TechSpot

Netbt.sys rootkit problem

By lemowill
Jan 16, 2012
  1. I have Avast Antivirus and scanned - showing that there is a hidden process in the netbt.sys file. Regardless of removal attempts, nothing has worked thus far. The following are the logs requested with the absence of the DDS (I've tried several times to get those logs, but it hangs whenever reaching 3/4, and even in safe mode it won't complete):

    Malwarebytes Anti-Malware (PRO) 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.14.05

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    PsychoDunpeal :: IBMDESKTOP [administrator]

    Protection: Enabled

    1/14/2012 8:50:27 PM
    mbam-log-2012-01-14 (20-50-27).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 203236
    Time elapsed: 38 minute(s), 7 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-01-14 23:11:21
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 Maxtor_6E040L0 rev.NAR61590
    Running: swv8c679.exe; Driver: C:\DOCUME~1\PSYCHO~1\LOCALS~1\Temp\uwloykob.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xEF20DFC4]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xEF272510]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xEF2316A9]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xEF210456]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xEF2104AE]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xEF2105C4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xEF23105D]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xEF2103AC]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xEF2104FE]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xEF210400]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xEF210572]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xEF20DFE8]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xEF231D6F]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xEF232025]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xEF210848]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xEF231BDA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xEF231A45]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xEF2725C0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xEF20DDB2]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xEF20E00C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xEF2109BC]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xEF20EAA4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xEF210486]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xEF2104D6]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xEF2105EE]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xEF2313B9]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xEF2103D8]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xEF210680]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xEF21053E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xEF21042E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xEF210764]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xEF21059C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xEF272658]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xEF2318C0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xEF20E96A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xEF231712]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xEF27A9E6]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xEF2306D0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xEF20E030]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xEF20E054]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xEF20DE0C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xEF20DF48]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xEF231E76]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xEF20DF24]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xEF20DF6C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xEF20E078]

    INT 0x62 ? 833DEBF8
    INT 0x63 ? 831C9BF8
    INT 0x82 ? 833DEBF8
    INT 0xA4 ? 831C9BF8
    INT 0xB4 ? 831C9BF8

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xEF2867A2]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!_abnormal_termination + 140 804E27AC 4 Bytes [E8, DF, 20, EF]
    .text ntoskrnl.exe!_abnormal_termination + 2D8 804E2944 4 Bytes [6A, E9, 20, EF] {PUSH -0x17; AND BH, CH}
    PAGE ntoskrnl.exe!ObInsertObject 8056503A 5 Bytes JMP EF28515C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC 8056B8E8 4 Bytes CALL EF20F00F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FE4C 7 Bytes JMP EF2867A6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntoskrnl.exe!ObMakeTemporaryObject 8059F8CA 5 Bytes JMP EF28369C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    ? spsu.sys The system cannot find the file specified. !
    .text USBPORT.SYS!DllUnload F7B3E8AC 5 Bytes JMP 831C91D8
    .text an61j2nj.SYS F79D9386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
    .text an61j2nj.SYS F79D93AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
    .text an61j2nj.SYS F79D93C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
    .text an61j2nj.SYS F79D93C9 1 Byte [2E]
    .text an61j2nj.SYS F79D93C9 11 Bytes [2E, 00, 00, 00, 5A, 02, 00, ...]
    .text ...
    .rsrc C:\WINDOWS\System32\DRIVERS\netbt.sys entry point in ".rsrc" section [0xEF68EA14]
    ? C:\WINDOWS\System32\DRIVERS\netbt.sys suspicious PE modification
    .text win32k.sys!BRUSHOBJ_pvAllocRbrush + 322E BF81E77A 5 Bytes JMP EF210AD6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngSetLastError + 768D BF8286C9 5 Bytes JMP EF210B9A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateBitmap + DDB0 BF845CC9 5 Bytes JMP EF210C0A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngMultiByteToWideChar + 2F30 BF852C45 5 Bytes JMP EF210ABE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!XLATEOBJ_iXlate + 347A BF8630B7 5 Bytes JMP EF210DE6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!XLATEOBJ_iXlate + 3505 BF863142 5 Bytes JMP EF210FBC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngGetCurrentCodePage + 411E BF8813C1 5 Bytes JMP EF210F76 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!FONTOBJ_pxoGetXform + CC3E BF8C31D6 5 Bytes JMP EF210CA4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!PATHOBJ_vGetBounds + 5046 BF8EDC53 5 Bytes JMP EF210D14 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!PATHOBJ_vGetBounds + 52C6 BF8EDED3 5 Bytes JMP EF210D4E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!PATHOBJ_vGetBounds + 74EC BF8F00F9 5 Bytes JMP EF2109F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateClip + 19C1 BF91313E 5 Bytes JMP EF210B56 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateClip + 2595 BF913D12 5 Bytes JMP EF210C6E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateClip + 4EF4 BF916671 5 Bytes JMP EF2110D6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
     
  2. lemowill

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\spoolsv.exe[128] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\spoolsv.exe[128] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
    .text C:\WINDOWS\system32\spoolsv.exe[128] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\spoolsv.exe[128] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\spoolsv.exe[128] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014
    .text C:\WINDOWS\system32\spoolsv.exe[128] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804
    .text C:\WINDOWS\system32\spoolsv.exe[128] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08
    .text C:\WINDOWS\system32\spoolsv.exe[128] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C
    .text C:\WINDOWS\system32\spoolsv.exe[128] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10
    .text C:\WINDOWS\system32\spoolsv.exe[128] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
    .text C:\WINDOWS\system32\spoolsv.exe[128] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC
    .text C:\WINDOWS\system32\spoolsv.exe[128] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
    .text C:\WINDOWS\system32\spoolsv.exe[128] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F0804
    .text C:\WINDOWS\system32\spoolsv.exe[128] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0A08
    .text C:\WINDOWS\system32\spoolsv.exe[128] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F0600
    .text C:\WINDOWS\system32\spoolsv.exe[128] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F01F8
    .text C:\WINDOWS\system32\spoolsv.exe[128] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F03FC
    .text C:\WINDOWS\Explorer.EXE[284] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BE000A
    .text C:\WINDOWS\Explorer.EXE[284] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C4000A
    .text C:\WINDOWS\Explorer.EXE[284] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BD000C
    .text C:\WINDOWS\Explorer.EXE[284] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00361014
    .text C:\WINDOWS\Explorer.EXE[284] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00360804
    .text C:\WINDOWS\Explorer.EXE[284] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00360A08
    .text C:\WINDOWS\Explorer.EXE[284] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00360C0C
    .text C:\WINDOWS\Explorer.EXE[284] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00360E10
    .text C:\WINDOWS\Explorer.EXE[284] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003601F8
    .text C:\WINDOWS\Explorer.EXE[284] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003603FC
    .text C:\WINDOWS\Explorer.EXE[284] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00360600
    .text C:\WINDOWS\Explorer.EXE[284] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00370804
    .text C:\WINDOWS\Explorer.EXE[284] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00370A08
    .text C:\WINDOWS\Explorer.EXE[284] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00370600
    .text C:\WINDOWS\Explorer.EXE[284] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003701F8
    .text C:\WINDOWS\Explorer.EXE[284] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003703FC
    .text C:\WINDOWS\system32\ctfmon.exe[328] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 000A01F8
    .text C:\WINDOWS\system32\ctfmon.exe[328] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
    .text C:\WINDOWS\system32\ctfmon.exe[328] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 000A03FC
    .text C:\WINDOWS\system32\ctfmon.exe[328] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\ctfmon.exe[328] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00361014
    .text C:\WINDOWS\system32\ctfmon.exe[328] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00360804
    .text C:\WINDOWS\system32\ctfmon.exe[328] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00360A08
    .text C:\WINDOWS\system32\ctfmon.exe[328] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00360C0C
    .text C:\WINDOWS\system32\ctfmon.exe[328] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00360E10
    .text C:\WINDOWS\system32\ctfmon.exe[328] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003601F8
    .text C:\WINDOWS\system32\ctfmon.exe[328] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003603FC
    .text C:\WINDOWS\system32\ctfmon.exe[328] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00360600
    .text C:\WINDOWS\system32\ctfmon.exe[328] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00370804
    .text C:\WINDOWS\system32\ctfmon.exe[328] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00370A08
    .text C:\WINDOWS\system32\ctfmon.exe[328] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00370600
    .text C:\WINDOWS\system32\ctfmon.exe[328] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003701F8
    .text C:\WINDOWS\system32\ctfmon.exe[328] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003703FC
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[504] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[504] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[504] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[660] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 001401F8
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[660] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[660] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 001403FC
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[660] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[660] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00711014
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[660] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00710804
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[660] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00710A08
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[660] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00710C0C
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[660] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00710E10
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[660] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 007101F8
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[660] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 007103FC
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[660] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00710600
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[660] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00720804
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[660] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00720A08
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[660] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00720600
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[660] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 007201F8
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[660] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 007203FC
    .text C:\WINDOWS\System32\smss.exe[972] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
    .text C:\WINDOWS\system32\csrss.exe[1068] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
    .text C:\WINDOWS\system32\csrss.exe[1068] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\winlogon.exe[1092] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 000701F8
    .text C:\WINDOWS\system32\winlogon.exe[1092] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
    .text C:\WINDOWS\system32\winlogon.exe[1092] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 000703FC
    .text C:\WINDOWS\system32\winlogon.exe[1092] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\winlogon.exe[1092] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014
    .text C:\WINDOWS\system32\winlogon.exe[1092] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804
    .text C:\WINDOWS\system32\winlogon.exe[1092] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08
    .text C:\WINDOWS\system32\winlogon.exe[1092] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C
    .text C:\WINDOWS\system32\winlogon.exe[1092] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10
    .text C:\WINDOWS\system32\winlogon.exe[1092] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
    .text C:\WINDOWS\system32\winlogon.exe[1092] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC
    .text C:\WINDOWS\system32\winlogon.exe[1092] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
    .text C:\WINDOWS\system32\winlogon.exe[1092] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F0804
    .text C:\WINDOWS\system32\winlogon.exe[1092] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0A08
    .text C:\WINDOWS\system32\winlogon.exe[1092] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F0600
    .text C:\WINDOWS\system32\winlogon.exe[1092] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F01F8
    .text C:\WINDOWS\system32\winlogon.exe[1092] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F03FC
    .text C:\WINDOWS\system32\services.exe[1140] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\services.exe[1140] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
    .text C:\WINDOWS\system32\services.exe[1140] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\services.exe[1140] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\services.exe[1140] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014
    .text C:\WINDOWS\system32\services.exe[1140] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804
    .text C:\WINDOWS\system32\services.exe[1140] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08
    .text C:\WINDOWS\system32\services.exe[1140] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C
    .text C:\WINDOWS\system32\services.exe[1140] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10
    .text C:\WINDOWS\system32\services.exe[1140] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
    .text C:\WINDOWS\system32\services.exe[1140] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC
    .text C:\WINDOWS\system32\services.exe[1140] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
    .text C:\WINDOWS\system32\services.exe[1140] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F0804
    .text C:\WINDOWS\system32\services.exe[1140] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0A08
    .text C:\WINDOWS\system32\services.exe[1140] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F0600
    .text C:\WINDOWS\system32\services.exe[1140] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F01F8
    .text C:\WINDOWS\system32\services.exe[1140] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F03FC
    .text C:\WINDOWS\system32\lsass.exe[1152] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\lsass.exe[1152] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
    .text C:\WINDOWS\system32\lsass.exe[1152] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\lsass.exe[1152] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\lsass.exe[1152] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014
    .text C:\WINDOWS\system32\lsass.exe[1152] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804
    .text C:\WINDOWS\system32\lsass.exe[1152] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08
    .text C:\WINDOWS\system32\lsass.exe[1152] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C
    .text C:\WINDOWS\system32\lsass.exe[1152] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10
    .text C:\WINDOWS\system32\lsass.exe[1152] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
    .text C:\WINDOWS\system32\lsass.exe[1152] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC
    .text C:\WINDOWS\system32\lsass.exe[1152] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
    .text C:\WINDOWS\system32\lsass.exe[1152] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F0804
    .text C:\WINDOWS\system32\lsass.exe[1152] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0A08
    .text C:\WINDOWS\system32\lsass.exe[1152] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F0600
    .text C:\WINDOWS\system32\lsass.exe[1152] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F01F8
    .text C:\WINDOWS\system32\lsass.exe[1152] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F03FC
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014
    .text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804
    .text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08
    .text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C
    .text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10
    .text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
    .text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC
    .text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
    .text C:\WINDOWS\system32\svchost.exe[1320] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F0804
    .text C:\WINDOWS\system32\svchost.exe[1320] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0A08
    .text C:\WINDOWS\system32\svchost.exe[1320] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F0600
    .text C:\WINDOWS\system32\svchost.exe[1320] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F01F8
    .text C:\WINDOWS\system32\svchost.exe[1320] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F03FC
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1352] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 000D01F8
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1352] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1352] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 000D03FC
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1352] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1352] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00361014
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1352] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00360804
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1352] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00360A08
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1352] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00360C0C
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1352] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00360E10
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1352] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003601F8
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1352] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003603FC
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1352] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00360600
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1352] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00370804
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1352] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00370A08
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1352] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00370600
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1352] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003701F8
    .text c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1352] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003703FC
    .text C:\Program Files\AVAST Software\Avast\avastUI.exe[1368] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
    .text C:\Program Files\AVAST Software\Avast\avastUI.exe[1368] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1424] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\svchost.exe[1424] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1424] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\svchost.exe[1424] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014
    .text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804
    .text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08
    .text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C
    .text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10
    .text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
    .text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC
    .text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
    .text C:\WINDOWS\system32\svchost.exe[1424] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F0804
    .text C:\WINDOWS\system32\svchost.exe[1424] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0A08
    .text C:\WINDOWS\system32\svchost.exe[1424] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F0600
    .text C:\WINDOWS\system32\svchost.exe[1424] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F01F8
    .text C:\WINDOWS\system32\svchost.exe[1424] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F03FC
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1564] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009D000A
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1564] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009E000A
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1564] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009C000C
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1564] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1564] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1564] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1564] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1564] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1564] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1564] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1564] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1564] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 006B0804
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1564] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 006B0A08
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1564] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 006B0600
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1564] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 006B01F8
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1564] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 006B03FC
     
  3. lemowill

    lemowill TS Enthusiast Topic Starter Posts: 126

    .text C:\WINDOWS\System32\svchost.exe[1648] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0072000A
    .text C:\WINDOWS\System32\svchost.exe[1648] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0073000A
    .text C:\WINDOWS\System32\svchost.exe[1648] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0071000C
    .text C:\WINDOWS\System32\svchost.exe[1648] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014
    .text C:\WINDOWS\System32\svchost.exe[1648] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804
    .text C:\WINDOWS\System32\svchost.exe[1648] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08
    .text C:\WINDOWS\System32\svchost.exe[1648] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C
    .text C:\WINDOWS\System32\svchost.exe[1648] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10
    .text C:\WINDOWS\System32\svchost.exe[1648] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
    .text C:\WINDOWS\System32\svchost.exe[1648] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC
    .text C:\WINDOWS\System32\svchost.exe[1648] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
    .text C:\WINDOWS\System32\svchost.exe[1648] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F0804
    .text C:\WINDOWS\System32\svchost.exe[1648] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0203000A
    .text C:\WINDOWS\System32\svchost.exe[1648] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0A08
    .text C:\WINDOWS\System32\svchost.exe[1648] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F0600
    .text C:\WINDOWS\System32\svchost.exe[1648] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F01F8
    .text C:\WINDOWS\System32\svchost.exe[1648] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F03FC
    .text C:\WINDOWS\System32\svchost.exe[1648] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F3000A
    .text C:\WINDOWS\system32\wscntfy.exe[1748] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
    .text C:\WINDOWS\system32\wscntfy.exe[1748] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[1752] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 000901F8
    .text C:\WINDOWS\System32\svchost.exe[1752] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[1752] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 000903FC
    .text C:\WINDOWS\System32\svchost.exe[1752] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[1752] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014
    .text C:\WINDOWS\System32\svchost.exe[1752] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804
    .text C:\WINDOWS\System32\svchost.exe[1752] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08
    .text C:\WINDOWS\System32\svchost.exe[1752] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C
    .text C:\WINDOWS\System32\svchost.exe[1752] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10
    .text C:\WINDOWS\System32\svchost.exe[1752] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
    .text C:\WINDOWS\System32\svchost.exe[1752] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC
    .text C:\WINDOWS\System32\svchost.exe[1752] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
    .text C:\WINDOWS\System32\svchost.exe[1752] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F0804
    .text C:\WINDOWS\System32\svchost.exe[1752] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0A08
    .text C:\WINDOWS\System32\svchost.exe[1752] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F0600
    .text C:\WINDOWS\System32\svchost.exe[1752] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F01F8
    .text C:\WINDOWS\System32\svchost.exe[1752] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F03FC
    .text C:\WINDOWS\System32\svchost.exe[1788] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 000901F8
    .text C:\WINDOWS\System32\svchost.exe[1788] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[1788] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 000903FC
    .text C:\WINDOWS\System32\svchost.exe[1788] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[1788] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014
    .text C:\WINDOWS\System32\svchost.exe[1788] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804
    .text C:\WINDOWS\System32\svchost.exe[1788] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08
    .text C:\WINDOWS\System32\svchost.exe[1788] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C
    .text C:\WINDOWS\System32\svchost.exe[1788] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10
    .text C:\WINDOWS\System32\svchost.exe[1788] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
    .text C:\WINDOWS\System32\svchost.exe[1788] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC
    .text C:\WINDOWS\System32\svchost.exe[1788] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
    .text C:\WINDOWS\System32\svchost.exe[1788] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F0804
    .text C:\WINDOWS\System32\svchost.exe[1788] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0A08
    .text C:\WINDOWS\System32\svchost.exe[1788] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F0600
    .text C:\WINDOWS\System32\svchost.exe[1788] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F01F8
    .text C:\WINDOWS\System32\svchost.exe[1788] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F03FC
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 001501F8
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 001503FC
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C1014
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C0804
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0A08
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C0C0C
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0E10
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C01F8
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C03FC
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C0600
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D0804
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0A08
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D0600
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D01F8
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1840] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D03FC
    .text C:\Program Files\Juniper Networks\Common Files\dsNcService.exe[1912] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 001501F8
    .text C:\Program Files\Juniper Networks\Common Files\dsNcService.exe[1912] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
    .text C:\Program Files\Juniper Networks\Common Files\dsNcService.exe[1912] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 001503FC
    .text C:\Program Files\Juniper Networks\Common Files\dsNcService.exe[1912] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Juniper Networks\Common Files\dsNcService.exe[1912] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003D1014
    .text C:\Program Files\Juniper Networks\Common Files\dsNcService.exe[1912] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003D0804
    .text C:\Program Files\Juniper Networks\Common Files\dsNcService.exe[1912] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003D0A08
    .text C:\Program Files\Juniper Networks\Common Files\dsNcService.exe[1912] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003D0C0C
    .text C:\Program Files\Juniper Networks\Common Files\dsNcService.exe[1912] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003D0E10
    .text C:\Program Files\Juniper Networks\Common Files\dsNcService.exe[1912] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003D01F8
    .text C:\Program Files\Juniper Networks\Common Files\dsNcService.exe[1912] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003D03FC
    .text C:\Program Files\Juniper Networks\Common Files\dsNcService.exe[1912] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003D0600
    .text C:\Program Files\Juniper Networks\Common Files\dsNcService.exe[1912] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003E0804
    .text C:\Program Files\Juniper Networks\Common Files\dsNcService.exe[1912] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003E0A08
    .text C:\Program Files\Juniper Networks\Common Files\dsNcService.exe[1912] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003E0600
    .text C:\Program Files\Juniper Networks\Common Files\dsNcService.exe[1912] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003E01F8
    .text C:\Program Files\Juniper Networks\Common Files\dsNcService.exe[1912] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003E03FC
    .text C:\WINDOWS\System32\svchost.exe[1956] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 000901F8
    .text C:\WINDOWS\System32\svchost.exe[1956] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[1956] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 000903FC
    .text C:\WINDOWS\System32\svchost.exe[1956] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014
    .text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804
    .text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08
    .text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C
    .text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10
    .text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
    .text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC
    .text C:\WINDOWS\System32\svchost.exe[1956] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
    .text C:\WINDOWS\System32\svchost.exe[1956] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F0804
    .text C:\WINDOWS\System32\svchost.exe[1956] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0A08
    .text C:\WINDOWS\System32\svchost.exe[1956] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F0600
    .text C:\WINDOWS\System32\svchost.exe[1956] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F01F8
    .text C:\WINDOWS\System32\svchost.exe[1956] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F03FC
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2108] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 000D01F8
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2108] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2108] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 000D03FC
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2108] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2108] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00341014
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2108] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00340804
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2108] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00340A08
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2108] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00340C0C
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2108] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00340E10
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2108] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003401F8
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2108] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003403FC
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2108] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00340600
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2108] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00350804
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2108] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00350A08
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2108] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00350600
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2108] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003501F8
    .text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2108] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003503FC
    .text C:\WINDOWS\System32\svchost.exe[2200] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 000901F8
    .text C:\WINDOWS\System32\svchost.exe[2200] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[2200] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 000903FC
    .text C:\WINDOWS\System32\svchost.exe[2200] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[2200] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014
    .text C:\WINDOWS\System32\svchost.exe[2200] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804
    .text C:\WINDOWS\System32\svchost.exe[2200] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08
    .text C:\WINDOWS\System32\svchost.exe[2200] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C
    .text C:\WINDOWS\System32\svchost.exe[2200] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10
    .text C:\WINDOWS\System32\svchost.exe[2200] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
    .text C:\WINDOWS\System32\svchost.exe[2200] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC
    .text C:\WINDOWS\System32\svchost.exe[2200] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
    .text C:\WINDOWS\System32\svchost.exe[2200] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F0804
    .text C:\WINDOWS\System32\svchost.exe[2200] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0A08
    .text C:\WINDOWS\System32\svchost.exe[2200] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F0600
    .text C:\WINDOWS\System32\svchost.exe[2200] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F01F8
    .text C:\WINDOWS\System32\svchost.exe[2200] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F03FC
    .text C:\WINDOWS\System32\wdfmgr.exe[2616] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 000801F8
    .text C:\WINDOWS\System32\wdfmgr.exe[2616] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
    .text C:\WINDOWS\System32\wdfmgr.exe[2616] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 000803FC
    .text C:\WINDOWS\System32\wdfmgr.exe[2616] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\System32\wdfmgr.exe[2616] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002F1014
    .text C:\WINDOWS\System32\wdfmgr.exe[2616] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002F0804
    .text C:\WINDOWS\System32\wdfmgr.exe[2616] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002F0A08
    .text C:\WINDOWS\System32\wdfmgr.exe[2616] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002F0C0C
    .text C:\WINDOWS\System32\wdfmgr.exe[2616] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002F0E10
    .text C:\WINDOWS\System32\wdfmgr.exe[2616] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002F01F8
    .text C:\WINDOWS\System32\wdfmgr.exe[2616] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002F03FC
    .text C:\WINDOWS\System32\wdfmgr.exe[2616] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002F0600
    .text C:\WINDOWS\System32\wdfmgr.exe[2616] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00300804
    .text C:\WINDOWS\System32\wdfmgr.exe[2616] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00300A08
    .text C:\WINDOWS\System32\wdfmgr.exe[2616] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00300600
    .text C:\WINDOWS\System32\wdfmgr.exe[2616] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003001F8
    .text C:\WINDOWS\System32\wdfmgr.exe[2616] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003003FC
    .text C:\Documents and Settings\PsychoDunpeal\Desktop\swv8c679.exe[3160] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
    .text C:\Documents and Settings\PsychoDunpeal\Desktop\swv8c679.exe[3160] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\System32\alg.exe[3344] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 000901F8
    .text C:\WINDOWS\System32\alg.exe[3344] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
    .text C:\WINDOWS\System32\alg.exe[3344] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 000903FC
    .text C:\WINDOWS\System32\alg.exe[3344] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\System32\alg.exe[3344] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002E0804
    .text C:\WINDOWS\System32\alg.exe[3344] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002E0A08
    .text C:\WINDOWS\System32\alg.exe[3344] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002E0600
    .text C:\WINDOWS\System32\alg.exe[3344] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002E01F8
    .text C:\WINDOWS\System32\alg.exe[3344] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002E03FC
    .text C:\WINDOWS\System32\alg.exe[3344] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002F1014
    .text C:\WINDOWS\System32\alg.exe[3344] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002F0804
    .text C:\WINDOWS\System32\alg.exe[3344] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002F0A08
    .text C:\WINDOWS\System32\alg.exe[3344] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002F0C0C
    .text C:\WINDOWS\System32\alg.exe[3344] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002F0E10
    .text C:\WINDOWS\System32\alg.exe[3344] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002F01F8
    .text C:\WINDOWS\System32\alg.exe[3344] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002F03FC
    .text C:\WINDOWS\System32\alg.exe[3344] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002F0600
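
A small triage script for the two kinds of GMER lines in this thread: the `.text` user-mode hook lines above and the `IAT` kernel lines in the next post. This is an added example written for this page, not code from GMER, Avast or the poster; its sample input is an excerpt of the lines posted here. It assumes a 32-bit XP kernel without /3GB (kernel space starts at 0x80000000) and groups trampoline targets at 64 KiB granularity; both are marked as assumptions in the code.

```python
import re
from collections import defaultdict

# GMER user-mode hook line, the two shapes seen in the log:
#   .text C:\WINDOWS\system32\svchost.exe[1424] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 000901F8
#   .text C:\WINDOWS\system32\wscntfy.exe[1748] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
USER_HOOK = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<mod>[^!\s]+)!(?P<func>\S+)"
    r"(?: \+ (?P<off>[0-9A-F]+))? (?P<addr>[0-9A-F]{8}) (?P<size>\d+) Bytes? "
    r"(?:JMP (?P<target>[0-9A-F]{8})|\[(?P<patch>[0-9A-F ]+)\])$")

# GMER kernel IAT line, with or without the owning module named at the end:
#   IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F86C9C4C] spsu.sys
#   IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!KeSetEvent] 00002590
KERNEL_IAT = re.compile(
    r"^IAT (?P<drv>.+?)\[(?P<mod>[^!]+)!(?P<func>[^\]]+)\] "
    r"\[?(?P<val>[0-9A-F]{8})\]?(?: (?P<owner>\S+))?$")

KERNEL_BASE = 0x80000000  # assumption: 32-bit XP without /3GB, kernel space starts here
REGION = ~0xFFFF          # assumption: compare trampoline targets at 64 KiB granularity


def parse(log):
    """Split a GMER log into user-mode hook records and kernel IAT records."""
    hooks, iat = [], []
    for line in (l.strip() for l in log.splitlines()):
        m = USER_HOOK.match(line)
        if m:
            h = m.groupdict()
            h["pid"], h["size"] = int(h["pid"]), int(h["size"])
            h["target"] = int(h["target"], 16) if h["target"] else None  # None: in-place byte patch
            hooks.append(h)
            continue
        m = KERNEL_IAT.match(line)
        if m:
            e = m.groupdict()
            e["val"] = int(e["val"], 16)
            iat.append(e)
    return hooks, iat


def odd_hooks(hooks):
    """JMP hooks whose target region hosts no other hook in the same process.
    A HIPS/AV engine packs a DLL's trampolines into one region; a hook sitting
    alone in its own region does not follow that layout and is the one to examine first."""
    per_region = defaultdict(list)
    for h in hooks:
        if h["target"] is not None:
            per_region[(h["pid"], h["target"] & REGION)].append(h)
    return sorted((h["pid"], f"{h['mod']}!{h['func']}")
                  for grp in per_region.values() if len(grp) == 1 for h in grp)


def uniform_slots(hooks):
    """Functions hooked in two or more processes whose JMP target has the same low
    16 bits in every process: one engine filling a per-process trampoline page from
    a fixed slot table (in this log CreateServiceA is always at +0x01F8)."""
    slots, pids = defaultdict(set), defaultdict(set)
    for h in hooks:
        if h["target"] is not None:
            key = f"{h['mod']}!{h['func']}"
            slots[key].add(h["target"] & 0xFFFF)
            pids[key].add(h["pid"])
    return {k: next(iter(v)) for k, v in slots.items() if len(v) == 1 and len(pids[k]) > 1}


def iat_report(iat):
    """Per driver: the module its imports were redirected to, and whether the table can
    be resolved imports at all.  Resolved kernel imports lie above KERNEL_BASE and within
    a few MiB of each other; a table holding user-range values such as 00002590 cannot be
    a set of hook addresses and should not be read as one."""
    by_drv = defaultdict(list)
    for e in iat:
        by_drv[e["drv"]].append(e)
    report = {}
    for drv, entries in by_drv.items():
        vals = [e["val"] for e in entries]
        below = sum(v < KERNEL_BASE for v in vals)
        report[drv] = {"entries": len(vals), "below_kernel_base": below,
                       "redirected_to": sorted({e["owner"] for e in entries if e["owner"]}),
                       "coherent": below == 0 and max(vals) - min(vals) < 0x1000000}
    return report


# Excerpt of the lines posted in this thread (real log lines, not constructed).
SAMPLE = r"""
.text C:\WINDOWS\system32\svchost.exe[1424] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1424] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
.text C:\WINDOWS\system32\svchost.exe[1424] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
.text C:\WINDOWS\System32\svchost.exe[1648] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0072000A
.text C:\WINDOWS\System32\svchost.exe[1648] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0073000A
.text C:\WINDOWS\System32\svchost.exe[1648] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
.text C:\WINDOWS\System32\svchost.exe[1648] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
.text C:\WINDOWS\System32\svchost.exe[1648] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0203000A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1840] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C1014
.text C:\Program Files\Bonjour\mDNSResponder.exe[1840] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1840] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C01F8
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F8699040] spsu.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F86996D2] spsu.sys
IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!RtlInitUnicodeString] F44D8B48
IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!KeSetEvent] 00002590
IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IofCallDriver] 558DFFFF
"""

if __name__ == "__main__":
    hooks, iat = parse(SAMPLE)
    print("hooks alone in their target region:", odd_hooks(hooks))
    print("uniform trampoline slots:", {k: hex(v) for k, v in uniform_slots(hooks).items()})
    for drv, rep in iat_report(iat).items():
        print(drv, rep)
```

Run against the full log, the script reports three things worth knowing before chasing "hidden processes": the ADVAPI32, USER32 and ntdll loader hooks land in one per-process region with identical slot offsets in every process, which is the signature of a single hooking engine rather than scattered patches; the handful of hooks that sit alone in their own region (NtProtectVirtualMemory, NtWriteVirtualMemory, KiUserExceptionDispatcher, GetCursorPos and CoCreateInstance in svchost[1648], and the ntdll trio in sqlbrowser[1564]) are the ones to check by hand; and the an61j2nj.SYS IAT values include user-range numbers that cannot be kernel function pointers, so those lines are unreliable rather than evidence of kernel hooks. The script establishes consistency, not intent: it does not identify which product owns the engine, and the atapi.sys and pci.sys imports redirected into spsu.sys still need that driver identified on disk.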
     
  4. lemowill

    lemowill TS Enthusiast Topic Starter Posts: 126

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 833712D8
    IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F86C9C4C] spsu.sys
    IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F86C9CA0] spsu.sys
    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F8699040] spsu.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F869913C] spsu.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F86990BE] spsu.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F86997FC] spsu.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F86996D2] spsu.sys
    IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 831C92D8
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!RtlInitUnicodeString] F44D8B48
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!swprintf] C1815753
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!KeSetEvent] 00002590
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoCreateSymbolicLink] 467C8D51
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoGetConfigurationInformation] 76F6E84A
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] D88BFFFF
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!MmFreeMappingAddress] 8504C483
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 5F0A75DB
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 5B08438D
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!MmUnmapIoSpace] 5DE58B5E
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 259068C3
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IofCompleteRequest] 006A0000
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 88F0E853
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IofCallDriver] 558DFFFF
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!MmAllocateMappingAddress] 90838DF8
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 52000025
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoConnectInterrupt] 03895750
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoDetachDevice] FFF363E8
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!KeWaitForSingleObject] 0C458AFF
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!KeInitializeEvent] 8B104D8B
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!KeCancelTimer] 43881855
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 1C458B08
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!RtlInitAnsiString] 0F544389
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 89FF45B6
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoQueueWorkItem] 4D8B0C4B
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!MmMapIoSpace] 50538920
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 8924558B
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoReportDetectedDevice] 5389584B
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoReportResourceForDetection] 0A43885C
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 0646B60F
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!NlsMbCodePageTag] A818C483
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!PoRequestPowerIrp] 8D7F743F
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 001A8C8B
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] E0835100
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!sprintf] 7E8D503F
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] B9E85728
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!ObfDereferenceObject] 0F0000D1
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 8D0646B6
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 001B8093
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!ZwClose] E0835200
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] E857503F
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] 0000EBB4
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] 026B938D
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!PoStartNextPowerIrp] C6830000
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoCreateDevice] 0008B908
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!RtlCopyUnicodeString] FA8B0000
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 758BA5F3
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 064E8A08
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!ZwOpenKey] 883FE180
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!RtlFreeUnicodeString] 0002688B
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoStartTimer] 06468A00
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!KeInitializeTimer] 8306E8C0
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoInitializeTimer] 023C18C4
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!KeInitializeDpc] 02698388
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!KeInitializeSpinLock] 19750000
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoInitializeIrp] 028C838D
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!ZwCreateKey] 52500000
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 00C143E8
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 08C48300
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!ZwSetValueKey] 0575C085
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!KeInsertQueueDpc] EB08708D
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 074E8A54
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoStartPacket] 026A8B88
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 83660000
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 7601487E
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoFreeMdl] 4AC68305
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!MmUnlockPages] F63302EB
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 5614558B
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 75E85352
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 8BFFFFF4
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 0CC483F0
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!KeSynchronizeExecution] 2075F685
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!IoStartNextPacket] 050C7D80
    IAT \SystemRoot\System32\Drivers\an61j2nj.SYS[ntoskrnl.exe!KeBugCheckEx] 0092850F
     
  5. lemowill

    lemowill TS Enthusiast Topic Starter Posts: 126

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[1140] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00610002
    IAT C:\WINDOWS\system32\services.exe[1140] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00610000

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
    Device \FileSystem\Ntfs \Ntfs 833DD1F8

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    Device \Driver\NetBT \Device\NetBT_Tcpip_{BC7B5C8D-678B-4087-9B8B-663031F2BD86} 82DB21F8
    Device \Driver\PCI_PNP5078 \Device\00000050 spsu.sys
    Device \Driver\usbuhci \Device\USBPDO-0 831C81F8
    Device \Driver\sptd \Device\655651328 spsu.sys
    Device \Driver\dmio \Device\DmControl\DmIoDaemon 8336F1F8
    Device \Driver\dmio \Device\DmControl\DmConfig 8336F1F8
    Device \Driver\dmio \Device\DmControl\DmPnP 8336F1F8
    Device \Driver\dmio \Device\DmControl\DmInfo 8336F1F8
    Device \Driver\usbuhci \Device\USBPDO-1 831C81F8
    Device \Driver\usbuhci \Device\USBPDO-2 831C81F8
    Device \Driver\usbehci \Device\USBPDO-3 831A61F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{45BFA4A6-0077-4C51-B1B8-9D9F08B46B69} 82DB21F8

    AttachedDevice \Driver\Tcpip \Device\Tcp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    Device \Driver\Ftdisk \Device\HarddiskVolume1 833DF1F8
    Device \Driver\Cdrom \Device\CdRom0 8319A1F8
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 82CD7CE2
    Device \Driver\atapi \Device\Ide\IdePort0 [F85ECB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 82CD7CE2
    Device \Driver\atapi \Device\Ide\IdePort1 [F85ECB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 82CD7CE2
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F85ECB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\Cdrom \Device\CdRom1 8319A1F8
    Device \Driver\NetBT \Device\NetBt_Wins_Export 82DB21F8
    Device \Driver\NetBT \Device\NetbiosSmb 82DB21F8

    AttachedDevice \Driver\Tcpip \Device\Udp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    Device \Driver\usbuhci \Device\USBFDO-0 831C81F8
    Device \Driver\usbuhci \Device\USBFDO-1 831C81F8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 83028500
    Device \Driver\usbuhci \Device\USBFDO-2 831C81F8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 83028500
    Device \Driver\usbehci \Device\USBFDO-3 831A61F8
    Device \Driver\Ftdisk \Device\FtControl 833DF1F8
    Device \Driver\an61j2nj \Device\Scsi\an61j2nj1 8316F1F8
    Device \Driver\an61j2nj \Device\Scsi\an61j2nj1Port2Path0Target0Lun0 8316F1F8
    Device \FileSystem\Cdfs \Cdfs 82D6F1F8
    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMaxtor_6E040L0__________________________NAR61590#314532324a4d4558202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Registry - GMER 1.0.15 ----


    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\System32\DRIVERS\netbt.sys suspicious modification; TDL3 <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.15 ----
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll help with the malware problem.

    It's important that you carefully read the instructions given with each program. The GMER program clearly states:
    It is apparent that you missed this since the log you left is 4 posts long!
    ========================================
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe. to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ==========================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Expect these- they are normal:
    1. If asked to install or update the Recovery Console, allow. (You will need an internet connection for this.)
    2. Before you run the Combofix scan, please disable any security software you have running.
    3. Combofix may need to reboot your computer more than once to do its job; this is normal.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated and will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ==========================================
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    netbt.sys

    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    ===============================
    Try running DDs again. If it still won't complete, do the following:
    Please download this file: xp_scr_fix

    Unpack (unzip) the file onto your desktop and double-click it. You will be asked if you wish to merge the file with your registry, say Yes.

    You should then be able to run DDS.scr. It's the .scr file extension causing the problem.
    =================================
    Logs for TDSSKiller, Combofix, System Look and 2 from DDS in next reply please.
    ===================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
     
  7. lemowill

    lemowill TS Enthusiast Topic Starter Posts: 126

    problem

    Hey, thanks for the help. Ok, before with GMER, the select all box was greyed out so I couldn't uncheck it. Anyway, ok, so I ran the TDSSKiller fine and I quarantined what was found, but then when I was running Combofix, everything was ok up until I continued the scan and then it stuck. I've done it three times now and same thing. I did not touch the window or move the mouse or anything once I clicked ok to scan. What should I do? The log for TDSS is posted after this below.
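Added example, not part of the thread and not code from GMER or TDSSKiller: a small Python parser that pulls the rootkit findings out of the two log formats posted here (the GMER "Files" line and the TDSSKiller "Suspicious file (Forged)" / "detected" lines) and merges them by path, so a helper can see at a glance that both tools point at the same driver and that its on-disk hash differs from the hash the file system is shown. The sample lines are copied from this thread; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Sample input: log lines copied from this thread (GMER "Files" section and
# TDSSKiller output), embedded so the example runs offline.
SAMPLE_LOG = [
    r"File C:\WINDOWS\System32\DRIVERS\netbt.sys suspicious modification; TDL3 <-- ROOTKIT !!!",
    r"13:54:36.0046 3632 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys",
    r"13:54:36.0046 3632 NetBIOS - ok",
    r"13:54:36.0093 3632 NetBT (789a8dbc7919aac537ca5db5255894a5) C:\WINDOWS\system32\DRIVERS\netbt.sys",
    r"13:54:36.0093 3632 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: 789a8dbc7919aac537ca5db5255894a5, Fake md5: 0c80e410cd2f47134407ee7dd19cc86b",
    r"13:54:36.0109 3632 NetBT ( Rootkit.Win32.TDSS.tdl3 ) - infected",
    r"13:54:36.0109 3632 NetBT - detected Rootkit.Win32.TDSS.tdl3 (0)",
]

# TDSSKiller lines start with "<hh:mm:ss.ffff> <pid> ".
_TS = r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+"
# "<service> (<md5>) <path>": maps a service name to the file it loads.
TDSS_DRIVER = re.compile(_TS + r"(?P<svc>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>\S.*?)\s*$")
# "Suspicious file (Forged): <path>. Real md5: <hash>, Fake md5: <hash>"
TDSS_FORGED = re.compile(
    r"Suspicious file \(Forged\):\s+(?P<path>.+?)\.\s+Real md5:\s+(?P<real>[0-9a-f]{32}),"
    r"\s+Fake md5:\s+(?P<fake>[0-9a-f]{32})")
# "<service> - detected <name> (<n>)"
TDSS_DETECT = re.compile(_TS + r"(?P<svc>\S+)\s+-\s+detected\s+(?P<name>\S+)")
# GMER "Files" section: "File <path> suspicious modification; <family> <-- ROOTKIT !!!"
GMER_FILE = re.compile(
    r"^File\s+(?P<path>.+?)\s+suspicious modification;\s+(?P<family>\S+)\s+<--\s+ROOTKIT")


@dataclass
class Finding:
    path: str                                           # path as first seen in a log
    tools: Dict[str, str] = field(default_factory=dict)  # tool -> detection label ("" if none)
    real_md5: Optional[str] = None                      # hash of the bytes actually on disk
    fake_md5: Optional[str] = None                      # hash of what the file system is shown

    @property
    def forged(self) -> bool:
        """True when both hashes are present and disagree: the driver shows
        file-system readers a different image than what is really stored."""
        return bool(self.real_md5 and self.fake_md5 and self.real_md5 != self.fake_md5)


def parse_scan_logs(lines: Iterable[str]) -> Dict[str, Finding]:
    """Return findings keyed by lower-cased path. NTFS paths are case-insensitive
    and GMER and TDSSKiller print the same file with different casing, so the
    key must be normalised or the two reports will not merge."""
    findings: Dict[str, Finding] = {}
    svc_paths: Dict[str, str] = {}  # TDSSKiller service name -> file path

    def get(path: str) -> Finding:
        return findings.setdefault(path.lower(), Finding(path))

    for raw in lines:
        line = raw.strip()
        if m := TDSS_DRIVER.match(line):
            svc_paths[m["svc"]] = m["path"]  # needed later: "detected" names the service, not the file
        elif m := TDSS_FORGED.search(line):
            f = get(m["path"])
            f.real_md5, f.fake_md5 = m["real"], m["fake"]
            f.tools.setdefault("TDSSKiller", "")
        elif m := TDSS_DETECT.match(line):
            f = get(svc_paths.get(m["svc"], m["svc"]))
            f.tools["TDSSKiller"] = m["name"]
        elif m := GMER_FILE.match(line):
            f = get(m["path"])
            f.tools["GMER"] = m["family"]
    return findings


def corroborated(findings: Dict[str, Finding]) -> List[str]:
    """Paths flagged by more than one scanner: the strongest signal a helper can act on."""
    return sorted(f.path for f in findings.values() if len(f.tools) > 1)


if __name__ == "__main__":
    for f in parse_scan_logs(SAMPLE_LOG).values():
        status = "FORGED" if f.forged else "reported"
        print(f"{f.path}: {status} by {sorted(f.tools)}; real={f.real_md5} fake={f.fake_md5}")
```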
     
  8. lemowill

    lemowill TS Enthusiast Topic Starter Posts: 126

    13:53:42.0546 3476 TDSS rootkit removing tool 2.7.2.0 Jan 14 2012 20:07:30
    13:53:43.0062 3476 ============================================================
    13:53:43.0062 3476 Current date / time: 2012/01/16 13:53:43.0062
    13:53:43.0062 3476 SystemInfo:
    13:53:43.0062 3476
    13:53:43.0062 3476 OS Version: 5.1.2600 ServicePack: 3.0
    13:53:43.0062 3476 Product type: Workstation
    13:53:43.0062 3476 ComputerName: IBMDESKTOP
    13:53:43.0140 3476 UserName: PsychoDunpeal
    13:53:43.0140 3476 Windows directory: C:\WINDOWS
    13:53:43.0140 3476 System windows directory: C:\WINDOWS
    13:53:43.0140 3476 Processor architecture: Intel x86
    13:53:43.0140 3476 Number of processors: 1
    13:53:43.0140 3476 Page size: 0x1000
    13:53:43.0140 3476 Boot type: Normal boot
    13:53:43.0140 3476 ============================================================
    13:53:46.0093 3476 Drive \Device\Harddisk0\DR0 - Size: 0x951240000, SectorSize: 0x200, Cylinders: 0x1301, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K', Flags 0x00000054
    13:53:46.0437 3476 Initialize success
    13:54:03.0781 3632 ============================================================
    13:54:03.0781 3632 Scan started
    13:54:03.0781 3632 Mode: Manual;
    13:54:03.0781 3632 ============================================================
    13:54:36.0093 3632 NetBT (789a8dbc7919aac537ca5db5255894a5) C:\WINDOWS\system32\DRIVERS\netbt.sys
    13:54:36.0093 3632 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: 789a8dbc7919aac537ca5db5255894a5, Fake md5: 0c80e410cd2f47134407ee7dd19cc86b
    13:54:36.0109 3632 NetBT ( Rootkit.Win32.TDSS.tdl3 ) - infected
    13:54:36.0109 3632 NetBT - detected Rootkit.Win32.TDSS.tdl3 (0)
    13:54:40.0546 3632 rdpdr - ok
    13:54:40.0671 3632 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    13:54:40.0687 3632 RDPWD - ok
    13:54:40.0812 3632 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    13:54:40.0812 3632 redbook - ok
    13:54:40.0921 3632 RPSKT - ok
    13:54:41.0031 3632 SASDIFSV - ok
    13:54:41.0046 3632 SASENUM - ok
    13:54:41.0078 3632 SASKUTIL - ok
    13:54:41.0250 3632 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    13:54:41.0250 3632 Secdrv - ok
    13:54:41.0390 3632 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    13:54:41.0390 3632 serenum - ok
    13:54:41.0531 3632 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    13:54:41.0531 3632 Serial - ok
    13:54:41.0703 3632 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    13:54:41.0703 3632 Sfloppy - ok
    13:54:41.0796 3632 Simbad - ok
    13:54:41.0859 3632 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    13:54:41.0875 3632 SLIP - ok
    13:54:42.0031 3632 smwdm (675c3c4d6da71e6be31548150521b561) C:\WINDOWS\system32\drivers\smwdm.sys
    13:54:42.0218 3632 smwdm - ok
    13:54:42.0312 3632 Sparrow - ok
    13:54:42.0437 3632 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    13:54:42.0453 3632 splitter - ok
    13:54:42.0640 3632 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\system32\Drivers\sptd.sys
    13:54:42.0640 3632 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 71e276f6d189413266ea22171806597b
    13:54:42.0656 3632 sptd ( LockedFile.Multi.Generic ) - warning
    13:54:42.0656 3632 sptd - detected LockedFile.Multi.Generic (1)
    13:54:42.0781 3632 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    13:54:42.0781 3632 sr - ok
    13:54:42.0906 3632 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
    13:54:42.0921 3632 Srv - ok
    13:54:43.0078 3632 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    13:54:43.0078 3632 streamip - ok
    13:54:43.0187 3632 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    13:54:43.0187 3632 swenum - ok
    13:54:43.0265 3632 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    13:54:43.0281 3632 swmidi - ok
    13:54:43.0375 3632 symc810 - ok
    13:54:43.0453 3632 symc8xx - ok
    13:54:43.0531 3632 sym_hi - ok
    13:54:43.0562 3632 sym_u3 - ok
    13:54:43.0640 3632 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    13:54:43.0656 3632 sysaudio - ok
    13:54:43.0812 3632 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    13:54:43.0843 3632 Tcpip - ok
    13:54:43.0968 3632 Tcpip6 (4e53bbcc4be37d7a4bd6ef1098c89ff7) C:\WINDOWS\system32\DRIVERS\tcpip6.sys
    13:54:43.0984 3632 Tcpip6 - ok
    13:54:44.0078 3632 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    13:54:44.0093 3632 TDPIPE - ok
    13:54:44.0218 3632 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    13:54:44.0218 3632 TDTCP - ok
    13:54:44.0343 3632 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    13:54:44.0343 3632 TermDD - ok
    13:54:44.0468 3632 TosIde - ok
    13:54:44.0562 3632 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    13:54:44.0578 3632 Udfs - ok
    13:54:44.0656 3632 ultra - ok
    13:54:44.0796 3632 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    13:54:44.0812 3632 Update - ok
    13:54:44.0953 3632 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
    13:54:44.0968 3632 usbaudio - ok
    13:54:45.0062 3632 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    13:54:45.0062 3632 usbccgp - ok
    13:54:45.0171 3632 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    13:54:45.0187 3632 usbehci - ok
    13:54:45.0296 3632 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    13:54:45.0312 3632 usbhub - ok
    13:54:45.0453 3632 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    13:54:45.0453 3632 usbscan - ok
    13:54:45.0578 3632 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    13:54:45.0578 3632 USBSTOR - ok
    13:54:45.0687 3632 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    13:54:45.0687 3632 usbuhci - ok
    13:54:45.0812 3632 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    13:54:45.0812 3632 VgaSave - ok
    13:54:45.0890 3632 ViaIde - ok
    13:54:45.0968 3632 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    13:54:45.0968 3632 VolSnap - ok
    13:54:46.0093 3632 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    13:54:46.0093 3632 Wanarp - ok
    13:54:46.0171 3632 WDICA - ok
    13:54:46.0250 3632 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    13:54:46.0265 3632 wdmaud - ok
    13:54:46.0500 3632 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    13:54:46.0500 3632 WS2IFSL - ok
    13:54:46.0625 3632 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    13:54:46.0625 3632 WSTCODEC - ok
    13:54:46.0734 3632 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
    13:54:46.0890 3632 \Device\Harddisk0\DR0 - ok
    13:54:46.0906 3632 Boot (0x1200) (478cabece415b16df415717e7b6d7f1f) \Device\Harddisk0\DR0\Partition0
    13:54:46.0906 3632 \Device\Harddisk0\DR0\Partition0 - ok
    13:54:46.0906 3632 ============================================================
    13:54:46.0906 3632 Scan finished
    13:54:46.0906 3632 ============================================================
    13:54:46.0937 3444 Detected object count: 2
    13:54:46.0937 3444 Actual detected object count: 2
    13:55:49.0484 3444 C:\WINDOWS\system32\DRIVERS\netbt.sys - copied to quarantine
    13:55:57.0968 3444 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
    13:55:58.0093 3444 \Device\Harddisk0\DR0\TDLFS\tdl - copied to quarantine
    13:55:58.0140 3444 \Device\Harddisk0\DR0\TDLFS\rsrc.dat - copied to quarantine
    13:55:58.0187 3444 \Device\Harddisk0\DR0\TDLFS\bckfg.tmp - copied to quarantine
    13:55:58.0281 3444 \Device\Harddisk0\DR0\TDLFS\tdlcmd.dll - copied to quarantine
    13:55:59.0015 3444 \Device\Harddisk0\DR0\TDLFS\keywords - copied to quarantine
    13:55:59.0031 3444 \Device\Harddisk0\DR0\TDLFS\ccdb.tmp - copied to quarantine
    13:55:59.0062 3444 NetBT ( Rootkit.Win32.TDSS.tdl3 ) - User select action: Quarantine
    13:55:59.0328 3444 C:\WINDOWS\system32\Drivers\sptd.sys - copied to quarantine
    13:55:59.0468 3444 sptd ( LockedFile.Multi.Generic ) - User select action: Quarantine
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, let's see if we can get the program running:

    NOTE: If, for some reason, Combofix refuses to run, try one of the following:
    1. Run Combofix from Safe Mode.
    2. Delete Combofix file, download fresh one, but rename combofix.exe to
    friday.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    -------------------------------------
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 3 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, then try to immediately run the following:

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan.
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).

    Rkill instructions
    Once you've gotten one of them to run
    • immediately double click on friday.exe to run
    • If normal mode still doesn't work, run BOTH tools from safe mode.

    If you have done #2, please post BOTH logs, rKill and Combofix.
    ====================================================
    Try DDS again, after Rkill- do not reboot after Rkill.
    =================================================
    If it still won't run, uninstall DDS if it's on the system, then do this:

    Please download this file: xp_scr_fix

    Unpack (unzip) the file onto your desktop and double-click it. You will be asked if you wish to merge the file with your registry, say Yes.

    You should then be able to run DDS.scr.
    ==========================================
    Hopefully this will produce a successful run of Combofix and DDS. Leave logs for both (2 from DDS) in your next reply.

    It's the .scr file extension causing the problem.
     
  10. lemowill

    lemowill TS Enthusiast Topic Starter Posts: 126

    More problems

    Ok, so I tried to run Combofix in safe mode first and it started again and, like before, when it was supposed to be scanning it got stuck. So I had to restart. NOW, when I restarted, my computer went into a bootloop and would not start up - it shows the Windows XP Professional logo and then, when that disappears, it acts as though it is about to give me the login screen but nothing. So, I know you said that with any problems etc. come to you first: I wasn't going to try and fix/do it on my own etc.
     
  11. lemowill

    lemowill TS Enthusiast Topic Starter Posts: 126

    I've got the system to get into safe mode but only without network support. Nothing when trying to start normally - even if using last known good config. I can however get into the recovery console. But what should I do next? When in safe mode however, I tried the steps you gave but everything still sticks/doesn't finish/work. What do you suggest I do?
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please see if you can run the following:

    Please download MBRCheck and save to your desktop
    • Double click on MBRCheck.exe to run. (Vista and Windows 7 users will have to confirm the UAC prompt)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      [o] Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      [o] Found non-standard or infected MBR.
      [o] Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Paste this log to your next message.
    ===========================================
    Follow with download of Farbar Service Scanner
    • Check Include all files option
    • Press the Scan button
    • Log named FSS.txt will be created in the same directory as the tool
    • Please paste the log into your next reply
     
  13. lemowill

    lemowill TS Enthusiast Topic Starter Posts: 126

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000011d

    Kernel Drivers (total 73):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EE000 \WINDOWS\system32\hal.dll
    0xF8CB8000 \WINDOWS\system32\KDCOM.DLL
    0xF8BC8000 \WINDOWS\system32\BOOTVID.dll
    0xF8697000 spua.sys
    0xF8CBA000 \WINDOWS\System32\Drivers\WMILIB.SYS
    0xF867F000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
    0xF8651000 ACPI.sys
    0xF8640000 pci.sys
    0xF87B8000 isapnp.sys
    0xF8D80000 pciide.sys
    0xF8A38000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    0xF87C8000 MountMgr.sys
    0xF8621000 ftdisk.sys
    0xF8CBC000 dmload.sys
    0xF85FB000 dmio.sys
    0xF8A40000 PartMgr.sys
    0xF87D8000 VolSnap.sys
    0xF85E3000 atapi.sys
    0xF87E8000 disk.sys
    0xF87F8000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    0xF85C3000 fltmgr.sys
    0xF85B1000 sr.sys
    0xF859A000 KSecDD.sys
    0xF850D000 Ntfs.sys
    0xF84E0000 NDIS.sys
    0xF84B2000 aswNdis2.sys
    0xF8CBE000 aswNdis.sys
    0xF8498000 Mup.sys
    0xF8B10000 \SystemRoot\System32\DRIVERS\usbuhci.sys
    0xF841B000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
    0xF8B40000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF8B50000 \SystemRoot\System32\DRIVERS\fdc.sys
    0xF88C8000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xF88D8000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xF83F8000 \SystemRoot\System32\DRIVERS\ks.sys
    0xF83C1000 \SystemRoot\System32\Drivers\ajdmtotn.SYS
    0xF8391000 \SystemRoot\System32\DRIVERS\rdpdr.sys
    0xF88E8000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xF8AE8000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xF8AF8000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xF8CCC000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xF8333000 \SystemRoot\System32\DRIVERS\update.sys
    0xF8C74000 \SystemRoot\System32\DRIVERS\mssmbios.sys
    0xF88F8000 \SystemRoot\System32\DRIVERS\usbhub.sys
    0xF8CD0000 \SystemRoot\System32\DRIVERS\USBD.SYS
    0xF8B98000 \SystemRoot\System32\DRIVERS\flpydisk.sys
    0xF8CD4000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF8E94000 \SystemRoot\System32\Drivers\Null.SYS
    0xF8CD8000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF8BB8000 \SystemRoot\System32\drivers\vga.sys
    0xF82F7000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0xF8A68000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF8A78000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF844B000 \SystemRoot\System32\DRIVERS\hidusb.sys
    0xF8938000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
    0xF8BB0000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
    0xF843F000 \SystemRoot\System32\DRIVERS\mouhid.sys
    0xF8C50000 \SystemRoot\System32\DRIVERS\kbdhid.sys
    0xF8948000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xF8297000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF8CE6000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF8C8C000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF8B60000 \SystemRoot\System32\watchdog.sys
    0xBF9C4000 \SystemRoot\System32\drivers\dxg.sys
    0xF8E54000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBFF50000 \SystemRoot\System32\framebuf.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xF7DF5000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xF8B00000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0x7C900000 \WINDOWS\system32\ntdll.dll
    0x10000000 \Program Files\DAEMON Tools Lite\daemon.dll

    Processes (total 12):
    0 System Idle Process
    4 System
    168 C:\WINDOWS\system32\smss.exe
    216 csrss.exe
    240 C:\WINDOWS\system32\winlogon.exe
    284 C:\WINDOWS\system32\services.exe
    296 C:\WINDOWS\system32\lsass.exe
    452 C:\WINDOWS\system32\svchost.exe
    512 svchost.exe
    572 C:\WINDOWS\system32\svchost.exe
    564 C:\WINDOWS\explorer.exe
    948 C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\E: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (FAT32)

    PhysicalDrive0 Model Number: Maxtor6E040L0, Rev: NAR61590
    PhysicalDrive1 Model Number: SeagateFreeAgent Go, Rev: 0148

    Size Device Name MBR Status
    --------------------------------------------
    37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    298 GB \\.\PhysicalDrive1 RE: Unknown MBR code
    SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
     
  14. lemowill

    lemowill TS Enthusiast Topic Starter Posts: 126

    Farbar Service Scanner Version: 18-01-2012 01
    Ran by Administrator (administrator) on 26-01-2012 at 17:35:13
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Minimal
    ****************************************************************

    Internet Services:
    ============
    Dnscache Service is not running. Checking service configuration:
    The start type of Dnscache service is OK.
    The ImagePath of Dnscache service is OK.
    The ServiceDll of Dnscache service is OK.

    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    afd Service is not running. Checking service configuration:
    The start type of afd service is OK.
    The ImagePath of afd service is OK.

    NetBt Service is not running. Checking service configuration:
    The start type of NetBt service is OK.
    The ImagePath of NetBt service is OK.

    Tcpip Service is not running. Checking service configuration:
    The start type of Tcpip service is OK.
    The ImagePath of Tcpip service is OK.

    IpSec Service is not running. Checking service configuration:
    The start type of IpSec service is OK.
    The ImagePath of IpSec service is OK.


    Connection Status:
    ==============
    Localhost is blocked.
    LAN connected.
    Attempt to access Google IP returned error: Other errors
    Attempt to access Yahoo IP returend error: Other errors


    Windows Firewall:
    =============
    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is OK.
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.

    netman Service is not running. Checking service configuration:
    The start type of netman service is OK.
    The ImagePath of netman service is OK.
    The ServiceDll of netman service is OK.


    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is OK.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.


    Windows Update:
    ===========
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

    BITS Service is not running. Checking service configuration:
    The start type of BITS service is set to Demand. The default start type is Auto.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS: "C:\WINDOWS\system32\qmgr.dll".

    EventSystem Service is not running. Checking service configuration:
    The start type of EventSystem service is OK.
    The ImagePath of EventSystem: "C:\WINDOWS\System32\svchost.exe -k netsvcs".
    The ServiceDll of EventSystem: "C:\WINDOWS\System32\es.dll".


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys
    [2001-08-23 07:00] - [2008-04-13 14:21] - 0162816 ____A () 789A8DBC7919AAC537CA5DB5255894A5

    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit

    Extra List:
    =======
    aswFW(11) aswTdi(10) AvgTdiX(86) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) Tcpip6(9)
    0x0C00000005000000010000000200000003000000040000000B0000000A0000000900000056000000060000000700000008000000
    IpSec Tag value is correct.

    **** End of log ****
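    Reading this log by hand, the lines a helper looks for are the services reported as not running, start types that differ from the default, and File Check entries that are not followed by "=> MD5 is legit" (here netbt.sys, the same driver Avast and TDSSKiller flagged). The script below is an added example, not part of this thread or of Farbar's tool: it parses a constructed excerpt in the same FSS log format and reports those three things; the regexes, class names and the sample excerpt are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt in Farbar Service Scanner (FSS) log format, trimmed to
# the line types this parser handles. The netbt.sys entry and its MD5 are the
# values that appear in the thread's own FSS logs.
SAMPLE_FSS_LOG = r"""Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is OK.
The ImagePath of NetBt service is OK.

Windows Update:
===========
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS: "C:\WINDOWS\system32\qmgr.dll".

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2001-08-23 07:00] - [2008-04-13 14:21] - 0162816 ____A () 789A8DBC7919AAC537CA5DB5255894A5

C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit

**** End of log ****
"""

# One regex per FSS line type the triage cares about.
NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
START_TYPE_CHANGED = re.compile(
    r"^The start type of (\S+) service is set to (\w+)\. "
    r"The default start type is (\w+)\.")
PATH_NOT_CONFIRMED = re.compile(r'^The (ImagePath|ServiceDll) of (\S+): "(.*)"\.')
LEGIT_FILE = re.compile(r"^\S.*? => MD5 is legit$")
FILE_PATH = re.compile(r"^[A-Za-z]:\\\S")
FILE_DETAIL = re.compile(
    r"^\[(.+?)\] - \[(.+?)\] - (\d+) (\S+) \((.*?)\) ([0-9A-Fa-f]{32})$")


@dataclass(frozen=True)
class Finding:
    kind: str     # "service" or "file"
    subject: str  # service name or file path
    detail: str


@dataclass
class TriageResult:
    stopped_services: list[str] = field(default_factory=list)
    findings: list[Finding] = field(default_factory=list)


def triage_fss(text: str) -> TriageResult:
    """Walk an FSS log and collect the entries a helper would act on."""
    result = TriageResult()
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if m := NOT_RUNNING.match(line):
            result.stopped_services.append(m.group(1))
        elif m := START_TYPE_CHANGED.match(line):
            result.findings.append(Finding(
                "service", m.group(1),
                f"start type is {m.group(2)}, default is {m.group(3)}"))
        elif m := PATH_NOT_CONFIRMED.match(line):
            # FSS prints the literal path when it is not the expected default.
            result.findings.append(Finding(
                "service", m.group(2),
                f"{m.group(1)} not confirmed as default: {m.group(3)}"))
        elif LEGIT_FILE.match(line):
            pass  # hash matched a known-good build of the file
        elif FILE_PATH.match(line):
            # No "=> MD5 is legit" verdict: FSS instead prints the file's
            # timestamps, size, attributes and MD5 on the following line.
            md5 = "unknown"
            if i + 1 < len(lines) and (d := FILE_DETAIL.match(lines[i + 1])):
                md5 = d.group(6).upper()
                i += 1
            result.findings.append(Finding(
                "file", line, f"MD5 not recognised as legit: {md5}"))
        i += 1
    return result


def unverified_files(result: TriageResult) -> dict[str, str]:
    """Map each file lacking a 'legit' verdict to the MD5 FSS printed for it."""
    return {f.subject: f.detail.rsplit(" ", 1)[1]
            for f in result.findings if f.kind == "file"}


if __name__ == "__main__":
    r = triage_fss(SAMPLE_FSS_LOG)
    print("stopped services:", ", ".join(r.stopped_services))
    for f in r.findings:
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```

    A file listed without "MD5 is legit" is not proof of infection on its own (FSS only knows a fixed set of good hashes), but for a driver a rootkit is known to patch, it is the line to compare against a clean copy.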
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry for delay.

    Reset TCPIP:
    1. Click on Start> Run> type in cmd> Enter

    2. At the command prompt> copy/paste (or type) the following command: (observe all spacing)

    Code:
    netsh int ip reset c:\resetlog.txt
    and then press ENTER

    3. Reboot the computer
    4. Run the Farbar scan again and post log.
    ================================================
    Bootkit Remover:

    Download Bootkit Remover.zip and save to your desktop.
    1. Extract the boot cleaner.exe file from the RAR using a program capable of extracting compressed files. (Use 7-Zip if you don't have an extraction program.)
    2. Double-click on the boot cleaner.exe file to run the program.
      (Vista/7 users, right click on remover.exe and click Run As Administrator.)
    3. You will see a black screen with data
    4. Right click on the screen and click Select All.
    5. Press CTRL+C
    6. Open a Notepad and press CTRL+V
    7. Paste the output in your next reply.
    =====================================
    Then run the following:
    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:

    Code:
    @ECHO OFF
    REM The program name contains a space, so it must be quoted; START then
    REM needs an explicit (empty) window title, or it takes the quoted name as the title.
    START "" "boot cleaner.exe" fix \\.\PhysicalDrive1
    EXIT

    • Go FILE > SAVE AS and in the drop down box select SAVE AS TYPE to ALL FILES
    • In the FILE NAME box type fix.bat.
    • Save fix.bat to your Desktop.
    • Double click on fix.bat to run.
      You may see a black box appear; this is normal.
    • When done, run remover.exe again and post its output.

    When done, run boot cleaner.exe again and post its output.
     
  16. lemowill

    lemowill TS Enthusiast Topic Starter Posts: 126

    Followed the instructions but I do not think that it worked... :|... It had to all be done in safe mode as the computer is still stuck in a bootloop if attempting to boot normally. Logs and outputs below:

    Farbar Service Scanner Version: 18-01-2012 01
    Ran by Administrator (administrator) on 05-02-2012 at 00:28:22
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Minimal
    ****************************************************************

    Internet Services:
    ============
    Dnscache Service is not running. Checking service configuration:
    The start type of Dnscache service is OK.
    The ImagePath of Dnscache service is OK.
    The ServiceDll of Dnscache service is OK.

    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    afd Service is not running. Checking service configuration:
    The start type of afd service is OK.
    The ImagePath of afd service is OK.

    NetBt Service is not running. Checking service configuration:
    The start type of NetBt service is OK.
    The ImagePath of NetBt service is OK.

    Tcpip Service is not running. Checking service configuration:
    The start type of Tcpip service is OK.
    The ImagePath of Tcpip service is OK.

    IpSec Service is not running. Checking service configuration:
    The start type of IpSec service is OK.
    The ImagePath of IpSec service is OK.


    Connection Status:
    ==============
    Localhost is blocked.
    LAN connected.
    Attempt to access Google IP returned error: Other errors
    Attempt to access Yahoo IP returend error: Other errors


    Windows Firewall:
    =============
    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is OK.
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.

    netman Service is not running. Checking service configuration:
    The start type of netman service is OK.
    The ImagePath of netman service is OK.
    The ServiceDll of netman service is OK.


    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    The start type of wscsvc service is OK.
    The ImagePath of wscsvc service is OK.
    The ServiceDll of wscsvc service is OK.


    Windows Update:
    ===========
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

    BITS Service is not running. Checking service configuration:
    The start type of BITS service is set to Demand. The default start type is Auto.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS: "C:\WINDOWS\system32\qmgr.dll".

    EventSystem Service is not running. Checking service configuration:
    The start type of EventSystem service is OK.
    The ImagePath of EventSystem: "C:\WINDOWS\System32\svchost.exe -k netsvcs".
    The ServiceDll of EventSystem: "C:\WINDOWS\System32\es.dll".


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys
    [2001-08-23 07:00] - [2008-04-13 14:21] - 0162816 ____A () 789A8DBC7919AAC537CA5DB5255894A5

    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit

    Extra List:
    =======
    aswFW(11) aswTdi(10) AvgTdiX(86) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) Tcpip6(9)
    0x0C00000005000000010000000200000003000000040000000B0000000A0000000900000056000000060000000700000008000000
    IpSec Tag value is correct.

    **** End of log ****


    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    37 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
     
  17. lemowill

    lemowill TS Enthusiast Topic Starter Posts: 126

    .\debug.cpp(238) : Debug log started at 05.02.2012 - 05:41:56
    .\boot_cleaner.cpp(527) : Bootkit Remover
    .\boot_cleaner.cpp(528) : (c) 2009 Esage Lab
    .\boot_cleaner.cpp(529) : www.esagelab.com
    .\boot_cleaner.cpp(533) : Program version: 1.2.0.1
    .\boot_cleaner.cpp(540) : OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    .\debug.cpp(248) : **********************************************
    .\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
    .\debug.cpp(250) : **********************************************
    .\debug.cpp(256) : 0x804d7000 0x00216a80 "\WINDOWS\system32\ntoskrnl.exe"
    .\debug.cpp(256) : 0x806ee000 0x00020300 "\WINDOWS\system32\hal.dll"
    .\debug.cpp(256) : 0xf8cb8000 0x00002000 "\WINDOWS\system32\KDCOM.DLL"
    .\debug.cpp(256) : 0xf8bc8000 0x00003000 "\WINDOWS\system32\BOOTVID.dll"
    .\debug.cpp(256) : 0xf8697000 0x00100000 "spuq.sys"
    .\debug.cpp(256) : 0xf8cba000 0x00002000 "\WINDOWS\System32\Drivers\WMILIB.SYS"
    .\debug.cpp(256) : 0xf867f000 0x00018000 "\WINDOWS\System32\Drivers\SCSIPORT.SYS"
    .\debug.cpp(256) : 0xf8651000 0x0002e000 "ACPI.sys"
    .\debug.cpp(256) : 0xf8640000 0x00011000 "pci.sys"
    .\debug.cpp(256) : 0xf87b8000 0x0000a000 "isapnp.sys"
    .\debug.cpp(256) : 0xf8d80000 0x00001000 "pciide.sys"
    .\debug.cpp(256) : 0xf8a38000 0x00007000 "\WINDOWS\System32\DRIVERS\PCIIDEX.SYS"
    .\debug.cpp(256) : 0xf87c8000 0x0000b000 "MountMgr.sys"
    .\debug.cpp(256) : 0xf8621000 0x0001f000 "ftdisk.sys"
    .\debug.cpp(256) : 0xf8cbc000 0x00002000 "dmload.sys"
    .\debug.cpp(256) : 0xf85fb000 0x00026000 "dmio.sys"
    .\debug.cpp(256) : 0xf8a40000 0x00005000 "PartMgr.sys"
    .\debug.cpp(256) : 0xf87d8000 0x0000d000 "VolSnap.sys"
    .\debug.cpp(256) : 0xf85e3000 0x00018000 "atapi.sys"
    .\debug.cpp(256) : 0xf87e8000 0x00009000 "disk.sys"
    .\debug.cpp(256) : 0xf87f8000 0x0000d000 "\WINDOWS\System32\DRIVERS\CLASSPNP.SYS"
    .\debug.cpp(256) : 0xf85c3000 0x00020000 "fltmgr.sys"
    .\debug.cpp(256) : 0xf85b1000 0x00012000 "sr.sys"
    .\debug.cpp(256) : 0xf859a000 0x00017000 "KSecDD.sys"
    .\debug.cpp(256) : 0xf850d000 0x0008d000 "Ntfs.sys"
    .\debug.cpp(256) : 0xf84e0000 0x0002d000 "NDIS.sys"
    .\debug.cpp(256) : 0xf84b2000 0x0002e000 "aswNdis2.sys"
    .\debug.cpp(256) : 0xf8cbe000 0x00002000 "aswNdis.sys"
    .\debug.cpp(256) : 0xf8498000 0x0001a000 "Mup.sys"
    .\debug.cpp(256) : 0xf8b10000 0x00006000 "\SystemRoot\System32\DRIVERS\usbuhci.sys"
    .\debug.cpp(256) : 0xf841b000 0x00024000 "\SystemRoot\System32\DRIVERS\USBPORT.SYS"
    .\debug.cpp(256) : 0xf8b40000 0x00008000 "\SystemRoot\system32\DRIVERS\usbehci.sys"
    .\debug.cpp(256) : 0xf8b50000 0x00007000 "\SystemRoot\System32\DRIVERS\fdc.sys"
    .\debug.cpp(256) : 0xf88c8000 0x00010000 "\SystemRoot\System32\DRIVERS\cdrom.sys"
    .\debug.cpp(256) : 0xf88d8000 0x0000f000 "\SystemRoot\System32\DRIVERS\redbook.sys"
    .\debug.cpp(256) : 0xf83f8000 0x00023000 "\SystemRoot\System32\DRIVERS\ks.sys"
    .\debug.cpp(256) : 0xf83c1000 0x00037000 "\SystemRoot\System32\Drivers\a4djpe76.SYS"
    .\debug.cpp(256) : 0xf8391000 0x00030000 "\SystemRoot\System32\DRIVERS\rdpdr.sys"
    .\debug.cpp(256) : 0xf88e8000 0x0000a000 "\SystemRoot\System32\DRIVERS\termdd.sys"
    .\debug.cpp(256) : 0xf8ae8000 0x00006000 "\SystemRoot\System32\DRIVERS\kbdclass.sys"
    .\debug.cpp(256) : 0xf8af8000 0x00006000 "\SystemRoot\System32\DRIVERS\mouclass.sys"
    .\debug.cpp(256) : 0xf8ccc000 0x00002000 "\SystemRoot\System32\DRIVERS\swenum.sys"
    .\debug.cpp(256) : 0xf8333000 0x0005e000 "\SystemRoot\System32\DRIVERS\update.sys"
    .\debug.cpp(256) : 0xf8c74000 0x00004000 "\SystemRoot\System32\DRIVERS\mssmbios.sys"
    .\debug.cpp(256) : 0xf88f8000 0x0000f000 "\SystemRoot\System32\DRIVERS\usbhub.sys"
    .\debug.cpp(256) : 0xf8cd0000 0x00002000 "\SystemRoot\System32\DRIVERS\USBD.SYS"
    .\debug.cpp(256) : 0xf8b98000 0x00005000 "\SystemRoot\System32\DRIVERS\flpydisk.sys"
    .\debug.cpp(256) : 0xf8cd4000 0x00002000 "\SystemRoot\System32\Drivers\Fs_Rec.SYS"
    .\debug.cpp(256) : 0xf8e94000 0x00001000 "\SystemRoot\System32\Drivers\Null.SYS"
    .\debug.cpp(256) : 0xf8cd8000 0x00002000 "\SystemRoot\System32\Drivers\Beep.SYS"
    .\debug.cpp(256) : 0xf8bb8000 0x00006000 "\SystemRoot\System32\drivers\vga.sys"
    .\debug.cpp(256) : 0xf82f7000 0x00014000 "\SystemRoot\System32\drivers\VIDEOPRT.SYS"
    .\debug.cpp(256) : 0xf8a68000 0x00005000 "\SystemRoot\System32\Drivers\Msfs.SYS"
    .\debug.cpp(256) : 0xf8a78000 0x00008000 "\SystemRoot\System32\Drivers\Npfs.SYS"
    .\debug.cpp(256) : 0xf8b70000 0x00007000 "\SystemRoot\system32\DRIVERS\USBSTOR.SYS"
    .\debug.cpp(256) : 0xf8447000 0x00003000 "\SystemRoot\System32\DRIVERS\hidusb.sys"
    .\debug.cpp(256) : 0xf8938000 0x00009000 "\SystemRoot\System32\DRIVERS\HIDCLASS.SYS"
    .\debug.cpp(256) : 0xf8ba8000 0x00007000 "\SystemRoot\System32\DRIVERS\HIDPARSE.SYS"
    .\debug.cpp(256) : 0xf843f000 0x00003000 "\SystemRoot\System32\DRIVERS\mouhid.sys"
    .\debug.cpp(256) : 0xf8c50000 0x00004000 "\SystemRoot\System32\DRIVERS\kbdhid.sys"
    .\debug.cpp(256) : 0xf8948000 0x00010000 "\SystemRoot\System32\Drivers\Cdfs.SYS"
    .\debug.cpp(256) : 0xf828b000 0x00024000 "\SystemRoot\System32\Drivers\Fastfat.SYS"
    .\debug.cpp(256) : 0xf8273000 0x00018000 "\SystemRoot\System32\Drivers\dump_atapi.sys"
    .\debug.cpp(256) : 0xf8ce6000 0x00002000 "\SystemRoot\System32\Drivers\dump_WMILIB.SYS"
    .\debug.cpp(256) : 0xbf800000 0x001c4000 "\SystemRoot\System32\win32k.sys"
    .\debug.cpp(256) : 0xf8c90000 0x00003000 "\SystemRoot\System32\drivers\Dxapi.sys"
    .\debug.cpp(256) : 0xf8bc0000 0x00005000 "\SystemRoot\System32\watchdog.sys"
    .\debug.cpp(256) : 0xbf9c4000 0x00012000 "\SystemRoot\System32\drivers\dxg.sys"
    .\debug.cpp(256) : 0xf8da7000 0x00001000 "\SystemRoot\System32\drivers\dxgthk.sys"
    .\debug.cpp(256) : 0xbff50000 0x00003000 "\SystemRoot\System32\framebuf.dll"
    .\debug.cpp(256) : 0xbffa0000 0x00046000 "\SystemRoot\System32\ATMFD.DLL"
    .\debug.cpp(256) : 0x7c900000 0x000b2000 "\WINDOWS\system32\ntdll.dll"
    .\debug.cpp(256) : 0x10000000 0x000a8000 "\Program Files\DAEMON Tools Lite\daemon.dll"
    .\debug.cpp(263) : **********************************************
    .\debug.cpp(307) : *** [ DEVICE OBJECTS INFORMATION ] ***********
    .\debug.cpp(308) : **********************************************
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY1"
    .\debug.cpp(400) : Destination "\Device\Video0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDIS"
    .\debug.cpp(400) : Destination "\Device\Ndis"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\D:"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmIoDaemon"
    .\debug.cpp(400) : Destination "\Device\DmControl\DmIoDaemon"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{71985f4a-1ca1-11d3-9cc8-00c04f7971e0}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ffbb6e3f-ccfe-4d84-90d9-421418b03a8e}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#Disk&Ven_Seagate&Prod_FreeAgent_Go&Rev_0148#2GE7C1LB&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000078"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_413c&Pid_2003#6&26724aba&0&0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\0000007a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCSI#CdRom&Ven_ERSZAV&Prod_WPYR4D2N856Z&Rev_1.03#5&36e5972&0&000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Scsi\a4djpe761Port2Path0Target0Lun0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\E:"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9aa4a2cc-81e0-4cfd-802f-0f74526d2bd3}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&1ffc0696&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\RdpDrDvMgr"
    .\debug.cpp(400) : Destination "\Device\RdpDrDvMgr"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{fd0a5af4-b41d-11d2-9c95-00c04f7971e0}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3c0d501a-140b-11d1-b40f-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{6b56bd6e-f8ae-11db-a72f-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0461&Pid_4d15#5&2879f961&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WMIDataDevice"
    .\debug.cpp(400) : Destination "\Device\WMIDataDevice"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{dff220f3-f70f-11d0-b917-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0bc2&Pid_2120#2GE7C1LB#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{2eb07ea0-7e70-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PIPE"
    .\debug.cpp(400) : Destination "\Device\NamedPipe"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{0a4252a0-7e70-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\UNC"
    .\debug.cpp(400) : Destination "\Device\Mup"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgrMsg"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgrMsg"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD0"
    .\debug.cpp(400) : Destination "\Device\USBFDO-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_24CD&SUBSYS_02671014&REV_01#3&61aaa01&0&EF#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0005"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{f9239048-41a4-11e1-9729-9f6d871c1634}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD1"
    .\debug.cpp(400) : Destination "\Device\USBFDO-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive0"
    .\debug.cpp(400) : Destination "\Device\Harddisk0\DR0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{53172480-4791-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{cf1dda2c-9743-11d0-a3ee-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD2"
    .\debug.cpp(400) : Destination "\Device\USBFDO-2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PRN"
    .\debug.cpp(400) : Destination "\DosDevices\LPT1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{5634e750-bfbc-11df-879a-000d603fefad}"
    .\debug.cpp(400) : Destination "\Device\CdRom1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom0"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{97ebaacb-95bd-11d0-a3ea-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD3"
    .\debug.cpp(400) : Destination "\Device\USBFDO-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHL-DT-ST_CD-ROM_GCR-8482B_______________1.02____#5&130ca3eb&0&0.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive1"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DR2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom1"
    .\debug.cpp(400) : Destination "\Device\CdRom1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Global"
    .\debug.cpp(400) : Destination "\GLOBAL??"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#FixedButton#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\0000004f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\I:"
    .\debug.cpp(400) : Destination "\Device\CdRom1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_24C2&SUBSYS_02671014&REV_01#3&61aaa01&0&E8#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9ea331fa-b91b-45f8-9285-bd2bc77afcde}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad809c00-7b88-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3e227e76-690d-11d2-8161-0000f8775bf1}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNPA000#4&5d18f2df&0#{2accfe60-c130-11d2-b082-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000051"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{07dad660-22f1-11d1-a9f4-00c04fbbde8f}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHL-DT-ST_CD-ROM_GCR-8482B_______________1.02____#5&130ca3eb&0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_413c&Pid_2003#6&26724aba&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\0000007a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MountPointManager"
    .\debug.cpp(400) : Destination "\Device\MountPointManager"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmConfig"
    .\debug.cpp(400) : Destination "\Device\DmControl\DmConfig"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&SignatureA4B57300Offset7E00Length4A85AD0400#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#ftdisk#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000004"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmTrace"
    .\debug.cpp(400) : Destination "\Device\DmControl\DmTrace"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&38d47588&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_24C7&SUBSYS_02671014&REV_01#3&61aaa01&0&EA#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0004"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\A:"
    .\debug.cpp(400) : Destination "\Device\Floppy0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#dmio#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{bf963d80-c559-11d0-8a2b-00a0c9255ac1}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&3167e447&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi0:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_0461&Pid_4d15#6&22f3b98d&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\00000079"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_413c&Pid_2003#5&2879f961&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&SignatureA8000000Offset7E00Length951230400#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{4747b320-62ce-11cf-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_24C4&SUBSYS_02671014&REV_01#3&61aaa01&0&E9#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0003"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB20#4&18090371&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCSI#CdRom&Ven_ERSZAV&Prod_WPYR4D2N856Z&Rev_1.03#5&36e5972&0&000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Scsi\a4djpe761Port2Path0Target0Lun0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{24ede842-f8b2-11db-a8d4-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\Floppy0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FDC#GENERIC_FLOPPY_DRIVE#6&2f814c26&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\FloppyPDO0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmLoader"
    .\debug.cpp(400) : Destination "\Device\DmLoader"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{a7c7a5b1-5af3-11d1-9ced-00a024bf0407}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi1:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#DiskMaxtor_6E040L0__________________________NAR61590#314532324a4d4558202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP0T0L0-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{24ede843-f8b2-11db-a8d4-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0C#3&61aaa01&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000052"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FtControl"
    .\debug.cpp(400) : Destination "\Device\FtControl"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgr"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgr"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#ThermalZone#THM0#{4afa3d51-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\0000004e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AUX"
    .\debug.cpp(400) : Destination "\DosDevices\COM1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MAILSLOT"
    .\debug.cpp(400) : Destination "\Device\MailSlot"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT"
    .\debug.cpp(400) : Destination ""
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NUL"
    .\debug.cpp(400) : Destination "\Device\Null"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi2:"
    .\debug.cpp(400) : Destination "\Device\Scsi\a4djpe761"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_0461&Pid_4d15#6&22f3b98d&0&0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000079"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000040"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmInfo"
    .\debug.cpp(400) : Destination "\Device\DmControl\DmInfo"
    .\debug.cpp(409) : --
    .\debug.cpp(453) : **********************************************
    .\boot_cleaner.cpp(565) : System volume is \\.\C:
    .\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    .\boot_cleaner.cpp(793) : Restoring boot code at \\.\PhysicalDrive1...
    .\diskio.cpp(204) : ATA_Read(): DeviceIoControl() ERROR 50
    .\boot_cleaner.cpp(910) : ERROR: Can't read first sector of the disk.
    .\boot_cleaner.cpp(1152) : Done;
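The Bootkit Remover debug log above is long, and the useful signals are spread across two sections: the loaded-module list, where boot-start drivers appear by bare name, and the symbolic-link table, which ties drive letters, PhysicalDriveN names and volume device names together. The following is an added triage script, not code from the thread or from Esage Lab. SAMPLE_LOG is a subset of lines copied from the posted log; XP_INBOX_BOOT is this editor's list of the Windows XP boot-start modules that ship with the OS and that the tool lists without a path. The script flags bare-name modules outside that list (on the posted lines that is spuq.sys, aswNdis2.sys and aswNdis.sys; the two asw* entries carry avast's vendor prefix, spuq.sys is the one with no vendor prefix and a 1 MiB image that a responder would look up), resolves the links, and checks the "\\.\C: -> \\.\PhysicalDrive0 at offset 0x7e00" line against the STORAGE#Volume link name that carries the same offset.

```python
"""Triage helpers for a Bootkit Remover debug log (the post above).

Added example, not code from the thread or from Esage Lab. SAMPLE_LOG is a
subset of lines copied from the posted log; XP_INBOX_BOOT is this editor's
list of the Windows XP boot-start modules that the tool lists by bare name.
"""
import re

# Constructed from the posted log: a few module lines and symbolic links.
SAMPLE_LOG = r'''
.\debug.cpp(256) : 0x804d7000 0x00216a80 "\WINDOWS\system32\ntoskrnl.exe"
.\debug.cpp(256) : 0xf8697000 0x00100000 "spuq.sys"
.\debug.cpp(256) : 0xf8651000 0x0002e000 "ACPI.sys"
.\debug.cpp(256) : 0xf85e3000 0x00018000 "atapi.sys"
.\debug.cpp(256) : 0xf850d000 0x0008d000 "Ntfs.sys"
.\debug.cpp(256) : 0xf84b2000 0x0002e000 "aswNdis2.sys"
.\debug.cpp(256) : 0xf8cbe000 0x00002000 "aswNdis.sys"
.\debug.cpp(256) : 0xf83c1000 0x00037000 "\SystemRoot\System32\Drivers\a4djpe76.SYS"
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\E:"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive0"
.\debug.cpp(400) : Destination "\Device\Harddisk0\DR0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive1"
.\debug.cpp(400) : Destination "\Device\Harddisk1\DR2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&SignatureA8000000Offset7E00Length951230400#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&SignatureA4B57300Offset7E00Length4A85AD0400#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT"
.\debug.cpp(400) : Destination ""
.\debug.cpp(409) : --
'''

MODULE_RE = re.compile(r'\(256\) : (0x[0-9a-fA-F]+) (0x[0-9a-fA-F]+) "([^"]+)"')
LINK_RE = re.compile(r'SymbolicLink "([^"]*)"')
DEST_RE = re.compile(r'Destination "([^"]*)"')
VOLUME_RE = re.compile(r'Signature([0-9A-Fa-f]+)Offset([0-9A-Fa-f]+)Length([0-9A-Fa-f]+)')

# Editor's list (assumption): in-box XP boot-start modules, lower-cased.
XP_INBOX_BOOT = frozenset({
    "ntoskrnl.exe", "hal.dll", "kdcom.dll", "bootvid.dll", "wmilib.sys",
    "scsiport.sys", "acpi.sys", "pci.sys", "isapnp.sys", "pciide.sys",
    "pciidex.sys", "mountmgr.sys", "ftdisk.sys", "dmload.sys", "dmio.sys",
    "partmgr.sys", "volsnap.sys", "atapi.sys", "disk.sys", "classpnp.sys",
    "fltmgr.sys", "sr.sys", "ksecdd.sys", "ntfs.sys", "ndis.sys", "mup.sys",
})


def parse_modules(log):
    """[LOADED MODULES] lines -> [(base, size, name), ...] with ints."""
    return [(int(b, 16), int(s, 16), n) for b, s, n in MODULE_RE.findall(log)]


def unexpected_boot_drivers(mods):
    """Bare-name (boot-start) modules outside the in-box list -> [(name, size)]."""
    return [(n, s) for _, s, n in mods
            if "\\" not in n and n.lower() not in XP_INBOX_BOOT]


def parse_symlinks(log):
    """SymbolicLink/Destination pairs -> {link: destination}."""
    links, pending = {}, None
    for line in log.splitlines():
        m = LINK_RE.search(line)
        if m:
            pending = m.group(1)
            continue
        m = DEST_RE.search(line)
        if m and pending is not None:
            links[pending] = m.group(1)
            pending = None
    return links


def volume_geometry(links):
    """STORAGE#Volume link names -> {device: {signature, offset, length}} (ints)."""
    geo = {}
    for link, dest in links.items():
        m = VOLUME_RE.search(link)
        if m:
            sig, off, length = (int(x, 16) for x in m.groups())
            geo[dest] = {"signature": sig, "offset": off, "length": length}
    return geo


def check_system_volume(links, drive, reported_offset):
    """Does the drive letter's volume start where boot_cleaner says it does?"""
    dest = links[r"\GLOBAL??\%s" % drive]
    return volume_geometry(links)[dest]["offset"] == reported_offset


if __name__ == "__main__":
    mods = parse_modules(SAMPLE_LOG)
    for name, size in unexpected_boot_drivers(mods):
        print("bare-name module not in-box: %-14s %#x bytes" % (name, size))
    links = parse_symlinks(SAMPLE_LOG)
    for dev, g in volume_geometry(links).items():
        print("%s: offset %#x, %.1f GiB" % (dev, g["offset"], g["length"] / 2**30))
    print("C: offset matches 0x7e00:", check_system_volume(links, "C:", 0x7E00))
```

Two things the log itself supports and the script makes visible: HarddiskVolume1 (C:) starts at 0x7E00 with a length of about 37 GiB, matching the "37 GB \\.\PhysicalDrive0" line of the earlier run, and the failed "Restoring boot code" step was aimed at \\.\PhysicalDrive1, not at the system disk \\.\PhysicalDrive0 that C: resolves to. Win32 error 50 is ERROR_NOT_SUPPORTED, so the ATA_Read failure says the second disk did not accept the tool's ATA request; it says nothing about the state of the boot sector on PhysicalDrive0.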
     
  18. lemowill

    lemowill TS Enthusiast Topic Starter Posts: 126

    .\debug.cpp(238) : Debug log started at 05.02.2012 - 05:41:56
    .\boot_cleaner.cpp(527) : Bootkit Remover
    .\boot_cleaner.cpp(528) : (c) 2009 Esage Lab
    .\boot_cleaner.cpp(529) : www.esagelab.com
    .\boot_cleaner.cpp(533) : Program version: 1.2.0.1
    .\boot_cleaner.cpp(540) : OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    .\debug.cpp(248) : **********************************************
    .\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
    .\debug.cpp(250) : **********************************************
    .\debug.cpp(256) : 0x804d7000 0x00216a80 "\WINDOWS\system32\ntoskrnl.exe"
    .\debug.cpp(256) : 0x806ee000 0x00020300 "\WINDOWS\system32\hal.dll"
    .\debug.cpp(256) : 0xf8cb8000 0x00002000 "\WINDOWS\system32\KDCOM.DLL"
    .\debug.cpp(256) : 0xf8bc8000 0x00003000 "\WINDOWS\system32\BOOTVID.dll"
    .\debug.cpp(256) : 0xf8697000 0x00100000 "spuq.sys"
    .\debug.cpp(256) : 0xf8cba000 0x00002000 "\WINDOWS\System32\Drivers\WMILIB.SYS"
    .\debug.cpp(256) : 0xf867f000 0x00018000 "\WINDOWS\System32\Drivers\SCSIPORT.SYS"
    .\debug.cpp(256) : 0xf8651000 0x0002e000 "ACPI.sys"
    .\debug.cpp(256) : 0xf8640000 0x00011000 "pci.sys"
    .\debug.cpp(256) : 0xf87b8000 0x0000a000 "isapnp.sys"
    .\debug.cpp(256) : 0xf8d80000 0x00001000 "pciide.sys"
    .\debug.cpp(256) : 0xf8a38000 0x00007000 "\WINDOWS\System32\DRIVERS\PCIIDEX.SYS"
    .\debug.cpp(256) : 0xf87c8000 0x0000b000 "MountMgr.sys"
    .\debug.cpp(256) : 0xf8621000 0x0001f000 "ftdisk.sys"
    .\debug.cpp(256) : 0xf8cbc000 0x00002000 "dmload.sys"
    .\debug.cpp(256) : 0xf85fb000 0x00026000 "dmio.sys"
    .\debug.cpp(256) : 0xf8a40000 0x00005000 "PartMgr.sys"
    .\debug.cpp(256) : 0xf87d8000 0x0000d000 "VolSnap.sys"
    .\debug.cpp(256) : 0xf85e3000 0x00018000 "atapi.sys"
    .\debug.cpp(256) : 0xf87e8000 0x00009000 "disk.sys"
    .\debug.cpp(256) : 0xf87f8000 0x0000d000 "\WINDOWS\System32\DRIVERS\CLASSPNP.SYS"
    .\debug.cpp(256) : 0xf85c3000 0x00020000 "fltmgr.sys"
    .\debug.cpp(256) : 0xf85b1000 0x00012000 "sr.sys"
    .\debug.cpp(256) : 0xf859a000 0x00017000 "KSecDD.sys"
    .\debug.cpp(256) : 0xf850d000 0x0008d000 "Ntfs.sys"
    .\debug.cpp(256) : 0xf84e0000 0x0002d000 "NDIS.sys"
    .\debug.cpp(256) : 0xf84b2000 0x0002e000 "aswNdis2.sys"
    .\debug.cpp(256) : 0xf8cbe000 0x00002000 "aswNdis.sys"
    .\debug.cpp(256) : 0xf8498000 0x0001a000 "Mup.sys"
    .\debug.cpp(256) : 0xf8b10000 0x00006000 "\SystemRoot\System32\DRIVERS\usbuhci.sys"
    .\debug.cpp(256) : 0xf841b000 0x00024000 "\SystemRoot\System32\DRIVERS\USBPORT.SYS"
    .\debug.cpp(256) : 0xf8b40000 0x00008000 "\SystemRoot\system32\DRIVERS\usbehci.sys"
    .\debug.cpp(256) : 0xf8b50000 0x00007000 "\SystemRoot\System32\DRIVERS\fdc.sys"
    .\debug.cpp(256) : 0xf88c8000 0x00010000 "\SystemRoot\System32\DRIVERS\cdrom.sys"
    .\debug.cpp(256) : 0xf88d8000 0x0000f000 "\SystemRoot\System32\DRIVERS\redbook.sys"
    .\debug.cpp(256) : 0xf83f8000 0x00023000 "\SystemRoot\System32\DRIVERS\ks.sys"
    .\debug.cpp(256) : 0xf83c1000 0x00037000 "\SystemRoot\System32\Drivers\a4djpe76.SYS"
    .\debug.cpp(256) : 0xf8391000 0x00030000 "\SystemRoot\System32\DRIVERS\rdpdr.sys"
    .\debug.cpp(256) : 0xf88e8000 0x0000a000 "\SystemRoot\System32\DRIVERS\termdd.sys"
    .\debug.cpp(256) : 0xf8ae8000 0x00006000 "\SystemRoot\System32\DRIVERS\kbdclass.sys"
    .\debug.cpp(256) : 0xf8af8000 0x00006000 "\SystemRoot\System32\DRIVERS\mouclass.sys"
    .\debug.cpp(256) : 0xf8ccc000 0x00002000 "\SystemRoot\System32\DRIVERS\swenum.sys"
    .\debug.cpp(256) : 0xf8333000 0x0005e000 "\SystemRoot\System32\DRIVERS\update.sys"
    .\debug.cpp(256) : 0xf8c74000 0x00004000 "\SystemRoot\System32\DRIVERS\mssmbios.sys"
    .\debug.cpp(256) : 0xf88f8000 0x0000f000 "\SystemRoot\System32\DRIVERS\usbhub.sys"
    .\debug.cpp(256) : 0xf8cd0000 0x00002000 "\SystemRoot\System32\DRIVERS\USBD.SYS"
    .\debug.cpp(256) : 0xf8b98000 0x00005000 "\SystemRoot\System32\DRIVERS\flpydisk.sys"
    .\debug.cpp(256) : 0xf8cd4000 0x00002000 "\SystemRoot\System32\Drivers\Fs_Rec.SYS"
    .\debug.cpp(256) : 0xf8e94000 0x00001000 "\SystemRoot\System32\Drivers\Null.SYS"
    .\debug.cpp(256) : 0xf8cd8000 0x00002000 "\SystemRoot\System32\Drivers\Beep.SYS"
    .\debug.cpp(256) : 0xf8bb8000 0x00006000 "\SystemRoot\System32\drivers\vga.sys"
    .\debug.cpp(256) : 0xf82f7000 0x00014000 "\SystemRoot\System32\drivers\VIDEOPRT.SYS"
    .\debug.cpp(256) : 0xf8a68000 0x00005000 "\SystemRoot\System32\Drivers\Msfs.SYS"
    .\debug.cpp(256) : 0xf8a78000 0x00008000 "\SystemRoot\System32\Drivers\Npfs.SYS"
    .\debug.cpp(256) : 0xf8b70000 0x00007000 "\SystemRoot\system32\DRIVERS\USBSTOR.SYS"
    .\debug.cpp(256) : 0xf8447000 0x00003000 "\SystemRoot\System32\DRIVERS\hidusb.sys"
    .\debug.cpp(256) : 0xf8938000 0x00009000 "\SystemRoot\System32\DRIVERS\HIDCLASS.SYS"
    .\debug.cpp(256) : 0xf8ba8000 0x00007000 "\SystemRoot\System32\DRIVERS\HIDPARSE.SYS"
    .\debug.cpp(256) : 0xf843f000 0x00003000 "\SystemRoot\System32\DRIVERS\mouhid.sys"
    .\debug.cpp(256) : 0xf8c50000 0x00004000 "\SystemRoot\System32\DRIVERS\kbdhid.sys"
    .\debug.cpp(256) : 0xf8948000 0x00010000 "\SystemRoot\System32\Drivers\Cdfs.SYS"
    .\debug.cpp(256) : 0xf828b000 0x00024000 "\SystemRoot\System32\Drivers\Fastfat.SYS"
    .\debug.cpp(256) : 0xf8273000 0x00018000 "\SystemRoot\System32\Drivers\dump_atapi.sys"
    .\debug.cpp(256) : 0xf8ce6000 0x00002000 "\SystemRoot\System32\Drivers\dump_WMILIB.SYS"
    .\debug.cpp(256) : 0xbf800000 0x001c4000 "\SystemRoot\System32\win32k.sys"
    .\debug.cpp(256) : 0xf8c90000 0x00003000 "\SystemRoot\System32\drivers\Dxapi.sys"
    .\debug.cpp(256) : 0xf8bc0000 0x00005000 "\SystemRoot\System32\watchdog.sys"
    .\debug.cpp(256) : 0xbf9c4000 0x00012000 "\SystemRoot\System32\drivers\dxg.sys"
    .\debug.cpp(256) : 0xf8da7000 0x00001000 "\SystemRoot\System32\drivers\dxgthk.sys"
    .\debug.cpp(256) : 0xbff50000 0x00003000 "\SystemRoot\System32\framebuf.dll"
    .\debug.cpp(256) : 0xbffa0000 0x00046000 "\SystemRoot\System32\ATMFD.DLL"
    .\debug.cpp(256) : 0x7c900000 0x000b2000 "\WINDOWS\system32\ntdll.dll"
    .\debug.cpp(256) : 0x10000000 0x000a8000 "\Program Files\DAEMON Tools Lite\daemon.dll"
    .\debug.cpp(263) : **********************************************
    .\debug.cpp(307) : *** [ DEVICE OBJECTS INFORMATION ] ***********
    .\debug.cpp(308) : **********************************************
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY1"
    .\debug.cpp(400) : Destination "\Device\Video0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDIS"
    .\debug.cpp(400) : Destination "\Device\Ndis"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\D:"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmIoDaemon"
    .\debug.cpp(400) : Destination "\Device\DmControl\DmIoDaemon"
    .\debug.cpp(409) : --
    .\debug.cpp(453) : **********************************************
    .\boot_cleaner.cpp(565) : System volume is \\.\C:
    .\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    .\boot_cleaner.cpp(793) : Restoring boot code at \\.\PhysicalDrive1...
    .\diskio.cpp(204) : ATA_Read(): DeviceIoControl() ERROR 50
    .\boot_cleaner.cpp(910) : ERROR: Can't read first sector of the disk.
    .\boot_cleaner.cpp(1152) : Done;
     
  19. lemowill

    lemowill TS Enthusiast Topic Starter Posts: 126

    .\debug.cpp(238) : Debug log started at 05.02.2012 - 05:43:15
    .\boot_cleaner.cpp(527) : Bootkit Remover
    .\boot_cleaner.cpp(528) : (c) 2009 Esage Lab
    .\boot_cleaner.cpp(529) : www.esagelab.com
    .\boot_cleaner.cpp(533) : Program version: 1.2.0.1
    .\boot_cleaner.cpp(540) : OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    .\debug.cpp(248) : **********************************************
    .\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
    .\debug.cpp(250) : **********************************************
    .\debug.cpp(256) : 0x804d7000 0x00216a80 "\WINDOWS\system32\ntoskrnl.exe"
    .\debug.cpp(256) : 0x806ee000 0x00020300 "\WINDOWS\system32\hal.dll"
    .\debug.cpp(256) : 0xf8cb8000 0x00002000 "\WINDOWS\system32\KDCOM.DLL"
    .\debug.cpp(256) : 0xf8bc8000 0x00003000 "\WINDOWS\system32\BOOTVID.dll"
    .\debug.cpp(256) : 0xf8697000 0x00100000 "spuq.sys"
    .\debug.cpp(256) : 0xf8cba000 0x00002000 "\WINDOWS\System32\Drivers\WMILIB.SYS"
    .\debug.cpp(256) : 0xf867f000 0x00018000 "\WINDOWS\System32\Drivers\SCSIPORT.SYS"
    .\debug.cpp(256) : 0xf8651000 0x0002e000 "ACPI.sys"
    .\debug.cpp(256) : 0xf8640000 0x00011000 "pci.sys"
    .\debug.cpp(256) : 0xf87b8000 0x0000a000 "isapnp.sys"
    .\debug.cpp(256) : 0xf8d80000 0x00001000 "pciide.sys"
    .\debug.cpp(256) : 0xf8a38000 0x00007000 "\WINDOWS\System32\DRIVERS\PCIIDEX.SYS"
    .\debug.cpp(256) : 0xf87c8000 0x0000b000 "MountMgr.sys"
    .\debug.cpp(256) : 0xf8621000 0x0001f000 "ftdisk.sys"
    .\debug.cpp(256) : 0xf8cbc000 0x00002000 "dmload.sys"
    .\debug.cpp(256) : 0xf85fb000 0x00026000 "dmio.sys"
    .\debug.cpp(256) : 0xf8a40000 0x00005000 "PartMgr.sys"
    .\debug.cpp(256) : 0xf87d8000 0x0000d000 "VolSnap.sys"
    .\debug.cpp(256) : 0xf85e3000 0x00018000 "atapi.sys"
    .\debug.cpp(256) : 0xf87e8000 0x00009000 "disk.sys"
    .\debug.cpp(256) : 0xf87f8000 0x0000d000 "\WINDOWS\System32\DRIVERS\CLASSPNP.SYS"
    .\debug.cpp(256) : 0xf85c3000 0x00020000 "fltmgr.sys"
    .\debug.cpp(256) : 0xf85b1000 0x00012000 "sr.sys"
    .\debug.cpp(256) : 0xf859a000 0x00017000 "KSecDD.sys"
    .\debug.cpp(256) : 0xf850d000 0x0008d000 "Ntfs.sys"
    .\debug.cpp(256) : 0xf84e0000 0x0002d000 "NDIS.sys"
    .\debug.cpp(256) : 0xf84b2000 0x0002e000 "aswNdis2.sys"
    .\debug.cpp(256) : 0xf8cbe000 0x00002000 "aswNdis.sys"
    .\debug.cpp(256) : 0xf8498000 0x0001a000 "Mup.sys"
    .\debug.cpp(256) : 0xf8b10000 0x00006000 "\SystemRoot\System32\DRIVERS\usbuhci.sys"
    .\debug.cpp(256) : 0xf841b000 0x00024000 "\SystemRoot\System32\DRIVERS\USBPORT.SYS"
    .\debug.cpp(256) : 0xf8b40000 0x00008000 "\SystemRoot\system32\DRIVERS\usbehci.sys"
    .\debug.cpp(256) : 0xf8b50000 0x00007000 "\SystemRoot\System32\DRIVERS\fdc.sys"
    .\debug.cpp(256) : 0xf88c8000 0x00010000 "\SystemRoot\System32\DRIVERS\cdrom.sys"
    .\debug.cpp(256) : 0xf88d8000 0x0000f000 "\SystemRoot\System32\DRIVERS\redbook.sys"
    .\debug.cpp(256) : 0xf83f8000 0x00023000 "\SystemRoot\System32\DRIVERS\ks.sys"
    .\debug.cpp(256) : 0xf83c1000 0x00037000 "\SystemRoot\System32\Drivers\a4djpe76.SYS"
    .\debug.cpp(256) : 0xf8391000 0x00030000 "\SystemRoot\System32\DRIVERS\rdpdr.sys"
    .\debug.cpp(256) : 0xf88e8000 0x0000a000 "\SystemRoot\System32\DRIVERS\termdd.sys"
    .\debug.cpp(256) : 0xf8ae8000 0x00006000 "\SystemRoot\System32\DRIVERS\kbdclass.sys"
    .\debug.cpp(256) : 0xf8af8000 0x00006000 "\SystemRoot\System32\DRIVERS\mouclass.sys"
    .\debug.cpp(256) : 0xf8ccc000 0x00002000 "\SystemRoot\System32\DRIVERS\swenum.sys"
    .\debug.cpp(256) : 0xf8333000 0x0005e000 "\SystemRoot\System32\DRIVERS\update.sys"
    .\debug.cpp(256) : 0xf8c74000 0x00004000 "\SystemRoot\System32\DRIVERS\mssmbios.sys"
    .\debug.cpp(256) : 0xf88f8000 0x0000f000 "\SystemRoot\System32\DRIVERS\usbhub.sys"
    .\debug.cpp(256) : 0xf8cd0000 0x00002000 "\SystemRoot\System32\DRIVERS\USBD.SYS"
    .\debug.cpp(256) : 0xf8b98000 0x00005000 "\SystemRoot\System32\DRIVERS\flpydisk.sys"
    .\debug.cpp(256) : 0xf8cd4000 0x00002000 "\SystemRoot\System32\Drivers\Fs_Rec.SYS"
    .\debug.cpp(256) : 0xf8e94000 0x00001000 "\SystemRoot\System32\Drivers\Null.SYS"
    .\debug.cpp(256) : 0xf8cd8000 0x00002000 "\SystemRoot\System32\Drivers\Beep.SYS"
    .\debug.cpp(256) : 0xf8bb8000 0x00006000 "\SystemRoot\System32\drivers\vga.sys"
    .\debug.cpp(256) : 0xf82f7000 0x00014000 "\SystemRoot\System32\drivers\VIDEOPRT.SYS"
    .\debug.cpp(256) : 0xf8a68000 0x00005000 "\SystemRoot\System32\Drivers\Msfs.SYS"
    .\debug.cpp(256) : 0xf8a78000 0x00008000 "\SystemRoot\System32\Drivers\Npfs.SYS"
    .\debug.cpp(256) : 0xf8b70000 0x00007000 "\SystemRoot\system32\DRIVERS\USBSTOR.SYS"
    .\debug.cpp(256) : 0xf8447000 0x00003000 "\SystemRoot\System32\DRIVERS\hidusb.sys"
    .\debug.cpp(256) : 0xf8938000 0x00009000 "\SystemRoot\System32\DRIVERS\HIDCLASS.SYS"
    .\debug.cpp(256) : 0xf8ba8000 0x00007000 "\SystemRoot\System32\DRIVERS\HIDPARSE.SYS"
    .\debug.cpp(256) : 0xf843f000 0x00003000 "\SystemRoot\System32\DRIVERS\mouhid.sys"
    .\debug.cpp(256) : 0xf8c50000 0x00004000 "\SystemRoot\System32\DRIVERS\kbdhid.sys"
    .\debug.cpp(256) : 0xf8948000 0x00010000 "\SystemRoot\System32\Drivers\Cdfs.SYS"
    .\debug.cpp(256) : 0xf828b000 0x00024000 "\SystemRoot\System32\Drivers\Fastfat.SYS"
    .\debug.cpp(256) : 0xf8273000 0x00018000 "\SystemRoot\System32\Drivers\dump_atapi.sys"
    .\debug.cpp(256) : 0xf8ce6000 0x00002000 "\SystemRoot\System32\Drivers\dump_WMILIB.SYS"
    .\debug.cpp(256) : 0xbf800000 0x001c4000 "\SystemRoot\System32\win32k.sys"
    .\debug.cpp(256) : 0xf8c90000 0x00003000 "\SystemRoot\System32\drivers\Dxapi.sys"
    .\debug.cpp(256) : 0xf8bc0000 0x00005000 "\SystemRoot\System32\watchdog.sys"
    .\debug.cpp(256) : 0xbf9c4000 0x00012000 "\SystemRoot\System32\drivers\dxg.sys"
    .\debug.cpp(256) : 0xf8da7000 0x00001000 "\SystemRoot\System32\drivers\dxgthk.sys"
    .\debug.cpp(256) : 0xbff50000 0x00003000 "\SystemRoot\System32\framebuf.dll"
    .\debug.cpp(256) : 0xbffa0000 0x00046000 "\SystemRoot\System32\ATMFD.DLL"
    .\debug.cpp(256) : 0x7c900000 0x000b2000 "\WINDOWS\system32\ntdll.dll"
    .\debug.cpp(256) : 0x10000000 0x000a8000 "\Program Files\DAEMON Tools Lite\daemon.dll"
    .\debug.cpp(263) : **********************************************
    .\debug.cpp(307) : *** [ DEVICE OBJECTS INFORMATION ] ***********
    .\debug.cpp(308) : **********************************************
    .\debug.cpp(400) : Destination "\Device\Floppy0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FDC#GENERIC_FLOPPY_DRIVE#6&2f814c26&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\FloppyPDO0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmLoader"
    .\debug.cpp(400) : Destination "\Device\DmLoader"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{a7c7a5b1-5af3-11d1-9ced-00a024bf0407}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi1:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#DiskMaxtor_6E040L0__________________________NAR61590#314532324a4d4558202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP0T0L0-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{24ede843-f8b2-11db-a8d4-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0C#3&61aaa01&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000052"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FtControl"
    .\debug.cpp(400) : Destination "\Device\FtControl"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgr"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgr"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#ThermalZone#THM0#{4afa3d51-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\0000004e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AUX"
    .\debug.cpp(400) : Destination "\DosDevices\COM1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MAILSLOT"
    .\debug.cpp(400) : Destination "\Device\MailSlot"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT"
    .\debug.cpp(400) : Destination ""
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NUL"
    .\debug.cpp(400) : Destination "\Device\Null"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi2:"
    .\debug.cpp(400) : Destination "\Device\Scsi\a4djpe761"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_0461&Pid_4d15#6&22f3b98d&0&0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000079"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000040"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmInfo"
    .\debug.cpp(400) : Destination "\Device\DmControl\DmInfo"
    .\debug.cpp(409) : --
    .\debug.cpp(453) : **********************************************
    .\boot_cleaner.cpp(565) : System volume is \\.\C:
    .\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    .\boot_cleaner.cpp(276) : Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd
    .\boot_cleaner.cpp(1061) :
    .\boot_cleaner.cpp(1062) : Size Device Name MBR Status
    .\boot_cleaner.cpp(1063) : --------------------------------------------
    .\boot_cleaner.cpp(1107) : 37 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
    .\boot_cleaner.cpp(1113) :
    .\boot_cleaner.cpp(1152) : Done;
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I didn't need the debug file. Please try the following as listed:

    The reset command is available in the IP context of the NetShell utility. Follow these steps to use the reset command to reset TCP/IP manually:
    1. To open a command prompt: Click Start> Run> type cmd> Enter
    2. At the command prompt: copy and paste (or type) the following command and then press ENTER:
    Code:
          netsh int ip reset c:\resetlog.txt
    Note: If you do not want to specify a directory path for the log file, use the following command:
    netsh int ip reset resetlog.txt
    3. Reboot the computer.

    Check for connectivity.
    ====================================
    Regarding your first post about netbt: "Regardless of removal attempts" Tell me what you did in these attempts.

    What happens here:
    Boot into Safe Mode with Networking
    • Restart your computer and start pressing the F8 key on your keyboard.

    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, and then press ENTER.
    =====================================
    Are you downloading these scans to a flash drive then connecting to the problem computer?

    Have you tried to run Combofix?
    ======================================
    If the reset command didn't work, please do the following:

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    For 64bit: http://jpshortstuff.247fixes.com/SystemLook_x64.exe
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
      sptd.*
      NetBT.*
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  21. lemowill

    lemowill TS Enthusiast Topic Starter Posts: 126

    Ok, I reset it again using the command you gave. Then I restarted. It would not load into Safe Mode with Networking - it sticks on the start-up screen before the dialog box pops up to acknowledge that it is operating in Safe Mode. The computer only works/loads all the way up if it is booted into just plain Safe Mode.

    As for removal attempts, I used HijackThis, Avast normal and boot scan, Spybot, Malwarebytes, Ad-Aware, CleanUp!, AVG, CCleaner, Microsoft Malware Removal Tool, online PC-cillin scans. Those were a while ago and I just got accustomed to using it and gave up 'til I found this tech board.

    Yes, because I cannot download them on the computer anymore, I use a USB drive and place the items on the desktop to run. I tried running Combofix several times and it was after the first run that the computer went into a boot loop. Combofix stuck even though I touched nothing each time. It got the Recovery Console installed though, and then when it started to run, it stuck after a while.

    The SystemLook log is below:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 19:03 on 06/02/2012 by Administrator
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "sptd.*"
    C:\WINDOWS\system32\drivers\sptd.sys --a---- 717296 bytes [04:51 14/09/2010] [04:51 14/09/2010] (Unable to calculate MD5)

    Searching for "NetBT.*"
    C:\WINDOWS\$NtServicePackUninstall$\netbt.sys -----c- 162816 bytes [01:54 15/08/2010] [03:14 04/08/2004] 0C80E410CD2F47134407EE7DD19CC86B
    C:\WINDOWS\ServicePackFiles\i386\netbt.sys ------- 162816 bytes [17:20 03/05/2007] [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
    C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\netbt.sys --a---- 162816 bytes [20:01 31/08/2009] [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
    C:\WINDOWS\system32\drivers\netbt.sys --a---- 162816 bytes [12:00 23/08/2001] [19:21 13/04/2008] 789A8DBC7919AAC537CA5DB5255894A5

    -= EOF =-
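The SystemLook output above lists four copies of netbt.sys with the same size and three different MD5 values; reading such logs by hand is error-prone. The following is an added example in Python (not code from the thread or from SystemLook's author) that parses the ':filefind' result lines and rates every copy of a driver against the copy under ServicePackFiles, the service pack's installed reference; the sample input is the log posted above, and treating the $NtServicePackUninstall$ copy as an expected older version is this example's own assumption.

```python
# Added example (not from the thread): parse SystemLook ':filefind' result lines and flag
# driver copies whose MD5 differs from the ServicePackFiles copy, the OS-installed reference.
import re
from collections import defaultdict

# <path> <attrs> <size> bytes [<created>] [<modified>] <MD5 or "(Unable to calculate MD5)">
LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
                     r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+"
                     r"(?P<md5>[0-9A-Fa-f]{32}|\([^)]*\))$")

def parse_filefind(log_text):
    # One dict per result line; 'Searching for', EOF and blank lines do not match.
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            if not re.fullmatch(r"[0-9A-Fa-f]{32}", rec["md5"]):
                rec["md5"] = None  # SystemLook could not read/hash the file
            records.append(rec)
    return records

def _status(c, ref):
    if c["md5"] is None:
        return "unreadable"
    if ref is None:
        return "no-reference"
    if c is ref:
        return "reference"
    if "$ntservicepackuninstall$" in c["path"].lower():
        return "older-backup"  # assumption: pre-SP copy kept for uninstall, expected to differ
    if c["md5"].lower() == ref["md5"].lower():
        return "match"
    return "MISMATCH"  # same file name as the reference copy, different hash

def classify_copies(records):
    # Group copies by file name and rate each one against its ServicePackFiles copy.
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec["path"].rsplit("\\", 1)[-1].lower()].append(rec)
    result = {}
    for name, copies in by_name.items():
        ref = next((c for c in copies if "\\servicepackfiles\\" in c["path"].lower()), None)
        result[name] = [(c["path"], _status(c, ref)) for c in copies]
    return result

# Sample input: the result lines from the SystemLook log posted above.
SAMPLE_LOG = """\
C:\\WINDOWS\\system32\\drivers\\sptd.sys --a---- 717296 bytes [04:51 14/09/2010] [04:51 14/09/2010] (Unable to calculate MD5)
C:\\WINDOWS\\$NtServicePackUninstall$\\netbt.sys -----c- 162816 bytes [01:54 15/08/2010] [03:14 04/08/2004] 0C80E410CD2F47134407EE7DD19CC86B
C:\\WINDOWS\\ServicePackFiles\\i386\\netbt.sys ------- 162816 bytes [17:20 03/05/2007] [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\\WINDOWS\\SoftwareDistribution\\Download\\9866fb57abdc0ea2f5d4e132d055ba4e\\netbt.sys --a---- 162816 bytes [20:01 31/08/2009] [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\\WINDOWS\\system32\\drivers\\netbt.sys --a---- 162816 bytes [12:00 23/08/2001] [19:21 13/04/2008] 789A8DBC7919AAC537CA5DB5255894A5
"""
```

Running `classify_copies(parse_filefind(SAMPLE_LOG))` rates the in-use C:\WINDOWS\system32\drivers\netbt.sys as MISMATCH and the sptd.sys entry as unreadable; a mismatch only says the copies differ, so the next step is comparing the file against a known-good copy, not deleting it.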
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please note: I will be Offline on Wednesday, 2/8 and Thursday, 2/9. When I return on Friday, 2/10, I will pick up the oldest threads first.
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Hard to know which is going to get you going! Is the system still as it was in our last exchange- loop?

    When you ran the MBR Check, it showed this:
    ---------------------------------------
    The unknown MBR code was on the external hard drive/USB drive and that's what I wrote the fix for. Did you have that connected when you ran the fix?
     
  24. lemowill

    lemowill TS Enthusiast Topic Starter Posts: 126

    Yeah, it is still in a loop but loads into Safe Mode without network support only. Yeah, I had the drive connected and it still said the same thing. Here is the output below:

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Restoring boot code at \\.\PhysicalDrive1...
    ATA_Read(): DeviceIoControl() ERROR 50
    ERROR: Can't read first sector of the disk.

    Done;
    Press any key to quit...
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Boot into Safe Mode- just plain Safe Mode is fine
    Click on Start> Run> type in services.msc> Enter> find each of the Services below and set Startup Type to Automatic and Start the Service:

    1. Dnscache
    2. Dhcp
    3. Tcpip
    4. IpSec
    5. sharedaccess
    6. netman
    Note: When you open each Service to change startup, click on the Dependencies tab. Look at the top box for 'services that this service needs to run'>>> Make sure that any Services this one depends on to run are also on either Automatic or Manual.

    If you need help finding the Service names, go to Black Viper's site:
    http://www.blackviper.com/2008/05/1...32-bit-service-pack-3-service-configurations/ and scroll down to the chart with the Services.
    ==========================
    Reboot the Computer.
    ==========================
    We need to get Combofix running so I can move some files. I'd like you to go ahead and uninstall what you have, then download again following this in the exact order:
    NOTE: If, for some reason, Combofix refuses to run, try one of the following:
    1. Run Combofix from Safe Mode. If it won't run, go on to #2.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to friday.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    3. See which one of the following runs. You do not need to download all three versions:
    This is a slight variation on the RKill:
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, add the following:

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan.
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
    (Directions courtesy bleeping computer)

    4. With both RKill and exehelper on board:
    Go right to the renamed (Combofix) and double click on friday.exe to run
    If it won't run in Normal Mode, run BOTH tools from safe mode, then try the double click on friday.exe to run.

    If successful, please leave RKill, Exehelper and Combofix logs.
    ====================================
    Please run System Look once more> this is the driver we're looking for:
    Code:
    :filefind
    afd.*
    
     
