Redirected Google search results

Solved
By austevo
May 22, 2011
  1. Feeling out of my depth, but I'll have a go. Had a trojan fake alert etc. and thought I had everything clean, but I still have this Google redirect thing going on.
    I tried the 7-step removal and have the results below.
    Ran AVG internet security 2011 full system scan, no errors
    Ran a quick scan with Malwarebytes' Anti-malware.
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5651

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    1/02/2011 1:56:46 PM
    mbam-log-2011-02-01 (13-56-46).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 196386
    Time elapsed: 42 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\Owner\Desktop\.url (Malware.Trace) -> Quarantined and deleted successfully.

    Downloaded and ran GMER.
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-05-19.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 14/10/2005 10:12:08 AM
    System Uptime: 22/05/2011 1:52:44 PM (3 hours ago)
    .
    Motherboard: Intel Corporation | | D945GCZ
    Processor: Intel(R) Pentium(R) D CPU 2.80GHz | | 2800/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 298 GiB total, 172.349 GiB free.
    E: is CDROM ()
    G: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\18F0EA4902700
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\18F0EA4902700
    Service: NIC1394
    .
    ==== System Restore Points ===================
    .
    RP1: 22/05/2011 1:55:07 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    .
    Ad-Aware
    Adobe Flash Player 10 ActiveX
    Adobe Reader 8.2.6
    Adobe Shockwave Player 11.5
    Apple Software Update
    AVG 2011
    AVS Update Manager 1.0
    AVS Video Converter 7
    AVS4YOU Software Navigator 1.4
    Canon Easy-PhotoPrint EX
    Canon Easy-WebPrint EX
    Canon Inkjet Printer/Scanner/Fax Extended Survey Program
    Canon MG5100 series MP Drivers
    Canon MP Navigator EX 4.0
    Canon My Printer
    Canon Solution Menu EX
    Compatibility Pack for the 2007 Office system
    CoreAVC Professional Edition (remove only)
    Creative EAX Settings
    Creative Speaker Settings
    Critical Update for Windows Media Player 11 (KB959772)
    Delta Force: Xtreme - Demo
    Deutz Engine
    Device Control
    Device drivers for Simple Backup
    FrostWire 4.21.3
    Garden Composer
    Google Earth
    Google Update Helper
    Haali Media Splitter
    High Definition Audio Driver Package - KB835221
    HijackThis 2.0.2
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    hp deskjet 930c series (Remove only)
    HP Precisionscan Pro 3.1
    HP Product Detection
    HP Share-to-Web
    Intel Matrix Storage Manager
    Intel(R) Network Connections 14.0.40.0
    Java Auto Updater
    Java(TM) 6 Update 25
    LightScribe 1.4.136.1
    LimeWire PRO 4.8.1
    Malwarebytes' Anti-Malware
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MSN
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MyVirtualHome
    Nero 7 Essentials
    neroxml
    NVIDIA Display Control Panel
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    Piolet 3.1.1
    PowerDVD
    PrintFolder 1.3
    Scattergories
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    System Requirements Lab
    System Requirements Lab for Intel
    The Britannica Trivia Challenge Ver. 2.0
    TomTom HOME 2.8.2.2264
    TomTom HOME Visual Studio Merge Modules
    Update for Windows Internet Explorer 8 (KB971930)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebFldrs XP
    Windows Defender Signatures
    Windows Driver Package - 2Wire (2WIREPCP) Net (09/18/2002 1.4.0.5)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage v1.3.0254.0
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live OneCare safety scanner
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    XP Registry Cleaner 2.0
    Xvid 1.1.3 final uninstall
    .
    ==== Event Viewer Messages From Past Week ========
    .
    22/05/2011 11:34:27 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm
    21/05/2011 8:51:54 AM, error: DCOM [10000] - Unable to start a DCOM Server: {FB7199AB-79BF-11D2-8D94-0000F875C541}. The error: "%2" Happened while starting this command: C:\Program Files\Messenger\msmsgs.exe -Embedding
    21/05/2011 5:47:02 AM, error: Service Control Manager [7024] - The AVG8 WatchDog service terminated with service-specific error 3758161981 (0xE001003D).
    21/05/2011 5:47:02 AM, error: Service Control Manager [7001] - The AVG8 E-mail Scanner service depends on the AVG8 WatchDog service which failed to start because of the following error: The service has returned a service-specific error code.
    21/05/2011 10:05:20 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    20/05/2011 7:57:47 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    20/05/2011 7:57:26 AM, error: Microsoft Antimalware [2001] -
    20/05/2011 7:57:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    20/05/2011 7:50:53 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    20/05/2011 7:33:14 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm MpFilter
    19/05/2011 5:35:39 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    19/05/2011 5:35:20 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
    19/05/2011 5:35:20 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    19/05/2011 5:35:20 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    19/05/2011 5:35:20 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    19/05/2011 5:35:20 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    19/05/2011 5:14:18 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Defender service, but this action failed with the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    19/05/2011 5:14:18 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Microsoft Antimalware Service service, but this action failed with the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    19/05/2011 5:14:13 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Lavasoft Ad-Aware Service service to connect.
    19/05/2011 5:14:13 PM, error: Service Control Manager [7000] - The Lavasoft Ad-Aware Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    19/05/2011 5:14:08 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    19/05/2011 5:14:04 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    19/05/2011 5:14:03 PM, error: Service Control Manager [7034] - The TomTomHOMEService service terminated unexpectedly. It has done this 1 time(s).
    19/05/2011 5:14:03 PM, error: Service Control Manager [7034] - The PLFlash DeviceIoControl Service service terminated unexpectedly. It has done this 1 time(s).
    19/05/2011 5:14:03 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    19/05/2011 5:14:03 PM, error: Service Control Manager [7034] - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s).
    19/05/2011 5:14:03 PM, error: Service Control Manager [7034] - The Intel(R) Matrix Storage Event Monitor service terminated unexpectedly. It has done this 1 time(s).
    19/05/2011 5:14:03 PM, error: Service Control Manager [7034] - The Canon Inkjet Printer/Scanner/Fax Extended Survey Program service terminated unexpectedly. It has done this 1 time(s).
    19/05/2011 5:14:03 PM, error: Service Control Manager [7031] - The Windows Defender service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
    19/05/2011 5:14:03 PM, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
    19/05/2011 5:14:03 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    19/05/2011 5:14:03 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    19/05/2011 5:14:03 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    .
    ==== End Of File ===========================
    Downloaded and ran DDS by sUBs.
    .
    DDS (Ver_11-05-19.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Owner at 15:59:46 on 2011-05-22
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.1532.394 [GMT 10:00]
    .
    AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: AVG Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
    C:\WINDOWS\system32\ctfmon.exe
    svchost.exe
    C:\Program Files\AVG\AVG10\avgfws.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files\AVG\AVG10\avgam.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Owner\Desktop\dds.scr
    C:\WINDOWS\system32\WSCRIPT.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.google.com.au/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = localhost
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
    uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
    mRun: [CanonSolutionMenuEx] c:\program files\canon\solution menu ex\CNSEMAIN.EXE /logon
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_6.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
    DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1287952087359
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
    DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.16.0.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-5-22 64512]
    R1 AvgLdx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2008-6-5 248656]
    R1 AvgMfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2007-2-23 34896]
    R1 AvgTdiX;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2008-6-5 297168]
    R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2011-3-9 2708024]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-4-29 2151128]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-4-22 92592]
    R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]
    S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe --> c:\progra~1\avg\avg8\avgemc.exe [?]
    S2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-5 297752]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-4 135664]
    S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2005-10-14 20160]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-4 135664]
    .
    =============== Created Last 30 ================
    .
    2011-05-22 00:19:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-05-21 21:51:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-21 21:51:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-21 16:58:12 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-05-21 14:43:28 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-05-21 14:39:49 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
    2011-05-21 14:39:49 8704 ----a-w- c:\windows\system32\kbdjpn.dll
    2011-05-21 14:39:49 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
    2011-05-21 14:39:49 8192 ----a-w- c:\windows\system32\kbdkor.dll
    2011-05-21 14:39:49 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
    2011-05-21 14:39:49 6144 ----a-w- c:\windows\system32\kbd101c.dll
    2011-05-21 14:39:49 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
    2011-05-21 14:39:49 5632 ----a-w- c:\windows\system32\kbd103.dll
    2011-05-21 14:39:44 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
    2011-05-21 14:39:44 6144 ----a-w- c:\windows\system32\kbd101b.dll
    2011-05-21 14:39:43 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
    2011-05-21 14:39:43 6144 ----a-w- c:\windows\system32\kbd106.dll
    2011-05-21 14:37:17 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2011-05-21 14:12:29 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-05-21 14:12:29 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-05-21 12:33:49 -------- d-----w- c:\program files\Microsoft Security Client
    2011-05-21 02:06:39 -------- d-----w- c:\windows\system32\XPToolsLicenseComponent
    2011-05-21 02:06:39 -------- d-----w- c:\program files\XP Registry Cleaner
    2011-05-21 00:43:20 -------- d-----w- c:\documents and settings\owner\application data\ErrorTeck
    2011-05-19 22:29:30 -------- d-----w- c:\documents and settings\owner\application data\AVG10
    2011-05-19 22:28:54 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
    2011-05-19 22:27:46 -------- d-----w- c:\documents and settings\all users\application data\AVG10
    2011-05-19 22:20:12 -------- d-----w- c:\documents and settings\all users\application data\MFAData
    2011-05-18 21:14:15 4282 ----a-w- c:\windows\exovaxesakor.dll
    2011-05-18 07:31:52 0 ----a-w- c:\windows\Xxuheqewipe.bin
    2011-05-18 07:31:51 -------- d-----w- c:\documents and settings\owner\local settings\application data\{ED8AAFA6-C412-4A49-9204-2EB1EB9A225C}
    2011-05-18 07:30:36 -------- d-----w- c:\documents and settings\owner\application data\1C0EE86A5538D0F0BF8AEF7F1DDA08D3
    .
    ==================== Find3M ====================
    .
    2011-05-22 00:19:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-04-14 11:28:42 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
    2011-04-04 14:59:56 297168 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2011-03-16 06:03:20 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
    2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
    2011-02-21 22:13:02 22992 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
    .
    ============= FINISH: 16:00:54.60 ===============

    I would've taken the PC to the local bloke, as my knowledge of computers is limited, especially in here, but he shut down his shop last month; small town. Thanks in advance, any help is much appreciated.
    P.S. AVG while in safe mode found: Rootkit. TDSS.TDL4
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Welcome to TechSpot! Considering that you have 3 versions of AVG running, the system is probably confused as to which one to use!

    This is what shows in the log heading:
    AV: AVG Internet Security 2011
    These are just 2 of the processes you have running from older versions:
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG10\avgchsvx.exe

    Please go to Add/Remove Programs and remove AVG v8 and AVG v10. Then reboot the computer.
    --------------------------------------------
    Did you run GMER? Log?
    ====================================
    I'd like you to run Combofix, and you will have to uninstall AVG to do it. The AVG authors didn't leave any way to disable the program to run a malware scan:
    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A selection screen will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:
    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version
    =============================
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    ---------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message confirming this:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =======================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the download link to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the ESET Smart Installer on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ================================
    Please leave all logs in next reply.
    ==================================
    Regarding the following:
    1. HijackThis 2.0.2>> Uninstall, outdated version.
    2. LimeWire PRO 4.8.1>> File sharing security danger to system. Recommend uninstall. If kept, disable and don't use while I'm helping you.
    3. XP Registry Cleaner 2.0>> Advise uninstall. We don't recommend registry cleaners to anyone. If kept, do not use and/or make any registry changes while I'm helping you. (If any changes in registry are needed, I will set them up for you using script, not regedit)
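
    Bobbye's diagnosis above comes from reading the DDS "SERVICES / DRIVERS" section by eye: AVG services installed from two different product folders (avg8 and avg10), and an `S2` entry whose executable DDS marks as gone with `--> path [?]`. The script below is an added example, not code from this thread, from DDS or from TechSpot, that automates those two checks so a helper can triage a pasted log quickly. The sample lines are constructed to mirror the layout of the log in post 1; every function and variable name is my own assumption, as is the rule that AVG keeps each product generation under its own `avg<N>` folder (true of the paths shown in the log).

```python
import re

# Constructed sample in the layout of a DDS "SERVICES / DRIVERS" section
# (same fields as the thread's log: start type, service name, display name,
# image path, then either "[date size]" or "--> path [?]" when the file is gone).
SAMPLE_SERVICES = r"""
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-4-22 92592]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe --> c:\progra~1\avg\avg8\avgemc.exe [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-5 297752]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-4 135664]
"""

# "R" = running, "S" = stopped; the digit is the Windows start type.
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# DDS writes "<path> --> <path> [?]" when the registered image file cannot be found.
MISSING_RE = re.compile(r"^(?P<path>.+?)\s+-->\s+.+\[\?\]$")
PRESENT_RE = re.compile(r"^(?P<path>.+?)\s+\[(?P<stamp>[^\]]+)\]$")
# Assumption: AVG installs each product generation under its own avg<N> folder.
AVG_VERSION_RE = re.compile(r"\\avg\\avg(?P<ver>\d+)\\", re.IGNORECASE)


def parse_services(text):
    """Turn DDS service lines into dicts; lines that do not fit the layout are skipped."""
    entries = []
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        gone = MISSING_RE.match(rest)      # test this first: "[?]" also fits PRESENT_RE
        present = PRESENT_RE.match(rest)
        if gone:
            path, missing = gone.group("path"), True
        elif present:
            path, missing = present.group("path"), False
        else:
            path, missing = rest, False
        entries.append({"start": m.group("start"), "name": m.group("name"),
                        "display": m.group("display"), "path": path,
                        "binary_missing": missing})
    return entries


def missing_binary_services(entries):
    """Names of services whose registered executable is no longer on disk."""
    return [e["name"] for e in entries if e["binary_missing"]]


def avg_versions(entries):
    """Map each AVG generation folder (avg8, avg10, ...) to the services loaded from it."""
    versions = {}
    for e in entries:
        m = AVG_VERSION_RE.search(e["path"])
        if m:
            versions.setdefault(m.group("ver"), []).append(e["name"])
    return versions


def triage(text):
    """Return human-readable findings for the two conditions read off the services list."""
    entries = parse_services(text)
    findings = [f"service '{n}' is registered but its binary is missing"
                for n in missing_binary_services(entries)]
    versions = avg_versions(entries)
    if len(versions) > 1:
        listed = ", ".join(f"avg{v}: {', '.join(names)}"
                           for v, names in sorted(versions.items(), key=lambda kv: int(kv[0])))
        findings.append("AVG services from more than one product generation are installed (" + listed + ")")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SERVICES):
        print(finding)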
  3. austevo

    austevo Newcomer, in training Topic Starter Posts: 18

    Hello there Bobbye and thanks for your help.
    AVG 2011 was the only one in Add/Remove Programs.
    I have downloaded and used AppRemover to remove that one.
    I ran GMER again today.
    GMER 1.0.15.15627 - http://www.gmer.net
    Rootkit scan 2011-05-23 07:23:57
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 Intel___ rev.1.0.
    Running: 3q0o6ld8.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kftdipod.sys


    ---- System - GMER 1.0.15 ----

    SSDT A9300356 ZwCreateKey
    SSDT A930034C ZwCreateThread
    SSDT A930035B ZwDeleteKey
    SSDT A9300365 ZwDeleteValueKey
    SSDT A930036A ZwLoadKey
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xACC2C738]
    SSDT A930033D ZwOpenThread
    SSDT A9300374 ZwReplaceKey
    SSDT A930036F ZwRestoreKey
    SSDT A9300360 ZwSetValueKey
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xACC2C7DC]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xACC2C878]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xACC2C914]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB63323A0, 0x59FFE5, 0xE8000020]
    ? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[428] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C1000A
    .text C:\WINDOWS\Explorer.EXE[428] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C2000A
    .text C:\WINDOWS\Explorer.EXE[428] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C
    .text C:\WINDOWS\System32\svchost.exe[1496] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EB000A
    .text C:\WINDOWS\System32\svchost.exe[1496] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00EC000A
    .text C:\WINDOWS\System32\svchost.exe[1496] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00EA000C
    .text C:\WINDOWS\System32\svchost.exe[1496] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00A8000A
    .text C:\WINDOWS\System32\svchost.exe[1496] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 010C000A
    .text C:\WINDOWS\System32\svchost.exe[1496] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 010D000A
    .text C:\WINDOWS\System32\svchost.exe[1496] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00F4000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3744] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DD000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3744] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DE000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3744] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A3000C
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3744] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3744] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3744] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3744] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3744] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E50B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3744] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3744] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3744] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3744] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3744] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[3744] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- EOF - GMER 1.0.15 ----
    and
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-05-19.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 14/10/2005 10:12:08 AM
    System Uptime: 23/05/2011 4:21:41 AM (3 hours ago)
    .
    Motherboard: Intel Corporation | | D945GCZ
    Processor: Intel(R) Pentium(R) D CPU 2.80GHz | | 2800/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 298 GiB total, 171.98 GiB free.
    E: is CDROM ()
    G: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\18F0EA4902700
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\18F0EA4902700
    Service: NIC1394
    .
    ==== System Restore Points ===================
    .
    RP2: 23/05/2011 6:00:43 AM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    .
    Ad-Aware
    Adobe Flash Player 10 ActiveX
    Adobe Reader 8.2.6
    Adobe Shockwave Player 11.5
    Apple Software Update
    AVG 2011
    Avira AntiVir Personal - Free Antivirus
    AVS Update Manager 1.0
    AVS Video Converter 7
    AVS4YOU Software Navigator 1.4
    Canon Easy-PhotoPrint EX
    Canon Easy-WebPrint EX
    Canon Inkjet Printer/Scanner/Fax Extended Survey Program
    Canon MG5100 series MP Drivers
    Canon MP Navigator EX 4.0
    Canon My Printer
    Canon Solution Menu EX
    Compatibility Pack for the 2007 Office system
    CoreAVC Professional Edition (remove only)
    Creative EAX Settings
    Creative Speaker Settings
    Critical Update for Windows Media Player 11 (KB959772)
    Delta Force: Xtreme - Demo
    Deutz Engine
    Device Control
    Device drivers for Simple Backup
    FrostWire 4.21.3
    Garden Composer
    Google Earth
    Google Update Helper
    Haali Media Splitter
    High Definition Audio Driver Package - KB835221
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    hp deskjet 930c series (Remove only)
    HP Precisionscan Pro 3.1
    HP Product Detection
    HP Share-to-Web
    Intel Matrix Storage Manager
    Intel(R) Network Connections 14.0.40.0
    Java Auto Updater
    Java(TM) 6 Update 25
    LightScribe 1.4.136.1
    Malwarebytes' Anti-Malware
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MSN
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MyVirtualHome
    Nero 7 Essentials
    neroxml
    NVIDIA Display Control Panel
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    PowerDVD
    PrintFolder 1.3
    Scattergories
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    System Requirements Lab
    System Requirements Lab for Intel
    The Britannica Trivia Challenge Ver. 2.0
    TomTom HOME 2.8.2.2264
    TomTom HOME Visual Studio Merge Modules
    Update for Windows Internet Explorer 8 (KB971930)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebFldrs XP
    Windows Defender Signatures
    Windows Driver Package - 2Wire (2WIREPCP) Net (09/18/2002 1.4.0.5)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage v1.3.0254.0
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live OneCare safety scanner
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    Xvid 1.1.3 final uninstall
    .
    ==== Event Viewer Messages From Past Week ========
    .
    23/05/2011 3:21:48 AM, error: Service Control Manager [7003] - The AVG8 E-mail Scanner service depends on the following nonexistent service: avg8wd
    23/05/2011 3:21:48 AM, error: Service Control Manager [7000] - The AVGIDSAgent service failed to start due to the following error: The system cannot find the path specified.
    23/05/2011 3:21:48 AM, error: Service Control Manager [7000] - The AVG WatchDog service failed to start due to the following error: The system cannot find the file specified.
    23/05/2011 3:21:48 AM, error: Service Control Manager [7000] - The AVG Firewall service failed to start due to the following error: The system cannot find the file specified.
    22/05/2011 11:34:27 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm
    21/05/2011 8:51:54 AM, error: DCOM [10000] - Unable to start a DCOM Server: {FB7199AB-79BF-11D2-8D94-0000F875C541}. The error: "%2" Happened while starting this command: C:\Program Files\Messenger\msmsgs.exe -Embedding
    21/05/2011 5:47:02 AM, error: Service Control Manager [7024] - The AVG8 WatchDog service terminated with service-specific error 3758161981 (0xE001003D).
    21/05/2011 5:47:02 AM, error: Service Control Manager [7001] - The AVG8 E-mail Scanner service depends on the AVG8 WatchDog service which failed to start because of the following error: The service has returned a service-specific error code.
    21/05/2011 10:05:24 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    20/05/2011 7:57:47 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    20/05/2011 7:57:26 AM, error: Microsoft Antimalware [2001] -
    20/05/2011 7:57:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    20/05/2011 7:50:53 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    20/05/2011 7:33:14 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm MpFilter
    19/05/2011 5:35:39 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    19/05/2011 5:35:20 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
    19/05/2011 5:35:20 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    19/05/2011 5:35:20 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    19/05/2011 5:35:20 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    19/05/2011 5:35:20 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    19/05/2011 5:14:18 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Defender service, but this action failed with the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    19/05/2011 5:14:18 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Microsoft Antimalware Service service, but this action failed with the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    19/05/2011 5:14:13 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Lavasoft Ad-Aware Service service to connect.
    19/05/2011 5:14:13 PM, error: Service Control Manager [7000] - The Lavasoft Ad-Aware Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    19/05/2011 5:14:08 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    19/05/2011 5:14:04 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    19/05/2011 5:14:03 PM, error: Service Control Manager [7034] - The TomTomHOMEService service terminated unexpectedly. It has done this 1 time(s).
    19/05/2011 5:14:03 PM, error: Service Control Manager [7034] - The PLFlash DeviceIoControl Service service terminated unexpectedly. It has done this 1 time(s).
    19/05/2011 5:14:03 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    19/05/2011 5:14:03 PM, error: Service Control Manager [7034] - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s).
    19/05/2011 5:14:03 PM, error: Service Control Manager [7034] - The Intel(R) Matrix Storage Event Monitor service terminated unexpectedly. It has done this 1 time(s).
    19/05/2011 5:14:03 PM, error: Service Control Manager [7034] - The Canon Inkjet Printer/Scanner/Fax Extended Survey Program service terminated unexpectedly. It has done this 1 time(s).
    19/05/2011 5:14:03 PM, error: Service Control Manager [7031] - The Windows Defender service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
    19/05/2011 5:14:03 PM, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
    19/05/2011 5:14:03 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    19/05/2011 5:14:03 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    19/05/2011 5:14:03 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    .
    ==== End Of File ===========================

    I have downloaded and deactivated Avira whilst using Combofix.
    Combofix is warning me that AVG Internet Security 2011 is still running, when it was removed with AppRemover. Should I try it again?
    Tried AppRemover again and it doesn't find AVG Internet Security 2011, but Combofix is still saying it's there. How do I get rid of it?
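    The Event Viewer errors in the DDS log above follow one fixed line format, so they can be triaged automatically. The Python below is an added example for this thread, not part of the original post and not a DDS or ComboFix feature: it parses lines in that format into timestamp, source, event ID and message, then counts which security-product services or drivers failed to start or terminated, which is the pattern a defender looks for when a machine's protection keeps dying. The sample lines are constructed from the format shown above, and the keyword list of security products is an assumption chosen for this example.

```python
"""Triage of Windows Event Viewer error lines as DDS prints them.

Added example (not from the thread or from DDS). It parses lines shaped like
  23/05/2011 3:21:48 AM, error: Service Control Manager [7000] - The X service failed to start ...
and reports which security products had services or drivers fail.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample input modelled on the DDS "Event Viewer" section format.
SAMPLE_LOG = """\
23/05/2011 3:21:48 AM, error: Service Control Manager [7000] - The AVGIDSAgent service failed to start due to the following error: The system cannot find the path specified.
22/05/2011 11:34:27 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm
21/05/2011 8:51:54 AM, error: DCOM [10000] - Unable to start a DCOM Server: {FB7199AB-79BF-11D2-8D94-0000F875C541}. The error: "%2" Happened while starting this command: C:\\Program Files\\Messenger\\msmsgs.exe -Embedding
19/05/2011 5:14:13 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Lavasoft Ad-Aware Service service to connect.
19/05/2011 5:14:03 PM, error: Service Control Manager [7031] - The Windows Defender service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
19/05/2011 5:14:03 PM, error: Service Control Manager [7034] - The TomTomHOMEService service terminated unexpectedly. It has done this 1 time(s).
"""

# One DDS event line: "<d/m/Y h:M:S AM>, <level>: <source> [<id>] - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)
# Service Control Manager message shapes seen in the log (7000/7001/7023/7024/7031/7034).
SERVICE_RE = re.compile(r"^The (?P<svc>.+?) service (?:failed to start|terminated|depends on)")
# Event 7009: "Timeout (...) waiting for the X service to connect."
TIMEOUT_RE = re.compile(r"waiting for the (?P<svc>.+?) service to connect")
# Event 7026: space-separated driver names after the colon.
DRIVERS_RE = re.compile(r"driver\(s\) failed to load: (?P<drivers>.+)$")

# Assumption for this example: substrings that identify security products on the box.
SECURITY_MARKERS = ("avg", "windows defender", "microsoft antimalware",
                    "ad-aware", "antivir", "mpfilter")


@dataclass
class Event:
    timestamp: datetime
    level: str
    source: str
    event_id: int
    message: str


def parse_events(text: str) -> List[Event]:
    """Parse every line in the DDS event format; other lines are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(
            timestamp=datetime.strptime(m["ts"], "%d/%m/%Y %I:%M:%S %p"),
            level=m["level"],
            source=m["source"],
            event_id=int(m["id"]),
            message=m["msg"],
        ))
    return events


def affected_services(event: Event) -> List[str]:
    """Names of the services or drivers an SCM event says failed; [] for other sources."""
    if event.source != "Service Control Manager":
        return []
    m = DRIVERS_RE.search(event.message)
    if m:
        return m["drivers"].split()
    m = SERVICE_RE.match(event.message) or TIMEOUT_RE.search(event.message)
    return [m["svc"]] if m else []


def is_security_product(name: str) -> bool:
    lowered = name.lower()
    return any(marker in lowered for marker in SECURITY_MARKERS)


def security_failures(events: List[Event]) -> Dict[str, int]:
    """Count failure events per security-product service or driver."""
    counts: Counter = Counter()
    for ev in events:
        for name in affected_services(ev):
            if is_security_product(name):
                counts[name] += 1
    return dict(counts)


if __name__ == "__main__":
    for name, n in sorted(security_failures(parse_events(SAMPLE_LOG)).items()):
        print(f"{name}: {n} failure event(s)")
```

    Run against the whole Event Viewer section of a DDS log, the per-service counts make it obvious when several generations of one product (here AVG8 and AVG 2011 side by side) are fighting over the same boot slots, which is the situation Bobbye calls out in the next reply.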
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Got to hand it to AVG! Looks like they have copied and pasted their security program together! Haven't ever seen 3 versions running at once! This is what is more likely upsetting Combofix!

    DDS header shows:
    Event Viewer shows
    Running Processes show:
    No wonder Combofix is having a fit!
    Seems to me that if the suite has been pieced together as indicated, it would be a good reason why it can't be temporarily disabled and why Combofix gives the notice.

    Try using this installer and see if it will remove v8 and any left overs from AVG 2011:
    AVG Remover eliminates all the parts of your AVG installation from your computer, including registry items, installation files, user files, etc.
    Note:
    • AVG user settings will be removed.
    • Virus Vault contents will be removed.
    • All other items related to AVG installation and use will be removed.
    • You will be asked during the removal procedure to restart your computer. Please do so.
    • Make sure there is no open work in process prior to launching AVG Remover.
    AVG Remover:32bit
    ================================================
    There is a rootkit on the system- that needs to be handled:
    Please download MBRCheck and save to your desktop
    • Double click on MBRCheck.exe to run. (Vista and Windows 7 users will have to confirm the UAC prompt)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      [o] Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      [o] Found non-standard or infected MBR.
      [o] Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Paste this log to your next message.
  5. austevo

    austevo Newcomer, in training Topic Starter Posts: 18

    Hello again.
    MBR check done
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x00000054

    Kernel Drivers (total 115):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x80700000 \WINDOWS\system32\hal.dll
    0x89B3B000 \WINDOWS\system32\KDCOM.DLL
    0xF789B000 \WINDOWS\system32\BOOTVID.dll
    0xF75A8000 ACPI.sys
    0xF7987000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7597000 pci.sys
    0xF75F7000 isapnp.sys
    0xF7607000 ohci1394.sys
    0xF7617000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xF7A4F000 pciide.sys
    0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF7627000 MountMgr.sys
    0xF74D8000 ftdisk.sys
    0xF770F000 PartMgr.sys
    0xF7637000 VolSnap.sys
    0xF74C0000 atapi.sys
    0xF7B0A000 iaStor.sys
    0xF7647000 disk.sys
    0xF7657000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF74A0000 fltmgr.sys
    0xF748E000 sr.sys
    0xF7667000 Lbd.sys
    0xB87EC000 drvmcdb.sys
    0xB87D5000 KSecDD.sys
    0xB8748000 Ntfs.sys
    0xB871B000 NDIS.sys
    0xB8701000 Mup.sys
    0xF76D7000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xB6017000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xB6003000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB7DAF000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB5FDF000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF77E7000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB5E88000 \SystemRoot\system32\drivers\P17.sys
    0xB5E64000 \SystemRoot\system32\drivers\portcls.sys
    0xF76E7000 \SystemRoot\system32\drivers\drmk.sys
    0xB5E41000 \SystemRoot\system32\drivers\ks.sys
    0xB5E11000 \SystemRoot\system32\DRIVERS\ctoss2k.sys
    0xB5DEB000 \SystemRoot\system32\DRIVERS\ctsfm2k.sys
    0xB5DC4000 \SystemRoot\system32\DRIVERS\e100b325.sys
    0xB5DB0000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF76F7000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF77EF000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF77F7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF7587000 \SystemRoot\system32\DRIVERS\serial.sys
    0xB869D000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xF7577000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF77FF000 \SystemRoot\System32\Drivers\MxlW2k.SYS
    0xF7567000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF7557000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF7AB7000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF7547000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xB8695000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB5D99000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF7537000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF7527000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7807000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB5D88000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF7517000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF780F000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7817000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xB6AC4000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF79B3000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB5D2A000 \SystemRoot\system32\DRIVERS\update.sys
    0xB8689000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xB6AB4000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xB47FC000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF79DD000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF79F7000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xAED70000 \SystemRoot\System32\Drivers\Null.SYS
    0xF79F9000 \SystemRoot\System32\Drivers\Beep.SYS
    0xAF305000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xAF2FD000 \SystemRoot\System32\drivers\vga.sys
    0xF79FB000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF79FD000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xAF2F5000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xAF2ED000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB4887000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xACD63000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xACD0A000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xACCE2000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xACCBC000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xACC9A000 \SystemRoot\System32\drivers\afd.sys
    0xB47CC000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xB47AC000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xAF2E5000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0xACC6F000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xACBFF000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xAEBF6000 \SystemRoot\System32\Drivers\Fips.SYS
    0xACA83000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0xF7993000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    0xAEC1E000 \SystemRoot\system32\DRIVERS\usbscan.sys
    0xB7DDF000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xACDBE000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0xACDB6000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xA616F000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xA4D75000 \SystemRoot\System32\Drivers\dump_iaStor.sys
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xAEC16000 \SystemRoot\System32\drivers\Dxapi.sys
    0xACD7E000 \SystemRoot\System32\watchdog.sys
    0xBD000000 \SystemRoot\System32\drivers\dxg.sys
    0xABDCA000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBD012000 \SystemRoot\System32\nv4_disp.dll
    0xA4AFF000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0xA566E000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA4A5A000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xA49CD000 \SystemRoot\system32\drivers\wdmaud.sys
    0xABEFA000 \SystemRoot\system32\drivers\sysaudio.sys
    0xAEC3E000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xA48AF000 \SystemRoot\system32\DRIVERS\srv.sys
    0xA494F000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xA4032000 \SystemRoot\System32\Drivers\HTTP.sys
    0xA3E04000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 47):
    0 System Idle Process
    4 System
    592 C:\WINDOWS\system32\smss.exe
    648 csrss.exe
    672 C:\WINDOWS\system32\winlogon.exe
    720 C:\WINDOWS\system32\services.exe
    732 C:\WINDOWS\system32\lsass.exe
    924 C:\WINDOWS\system32\nvsvc32.exe
    980 C:\WINDOWS\system32\svchost.exe
    1076 svchost.exe
    1176 C:\WINDOWS\system32\svchost.exe
    1324 svchost.exe
    1440 svchost.exe
    1532 C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    1620 C:\WINDOWS\system32\spoolsv.exe
    1664 C:\WINDOWS\system32\rundll32.exe
    1724 C:\WINDOWS\system32\rundll32.exe
    1748 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    1876 svchost.exe
    1968 C:\WINDOWS\explorer.exe
    336 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    496 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    576 C:\Program Files\Canon\IJPLM\ijplmsvc.exe
    136 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    848 C:\Program Files\Java\jre6\bin\jqs.exe
    1060 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    1488 C:\WINDOWS\system32\IoctlSvc.exe
    1716 C:\WINDOWS\system32\svchost.exe
    1980 C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    236 C:\WINDOWS\system32\wuauclt.exe
    2428 unsecapp.exe
    2500 wmiprvse.exe
    2604 alg.exe
    2992 C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    3348 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    3356 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    3432 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    3560 C:\WINDOWS\system32\rundll32.exe
    3640 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    3656 C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
    3668 C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE
    3680 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    3704 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    3716 C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
    3728 C:\WINDOWS\system32\ctfmon.exe
    976 C:\Program Files\Internet Explorer\iexplore.exe
    1188 C:\Documents and Settings\Owner\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number:

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
    I did the removal first but the log was too big; if need be I'll try to break it up into smaller packets to send.
  6. austevo

    part 1

    AVG Removal log deleted by Bobbye- not needed.
  7. austevo

    part 2

    AVG removal log deleted by Bobbye. Not needed.

    The file that's left is 560KB; let me know if you need it and I'll break it up or zip it or something.
    thanks again
  8. Bobbye

    Do not leave any more of the AVG log please!
  9. austevo

    Hmm, just ran DDS again out of boredom and it seems AVG is still there. Should I save everything onto an external hard drive and set fire to this computer? I'm getting tempted.
    steve
    So am I in the too-hard basket? Or beyond help?
  10. Bobbye

    Instead of dropping into boredom, you should have run the Eset scan and tried again to run Combofix.

    If Combofix still refuses to run saying AVG is installed, please run the Windows Installer Cleanup Utility and remove any AVG-related files.

    We are only on Post #9- way too soon to be considered hard or hopeless!
  11. austevo

    Hey Bobbye,
    sorry for my boredom; I had 5 days off and wasted them all trying to fix this computer. Anyhow, I'm back to 12 hours a day at work for a while.
    I ran ESET and the Windows Installer Cleanup Utility; it didn't find AVG, so I tried Combofix, which complained again about AVG, but I ran it anyway and this is the result.
    ComboFix 11-05-24.06 - Owner 25/05/2011 22:56:13.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.1532.1086 [GMT 10:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    FW: AVG Firewall *Enabled* {8decf618-9569-4340-b34a-d78d28969b66}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\Owner\Application Data\1C0EE86A5538D0F0BF8AEF7F1DDA08D3
    c:\documents and settings\Owner\Application Data\1C0EE86A5538D0F0BF8AEF7F1DDA08D3\enemies-names.txt
    c:\documents and settings\Owner\Application Data\1C0EE86A5538D0F0BF8AEF7F1DDA08D3\local.ini
    c:\documents and settings\Owner\Application Data\1C0EE86A5538D0F0BF8AEF7F1DDA08D3\lsrslt.ini
    c:\documents and settings\Owner\Application Data\Adobe\plugs
    c:\documents and settings\Owner\Application Data\Adobe\shed
    c:\documents and settings\Owner\Application Data\Sun\mxd1.txt
    c:\documents and settings\Owner\WINDOWS
    c:\windows\exovaxesakor.dll
    c:\windows\explorer(2).exe
    c:\windows\patch.exe
    c:\windows\settings.reg
    c:\windows\system32\Data
    .
    ----- BITS: Possible infected sites -----
    .
    hxxp://apnmedia.ask.com
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-25 to 2011-05-25 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-25 12:35 . 2011-05-25 12:35 3584 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
    2011-05-25 12:35 . 2011-05-25 12:35 -------- d-----w- c:\program files\Windows Installer Clean Up
    2011-05-25 09:40 . 2011-05-25 09:40 -------- d-----w- c:\program files\ESET
    2011-05-24 11:46 . 2011-05-24 11:46 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-05-24 11:46 . 2011-05-24 11:46 -------- d-----w- c:\documents and settings\Owner\log
    2011-05-24 04:41 . 2011-05-24 04:45 -------- d-----w- C:\OziExplorer
    2011-05-24 04:24 . 2011-05-24 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\FileCure
    2011-05-24 04:15 . 2011-05-24 04:15 -------- d-----w- c:\program files\Garmin GPS Plugin
    2011-05-24 04:15 . 2011-05-24 09:59 -------- d-----w- c:\program files\Garmin
    2011-05-24 04:08 . 2011-05-24 04:08 -------- d-----w- c:\documents and settings\Owner\Application Data\GARMIN
    2011-05-22 22:27 . 2011-05-25 10:19 -------- d-----w- c:\windows\system32\NtmsData
    2011-05-22 18:08 . 2011-05-22 18:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira
    2011-05-22 17:44 . 2011-05-22 17:44 -------- d-----w- c:\program files\Avira
    2011-05-22 17:44 . 2011-05-22 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-05-22 17:44 . 2011-04-01 07:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-05-22 17:44 . 2011-04-01 07:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-05-22 17:44 . 2010-06-17 05:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-05-22 17:44 . 2010-06-17 05:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-05-22 00:19 . 2011-05-22 00:19 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-05-21 21:51 . 2010-12-20 08:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-21 21:51 . 2010-12-20 08:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-21 16:58 . 2011-05-21 14:43 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-05-21 14:43 . 2011-05-21 14:43 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-05-21 14:39 . 2001-08-17 12:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
    2011-05-21 14:39 . 2001-08-17 12:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
    2011-05-21 14:39 . 2001-08-17 12:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
    2011-05-21 14:39 . 2001-08-17 12:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
    2011-05-21 14:39 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
    2011-05-21 14:39 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
    2011-05-21 14:39 . 2001-08-17 04:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
    2011-05-21 14:39 . 2001-08-17 04:55 5632 ----a-w- c:\windows\system32\kbd103.dll
    2011-05-21 14:39 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
    2011-05-21 14:39 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
    2011-05-21 14:39 . 2008-04-14 00:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
    2011-05-21 14:39 . 2008-04-14 00:09 6144 ----a-w- c:\windows\system32\kbd106.dll
    2011-05-21 14:37 . 2011-04-29 02:12 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2011-05-21 14:12 . 2011-05-21 14:12 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-05-21 12:33 . 2011-05-21 14:12 -------- d-----w- c:\program files\Microsoft Security Client
    2011-05-21 07:22 . 2011-05-22 06:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-05-21 00:43 . 2011-05-21 00:50 -------- d-----w- c:\documents and settings\Owner\Application Data\ErrorTeck
    2011-05-19 22:28 . 2011-05-19 22:28 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-05-19 22:20 . 2011-05-19 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-05-18 21:21 . 2011-05-21 14:12 -------- d-----w- c:\documents and settings\Administrator
    2011-05-18 07:31 . 2011-05-19 21:59 0 ----a-w- c:\windows\Xxuheqewipe.bin
    2011-05-18 07:31 . 2011-05-18 07:31 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{ED8AAFA6-C412-4A49-9204-2EB1EB9A225C}
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-22 00:19 . 2010-12-12 00:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-03-07 05:33 . 2005-10-14 00:06 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-04-22 247728]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-03-09 139264]
    "Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-02 57344]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-14 196608]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-07 1753192]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2516296]
    "CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-01 1185112]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart\0lsdelete
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-01-22 05:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2008-05-27 21:27 570664 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2010-07-09 05:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2010-07-09 05:24 110696 ----a-w- c:\windows\system32\nvmctray.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    2003-10-31 09:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2011-01-07 03:12 253672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\NovaLogic\\Delta Force Xtreme Demo\\DFXDemo.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [22/05/2011 12:37 AM 64512]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [23/05/2011 3:44 AM 136360]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [29/04/2011 12:11 PM 2151128]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [22/04/2011 10:21 PM 92592]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/01/2010 6:33 PM 135664]
    S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [14/10/2005 10:21 AM 20160]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/01/2010 6:33 PM 135664]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [29/04/2011 12:11 PM 15232]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-04-29 09:11]
    .
    2011-05-12 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 07:57]
    .
    2011-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-04 08:33]
    .
    2011-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-04 08:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.google.com.au/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = localhost
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    Notify-avgrsstarter - avgrsstx.dll
    MSConfigStartUp-nwiz - nwiz.exe
    MSConfigStartUp-Windows Defender - c:\program files\Windows Defender\MSASCui.exe
    AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-25 23:07
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-4067135660-1359695194-3170355759-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(672)
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'lsass.exe'(732)
    c:\windows\system32\WININET.dll
    .
    Completion time: 2011-05-25 23:10:34
    ComboFix-quarantined-files.txt 2011-05-25 13:10
    .
    Pre-Run: 185,048,764,416 bytes free
    Post-Run: 185,575,956,480 bytes free
    .
    - - End Of File - - D2414A3245EBAA2C3DEE8C9C74EA481E
    I am grateful for your help even though it might not seem so.
    Thanks again, Steve
     
  12. austevo

    austevo Newcomer, in training Topic Starter Posts: 18

    Did a Trend Micro RootkitBuster scan while I was bored also, but had no idea what to do with the results (yesterday)

    +----------------------------------------------------
    | Trend Micro RootkitBuster
    | Module version: 3.60.0.1016
    | Computer Name: WINDOWSX-82D2FE
    | User Name: Owner
    +----------------------------------------------------


    --== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
    [HIDDEN_FILE]:
    FullPath : Master Boot Record (MBR) Sector
    FullPathLength: 0
    DesiredAccess : 0x0
    Options : 0x0
    Attributes : 0x0
    ShareAccess : 0x0
    Type : 0x0
    1 hidden files found.

    --== Dump Hidden Registry Value on HKLM ==--
    [HIDDEN_REGISTRY][Hidden Reg Key]:
    KeyPath : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data
    SubKey : Data
    FullLength: 0x5c
    [HIDDEN_REGISTRY][Hidden Reg Key]:
    KeyPath : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2
    SubKey : Data 2
    FullLength: 0x5e
    2 hidden registry entries found.


    --== Dump Hidden Process ==--
    No hidden processes found.

    --== Dump Hidden Driver ==--
    No hidden drivers found.

    --== Service Win32 API Hook List ==--
    [HOOKED_SERVICE_API]:
    Service API : ZwCreateKey
    Image Path :
    OriginalHandler : 0x80578ab4
    CurrentHandler : 0xacf90216
    ServiceNumber : 0x29
    ModuleName :
    SDTType : 0x0
    [HOOKED_SERVICE_API]:
    Service API : ZwCreateThread
    Image Path :
    OriginalHandler : 0x80584d39
    CurrentHandler : 0xacf9020c
    ServiceNumber : 0x35
    ModuleName :
    SDTType : 0x0
    [HOOKED_SERVICE_API]:
    Service API : ZwDeleteKey
    Image Path :
    OriginalHandler : 0x8059a5c9
    CurrentHandler : 0xacf9021b
    ServiceNumber : 0x3f
    ModuleName :
    SDTType : 0x0
    [HOOKED_SERVICE_API]:
    Service API : ZwDeleteValueKey
    Image Path :
    OriginalHandler : 0x805991e8
    CurrentHandler : 0xacf90225
    ServiceNumber : 0x41
    ModuleName :
    SDTType : 0x0
    [HOOKED_SERVICE_API]:
    Service API : ZwLoadKey
    Image Path :
    OriginalHandler : 0x805b8287
    CurrentHandler : 0xacf9022a
    ServiceNumber : 0x62
    ModuleName :
    SDTType : 0x0
    [HOOKED_SERVICE_API]:
    Service API : ZwOpenProcess
    Image Path :
    OriginalHandler : 0x8057f93a
    CurrentHandler : 0xacf901f8
    ServiceNumber : 0x7a
    ModuleName :
    SDTType : 0x0
    [HOOKED_SERVICE_API]:
    Service API : ZwOpenThread
    Image Path :
    OriginalHandler : 0x80596743
    CurrentHandler : 0xacf901fd
    ServiceNumber : 0x80
    ModuleName :
    SDTType : 0x0
    [HOOKED_SERVICE_API]:
    Service API : ZwReplaceKey
    Image Path :
    OriginalHandler : 0x806571a8
    CurrentHandler : 0xacf90234
    ServiceNumber : 0xc1
    ModuleName :
    SDTType : 0x0
    [HOOKED_SERVICE_API]:
    Service API : ZwRestoreKey
    Image Path :
    OriginalHandler : 0x80656d3d
    CurrentHandler : 0xacf9022f
    ServiceNumber : 0xcc
    ModuleName :
    SDTType : 0x0
    [HOOKED_SERVICE_API]:
    Service API : ZwSetValueKey
    Image Path :
    OriginalHandler : 0x80580088
    CurrentHandler : 0xacf90220
    ServiceNumber : 0xf7
    ModuleName :
    SDTType : 0x0


    --== Dump Hidden Port ==--
    No hidden ports found.

    --== Dump Kernel Code Patching ==--
    [KERNEL_CODE][DEVICE_OBJECT]:
    Driver Name : iaStor
    DeviceObject at : 8A50E030
    1 Kernel code patching found.

    --== Dump Hidden Services ==--
    No hidden services found.
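The RootkitBuster output above lists ten hooked system services with an empty ModuleName, so the log itself does not say which driver installed them. The script below is an added example, not part of RootkitBuster or of the original post: it parses the [HOOKED_SERVICE_API] records, groups them by the page their CurrentHandler points into (all ten in the log sit in one 0xacf90xxx page, so they are one driver's work, not ten separate findings), and resolves each address against a module list. The ntoskrnl.exe range in ASSUMED_MODULES and the function names are assumptions; a real triage takes the ranges from the machine's loaded-module list (GMER's module view or a kernel debugger). Whether the owning driver is a security product's self-protection or something else is not decided here.

```python
"""Triage of the [HOOKED_SERVICE_API] records in a Trend Micro RootkitBuster
log. Added example for this thread, not part of RootkitBuster or of the
original post. The module address ranges are assumptions: replace them with
the machine's real loaded-module list before trusting the attribution."""
import re
from collections import defaultdict

# Constructed sample: three of the ten records from the log above, in the
# log's own format. All ten have CurrentHandler in the same 0xacf90xxx page.
SAMPLE_LOG = """\
--== Service Win32 API Hook List ==--
[HOOKED_SERVICE_API]:
Service API : ZwCreateKey
Image Path :
OriginalHandler : 0x80578ab4
CurrentHandler : 0xacf90216
ServiceNumber : 0x29
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenProcess
Image Path :
OriginalHandler : 0x8057f93a
CurrentHandler : 0xacf901f8
ServiceNumber : 0x7a
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSetValueKey
Image Path :
OriginalHandler : 0x80580088
CurrentHandler : 0xacf90220
ServiceNumber : 0xf7
ModuleName :
SDTType : 0x0
"""

# ASSUMED ntoskrnl.exe range for this XP SP3 box (not taken from the thread).
# The OriginalHandler values (0x805xxxxx) fall inside it, which is the sanity
# check that the "original" column really is the kernel's own code.
ASSUMED_MODULES = [("ntoskrnl.exe", 0x804D7000, 0x806E5000)]

FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?)[ \t]*:[ \t]*(.*?)[ \t]*$", re.M)


def parse_hooks(text):
    """One dict per [HOOKED_SERVICE_API] record; handler addresses as ints."""
    hooks = []
    for chunk in text.split("[HOOKED_SERVICE_API]:")[1:]:
        rec = dict(FIELD.findall(chunk))
        hooks.append({
            "api": rec["Service API"],
            "original": int(rec["OriginalHandler"], 16),
            "current": int(rec["CurrentHandler"], 16),
            "module": rec.get("ModuleName", ""),
        })
    return hooks


def owner_of(addr, modules):
    """Name of the module whose [start, end) range contains addr, else None."""
    for name, start, end in modules:
        if start <= addr < end:
            return name
    return None


def cluster_by_page(hooks, page=0x1000):
    """Group hooked APIs by the page their CurrentHandler lives in. Handlers
    that share a page are almost certainly one driver's dispatch stubs."""
    groups = defaultdict(list)
    for h in hooks:
        groups[h["current"] & ~(page - 1)].append(h["api"])
    return dict(groups)


def triage(hooks, modules=ASSUMED_MODULES):
    """Resolve each handler to a module. A CurrentHandler that resolves to
    nothing (and a blank ModuleName in the log) is the entry to chase."""
    rows = []
    for h in hooks:
        rows.append({
            "api": h["api"],
            "original_in": owner_of(h["original"], modules) or "UNKNOWN",
            "current_in": owner_of(h["current"], modules) or h["module"] or "UNKNOWN",
        })
    return rows


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    for page, apis in cluster_by_page(hooks).items():
        print(f"handler page {page:#010x}: {', '.join(apis)}")
    for row in triage(hooks):
        print(f"{row['api']:<16} original in {row['original_in']:<13} now in {row['current_in']}")
```

Point parse_hooks at the full log text to process all ten records; the constructed sample embeds three of them. The useful output is the page grouping plus the "UNKNOWN" column: once you know the page, one lookup in the loaded-module list names the driver, which is the step the RootkitBuster log leaves blank.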
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Another of your comments about boredom has been noted. Again, it is not appreciated. Once more mention and the thread will be closed.
    =====================================
    So you ran the Eset scan? What were the results?
    ===================================================
    As for running Trend Micro RootkitBuster, it surely seems to be clear in the beginning of the preliminary removal steps:
    And an excellent example of why we ask that you don't run these type of programs while we are helping clean the system is:
    Did you even pause to consider that this could affect the cleaning in progress?
    =================================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
    • [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\Xxuheqewipe.bin
    Folder::
    c:\documents and settings\Owner\Application Data\ErrorTeck
    c:\program files\Microsoft Security Client
    c:\documents and settings\All Users\Application Data\FileCure
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\NovaLogic\\Delta Force Xtreme Demo\\DFXDemo.exe"=-
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=-
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Recommend uninstalling the following:
    1. FileCure >> ParetoLogic site is not a good site. The FileCure program is a scam to 'alert' you of errors and get you to pay for their program to 'fix' them
    2. ErrorTeck™ is an advanced registry cleaner> we do not recommend registry cleaners to anyone.
    ================================
    Use Windows Explorer to delete the program folders after you uninstall the above.
    =================================
    Download Security Check by screen317 from HERE or HERE .
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    =================================
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
    ============
    ComboFix, Eset, Security Check & HijackThis logs in next reply please. [Nothing else]
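One way to check the ComboFix.txt that the script above produces against what the script asked for. This is an added example, not a ComboFix feature and not part of the original post: it parses the CFScript's File::, Folder:: and Registry:: sections, then looks for each path under the log's "Other Deletions" banner and for each "=-" registry value in the post-run "Reg Loading Points" dump. The log excerpt is constructed in ComboFix's format from the kind of lines the logs in this thread contain; the function names and the banner-delimited section handling are assumptions about that format.

```python
"""Check what a ComboFix run did against the CFScript that drove it. Added
example for this thread; it is not a ComboFix feature. It assumes the CFScript
layout used above (File::, Folder::, Registry:: sections) and ComboFix.txt's
banner-delimited sections with a REGEDIT4-style "Reg Loading Points" dump."""

# The CFScript from the post above, verbatim (raw string keeps the backslashes).
CFSCRIPT = r"""
File::
c:\windows\Xxuheqewipe.bin
Folder::
c:\documents and settings\Owner\Application Data\ErrorTeck
c:\program files\Microsoft Security Client
c:\documents and settings\All Users\Application Data\FileCure
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NovaLogic\\Delta Force Xtreme Demo\\DFXDemo.exe"=-
"c:\\Program Files\\FrostWire\\FrostWire.exe"=-
"""

# Constructed excerpt in ComboFix.txt's format (two sections, trimmed).
COMBOFIX_LOG = r"""
((((((((((((((( Other Deletions )))))))))))))))
.
c:\documents and settings\All Users\Application Data\FileCure
c:\documents and settings\All Users\Application Data\FileCure\fc_db.db
c:\documents and settings\Owner\Application Data\ErrorTeck
c:\program files\Microsoft Security Client
c:\windows\Xxuheqewipe.bin
.
((((((((((((((( Reg Loading Points )))))))))))))))
.
REGEDIT4
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NovaLogic\\Delta Force Xtreme Demo\\DFXDemo.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"""


def parse_cfscript(text):
    """-> {"File": [paths], "Folder": [paths], "Registry": {key: {value: action}}}
    Paths, keys and value names are lower-cased for case-insensitive matching."""
    out = {"File": [], "Folder": [], "Registry": {}}
    section, key = None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):
            section, key = line[:-2], None
        elif section == "Registry" and line.startswith("["):
            key = line[1:-1].lower()
            out["Registry"].setdefault(key, {})
        elif section == "Registry" and key:
            name, _, rhs = line.partition("=")
            # REGEDIT4 convention: "name"=- deletes the value
            out["Registry"][key][name.strip('"').lower()] = "remove" if rhs.strip() == "-" else "other"
        elif section in out:
            out[section].append(line.lower())
    return out


def log_section(text, title):
    """Non-empty lines of the ComboFix section whose banner contains title."""
    lines, inside = [], False
    for s in (l.strip() for l in text.splitlines()):
        if s.startswith("((((") and s.endswith("))))"):
            inside = title in s
        elif inside and s and s != ".":
            lines.append(s)
    return lines


def parse_reg_dump(lines):
    """REGEDIT4-style dump -> {key_lower: {value_name_lower, ...}}."""
    reg, key = {}, None
    for s in lines:
        if s.startswith("[") and s.endswith("]"):
            key = s[1:-1].lower()
            reg[key] = set()
        elif key and s.startswith('"'):
            reg[key].add(s[1:].split('"', 1)[0].lower())
    return reg


def verify(script, log):
    """Which File::/Folder:: targets show up under Other Deletions, and which
    Registry:: removals are still listed in the post-run registry dump."""
    deleted = {d.lower() for d in log_section(log, "Other Deletions")}
    reg = parse_reg_dump(log_section(log, "Reg Loading Points"))
    report = {"deleted": [], "missing": [], "reg_removed": [], "reg_still_present": []}
    for path in script["File"] + script["Folder"]:
        report["deleted" if path in deleted else "missing"].append(path)
    for key, values in script["Registry"].items():
        for name, action in values.items():
            if action == "remove":
                still = name in reg.get(key, set())
                report["reg_still_present" if still else "reg_removed"].append(name)
    return report
```

A value the script marked with "=-" that still appears in the post-run dump lands under reg_still_present; that is the case to look at before treating the script as done, since the File:: and Folder:: lines can succeed while a Registry:: line silently does not.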
  14. austevo

    austevo Newcomer, in training Topic Starter Posts: 18

    ComboFix 11-05-24.06 - Owner 26/05/2011 19:29:46.2.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.1532.1078 [GMT 10:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    FW: AVG Firewall *Enabled* {8decf618-9569-4340-b34a-d78d28969b66}
    .
    FILE ::
    "c:\windows\Xxuheqewipe.bin"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\FileCure
    c:\documents and settings\All Users\Application Data\FileCure\fc_db.db
    c:\documents and settings\All Users\Application Data\FileCure\fc_history.db
    c:\documents and settings\All Users\Application Data\FileCure\fc_ignore.db
    c:\documents and settings\Owner\Application Data\ErrorTeck
    c:\documents and settings\Owner\Application Data\ErrorTeck\Backup\Automatic Backup_05-21-2011_10-48-50.reg
    c:\documents and settings\Owner\Application Data\ErrorTeck\Backup\Automatic Backup_05-21-2011_12-04-33.reg
    c:\documents and settings\Owner\Application Data\ErrorTeck\settings.ini
    c:\program files\Microsoft Security Client
    c:\program files\Microsoft Security Client\Antimalware\EN-US\MpAsDesc.dll.mui
    c:\program files\Microsoft Security Client\Antimalware\EN-US\mpevmsg.dll.mui
    c:\program files\Microsoft Security Client\Backup\en-us\amhelp.chm
    c:\program files\Microsoft Security Client\Backup\en-us\epploc.cab
    c:\program files\Microsoft Security Client\Backup\en-us\eula.rtf
    c:\program files\Microsoft Security Client\Backup\en-us\setupres.dll.mui
    c:\program files\Microsoft Security Client\Backup\x86\windows6.0-kb981889-v2.msu
    c:\program files\Microsoft Security Client\Backup\x86\windows6.1-kb981889.msu
    c:\program files\Microsoft Security Client\CleanUpPolicy.xml
    c:\program files\Microsoft Security Client\en-us\amhelp.chm
    c:\program files\Microsoft Security Client\en-us\eula.rtf
    c:\program files\Microsoft Security Client\en-us\MsMpRes.dll.mui
    c:\program files\Microsoft Security Client\en-us\setupres.dll.mui
    c:\program files\Microsoft Security Client\en-us\shellext.dll.mui
    c:\windows\Xxuheqewipe.bin
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-26 to 2011-05-26 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-25 12:35 . 2011-05-25 12:35 3584 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
    2011-05-25 12:35 . 2011-05-25 12:35 -------- d-----w- c:\program files\Windows Installer Clean Up
    2011-05-25 09:40 . 2011-05-25 09:40 -------- d-----w- c:\program files\ESET
    2011-05-24 11:46 . 2011-05-24 11:46 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-05-24 11:46 . 2011-05-24 11:46 -------- d-----w- c:\documents and settings\Owner\log
    2011-05-24 04:41 . 2011-05-24 04:45 -------- d-----w- C:\OziExplorer
    2011-05-24 04:15 . 2011-05-24 04:15 -------- d-----w- c:\program files\Garmin GPS Plugin
    2011-05-24 04:15 . 2011-05-24 09:59 -------- d-----w- c:\program files\Garmin
    2011-05-24 04:08 . 2011-05-24 04:08 -------- d-----w- c:\documents and settings\Owner\Application Data\GARMIN
    2011-05-22 22:27 . 2011-05-25 21:02 -------- d-----w- c:\windows\system32\NtmsData
    2011-05-22 18:08 . 2011-05-22 18:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira
    2011-05-22 17:44 . 2011-05-22 17:44 -------- d-----w- c:\program files\Avira
    2011-05-22 17:44 . 2011-05-22 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-05-22 17:44 . 2011-04-01 07:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-05-22 17:44 . 2011-04-01 07:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-05-22 17:44 . 2010-06-17 05:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-05-22 17:44 . 2010-06-17 05:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-05-22 00:19 . 2011-05-22 00:19 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-05-21 21:51 . 2010-12-20 08:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-21 21:51 . 2010-12-20 08:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-21 16:58 . 2011-05-21 14:43 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-05-21 14:43 . 2011-05-21 14:43 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-05-21 14:39 . 2001-08-17 12:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
    2011-05-21 14:39 . 2001-08-17 12:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
    2011-05-21 14:39 . 2001-08-17 12:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
    2011-05-21 14:39 . 2001-08-17 12:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
    2011-05-21 14:39 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
    2011-05-21 14:39 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
    2011-05-21 14:39 . 2001-08-17 04:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
    2011-05-21 14:39 . 2001-08-17 04:55 5632 ----a-w- c:\windows\system32\kbd103.dll
    2011-05-21 14:39 . 2001-08-17 04:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
    2011-05-21 14:39 . 2001-08-17 04:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
    2011-05-21 14:39 . 2008-04-14 00:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
    2011-05-21 14:39 . 2008-04-14 00:09 6144 ----a-w- c:\windows\system32\kbd106.dll
    2011-05-21 14:37 . 2011-04-29 02:12 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2011-05-21 14:12 . 2011-05-21 14:12 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-05-21 07:22 . 2011-05-22 06:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-05-19 22:28 . 2011-05-19 22:28 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-05-19 22:20 . 2011-05-19 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-05-18 21:21 . 2011-05-21 14:12 -------- d-----w- c:\documents and settings\Administrator
    2011-05-18 07:31 . 2011-05-18 07:31 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{ED8AAFA6-C412-4A49-9204-2EB1EB9A225C}
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-22 00:19 . 2010-12-12 00:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-03-07 05:33 . 2005-10-14 00:06 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-05-25_13.07.13 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-05-26 09:26 . 2011-05-26 09:26 16384 c:\windows\Temp\Perflib_Perfdata_75c.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-04-22 247728]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-03-09 139264]
    "Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-02 57344]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-14 196608]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-07 1753192]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2516296]
    "CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-01 1185112]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart\0lsdelete
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-01-22 05:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2008-05-27 21:27 570664 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2010-07-09 05:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2010-07-09 05:24 110696 ----a-w- c:\windows\system32\nvmctray.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    2003-10-31 09:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2011-01-07 03:12 253672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\NovaLogic\\Delta Force Xtreme Demo\\DFXDemo.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [22/05/2011 12:37 AM 64512]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [23/05/2011 3:44 AM 136360]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [29/04/2011 12:11 PM 2151128]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [22/04/2011 10:21 PM 92592]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/01/2010 6:33 PM 135664]
    S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [14/10/2005 10:21 AM 20160]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/01/2010 6:33 PM 135664]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-04-29 09:11]
    .
    2011-05-26 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 07:57]
    .
    2011-05-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-04 08:33]
    .
    2011-05-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-04 08:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.google.com.au/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = localhost
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-26 19:39
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-4067135660-1359695194-3170355759-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(672)
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'lsass.exe'(732)
    c:\windows\system32\WININET.dll
    .
    Completion time: 2011-05-26 19:42:54
    ComboFix-quarantined-files.txt 2011-05-26 09:42
    ComboFix2.txt 2011-05-25 13:10
    .
    Pre-Run: 185,582,956,544 bytes free
    Post-Run: 185,576,955,904 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 67E3992D3C36E400611D2CAA5E21E7CB


    FileCure, gone
    ErrorTeck, gone



    Results of screen317's Security Check version 0.99.12
    Windows XP Service Pack 3
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Disabled!
    Avira AntiVir Personal - Free Antivirus
    ESET Online Scanner v3
    Avira successfully updated!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Ad-Aware
    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 25
    Adobe Flash Player
    Adobe Reader 8.2.6
    Out of date Adobe Reader installed!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Ad-Aware AAWService.exe
    Ad-Aware AAWTray.exe
    Avira Antivir avguard.exe
    ``````````End of Log````````````


    HijackThis log


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:13:19 PM, on 26/05/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Owner\Desktop\SecurityCheck.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
    C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [CanonSolutionMenuEx] C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE /logon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
    O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
    O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_6.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1287952087359
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.16.0.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
    O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

    --
    End of file - 9184 bytes


    ESET


    C:\Documents and Settings\Owner\Desktop\PioletSetup.exe Win32/Adware.Toolbar.Dealio application
    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\1C0EE86A5538D0F0BF8AEF7F1DDA08D3\enemies-names.txt.vir Win32/Adware.AntimalwareDoctor.AE.Gen application
    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\1C0EE86A5538D0F0BF8AEF7F1DDA08D3\local.ini.vir Win32/Adware.AntimalwareDoctor.AE.Gen application
    C:\System Volume Information\_restore{0EF91C99-2363-4E66-9E69-6C61CED31DB8}\RP5\A0001148.ini Win32/Adware.AntimalwareDoctor.AE.Gen application
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Part of the AdAware program labels itself as antivirus. So you now show 3 AV programs in the Combofix header:
    AV: AntiVir Desktop *Disabled/Updated*
    AV: AVG Internet Security 2011 *Enabled/Updated*
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated

    I have sent several emails to Lavasoft, where AdAware is from, asking about this AV part of their current program. So far, I haven't had a reply. When I had the paid version some years ago, it did have AdWatch running in RealTime which alerted to any Registry changes. But it wasn't called or considered an antivirus program at that time. So I now ask you to disable it.

    Do you plan to reinstall AVG when we have finished?
    =====================================
    There is only one entry in Eset to be removed. The 'Qoobox' is where Combofix sends quarantined files and System Volume is a restore point. Those entries are not active in the system. I will have you drop old restore points and set a new clean one when we're through.
    =====================================
    Please download OTMoveIt by OldTimer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Files  
      C:\Documents and Settings\Owner\Desktop\PioletSetup.exe
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Please give me an update on how the system is running now.
  16. austevo

    austevo Newcomer, in training Topic Starter Posts: 18

    I was going to ask your opinion on which antivirus to use. I was thinking of Trend Micro as an option; what do you think of AVG?
    I turned off AdAware and disabled Avira, as always before scans.

    OTM log
    All processes killed
    ========== FILES ==========
    File/Folder C:\Documents and Settings\Owner\Desktop\PioletSetup.exe not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 2535 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 65536 bytes
    ->Temporary Internet Files folder emptied: 98304 bytes

    User: LocalService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 49554 bytes
    ->Flash cache emptied: 456 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 118761674 bytes
    ->Java cache emptied: 13 bytes
    ->Flash cache emptied: 8702 bytes

    User: Owner
    ->Temp folder emptied: 158763914 bytes
    ->Temporary Internet Files folder emptied: 11574923 bytes
    ->Java cache emptied: 11749 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 1570947 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 11115462 bytes
    %systemroot%\System32 .tmp files removed: 14335249 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 4562471 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 306.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 05272011_075702

    Files moved on Reboot...
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VJV49LFM\g1309779[1].txt moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VJV49LFM\pageid=290963808962[1].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VJV49LFM\searchnation_net[3].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VJV49LFM\searchnation_net[4].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VJV49LFM\searchnation_net[5].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VJV49LFM\search[3].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VA4ZVAOY\home[1].aspx moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VA4ZVAOY\searchnation_net[1].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VA4ZVAOY\searchnation_net[2].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VA4ZVAOY\searchnation_net[3].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\T495V2IS\adh[1].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\T495V2IS\in[1].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\T495V2IS\pageid=290963808962[1].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\T495V2IS\results4[1].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\T495V2IS\searchnation_net[3].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\T495V2IS\searchnation_net[4].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\T495V2IS\searchnation_net[5].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\T495V2IS\search[1].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\T495V2IS\search[2].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\T495V2IS\search[6].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RS2EOXGO\carshowroom_com_au[1].txt moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RS2EOXGO\detect[2].act moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RS2EOXGO\google_com_au[1].txt moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RS2EOXGO\google_com_au[2].txt moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RS2EOXGO\pageid=290963808962[1].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RS2EOXGO\pageid=290963808962[2].htm moved successfully.
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RS2EOXGO\passback.c.r[1].php not found!
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RS2EOXGO\redirect[1].txt moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RS2EOXGO\results4[1].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RS2EOXGO\searchnation_net[2].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RS2EOXGO\searchnation_net[3].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RS2EOXGO\search[1].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RS2EOXGO\search[3].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RS2EOXGO\statstracker[3].txt moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RS2EOXGO\viewChannelModule[1].act moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RS2EOXGO\viewChannelModule[2].act moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QOFSK17J\01[1].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QOFSK17J\9bff1cadda[1] moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QOFSK17J\g1309779[1].txt moved successfully.
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QOFSK17J\get[1].media not found!
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QOFSK17J\get[2].media not found!
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QOFSK17J\gossipcenter[1].htm not found!
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QOFSK17J\gossipcenter_com[1].txt not found!
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QOFSK17J\in[1].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QOFSK17J\pageid=290963808962[1].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QOFSK17J\pageid=290963808962[2].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QOFSK17J\pageid=775873629229[1].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QOFSK17J\searchnation_net[2].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QOFSK17J\searchnation_net[3].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QOFSK17J\searchnation_net[4].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\QOFSK17J\search[2].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NLKGJ916\base[1].js moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NLKGJ916\drupal[1].js moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NLKGJ916\empty[1].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NLKGJ916\payrisev2[1].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NLKGJ916\robert-kristen-st-thomas[1].jpg moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NLKGJ916\searchnation_net[2].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\NLKGJ916\search[3].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5DTQ47N\captcha[1].js moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5DTQ47N\dependent[1].js moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5DTQ47N\g1309779[1].txt moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5DTQ47N\in[1].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5DTQ47N\jquery-1.4.4.min[1].js moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5DTQ47N\like[1].php moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5DTQ47N\script[1].js moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5DTQ47N\searchnation_net[1].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5DTQ47N\searchnation_net[2].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5DTQ47N\sh43[1].html moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5DTQ47N\textarea[1].js moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\N5DTQ47N\videoplayback[1] moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\12ZWHI6P\diagnoseyourpc_com[1].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\12ZWHI6P\ooyala_companion_ads[1].js moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\12ZWHI6P\searchnation_net[2].htm moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\12ZWHI6P\show_ads[1].js moved successfully.
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\12ZWHI6P\spcjs[1].php moved successfully.
    C:\WINDOWS\temp\fla8C4A.tmp moved successfully.
    File C:\WINDOWS\temp\fla8D4D.tmp not found!
    File C:\WINDOWS\temp\fla8D4E.tmp not found!

    Registry entries deleted on Reboot...


    Still getting redirected with Google search results; "waiting for lakyclktolakylok.com" shows up at the bottom of the page when the redirection is happening. A random page also opened when "techspot openboards" was the only page I had open.
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Please note: Files removed in OTM: Total Files Cleaned = 306.00 mb. This is a large number.
    Most are temporary internet files, which suggests you are not doing any regular maintenance on the system.

    I did not request a scan with Avira. I thought I made this clear:
    ===========================================
    Suggest you print the following so you can refer to it when using msconfig:
    Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

    C:\WINDOWS\system32\IoctlSvc.exe
    C:\Documents and Settings\Owner\Desktop\SecurityCheck.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
    C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [CanonSolutionMenuEx] C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE /logon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe


    Close all Windows except HijackThis and click on "Fix Checked."

    None of the above are malware. None need to start on boot and run in the background. The program can be selected from the All Programs menu when it is needed. To use the print feature, click on File> Print.

    You can use the msconfig utility per my instructions below to uncheck any of these processes on the Startup menu.
    ========================================
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    Change Service Startup type as follows: (O23 entry)
    Click on Start> Run> type in services.msc> enter> double click on each of the following and set as instructed:
    1. Canon Inkjet Printer (IJPLMSVC)> Set to Manual Startup type
    2. Java Quick Starter (jqs)> Set to Disable> Stop the Service
    3. PLFlash DeviceIoControl (IoctlSvc)> Set to Manual Startup
    ==============================================
    To remove entries from the Startup Menu using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
      [image]
    • Click on Selective Startup
    • Choose the Startup tab:
      [image]
      All images courtesy NetSquirrel
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    • Uncheck any processes you do not need to start on boot.
    • Click on Apply> OK when finished.
    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Remain in Selective Startup to retain those changes.
    =============================================
    Regarding antivirus programs: If you want to stay with free programs:
    Have layered Security:
    [o] Keep Avira or get the following:
    [o] Avast Free Antivirus

    If you don't object to paying, I highly recommend using: Nod32
    Although it says 'antispyware' with it, it is not intrusive and I still have 2 other antispyware programs running.

    [o] Use a bi-directional Firewall. Either of the following programs are free and known to be good:
    [o] Comodo
    [o] Zone Alarm

    Add at least 2 antimalware programs. I don't use 'suites'- I prefer free-standing, individual programs. I no longer recommend AVG. It was a good AV program through v7.5. But when a spyware program was bundled with it starting in v8, the performance went down. There have also been several bad updates that caused all users with AVG to think they had the Win32/Heur malware. In most cases, it was a False Positive.
    ============================================
    Update the following:
    Java Updates. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
    Adobe Reader Update. Uninstall any earlier updates as they are vulnerabilities.
    ===================================
    Regarding the redirect:
    If you are referring to what you see quickly pass in the lower left corner, that in itself does not mean you're getting redirected. If the system is well protected, those entries that represent tracking Cookies, banners and other types of adware are not going to get on the system, although they can show as the system is loading the page.
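    The triage Bobbye does by hand on the HijackThis log above (orphaned '(no file)' BHOs, O23 services with 'Unknown owner', what the Run keys start and from where) can be scripted. This is an added example, not code from the thread or from HijackThis; the sample lines are copied from the log posted in this thread plus one constructed O4 line, and the flagging rules are the example's own heuristics, so a person still decides what gets fixed.

```python
"""Triage HijackThis log lines the way the thread does by hand.

Added example, not code from the thread or from the HijackThis tool. The sample
lines are copied from the log posted above, except one O4 line that is
constructed (and labelled so) to exercise the user-profile rule. The flagging
rules are this example's own heuristics; a human still decides what to fix.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [constructed-example] C:\Documents and Settings\Owner\Local Settings\Temp\example.exe
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# O4 body layout: <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First executable/DLL on a command line, quoted or not, ignoring arguments.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|com|bat))"?(?:[\s,].*)?$', re.IGNORECASE)
CLSID_SECTIONS = {"O2", "O3", "O9", "O22"}  # "<kind>: <name> - {CLSID} - <file>"


@dataclass
class Entry:
    section: str
    name: str
    path: str
    owner: Optional[str] = None  # publisher string, O23 services only


def command_path(cmd: str) -> str:
    """Reduce a Run-key command line to the file that actually gets loaded."""
    cmd = cmd.strip()
    if cmd.upper().startswith("RUNDLL32.EXE "):
        cmd = cmd[len("RUNDLL32.EXE "):]  # the DLL is the interesting part
    m = EXE_RE.match(cmd)
    return m.group("path") if m else cmd


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, footer or blank line
    section, body = m.group("section"), m.group("body")
    if section == "O4":
        o4 = O4_RE.match(body)
        if o4:
            return Entry(section, o4.group("name"), command_path(o4.group("cmd")))
    elif section in CLSID_SECTIONS and ": " in body:
        parts = body.split(": ", 1)[1].rsplit(" - ", 2)
        if len(parts) == 3:
            return Entry(section, parts[0], parts[2])
    elif section == "O23" and body.startswith("Service: "):
        parts = body[len("Service: "):].rsplit(" - ", 2)
        if len(parts) == 3:
            return Entry(section, parts[0], parts[2], owner=parts[1])
    return Entry(section, body, "")  # unknown layout: keep the raw body


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


# Locations where legitimate software rarely installs an autostart.
USER_DIRS = ("\\documents and settings\\", "\\users\\", "\\temp\\")


def triage(e: Entry) -> Optional[str]:
    """Return a review reason for entries a helper would look at first, else None."""
    if e.path.lower() == "(no file)":
        return "orphaned: registered component is no longer on disk"
    if e.section == "O23" and e.owner == "Unknown owner":
        return "service has no publisher string: verify the binary"
    if e.section == "O4" and any(d in e.path.lower() for d in USER_DIRS):
        return "autostart from a user-profile or temp directory"
    return None


def flagged(text: str) -> List[Tuple[str, str, str]]:
    """(section, name, reason) for every entry the heuristics single out."""
    return [(e.section, e.name, r) for e in parse_log(text) if (r := triage(e))]


if __name__ == "__main__":
    for section, name, reason in flagged(SAMPLE_LOG):
        print(f"{section:<4}{name}: {reason}")
```

    Everything not flagged still needs a look; the rules only order the work, they do not clear an entry.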
  18. austevo

    austevo Newcomer, in training Topic Starter Posts: 18

    I ran the HijackThis system scan, checked off the list and clicked "Fix checked".
    "services.msc" done.
    "msconfig utility" done
    I kept avira.
    I downloaded comodo.
    I updated java and adobe, no older versions were in add/remove programs.
    I normally run "disk cleanup" and also go into control panel/internet options/and delete everything in browsing history every time I get off the internet, although I haven't as much for the past week for fear of affecting this cleaning process. Please tell me if there is anything else I can do in regards to cleanup.
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Was this resolved?
  20. austevo

    austevo Newcomer, in training Topic Starter Posts: 18

    No, it was still the same, still getting redirected; "lakylok" was still showing up in every redirect, and if it didn't show, it went to the selected website.
    When you mentioned having 2 antimalware programs I went looking for a second and came across "Hitman Pro 3.5", which had good reviews on "PCMag.com". It uses a brains trust of "G Data, ESET's NOD32, Avira AntiVir, Prevx, and a-squared", some of which are already on the computer and recommended by you, so I downloaded the free trial and it found a bootkit, which I chose to delete, and the redirecting has stopped. There were some leftover bits and pieces that Malwarebytes and Avira cleaned up, and so far so good. Although the redirecting is gone I'm not certain that all is ok. Security Center won't open even though in "services.msc" it shows started and is set to auto.
    What do you think?
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Yes, a few. Based on what I read and the cleaning programs I run. Others may think differently. The publisher's description is:
    Part is personal preference, wanting to maintain control over my system. Hitman is also different in the versions. One main objection is the use of multiple programs that are free on the internet. Depending on the program, it should prevent and/or remove. While the scans with Hitman are free, removal of the malware can only be done within the 30-day trial.

    Hitman Pro (version 1 and 2) automatically downloads, installs and runs third party anti-spyware and anti-adware programs that are freely available on the Internet:
    The scan time was very long, the program used many system resources and errors in the used third party programs could cause system instability.

    Hitman Pro is using other people's knowledge without their permission. NOD32 has granted permission to use their software. Software producer Lavasoft is in discussion with Mr. Loman over changes to the program before granting any official permission to implement their software and McAfee says they did not grant permission and claim no knowledge at all of the program with no further comment.

    Hitman Pro 3 uses a white list that includes Windows system files and other (safe) files that are present on most PCs. Hitman Pro 3 also requires a license key to remove malware found on a user's computer; however, it does offer a free 30-day trial.

    The new version of Hitman Pro, version 3, uses:
    None of these programs- alone or together have the power of a program like Combofix- or other 'intensive' programs. While Hitman may resolve one problem, that does not mean all of the malware has been removed.

    Most of the logs I see have multiple malware infections. Some, like the DNS Changer malware, will require a DNS flush and a router reset. If that isn't done, the resolution to the problem is only temporary.
    ==========================================
    Your comment:

    The authors of those programs didn't give permission to use their brains and then charge for help!

    If you ran Hitman on Day 32 and it 'found' a rootkit, you would be required to buy the program to have it removed.
  22. austevo

    austevo Newcomer, in training Topic Starter Posts: 18

    And here I was thinking I was the bearer of good news. So I guess PCMag.com and CNet.com don't care about authors' permissions, as they and others rated it very highly in their reviews. It also sounded like a good concept, using 5 vendors' brains rather than one. I won't subscribe to "Hitman 3.5" if that's the way they do business.
    So where do we go to from here?
  23. austevo

    austevo Newcomer, in training Topic Starter Posts: 18

    Just checking if you're still helping me; it's been 3 days, that's all. I'm wondering what to do next.
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Sorry for delay! The current malware seems to hit everyone on a computer:

    Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    C:\Documents and Settings\Owner\Desktop\SecurityCheck.exe
    SecCenter::
    {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    {8decf618-9569-4340-b34a-d78d28969b66}
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . I don't need this log.
    ====================
    Open Internet Options- through Tools in IE or through the Control Panel:
    Click on the Security tab> Restricted Sites> Sites> Type each of the following in the dialog box, one at time> Click on Add for each domain. Note: Be sure your spelling is exact or the block won't work:
    ====================================
    Please update the Adobe Reader: visit this Adobe Reader site. Uninstall any earlier updates, as they are vulnerabilities.
    ======================================
    Reboot the computer.
    =====================================
    One more scan: Download bootkitremover.rar and save to your desktop.
    1. Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. (Use 7-Zip if you don't have an extraction program.)
    2. Double-click on the remover.exe file to run the program.
      NOTE: The tool should be run from a command line with Administrator privileges.
    3. Scanning should be completed quickly
    4. Paste the output in your next reply.
    =====================================
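The Bootkit Remover output requested in the last step lists every loaded kernel module as a base address, a size and a path (the "LOADED MODULES INFORMATION" section). When reading such a log, a helper mainly looks at where each driver was loaded from: system32 is expected, a third-party product directory is normal, and a driver loaded from a Temp folder deserves a manual check (it is not automatically malicious; scanners such as GMER drop their own driver there while they run). The following is an added example, not part of the thread or of the Bootkit Remover tool: a small Python parser for that section that extracts the fields and flags load locations worth reviewing. The log lines it runs on are constructed in the tool's layout; the file name `scanner.sys` and the `ExampleAV` directory are placeholders.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample in the layout Bootkit Remover uses for its
# "LOADED MODULES INFORMATION" section (source location : base size "path").
# The scanner.sys and ExampleAV entries are placeholders, not real drivers.
SAMPLE_LOG = r""".\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
.\debug.cpp(256) : 0x804d7000 0x00229000 "\WINDOWS\system32\ntoskrnl.exe"
.\debug.cpp(256) : 0xf75a8000 0x0002e000 "ACPI.sys"
.\debug.cpp(256) : 0xf79df000 0x00002000 "\??\C:\Program Files\ExampleAV\exfilter.sys"
.\debug.cpp(256) : 0xb6cd6000 0x00008000 "\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\scanner.sys"
.\debug.cpp(256) : 0xa6564000 0x0002b000 "\SystemRoot\system32\drivers\kmixer.sys"
.\debug.cpp(263) : **********************************************
"""

# One module line: ".\debug.cpp(NNN) : 0xBASE 0xSIZE "path"".
MODULE_RE = re.compile(
    r'^\.\\debug\.cpp\(\d+\)\s*:\s*(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+"([^"]+)"$'
)


class Module(NamedTuple):
    base: int
    size: int
    path: str


def parse_modules(log_text: str) -> List[Module]:
    """Return the (base, size, path) triples from the loaded-modules section."""
    modules = []
    for line in log_text.splitlines():
        m = MODULE_RE.match(line.strip())
        if m:
            modules.append(Module(int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return modules


def _normalize(path: str) -> str:
    """Lower-case the path and strip the \\??\\ prefix, drive letter and SystemRoot alias
    so that the different spellings of the same location compare equal."""
    p = path.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    if len(p) >= 2 and p[1] == ":":
        p = p[2:]
    if p.startswith("\\systemroot\\"):
        p = "\\windows\\" + p[len("\\systemroot\\"):]
    return p


def classify(module: Module) -> str:
    """Label a module by where the kernel loaded it from."""
    p = _normalize(module.path)
    if "\\" not in p:
        # Boot-start drivers are reported by file name only in this log.
        return "boot-start (name only)"
    if "\\temp\\" in p:
        # A driver in a temp folder is unusual; confirm what put it there.
        return "REVIEW: loaded from a temp directory"
    if p.startswith("\\windows\\system32\\"):
        return "system"
    if p.startswith("\\program files\\"):
        return "third-party"
    return "REVIEW: unexpected location"


def summarize(log_text: str) -> Dict[str, int]:
    """Count modules per category, e.g. to compare two logs taken days apart."""
    counts: Dict[str, int] = {}
    for module in parse_modules(log_text):
        label = classify(module)
        counts[label] = counts.get(label, 0) + 1
    return counts


def review_candidates(log_text: str) -> List[str]:
    """Paths whose load location deserves a manual look."""
    return [m.path for m in parse_modules(log_text) if classify(m).startswith("REVIEW")]


if __name__ == "__main__":
    for module in parse_modules(SAMPLE_LOG):
        print(f"{module.base:#010x} {module.size:#010x} {classify(module):40} {module.path}")
    print("Review:", review_candidates(SAMPLE_LOG))
```

Run against a real Bootkit Remover log, the review list gives a short set of paths to look up by hand; on the log posted later in this thread it would list GMER's own catchme.sys in the Temp folder, which is exactly the kind of entry the flag is meant to surface and a helper then dismisses as known.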
  25. austevo

    austevo Newcomer, in training Topic Starter Posts: 18

    Hello again
    Ran ComboFix with the script, all good.
    The first entry, *.lakyclktolakylok.com, was accepted, but the second, lakyclktolakylok.*, wasn't: "invalid wildcard sequence" came up.
    Adobe installed, old version removed.
    Downloaded Bootkit Remover and 7-Zip, and this is the log:
    .\debug.cpp(238) : Debug log started at 05.06.2011 - 09:49:49
    .\boot_cleaner.cpp(527) : Bootkit Remover
    .\boot_cleaner.cpp(528) : (c) 2009 eSage Lab
    .\boot_cleaner.cpp(529) : www.esagelab.com
    .\boot_cleaner.cpp(533) : Program version: 1.2.0.0
    .\boot_cleaner.cpp(540) : OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    .\debug.cpp(248) : **********************************************
    .\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
    .\debug.cpp(250) : **********************************************
    .\debug.cpp(256) : 0x804d7000 0x00229000 "\WINDOWS\system32\ntoskrnl.exe"
    .\debug.cpp(256) : 0x80700000 0x00020d00 "\WINDOWS\system32\hal.dll"
    .\debug.cpp(256) : 0xf7987000 0x00002000 "\WINDOWS\system32\KDCOM.DLL"
    .\debug.cpp(256) : 0xf7897000 0x00003000 "\WINDOWS\system32\BOOTVID.dll"
    .\debug.cpp(256) : 0xf75a8000 0x0002e000 "ACPI.sys"
    .\debug.cpp(256) : 0xf7989000 0x00002000 "\WINDOWS\system32\DRIVERS\WMILIB.SYS"
    .\debug.cpp(256) : 0xf7597000 0x00011000 "pci.sys"
    .\debug.cpp(256) : 0xf75f7000 0x0000a000 "isapnp.sys"
    .\debug.cpp(256) : 0xf7607000 0x00010000 "ohci1394.sys"
    .\debug.cpp(256) : 0xf7617000 0x0000e000 "\WINDOWS\system32\DRIVERS\1394BUS.SYS"
    .\debug.cpp(256) : 0xf7a4f000 0x00001000 "pciide.sys"
    .\debug.cpp(256) : 0xf7707000 0x00007000 "\WINDOWS\system32\DRIVERS\PCIIDEX.SYS"
    .\debug.cpp(256) : 0xf7627000 0x0000b000 "MountMgr.sys"
    .\debug.cpp(256) : 0xf74d8000 0x0001f000 "ftdisk.sys"
    .\debug.cpp(256) : 0xf770f000 0x00005000 "PartMgr.sys"
    .\debug.cpp(256) : 0xf7637000 0x0000d000 "VolSnap.sys"
    .\debug.cpp(256) : 0xf74c0000 0x00018000 "atapi.sys"
    .\debug.cpp(256) : 0xf7b0a000 0x000d5000 "iaStor.sys"
    .\debug.cpp(256) : 0xf7647000 0x00009000 "disk.sys"
    .\debug.cpp(256) : 0xf7657000 0x0000d000 "\WINDOWS\system32\DRIVERS\CLASSPNP.SYS"
    .\debug.cpp(256) : 0xf74a0000 0x00020000 "fltmgr.sys"
    .\debug.cpp(256) : 0xf748e000 0x00012000 "sr.sys"
    .\debug.cpp(256) : 0xf7667000 0x0000f000 "Lbd.sys"
    .\debug.cpp(256) : 0xb87ec000 0x00014000 "drvmcdb.sys"
    .\debug.cpp(256) : 0xb87d5000 0x00017000 "KSecDD.sys"
    .\debug.cpp(256) : 0xb8748000 0x0008d000 "Ntfs.sys"
    .\debug.cpp(256) : 0xb8732000 0x00016000 "inspect.sys"
    .\debug.cpp(256) : 0xb8705000 0x0002d000 "\WINDOWS\System32\DRIVERS\NDIS.SYS"
    .\debug.cpp(256) : 0xf7717000 0x00005000 "\WINDOWS\System32\DRIVERS\TDI.SYS"
    .\debug.cpp(256) : 0xb86eb000 0x0001a000 "Mup.sys"
    .\debug.cpp(256) : 0xf76f7000 0x00009000 "\SystemRoot\system32\DRIVERS\intelppm.sys"
    .\debug.cpp(256) : 0xb6064000 0x00c2a000 "\SystemRoot\system32\DRIVERS\nv4_mini.sys"
    .\debug.cpp(256) : 0xb6050000 0x00014000 "\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS"
    .\debug.cpp(256) : 0xf77ef000 0x00006000 "\SystemRoot\system32\DRIVERS\usbuhci.sys"
    .\debug.cpp(256) : 0xb602c000 0x00024000 "\SystemRoot\system32\DRIVERS\USBPORT.SYS"
    .\debug.cpp(256) : 0xf77f7000 0x00008000 "\SystemRoot\system32\DRIVERS\usbehci.sys"
    .\debug.cpp(256) : 0xb5ed5000 0x00157000 "\SystemRoot\system32\drivers\P17.sys"
    .\debug.cpp(256) : 0xb5eb1000 0x00024000 "\SystemRoot\system32\drivers\portcls.sys"
    .\debug.cpp(256) : 0xf7557000 0x0000f000 "\SystemRoot\system32\drivers\drmk.sys"
    .\debug.cpp(256) : 0xb5e8e000 0x00023000 "\SystemRoot\system32\drivers\ks.sys"
    .\debug.cpp(256) : 0xb5e5e000 0x00030000 "\SystemRoot\system32\DRIVERS\ctoss2k.sys"
    .\debug.cpp(256) : 0xb5e38000 0x00026000 "\SystemRoot\system32\DRIVERS\ctsfm2k.sys"
    .\debug.cpp(256) : 0xb5e11000 0x00027000 "\SystemRoot\system32\DRIVERS\e100b325.sys"
    .\debug.cpp(256) : 0xb5dfd000 0x00014000 "\SystemRoot\system32\DRIVERS\parport.sys"
    .\debug.cpp(256) : 0xf7547000 0x0000d000 "\SystemRoot\system32\DRIVERS\i8042prt.sys"
    .\debug.cpp(256) : 0xf77ff000 0x00006000 "\SystemRoot\system32\DRIVERS\mouclass.sys"
    .\debug.cpp(256) : 0xf7807000 0x00006000 "\SystemRoot\system32\DRIVERS\kbdclass.sys"
    .\debug.cpp(256) : 0xf7537000 0x00010000 "\SystemRoot\system32\DRIVERS\serial.sys"
    .\debug.cpp(256) : 0xb8663000 0x00004000 "\SystemRoot\system32\DRIVERS\serenum.sys"
    .\debug.cpp(256) : 0xf7527000 0x0000b000 "\SystemRoot\system32\DRIVERS\imapi.sys"
    .\debug.cpp(256) : 0xf780f000 0x00007000 "\SystemRoot\System32\Drivers\MxlW2k.SYS"
    .\debug.cpp(256) : 0xf7517000 0x00010000 "\SystemRoot\system32\DRIVERS\cdrom.sys"
    .\debug.cpp(256) : 0xf7507000 0x0000f000 "\SystemRoot\system32\DRIVERS\redbook.sys"
    .\debug.cpp(256) : 0xf7a5d000 0x00001000 "\SystemRoot\system32\DRIVERS\audstub.sys"
    .\debug.cpp(256) : 0xb6e69000 0x0000d000 "\SystemRoot\system32\DRIVERS\rasl2tp.sys"
    .\debug.cpp(256) : 0xb865b000 0x00003000 "\SystemRoot\system32\DRIVERS\ndistapi.sys"
    .\debug.cpp(256) : 0xb5de6000 0x00017000 "\SystemRoot\system32\DRIVERS\ndiswan.sys"
    .\debug.cpp(256) : 0xb6e59000 0x0000b000 "\SystemRoot\system32\DRIVERS\raspppoe.sys"
    .\debug.cpp(256) : 0xb6e49000 0x0000c000 "\SystemRoot\system32\DRIVERS\raspptp.sys"
    .\debug.cpp(256) : 0xb5dd5000 0x00011000 "\SystemRoot\system32\DRIVERS\psched.sys"
    .\debug.cpp(256) : 0xb6e39000 0x00009000 "\SystemRoot\system32\DRIVERS\msgpc.sys"
    .\debug.cpp(256) : 0xf7817000 0x00005000 "\SystemRoot\system32\DRIVERS\ptilink.sys"
    .\debug.cpp(256) : 0xf781f000 0x00005000 "\SystemRoot\system32\DRIVERS\raspti.sys"
    .\debug.cpp(256) : 0xb6e29000 0x0000a000 "\SystemRoot\system32\DRIVERS\termdd.sys"
    .\debug.cpp(256) : 0xf79b1000 0x00002000 "\SystemRoot\system32\DRIVERS\swenum.sys"
    .\debug.cpp(256) : 0xb5d77000 0x0005e000 "\SystemRoot\system32\DRIVERS\update.sys"
    .\debug.cpp(256) : 0xb8653000 0x00004000 "\SystemRoot\system32\DRIVERS\mssmbios.sys"
    .\debug.cpp(256) : 0xb6e19000 0x0000a000 "\SystemRoot\System32\Drivers\NDProxy.SYS"
    .\debug.cpp(256) : 0xb4b5f000 0x0000f000 "\SystemRoot\system32\DRIVERS\usbhub.sys"
    .\debug.cpp(256) : 0xf79e7000 0x00002000 "\SystemRoot\system32\DRIVERS\USBD.SYS"
    .\debug.cpp(256) : 0xa82ac000 0x00039000 "\SystemRoot\System32\DRIVERS\cmdguard.sys"
    .\debug.cpp(256) : 0xa9035000 0x00004000 "\SystemRoot\system32\DRIVERS\usbscan.sys"
    .\debug.cpp(256) : 0xf79d5000 0x00002000 "\SystemRoot\System32\Drivers\Fs_Rec.SYS"
    .\debug.cpp(256) : 0xb208c000 0x00001000 "\SystemRoot\System32\Drivers\Null.SYS"
    .\debug.cpp(256) : 0xf79d7000 0x00002000 "\SystemRoot\System32\Drivers\Beep.SYS"
    .\debug.cpp(256) : 0xafc6d000 0x00007000 "\SystemRoot\system32\DRIVERS\HIDPARSE.SYS"
    .\debug.cpp(256) : 0xafc65000 0x00006000 "\SystemRoot\System32\drivers\vga.sys"
    .\debug.cpp(256) : 0xf79d9000 0x00002000 "\SystemRoot\System32\Drivers\mnmdd.SYS"
    .\debug.cpp(256) : 0xf79db000 0x00002000 "\SystemRoot\System32\DRIVERS\RDPCDD.sys"
    .\debug.cpp(256) : 0xafc5d000 0x00005000 "\SystemRoot\System32\Drivers\Msfs.SYS"
    .\debug.cpp(256) : 0xafc55000 0x00008000 "\SystemRoot\System32\Drivers\Npfs.SYS"
    .\debug.cpp(256) : 0xa902d000 0x00003000 "\SystemRoot\system32\DRIVERS\rasacd.sys"
    .\debug.cpp(256) : 0xa8279000 0x00013000 "\SystemRoot\system32\DRIVERS\ipsec.sys"
    .\debug.cpp(256) : 0xa8220000 0x00059000 "\SystemRoot\system32\DRIVERS\tcpip.sys"
    .\debug.cpp(256) : 0xa81fa000 0x00026000 "\SystemRoot\system32\DRIVERS\ipnat.sys"
    .\debug.cpp(256) : 0xafc4d000 0x00006000 "\SystemRoot\System32\DRIVERS\cmdhlp.sys"
    .\debug.cpp(256) : 0xa81d2000 0x00028000 "\SystemRoot\system32\DRIVERS\netbt.sys"
    .\debug.cpp(256) : 0xb032e000 0x00009000 "\SystemRoot\system32\DRIVERS\wanarp.sys"
    .\debug.cpp(256) : 0xa81b0000 0x00022000 "\SystemRoot\System32\drivers\afd.sys"
    .\debug.cpp(256) : 0xb031e000 0x00009000 "\SystemRoot\system32\DRIVERS\netbios.sys"
    .\debug.cpp(256) : 0xa88c3000 0x00006000 "\SystemRoot\system32\DRIVERS\ssmdrv.sys"
    .\debug.cpp(256) : 0xa8185000 0x0002b000 "\SystemRoot\system32\DRIVERS\rdbss.sys"
    .\debug.cpp(256) : 0xa8115000 0x00070000 "\SystemRoot\system32\DRIVERS\mrxsmb.sys"
    .\debug.cpp(256) : 0xb030e000 0x0000b000 "\SystemRoot\System32\Drivers\Fips.SYS"
    .\debug.cpp(256) : 0xa80ef000 0x00026000 "\SystemRoot\system32\DRIVERS\avipbb.sys"
    .\debug.cpp(256) : 0xa88bb000 0x00008000 "\SystemRoot\system32\DRIVERS\usbccgp.sys"
    .\debug.cpp(256) : 0xf79df000 0x00002000 "\??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys"
    .\debug.cpp(256) : 0xb02de000 0x00010000 "\SystemRoot\System32\Drivers\Cdfs.SYS"
    .\debug.cpp(256) : 0xa88b3000 0x00007000 "\SystemRoot\system32\DRIVERS\usbprint.sys"
    .\debug.cpp(256) : 0xa88ab000 0x00007000 "\SystemRoot\system32\DRIVERS\USBSTOR.SYS"
    .\debug.cpp(256) : 0xa801a000 0x000d5000 "\SystemRoot\System32\Drivers\dump_iaStor.sys"
    .\debug.cpp(256) : 0xbf800000 0x001c6000 "\SystemRoot\System32\win32k.sys"
    .\debug.cpp(256) : 0xa85f6000 0x00003000 "\SystemRoot\System32\drivers\Dxapi.sys"
    .\debug.cpp(256) : 0xa889b000 0x00005000 "\SystemRoot\System32\watchdog.sys"
    .\debug.cpp(256) : 0xbd000000 0x00012000 "\SystemRoot\System32\drivers\dxg.sys"
    .\debug.cpp(256) : 0xae3e3000 0x00001000 "\SystemRoot\System32\drivers\dxgthk.sys"
    .\debug.cpp(256) : 0xbd012000 0x00401000 "\SystemRoot\System32\nv4_disp.dll"
    .\debug.cpp(256) : 0xa7562000 0x00015000 "\SystemRoot\system32\DRIVERS\avgntflt.sys"
    .\debug.cpp(256) : 0xb86bb000 0x00004000 "\SystemRoot\system32\DRIVERS\ndisuio.sys"
    .\debug.cpp(256) : 0xa7435000 0x00015000 "\SystemRoot\system32\drivers\wdmaud.sys"
    .\debug.cpp(256) : 0xaed8c000 0x0000f000 "\SystemRoot\system32\drivers\sysaudio.sys"
    .\debug.cpp(256) : 0xa73bd000 0x0002d000 "\SystemRoot\system32\DRIVERS\mrxdav.sys"
    .\debug.cpp(256) : 0xb3713000 0x00002000 "\SystemRoot\System32\Drivers\ParVdm.SYS"
    .\debug.cpp(256) : 0xa72c2000 0x00003000 "\SystemRoot\system32\DRIVERS\mdmxsdk.sys"
    .\debug.cpp(256) : 0xa70ba000 0x00058000 "\SystemRoot\system32\DRIVERS\srv.sys"
    .\debug.cpp(256) : 0xa6905000 0x00041000 "\SystemRoot\System32\Drivers\HTTP.sys"
    .\debug.cpp(256) : 0xf79c9000 0x00002000 "\??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS"
    .\debug.cpp(256) : 0xb6cd6000 0x00008000 "\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys"
    .\debug.cpp(256) : 0xa6564000 0x0002b000 "\SystemRoot\system32\drivers\kmixer.sys"
    .\debug.cpp(256) : 0x7c900000 0x000b2000 "\WINDOWS\system32\ntdll.dll"
    .\debug.cpp(263) : **********************************************
    .\debug.cpp(307) : *** [ DEVICE OBJECTS INFORMATION ] ***********
    .\debug.cpp(308) : **********************************************
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDIS"
    .\debug.cpp(400) : Destination "\Device\Ndis"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY1"
    .\debug.cpp(400) : Destination "\Device\Video0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHP_DVD_Writer_1260r_____________________MH23____#4&1a913b34&0&0.1.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IAAStorageDevice-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ffbb6e3f-ccfe-4d84-90d9-421418b03a8e}"
    .\debug.cpp(400) : Destination "\Device\00000038"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY2"
    .\debug.cpp(400) : Destination "\Device\Video1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{783FAB0C-610F-445D-9EF1-D4C53D96B1BD}"
    .\debug.cpp(400) : Destination "\Device\{783FAB0C-610F-445D-9EF1-D4C53D96B1BD}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPPOEMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000031"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ip"
    .\debug.cpp(400) : Destination "\Device\Ip"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#Disk&Ven_Canon&Prod_MG5100_series&Rev_0102#7&700bae7&0&136C3B&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\0000006c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY3"
    .\debug.cpp(400) : Destination "\Device\Video2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\E:"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPSECDev"
    .\debug.cpp(400) : Destination "\Device\IPSEC"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\avgio"
    .\debug.cpp(400) : Destination "\Device\avgio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY4"
    .\debug.cpp(400) : Destination "\Device\Video3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_27CA&SUBSYS_544E8086&REV_01#3&61aaa01&0&EA#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0009"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANIP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000030"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDPROXY"
    .\debug.cpp(400) : Destination "\Device\NDProxy"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_1102&DEV_0007&SUBSYS_100A1102&REV_00#4&1e46f438&0&08F0#{65e8773e-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0017"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\$VDMLPT1"
    .\debug.cpp(400) : Destination "\Device\ParallelVdm0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_27CC&SUBSYS_544E8086&REV_01#3&61aaa01&0&EF#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0011"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3c0d501a-140b-11d1-b40f-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000038"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\INTELPRO_{6B740CB3-D40A-43D0-9361-EBB75413AD3A}"
    .\debug.cpp(400) : Destination "\Device\INTELPRO_{6B740CB3-D40A-43D0-9361-EBB75413AD3A}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&10bd2812&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0303#4&2b9557d4&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\0000005b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WMIDataDevice"
    .\debug.cpp(400) : Destination "\Device\WMIDataDevice"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM1"
    .\debug.cpp(400) : Destination "\Device\Serial0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\LPTENUM#MicrosoftRawPort#5&324ab58f&0&LPT1#{811fc6a5-f728-11d0-a537-0000f8753ed1}"
    .\debug.cpp(400) : Destination "\Device\Parallel0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0401#4&2b9557d4&0#{97f76ef0-f883-11d0-af1f-0000f800845c}"
    .\debug.cpp(400) : Destination "\Device\00000059"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#8&34a976b0&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\avgntflt"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\avgntflt"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{dff220f3-f70f-11d0-b917-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000038"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB20#4&75e94fd&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PIPE"
    .\debug.cpp(400) : Destination "\Device\NamedPipe"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Lbd"
    .\debug.cpp(400) : Destination "\Device\Lbd"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Usbscan0"
    .\debug.cpp(400) : Destination "\Device\Usbscan0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c5066e-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{2eb07ea0-7e70-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000038"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\G:"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{a47207b5-3b3e-11e0-8bab-0013202473db}"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\UNC"
    .\debug.cpp(400) : Destination "\Device\Mup"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Usbscan1"
    .\debug.cpp(400) : Destination "\Device\Usbscan1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PSched"
    .\debug.cpp(400) : Destination "\Device\PSched"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_04a9&Pid_1748&MI_01#6&13ef8106&0&0001#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}"
    .\debug.cpp(400) : Destination "\Device\00000068"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPNAT"
    .\debug.cpp(400) : Destination "\Device\IPNAT"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_27C9&SUBSYS_544E8086&REV_01#3&61aaa01&0&E9#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0008"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgrMsg"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgrMsg"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000038"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD0"
    .\debug.cpp(400) : Destination "\Device\USBFDO-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Tcp"
    .\debug.cpp(400) : Destination "\Device\Tcp"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&256db9b&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_27C8&SUBSYS_544E8086&REV_01#3&61aaa01&0&E8#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0007"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\LCD"
    .\debug.cpp(400) : Destination "\Device\VideoPdo0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD1"
    .\debug.cpp(400) : Destination "\Device\USBFDO-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PTIMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000035"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{C285CD08-E5FA-4F6F-90F5-0B32CF84227D}"
    .\debug.cpp(400) : Destination "\Device\{C285CD08-E5FA-4F6F-90F5-0B32CF84227D}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CTIO"
    .\debug.cpp(400) : Destination "\Device\CTIO"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive0"
    .\debug.cpp(400) : Destination "\Device\Harddisk0\DR0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ConexantDiagnosticsServer"
    .\debug.cpp(400) : Destination "\Device\ConexantDiagnosticsServer"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PRN"
    .\debug.cpp(400) : Destination "\DosDevices\LPT1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0001#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000034"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD2"
    .\debug.cpp(400) : Destination "\Device\USBFDO-2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{53172480-4791-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000038"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{304B4923-4D15-42A1-BFA2-7520B47A86C6}"
    .\debug.cpp(400) : Destination "\Device\{304B4923-4D15-42A1-BFA2-7520B47A86C6}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{7D7FE838-D432-482D-B3D6-DA955792E07E}"
    .\debug.cpp(400) : Destination "\Device\{7D7FE838-D432-482D-B3D6-DA955792E07E}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{63da4a9a-2f53-11e0-8b8d-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive1"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DR2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\sysaudio"
    .\debug.cpp(400) : Destination "\Device\sysaudio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\fsWrap"
    .\debug.cpp(400) : Destination "\Device\FsWrap"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD3"
    .\debug.cpp(400) : Destination "\Device\USBFDO-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{97ebaacb-95bd-11d0-a3ea-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000038"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000033"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom0"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_1102&DEV_0007&SUBSYS_100A1102&REV_00#4&1e46f438&0&08F0#{dda54a40-1e4c-11d1-a050-405705c10000}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0017"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_04a9&Pid_1748#136C3B#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD4"
    .\debug.cpp(400) : Destination "\Device\USBFDO-4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_104C&DEV_8024&SUBSYS_544E8086&REV_00#4&1e46f438&0&28F0#{6bdd1fc1-810f-11d0-bec7-08002be2092f}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0018"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_04a9&Pid_1748&MI_00#6&13ef8106&0&0000#{6bdd1fc6-810f-11d0-bec7-08002be2092f}"
    .\debug.cpp(400) : Destination "\Device\00000067"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#FixedButton#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Global"
    .\debug.cpp(400) : Destination "\GLOBAL??"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"
    .\debug.cpp(400) : Destination "\Device\0000005c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50671-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3e227e76-690d-11d2-8161-0000f8775bf1}"
    .\debug.cpp(400) : Destination "\Device\00000038"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\cmdGuard"
    .\debug.cpp(400) : Destination "\Device\cmdGuard"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad809c00-7b88-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000038"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9ea331fa-b91b-45f8-9285-bd2bc77afcde}"
    .\debug.cpp(400) : Destination "\Device\00000038"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_15_Model_4#_0#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
    .\debug.cpp(400) : Destination "\Device\0000003d"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_0161&SUBSYS_2A12107D&REV_A1#4&29c08469&0&0008#{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0020"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{6bf434ba-3c3e-11da-a760-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\catchme"
    .\debug.cpp(400) : Destination "\Device\catchme"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{4d36e978-e325-11ce-bfc1-08002be10318}"
    .\debug.cpp(400) : Destination "\Device\0000005c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0303#4&2b9557d4&0#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\0000005b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MountPointManager"
    .\debug.cpp(400) : Destination "\Device\MountPointManager"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50674-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0F03#4&2b9557d4&0#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\0000005a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_03f0&Pid_0705#CN19WAD5TSB#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ssmctl"
    .\debug.cpp(400) : Destination "\Device\ssmctl"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_L2TPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000002f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0E#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\0000003f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WanArp"
    .\debug.cpp(400) : Destination "\Device\WANARP"
    .\debug.cpp(409) : --
    .\debug.cpp(453) : **********************************************
    .\boot_cleaner.cpp(565) : System volume is \\.\C:
    .\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    .\diskio.cpp(204) : ATA_Read(): DeviceIoControl() ERROR 87
    .\boot_cleaner.cpp(276) : Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd
    .\boot_cleaner.cpp(1060) :
    .\boot_cleaner.cpp(1061) : Size Device Name MBR Status
    .\boot_cleaner.cpp(1062) : --------------------------------------------
    .\boot_cleaner.cpp(1106) : 298 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
    .\boot_cleaner.cpp(1112) :
    .\boot_cleaner.cpp(1151) : Done;