants embedded in my system to "call home" and answer calls from "home." These communication attempts are reported as blocked by the SEP Network Threat Protection system. The communication attempts occur every 1 to 3 minutes.
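The one symptom that survives every scan in this thread is cadence: blocked traffic to the same place every 1 to 3 minutes, which is what a beacon looks like and what ordinary browsing does not. The script below is an added example, not part of the thread, of pulling that cadence out of a firewall block log automatically: group blocked events by remote endpoint, take the inter-arrival gaps, and flag endpoints whose median gap sits in the expected band and whose gaps are tightly clustered (low coefficient of variation). The log lines are constructed for the example and do not reproduce SEP's export columns; the addresses are from the RFC 5737 documentation ranges and the port is arbitrary, so none of them is an indicator of anything.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log (not SEP's real export format). One blocked event per line:
# "timestamp,direction,remote_ip,remote_port,proto". Addresses are RFC 5737 documentation
# ranges and port 20005 was chosen arbitrarily for the sample.
SAMPLE_LOG = """\
2012-03-11 16:50:02,outbound,203.0.113.10,20005,udp
2012-03-11 16:50:40,outbound,198.51.100.20,80,tcp
2012-03-11 16:52:05,outbound,203.0.113.10,20005,udp
2012-03-11 16:53:59,outbound,203.0.113.10,20005,udp
2012-03-11 16:54:30,inbound,192.0.2.7,20005,udp
2012-03-11 16:55:11,outbound,198.51.100.21,443,tcp
2012-03-11 16:56:03,outbound,203.0.113.10,20005,udp
2012-03-11 16:58:07,outbound,203.0.113.10,20005,udp
2012-03-11 16:59:44,outbound,198.51.100.20,80,tcp
2012-03-11 17:00:04,outbound,203.0.113.10,20005,udp
2012-03-11 17:02:00,outbound,203.0.113.10,20005,udp
2012-03-11 17:10:15,outbound,198.51.100.22,80,tcp
"""

Endpoint = Tuple[str, str, int]   # (direction, remote_ip, remote_port)


def parse_log(text: str) -> Dict[Endpoint, List[datetime]]:
    """Group event timestamps by remote endpoint, preserving log order."""
    events: Dict[Endpoint, List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, ip, port, _proto = line.split(",")
        events[(direction, ip, int(port))].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    return events


def find_beacons(events: Dict[Endpoint, List[datetime]], min_events: int = 4,
                 min_period: float = 60.0, max_period: float = 180.0, max_cv: float = 0.2):
    """Return endpoints contacted on a regular period within [min_period, max_period] seconds.

    min_events keeps a handful of retries from looking periodic; max_cv bounds how much the
    gaps may wander relative to the period (browsing wanders a lot, a timer does not).
    """
    hits = []
    for endpoint, stamps in events.items():
        if len(stamps) < min_events:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue                       # duplicate timestamps, nothing to measure
        median = statistics.median(gaps)
        cv = statistics.pstdev(gaps) / mean
        if min_period <= median <= max_period and cv <= max_cv:
            hits.append({"endpoint": endpoint, "count": len(stamps),
                         "period_s": median, "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        direction, ip, port = hit["endpoint"]
        print(f"{direction} {ip}:{port}: {hit['count']} events, "
              f"period {hit['period_s']:.0f}s, cv {hit['cv']}")
```

Run against the real SEP traffic log (after adapting parse_log to its columns) this yields the remote endpoints and the period behind the "every 1 to 3 minutes" observation, which is the concrete thing to hand to whoever continues the cleanup; it does not identify the process on the host that is sending, which a firewall block log of this kind usually cannot tell you.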
     
