TechSpot

Redirected to incorrect sites when clicking on resulting search links

By anxious
Jun 12, 2011
  1. First off, thank you very much for taking the time to help so many people!

    Major computer problems started a couple of days ago. A website I visited somehow resulted in a "rogue" that would not stop popping up, telling me I had 24 viruses and needed to download their program. I did what I was instructed to do (via McAfee) to fix that problem, but now this just showed up. I don't know if it is related or not.

    I think I have the starting information you need. I am definitely not a computer guru, though, so if I messed up, please just let me know and I can try to correct it!

    MalwareBytes Log (There are two even though I only ran it once. I'm not sure which one you need, so I am posting both.):

    First Log
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6832

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.19019

    6/11/2011 1:35:59 AM
    mbam-log-2011-06-11 (01-35-59).txt

    Scan type: Full scan (C:\|D:\|E:\|F:\|)
    Objects scanned: 355037
    Time elapsed: 1 hour(s), 45 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 21

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vyotfqln (Rogue.AntivirusSuite.Gen) -> Value: vyotfqln -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Users\c.clan\AppData\Local\abzezc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\c.clan\AppData\Local\Temp\jar_cache10086.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\c.clan\AppData\Local\Temp\jar_cache10087.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\c.clan\AppData\Local\Temp\jar_cache10088.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\c.clan\AppData\Local\Temp\jar_cache10089.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\c.clan\AppData\Local\Temp\jar_cache10090.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\c.clan\AppData\Local\Temp\jar_cache10091.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\c.clan\AppData\Local\Temp\jar_cache10092.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\c.clan\AppData\Local\Temp\jar_cache10093.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\c.clan\AppData\Local\Temp\jar_cache10094.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\c.clan\AppData\Local\Temp\jar_cache12539.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\$Recycle.Bin\s-1-5-21-60730305-3682503428-79390655-1000\$R85PWX1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\$Recycle.Bin\s-1-5-21-60730305-3682503428-79390655-1000\$R99GBYH.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\$Recycle.Bin\s-1-5-21-60730305-3682503428-79390655-1000\$RBDGPMH.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\$Recycle.Bin\s-1-5-21-60730305-3682503428-79390655-1000\$RBLHA68.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\$Recycle.Bin\s-1-5-21-60730305-3682503428-79390655-1000\$RGAETZS.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\$Recycle.Bin\s-1-5-21-60730305-3682503428-79390655-1000\$RHAUUT7.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\$Recycle.Bin\s-1-5-21-60730305-3682503428-79390655-1000\$RJ500CM.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\$Recycle.Bin\s-1-5-21-60730305-3682503428-79390655-1000\$RLFU5HF.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\$Recycle.Bin\s-1-5-21-60730305-3682503428-79390655-1000\$RYDUA5R.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\c.clan\AppData\Roaming\microsoft\Windows\start menu\Programs\security shield.lnk (Rogue.SecurityShield) -> Quarantined and deleted successfully.

    Second Log
    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6845

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.19019

    6/12/2011 9:14:09 PM
    mbam-log-2011-06-12 (21-14-09).txt

    Scan type: Quick scan
    Objects scanned: 172518
    Time elapsed: 7 minute(s), 36 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Users\c.clan\AppData\Local\Temp\D6C3.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.

    GMER Results

    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit quick scan 2011-06-12 21:24:08
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\00000032 SAMSUNG_ rev.CP10
    Running: 0969flyc.exe; Driver: C:\Users\CFEB2~1.CLA\AppData\Local\Temp\pgloqpow.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 MBR read error
    Disk \Device\Harddisk0\DR0 MBR BIOS signature not found 0

    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8B84CD48]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8B84CD72]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8B84CD5E]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x8B84CD34]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

    AttachedDevice mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

    Device fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\tdx \Device\Udp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    Device \Device\0000005f -> \??\SCSI#Disk&Ven_SAMSUNG&Prod_HD321KJ#4&228bd848&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----


    DDS Logs

    Attach
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-12.02)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume3
    Install Date: 1/20/2008 4:08:27 AM
    System Uptime: 6/12/2011 9:32:19 PM (0 hours ago)
    .
    Motherboard: Dell Inc. | | 0RY206
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5000+ | Socket AM2 | 2600/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 288 GiB total, 184.674 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 5.761 GiB free.
    E: is CDROM (UDF)
    F: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    1000 Best Fonts
    Acrobat.com
    Ad-Aware
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.3.2
    AMD Fuel
    AOL Install
    Apple Application Support
    Apple Software Update
    ATI Catalyst Control Center
    ATI Catalyst Install Manager
    ATI Catalyst Registration
    Brother MFL-Pro Suite
    Browser Address Error Redirector
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization Chinese Standard
    Catalyst Control Center Localization Chinese Traditional
    Catalyst Control Center Localization French
    Catalyst Control Center Localization German
    Catalyst Control Center Localization Hungarian
    Catalyst Control Center Localization Italian
    Catalyst Control Center Localization Japanese
    Catalyst Control Center Localization Korean
    Catalyst Control Center Localization Polish
    Catalyst Control Center Localization Portuguese
    Catalyst Control Center Localization Spanish
    Catalyst Control Center Localization Thai
    Catalyst Control Center Localization Turkish
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help English
    CCC Help French
    CCC Help German
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Spanish
    CCC Help Thai
    CCC Help Turkish
    CloudCare
    Conexant D850 PCI V.92 Modem
    Coupon Printer for Windows
    CutePDF Writer 2.7
    Dell DataSafe Online
    Dell Getting Started Guide
    Dell Support Center
    Digital Line Detect
    Digital Photo Navigator 1.5
    Drivers Install For Linksys Easylink Advisor
    EarthLink Setup Files
    Everio MediaBrowser
    Fax Solutions
    Google Desktop
    Google Toolbar for Internet Explorer
    Google Update Helper
    GP_Patch
    Guitar Praise
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Internet Service Offers Launcher
    Java(TM) SE Runtime Environment 6
    K-Lite Codec Pack 7.1.0 (Basic)
    KODAK Share Button App
    Linksys EasyLink Advisor 1.6 (0032)
    Malwarebytes' Anti-Malware version 1.51.0.1200
    McAfee AntiVirus Plus
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft IntelliPoint 8.0
    Microsoft Office Excel Viewer
    Microsoft Silverlight
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft Works
    Modem Diagnostic Tool
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Music, Photos & Videos Launcher
    NetWaiting
    NVIDIA Drivers
    NVIDIANetworkDiagnostic
    Paint Shop Pro 7 Anniversary Edition
    Pando Media Booster
    PaperPort Image Printer
    Product Documentation Launcher
    QuickTime
    Real Alternative 2.0.2
    Realtek High Definition Audio Driver
    Roxio Creator Audio
    Roxio Creator BDAV Plugin
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler
    Roxio MyDVD DE
    Roxio Update Manager
    ScanSoft PaperPort 11
    screensaver_ksbj
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Serif DrawPlus 4.0
    Sid Meier's Civilization 4 Complete
    Skins
    Sonic Activation Module
    TestDrive Client
    The Weather Channel Desktop 6
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    User's Guides
    VideoSpirit Pro 1.70
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Walmart MP3 Music Downloads
    Windows Driver Package - Eastman Kodak KODAK Digital Camera (01/29/2010 1.4.1.0)
    Windows Mobile Device Center
    Windows Mobile Device Center Driver Update
    Windows Movie Maker 2.6
    .
    ==== Event Viewer Messages From Past Week ========
    .
    6/12/2011 9:33:22 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Null
    6/12/2011 9:33:07 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    6/12/2011 9:32:48 PM, Error: EventLog [6008] - The previous system shutdown at 9:30:25 PM on 6/12/2011 was unexpected.
    6/12/2011 11:04:11 AM, Error: Service Control Manager [7031] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    6/11/2011 9:54:16 PM, Error: EventLog [6008] - The previous system shutdown at 9:51:17 PM on 6/11/2011 was unexpected.
    6/11/2011 4:14:12 PM, Error: Service Control Manager [7034] - The McAfee Firewall Core Service service terminated unexpectedly. It has done this 1 time(s).
    .
    ==== End Of File ===========================

    DDS
    .
    DDS (Ver_2011-06-12.02) - NTFSx86
    Internet Explorer: 8.0.6001.19019
    Run by c.clan at 21:36:27 on 2011-06-12
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3582.2193 [GMT -5:00]
    .
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    AV: CloudCare *Disabled/Updated* {567F6DDD-22AE-6081-DE6F-F28A4699C7E6}
    SP: CloudCare AntiSpyware *Disabled/Updated* {ED1E8C39-0494-6F0F-E4DF-C9F83D1E8D5B}
    SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\AERTSrv.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe
    C:\Program Files\Bsecure\InetCtrl.exe
    C:\Program Files\Bsecure\BsecAV.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Bsecure\BSecAMX.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Kodak\KODAK Share Button App\Listener.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Bsecure\BsecTray.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
    C:\Program Files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\svchost.exe -k WindowsMobile
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\System32\mobsync.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uSearch Bar = Preserve
    uWindow Title = Internet Explorer provided by Dell
    mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5080120
    BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110611161436.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\StartRegistryBooster.exe
    uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [<NO NAME>]
    mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
    mRun: [FaxCenterServer] "c:\program files\dell pc fax\fm3032.exe" /s
    mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
    mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
    mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
    mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\programdata\scansoft\paperport\11\config\ereg\Ereg.ini
    mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
    mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [Bsecure] c:\program files\bsecure\BsecTray.exe
    mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10o_ActiveX.exe -update activex
    StartupFolder: c:\users\c.clan\appdata\roaming\microsoft\windows\start menu\programs\startup\CurseClientStartup.ccip
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\camera~1.lnk - c:\program files\pixela\everio mediabrowser\MBCameraMonitor.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
    LSP: %ProgramFiles%\Bsecure\InetCtrl43.dll
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{94EE6A8B-5BB2-470C-B334-7DA00E445979} : DhcpNameServer = 192.168.1.254
    Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
    Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 amacpi;Microsoft Away Mode System;c:\windows\system32\drivers\null.sys [2011-3-8 4608]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-3-8 64512]
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-1-25 459728]
    R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-4-21 64648]
    R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-3-18 163400]
    R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-1-26 176128]
    R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ati technologies\ati.ace\fuel\Fuel.Service.exe [2011-1-26 284672]
    R2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ati technologies\ati.ace\reservation manager\AMD Reservation Manager.exe [2010-6-17 140224]
    R2 Bsecure;CloudCare;c:\program files\bsecure\InetCtrl.exe [2011-2-25 55136]
    R2 BsecureAV;CloudCare AntiVirus;c:\program files\bsecure\BsecAV.exe [2011-2-25 135080]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2011-3-8 21504]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-3-8 2151128]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-10 366640]
    R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-6-29 214904]
    R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-6-29 214904]
    R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-6-29 214904]
    R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-21 165000]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-21 159832]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-21 148520]
    R3 amdiox86;AMD IO Driver;c:\windows\system32\drivers\amdiox86.sys [2011-3-7 37944]
    R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-1-26 7566848]
    R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-1-26 238592]
    R3 BSecACFltr;BSecACFltr;c:\windows\system32\drivers\BSecACFltr.sys [2011-2-25 21624]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-21 57432]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-6-10 22712]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-1-25 179248]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-1-25 59288]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-21 337912]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-12 135664]
    S3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\drivers\dc3d.sys [2010-7-21 44432]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-3-8 15232]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-10 39984]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-21 85984]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-1-25 34248]
    S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-1-25 40552]
    S4 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-21 84072]
    .
    =============== Created Last 30 ================
    .
    2011-06-11 04:46:24 -------- d-----w- c:\users\c.clan\appdata\roaming\Malwarebytes
    2011-06-11 04:46:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-11 04:46:11 -------- d-----w- c:\programdata\Malwarebytes
    2011-06-11 04:46:08 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-11 04:46:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-22 04:21:50 -------- d-----w- c:\users\c.clan\appdata\local\WMTools Downloaded Files
    2011-05-22 04:18:40 -------- d-----w- c:\program files\Movie Maker 2.6
    2011-05-22 03:40:19 175616 ----a-w- c:\windows\system32\unrar.dll
    2011-05-22 03:40:18 -------- d-----w- c:\program files\K-Lite Codec Pack
    2011-05-22 03:37:28 -------- d-----w- c:\program files\Real Alternative
    2011-05-22 01:03:17 -------- d-----w- c:\program files\VideoSpirit Pro
    2011-05-21 21:20:35 -------- d-----w- c:\programdata\PIXELA
    2011-05-21 20:56:34 -------- d-----w- c:\program files\PIXELA
    2011-05-21 20:55:16 -------- d-----w- c:\program files\Digital Photo Navigator 1.5
    .
    ==================== Find3M ====================
    .
    2011-04-19 02:26:54 624640 ----a-w- c:\windows\screensaver_ksbj.scr
    2011-04-18 10:23:39 16432 ----a-w- c:\windows\system32\lsdelete.exe
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.0.6002 Disk: SAMSUNG_ rev.CP10 -> Harddisk0\DR0 ->
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85B54ECC]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x86cf0879; SUB DWORD [EBP-0x4], 0x86cf0135; PUSH EDI; CALL 0xffffffffffffdf2c; }
    1 ntkrnlpa!IofCallDriver[0x82259912] -> \Device\Harddisk0\DR0[0x86783AC8]
    3 CLASSPNP[0x8BDA08B3] -> ntkrnlpa!IofCallDriver[0x82259912] -> [0x85AD2150]
    5 acpi[0x8060B6BC] -> ntkrnlpa!IofCallDriver[0x82259912] -> [0x85AD2C90]
    [0x86D6F160] -> IRP_MJ_CREATE -> 0x85B54ECC
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
    detected disk devices:
    \Device\0000005f -> \??\SCSI#Disk&Ven_SAMSUNG&Prod_HD321KJ#4&228bd848&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 21:39:27.45 ===============

    I would greatly appreciate any advice! Thank you!
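As an added example (it is not part of anxious's post and not Malwarebytes' own tooling), the following Python script parses the Malwarebytes 1.x log format shown above into records, checks that the summary counts near the top of the log agree with the items actually listed under each section, and flags detections that live in autostart locations (the Run key and the Startup folder), which is how a rogue like the one above survives a reboot. The embedded SAMPLE_LOG is a shortened excerpt of the first log in the post, with the "Files Infected" section cut to three entries and its count adjusted to match; the function and variable names are my own.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log (added example, not from the thread)."""
import re
from collections import Counter

# Constructed sample: an excerpt of the first log posted above, with the
# "Files Infected" section cut down to three entries (count adjusted to match).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6832

6/11/2011 1:35:59 AM
mbam-log-2011-06-11 (01-35-59).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 355037
Time elapsed: 1 hour(s), 45 minute(s), 21 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vyotfqln (Rogue.AntivirusSuite.Gen) -> Value: vyotfqln -> Quarantined and deleted successfully.

Files Infected:
c:\Users\c.clan\AppData\Local\abzezc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\c.clan\AppData\Local\Temp\jar_cache10086.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\c.clan\AppData\Roaming\microsoft\Windows\start menu\Programs\security shield.lnk (Rogue.SecurityShield) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?\s*$")
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+?)\.?$")
# Autostart locations: a hit here is what brings a rogue back after a reboot.
PERSISTENCE_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\|\\start menu\\programs\\startup\\", re.I)


def parse_mbam_log(text):
    """Return header fields, the declared per-section counts, and one dict per detection."""
    header, declared, detections, section = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items"):
            continue
        m = SECTION_RE.match(line)
        if m:                                   # "X Infected: N" is a summary line, "X Infected:" opens a section
            if m.group("count") is not None:
                declared[m.group("name")] = int(m.group("count"))
            else:
                section = m.group("name")
            continue
        if section is None:                     # still in the header block
            key, sep, value = line.partition(": ")
            if sep:
                header[key] = value
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue
        parts = m.group("rest").split(" -> ")   # optional "Value: x" detail, then the action taken
        detections.append({
            "section": section, "path": m.group("path"), "threat": m.group("threat"),
            "detail": " -> ".join(parts[:-1]), "action": parts[-1],
            "persistence": bool(PERSISTENCE_RE.search(m.group("path"))),
        })
    return {"header": header, "declared": declared, "detections": detections}


def summarize(parsed):
    """Per-section totals, threat families, declared-vs-listed mismatches and autostart hits."""
    per_section = Counter(d["section"] for d in parsed["detections"])
    families = Counter(d["threat"].split(".")[0] for d in parsed["detections"])
    mismatches = {name: (n, per_section.get(name, 0))
                  for name, n in parsed["declared"].items() if per_section.get(name, 0) != n}
    persistent = [d for d in parsed["detections"] if d["persistence"]]
    return {"per_section": dict(per_section), "families": dict(families),
            "mismatches": mismatches, "persistent": persistent}


if __name__ == "__main__":
    result = summarize(parse_mbam_log(SAMPLE_LOG))
    print("detections per section:", result["per_section"])
    print("threat families:", result["families"])
    print("summary/listing mismatches:", result["mismatches"] or "none")
    for d in result["persistent"]:
        print("autostart entry:", d["path"], "->", d["threat"])
```

On the sample the only autostart hit is the `vyotfqln` value under `HKCU\...\CurrentVersion\Run`, which is the entry that relaunched the rogue at every logon; the `.lnk` under Start Menu\Programs is only a shortcut, not a startup item, so it is not flagged. The mismatch check matters when reading a log that someone has trimmed or pasted twice.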
     
  2. anxious

    anxious TS Rookie Topic Starter

    New problems: Not every time, but about half of the time when we start IE, it shuts down right away. Then a box comes up in the bottom right-hand corner that says something about how IE was shut down by Data Execution Prevention. Also, we received six emails from Bsecure about requests we never made.

    The redirection problem seems to have gone away! I am still scared to continue using the computer for important tasks, though, until we get the okay. We have the new problems, plus, I read somewhere that even though your computer seems to be clean, it may not be.

    Thank you for any help!

    ****Edited to add****

    Ugh, I'm adding to this post since I just posted this a little bit ago. I'm very sorry, but I forgot we have a regularly scheduled cleaning done on Tuesday mornings (4 AM, before we get up). I just checked and it cleans the recycle bin, shortcuts, temporary files, active X controls and registry. If this means I need to go back and redo the first steps before you can help, please just let me know. Again, I'm sorry!!!
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The reason your thread wasn't picked up sooner is because you marked it Active. A thread is not active until Broni or I pick it up and begin helping you. When that is done, whoever picks it up marks it Active.
    =============================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Reminder to be patient
    If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
    To begin with, no matter what cleaning you did, this must be corrected:
    You should have only 1 antivirus program. You have 4. This makes the system more vulnerable, not less. It appears that you may have paid for 3 security suites: McAfee, Cloud Care and Lavasoft

    If any of these are in a trial period, you should remove them, leaving you with 1 AV, 1 FW.
    Multiple spyware programs are okay.

    Please decide which you want to keep and remove the others. Reboot the system when finished.
    ================================================
    Thank you for using the Edit feature instead of making a new post. What was removed was okay. I noticed quite a few files were still in the Recycle bin. You do not need to wait until your scheduled cleaning: if files or folders are sent to the recycle bin, especially those that are malware, you should then empty the bin. It's possible that if you went to restore a file in the bin and restored them all or chose the wrong one, malware could be released back into the system.
    ====================================================
    You have a rootkit. Please run the following:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43. Please paste the log into your next reply.
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ===============================================
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a confirmation message (the screenshot from the original post is not preserved).
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
     
  4. anxious

    anxious TS Rookie Topic Starter

    Sorry about marking the thread!

    Anti-Virus software: I removed Lavasoft. Cloud Care has the option of including McAfee's anti-virus software, but since we already had McAfee, that option was just turned off. If it is best if we remove McAfee and then purchase it through Cloud Care instead, let us know, please!

    TDSSKiller Log

    C:\Windows\system32\drivers\partmgr.sys - copied to quarantine
    \Device\Harddisk0\DR0\TDLFS\tdl - copied to quarantine
    \Device\Harddisk0\DR0\TDLFS\rsrc.dat - copied to quarantine
    \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
    \Device\Harddisk0\DR0\TDLFS\tests - copied to quarantine
    \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
    \Device\Harddisk0\DR0\TDLFS\module.dll - copied to quarantine
    \Device\Harddisk0\DR0\TDLFS\clc.dll - copied to quarantine

    ComboFix Log

    (While ComboFix was running, my monitor went blank. I tried waiting, but not seeing any mention of this in your instructions, I finally got nervous enough to do a hard reboot. After restarting in normal mode, I just ran ComboFix again. Everything seemed to work okay then. If it makes any difference, the first time, it made it through stage 2 before going blank.)

    ComboFix 11-06-16.02 - c.clan 06/17/2011 4:41.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3582.2475 [GMT -5:00]
    Running from: c:\users\c.clan\Desktop\ComboFix.exe
    AV: CloudCare *Disabled/Updated* {567F6DDD-22AE-6081-DE6F-F28A4699C7E6}
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    SP: CloudCare AntiSpyware *Disabled/Updated* {ED1E8C39-0494-6F0F-E4DF-C9F83D1E8D5B}
    SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\LHT130.tmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-17 to 2011-06-17 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-17 09:50 . 2011-06-17 09:52 -------- d-----w- c:\users\c.clan\AppData\Local\temp
    2011-06-17 09:50 . 2011-06-17 09:50 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-06-17 09:50 . 2011-06-17 09:50 -------- d-----w- c:\users\CFEB2~1~CLA\AppData\Local\temp
    2011-06-17 09:11 . 2011-06-17 09:11 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-06-15 01:00 . 2011-05-02 12:02 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-06-15 01:00 . 2010-12-20 16:35 563712 ----a-w- c:\windows\system32\oleaut32.dll
    2011-06-15 01:00 . 2011-05-02 17:16 739328 ----a-w- c:\windows\system32\inetcomm.dll
    2011-06-15 01:00 . 2011-04-14 14:59 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
    2011-06-15 01:00 . 2011-04-21 13:58 273408 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-06-15 01:00 . 2011-04-29 13:25 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-06-15 01:00 . 2011-04-29 13:25 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-06-15 01:00 . 2011-04-29 13:24 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-06-15 00:59 . 2011-04-29 13:24 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2011-06-15 00:59 . 2011-04-29 13:24 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-06-14 23:33 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2011-06-14 23:33 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2011-06-14 22:09 . 2011-02-16 14:02 292864 ----a-w- c:\windows\system32\atmfd.dll
    2011-06-14 22:09 . 2011-02-16 16:16 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-06-14 22:09 . 2011-02-18 14:03 305152 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-06-14 22:09 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-06-14 22:09 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
    2011-06-14 22:09 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-06-14 22:08 . 2011-03-02 15:44 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
    2011-06-14 22:08 . 2009-05-04 09:59 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
    2011-06-14 22:08 . 2011-03-03 13:25 2041856 ----a-w- c:\windows\system32\win32k.sys
    2011-06-14 22:08 . 2011-03-10 17:03 1162240 ----a-w- c:\windows\system32\mfc42u.dll
    2011-06-14 22:08 . 2011-03-10 17:03 1136640 ----a-w- c:\windows\system32\mfc42.dll
    2011-06-14 22:08 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-06-14 22:08 . 2011-02-22 13:23 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
    2011-06-14 20:48 . 2011-05-29 14:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-14 20:48 . 2011-06-14 20:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-14 20:48 . 2011-05-29 14:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-11 04:46 . 2011-06-11 04:46 -------- d-----w- c:\users\c.clan\AppData\Roaming\Malwarebytes
    2011-06-11 04:46 . 2011-06-11 04:46 -------- d-----w- c:\programdata\Malwarebytes
    2011-06-07 17:35 . 2011-06-07 17:35 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
    2011-05-22 04:21 . 2011-05-22 04:21 -------- d-----w- c:\users\c.clan\AppData\Local\WMTools Downloaded Files
    2011-05-22 04:18 . 2011-06-14 22:15 -------- d-----w- c:\program files\Movie Maker 2.6
    2011-05-22 03:40 . 2011-03-02 10:43 175616 ----a-w- c:\windows\system32\unrar.dll
    2011-05-22 03:40 . 2011-05-22 03:40 -------- d-----w- c:\program files\K-Lite Codec Pack
    2011-05-22 03:37 . 2011-05-22 03:37 -------- d-----w- c:\program files\Real Alternative
    2011-05-22 01:03 . 2011-05-22 03:33 -------- d-----w- c:\program files\VideoSpirit Pro
    2011-05-21 21:20 . 2011-05-21 21:20 -------- d-----w- c:\programdata\PIXELA
    2011-05-21 20:56 . 2011-05-21 20:56 -------- d-----w- c:\program files\PIXELA
    2011-05-21 20:55 . 2011-05-21 20:55 -------- d-----w- c:\program files\Digital Photo Navigator 1.5
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-19 02:26 . 2011-04-19 02:25 624640 ----a-w- c:\windows\screensaver_ksbj.scr
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-20 68856]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2010-06-04 822384]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-20 1838592]
    "ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "FaxCenterServer"="c:\program files\Dell PC Fax\fm3032.exe" [2006-11-03 312200]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
    "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
    "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
    "PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
    "BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-02-06 622592]
    "ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 65536]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-05-02 1306216]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 1797008]
    "Bsecure"="c:\program files\Bsecure\BsecTray.exe" [2010-12-02 74592]
    "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10o_ActiveX.exe" [2011-04-04 235168]
    .
    c:\users\c.clan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    CurseClientStartup.ccip [2010-12-5 0]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Camera Monitor SD.lnk - c:\program files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe [2011-5-21 541976]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-20 50688]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001
    .
    R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-06-12 135664]
    R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2010-07-21 44432]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [x]
    R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-03-13 85984]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R4 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-10-14 84072]
    S0 amacpi;Microsoft Away Mode System;c:\windows\system32\DRIVERS\null.sys [2008-01-19 4608]
    S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-03-13 64648]
    S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-03-13 163400]
    S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-05 77824]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-01-26 176128]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-01-27 284672]
    S2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-17 140224]
    S2 Bsecure;CloudCare;c:\program files\Bsecure\InetCtrl.exe [2010-12-02 55136]
    S2 BsecureAV;CloudCare AntiVirus;c:\program files\Bsecure\BsecAV.exe [2010-12-02 135080]
    S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
    S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 214904]
    S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-03-13 159832]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2011-03-13 148520]
    S3 amdiox86;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox86.sys [2010-02-18 37944]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-01-26 7566848]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-01-26 238592]
    S3 BSecACFltr;BSecACFltr;c:\windows\system32\DRIVERS\BSecACFltr.sys [2010-02-05 21624]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-03-13 57432]
    S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-03-13 337912]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - BsecureFilter
    *Deregistered* - mfeavfk01
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-12 05:50]
    .
    2011-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-12 05:50]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5080120
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    LSP: %ProgramFiles%\Bsecure\InetCtrl43.dll
    TCP: DhcpNameServer = 192.168.1.254
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\uniblue\registrybooster\StartRegistryBooster.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-17 04:52
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.0.6002 Disk: SAMSUNG_ rev.CP10 -> Harddisk0\DR0 ->
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85B54ECC]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x86cf0879; SUB DWORD [EBP-0x4], 0x86cf0135; PUSH EDI; CALL 0xffffffffffffdf2c; }
    1 ntkrnlpa!IofCallDriver[0x82281912] -> \Device\Harddisk0\DR0[0x8665EAC8]
    3 CLASSPNP[0x8BD9E8B3] -> ntkrnlpa!IofCallDriver[0x82281912] -> [0x85AE7A28]
    5 acpi[0x806086BC] -> ntkrnlpa!IofCallDriver[0x82281912] -> [0x85AC2C90]
    [0x86E969A0] -> IRP_MJ_CREATE -> 0x85B54ECC
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
    detected disk devices:
    \Device\0000005f -> \??\SCSI#Disk&Ven_SAMSUNG&Prod_HD321KJ#4&228bd848&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ae,ab,c3,1d,c3,d5,30,4b,8a,91,32,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ae,ab,c3,1d,c3,d5,30,4b,8a,91,32,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-06-17 04:54:36
    ComboFix-quarantined-files.txt 2011-06-17 09:54
    .
    Pre-Run: 237,919,539,200 bytes free
    Post-Run: 237,992,333,312 bytes free
    .
    - - End Of File - - 9D220630BAFF04D6505C463744507245

    ***** Thank you very much for taking the time to help us! We really appreciate it! *****

    Adding: I know, we're not supposed to run other scans, but something triggered a McAfee scan earlier. I caught it first going when it was at like 60-something percent, and I wasn't sure what to do then, so I just let it continue. It found several infected files, a tracking cookie and one potentially unwanted program. It automatically removed everything but the program, which was quarantined. The quarantined program is called Tool-NirCmd. It says the other problems were Patched-SYSFile.d (Trojan - cleaned) and TDSS.c!mem (Trojan - cleaned).

    Ahhh, I just looked and our scheduled scan is on Fridays at 4 AM.

    *sheepish* Well, on the bright side, I think that should be the end of our regular weekly scans for the week. Sorry about that! It's really easy to forget about them once they're set up.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Examples of why we advise against using other scanning or cleaning programs while we are actively helping:

    One of the biggest failings is that these scans will show the infection no matter where the location is. For instance:
    If the location of the malware is in the System Volume, that is where restore points are kept. It isn't active in the system any longer and at the end of cleaning, I have you drop old restore points and set a new clean one. Our thread with the Steps advises against doing a System Restore while cleaning is in progress.

    If the location of the malware is in the Qoobox, that is where Combofix puts the quarantined files. It isn't active in the system. At the end of cleaning, when Combofix is uninstalled, everything in the Qoobox is removed with it.

    If the location is the Java cache, you will have to empty the cache (temporary internet files) in order to remove the entry.

    If the location is the Recycler, then the entry is in the trash! The Recycler is a system file (hidden) where the contents of the Recycle Bin are sent when entries are deleted. The AV can't remove anything in the Recycler folder. It has to be done in a special way.

    But if you don't know about System Volume or the Qoobox or the Java cache or the Recycler, you look at your AV scan log and see entries; although they may no longer be active, the scan will still show them. This confuses the user and in some cases, such as the above locations, the AV advising it has cleaned, quarantined or removed these entries means nothing!

    To quote my friends at majorgeeks.com:
    __________________
    Patched-SYSFile.d> http://vil.nai.com/vil/content/v_267060.htm> https://community.mcafee.com/thread/25183
    TDSS.c!mem> http://www.computing.net/answers/security/trojan-tdss-cmem-what-is-it/31477.html
    ==========================================
    I'd like you to run the following again, and please include the entire log:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
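The post above makes a triage point that is easy to automate: a detection whose path sits in a restore point, a ComboFix or TDSSKiller quarantine folder, the Java cache or the Recycler is not active in the running system, and each of those locations has its own follow-up. The script below is an added example for this thread, not code from either participant or from any of the tools mentioned. It parses detection lines in the `<path> (<threat>) -> <action>` shape used by the Malwarebytes log earlier in the thread and sorts them into "still active" and "already inactive" with the helper's follow-up attached. The location patterns are assumptions about typical Windows paths, and the sample log is constructed (placeholder GUIDs and SIDs, generic threat names).

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Locations the helper lists where a scanner still "sees" malware that is no
# longer active in the running system, each paired with the follow-up the
# thread gives for it.  TDSSKiller_Quarantine is the quarantine folder named
# earlier in the thread.  The path patterns are assumptions about typical
# Windows layouts, not output taken from the original page.
INACTIVE_LOCATIONS = [
    ("restore point",
     re.compile(r"\\System Volume Information\\", re.I),
     "not active; old restore points are dropped and a clean one set at the end of cleaning"),
    ("ComboFix quarantine (Qoobox)",
     re.compile(r"\\Qoobox\\", re.I),
     "not active; removed when ComboFix is uninstalled"),
    ("TDSSKiller quarantine",
     re.compile(r"\\TDSSKiller_Quarantine\\", re.I),
     "not active; already quarantined by TDSSKiller"),
    ("Java cache",
     re.compile(r"\\Sun\\Java\\Deployment\\cache\\", re.I),
     "empty the Java cache (temporary internet files) to remove the entry"),
    ("Recycle Bin",
     re.compile(r"\\(?:RECYCLER|\$Recycle\.Bin)\\", re.I),
     "already deleted; empty the Recycle Bin"),
]

class Detection(NamedTuple):
    threat: str
    path: str
    location: str   # a label from INACTIVE_LOCATIONS, or "active"
    follow_up: str

# One detection per line: "<path> (<threat>) -> <action>".  The path is matched
# non-greedily so a path containing parentheses still parses correctly.
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")

def classify_path(path: str) -> Tuple[str, str]:
    """Return (location label, follow-up) for the path of a detected object."""
    for label, pattern, follow_up in INACTIVE_LOCATIONS:
        if pattern.search(path):
            return label, follow_up
    return "active", "still in a live location: needs attention from the helper"

def parse_line(line: str) -> Optional[Detection]:
    """Parse one detection line; return None for headers, blanks and other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    location, follow_up = classify_path(m.group("path"))
    return Detection(m.group("threat"), m.group("path"), location, follow_up)

def triage(log_text: str) -> Tuple[List[Detection], List[Detection]]:
    """Split a scan log into detections that still matter and ones that do not."""
    active: List[Detection] = []
    inactive: List[Detection] = []
    for line in log_text.splitlines():
        det = parse_line(line)
        if det is None:
            continue
        (active if det.location == "active" else inactive).append(det)
    return active, inactive

# Constructed sample log in the Malwarebytes "Files Infected" shape.
# GUIDs, SIDs and most threat names are placeholders, not real indicators.
SAMPLE_LOG = r"""
Files Infected:
c:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP12\A0000123.exe (Trojan.Fraudpack) -> No action taken.
c:\Qoobox\Quarantine\C\Windows\System32\sample.dll.vir (Rootkit.TDSS) -> No action taken.
c:\TDSSKiller_Quarantine\23.07.2010_15.31.43\tdlfs\rsrc.dat (Rootkit.TDSS) -> No action taken.
c:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\1a2b3c4d-5e6f7a8b.idx (Exploit.Java) -> No action taken.
c:\$Recycle.Bin\S-1-5-21-0-0-0-1000\$RABC123.exe (Trojan.Agent) -> No action taken.
c:\Windows\System32\drivers\partmgr.sys (Patched-SYSFile.d) -> No action taken.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> No action taken.
"""

if __name__ == "__main__":
    active, inactive = triage(SAMPLE_LOG)
    print("Still active (report these to the helper):")
    for d in active:
        print(f"  {d.threat:<20} {d.path}")
    print("Already inactive (scanner noise for cleaning purposes):")
    for d in inactive:
        print(f"  {d.threat:<20} [{d.location}] {d.path} -> {d.follow_up}")
```

Run against a real scan log, the "still active" list is the part worth pasting for the helper; the "inactive" list is what the post describes as entries the scanner keeps showing even though the cleaning steps have already dealt with them.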
     
  6. anxious

    anxious TS Rookie Topic Starter

    That makes a lot of sense. I have turned off McAfee's schedule scans until this is done. Again, I'm sorry about that!

    TDSSKiller said that there were no infections found. This is the report, just in case:

    2011/06/18 19:33:35.0286 6384 TDSS rootkit removing tool 2.5.5.0 Jun 16 2011 15:25:15
    2011/06/18 19:33:35.0832 6384 ================================================================================
    2011/06/18 19:33:35.0832 6384 SystemInfo:
    2011/06/18 19:33:35.0832 6384
    2011/06/18 19:33:35.0832 6384 OS Version: 6.0.6002 ServicePack: 2.0
    2011/06/18 19:33:35.0832 6384 Product type: Workstation
    2011/06/18 19:33:35.0832 6384 ComputerName: CCLAN-PC
    2011/06/18 19:33:35.0832 6384 UserName: c.clan
    2011/06/18 19:33:35.0832 6384 Windows directory: C:\Windows
    2011/06/18 19:33:35.0832 6384 System windows directory: C:\Windows
    2011/06/18 19:33:35.0832 6384 Processor architecture: Intel x86
    2011/06/18 19:33:35.0832 6384 Number of processors: 2
    2011/06/18 19:33:35.0832 6384 Page size: 0x1000
    2011/06/18 19:33:35.0832 6384 Boot type: Normal boot
    2011/06/18 19:33:35.0832 6384 ================================================================================
    2011/06/18 19:33:36.0316 6384 Initialize success
    2011/06/18 19:33:40.0621 6632 ================================================================================
    2011/06/18 19:33:40.0621 6632 Scan started
    2011/06/18 19:33:40.0621 6632 Mode: Manual;
    2011/06/18 19:33:40.0621 6632 ================================================================================
    2011/06/18 19:33:41.0011 6632 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
    2011/06/18 19:33:41.0058 6632 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
    2011/06/18 19:33:53.0538 6632 ================================================================================
    2011/06/18 19:33:53.0538 6632 Scan finished
    2011/06/18 19:33:53.0538 6632 ================================================================================
    2011/06/18 19:33:53.0554 7372 Detected object count: 0
    2011/06/18 19:33:53.0554 7372 Actual detected object count: 0
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, hopefully that has been handled. I would like for you to update and run a new scan with Combofix. It was giving the mixed message of a rootkit after the first scan. Let's make sure it's gone.
    I'd also like you to run this online virus scan:
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the ESET Smart Installer download link. Save it to your desktop.
      [o] Double click on the ESET Smart Installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
     
  8. anxious

    anxious TS Rookie Topic Starter

    ComboFix Log

    ComboFix 11-06-17.04 - c.clan 06/19/2011 19:37:47.3.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3582.2698 [GMT -5:00]
    Running from: c:\users\c.clan\Desktop\ComboFix.exe
    AV: CloudCare *Disabled/Updated* {567F6DDD-22AE-6081-DE6F-F28A4699C7E6}
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    SP: CloudCare AntiSpyware *Disabled/Updated* {ED1E8C39-0494-6F0F-E4DF-C9F83D1E8D5B}
    SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-20 to 2011-06-20 )))))))))))))))))))))))))))))))
    .
    .
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-06-17 22:52 . 2011-03-08 20:28 54248 ----a-w- c:\windows\system32\drivers\partmgr.sys
    2011-04-19 02:26 . 2011-04-19 02:25 624640 ----a-w- c:\windows\screensaver_ksbj.scr
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-20 68856]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2010-06-04 822384]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-20 1838592]
    "ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "FaxCenterServer"="c:\program files\Dell PC Fax\fm3032.exe" [2006-11-03 312200]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
    "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
    "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
    "PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
    "BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-02-06 622592]
    "ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 65536]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-05-02 1306216]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 1797008]
    "Bsecure"="c:\program files\Bsecure\BsecTray.exe" [2010-12-02 74592]
    "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10o_ActiveX.exe" [2011-04-04 235168]
    .
    c:\users\c.clan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    CurseClientStartup.ccip [2010-12-5 0]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Camera Monitor SD.lnk - c:\program files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe [2011-5-21 541976]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-20 50688]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001
    .
    R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-06-12 135664]
    R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2010-07-21 44432]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [x]
    R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-03-13 85984]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R4 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-10-14 84072]
    S0 amacpi;Microsoft Away Mode System;c:\windows\system32\DRIVERS\null.sys [2008-01-19 4608]
    S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-03-13 64648]
    S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-03-13 163400]
    S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-05 77824]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-01-26 176128]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-01-27 284672]
    S2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-17 140224]
    S2 Bsecure;CloudCare;c:\program files\Bsecure\InetCtrl.exe [2010-12-02 55136]
    S2 BsecureAV;CloudCare AntiVirus;c:\program files\Bsecure\BsecAV.exe [2010-12-02 135080]
    S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
    S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 214904]
    S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-03-13 159832]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2011-03-13 148520]
    S3 amdiox86;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox86.sys [2010-02-18 37944]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-01-26 7566848]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-01-26 238592]
    S3 BSecACFltr;BSecACFltr;c:\windows\system32\DRIVERS\BSecACFltr.sys [2010-02-05 21624]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-03-13 57432]
    S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-03-13 337912]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - 24007954
    *NewlyCreated* - 86461997
    *NewlyCreated* - 99727552
    *Deregistered* - 24007954
    *Deregistered* - 86461997
    *Deregistered* - 99727552
    *Deregistered* - BsecureFilter
    *Deregistered* - mfeavfk01
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-12 05:50]
    .
    2011-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-12 05:50]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5080120
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    LSP: %ProgramFiles%\Bsecure\InetCtrl43.dll
    TCP: DhcpNameServer = 192.168.1.254
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-19 19:59
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.0.6002 Disk: SAMSUNG_ rev.CP10 -> Harddisk0\DR0 ->
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
    c:\windows\system32\DRIVERS\nvstor32.sys NVIDIA Corporation NVIDIA nForce(TM) SATA Driver
    1 ntkrnlpa!IofCallDriver[0x82281912] -> \Device\Harddisk0\DR0[0x8665EAC8]
    3 CLASSPNP[0x8BD9E8B3] -> ntkrnlpa!IofCallDriver[0x82281912] -> [0x85AE7A28]
    5 acpi[0x806086BC] -> ntkrnlpa!IofCallDriver[0x82281912] -> [0x85AC2C90]
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
    detected disk devices:
    \Device\0000005f -> \??\SCSI#Disk&Ven_SAMSUNG&Prod_HD321KJ#4&228bd848&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user & kernel MBR OK
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partmgr]
    "ImagePath"="System32\drivers\partmgr.sy@"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ae,ab,c3,1d,c3,d5,30,4b,8a,91,32,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ae,ab,c3,1d,c3,d5,30,4b,8a,91,32,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-06-19 20:01:47
    ComboFix-quarantined-files.txt 2011-06-20 01:01
    ComboFix2.txt 2011-06-17 09:54
    .
    Pre-Run: 236,514,488,320 bytes free
    Post-Run: 236,517,752,832 bytes free
    .
    - - End Of File - - BB6229B955290C835C5A31C300D50533

    ESET Scan Results

    C:\TDSSKiller_Quarantine\17.06.2011_04.09.43\rtkt0000\tdlfs0000\tsk0004.dta a variant of Win32/Olmarik.AOV trojan
    C:\TDSSKiller_Quarantine\17.06.2011_04.09.43\rtkt0000\tdlfs0000\tsk0006.dta probably a variant of Win32/TrojanClicker.Agent.NNO trojan
    C:\Users\c.clan\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\5d136e51-49d23cc8 multiple threats
    C:\Windows\System32\drivers\partmgr.sys Win32/Olmarik.ZC trojan
    C:\Windows\winsxs\x86_microsoft-windows-partitionmanager_31bf3856ad364e35_6.0.6002.18005_none_e3878c97b7915bdf\partmgr.sys Win32/Olmarik.ZC trojan
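Two things in the logs above are worth a mechanical check rather than eyeballing: ComboFix's `[x]` marker on a registered driver whose file is gone (Lbd.sys), and a kernel image name that is not a normal `.sys`/`.dll`/`.exe` (the `partmgr.sy@` ImagePath that ESET flagged as Olmarik). The script below is an added example, not part of this thread or of ComboFix, Bootkit Remover or ESET; it parses sample lines constructed in the shape of those logs and reports both kinds of finding.

```python
"""Flag driver-loading anomalies in ComboFix / Bootkit Remover style log lines."""
import re

# Constructed sample in the shape of the logs in this thread: two ComboFix
# service lines, the ImagePath dump ComboFix printed for partmgr, and two
# Bootkit Remover "LOADED MODULES" lines.
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-03-13 85984]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partmgr]
"ImagePath"="System32\drivers\partmgr.sy@"
.\debug.cpp(256) : 0x8068c000 0x0000f000 "\SystemRoot\System32\drivers\partmgr.sy@"
.\debug.cpp(256) : 0x8069b000 0x0000f000 "\SystemRoot\system32\drivers\volmgr.sys"
"""

# Kernel-mode images Windows loads legitimately end in one of these.
DRIVER_EXTENSIONS = {"sys", "dll", "exe"}

# ComboFix service/driver line: "<start> <name>;<display>;<path> [<date size> | x]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<tail>[^\]]*)\]$"
)
# ComboFix registry dump of a service's ImagePath value.
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(?P<path>[^"]+)"$')
# Bootkit Remover loaded-module line: base address, size, quoted path.
MODULE_RE = re.compile(r'^\.\\debug\.cpp\(\d+\) : 0x[0-9a-f]+ 0x[0-9a-f]+ "(?P<path>[^"]+)"$')


def image_name_anomaly(path):
    """Return a reason string if a kernel image path looks tampered with, else None.

    The check is deliberately narrow: the file name must end in a known
    kernel-image extension made only of ASCII letters and digits. A trailing
    '@' as in partmgr.sy@ fails that test.
    """
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    if "." not in name:
        return "no file extension in %r" % name
    ext = name.rsplit(".", 1)[-1].lower()
    if not ext.isascii() or not ext.isalnum():
        return "non-alphanumeric extension in %r" % name
    if ext not in DRIVER_EXTENSIONS:
        return "unexpected kernel image extension .%s in %r" % (ext, name)
    return None


def scan_log(text):
    """Walk log lines and collect (line_no, kind, detail) findings."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            if m.group("tail") == "x":
                # ComboFix prints [x] when the registered file is not on disk:
                # a dangling driver registration that should be cleaned up.
                findings.append((line_no, "missing-driver-file", m.group("name")))
            reason = image_name_anomaly(m.group("path"))
            if reason:
                findings.append((line_no, "odd-image-name", reason))
            continue
        m = IMAGEPATH_RE.match(line) or MODULE_RE.match(line)
        if m:
            reason = image_name_anomaly(m.group("path"))
            if reason:
                findings.append((line_no, "odd-image-name", reason))
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in scan_log(SAMPLE_LOG):
        print("line %d: %s: %s" % (line_no, kind, detail))
```

Run against a full ComboFix log, the same two patterns catch any `[x]` service and any driver or loaded module whose name has been altered the way partmgr's was here.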
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run the following for the entries found in the Eset scan:

    First: To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply > OK on Temporary Files Settings window.
    Images courtesy java.com
    =========================================
    Second: Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files  
      C:\TDSSKiller_Quarantine\17.06.2011_04.09.43\rtkt0000\tdlfs0000\tsk0004.dta 
      C:\TDSSKiller_Quarantine\17.06.2011_04.09.43\rtkt0000\tdlfs0000\tsk0006.dta 
      C:\Windows\System32\drivers\partmgr.sys 
      C:\Windows\winsxs\x86_microsoft-windows partitionmanager_31bf3856ad364e35_6.0.6002.18005_none_e3878c97b7915bdf\part mgr.sys 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =====================================
    There are infected files from Partition Manager. What site did you download that from?
    =======================================================
    I need to check your security since you are actively still getting malware. Please run this: Security Check

    Download Security Check by screen317 from HERE or HERE .
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    ===============================
    I'll be checking the Combofix log while you do the above.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run this: Bootkit Remover:

    Download bootkitremover.rar and save to your desktop.
    1. Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. (Use 7-Zip if you don't have an extraction program.)
    2. Double-click on the remover.exe file to run the program.
      NOTE: The tool should be run from a command line with Administrator privileges.
    3. Scanning should be completed quickly.
    4. Paste the output in your next reply.
    =====================================
    Follow with this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys
    FileLook::
    c:\windows\system32\drivers\partmgr.sys
    Folder::
    c:\users\c.clan\AppData\Local\temp
    c:\users\Default\AppData\Local\temp
    c:\users\CFEB2~1~CLA\AppData\Local\temp
    C:\TDSSKiller_Quarantine
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PPort11reminder"=-
    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    Driver::
    Lavasoft Kernexplorer
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Both logs in next reply.
     
  11. anxious

    anxious TS Rookie Topic Starter

    Here are the OTM and Security Check logs.

    Regarding your question about the Partition Manager, I have no idea. Honestly, I had to look it up and just read the brief descriptions that came up in the search results. Is that kind of like defragmenting?

    OTM

    All processes killed
    ========== FILES ==========
    C:\TDSSKiller_Quarantine\17.06.2011_04.09.43\rtkt0000\tdlfs0000\tsk0004.dta moved successfully.
    C:\TDSSKiller_Quarantine\17.06.2011_04.09.43\rtkt0000\tdlfs0000\tsk0006.dta moved successfully.
    File move failed. C:\Windows\System32\drivers\partmgr.sys scheduled to be moved on reboot.
    File/Folder C:\Windows\winsxs\x86_microsoft-windows partitionmanager_31bf3856ad364e35_6.0.6002.18005_none_e3878c97b7915bdf\part mgr.sys not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: c.clan
    ->Temp folder emptied: 10973791 bytes
    ->Temporary Internet Files folder emptied: 83327742 bytes
    ->Java cache emptied: 973663 bytes
    ->Flash cache emptied: 591203 bytes

    User: CFEB2~1~CLA
    ->Temp folder emptied: 0 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Gallia
    ->Temp folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 2048 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 34114041 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 124.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 06222011_143906

    Files moved on Reboot...
    File move failed. C:\Windows\System32\drivers\partmgr.sys scheduled to be moved on reboot.

    Registry entries deleted on Reboot...

    ***Note: Right after the application said it needed to reboot, a message came up saying that it stopped working and Windows had to shut it down. I just turned the computer off and restarted it. The log came up fine, so I assumed it worked okay and continued.****

    Security Check Log

    Results of screen317's Security Check version 0.99.15
    Windows Vista Service Pack 2 (UAC is disabled!)
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Disabled!
    ESET Online Scanner v3
    McAfee AntiVirus Plus
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) SE Runtime Environment 6
    Adobe Flash Player
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    ``````````End of Log````````````

    I will go on with the ComboFix instructions next and then edit this post. I just wanted to get this on here already to make sure I keep everything straight.

    Thank you for your patience!
     
  12. anxious

    anxious TS Rookie Topic Starter

    I messed up again, I think. When I turned off McAfee, I set it to start up again at reboot .... I wasn't expecting ComboFix to reboot the computer. When ComboFix completed its log, a warning came up from McAfee. It says:

    Potentially Unwanted Program Blocked

    About This Potentially Unwanted Program
    Name: Tool-NirCmd
    Quarantined From: C:\ComboFix\NIRKMD.cfxxe

    I have the options to remove, allow or close. I'm hoping to leave it alone until I get instructions on what is best to do.

    Bootkit Remover

    .\debug.cpp(238) : Debug log started at 22.06.2011 - 20:11:56
    .\boot_cleaner.cpp(527) : Bootkit Remover
    .\boot_cleaner.cpp(528) : (c) 2009 eSage Lab
    .\boot_cleaner.cpp(529) : www.esagelab.com
    .\boot_cleaner.cpp(533) : Program version: 1.2.0.0
    .\boot_cleaner.cpp(540) : OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6002), 32-bit
    .\debug.cpp(248) : **********************************************
    .\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
    .\debug.cpp(250) : **********************************************
    .\debug.cpp(256) : 0x82239000 0x003ba000 "\SystemRoot\system32\ntkrnlpa.exe"
    .\debug.cpp(256) : 0x82206000 0x00033000 "\SystemRoot\system32\hal.dll"
    .\debug.cpp(256) : 0x8040a000 0x00007000 "\SystemRoot\system32\kdcom.dll"
    .\debug.cpp(256) : 0x80411000 0x00011000 "\SystemRoot\system32\PSHED.dll"
    .\debug.cpp(256) : 0x80422000 0x00008000 "\SystemRoot\system32\BOOTVID.dll"
    .\debug.cpp(256) : 0x8042a000 0x00041000 "\SystemRoot\system32\CLFS.SYS"
    .\debug.cpp(256) : 0x8046b000 0x000e0000 "\SystemRoot\system32\CI.dll"
    .\debug.cpp(256) : 0x8054b000 0x00071000 "\SystemRoot\system32\drivers\Wdf01000.sys"
    .\debug.cpp(256) : 0x805bc000 0x0000e000 "\SystemRoot\system32\drivers\WDFLDR.SYS"
    .\debug.cpp(256) : 0x8060e000 0x00046000 "\SystemRoot\system32\drivers\acpi.sys"
    .\debug.cpp(256) : 0x80654000 0x00009000 "\SystemRoot\system32\drivers\WMILIB.SYS"
    .\debug.cpp(256) : 0x8065d000 0x00008000 "\SystemRoot\system32\drivers\msisadrv.sys"
    .\debug.cpp(256) : 0x80665000 0x00027000 "\SystemRoot\system32\drivers\pci.sys"
    .\debug.cpp(256) : 0x8068c000 0x0000f000 "\SystemRoot\System32\drivers\partmgr.sy@"
    .\debug.cpp(256) : 0x8069b000 0x0000f000 "\SystemRoot\system32\drivers\volmgr.sys"
    .\debug.cpp(256) : 0x806aa000 0x0004a000 "\SystemRoot\System32\drivers\volmgrx.sys"
    .\debug.cpp(256) : 0x806f4000 0x00007000 "\SystemRoot\system32\drivers\pciide.sys"
    .\debug.cpp(256) : 0x806fb000 0x0000e000 "\SystemRoot\system32\drivers\PCIIDEX.SYS"
    .\debug.cpp(256) : 0x80709000 0x00010000 "\SystemRoot\System32\drivers\mountmgr.sys"
    .\debug.cpp(256) : 0x80719000 0x00008000 "\SystemRoot\system32\drivers\atapi.sys"
    .\debug.cpp(256) : 0x80721000 0x0001e000 "\SystemRoot\system32\drivers\ataport.SYS"
    .\debug.cpp(256) : 0x8073f000 0x0000d000 "\SystemRoot\system32\drivers\nvstor.sys"
    .\debug.cpp(256) : 0x8074c000 0x00041000 "\SystemRoot\system32\drivers\storport.sys"
    .\debug.cpp(256) : 0x8078d000 0x0001d000 "\SystemRoot\system32\DRIVERS\nvstor32.sys"
    .\debug.cpp(256) : 0x807aa000 0x00032000 "\SystemRoot\system32\drivers\fltmgr.sys"
    .\debug.cpp(256) : 0x807dc000 0x00010000 "\SystemRoot\system32\drivers\fileinfo.sys"
    .\debug.cpp(256) : 0x82c07000 0x0006e000 "\SystemRoot\system32\drivers\mfehidk.sys"
    .\debug.cpp(256) : 0x82c75000 0x0000b000 "\SystemRoot\system32\drivers\BsecFltr.sys"
    .\debug.cpp(256) : 0x82c80000 0x00009000 "\SystemRoot\System32\Drivers\PxHelp20.sys"
    .\debug.cpp(256) : 0x82c89000 0x00071000 "\SystemRoot\System32\Drivers\ksecdd.sys"
    .\debug.cpp(256) : 0x82e0d000 0x0010b000 "\SystemRoot\system32\drivers\ndis.sys"
    .\debug.cpp(256) : 0x82f18000 0x0002b000 "\SystemRoot\system32\drivers\msrpc.sys"
    .\debug.cpp(256) : 0x82f43000 0x0003b000 "\SystemRoot\system32\drivers\NETIO.SYS"
    .\debug.cpp(256) : 0x82cfa000 0x000ea000 "\SystemRoot\System32\drivers\tcpip.sys"
    .\debug.cpp(256) : 0x82f7e000 0x0001b000 "\SystemRoot\System32\drivers\fwpkclnt.sys"
    .\debug.cpp(256) : 0x8820c000 0x00110000 "\SystemRoot\System32\Drivers\Ntfs.sys"
    .\debug.cpp(256) : 0x8831c000 0x00039000 "\SystemRoot\system32\drivers\volsnap.sys"
    .\debug.cpp(256) : 0x88355000 0x00008000 "\SystemRoot\System32\Drivers\spldr.sys"
    .\debug.cpp(256) : 0x8835d000 0x0000f000 "\SystemRoot\System32\Drivers\mup.sys"
    .\debug.cpp(256) : 0x8836c000 0x00027000 "\SystemRoot\System32\drivers\ecache.sys"
    .\debug.cpp(256) : 0x88393000 0x00011000 "\SystemRoot\system32\drivers\disk.sys"
    .\debug.cpp(256) : 0x883a4000 0x00021000 "\SystemRoot\system32\drivers\CLASSPNP.SYS"
    .\debug.cpp(256) : 0x883c5000 0x00009000 "\SystemRoot\system32\drivers\crcdisk.sys"
    .\debug.cpp(256) : 0x883ce000 0x00007000 "\SystemRoot\system32\DRIVERS\null.sys"
    .\debug.cpp(256) : 0x883ec000 0x0000b000 "\SystemRoot\system32\DRIVERS\tunnel.sys"
    .\debug.cpp(256) : 0x883f7000 0x00009000 "\SystemRoot\system32\DRIVERS\tunmp.sys"
    .\debug.cpp(256) : 0x82fb6000 0x00010000 "\SystemRoot\system32\DRIVERS\amdk8.sys"
    .\debug.cpp(256) : 0x88200000 0x0000a000 "\SystemRoot\system32\DRIVERS\usbohci.sys"
    .\debug.cpp(256) : 0x8be08000 0x0003e000 "\SystemRoot\system32\DRIVERS\USBPORT.SYS"
    .\debug.cpp(256) : 0x8be46000 0x0000f000 "\SystemRoot\system32\DRIVERS\usbehci.sys"
    .\debug.cpp(256) : 0x8be55000 0x0004a000 "\SystemRoot\system32\DRIVERS\HSXHWBS2.sys"
    .\debug.cpp(256) : 0x8be9f000 0x0002a000 "\SystemRoot\system32\DRIVERS\ks.sys"
    .\debug.cpp(256) : 0x8bec9000 0x00103000 "\SystemRoot\system32\DRIVERS\HSX_DPV.sys"
    .\debug.cpp(256) : 0x8c201000 0x000b4000 "\SystemRoot\system32\DRIVERS\HSX_CNXT.sys"
    .\debug.cpp(256) : 0x8c2b5000 0x0000d000 "\SystemRoot\system32\drivers\modem.sys"
    .\debug.cpp(256) : 0x8c2c2000 0x0008d000 "\SystemRoot\system32\DRIVERS\HDAudBus.sys"
    .\debug.cpp(256) : 0x8c34f000 0x00046000 "\SystemRoot\system32\DRIVERS\nvmfdx32.sys"
    .\debug.cpp(256) : 0x8c395000 0x00018000 "\SystemRoot\system32\DRIVERS\cdrom.sys"
    .\debug.cpp(256) : 0x8c3ad000 0x0003f000 "\SystemRoot\system32\DRIVERS\atikmpag.sys"
    .\debug.cpp(256) : 0x8c409000 0x00786000 "\SystemRoot\system32\DRIVERS\atikmdag.sys"
    .\debug.cpp(256) : 0x8cc03000 0x000a0000 "\SystemRoot\System32\drivers\dxgkrnl.sys"
    .\debug.cpp(256) : 0x8cca3000 0x0000c000 "\SystemRoot\System32\drivers\watchdog.sys"
    .\debug.cpp(256) : 0x8ccaf000 0x0002f000 "\SystemRoot\system32\DRIVERS\msiscsi.sys"
    .\debug.cpp(256) : 0x8ccde000 0x0000b000 "\SystemRoot\system32\DRIVERS\TDI.SYS"
    .\debug.cpp(256) : 0x8cce9000 0x00017000 "\SystemRoot\system32\DRIVERS\rasl2tp.sys"
    .\debug.cpp(256) : 0x8cd00000 0x0000b000 "\SystemRoot\system32\DRIVERS\ndistapi.sys"
    .\debug.cpp(256) : 0x8cd0b000 0x00023000 "\SystemRoot\system32\DRIVERS\ndiswan.sys"
    .\debug.cpp(256) : 0x8cd2e000 0x0000f000 "\SystemRoot\system32\DRIVERS\raspppoe.sys"
    .\debug.cpp(256) : 0x8cd3d000 0x00014000 "\SystemRoot\system32\DRIVERS\raspptp.sys"
    .\debug.cpp(256) : 0x8cd51000 0x00015000 "\SystemRoot\system32\DRIVERS\rassstp.sys"
    .\debug.cpp(256) : 0x8cd66000 0x00010000 "\SystemRoot\system32\DRIVERS\termdd.sys"
    .\debug.cpp(256) : 0x8cd76000 0x0000b000 "\SystemRoot\system32\DRIVERS\kbdclass.sys"
    .\debug.cpp(256) : 0x8cd81000 0x0000b000 "\SystemRoot\system32\DRIVERS\mouclass.sys"
    .\debug.cpp(256) : 0x8cd8c000 0x00002000 "\SystemRoot\system32\DRIVERS\swenum.sys"
    .\debug.cpp(256) : 0x8cd8e000 0x00010000 "\SystemRoot\system32\DRIVERS\amdiox86.sys"
    .\debug.cpp(256) : 0x8cd9e000 0x0000a000 "\SystemRoot\system32\DRIVERS\mssmbios.sys"
    .\debug.cpp(256) : 0x8cda8000 0x0000d000 "\SystemRoot\system32\DRIVERS\umbus.sys"
    .\debug.cpp(256) : 0x8cdb5000 0x00035000 "\SystemRoot\system32\DRIVERS\usbhub.sys"
    .\debug.cpp(256) : 0x8cdea000 0x00011000 "\SystemRoot\System32\Drivers\NDProxy.SYS"
    .\debug.cpp(256) : 0x8d000000 0x001f5000 "\SystemRoot\system32\drivers\RTKVHDA.sys"
    .\debug.cpp(256) : 0x8cb8f000 0x0002d000 "\SystemRoot\system32\drivers\portcls.sys"
    .\debug.cpp(256) : 0x8cbbc000 0x00025000 "\SystemRoot\system32\drivers\drmk.sys"
    .\debug.cpp(256) : 0x8d1f5000 0x00009000 "\SystemRoot\System32\Drivers\Fs_Rec.SYS"
    .\debug.cpp(256) : 0x8cbe1000 0x00007000 "\SystemRoot\System32\Drivers\Beep.SYS"
    .\debug.cpp(256) : 0x8cbf1000 0x00007000 "\SystemRoot\system32\DRIVERS\HIDPARSE.SYS"
    .\debug.cpp(256) : 0x8c3ec000 0x0000c000 "\SystemRoot\System32\drivers\vga.sys"
    .\debug.cpp(256) : 0x8bfcc000 0x00021000 "\SystemRoot\System32\drivers\VIDEOPRT.SYS"
    .\debug.cpp(256) : 0x8cbf8000 0x00008000 "\SystemRoot\System32\DRIVERS\RDPCDD.sys"
    .\debug.cpp(256) : 0x8c400000 0x00008000 "\SystemRoot\system32\drivers\rdpencdd.sys"
    .\debug.cpp(256) : 0x8bfed000 0x0000b000 "\SystemRoot\System32\Drivers\Msfs.SYS"
    .\debug.cpp(256) : 0x82fc6000 0x0000e000 "\SystemRoot\System32\Drivers\Npfs.SYS"
    .\debug.cpp(256) : 0x8cbe8000 0x00009000 "\SystemRoot\System32\DRIVERS\rasacd.sys"
    .\debug.cpp(256) : 0x82fd4000 0x00027000 "\SystemRoot\system32\drivers\mfewfpk.sys"
    .\debug.cpp(256) : 0x82de4000 0x00016000 "\SystemRoot\system32\DRIVERS\tdx.sys"
    .\debug.cpp(256) : 0x807ec000 0x00014000 "\SystemRoot\system32\DRIVERS\smb.sys"
    .\debug.cpp(256) : 0x805ca000 0x00032000 "\SystemRoot\System32\DRIVERS\netbt.sys"
    .\debug.cpp(256) : 0x8d40c000 0x00048000 "\SystemRoot\system32\drivers\afd.sys"
    .\debug.cpp(256) : 0x8d454000 0x00009000 "\SystemRoot\system32\drivers\ws2ifsl.sys"
    .\debug.cpp(256) : 0x8d45d000 0x00016000 "\SystemRoot\system32\DRIVERS\pacer.sys"
    .\debug.cpp(256) : 0x8d473000 0x0000f000 "\SystemRoot\system32\DRIVERS\mfenlfk.sys"
    .\debug.cpp(256) : 0x8d482000 0x0000e000 "\SystemRoot\system32\DRIVERS\netbios.sys"
    .\debug.cpp(256) : 0x8d490000 0x00013000 "\SystemRoot\system32\DRIVERS\wanarp.sys"
    .\debug.cpp(256) : 0x8d4a3000 0x0003c000 "\SystemRoot\system32\DRIVERS\rdbss.sys"
    .\debug.cpp(256) : 0x8d4df000 0x0000a000 "\SystemRoot\system32\drivers\nsiproxy.sys"
    .\debug.cpp(256) : 0x8d4e9000 0x00017000 "\SystemRoot\System32\Drivers\dfsc.sys"
    .\debug.cpp(256) : 0x8d500000 0x0002a000 "\SystemRoot\system32\drivers\mfeavfk.sys"
    .\debug.cpp(256) : 0x8d52a000 0x00051000 "\SystemRoot\system32\drivers\mfefirek.sys"
    .\debug.cpp(256) : 0x8d57b000 0x00009000 "\SystemRoot\system32\DRIVERS\hidusb.sys"
    .\debug.cpp(256) : 0x8d584000 0x00010000 "\SystemRoot\system32\DRIVERS\HIDCLASS.SYS"
    .\debug.cpp(256) : 0x8d594000 0x00002000 "\SystemRoot\system32\DRIVERS\USBD.SYS"
    .\debug.cpp(256) : 0x8d596000 0x00009000 "\SystemRoot\system32\DRIVERS\kbdhid.sys"
    .\debug.cpp(256) : 0x8d59f000 0x00017000 "\SystemRoot\system32\DRIVERS\usbccgp.sys"
    .\debug.cpp(256) : 0x8d5b6000 0x00008000 "\SystemRoot\system32\DRIVERS\mouhid.sys"
    .\debug.cpp(256) : 0x8d5be000 0x0003b000 "\SystemRoot\system32\DRIVERS\udfs.sys"
    .\debug.cpp(256) : 0x883d5000 0x0000d000 "\SystemRoot\System32\Drivers\crashdmp.sys"
    .\debug.cpp(256) : 0x8d400000 0x0000a000 "\SystemRoot\System32\Drivers\dump_diskdump.sys"
    .\debug.cpp(256) : 0x82f99000 0x0001d000 "\SystemRoot\System32\Drivers\dump_nvstor32.sys"
    .\debug.cpp(256) : 0x93eb0000 0x00204000 "\SystemRoot\System32\win32k.sys"
    .\debug.cpp(256) : 0x883e2000 0x0000a000 "\SystemRoot\System32\drivers\Dxapi.sys"
    .\debug.cpp(256) : 0x95c02000 0x0000f000 "\SystemRoot\system32\DRIVERS\monitor.sys"
    .\debug.cpp(256) : 0x940d0000 0x00009000 "\SystemRoot\System32\TSDDD.dll"
    .\debug.cpp(256) : 0x940f0000 0x0004d000 "\SystemRoot\System32\ATMFD.DLL"
    .\debug.cpp(256) : 0x95c11000 0x0001b000 "\SystemRoot\system32\drivers\luafv.sys"
    .\debug.cpp(256) : 0x94140000 0x0000e000 "\SystemRoot\System32\cdd.dll"
    .\debug.cpp(256) : 0x95c34000 0x00007000 "\SystemRoot\system32\DRIVERS\elagopro.sys"
    .\debug.cpp(256) : 0x95c3b000 0x00010000 "\SystemRoot\system32\DRIVERS\lltdio.sys"
    .\debug.cpp(256) : 0x95c4b000 0x000b0000 "\SystemRoot\system32\drivers\spsys.sys"
    .\debug.cpp(256) : 0x95cfb000 0x00013000 "\SystemRoot\system32\DRIVERS\rspndr.sys"
    .\debug.cpp(256) : 0x95d0e000 0x0006d000 "\SystemRoot\system32\drivers\HTTP.sys"
    .\debug.cpp(256) : 0x95d7b000 0x0001d000 "\SystemRoot\System32\DRIVERS\srvnet.sys"
    .\debug.cpp(256) : 0x95d98000 0x00019000 "\SystemRoot\system32\DRIVERS\bowser.sys"
    .\debug.cpp(256) : 0x95db1000 0x00015000 "\SystemRoot\System32\drivers\mpsdrv.sys"
    .\debug.cpp(256) : 0x95dc6000 0x00021000 "\SystemRoot\system32\drivers\mrxdav.sys"
    .\debug.cpp(256) : 0x9a603000 0x0001f000 "\SystemRoot\system32\DRIVERS\mrxsmb.sys"
    .\debug.cpp(256) : 0x9a622000 0x00039000 "\SystemRoot\system32\DRIVERS\mrxsmb10.sys"
    .\debug.cpp(256) : 0x9a65b000 0x00018000 "\SystemRoot\system32\DRIVERS\mrxsmb20.sys"
    .\debug.cpp(256) : 0x9a673000 0x00028000 "\SystemRoot\System32\DRIVERS\srv2.sys"
    .\debug.cpp(256) : 0x9a69b000 0x0004f000 "\SystemRoot\System32\DRIVERS\srv.sys"
    .\debug.cpp(256) : 0x9a702000 0x00002000 "\SystemRoot\system32\DRIVERS\elaunidr.sys"
    .\debug.cpp(256) : 0x9a704000 0x00004000 "\SystemRoot\system32\DRIVERS\mdmxsdk.sys"
    .\debug.cpp(256) : 0x9a708000 0x000de000 "\SystemRoot\system32\drivers\peauth.sys"
    .\debug.cpp(256) : 0x9a7e6000 0x0000a000 "\SystemRoot\System32\Drivers\secdrv.SYS"
    .\debug.cpp(256) : 0x9a7f0000 0x0000c000 "\SystemRoot\System32\drivers\tcpipreg.sys"
    .\debug.cpp(256) : 0x9a6ea000 0x00008000 "\SystemRoot\system32\DRIVERS\xaudio.sys"
    .\debug.cpp(256) : 0x9c607000 0x00028000 "\SystemRoot\System32\Drivers\fastfat.SYS"
    .\debug.cpp(256) : 0x9c659000 0x0001c000 "\SystemRoot\system32\drivers\mfeapfk.sys"
    .\debug.cpp(256) : 0x9c675000 0x0000d000 "\SystemRoot\system32\drivers\mfebopk.sys"
    .\debug.cpp(256) : 0x9c682000 0x0000d000 "\SystemRoot\system32\drivers\cfwids.sys"
    .\debug.cpp(256) : 0x9c68f000 0x00004000 "\SystemRoot\system32\DRIVERS\BSecACFltr.sys"
    .\debug.cpp(256) : 0x76e10000 0x00128000 "\Windows\System32\ntdll.dll"
    .\debug.cpp(263) : **********************************************
    .\debug.cpp(307) : *** [ DEVICE OBJECTS INFORMATION ] ***********
    .\debug.cpp(308) : **********************************************
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\D:"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#VID_046D&PID_C52F&MI_00#7&363edb49&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\0000006c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDIS"
    .\debug.cpp(400) : Destination "\Device\Ndis"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi3:"
    .\debug.cpp(400) : Destination "\Device\RaidPort1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY1"
    .\debug.cpp(400) : Destination "\Device\Video0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANIPV6#0000#{cac88484-7515-4c03-82e6-71a87abac361}"
    .\debug.cpp(400) : Destination "\Device\00000040"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#*ISATAP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000001"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCSI#Disk&Ven_SAMSUNG&Prod_HD321KJ#4&228bd848&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\0000005f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY2"
    .\debug.cpp(400) : Destination "\Device\Video1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ffbb6e3f-ccfe-4d84-90d9-421418b03a8e}"
    .\debug.cpp(400) : Destination "\Device\00000046"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPPOEMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANBH#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000003e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{0abc945d-49a1-11e0-b073-806e6f6e6963}"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_1002&DEV_94C3&SUBSYS_03021028&REV_00#4&24956fea&0&0048#{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0018"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY3"
    .\debug.cpp(400) : Destination "\Device\Video2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HarddiskVolumeShadowCopy1"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolumeShadowCopy1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{E3FE0F52-6729-43AC-8488-5AC1FB2AE7A9}"
    .\debug.cpp(400) : Destination "\Device\NDMP8"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\E:"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_03EF&SUBSYS_020E1028&REV_A2#3&2411e6fe&0&38#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0009"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY4"
    .\debug.cpp(400) : Destination "\Device\Video3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANIP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000003f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_03EF&SUBSYS_020E1028&REV_A2#3&2411e6fe&0&38#{cac88484-7515-4c03-82e6-71a87abac361}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0009"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WMIAdminDevice"
    .\debug.cpp(400) : Destination "\Device\WMIAdminDevice"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{6EA11ADB-6FEB-425D-A3CB-3CB73F334E62}"
    .\debug.cpp(400) : Destination "\Device\NDMP4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Tun0"
    .\debug.cpp(400) : Destination "\Device\Tun0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WGUARDNT"
    .\debug.cpp(400) : Destination "\Device\mfehidk"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#VID_046D&PID_C52F&MI_01&Col01#7&2eb452e7&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\0000006d"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY5"
    .\debug.cpp(400) : Destination "\Device\Video4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#VID_046D&PID_C315#5&1a4d149c&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00#4&4544209&0&4820#{adb44c00-1b8d-11d4-8d5e-00a0c90d1c42}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0017"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CDR4_XP"
    .\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\VolMgrControl"
    .\debug.cpp(400) : Destination "\Device\VolMgrControl"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{94EE6A8B-5BB2-470C-B334-7DA00E445979}"
    .\debug.cpp(400) : Destination "\Device\NDMP3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#VID_046D&PID_C52F&MI_00#7&363edb49&0&0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\0000006c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#AuthenticAMD_-_x86_Family_15_Model_107#_1#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
    .\debug.cpp(400) : Destination "\Device\0000004d"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3c0d501a-140b-11d1-b40f-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000046"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCSI#CdRom&Ven_PBDS&Prod_DVD+-RW_DH-16W1S#4&228bd848&0&010100#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000060"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WMIDataDevice"
    .\debug.cpp(400) : Destination "\Device\WMIDataDevice"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SpDevice"
    .\debug.cpp(400) : Destination "\Device\SpDevice"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#*TUNMP#0000#{cac88484-7515-4c03-82e6-71a87abac361}"
    .\debug.cpp(400) : Destination "\Device\00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCIIDE#IDEChannel#4&bc256b9&0&0#{2accfe60-c130-11d2-b082-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\PciIde0Channel0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\UMB#UMB#1&841921d&0&ActiveSyncWPDEnumerator#{65a9a6cf-64cd-480b-843e-32c86e1ba19f}"
    .\debug.cpp(400) : Destination "\Device\00000073"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\XAudio"
    .\debug.cpp(400) : Destination "\Device\XAudio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PEAuth"
    .\debug.cpp(400) : Destination "\Device\PEAuth"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\elaunidr_GTKUniDriver"
    .\debug.cpp(400) : Destination "\Device\elaunidr_GTKUniDriver"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PIPE"
    .\debug.cpp(400) : Destination "\Device\NamedPipe"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&19f7e59c&0&Signature18000000Offset283000000Length4802C00000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY#DELF004#5&15f336be&0&UID257#{866519b5-3f07-4c97-b7df-24c5d8a8ccb8}"
    .\debug.cpp(400) : Destination "\Device\00000070"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{2eb07ea0-7e70-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000046"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM3"
    .\debug.cpp(400) : Destination "\Device\Winachsf0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&19f7e59c&0&Signature18000000Offset3000000Length280000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&19f7e59c&0&Signature18000000Offset7E00Length2F08E00#{7f108a28-9833-4b3b-b780-2c6b5fa5c062}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\UNC"
    .\debug.cpp(400) : Destination "\Device\Mup"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Psched"
    .\debug.cpp(400) : Destination "\Device\Psched"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{0a4252a0-7e70-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000046"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0C#2&daba3ff&2#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\0000004f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgrMsg"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgrMsg"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD0"
    .\debug.cpp(400) : Destination "\Device\USBFDO-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000046"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Tcp"
    .\debug.cpp(400) : Destination "\Device\Tcp"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB20#4&377ad94d&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#FixedButton#2&daba3ff&2#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000054"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD1"
    .\debug.cpp(400) : Destination "\Device\USBFDO-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive0"
    .\debug.cpp(400) : Destination "\Device\Harddisk0\DR0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ConexantDiagnosticsServer"
    .\debug.cpp(400) : Destination "\Device\ConexantDiagnosticsServer"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PRN"
    .\debug.cpp(400) : Destination "\DosDevices\LPT1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{cf1dda2c-9743-11d0-a3ee-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000046"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{53172480-4791-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000046"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_03F2&SUBSYS_020E1028&REV_A3#3&2411e6fe&0&11#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0005"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_03F1&SUBSYS_020E1028&REV_A3#3&2411e6fe&0&10#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0004"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#*TUNMP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\RKSAMPLE0"
    .\debug.cpp(400) : Destination "\Device\RKSAMPLE0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{0A5AD48D-AF28-46D7-83EC-10490984A7F4}"
    .\debug.cpp(400) : Destination "\Device\NDMP10"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\mfehidk"
    .\debug.cpp(400) : Destination "\Device\mfehidk"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom0"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#UMBUS#0000#{65a9a6cf-64cd-480b-843e-32c86e1ba19f}"
    .\debug.cpp(400) : Destination "\Device\00000049"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#VID_046D&PID_C52F&MI_01&Col02#7&2eb452e7&0&0001#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\0000006e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\fsWrap"
    .\debug.cpp(400) : Destination "\Device\FsWrap"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{97ebaacb-95bd-11d0-a3ea-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000046"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_03F6&SUBSYS_020E1028&REV_A2#3&2411e6fe&0&40#{2accfe60-c130-11d2-b082-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0010"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPTPMINIPORT#0000#{cac88484-7515-4c03-82e6-71a87abac361}"
    .\debug.cpp(400) : Destination "\Device\00000042"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#volmgr#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\0000004a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\elaunidr_GTKCMOS"
    .\debug.cpp(400) : Destination "\Device\elaunidr_GTKCMOS"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANBH#0000#{cac88484-7515-4c03-82e6-71a87abac361}"
    .\debug.cpp(400) : Destination "\Device\0000003e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#ISCSIPRT#0000#{2accfe60-c130-11d2-b082-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000004"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Global"
    .\debug.cpp(400) : Destination "\GLOBAL??"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\LOG:"
    .\debug.cpp(400) : Destination "\clfs"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_SSTPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000043"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PxHelperDevice0"
    .\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Secdrv"
    .\debug.cpp(400) : Destination "\Device\Secdrv"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0888&SUBSYS_1028020E&REV_1000#4&249065e1&0&0001#{86841137-ed8e-4d97-9975-f2ed56b4430e}"
    .\debug.cpp(400) : Destination "\Device\00000066"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#*ISATAP#0000#{cac88484-7515-4c03-82e6-71a87abac361}"
    .\debug.cpp(400) : Destination "\Device\00000001"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCIIDE#IDEChannel#4&bc256b9&0&1#{2accfe60-c130-11d2-b082-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\PciIde0Channel1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#ThermalZone#THRM#{4afa3d51-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000053"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{0da7fec6-c73f-11dc-9630-806e6f6e6963}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0888&SUBSYS_1028020E&REV_1000#4&249065e1&0&0001#{dda54a40-1e4c-11d1-a050-405705c10000}"
    .\debug.cpp(400) : Destination "\Device\00000066"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HSF_MDMDevice0"
    .\debug.cpp(400) : Destination "\Device\HSF_MDMDevice0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{0da7fec7-c73f-11dc-9630-806e6f6e6963}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{475AAFD1-557C-4618-B1E6-32ADDB7E7CB4}"
    .\debug.cpp(400) : Destination "\Device\NDMP2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#VID_046D&PID_C315#6&1627de14&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\00000068"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0888&SUBSYS_1028020E&REV_1000#4&249065e1&0&0001#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000066"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&220b90da&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPPOEMINIPORT#0000#{cac88484-7515-4c03-82e6-71a87abac361}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#VID_046D&PID_C52F&MI_01&Col03#7&2eb452e7&0&0002#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\0000006f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0888&SUBSYS_1028020E&REV_1000#4&249065e1&0&0001#{eb115ffc-10c8-4964-831d-6dcb02e6f23f}"
    .\debug.cpp(400) : Destination "\Device\00000066"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_SSTPMINIPORT#0000#{cac88484-7515-4c03-82e6-71a87abac361}"
    .\debug.cpp(400) : Destination "\Device\00000043"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Conexant D850 PCI V.92 Modem"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0017"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MountPointManager"
    .\debug.cpp(400) : Destination "\Device\MountPointManager"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANIP#0000#{cac88484-7515-4c03-82e6-71a87abac361}"
    .\debug.cpp(400) : Destination "\Device\0000003f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_L2TPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000003d"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MbDlDp32"
    .\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Nsi"
    .\debug.cpp(400) : Destination "\Device\Nsi"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WanArp"
    .\debug.cpp(400) : Destination "\Device\WANARP"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY#DELF003#5&15f336be&0&UID258#{e6f07b5f-ee97-4a90-b076-33f57bf4eaa7}"
    .\debug.cpp(400) : Destination "\Device\00000071"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#VID_046D&PID_C52F#5&1a4d149c&0&8#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PartmgrControl"
    .\debug.cpp(400) : Destination "\Device\PartmgrControl"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{54950694-33A2-408C-9E06-ABBEB791E26F}"
    .\debug.cpp(400) : Destination "\Device\NDMP9"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NXTIPSECDevice"
    .\debug.cpp(400) : Destination "\Device\NXTIPSEC"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#VID_046D&PID_C315#6&1627de14&0&0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000068"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY#DELF003#5&15f336be&0&UID258#{866519b5-3f07-4c97-b7df-24c5d8a8ccb8}"
    .\debug.cpp(400) : Destination "\Device\00000071"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0888&SUBSYS_1028020E&REV_1000#4&249065e1&0&0001#{65e8773e-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000066"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_L2TPMINIPORT#0000#{cac88484-7515-4c03-82e6-71a87abac361}"
    .\debug.cpp(400) : Destination "\Device\0000003d"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\BSFilter"
    .\debug.cpp(400) : Destination "\Device\BSFilter"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\elaunidr_SDDMI2"
    .\debug.cpp(400) : Destination "\Device\elaunidr_SDDMI2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WFPDev"
    .\debug.cpp(400) : Destination "\Device\WFP"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\elagopro"
    .\debug.cpp(400) : Destination "\Device\elagopro"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000046"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISWANIP"
    .\debug.cpp(400) : Destination "\Device\NDMP6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_1002&DEV_94C3&SUBSYS_03021028&REV_00#4&24956fea&0&0048#{1ca05180-a699-450a-9a0c-de4fbe3ddd89}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0018"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WanArpV6"
    .\debug.cpp(400) : Destination "\Device\WANARPV6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi0:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\UMB#UMB#1&841921d&0&PrinterBusEnumerator#{65a9a6cf-64cd-480b-843e-32c86e1ba19f}"
    .\debug.cpp(400) : Destination "\Device\00000072"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0001#{1e54ece4-34e9-4761-b176-0e98c94784b2}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{4747b320-62ce-11cf-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000046"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPTPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000042"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NdisWan"
    .\debug.cpp(400) : Destination "\Device\NdisWan"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AscKmd"
    .\debug.cpp(400) : Destination "\Device\AscKmd"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\elaunidr_GPCIEnu1"
    .\debug.cpp(400) : Destination "\Device\elaunidr_GPCIEnu1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi1:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#AuthenticAMD_-_x86_Family_15_Model_107#_0#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
    .\debug.cpp(400) : Destination "\Device\0000004c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISWANBH"
    .\debug.cpp(400) : Destination "\Device\NDMP5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MpsDevice"
    .\debug.cpp(400) : Destination "\Device\MPS"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{8226A886-E85C-4698-9C14-4A5CD50C45BD}"
    .\debug.cpp(400) : Destination "\Device\NDMP1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0888&SUBSYS_1028020E&REV_1000#4&249065e1&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000066"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgr"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgr"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FtControl"
    .\debug.cpp(400) : Destination "\Device\VolMgrControl"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MAILSLOT"
    .\debug.cpp(400) : Destination "\Device\MailSlot"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AUX"
    .\debug.cpp(400) : Destination "\DosDevices\COM1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISWANIPV6"
    .\debug.cpp(400) : Destination "\Device\NDMP7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NUL"
    .\debug.cpp(400) : Destination "\Device\Null"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT"
    .\debug.cpp(400) : Destination ""
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SstpDrv"
    .\debug.cpp(400) : Destination "\Device\SstpDrv"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000045"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY#DELF004#5&15f336be&0&UID257#{e6f07b5f-ee97-4a90-b076-33f57bf4eaa7}"
    .\debug.cpp(400) : Destination "\Device\00000070"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi2:"
    .\debug.cpp(400) : Destination "\Device\RaidPort0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCSI#CdRom&Ven_PBDS&Prod_DVD+-RW_DH-16W1S#4&228bd848&0&010100#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000060"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WfpAle"
    .\debug.cpp(400) : Destination "\Device\WfpAle"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000044"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANIPV6#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000040"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00#4&4544209&0&4820#{2c7089aa-2e0e-11d1-b114-00c04fc2aae4}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0017"
    .\debug.cpp(409) : --
    .\debug.cpp(453) : **********************************************
    .\boot_cleaner.cpp(565) : System volume is \\.\C:
    .\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000002`83000000
    .\diskio.cpp(204) : ATA_Read(): DeviceIoControl() ERROR 1
    .\boot_cleaner.cpp(276) : Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826
    .\boot_cleaner.cpp(1060) :
    .\boot_cleaner.cpp(1061) : Size Device Name MBR Status
    .\boot_cleaner.cpp(1062) : --------------------------------------------
    .\boot_cleaner.cpp(1106) : 298 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
    .\boot_cleaner.cpp(1112) :
    .\boot_cleaner.cpp(1151) : Done;

    *****Msg was too long, so I'm putting the ComboFix in another one.*****
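Added example, not from anxious's post and not TDSSKiller's or ComboFix's own code: the Python below reproduces, on a constructed sector, the checks behind the last few log lines above: the boot-sector MD5, the 0x55AA signature, a "DOS/Win32 boot code" heuristic, and the mapping from the `\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000002`83000000` line back to the STORAGE#Volume symbolic link in the DEVICE OBJECTS section that carries the same Offset/Length fields. The three link names are copied from the log; the partition table is built from them so the cross-check can be demonstrated. Assumptions: the stock Windows MBR prologue bytes (33 C0 8E D0 BC 00 7C) stand in for whatever pattern the tool really matches, partition type 0x07 and the active flag on the third volume are made up, and the MD5 is only meaningful compared with a baseline from a known-clean install of the same Windows release.

```python
import hashlib
import re
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"
# First instructions of the stock Windows MBR loader (xor ax,ax; mov ss,ax;
# mov sp,7C00h). Used as a heuristic for "DOS/Win32 boot code"; the real
# tool's matching rules are not shown on the page (assumption).
WIN_MBR_PROLOGUE = bytes.fromhex("33c08ed0bc007c")

# Signature/Offset/Length fields embedded in a STORAGE#Volume symbolic link
# name, as printed in the DEVICE OBJECTS section of the log.
VOLUME_LINK_RE = re.compile(
    r"Signature([0-9A-Fa-f]+)Offset([0-9A-Fa-f]+)Length([0-9A-Fa-f]+)")

# Link names copied from the log; everything else below is constructed.
VOLUME_LINKS = {
    "HarddiskVolume1": "STORAGE#Volume#1&19f7e59c&0&Signature18000000Offset7E00Length2F08E00",
    "HarddiskVolume2": "STORAGE#Volume#1&19f7e59c&0&Signature18000000Offset3000000Length280000000",
    "HarddiskVolume3": "STORAGE#Volume#1&19f7e59c&0&Signature18000000Offset283000000Length4802C00000",
}


def parse_volume_link(link):
    """Return (disk signature, byte offset, byte length) from a link name."""
    m = VOLUME_LINK_RE.search(link)
    if not m:
        raise ValueError("not a STORAGE#Volume link: %r" % link)
    return tuple(int(x, 16) for x in m.groups())


def build_sample_mbr(partitions, boot_code=WIN_MBR_PROLOGUE):
    """Constructed 512-byte MBR: 446 bytes of boot code, four 16-byte
    partition entries, 0x55AA. partitions: (bootable, type, lba, count)."""
    code = boot_code.ljust(446, b"\x90")          # pad with NOPs
    table = b""
    for bootable, type_id, lba, count in partitions:
        # status, CHS start, type, CHS end, LBA start, sector count
        table += struct.pack("<B3sB3sII", 0x80 if bootable else 0x00,
                             b"\xff\xff\xff", type_id, b"\xff\xff\xff",
                             lba, count)
    return code + table.ljust(64, b"\x00") + MBR_SIGNATURE


def parse_mbr(sector):
    """Recover the facts the log summarises: MD5, signature, boot-code
    heuristic and the decoded partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    entries = []
    for i in range(4):
        raw = sector[446 + 16 * i:446 + 16 * (i + 1)]
        status, _, type_id, _, lba, count = struct.unpack("<B3sB3sII", raw)
        if type_id == 0 and count == 0:
            continue                              # empty slot
        entries.append({"index": i + 1, "bootable": status == 0x80,
                        "type": type_id, "lba_start": lba, "sectors": count,
                        "offset_bytes": lba * SECTOR_SIZE,
                        "length_bytes": count * SECTOR_SIZE})
    return {"md5": hashlib.md5(sector).hexdigest(),
            "signature_ok": sector[510:512] == MBR_SIGNATURE,
            "boot_code_present": sector[:446].startswith(WIN_MBR_PROLOGUE),
            "partitions": entries}


def mbr_status(info):
    """One-line verdict in the spirit of the log's 'MBR Status' column."""
    if not info["signature_ok"]:
        return "BAD (0x55AA signature missing)"
    if not info["boot_code_present"]:
        return "SUSPECT (boot code does not start with the stock Windows prologue)"
    return "OK (DOS/Win32 boot code found)"


def partition_for_offset(info, offset_bytes):
    """Map a volume's byte offset, as the log prints it, to a partition entry."""
    for p in info["partitions"]:
        if p["offset_bytes"] == offset_bytes:
            return p
    return None


def demo():
    """Build the table from the three volume links and locate the C: volume."""
    parts = []
    for name in ("HarddiskVolume1", "HarddiskVolume2", "HarddiskVolume3"):
        _, off, length = parse_volume_link(VOLUME_LINKS[name])
        # type 0x07 and the bootable flag on volume 3 are assumptions
        parts.append((name == "HarddiskVolume3", 0x07,
                      off // SECTOR_SIZE, length // SECTOR_SIZE))
    info = parse_mbr(build_sample_mbr(parts))
    # The log: \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000002`83000000
    return info, partition_for_offset(info, 0x283000000)


if __name__ == "__main__":
    info, c_drive = demo()
    print("Boot sector MD5 is:", info["md5"])
    print("MBR Status:", mbr_status(info))
    print("C: is partition %d (LBA %d, %d sectors)"
          % (c_drive["index"], c_drive["lba_start"], c_drive["sectors"]))
```

On a real machine the sector comes from the first 512 bytes of \\.\PhysicalDrive0, opened with administrator rights; whether its hash matches a clean reference MBR for the same Windows release is the question the log's MD5 line is meant to answer, and the page gives no reference value to compare against, so the hash alone proves nothing either way.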
     
  13. anxious

    anxious TS Rookie Topic Starter

    ComboFix Log (I ran into difficulty because when I tried to drag the txt file over it, it said that ComboFix was expired or something. I ended up uninstalling and reinstalling it. I hope it all still worked okay.)

    ComboFix 11-06-22.02 - c.clan 06/22/2011 15:43:43.4.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.1164 [GMT -5:00]
    Running from: c:\users\c.clan\Desktop\ComboFix.exe
    Command switches used :: c:\users\c.clan\Desktop\CFScript.txt
    AV: CloudCare *Disabled/Updated* {567F6DDD-22AE-6081-DE6F-F28A4699C7E6}
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    SP: CloudCare AntiSpyware *Disabled/Updated* {ED1E8C39-0494-6F0F-E4DF-C9F83D1E8D5B}
    SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    .
    FILE ::
    "c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\TDSSKiller_Quarantine
    c:\tdsskiller_quarantine\17.06.2011_04.09.43\rtkt0000\object.ini
    c:\tdsskiller_quarantine\17.06.2011_04.09.43\rtkt0000\svc0000\object.ini
    c:\tdsskiller_quarantine\17.06.2011_04.09.43\rtkt0000\svc0000\tsk0000.dta
    c:\tdsskiller_quarantine\17.06.2011_04.09.43\rtkt0000\svc0000\tsk0000.ini
    c:\tdsskiller_quarantine\17.06.2011_04.09.43\rtkt0000\svc0000\tsk0001.dta
    c:\tdsskiller_quarantine\17.06.2011_04.09.43\rtkt0000\svc0000\tsk0001.ini
    c:\tdsskiller_quarantine\17.06.2011_04.09.43\rtkt0000\tdlfs0000\object.ini
    c:\tdsskiller_quarantine\17.06.2011_04.09.43\rtkt0000\tdlfs0000\tsk0000.dta
    c:\tdsskiller_quarantine\17.06.2011_04.09.43\rtkt0000\tdlfs0000\tsk0000.ini
    c:\tdsskiller_quarantine\17.06.2011_04.09.43\rtkt0000\tdlfs0000\tsk0001.dta
    c:\tdsskiller_quarantine\17.06.2011_04.09.43\rtkt0000\tdlfs0000\tsk0001.ini
    c:\tdsskiller_quarantine\17.06.2011_04.09.43\rtkt0000\tdlfs0000\tsk0002.dta
    c:\tdsskiller_quarantine\17.06.2011_04.09.43\rtkt0000\tdlfs0000\tsk0002.ini
    c:\tdsskiller_quarantine\17.06.2011_04.09.43\rtkt0000\tdlfs0000\tsk0003.dta
    c:\tdsskiller_quarantine\17.06.2011_04.09.43\rtkt0000\tdlfs0000\tsk0003.ini
    c:\tdsskiller_quarantine\17.06.2011_04.09.43\rtkt0000\tdlfs0000\tsk0004.ini
    c:\tdsskiller_quarantine\17.06.2011_04.09.43\rtkt0000\tdlfs0000\tsk0005.dta
    c:\tdsskiller_quarantine\17.06.2011_04.09.43\rtkt0000\tdlfs0000\tsk0005.ini
    c:\tdsskiller_quarantine\17.06.2011_04.09.43\rtkt0000\tdlfs0000\tsk0006.ini
    c:\users\c.clan\AppData\Local\temp
    c:\users\CFEB2~1~CLA\AppData\Local\temp
    c:\users\Default\AppData\Local\temp
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_LAVASOFT_KERNEXPLORER
    -------\Service_Lavasoft Kernexplorer
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-22 to 2011-06-22 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-22 20:55 . 2011-06-22 20:56 -------- d-----w- c:\users\c.clan\AppData\Local\Temp
    2011-06-22 20:10 . 2011-06-22 20:10 -------- d-----w- c:\program files\7-Zip
    2011-06-22 19:39 . 2011-06-22 19:39 -------- d-----w- C:\_OTM
    2011-06-20 01:06 . 2011-06-20 01:06 -------- d-----w- c:\program files\ESET
    2011-06-15 01:00 . 2011-05-02 12:02 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-06-15 01:00 . 2010-12-20 16:35 563712 ----a-w- c:\windows\system32\oleaut32.dll
    2011-06-15 01:00 . 2011-05-02 17:16 739328 ----a-w- c:\windows\system32\inetcomm.dll
    2011-06-15 01:00 . 2011-04-14 14:59 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
    2011-06-15 01:00 . 2011-04-21 13:58 273408 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-06-15 01:00 . 2011-04-29 13:25 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-06-15 01:00 . 2011-04-29 13:25 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-06-15 01:00 . 2011-04-29 13:24 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-06-15 00:59 . 2011-04-29 13:24 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2011-06-15 00:59 . 2011-04-29 13:24 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-06-14 23:33 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2011-06-14 23:33 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2011-06-14 22:09 . 2011-02-16 14:02 292864 ----a-w- c:\windows\system32\atmfd.dll
    2011-06-14 22:09 . 2011-02-16 16:16 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-06-14 22:09 . 2011-02-18 14:03 305152 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-06-14 22:09 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-06-14 22:09 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
    2011-06-14 22:09 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-06-14 22:08 . 2011-03-02 15:44 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
    2011-06-14 22:08 . 2009-05-04 09:59 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
    2011-06-14 22:08 . 2011-03-03 13:25 2041856 ----a-w- c:\windows\system32\win32k.sys
    2011-06-14 22:08 . 2011-03-10 17:03 1162240 ----a-w- c:\windows\system32\mfc42u.dll
    2011-06-14 22:08 . 2011-03-10 17:03 1136640 ----a-w- c:\windows\system32\mfc42.dll
    2011-06-14 22:08 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-06-14 22:08 . 2011-02-22 13:23 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
    2011-06-14 20:48 . 2011-05-29 14:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-14 20:48 . 2011-06-14 20:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-14 20:48 . 2011-05-29 14:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-11 04:46 . 2011-06-11 04:46 -------- d-----w- c:\users\c.clan\AppData\Roaming\Malwarebytes
    2011-06-11 04:46 . 2011-06-11 04:46 -------- d-----w- c:\programdata\Malwarebytes
    2011-06-07 17:35 . 2011-06-07 17:35 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-06-20 06:54 . 2011-03-08 20:28 54248 ----a-w- c:\windows\system32\drivers\partmgr.sys
    2011-04-19 02:26 . 2011-04-19 02:25 624640 ----a-w- c:\windows\screensaver_ksbj.scr
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    --- c:\windows\system32\drivers\partmgr.sys ---
    Company: ------
    File Description: ------
    File Version: ------
    Product Name: ------
    Copyright: ------
    Original Filename: ------
    File size: 54248
    Created time: 2011-03-08 20:28
    Modified time: 2011-06-22 21:02
    MD5: 1C55C6BA3B3D1423F78692907E1C7881
    SHA1: 7AFC7826F7D1B0BC7C2E32CB9A69DCDAD68C8ECD
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-20 68856]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2010-06-04 822384]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-20 1838592]
    "ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "FaxCenterServer"="c:\program files\Dell PC Fax\fm3032.exe" [2006-11-03 312200]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
    "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
    "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
    "BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-02-06 622592]
    "ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 65536]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-05-02 1306216]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 1797008]
    "Bsecure"="c:\program files\Bsecure\BsecTray.exe" [2010-12-02 74592]
    "ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10o_ActiveX.exe" [2011-04-04 235168]
    .
    c:\users\c.clan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    CurseClientStartup.ccip [2010-12-5 0]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Camera Monitor SD.lnk - c:\program files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe [2011-5-21 541976]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-20 50688]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-06-12 135664]
    R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2010-07-21 44432]
    R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-03-13 85984]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R4 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-10-14 84072]
    S0 amacpi;Microsoft Away Mode System;c:\windows\system32\DRIVERS\null.sys [2008-01-19 4608]
    S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-03-13 64648]
    S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-03-13 163400]
    S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-05 77824]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-01-26 176128]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-01-27 284672]
    S2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-17 140224]
    S2 Bsecure;CloudCare;c:\program files\Bsecure\InetCtrl.exe [2010-12-02 55136]
    S2 BsecureAV;CloudCare AntiVirus;c:\program files\Bsecure\BsecAV.exe [2010-12-02 135080]
    S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
    S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 214904]
    S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-03-13 159832]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2011-03-13 148520]
    S3 amdiox86;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox86.sys [2010-02-18 37944]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-01-26 7566848]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-01-26 238592]
    S3 BSecACFltr;BSecACFltr;c:\windows\system32\DRIVERS\BSecACFltr.sys [2010-02-05 21624]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-03-13 57432]
    S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-03-13 337912]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - BsecureFilter
    *Deregistered* - mfeavfk01
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-12 05:50]
    .
    2011-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-12 05:50]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5080120
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    LSP: %ProgramFiles%\Bsecure\InetCtrl43.dll
    TCP: DhcpNameServer = 192.168.1.254
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-22 15:55
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partmgr]
    "ImagePath"="System32\drivers\partmgr.sy@"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\atieclxx.exe
    c:\windows\system32\DRIVERS\xaudio.exe
    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
    c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
    c:\program files\Bsecure\BSecAMX.exe
    c:\program files\Kodak\KODAK Share Button App\Listener.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    c:\windows\RtHDVCpl.exe
    c:\program files\Brother\ControlCenter3\brccMCtl.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
    .
    **************************************************************************
    .
    Completion time: 2011-06-22 16:05:35 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-06-22 21:05
    .
    Pre-Run: 237,737,926,656 bytes free
    Post-Run: 237,289,324,544 bytes free
    .
    - - End Of File - - 65A44AE9C4E871EEF69C36B1F617B0F7
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, looks good. I am just a bit concerned about C:\Windows\System32\drivers\partmgr.sys. Malware on this was removed, so I'm wondering if you had to replace the file and used a torrent site?

    Tell me how the system is doing- have the redirects been resolved?
     
  15. anxious

    anxious TS Rookie Topic Starter

    Yes, the computer has been behaving just fine! No more redirection or problems with IE shutting down for quite a while. I'm still putting off doing much online until I get the "all clear" from you, though. Better safe than sorry. lol

    I can't say I know what a torrent site is, but usually anytime we need to download something (like lavasoft's ad-aware), I use CNet. We get our music from Wal-Mart online. The only other thing I can think of right now, is that we used to play a game online, and we used Curse to get add-ons for that game.

    If we need to replace that file, please let me know where it is best to get it from and any special directions.

    Thank you so much for your help!!!
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    My apology- I thought I had finished you up! One of the mysteries of the internet. But I had a very nice weekend spending time with my family.

    Torrent sites are file sharing sites: BitTorrent, uTorrent are common ones. The partmgr.sys file is from the MS Operating system. One of the Eset entries was on this file, but it was removed.

    Your system is clean. The MBR check came back clean. You should be able to resume your safe surfing.
    ======================================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      • Choose Disk Cleanup
      • Click "OK" to select the partition or drive you want.
      • Click the "More Options" Tab.
      • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
    ====================================
    To help keep the system clean:
    Tips for added security and safer browsing: (Links are in Bold Blue)
    1. Browser Security
      • Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
      • ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
      • Replace the Hosts File
      • Google Toolbar Pop Up Blocker
      • Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show how the site rates for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
    2. Have layered Security:
      • Antivirus (only one): Both of the following programs are free and known to be good:
      • Avira-AntiVir-Personal-Free-Antivirus
      • Avast-Free Antivirus
      • Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
      • Comodo
      • Zone Alarm
    3. Antimalware: I recommend all of the following:
      • Spywareblaster: SpywareBlaster protects against bad ActiveX.
      • Spybot Search & Destroy
    4. Updates: Stay current:
      • Visit the Microsoft Download Site frequently. All updates marked Critical and the current SP updates.
      • Adobe Reader: Install current, uninstall old.
      • Java Updates: Install current, uninstall old.
    5. Tracking Cookies
      Reset Cookies:
      • For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      • For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      • For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    6. Do regular Maintenance
      • Temporary File Cleaner
    7. Restore Points:
      • See System Restore Guide
    8. Safe Email Handling
      • Don't open email from anyone you don't know.
      • Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      • Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Please let me know if you find any bad link.
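The thread's remaining open question is whether C:\Windows\System32\drivers\partmgr.sys is the genuine Microsoft file after the infection was removed. The ComboFix "Look" section above records the file's MD5 and SHA1, and the registry dump shows its service ImagePath. The following PowerShell is an added example, not part of this thread, ComboFix, or any other tool used here: it recomputes the two hashes and compares them to the logged values, asks System File Checker to verify the file against the Windows component store, reads the embedded Authenticode signature, and prints the service ImagePath with any non-printable characters made visible. It assumes Windows Vista with PowerShell 2.0 run from an elevated prompt (so Get-FileHash is not available and hashes are computed through .NET), and that sfc.exe writes its console output as UTF-16, which is why the console encoding is switched around the call.

```powershell
# Added example (not from the thread or its tools). Assumes Windows Vista,
# PowerShell 2.0, elevated prompt. Get-FileHash does not exist on PS 2.0,
# so hashes are computed with the .NET hash classes directly.

# Values copied from the ComboFix "Look" section posted in this thread.
$DriverPath = 'C:\Windows\System32\drivers\partmgr.sys'
$LoggedMD5  = '1C55C6BA3B3D1423F78692907E1C7881'
$LoggedSHA1 = '7AFC7826F7D1B0BC7C2E32CB9A69DCDAD68C8ECD'

function Get-LegacyFileHash {
    # Hex digest of a file using .NET, usable on PowerShell 2.0.
    param([string]$Path, [string]$Algorithm)
    $algo   = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $algo.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Get-VisibleString {
    # Escape anything outside printable ASCII so a malformed registry value
    # (such as a trailing control character) cannot hide in normal output.
    param([string]$Text)
    $parts = $Text.ToCharArray() | ForEach-Object {
        $code = [int]$_
        if ($code -lt 32 -or $code -gt 126) { '\x{0:X2}' -f $code } else { [string]$_ }
    }
    return ($parts -join '')
}

function Test-DriverFile {
    param([string]$Path, [string]$ExpectedMD5, [string]$ExpectedSHA1)

    # 1. Hashes versus what the scan log recorded. A mismatch means the file
    #    changed since the log was taken (Windows Update can also cause this).
    $md5  = Get-LegacyFileHash -Path $Path -Algorithm 'MD5'
    $sha1 = Get-LegacyFileHash -Path $Path -Algorithm 'SHA1'
    $hashesMatch = ($md5 -eq $ExpectedMD5) -and ($sha1 -eq $ExpectedSHA1)

    # 2. Embedded Authenticode signature. On Vista most inbox drivers are
    #    catalog-signed rather than embedded-signed, so "NotSigned" alone is not
    #    evidence of tampering; the sfc check below covers that case.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 3. System File Checker compares the file with the protected copy.
    #    sfc.exe emits UTF-16 on the console (assumption); switch the
    #    encoding so the captured text is matchable, then restore it.
    $savedEncoding = [Console]::OutputEncoding
    [Console]::OutputEncoding = [System.Text.Encoding]::Unicode
    try {
        $sfcOutput = & sfc.exe "/verifyfile=$Path" 2>&1 | Out-String
    } finally {
        [Console]::OutputEncoding = $savedEncoding
    }
    $sfcClean = $sfcOutput -match 'did not find any integrity violations'

    # 4. The service ImagePath, with non-printable characters made visible.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\partmgr'
    $imagePath = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath

    New-Object PSObject -Property @{
        Path            = $Path
        MD5             = $md5
        SHA1            = $sha1
        HashesMatchLog  = $hashesMatch
        SignatureStatus = $sig.Status
        SfcClean        = $sfcClean
        ImagePath       = (Get-VisibleString -Text $imagePath)
    }
}

Test-DriverFile -Path $DriverPath -ExpectedMD5 $LoggedMD5 -ExpectedSHA1 $LoggedSHA1 | Format-List
```

Read the four results together rather than singly: SfcClean is the authoritative answer for an inbox driver, HashesMatchLog only tells you whether the file is still the one the log described, SignatureStatus is informative only where the file carries an embedded signature, and an ImagePath containing escaped bytes is worth a closer look at the service key before trusting the driver.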
     
  17. anxious

    anxious TS Rookie Topic Starter

    Done, done and done! :) Thank you so much!!! I really appreciate you including safety tips; I have copied the links so I can go through each of them.

    PS: Glad you had a nice weekend! I hope you and your family follow it up with a great week, too! Take care!
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're very welcome. Stay safe!
     