TechSpot

Rootkit/Trojans; antivirus realtime protection won't run

By Barturo
Feb 17, 2012
  1. Hello TechSpot members!

    I am trying to clean up an XP Pro SP3 system that has/had a number of trojans on it. I ran Malwarebytes and found several trojans, which were then removed. However, I tried to install AVG Internet Security and it wouldn't load. I also tried to reinstall Symantec Endpoint Protection and it wouldn't load either. I was able to load Microsoft Security Essentials, but the antivirus realtime protection won't activate.

    I ran a scan with Microsoft Security Essentials and it found a potential hidden rootkit.

    I read the post on the Updated 5 Step Viruses/Spyware/Malware Preliminary Removal Instructions and created the Malwarebytes, GMER, and DDS logs. Here are the results:

    Malwarebytes
    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.16.01

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 6.0.2900.5512
    Friedrich :: COMPBarturo

    16.02.2012 12:46:27
    mbam-log-2012-02-16 (12-46-27).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 331948
    Time elapsed: 32 minute(s), 14 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\System Volume Information\_restore{A3C523B0-EC59-4D62-8E57-A0A4F452EA0B}\RP109\A0065983.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.

    (end)


    GMER
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-02-17 08:53:00
    Windows 5.1.2600 Service Pack 3
    Running: i8d65jei.exe


    ---- Services - GMER 1.0.15 ----

    Service C:\WINDOWS\System32\Drivers\11aa006c6c0ad6db.sys (*** hidden *** ) [BOOT] 11aa006c6c0ad6db <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.15 ----


    DDS
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_22
    Run by Barturo at 9:46:14 on 2012-02-17
    Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.3033.2438 [GMT 1:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Programme\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Programme\Bonjour\mDNSResponder.exe
    svchost.exe
    C:\Programme\Option\Driver Installer\GtDetectSc.exe
    C:\Programme\Gemeinsame Dateien\Fujitsu\Manageability\HaMDevMg.exe\1.01\HaMDevMg.exe
    C:\Programme\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Programme\Java\jre6\bin\jqs.exe
    C:\Notes\nsd.exe
    C:\Notes\nslsvice.exe
    C:\Notes\ntmulti.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Programme\Fujitsu\Mobile Software Suite\Common\UiMdmTip\UiMdmTip.exe
    C:\Programme\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Programme\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Programme\Nero\Nero BackItUp & Burn\Nero BackItUp\NBAgent.exe
    C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
    C:\Programme\Microsoft Security Client\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programme\Gemeinsame Dateien\Fujitsu\Manageability\CnMdKHkH.exe\1.01\CnMdKHkH.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Programme\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.de/
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [COMImpersonator] c:\programme\fujitsu\mobile software suite\common\uimdmtip\UiMdmTip.exe
    mRun: [IAAnotif] c:\programme\intel\intel matrix storage manager\iaanotif.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [SynTPEnh] c:\programme\synaptics\syntp\SynTPEnh.exe
    mRun: [Adobe Reader Speed Launcher] "c:\programme\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [NBAgent] "c:\programme\nero\nero backitup & burn\nero backitup\NBAgent.exe" /WinStart
    mRun: [SunJavaUpdateSched] "c:\programme\gemeinsame dateien\java\java update\jusched.exe"
    mRun: [APSDaemon] "c:\programme\gemeinsame dateien\apple\apple application support\APSDaemon.exe"
    mRun: [QuickTime Task] "c:\programme\quicktime\QTTask.exe" -atboottime
    mRun: [MSC] "c:\programme\microsoft security client\msseces.exe" -hide -runkey
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [BrowserChoice] "c:\windows\system32\browserchoice.exe" /run
    mPolicies-system: EnableLinkedConnections = 1 (0x1)
    IE: Nach Microsoft E&xel exportieren - c:\progra~1\office\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\office\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 12.127.16.68
    TCP: Interfaces\{DBFD8E5B-72D0-4542-9EEC-BA5C6134178C} : DhcpNameServer = 12.127.16.68
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath -
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\drivers\Si3531.sys [2011-8-23 210736]
    R2 GtDetectSc;GtDetectSc;c:\programme\option\driver installer\GtDetectSc.exe [2009-5-4 545792]
    R2 HaMDevMg.1.01;Fujitsu HaMDevMg.1.01;c:\programme\gemeinsame dateien\fujitsu\manageability\hamdevmg.exe\1.01\HaMDevMg.exe [2009-5-20 557056]
    R2 Lotus Notes Diagnostics;Lotus Notes-Diagnose;c:\notes\nsd.exe -svcinvoke -ini "c:\notes\notes.ini" --> c:\notes\nsd.exe -svcinvoke -ini c:\notes\notes.ini [?]
    R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Acceler.sys [2011-8-23 13312]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2011-8-23 244368]
    R3 FscGabi;FscGabi;c:\windows\system32\drivers\FscGabi.sys [2009-5-5 12288]
    R3 FSCSLII;FSCSLII;c:\windows\system32\drivers\FSCSLII.sys [2009-3-10 15360]
    R3 GTUHSBUS;GT UHS BUS;c:\windows\system32\drivers\gtuhsbus.sys [2009-5-13 66560]
    R3 GTUHSSER;GT UHS SER;c:\windows\system32\drivers\gtuhsser.sys [2009-5-13 8064]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2011-8-23 41216]
    S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
    S2 OS Selector;Acronis OS Selector activator;c:\oss\reinstall_svc.exe --> c:\oss\reinstall_svc.exe [?]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programme\gemeinsame dateien\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-12-1 106104]
    S3 GTUHSNDISIPXP;GT UHS IP NDIS;c:\windows\system32\drivers\gtuhs51.sys [2012-1-13 107776]
    .
    =============== Created Last 30 ================
    .
    2012-02-17 08:45:23 -------- d-----w- c:\windows\ms
    2012-02-16 14:54:52 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-02-16 14:52:40 6557240 ------w- c:\dokumente und einstellungen\all users\anwendungsdaten\microsoft\microsoft antimalware\definition updates\{2ef7e0f3-7a63-4856-8fc8-fd49052a564b}\mpengine.dll
    2012-02-16 14:47:22 -------- d-----w- c:\programme\Microsoft Security Client
    2012-02-16 13:13:18 -------- d-----w- c:\dokumente und einstellungen\friedrich\lokale einstellungen\anwendungsdaten\Apple Computer
    2012-02-16 13:04:04 76768 ----a-w- c:\windows\system32\drivers\fltsrv.sys
    2012-02-16 12:34:42 -------- d-----w- c:\windows\system32\NtmsData
    2012-02-16 11:46:07 -------- d-----w- c:\dokumente und einstellungen\friedrich\anwendungsdaten\Malwarebytes
    2012-02-16 11:34:22 388096 ----a-r- c:\dokumente und einstellungen\friedrich\anwendungsdaten\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2012-02-16 11:34:22 -------- d-----w- c:\programme\Trend Micro
    2012-02-16 11:24:13 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2012-02-16 11:02:24 -------- d--h--w- c:\dokumente und einstellungen\all users\anwendungsdaten\Common Files
    2012-02-16 11:01:52 -------- d-----w- c:\dokumente und einstellungen\all users\anwendungsdaten\AVG2012
    2012-02-16 10:55:31 -------- d-----w- c:\dokumente und einstellungen\all users\anwendungsdaten\MFAData
    2012-02-16 10:25:12 -------- d-----w- c:\dokumente und einstellungen\friedrich\lokale einstellungen\anwendungsdaten\Symantec
    2012-02-16 09:42:12 -------- d-----w- c:\dokumente und einstellungen\friedrich\lokale einstellungen\anwendungsdaten\WMTools Downloaded Files
    2012-02-16 09:06:00 -------- d-----w- c:\dokumente und einstellungen\all users\anwendungsdaten\Malwarebytes
    2012-02-16 09:05:59 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-16 09:05:59 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
    .
    ==================== Find3M ====================
    .
    2012-01-19 15:49:40 90112 ----a-w- c:\windows\DUMP53ad.tmp
    2012-01-03 15:59:41 90112 ----a-w- c:\windows\DUMP4a09.tmp
    2012-01-03 15:58:33 90112 ----a-w- c:\windows\DUMP4a58.tmp
    2012-01-03 14:55:17 90112 ----a-w- c:\windows\DUMP45e2.tmp
    2012-01-03 14:54:14 90112 ----a-w- c:\windows\DUMP47c7.tmp
    2012-01-03 14:53:19 90112 ----a-w- c:\windows\DUMP470b.tmp
    2012-01-02 14:02:06 90112 ----a-w- c:\windows\DUMP4b60.tmp
    2012-01-02 13:58:01 90112 ----a-w- c:\windows\DUMP4d16.tmp
    2012-01-02 13:57:03 90112 ----a-w- c:\windows\DUMP4e10.tmp
    2012-01-02 13:54:13 90112 ----a-w- c:\windows\DUMP4c1c.tmp
    2012-01-02 13:49:57 90112 ----a-w- c:\windows\DUMP5052.tmp
    2012-01-02 13:48:57 90112 ----a-w- c:\windows\DUMP4b80.tmp
    2012-01-02 13:47:57 90112 ----a-w- c:\windows\DUMP4baf.tmp
    2012-01-02 13:47:01 90112 ----a-w- c:\windows\DUMP4e9d.tmp
    2012-01-02 09:25:48 90112 ----a-w- c:\windows\DUMP4b12.tmp
    2012-01-02 09:24:25 90112 ----a-w- c:\windows\DUMP4a57.tmp
    2012-01-02 09:23:02 90112 ----a-w- c:\windows\DUMP4b22.tmp
    2012-01-02 09:21:39 90112 ----a-w- c:\windows\DUMP4cf7.tmp
    2012-01-02 09:20:43 90112 ----a-w- c:\windows\DUMP4da3.tmp
    2011-12-29 14:56:04 90112 ----a-w- c:\windows\DUMP443d.tmp
    2011-12-29 14:53:15 90112 ----a-w- c:\windows\DUMP43ee.tmp
    2011-12-29 14:52:19 90112 ----a-w- c:\windows\DUMP44e9.tmp
    2011-12-29 14:50:56 90112 ----a-w- c:\windows\DUMP445d.tmp
    2011-12-29 14:49:33 90112 ----a-w- c:\windows\DUMP43ff.tmp
    2011-12-29 14:48:38 90112 ----a-w- c:\windows\DUMP44e8.tmp
    2011-12-29 14:47:41 90112 ----a-w- c:\windows\DUMP447c.tmp
    2011-12-29 14:46:19 90112 ----a-w- c:\windows\DUMP46ec.tmp
    2011-12-29 14:45:23 90112 ----a-w- c:\windows\DUMP440d.tmp
    2011-12-29 14:41:46 90112 ----a-w- c:\windows\DUMP443c.tmp
    2011-12-29 14:40:52 90112 ----a-w- c:\windows\DUMP445c.tmp
    2011-12-29 14:33:55 90112 ----a-w- c:\windows\DUMP44c9.tmp
    2011-12-29 14:28:13 90112 ----a-w- c:\windows\DUMP4507.tmp
    2011-12-29 14:24:51 90112 ----a-w- c:\windows\DUMP449a.tmp
    2011-12-29 14:23:28 90112 ----a-w- c:\windows\DUMP447b.tmp
    2011-12-29 14:16:38 90112 ----a-w- c:\windows\DUMP469e.tmp
    2011-12-29 14:15:42 90112 ----a-w- c:\windows\DUMP43fe.tmp
    2011-12-23 13:58:28 44160 ----a-w- c:\windows\system32\drivers\11aa006c6c0ad6db.sys
    .
    ============= FINISH: 9:46:39,67 ===============


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 23.08.2011 16:52:39
    System Uptime: 17.02.2012 08:50:39 (1 hours ago)
    .
    Motherboard: FUJITSU SIEMENS | | S118DB
    Processor: Intel Pentium III Xeon-Prozessor | U2E1 | 2526/mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 466 GiB total, 404,245 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: GlobeTrotter MO40x - Network Interface
    Device ID: OPTIONBUS\GTHSM_NET\6&249E3588&0&1
    Manufacturer: Option
    Name: GlobeTrotter MO40x - Network Interface
    PNP Device ID: OPTIONBUS\GTHSM_NET\6&249E3588&0&1
    Service: GTUHSNDISIPXP
    .
    ==== System Restore Points ===================
    .
    RP80: 19.11.2011 15:36:59 - Systemprüfpunkt
    RP81: 21.11.2011 07:30:12 - Systemprüfpunkt
    RP82: 22.11.2011 10:37:01 - Systemprüfpunkt
    RP83: 24.11.2011 12:03:16 - Systemprüfpunkt
    RP84: 28.11.2011 09:25:23 - Systemprüfpunkt
    RP85: 29.11.2011 14:17:35 - Systemprüfpunkt
    RP86: 01.12.2011 15:52:55 - Systemprüfpunkt
    RP87: 05.12.2011 07:43:01 - Systemprüfpunkt
    RP88: 06.12.2011 07:59:49 - Systemprüfpunkt
    RP89: 08.12.2011 09:30:37 - Systemprüfpunkt
    RP90: 09.12.2011 10:02:58 - Systemprüfpunkt
    RP91: 11.12.2011 18:51:46 - Systemprüfpunkt
    RP92: 13.12.2011 07:59:39 - Systemprüfpunkt
    RP93: 15.12.2011 16:09:39 - Systemprüfpunkt
    RP94: 16.12.2011 16:54:08 - Systemprüfpunkt
    RP95: 19.12.2011 13:30:16 - Systemprüfpunkt
    RP96: 21.12.2011 14:14:15 - Systemprüfpunkt
    RP97: 22.12.2011 19:30:18 - Systemprüfpunkt
    RP98: 24.12.2011 12:04:16 - Systemprüfpunkt
    RP99: 27.12.2011 09:57:29 - Systemprüfpunkt
    RP100: 28.12.2011 18:47:21 - Systemprüfpunkt
    RP101: 02.01.2012 12:48:15 - Systemprüfpunkt
    RP102: 03.01.2012 13:52:09 - Systemprüfpunkt
    RP103: 04.01.2012 14:24:13 - Systemprüfpunkt
    RP104: 05.01.2012 15:30:50 - Systemprüfpunkt
    RP105: 09.01.2012 12:51:13 - Systemprüfpunkt
    RP106: 12.01.2012 17:14:54 - Removed Vodafone Mobile Connect.
    RP107: 18.01.2012 16:21:56 - Removed Symantec Endpoint Protection.
    RP108: 18.01.2012 16:32:47 - Removed Adobe Acrobat 8 Professional - English, Français, Deutsch
    RP109: 16.02.2012 09:51:20 - Removed Lotus Notes 8.5 Deployment Patch.
    RP110: 16.02.2012 11:21:47 - Installed Symantec Endpoint Protection.
    RP111: 16.02.2012 11:43:26 - Removed Symantec Endpoint Protection.
    RP112: 16.02.2012 12:01:14 - AVG 2012 wurde installiert
    RP113: 16.02.2012 12:02:20 - AVG 2012 wurde installiert
    RP114: 16.02.2012 12:02:22 - AVG 2012 wurde entfernt
    RP115: 16.02.2012 12:34:21 - Installed HiJackThis
    RP116: 16.02.2012 14:04:06 - Installed Acronis*Disk*Director*11*Home
    RP117: 16.02.2012 14:06:29 - Installed Acronis*Disk*Director*11*Home
    RP118: 16.02.2012 14:08:24 - Installed Acronis*Disk*Director*11*Home
    RP119: 16.02.2012 14:10:28 - Installed Acronis*Disk*Director*11*Home
    RP120: 16.02.2012 14:11:35 - Skype™ 5.6 wird entfernt
    RP121: 16.02.2012 14:13:11 - iTunes wird entfernt
    .
    ==== Installed Programs ======================
    .
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office system
    7-Zip 4.65
    Activation Assistant for the 2007 Microsoft Office suites
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 11 ActiveX
    Adobe Reader 9.0.1 - Deutsch
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Bonjour
    Brother HL-5240
    CFiles Backup
    Configuration Manager Client
    CorelDRAW Graphics Suite 12
    Driver Installer
    Driver Installer
    FreeMind
    HiJackThis
    Hotfix für Windows XP (KB2443685)
    Hotfix für Windows XP (KB942288-v3)
    Hotfix für Windows XP (KB952287)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB976002-v5)
    Intel(R) Graphics Media Accelerator Driver
    Intel® Matrix Storage Manager
    Java Auto Updater
    Java(TM) 6 Update 22
    JDE ActiveX Controls
    JDEShortcuts
    Kalender-Excel-8.8
    Lotus Notes 8.5 de
    Malwarebytes Anti-Malware version 1.60.1.1000
    Media Player Codec Pack 4.1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 German Language Pack
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - DEU
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Antimalware
    Microsoft Antimalware Service DE-DE Language Pack
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office Access MUI (German) 2007
    Microsoft Office Excel MUI (German) 2007
    Microsoft Office Outlook MUI (German) 2007
    Microsoft Office PowerPoint MUI (German) 2007
    Microsoft Office Professional Hybrid 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (German) 2007
    Microsoft Office Proof (Italian) 2007
    Microsoft Office Proofing (German) 2007
    Microsoft Office Publisher MUI (German) 2007
    Microsoft Office Shared MUI (German) 2007
    Microsoft Office Word MUI (German) 2007
    Microsoft Primary Interoperability Assemblies 2005
    Microsoft Security Client
    Microsoft Security Client DE-DE Language Pack
    Microsoft Security Essentials
    Microsoft Software Update for Web Folders (German) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MobileSoftwareSuite
    Mozilla Firefox 6.0 (x86 de)
    MSXML 4.0 SP2 Parser und SDK
    Nero BackItUp
    Nero BackItUp and Burn
    Nero BurnRights
    Nero Express
    Nero RescueAgent
    OZ776 SCR Driver V1.1.4.204
    Pointofix
    Print Server Utilities
    QuickTime
    RDC
    Realtek High Definition Audio Driver
    Safari
    Sicherheitsupdate für Step by Step Interactive Training (KB923723)
    Sicherheitsupdate für Windows Media Player (KB2378111)
    Sicherheitsupdate für Windows Media Player (KB952069)
    Sicherheitsupdate für Windows Media Player (KB954155)
    Sicherheitsupdate für Windows Media Player (KB973540)
    Sicherheitsupdate für Windows Media Player (KB975558)
    Sicherheitsupdate für Windows Media Player (KB978695)
    Sicherheitsupdate für Windows XP (KB2079403)
    Sicherheitsupdate für Windows XP (KB2229593)
    Sicherheitsupdate für Windows XP (KB2296011)
    Sicherheitsupdate für Windows XP (KB2360937)
    Sicherheitsupdate für Windows XP (KB2387149)
    Sicherheitsupdate für Windows XP (KB2393802)
    Sicherheitsupdate für Windows XP (KB2412687)
    Sicherheitsupdate für Windows XP (KB2419632)
    Sicherheitsupdate für Windows XP (KB2423089)
    Sicherheitsupdate für Windows XP (KB2440591)
    Sicherheitsupdate für Windows XP (KB2443105)
    Sicherheitsupdate für Windows XP (KB2476490)
    Sicherheitsupdate für Windows XP (KB2478960)
    Sicherheitsupdate für Windows XP (KB2478971)
    Sicherheitsupdate für Windows XP (KB2479943)
    Sicherheitsupdate für Windows XP (KB2483185)
    Sicherheitsupdate für Windows XP (KB2485663)
    Sicherheitsupdate für Windows XP (KB2503665)
    Sicherheitsupdate für Windows XP (KB2507938)
    Sicherheitsupdate für Windows XP (KB2508272)
    Sicherheitsupdate für Windows XP (KB2524375)
    Sicherheitsupdate für Windows XP (KB2535512)
    Sicherheitsupdate für Windows XP (KB2536276-v2)
    Sicherheitsupdate für Windows XP (KB2544521)
    Sicherheitsupdate für Windows XP (KB2544893)
    Sicherheitsupdate für Windows XP (KB2555917)
    Sicherheitsupdate für Windows XP (KB2562937)
    Sicherheitsupdate für Windows XP (KB2566454)
    Sicherheitsupdate für Windows XP (KB2570222)
    Sicherheitsupdate für Windows XP (KB923561)
    Sicherheitsupdate für Windows XP (KB950762)
    Sicherheitsupdate für Windows XP (KB950974)
    Sicherheitsupdate für Windows XP (KB951376-v2)
    Sicherheitsupdate für Windows XP (KB956572)
    Sicherheitsupdate für Windows XP (KB956744)
    Sicherheitsupdate für Windows XP (KB956802)
    Sicherheitsupdate für Windows XP (KB956844)
    Sicherheitsupdate für Windows XP (KB958644)
    Sicherheitsupdate für Windows XP (KB959426)
    Sicherheitsupdate für Windows XP (KB960803)
    Sicherheitsupdate für Windows XP (KB971657)
    Sicherheitsupdate für Windows XP (KB972270)
    Sicherheitsupdate für Windows XP (KB973869)
    Sicherheitsupdate für Windows XP (KB973904)
    Sicherheitsupdate für Windows XP (KB974112)
    Sicherheitsupdate für Windows XP (KB974392)
    Sicherheitsupdate für Windows XP (KB974571)
    Sicherheitsupdate für Windows XP (KB975025)
    Sicherheitsupdate für Windows XP (KB975560)
    Sicherheitsupdate für Windows XP (KB975562)
    Sicherheitsupdate für Windows XP (KB975713)
    Sicherheitsupdate für Windows XP (KB977816)
    Sicherheitsupdate für Windows XP (KB977914)
    Sicherheitsupdate für Windows XP (KB978601)
    Sicherheitsupdate für Windows XP (KB979309)
    Sicherheitsupdate für Windows XP (KB979482)
    Sicherheitsupdate für Windows XP (KB981322)
    Sicherheitsupdate für Windows XP (KB981997)
    Sicherheitsupdate für Windows XP (KB982665)
    Synaptics Pointing Device Driver
    Tinypic 3.18
    Update für Windows XP (KB898461)
    Update für Windows XP (KB951978)
    Update für Windows XP (KB955759)
    Update für Windows XP (KB971029)
    Update für Windows XP (KB973687)
    WebFldrs XP
    WIMGAPI
    Windows Media Format 11 runtime
    Windows Media Player 11
    .
    ==== End Of File ===========================


    Thanks in advance for your assistance!
     
  2. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===================================================================

    Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders, UN-check Hide protected operating system files.
    NOTE. Make sure to reverse the above changes, when done with this step.
    Upload following files to http://www.virustotal.com/ for security check:
    - C:\WINDOWS\System32\Drivers\11aa006c6c0ad6db.sys
    IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
     
  3. Barturo

    Barturo TS Rookie Topic Starter

    VirusTotal Scan Results

    Broni...thank you for your assistance with this problem. I have scanned the suspicious file using VirusTotal and the results were Detection Ratio: 0/43
     
  4. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ==================================================================

    Download BTKR_RunBox to your desktop.

    Double click on downloaded BTKR_RunBox.exe file.
    Small RunBox DOS window will open.
    Press any key to continue.
    Press "1" to select "Run a scan with Bootkit Remover" option.
    Press "Enter".
    Press "Enter" one more time to generate log.
    Click OK, IF any "Warning" message pops up.
    Notepad will open with Bootkit Remover log.
    Copy the content and post it in your next reply.
    In RunBox press "4" then Enter to exit it.

    NOTE. In case you lost the log it's also located on your desktop as "scan.txt"
     
  5. Barturo

    Barturo TS Rookie Topic Starter

    Scans Completed--aswMBR and BTKR_Runbox

    Broni,

    I ran the scans as directed. Here are the results:

    ASWMBR:
    aswMBR version 0.9.9.1618 Copyright(c) 2011 AVAST Software
    Run date: 2012-02-21 08:39:56
    -----------------------------
    08:39:56.750 OS Version: Windows 5.1.2600 Service Pack 3
    08:39:56.750 Number of processors: 2 586 0x170A
    08:39:56.750 ComputerName: COMPBarturo UserName: Barturo
    08:39:57.984 Initialze error C0000001 - driver not loaded
    08:41:18.718 AVAST engine defs: 12022002
    08:41:25.953 Service scanning
    08:41:26.359 Service 11aa006c6c0ad6db C:\WINDOWS\System32\Drivers\11aa006c6c0ad6db.sys **HIDDEN**
    08:41:40.296 Modules scanning
    08:41:40.296 Disk 0 trace - called modules:
    08:41:40.296
    08:41:41.671 AVAST engine scan C:\WINDOWS
    08:41:49.890 AVAST engine scan C:\WINDOWS\system32
    08:43:16.437 AVAST engine scan C:\WINDOWS\system32\drivers
    08:43:16.640 File: C:\WINDOWS\system32\drivers\11aa006c6c0ad6db.sys **INFECTED** Win32:Rootkit-gen [Rtk]
    08:43:23.593 AVAST engine scan C:\Dokumente und Einstellungen\Barturo
    08:43:47.531 AVAST engine scan C:\Dokumente und Einstellungen\All Users
    08:44:11.937 Scan finished successfully
    08:49:30.531 The log file has been saved successfully to "C:\Dokumente und Einstellungen\Barturo\Desktop\aswMBR.txt"

    BTKR_RunBox:
    .\debug.cpp(238) : Debug log started at 21.02.2012 - 08:06:09
    .\boot_cleaner.cpp(527) : Bootkit Remover
    .\boot_cleaner.cpp(528) : (c) 2009 eSage Lab
    .\boot_cleaner.cpp(529) : www.esagelab.com
    .\boot_cleaner.cpp(533) : Program version: 1.2.0.0
    .\boot_cleaner.cpp(540) : OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    .\debug.cpp(248) : **********************************************
    .\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
    .\debug.cpp(250) : **********************************************
    .\debug.cpp(256) : 0x804d7000 0x0020f000 "\WINDOWS\system32\ntkrnlpa.exe"
    .\debug.cpp(256) : 0x806e6000 0x00020d00 "\WINDOWS\system32\hal.dll"
    .\debug.cpp(256) : 0xba5a8000 0x00002000 "\WINDOWS\system32\KDCOM.DLL"
    .\debug.cpp(256) : 0xba4b8000 0x00003000 "\WINDOWS\system32\BOOTVID.dll"
    .\debug.cpp(256) : 0x8aac8000 0x0000c000 "11aa006c6c0ad6db.sys"
    .\debug.cpp(256) : 0xb9f78000 0x0002f000 "ACPI.sys"
    .\debug.cpp(256) : 0xba5aa000 0x00002000 "\WINDOWS\system32\DRIVERS\WMILIB.SYS"
    .\debug.cpp(256) : 0xb9f67000 0x00011000 "pci.sys"
    .\debug.cpp(256) : 0xba0b8000 0x0000a000 "isapnp.sys"
    .\debug.cpp(256) : 0xba4bc000 0x00003000 "compbatt.sys"
    .\debug.cpp(256) : 0xba4c0000 0x00004000 "\WINDOWS\system32\DRIVERS\BATTC.SYS"
    .\debug.cpp(256) : 0xb9f49000 0x0001e000 "pcmcia.sys"
    .\debug.cpp(256) : 0xba0c8000 0x0000b000 "MountMgr.sys"
    .\debug.cpp(256) : 0xb9f2a000 0x0001f000 "ftdisk.sys"
    .\debug.cpp(256) : 0xba5ac000 0x00002000 "dmload.sys"
    .\debug.cpp(256) : 0xb9f04000 0x00026000 "dmio.sys"
    .\debug.cpp(256) : 0xba4c4000 0x00003000 "ACPIEC.sys"
    .\debug.cpp(256) : 0xba670000 0x00001000 "\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS"
    .\debug.cpp(256) : 0xba328000 0x00005000 "PartMgr.sys"
    .\debug.cpp(256) : 0xba0d8000 0x0000e000 "VolSnap.sys"
    .\debug.cpp(256) : 0xb9e34000 0x000d0000 "iaStor.sys"
    .\debug.cpp(256) : 0xb9dfe000 0x00036000 "Si3531.sys"
    .\debug.cpp(256) : 0xb9de6000 0x00018000 "\WINDOWS\system32\DRIVERS\SCSIPORT.SYS"
    .\debug.cpp(256) : 0xba0e8000 0x00009000 "disk.sys"
    .\debug.cpp(256) : 0xba0f8000 0x0000d000 "\WINDOWS\system32\DRIVERS\CLASSPNP.SYS"
    .\debug.cpp(256) : 0xb9dc6000 0x00020000 "fltMgr.sys"
    .\debug.cpp(256) : 0xb9db4000 0x00012000 "sr.sys"
    .\debug.cpp(256) : 0xba4c8000 0x00003000 "SiWinAcc.sys"
    .\debug.cpp(256) : 0xb9d9d000 0x00017000 "KSecDD.sys"
    .\debug.cpp(256) : 0xb9d10000 0x0008d000 "Ntfs.sys"
    .\debug.cpp(256) : 0xb9ce3000 0x0002d000 "NDIS.sys"
    .\debug.cpp(256) : 0xba5ae000 0x00002000 "SiRemFil.sys"
    .\debug.cpp(256) : 0xb9cc9000 0x0001a000 "Mup.sys"
    .\debug.cpp(256) : 0xba7db000 0x00001000 "\SystemRoot\system32\DRIVERS\smsmdm.sys"
    .\debug.cpp(256) : 0xb88a7000 0x00014000 "\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS"
    .\debug.cpp(256) : 0xb82e2000 0x005c5000 "\SystemRoot\system32\DRIVERS\igxpmp32.sys"
    .\debug.cpp(256) : 0xad743000 0x0003e000 "\SystemRoot\system32\DRIVERS\e1y5132.sys"
    .\debug.cpp(256) : 0xaf15f000 0x00006000 "\SystemRoot\system32\DRIVERS\usbuhci.sys"
    .\debug.cpp(256) : 0xad71f000 0x00024000 "\SystemRoot\system32\DRIVERS\USBPORT.SYS"
    .\debug.cpp(256) : 0xadf8b000 0x00008000 "\SystemRoot\system32\DRIVERS\usbehci.sys"
    .\debug.cpp(256) : 0xad6f7000 0x00028000 "\SystemRoot\system32\DRIVERS\HDAudBus.sys"
    .\debug.cpp(256) : 0xad37f000 0x00378000 "\SystemRoot\system32\DRIVERS\NETw5x32.sys"
    .\debug.cpp(256) : 0xaf1ab000 0x00004000 "\SystemRoot\system32\DRIVERS\CmBatt.sys"
    .\debug.cpp(256) : 0xadbc8000 0x00010000 "\SystemRoot\system32\DRIVERS\serial.sys"
    .\debug.cpp(256) : 0xae8ef000 0x00004000 "\SystemRoot\system32\DRIVERS\serenum.sys"
    .\debug.cpp(256) : 0xad36b000 0x00014000 "\SystemRoot\system32\DRIVERS\parport.sys"
    .\debug.cpp(256) : 0xb47b3000 0x0000d000 "\SystemRoot\system32\DRIVERS\i8042prt.sys"
    .\debug.cpp(256) : 0xadf73000 0x00007000 "\SystemRoot\system32\DRIVERS\kbdclass.sys"
    .\debug.cpp(256) : 0xad334000 0x00037000 "\SystemRoot\system32\DRIVERS\SynTP.sys"
    .\debug.cpp(256) : 0xba62e000 0x00002000 "\SystemRoot\system32\DRIVERS\USBD.SYS"
    .\debug.cpp(256) : 0xadf5b000 0x00006000 "\SystemRoot\system32\DRIVERS\mouclass.sys"
    .\debug.cpp(256) : 0xba128000 0x0000b000 "\SystemRoot\system32\DRIVERS\imapi.sys"
    .\debug.cpp(256) : 0xb88bb000 0x00010000 "\SystemRoot\system32\DRIVERS\cdrom.sys"
    .\debug.cpp(256) : 0xb303d000 0x0000f000 "\SystemRoot\system32\DRIVERS\redbook.sys"
    .\debug.cpp(256) : 0xad311000 0x00023000 "\SystemRoot\system32\DRIVERS\ks.sys"
    .\debug.cpp(256) : 0xadf4b000 0x00008000 "\SystemRoot\system32\DRIVERS\Acceler.sys"
    .\debug.cpp(256) : 0xae8d7000 0x00004000 "\SystemRoot\system32\DRIVERS\FSCSLII.sys"
    .\debug.cpp(256) : 0xae8cf000 0x00003000 "\SystemRoot\system32\DRIVERS\FscGabi.sys"
    .\debug.cpp(256) : 0xb2ffd000 0x0000b000 "\SystemRoot\system32\DRIVERS\IFXTPM.SYS"
    .\debug.cpp(256) : 0xb2fdd000 0x0000a000 "\SystemRoot\system32\DRIVERS\intelppm.sys"
    .\debug.cpp(256) : 0xadecd000 0x00001000 "\SystemRoot\system32\DRIVERS\audstub.sys"
    .\debug.cpp(256) : 0xb2fad000 0x0000d000 "\SystemRoot\system32\DRIVERS\rasl2tp.sys"
    .\debug.cpp(256) : 0xade65000 0x00003000 "\SystemRoot\system32\DRIVERS\ndistapi.sys"
    .\debug.cpp(256) : 0xad2fa000 0x00017000 "\SystemRoot\system32\DRIVERS\ndiswan.sys"
    .\debug.cpp(256) : 0xba2c8000 0x0000b000 "\SystemRoot\system32\DRIVERS\raspppoe.sys"
    .\debug.cpp(256) : 0xba2e8000 0x0000c000 "\SystemRoot\system32\DRIVERS\raspptp.sys"
    .\debug.cpp(256) : 0xadcc8000 0x00005000 "\SystemRoot\system32\DRIVERS\TDI.SYS"
    .\debug.cpp(256) : 0xad2e9000 0x00011000 "\SystemRoot\system32\DRIVERS\psched.sys"
    .\debug.cpp(256) : 0xba318000 0x00009000 "\SystemRoot\system32\DRIVERS\msgpc.sys"
    .\debug.cpp(256) : 0xadcb8000 0x00005000 "\SystemRoot\system32\DRIVERS\ptilink.sys"
    .\debug.cpp(256) : 0xadca8000 0x00005000 "\SystemRoot\system32\DRIVERS\raspti.sys"
    .\debug.cpp(256) : 0xad2b9000 0x00030000 "\SystemRoot\system32\DRIVERS\rdpdr.sys"
    .\debug.cpp(256) : 0xba178000 0x0000a000 "\SystemRoot\system32\DRIVERS\termdd.sys"
    .\debug.cpp(256) : 0xba632000 0x00002000 "\SystemRoot\system32\DRIVERS\swenum.sys"
    .\debug.cpp(256) : 0xad25b000 0x0005e000 "\SystemRoot\system32\DRIVERS\update.sys"
    .\debug.cpp(256) : 0xade45000 0x00004000 "\SystemRoot\system32\DRIVERS\mssmbios.sys"
    .\debug.cpp(256) : 0xb4d44000 0x0000a000 "\SystemRoot\System32\Drivers\NDProxy.SYS"
    .\debug.cpp(256) : 0xb47f3000 0x0000f000 "\SystemRoot\system32\DRIVERS\usbhub.sys"
    .\debug.cpp(256) : 0x9caea000 0x004b1000 "\SystemRoot\system32\drivers\RtkHDAud.sys"
    .\debug.cpp(256) : 0x9cac6000 0x00024000 "\SystemRoot\system32\drivers\portcls.sys"
    .\debug.cpp(256) : 0xba1f8000 0x0000f000 "\SystemRoot\system32\drivers\drmk.sys"
    .\debug.cpp(256) : 0xb4de8000 0x00003000 "\SystemRoot\System32\Drivers\i2omgmt.SYS"
    .\debug.cpp(256) : 0xaf0bb000 0x00002000 "\SystemRoot\System32\Drivers\Fs_Rec.SYS"
    .\debug.cpp(256) : 0xad982000 0x00001000 "\SystemRoot\System32\Drivers\Null.SYS"
    .\debug.cpp(256) : 0xaf0b7000 0x00002000 "\SystemRoot\System32\Drivers\Beep.SYS"
    .\debug.cpp(256) : 0xba468000 0x00007000 "\SystemRoot\system32\DRIVERS\HIDPARSE.SYS"
    .\debug.cpp(256) : 0xba478000 0x00006000 "\SystemRoot\System32\drivers\vga.sys"
    .\debug.cpp(256) : 0xaf0b3000 0x00002000 "\SystemRoot\System32\Drivers\mnmdd.SYS"
    .\debug.cpp(256) : 0xaf0af000 0x00002000 "\SystemRoot\System32\DRIVERS\RDPCDD.sys"
    .\debug.cpp(256) : 0xb4043000 0x00005000 "\SystemRoot\System32\Drivers\Msfs.SYS"
    .\debug.cpp(256) : 0xb4033000 0x00008000 "\SystemRoot\System32\Drivers\Npfs.SYS"
    .\debug.cpp(256) : 0xb3069000 0x00003000 "\SystemRoot\system32\DRIVERS\rasacd.sys"
    .\debug.cpp(256) : 0x9ca93000 0x00013000 "\SystemRoot\system32\DRIVERS\ipsec.sys"
    .\debug.cpp(256) : 0x9ca3a000 0x00059000 "\SystemRoot\system32\DRIVERS\tcpip.sys"
    .\debug.cpp(256) : 0x9ca12000 0x00028000 "\SystemRoot\system32\DRIVERS\netbt.sys"
    .\debug.cpp(256) : 0x9c9ec000 0x00026000 "\SystemRoot\system32\DRIVERS\ipnat.sys"
    .\debug.cpp(256) : 0xb4db4000 0x00009000 "\SystemRoot\system32\DRIVERS\wanarp.sys"
    .\debug.cpp(256) : 0x9c9ca000 0x00022000 "\SystemRoot\System32\drivers\afd.sys"
    .\debug.cpp(256) : 0xb4d54000 0x00009000 "\SystemRoot\system32\DRIVERS\netbios.sys"
    .\debug.cpp(256) : 0x9c99f000 0x0002b000 "\SystemRoot\system32\DRIVERS\rdbss.sys"
    .\debug.cpp(256) : 0x9c92f000 0x00070000 "\SystemRoot\system32\DRIVERS\mrxsmb.sys"
    .\debug.cpp(256) : 0xadfee000 0x0000b000 "\SystemRoot\System32\Drivers\Fips.SYS"
    .\debug.cpp(256) : 0xadfbe000 0x00010000 "\SystemRoot\System32\Drivers\Cdfs.SYS"
    .\debug.cpp(256) : 0xb23a4000 0x00008000 "\SystemRoot\system32\DRIVERS\usbccgp.sys"
    .\debug.cpp(256) : 0x9c911000 0x0001e000 "\SystemRoot\System32\Drivers\usbvideo.sys"
    .\debug.cpp(256) : 0x9c900000 0x00011000 "\SystemRoot\system32\DRIVERS\gtuhsbus.sys"
    .\debug.cpp(256) : 0xadc18000 0x00010000 "\SystemRoot\System32\Drivers\oz776.sys"
    .\debug.cpp(256) : 0xb9c5c000 0x00004000 "\SystemRoot\System32\Drivers\SMCLIB.SYS"
    .\debug.cpp(256) : 0xae1dd000 0x00002000 "\SystemRoot\system32\DRIVERS\gtuhsser.sys"
    .\debug.cpp(256) : 0xb2394000 0x00008000 "\SystemRoot\System32\Drivers\Modem.SYS"
    .\debug.cpp(256) : 0x9c830000 0x000d0000 "\SystemRoot\System32\Drivers\dump_iaStor.sys"
    .\debug.cpp(256) : 0xbf800000 0x001c6000 "\SystemRoot\System32\win32k.sys"
    .\debug.cpp(256) : 0xb9478000 0x00003000 "\SystemRoot\System32\drivers\Dxapi.sys"
    .\debug.cpp(256) : 0xba488000 0x00005000 "\SystemRoot\System32\watchdog.sys"
    .\debug.cpp(256) : 0xbf000000 0x00012000 "\SystemRoot\System32\drivers\dxg.sys"
    .\debug.cpp(256) : 0xb2fa6000 0x00001000 "\SystemRoot\System32\drivers\dxgthk.sys"
    .\debug.cpp(256) : 0xbf024000 0x00034000 "\SystemRoot\System32\igxpgd32.dll"
    .\debug.cpp(256) : 0xbf012000 0x00012000 "\SystemRoot\System32\igxprd32.dll"
    .\debug.cpp(256) : 0xbf058000 0x0023f000 "\SystemRoot\System32\igxpdv32.DLL"
    .\debug.cpp(256) : 0xbf297000 0x0034d000 "\SystemRoot\System32\igxpdx32.DLL"
    .\debug.cpp(256) : 0xbffa0000 0x00046000 "\SystemRoot\System32\ATMFD.DLL"
    .\debug.cpp(256) : 0xba588000 0x00004000 "\SystemRoot\system32\DRIVERS\ndisuio.sys"
    .\debug.cpp(256) : 0x9c69b000 0x0002d000 "\SystemRoot\system32\DRIVERS\mrxdav.sys"
    .\debug.cpp(256) : 0xaf157000 0x00005000 "\SystemRoot\System32\drivers\BrPar.sys"
    .\debug.cpp(256) : 0x9c5a1000 0x00052000 "\SystemRoot\system32\DRIVERS\srv.sys"
    .\debug.cpp(256) : 0x9c26c000 0x00015000 "\SystemRoot\system32\drivers\wdmaud.sys"
    .\debug.cpp(256) : 0x9c3e1000 0x0000f000 "\SystemRoot\system32\drivers\sysaudio.sys"
    .\debug.cpp(256) : 0x9be93000 0x00041000 "\SystemRoot\System32\Drivers\HTTP.sys"
    .\debug.cpp(256) : 0x9ae9b000 0x0002b000 "\SystemRoot\system32\drivers\kmixer.sys"
    .\debug.cpp(256) : 0x7c910000 0x000b9000 "\WINDOWS\system32\ntdll.dll"
    .\debug.cpp(263) : **********************************************
    .\debug.cpp(307) : *** [ DEVICE OBJECTS INFORMATION ] ***********
    .\debug.cpp(308) : **********************************************
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#ThermalZone#TZ00#{4afa3d51-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000048"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY1"
    .\debug.cpp(400) : Destination "\Device\Video0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0262&SUBSYS_17341141&REV_1002#4&195b76e8&0&0001#{86841137-ed8e-4d97-9975-f2ed56b4430e}"
    .\debug.cpp(400) : Destination "\Device\00000090"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDIS"
    .\debug.cpp(400) : Destination "\Device\Ndis"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\D:"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{d40214f8-cd94-11e0-b8a6-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0C#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000044"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmIoDaemon"
    .\debug.cpp(400) : Destination "\Device\DmControl\DmIoDaemon"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_23#_1#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPPOEMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000031"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{71985f4a-1ca1-11d3-9cc8-00c04f7971e0}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY2"
    .\debug.cpp(400) : Destination "\Device\Video1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0303#4&ff861e6&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\0000006f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ffbb6e3f-ccfe-4d84-90d9-421418b03a8e}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY3"
    .\debug.cpp(400) : Destination "\Device\Video2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0b97&Pid_7772#6&2b98534c&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-12"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ip"
    .\debug.cpp(400) : Destination "\Device\Ip"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0D#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000043"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANIP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000030"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&3a74505e&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&1fc407&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0400#5&33643bb5&0#{97f76ef0-f883-11d0-af1f-0000f800845c}"
    .\debug.cpp(400) : Destination "\Device\00000072"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY4"
    .\debug.cpp(400) : Destination "\Device\Video3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPSECDev"
    .\debug.cpp(400) : Destination "\Device\IPSEC"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9aa4a2cc-81e0-4cfd-802f-0f74526d2bd3}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{2AAC6AF7-74BE-4CBF-A7BC-E047F11FAC51}"
    .\debug.cpp(400) : Destination "\Device\{2AAC6AF7-74BE-4CBF-A7BC-E047F11FAC51}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY5"
    .\debug.cpp(400) : Destination "\Device\Video4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\gtuhsbus0"
    .\debug.cpp(400) : Destination "\Device\GTUHSBus0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0262&SUBSYS_17341141&REV_1002#4&195b76e8&0&0001#{dda54a40-1e4c-11d1-a050-405705c10000}"
    .\debug.cpp(400) : Destination "\Device\00000090"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDPROXY"
    .\debug.cpp(400) : Destination "\Device\NDProxy"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\RdpDrDvMgr"
    .\debug.cpp(400) : Destination "\Device\RdpDrDvMgr"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{fd0a5af4-b41d-11d2-9c95-00c04f7971e0}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3c0d501a-140b-11d1-b40f-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2939&SUBSYS_11411734&REV_03#3&11583659&0&D2#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0006"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY6"
    .\debug.cpp(400) : Destination "\Device\Video5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CompositeBattery"
    .\debug.cpp(400) : Destination "\Device\CompositeBattery"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0A#1#{72631e54-78a4-11d0-bcf7-00aa00b7b32a}"
    .\debug.cpp(400) : Destination "\Device\00000084"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&18233f59&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2934&SUBSYS_11411734&REV_03#3&11583659&0&E8#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0012"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM1"
    .\debug.cpp(400) : Destination "\Device\Serial0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WMIDataDevice"
    .\debug.cpp(400) : Destination "\Device\WMIDataDevice"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#*CM_RCDISPLAY#0000#{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"
    .\debug.cpp(400) : Destination "\Device\00000001"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_23#_0#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
    .\debug.cpp(400) : Destination "\Device\00000046"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2938&SUBSYS_11411734&REV_03#3&11583659&0&D1#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0005"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_10f1&Pid_1a0c&MI_00#6&3530c56d&0&0000#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000009c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{dff220f3-f70f-11d0-b917-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PIPE"
    .\debug.cpp(400) : Destination "\Device\NamedPipe"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{FA6E66E1-ABB8-4F73-AD0D-67DA95866504}"
    .\debug.cpp(400) : Destination "\Device\{FA6E66E1-ABB8-4F73-AD0D-67DA95866504}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM3"
    .\debug.cpp(400) : Destination "\Device\VCSerial0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{2eb07ea0-7e70-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c5066e-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{B931CA48-AD20-4204-B98C-EF63ECA396CE}"
    .\debug.cpp(400) : Destination "\Device\{B931CA48-AD20-4204-B98C-EF63ECA396CE}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{0a4252a0-7e70-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPNAT"
    .\debug.cpp(400) : Destination "\Device\IPNAT"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\UNC"
    .\debug.cpp(400) : Destination "\Device\Mup"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_10f1&Pid_1a0c#5&227c9467&0&6#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-8"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\OPTIONBUS#GTHSM_DBG#6&249e3588&0&1#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"
    .\debug.cpp(400) : Destination "\Device\000000a2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM4"
    .\debug.cpp(400) : Destination "\Device\VCSerial1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PSched"
    .\debug.cpp(400) : Destination "\Device\PSched"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{9D0436AD-04A5-47C1-8CF8-1474EDBA5192}"
    .\debug.cpp(400) : Destination "\Device\{9D0436AD-04A5-47C1-8CF8-1474EDBA5192}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_4235&SUBSYS_10018086&REV_00#4&492937f&0&00E2#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0021"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\I2OExec"
    .\debug.cpp(400) : Destination "\Device\I2OExec"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Tcp"
    .\debug.cpp(400) : Destination "\Device\Tcp"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM5"
    .\debug.cpp(400) : Destination "\Device\VCSerial2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgrMsg"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgrMsg"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0b97&Pid_7772#6&2b98534c&0&2#{50dd5230-ba8a-11d1-bf5d-0000f805f530}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-12"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD0"
    .\debug.cpp(400) : Destination "\Device\USBFDO-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PTIMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000037"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\LCD"
    .\debug.cpp(400) : Destination "\Device\VideoPdo0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD1"
    .\debug.cpp(400) : Destination "\Device\USBFDO-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB20#4&243ccaa3&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#SYN1907#4&ff861e6&0#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000070"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive0"
    .\debug.cpp(400) : Destination "\Device\Harddisk0\DR0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0001#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000034"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{53172480-4791-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{cf1dda2c-9743-11d0-a3ee-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD2"
    .\debug.cpp(400) : Destination "\Device\USBFDO-2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_293C&SUBSYS_11411734&REV_03#3&11583659&0&D7#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0007"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&1f201478&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PRN"
    .\debug.cpp(400) : Destination "\DosDevices\LPT1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0af0&Pid_7601#5&24c4855f&0&5#{a5f7788b-ea01-4bf1-9741-03c687a7b26c}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-10"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0262&SUBSYS_17341141&REV_1002#4&195b76e8&0&0001#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000090"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_1095&DEV_3531&SUBSYS_35311095&REV_01#4&b04cce1&0&00E1#{2accfe60-c130-11d2-b082-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0020"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom0"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{97ebaacb-95bd-11d0-a3ea-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2A43&SUBSYS_11411734&REV_07#3&11583659&0&11#{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000033"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD3"
    .\debug.cpp(400) : Destination "\Device\USBFDO-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0002#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000035"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\fsWrap"
    .\debug.cpp(400) : Destination "\Device\FsWrap"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#DiskSAMSUNG_HM500JI_________________________2AC101C4#4&2a49a281&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IAAStorageDevice-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\sysaudio"
    .\debug.cpp(400) : Destination "\Device\sysaudio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#IFX0102#1#{c3fa81c6-2299-48f4-bd45-915e62b4db92}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{B429AA3C-CD85-41CE-BBD3-686B5DAF5E31}"
    .\debug.cpp(400) : Destination "\Device\{B429AA3C-CD85-41CE-BBD3-686B5DAF5E31}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD4"
    .\debug.cpp(400) : Destination "\Device\USBFDO-4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\gtmdiag0"
    .\debug.cpp(400) : Destination "\Device\VCSerial0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Global"
    .\debug.cpp(400) : Destination "\GLOBAL??"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#FixedButton#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000049"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0A#2#{72631e54-78a4-11d0-bcf7-00aa00b7b32a}"
    .\debug.cpp(400) : Destination "\Device\00000085"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD5"
    .\debug.cpp(400) : Destination "\Device\USBFDO-5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&38e6d321&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD6"
    .\debug.cpp(400) : Destination "\Device\USBFDO-6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"
    .\debug.cpp(400) : Destination "\Device\00000071"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\INTELPRO_{E75A234C-2BFC-41FF-A965-503F4D5C85C3}"
    .\debug.cpp(400) : Destination "\Device\INTELPRO_{E75A234C-2BFC-41FF-A965-503F4D5C85C3}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD7"
    .\debug.cpp(400) : Destination "\Device\USBFDO-7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\OPTIONBUS#GTHSM_MDM#6&249e3588&0&1#{2c7089aa-2e0e-11d1-b114-00c04fc2aae4}"
    .\debug.cpp(400) : Destination "\Device\000000a5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50671-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{E75A234C-2BFC-41FF-A965-503F4D5C85C3}"
    .\debug.cpp(400) : Destination "\Device\{E75A234C-2BFC-41FF-A965-503F4D5C85C3}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\LPTENUM#MicrosoftRawPort#6&356ff5e0&0&LPT1#{811fc6a5-f728-11d0-a537-0000f8753ed1}"
    .\debug.cpp(400) : Destination "\Device\Parallel0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\BRLPT1"
    .\debug.cpp(400) : Destination "\Device\BrPar0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9ea331fa-b91b-45f8-9285-bd2bc77afcde}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad809c00-7b88-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3e227e76-690d-11d2-8161-0000f8775bf1}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{07dad660-22f1-11d1-a9f4-00c04fbbde8f}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomOptiarc_DVD_RW_AD-7700S_________________1.44____#4&2a49a281&0&0.1.0#{1186654d-47b8-48b9-beb9-7df113ae3c67}"
    .\debug.cpp(400) : Destination "\Device\Ide\IAAStorageDevice-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NtSecureSys"
    .\debug.cpp(400) : Destination "\Device\NtSecureSys"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB20#4&ae90394&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{4d36e978-e325-11ce-bfc1-08002be10318}"
    .\debug.cpp(400) : Destination "\Device\00000071"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_05e3&Pid_0607#5&24c4855f&0&6#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-11"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FSC_GABI"
    .\debug.cpp(400) : Destination "\Device\FSC_GABI"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&SignatureB4C319CEOffset7E00Length74701A8200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\gtmmdm0"
    .\debug.cpp(400) : Destination "\Device\VCSerial2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0E#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000045"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmConfig"
    .\debug.cpp(400) : Destination "\Device\DmControl\DmConfig"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_L2TPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000002f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_293A&SUBSYS_11411734&REV_03#3&11583659&0&EF#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0015"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomOptiarc_DVD_RW_AD-7700S_________________1.44____#4&2a49a281&0&0.1.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IAAStorageDevice-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0af0&Pid_7601#5&24c4855f&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-10"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50674-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MountPointManager"
    .\debug.cpp(400) : Destination "\Device\MountPointManager"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#ftdisk#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000005"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2A42&SUBSYS_11411734&REV_07#3&11583659&0&10#{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0001"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{DBFD8E5B-72D0-4542-9EEC-BA5C6134178C}"
    .\debug.cpp(400) : Destination "\Device\{DBFD8E5B-72D0-4542-9EEC-BA5C6134178C}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WanArp"
    .\debug.cpp(400) : Destination "\Device\WANARP"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{d40214f9-cd94-11e0-b8a6-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmTrace"
    .\debug.cpp(400) : Destination "\Device\DmControl\DmTrace"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2935&SUBSYS_11411734&REV_03#3&11583659&0&E9#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0013"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#dmio#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000004"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISWANIP"
    .\debug.cpp(400) : Destination "\Device\NdisWanIp"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi0:"
    .\debug.cpp(400) : Destination "\Device\Ide\iaStor0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0b97&Pid_7761#5&18197702&0&2#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-9"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FSC_SLII"
    .\debug.cpp(400) : Destination "\Device\FSC_SLII"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{fbf6f530-07b9-11d2-a71e-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{bf963d80-c559-11d0-8a2b-00a0c9255ac1}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Acceler"
    .\debug.cpp(400) : Destination "\Device\Acceler"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomOptiarc_DVD_RW_AD-7700S_________________1.44____#4&2a49a281&0&0.1.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IAAStorageDevice-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{D878B185-F9B0-484F-B1F8-DC0E8E5E4457}"
    .\debug.cpp(400) : Destination "\Device\{D878B185-F9B0-484F-B1F8-DC0E8E5E4457}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2937&SUBSYS_11411734&REV_03#3&11583659&0&D0#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0004"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0303#4&ff861e6&0#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\0000006f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK1"
    .\debug.cpp(400) : Destination "\Device\ParTechInc0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPTPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000032"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{4747b320-62ce-11cf-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{a7c7a5b1-5af3-11d1-9ced-00a024bf0407}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmLoader"
    .\debug.cpp(400) : Destination "\Device\DmLoader"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK2"
    .\debug.cpp(400) : Destination "\Device\ParTechInc1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{5C1183E3-7DBE-44B4-A097-705FD241DB6E}"
    .\debug.cpp(400) : Destination "\Device\{5C1183E3-7DBE-44B4-A097-705FD241DB6E}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\LPT1"
    .\debug.cpp(400) : Destination "\Device\Parallel0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPMULTICAST"
    .\debug.cpp(400) : Destination "\Device\IPMULTICAST"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi1:"
    .\debug.cpp(400) : Destination "\Device\Scsi\Si35311"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NdisWan"
    .\debug.cpp(400) : Destination "\Device\NdisWan"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISTAPI"
    .\debug.cpp(400) : Destination "\Device\NdisTapi"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK3"
    .\debug.cpp(400) : Destination "\Device\ParTechInc2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\GlobeTrotter MO40x - Modem Interface"
    .\debug.cpp(400) : Destination "\Device\000000a5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Shadow"
    .\debug.cpp(400) : Destination "\Device\LanmanRedirector"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0262&SUBSYS_17341141&REV_1002#4&195b76e8&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000090"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FtControl"
    .\debug.cpp(400) : Destination "\Device\FtControl"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_2936&SUBSYS_11411734&REV_03#3&11583659&0&EA#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0014"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgr"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgr"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AUX"
    .\debug.cpp(400) : Destination "\DosDevices\COM1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MAILSLOT"
    .\debug.cpp(400) : Destination "\Device\MailSlot"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\OPTIONBUS#GTHSM_MDM#6&249e3588&0&1#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"
    .\debug.cpp(400) : Destination "\Device\000000a5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\OPTIONBUS#GTHSM_APP#6&249e3588&0&1#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"
    .\debug.cpp(400) : Destination "\Device\000000a3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\0000003a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ndisuio"
    .\debug.cpp(400) : Destination "\Device\Ndisuio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0262&SUBSYS_17341141&REV_1002#4&195b76e8&0&0001#{65e8773e-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000090"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT"
    .\debug.cpp(400) : Destination ""
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NUL"
    .\debug.cpp(400) : Destination "\Device\Null"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&158f0c7a&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\gtmapp0"
    .\debug.cpp(400) : Destination "\Device\VCSerial1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000039"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SYNTP"
    .\debug.cpp(400) : Destination "\Device\SynTP"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmInfo"
    .\debug.cpp(400) : Destination "\Device\DmControl\DmInfo"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_10BF&SUBSYS_11411734&REV_03#3&11583659&0&C8#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0003"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_10f1&Pid_1a0c&MI_00#6&3530c56d&0&0000#{6994ad05-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000009c"
    .\debug.cpp(409) : --
    .\debug.cpp(453) : **********************************************
    .\boot_cleaner.cpp(565) : System volume is \\.\C:
    .\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    .\boot_cleaner.cpp(276) : Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd
    .\boot_cleaner.cpp(1060) :
    .\boot_cleaner.cpp(1061) : Size Device Name MBR Status
    .\boot_cleaner.cpp(1062) : --------------------------------------------
    .\boot_cleaner.cpp(1106) : 465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
    .\boot_cleaner.cpp(1112) :
    .\boot_cleaner.cpp(1151) : Done;

    Thanks again for the assistance!!
     
  6. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. Barturo

    Barturo TS Rookie Topic Starter

    ComboFix Scan Completed

    Broni,

    I ran the ComboFix scan as directed. Here are the results. I have a German operating system, so some of the info is in German.

    ComboFix 12-02-22.01 - Barturo 22.02.2012 12:21:50.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.3033.2351 [GMT 1:00]
    ausgeführt von:: c:\dokumente und einstellungen\Barturo\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    (((((((((((((((((((((((((((((((((((( Further Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\config.ini
    c:\windows\EventSystem.log
    c:\windows\IsUn0407.exe
    c:\windows\system32\drivers\11aa006c6c0ad6db.sys
    c:\windows\system32\SET62.tmp
    c:\windows\system32\SET66.tmp
    c:\windows\system32\SET6E.tmp
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_11aa006c6c0ad6db
    -------\Service_11aa006c6c0ad6db
    .
    .
    ((((((((((((((((((((((( Files created from 2012-01-22 to 2012-02-22 ))))))))))))))))))))))))))))))
    .
    .
    2012-02-22 11:26 . 2012-02-22 11:26 -------- d-----w- c:\windows\ms
    2012-02-21 07:09 . 2012-02-21 07:09 -------- d-----w- c:\dokumente und einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\PCHealth
    2012-02-20 10:44 . 2012-02-20 10:44 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2012-02-20 10:43 . 2012-02-20 10:45 -------- d-----w- c:\dokumente und einstellungen\Barturo
    2012-02-20 10:41 . 2012-02-20 10:41 -------- dc-h--w- c:\windows\ie8
    2012-02-16 14:54 . 2012-01-29 04:10 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-02-16 14:52 . 2012-01-17 03:39 6557240 ------w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft\Microsoft Antimalware\Definition Updates\{2EF7E0F3-7A63-4856-8FC8-FD49052A564B}\mpengine.dll
    2012-02-16 14:47 . 2012-02-16 14:47 -------- d-----w- c:\programme\Microsoft Security Client
    2012-02-16 13:04 . 2012-02-16 13:10 76768 ----a-w- c:\windows\system32\drivers\fltsrv.sys
    2012-02-16 12:34 . 2012-02-16 12:35 -------- d-----w- c:\windows\system32\NtmsData
    2012-02-16 11:34 . 2012-02-16 11:34 -------- d-----w- c:\programme\Trend Micro
    2012-02-16 11:24 . 2012-02-16 11:33 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2012-02-16 11:02 . 2012-02-16 11:02 -------- d--h--w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Common Files
    2012-02-16 11:01 . 2012-02-16 11:02 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\AVG2012
    2012-02-16 10:55 . 2012-02-16 11:02 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\MFAData
    2012-02-16 09:40 . 2012-02-16 09:40 -------- d-----w- c:\dokumente und einstellungen\Friedrich
    2012-02-16 09:06 . 2012-02-16 09:06 -------- d-----w- c:\dokumente und einstellungen\Markus\Anwendungsdaten\Malwarebytes
    2012-02-16 09:06 . 2012-02-16 09:06 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
    2012-02-16 09:05 . 2012-02-16 09:06 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
    2012-02-16 09:05 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((( Find3M Ready ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-19 15:49 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP53ad.tmp
    2012-01-03 15:59 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP4a09.tmp
    2012-01-03 15:58 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP4a58.tmp
    2012-01-03 14:55 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP45e2.tmp
    2012-01-03 14:54 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP47c7.tmp
    2012-01-03 14:53 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP470b.tmp
    2012-01-02 14:02 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP4b60.tmp
    2012-01-02 13:58 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP4d16.tmp
    2012-01-02 13:57 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP4e10.tmp
    2012-01-02 13:54 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP4c1c.tmp
    2012-01-02 13:49 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP5052.tmp
    2012-01-02 13:48 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP4b80.tmp
    2012-01-02 13:47 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP4baf.tmp
    2012-01-02 13:47 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP4e9d.tmp
    2012-01-02 09:25 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP4b12.tmp
    2012-01-02 09:24 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP4a57.tmp
    2012-01-02 09:23 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP4b22.tmp
    2012-01-02 09:21 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP4cf7.tmp
    2012-01-02 09:20 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP4da3.tmp
    2011-12-29 14:56 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP443d.tmp
    2011-12-29 14:53 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP43ee.tmp
    2011-12-29 14:52 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP44e9.tmp
    2011-12-29 14:50 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP445d.tmp
    2011-12-29 14:49 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP43ff.tmp
    2011-12-29 14:48 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP44e8.tmp
    2011-12-29 14:47 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP447c.tmp
    2011-12-29 14:46 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP46ec.tmp
    2011-12-29 14:45 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP440d.tmp
    2011-12-29 14:41 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP443c.tmp
    2011-12-29 14:40 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP445c.tmp
    2011-12-29 14:33 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP44c9.tmp
    2011-12-29 14:28 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP4507.tmp
    2011-12-29 14:24 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP449a.tmp
    2011-12-29 14:23 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP447b.tmp
    2011-12-29 14:16 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP469e.tmp
    2011-12-29 14:15 . 2011-08-23 14:28 90112 ----a-w- c:\windows\DUMP43fe.tmp
    2011-08-12 06:20 . 2011-08-25 07:26 134104 ----a-w- c:\programme\mozilla firefox\components\browsercomps.dll
    .
    .
    (((((((((((((((((((((((((((( Auto start points of registering ))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries and legit default entries are not shown.
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-09-16 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-16 178712]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-09-16 150040]
    "COMImpersonator"="c:\programme\Fujitsu\Mobile Software Suite\Common\UiMdmTip\UiMdmTip.exe" [2009-05-20 176128]
    "IAAnotif"="c:\programme\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
    "RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
    "SynTPEnh"="c:\programme\Synaptics\SynTP\SynTPEnh.exe" [2008-03-06 1036288]
    "Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-12-03 35184]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "NBAgent"="c:\programme\Nero\Nero BackItUp & Burn\Nero BackItUp\NBAgent.exe" [2010-06-08 1086760]
    "SunJavaUpdateSched"="c:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "APSDaemon"="c:\programme\Gemeinsame Dateien\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "QuickTime Task"="c:\programme\QuickTime\QTTask.exe" [2011-10-24 421888]
    "MSC"="c:\programme\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "BrowserChoice"="c:\windows\system32\browserchoice.exe" [2010-02-12 293376]
    "DWQueuedReporting"="c:\progra~1\GEMEIN~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLinkedConnections"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Programme\\Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Notes\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.base_6.2.0.200811140851\\win32\\x86\\notes2.exe"=
    "c:\\Programme\\Gemeinsame Dateien\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Programme\\Bonjour\\mDNSResponder.exe"=
    "%windir%\explorer.exe"= %windir%\explorer.exe
    .
    R0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\drivers\Si3531.sys [23.08.2011 15:31 210736]
    R2 GtDetectSc;GtDetectSc;c:\programme\Option\Driver Installer\GtDetectSc.exe [04.05.2009 15:49 545792]
    R2 HaMDevMg.1.01;Fujitsu HaMDevMg.1.01;c:\programme\Gemeinsame Dateien\Fujitsu\Manageability\HaMDevMg.exe\1.01\HaMDevMg.exe [20.05.2009 08:57 557056]
    R2 Lotus Notes Diagnostics;Lotus Notes-Diagnose;c:\notes\nsd.exe -svcinvoke -ini "c:\notes\notes.ini" --> c:\notes\nsd.exe -svcinvoke -ini c:\notes\notes.ini [?]
    R2 Registry;Sage Registrierungsdienst;c:\programme\Gemeinsame Dateien\Sage KHK Shared\REGISTRY.EXE [25.08.2011 09:35 86016]
    R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Acceler.sys [23.08.2011 15:31 13312]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [23.08.2011 15:30 244368]
    R3 FscGabi;FscGabi;c:\windows\system32\drivers\FscGabi.sys [05.05.2009 11:09 12288]
    R3 FSCSLII;FSCSLII;c:\windows\system32\drivers\FSCSLII.sys [10.03.2009 11:51 15360]
    R3 GTUHSBUS;GT UHS BUS;c:\windows\system32\drivers\gtuhsbus.sys [13.05.2009 14:57 66560]
    R3 GTUHSNDISIPXP;GT UHS IP NDIS;c:\windows\system32\drivers\gtuhs51.sys [13.01.2012 08:26 107776]
    R3 GTUHSSER;GT UHS SER;c:\windows\system32\drivers\gtuhsser.sys [13.05.2009 14:56 8064]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [23.08.2011 15:31 41216]
    S2 OS Selector;Acronis OS Selector activator;c:\oss\reinstall_svc.exe --> c:\oss\reinstall_svc.exe [?]
    S3 CFcatchme;CFcatchme;\??\c:\combofix\CFcatchme.sys --> c:\combofix\CFcatchme.sys [?]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\programme\Gemeinsame Dateien\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [01.12.2011 11:17 106104]
    .
    --- Other Services/Drivers in Memory---
    .
    *NewlyCreated* - MPFILTER
    .
    Contents of the 'Scheduled Tasks Folder'
    .
    2011-12-19 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\programme\Apple Software Update\SoftwareUpdate.exe [2011-06-01 15:57]
    .
    2012-02-22 c:\windows\Tasks\Markus Local Autobackup.job
    - c:\programme\Nero\Nero BackItUp & Burn\Nero BackItUp\NBCore.exe [2010-06-08 06:45]
    .
    2011-12-29 c:\windows\Tasks\Markus NBAgent.job
    - c:\programme\Nero\Nero BackItUp & Burn\Nero BackItUp\NBAgent.exe [2010-06-08 06:45]
    .
    2012-02-22 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\programme\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 14:39]
    .
    .
    .
    - - - - Removed Orphan Registry Entries - - - -
    .
    AddRemove-Microsoft Interactive Training - c:\windows\IsUn0407.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-02-22 12:28
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    Scanne versteckte Prozesse...
    .
    Scanne versteckte Autostarteinträge...
    .
    Scanne versteckte Dateien...
    .
    Scan erfolgreich abgeschlossen
    versteckte Dateien: 0
    .
    **************************************************************************
    .
    --------------------- DLL's Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2128)
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Ongoing Processes ------------------------
    .
    c:\programme\Microsoft Security Client\Antimalware\MsMpEng.exe
    c:\windows\System32\SCardSvr.exe
    c:\programme\Gemeinsame Dateien\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\programme\Bonjour\mDNSResponder.exe
    c:\programme\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\programme\Java\jre6\bin\jqs.exe
    c:\notes\nsd.exe
    c:\notes\nslsvice.exe
    c:\notes\ntmulti.exe
    c:\windows\system32\CCM\CcmExec.exe
    c:\windows\system32\wbem\wmiapsrv.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\rundll32.exe
    c:\programme\Gemeinsame Dateien\Fujitsu\Manageability\CnMdKHkH.exe\1.01\CnMdKHkH.exe
    .
    **************************************************************************
    .
    Zeit der Fertigstellung: 2012-02-22 12:30:57 - PC wurde neu gestartet
    ComboFix-quarantined-files.txt 2012-02-22 11:30
    .
    Vor Suchlauf: 15 Verzeichnis(se), 433.804.505.088 Bytes frei
    Nach Suchlauf: 17 Verzeichnis(se), 434.423.795.712 Bytes frei
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 146377AB7CF27C8E9004B5361C9A46F8
     
  8. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Looks good.

    How is computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  9. Barturo

    Barturo TS Rookie Topic Starter

    OTL Scan Completed

    Broni,

    I have completed the OTL Scan. Here are the results for the OTL Text File. I will have to post the OTL Extras in another post as the number of characters exceeded 50000.

    OTL text file:
    OTL logfile created on: 23.02.2012 08:07:16 - Run 1
    OTL by OldTimer - Version 3.2.33.2 Folder = C:\Dokumente und Einstellungen\Barturo\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

    2,96 Gb Total Physical Memory | 2,39 Gb Available Physical Memory | 80,63% Memory free
    4,80 Gb Paging File | 4,34 Gb Available in Paging File | 90,45% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
    Drive C: | 465,75 Gb Total Space | 404,44 Gb Free Space | 86,84% Space Free | Partition Type: NTFS

    Computer Name: COMPBarturo | User Name: Barturo | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012.02.23 08:06:23 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Barturo\Desktop\OTL.exe
    PRC - [2011.10.09 16:02:32 | 000,055,144 | ---- | M] (Apple Inc.) -- C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    PRC - [2011.06.15 15:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Security Client\msseces.exe
    PRC - [2011.04.27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Programme\Microsoft Security Client\Antimalware\MsMpEng.exe
    PRC - [2010.06.08 07:45:38 | 001,086,760 | ---- | M] (Nero AG) -- C:\Programme\Nero\Nero BackItUp & Burn\Nero BackItUp\NBAgent.exe
    PRC - [2010.05.14 10:44:46 | 000,248,552 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
    PRC - [2009.09.18 03:00:00 | 000,764,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe
    PRC - [2009.05.20 09:04:32 | 000,176,128 | ---- | M] (Fujitsu Technology Solutions) -- C:\Programme\Fujitsu\Mobile Software Suite\Common\UiMdmTip\UIMdmTip.exe
    PRC - [2009.05.20 08:57:14 | 000,557,056 | ---- | M] (Fujitsu Technology Solutions) -- C:\Programme\Gemeinsame Dateien\Fujitsu\Manageability\HaMDevMg.exe\1.01\HaMDevMg.exe
    PRC - [2009.05.20 08:56:04 | 000,335,872 | ---- | M] (Fujitsu Technology Solutions) -- C:\Programme\Gemeinsame Dateien\Fujitsu\Manageability\CnMdKHkH.exe\1.01\CnMdKHkH.exe
    PRC - [2009.05.04 15:49:20 | 000,545,792 | ---- | M] (OptionNV) -- C:\Programme\Option\Driver Installer\GtDetectSc.exe
    PRC - [2008.12.06 07:37:30 | 000,058,760 | ---- | M] (IBM Corp) -- C:\Notes\ntmulti.exe
    PRC - [2008.12.06 07:36:56 | 000,031,624 | ---- | M] (IBM Corp) -- C:\Notes\nslsvice.exe
    PRC - [2008.12.06 07:36:38 | 003,315,080 | ---- | M] (IBM) -- C:\Notes\nsd.exe
    PRC - [2008.05.07 16:41:14 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    PRC - [2008.05.07 16:41:12 | 000,178,712 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    PRC - [2008.04.14 13:00:00 | 001,036,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2003.02.13 12:28:36 | 000,086,016 | ---- | M] (Sage KHK Software) -- C:\Programme\Gemeinsame Dateien\Sage KHK Shared\REGISTRY.EXE


    ========== Modules (No Company Name) ==========

    MOD - [2011.09.27 07:23:00 | 000,087,912 | ---- | M] () -- C:\Programme\Gemeinsame Dateien\Apple\Apple Application Support\zlib1.dll
    MOD - [2011.09.27 07:22:40 | 001,242,472 | ---- | M] () -- C:\Programme\Gemeinsame Dateien\Apple\Apple Application Support\libxml2.dll
    MOD - [2011.08.30 08:02:10 | 005,449,728 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\36f3953f24d4f0b767bf172331ad6f3e\System.Xml.ni.dll
    MOD - [2011.08.30 08:02:06 | 012,428,800 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\9a254c455892c02355ab0ab0f0727c5b\System.Windows.Forms.ni.dll
    MOD - [2011.08.30 08:01:57 | 001,587,200 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\6978f2e90f13bc720d57fa6895c911e2\System.Drawing.ni.dll
    MOD - [2011.08.30 08:01:07 | 007,867,392 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\aa7926460a336408c8041330ad90929d\System.ni.dll
    MOD - [2011.08.30 08:01:02 | 011,485,184 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\9adb89fa22fd5b4ce433b5aca7fb1b07\mscorlib.ni.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- -- (OS Selector)
    SRV - [2011.10.09 16:02:32 | 000,055,144 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
    SRV - [2011.09.19 15:53:27 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2011.04.27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Programme\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
    SRV - [2009.09.18 03:00:00 | 000,764,768 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
    SRV - [2009.09.18 03:00:00 | 000,246,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\CCM\TSManager.exe -- (smstsmgr)
    SRV - [2009.05.20 08:57:14 | 000,557,056 | ---- | M] (Fujitsu Technology Solutions) [Auto | Running] -- C:\Programme\Gemeinsame Dateien\Fujitsu\Manageability\HaMDevMg.exe\1.01\HaMDevMg.exe -- (HaMDevMg.1.01)
    SRV - [2009.05.04 15:49:20 | 000,545,792 | ---- | M] (OptionNV) [Auto | Running] -- C:\Programme\Option\Driver Installer\GtDetectSc.exe -- (GtDetectSc)
    SRV - [2008.12.06 07:37:30 | 000,058,760 | ---- | M] (IBM Corp) [Auto | Running] -- C:\Notes\ntmulti.exe -- (Multi-user Cleanup Service)
    SRV - [2008.12.06 07:36:56 | 000,031,624 | ---- | M] (IBM Corp) [Auto | Running] -- C:\Notes\nslsvice.exe -- (Lotus Notes Single Logon)
    SRV - [2008.12.06 07:36:38 | 003,315,080 | ---- | M] (IBM) [Auto | Running] -- C:\Notes\nsd.exe -- (Lotus Notes Diagnostics)
    SRV - [2008.05.07 16:41:14 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)
    SRV - [2007.08.24 02:19:12 | 000,443,776 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
    SRV - [2006.10.26 13:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
    SRV - [2003.02.13 12:28:36 | 000,086,016 | ---- | M] (Sage KHK Software) [Auto | Running] -- C:\Programme\Gemeinsame Dateien\Sage KHK Shared\REGISTRY.EXE -- (Registry)


    ========== Driver Services (SafeList) ==========

    DRV - [2012.02.13 11:48:14 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Programme\Gemeinsame Dateien\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
    DRV - [2011.11.09 09:17:42 | 000,106,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Programme\Gemeinsame Dateien\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
    DRV - [2009.09.18 03:00:00 | 000,020,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)
    DRV - [2009.08.18 11:06:58 | 000,107,776 | R--- | M] (Option N.V.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtuhs51.sys -- (GTUHSNDISIPXP)
    DRV - [2009.05.13 14:57:46 | 000,066,560 | ---- | M] (Option N.V.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtuhsbus.sys -- (GTUHSBUS)
    DRV - [2009.05.13 14:56:46 | 000,008,064 | ---- | M] (Option N.V.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtuhsser.sys -- (GTUHSSER)
    DRV - [2009.05.05 11:09:08 | 000,012,288 | ---- | M] (Fujitsu Technology Solutions) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\FscGabi.sys -- (FscGabi)
    DRV - [2009.03.10 11:51:06 | 000,015,360 | ---- | M] (Fujitsu) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\FSCSLII.sys -- (FSCSLII)
    DRV - [2008.11.16 20:23:16 | 003,636,864 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel(R)
    DRV - [2008.10.20 19:08:06 | 000,012,448 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smsmdm.sys -- (smsmdd)
    DRV - [2008.09.24 23:38:32 | 000,069,408 | ---- | M] (O2Micro) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\oz776.sys -- (guardian2)
    DRV - [2008.07.24 07:02:44 | 004,749,824 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2008.04.22 13:00:00 | 000,244,368 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1y5132.sys -- (e1yexpress) Intel(R)
    DRV - [2008.04.13 22:04:34 | 000,166,912 | ---- | M] (S3 Graphics, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3gnbm.sys -- (S3SavageNB)
    DRV - [2007.05.31 23:29:04 | 000,210,736 | ---- | M] (Silicon Image, Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Si3531.sys -- (Si3531)
    DRV - [2007.05.24 22:41:00 | 000,017,328 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys -- (SiFilter)
    DRV - [2007.05.24 22:40:58 | 000,012,464 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SiRemFil.sys -- (SiRemFil)
    DRV - [2007.04.04 08:16:20 | 000,041,216 | ---- | M] (Infineon Technologies AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ifxtpm.sys -- (IFXTPM)
    DRV - [2000.07.24 00:01:00 | 000,019,537 | ---- | M] (Brother Industries Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\BrPar.sys -- (BrPar)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-3091123333-3705974054-2978810523-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
    IE - HKU\S-1-5-21-3091123333-3705974054-2978810523-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Programme\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0\extensions\\Components: C:\Programme\Mozilla Firefox\components [2011.10.30 13:13:30 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0\extensions\\Plugins: C:\Programme\Mozilla Firefox\plugins

    [2011.09.07 15:11:49 | 000,000,000 | ---D | M] (No name found) -- C:\Programme\Mozilla Firefox\extensions
    [2011.09.07 15:11:49 | 000,000,000 | ---D | M] (Java Console) -- C:\Programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    [2011.08.12 07:20:49 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Programme\mozilla firefox\components\browsercomps.dll
    [2011.08.12 05:19:37 | 000,001,392 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\amazondotcom-de.xml
    [2011.08.12 05:14:12 | 000,002,252 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\bing.xml
    [2011.08.12 05:19:37 | 000,001,153 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\eBay-de.xml
    [2011.08.12 05:19:37 | 000,006,805 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\leo_ende_de.xml
    [2011.08.12 05:19:37 | 000,001,178 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\wikipedia-de.xml
    [2011.08.12 05:19:37 | 000,001,105 | ---- | M] () -- C:\Programme\mozilla firefox\searchplugins\yahoo-de.xml

    O1 HOSTS File: ([2012.02.22 12:28:26 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [APSDaemon] C:\Programme\Gemeinsame Dateien\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
    O4 - HKLM..\Run: [COMImpersonator] C:\Programme\Fujitsu\Mobile Software Suite\Common\UiMdmTip\UIMdmTip.exe (Fujitsu Technology Solutions)
    O4 - HKLM..\Run: [IAAnotif] C:\Programme\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
    O4 - HKLM..\Run: [MSC] c:\Programme\Microsoft Security Client\msseces.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [NBAgent] C:\Programme\Nero\Nero BackItUp & Burn\Nero BackItUp\NBAgent.exe (Nero AG)
    O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
    O4 - HKU\.DEFAULT..\Run: [BrowserChoice] C:\WINDOWS\System32\browserchoice.exe (Microsoft Corporation)
    O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] c:\Programme\Gemeinsame Dateien\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
    O4 - HKU\S-1-5-18..\Run: [BrowserChoice] C:\WINDOWS\System32\browserchoice.exe (Microsoft Corporation)
    O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] c:\Programme\Gemeinsame Dateien\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-3091123333-3705974054-2978810523-1008\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3091123333-3705974054-2978810523-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-3091123333-3705974054-2978810523-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-3091123333-3705974054-2978810523-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 12.127.16.68
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DBFD8E5B-72D0-4542-9EEC-BA5C6134178C}: DhcpNameServer = 12.127.16.68
    O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - c:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
    O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - c:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Fujitsu.BMP
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Fujitsu.BMP
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009.05.20 05:45:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.ac3filter - C:\WINDOWS\System32\ac3filter.acm ()
    Drivers32: msacm.divxa32 - C:\WINDOWS\System32\DivXa32.acm (Packed With Joy !)
    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.lameacm - C:\WINDOWS\System32\lameACM.acm (http://www.mp3dev.org/)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.ffds - C:\WINDOWS\System32\ff_vfw.dll ()
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax ()
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll ()
    Drivers32: vidc.xvid - C:\WINDOWS\System32\xvidvfw.dll ()

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012.02.23 08:08:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\ms
    [2012.02.23 08:08:32 | 000,000,000 | -HSD | C] -- C:\Config.Msi
    [2012.02.23 08:06:14 | 000,583,680 | ---- | C] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Barturo\Desktop\OTL.exe
    [2012.02.22 12:20:08 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2012.02.22 12:16:38 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2012.02.22 12:16:38 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2012.02.22 12:16:38 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2012.02.22 12:16:38 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2012.02.22 12:16:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2012.02.22 12:16:29 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012.02.22 12:16:26 | 000,000,000 | R--D | C] -- C:\Dokumente und Einstellungen\Barturo\Startmenü\Programme\Verwaltung
    [2012.02.22 12:16:26 | 000,000,000 | R--D | C] -- C:\Dokumente und Einstellungen\Barturo\Eigene Dateien\Eigene Videos
    [2012.02.22 11:39:20 | 004,417,295 | R--- | C] (Swearware) -- C:\Dokumente und Einstellungen\Barturo\Desktop\ComboFix.exe
    [2012.02.21 09:04:09 | 000,083,968 | -H-- | C] (eSage Lab) -- C:\Dokumente und Einstellungen\Barturo\Desktop\remover.exe
    [2012.02.21 08:39:36 | 004,729,344 | ---- | C] (AVAST Software) -- C:\Dokumente und Einstellungen\Barturo\Desktop\aswMBR.exe
    [2012.02.21 08:09:58 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\PCHealth
    [2012.02.20 13:31:15 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Barturo\Anwendungsdaten\Sun
    [2012.02.20 12:52:06 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Barturo\Anwendungsdaten\Malwarebytes
    [2012.02.20 11:45:45 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Barturo\Anwendungsdaten\Macromedia
    [2012.02.20 11:45:42 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Barturo\Anwendungsdaten\Adobe
    [2012.02.20 11:45:40 | 000,000,000 | -HSD | C] -- C:\Dokumente und Einstellungen\Barturo\PrivacIE
    [2012.02.20 11:44:05 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Barturo\Anwendungsdaten\Nero
    [2012.02.20 11:44:04 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Barturo\Anwendungsdaten\Apple Computer
    [2012.02.20 11:43:53 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Barturo\Startmenü\Programme\Accessories
    [2012.02.20 11:43:45 | 000,000,000 | -HSD | C] -- C:\Dokumente und Einstellungen\Barturo\IETldCache
    [2012.02.20 11:43:41 | 000,000,000 | --SD | C] -- C:\Dokumente und Einstellungen\Barturo\Anwendungsdaten\Microsoft
    [2012.02.20 11:43:41 | 000,000,000 | RH-D | C] -- C:\Dokumente und Einstellungen\Barturo\SendTo
    [2012.02.20 11:43:41 | 000,000,000 | RH-D | C] -- C:\Dokumente und Einstellungen\Barturo\Recent
    [2012.02.20 11:43:41 | 000,000,000 | RH-D | C] -- C:\Dokumente und Einstellungen\Barturo\Anwendungsdaten
    [2012.02.20 11:43:41 | 000,000,000 | R--D | C] -- C:\Dokumente und Einstellungen\Barturo\Startmenü\Programme\Zubehör
    [2012.02.20 11:43:41 | 000,000,000 | R--D | C] -- C:\Dokumente und Einstellungen\Barturo\Startmenü
    [2012.02.20 11:43:41 | 000,000,000 | R--D | C] -- C:\Dokumente und Einstellungen\Barturo\Favoriten
    [2012.02.20 11:43:41 | 000,000,000 | R--D | C] -- C:\Dokumente und Einstellungen\Barturo\Eigene Dateien\Eigene Musik
    [2012.02.20 11:43:41 | 000,000,000 | R--D | C] -- C:\Dokumente und Einstellungen\Barturo\Eigene Dateien
    [2012.02.20 11:43:41 | 000,000,000 | R--D | C] -- C:\Dokumente und Einstellungen\Barturo\Eigene Dateien\Eigene Bilder
    [2012.02.20 11:43:41 | 000,000,000 | R--D | C] -- C:\Dokumente und Einstellungen\Barturo\Startmenü\Programme\Autostart
    [2012.02.20 11:43:41 | 000,000,000 | -HSD | C] -- C:\Dokumente und Einstellungen\Barturo\Cookies
    [2012.02.20 11:43:41 | 000,000,000 | -H-D | C] -- C:\Dokumente und Einstellungen\Barturo\Vorlagen
    [2012.02.20 11:43:41 | 000,000,000 | -H-D | C] -- C:\Dokumente und Einstellungen\Barturo\Netzwerkumgebung
    [2012.02.20 11:43:41 | 000,000,000 | -H-D | C] -- C:\Dokumente und Einstellungen\Barturo\Lokale Einstellungen
    [2012.02.20 11:43:41 | 000,000,000 | -H-D | C] -- C:\Dokumente und Einstellungen\Barturo\Druckumgebung
    [2012.02.20 11:43:41 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Barturo\Lokale Einstellungen\Anwendungsdaten\Seven Zip
    [2012.02.20 11:43:41 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Barturo\Lokale Einstellungen\Anwendungsdaten\Microsoft Help
    [2012.02.20 11:43:41 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Barturo\Lokale Einstellungen\Anwendungsdaten\Microsoft
    [2012.02.20 11:43:41 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Barturo\Anwendungsdaten\InstallShield
    [2012.02.20 11:43:41 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Barturo\Anwendungsdaten\Identities
    [2012.02.20 11:43:41 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Barturo\Desktop
    [2012.02.20 11:43:41 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Barturo\Lokale Einstellungen\Anwendungsdaten\ApplicationHistory
    [2012.02.20 11:43:41 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\Barturo\Lokale Einstellungen\Anwendungsdaten\Adobe
    [2012.02.20 11:41:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\WBEM
    [2012.02.20 11:41:31 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
    [2012.02.16 15:47:22 | 000,000,000 | ---D | C] -- C:\Programme\Microsoft Security Client
    [2012.02.16 13:34:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
    [2012.02.16 12:34:22 | 000,000,000 | ---D | C] -- C:\Programme\Trend Micro
    [2012.02.16 12:24:13 | 000,205,072 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
    [2012.02.16 12:02:24 | 000,000,000 | -H-D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Common Files
    [2012.02.16 12:01:52 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AVG2012
    [2012.02.16 11:55:31 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MFAData
    [2012.02.16 10:06:00 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Malwarebytes' Anti-Malware
    [2012.02.16 10:06:00 | 000,000,000 | ---D | C] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
    [2012.02.16 10:05:59 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2012.02.16 10:05:59 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
    [36 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012.02.23 08:08:44 | 000,000,475 | ---- | M] () -- C:\WINDOWS\smscfg.ini
    [2012.02.23 08:07:57 | 000,000,416 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
    [2012.02.23 08:06:23 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Barturo\Desktop\OTL.exe
    [2012.02.23 08:03:00 | 000,000,202 | ---- | M] () -- C:\WINDOWS\System32\PSLOG
    [2012.02.23 08:02:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012.02.23 08:02:51 | 3179,995,136 | -HS- | M] () -- C:\hiberfil.sys
    [2012.02.22 17:01:57 | 000,000,012 | ---- | M] () -- C:\WINDOWS\bthservsdp.dat
    [2012.02.22 16:00:00 | 000,000,608 | ---- | M] () -- C:\WINDOWS\tasks\markus Local Autobackup.job
    [2012.02.22 12:28:26 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2012.02.22 11:39:31 | 004,417,295 | R--- | M] (Swearware) -- C:\Dokumente und Einstellungen\Barturo\Desktop\ComboFix.exe
    [2012.02.21 09:04:13 | 000,401,408 | -H-- | M] () -- C:\Dokumente und Einstellungen\Barturo\Desktop\wget.exe
    [2012.02.21 09:04:13 | 000,004,096 | -H-- | M] () -- C:\Dokumente und Einstellungen\Barturo\Desktop\paste.exe
    [2012.02.21 09:03:43 | 000,568,832 | ---- | M] () -- C:\Dokumente und Einstellungen\Barturo\Desktop\BTKR_RunBox.exe
    [2012.02.21 08:39:40 | 004,729,344 | ---- | M] (AVAST Software) -- C:\Dokumente und Einstellungen\Barturo\Desktop\aswMBR.exe
    [2012.02.20 11:54:25 | 003,072,054 | ---- | M] () -- C:\Dokumente und Einstellungen\Barturo\Desktop\VirusTotal Scan Results.bmp
    [2012.02.20 11:43:49 | 000,000,768 | ---- | M] () -- C:\Dokumente und Einstellungen\Barturo\Desktop\Windows Media Player.lnk
    [2012.02.20 11:33:51 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012.02.16 15:50:17 | 000,001,912 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
    [2012.02.16 12:33:28 | 000,205,072 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
    [2012.02.16 10:06:00 | 000,000,762 | ---- | M] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012.02.16 09:41:14 | 000,276,560 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [36 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012.02.22 12:20:08 | 000,262,448 | RHS- | C] () -- C:\cmldr
    [2012.02.22 12:16:38 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2012.02.22 12:16:38 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2012.02.22 12:16:38 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2012.02.22 12:16:38 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2012.02.22 12:16:38 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2012.02.21 09:04:09 | 000,401,408 | -H-- | C] () -- C:\Dokumente und Einstellungen\Barturo\Desktop\wget.exe
    [2012.02.21 09:04:09 | 000,004,096 | -H-- | C] () -- C:\Dokumente und Einstellungen\Barturo\Desktop\paste.exe
    [2012.02.21 09:03:39 | 000,568,832 | ---- | C] () -- C:\Dokumente und Einstellungen\Barturo\Desktop\BTKR_RunBox.exe
    [2012.02.20 11:54:24 | 003,072,054 | ---- | C] () -- C:\Dokumente und Einstellungen\Barturo\Desktop\VirusTotal Scan Results.bmp
    [2012.02.20 11:43:49 | 000,000,774 | ---- | C] () -- C:\Dokumente und Einstellungen\Barturo\Startmenü\Programme\Windows Media Player.lnk
    [2012.02.20 11:43:49 | 000,000,768 | ---- | C] () -- C:\Dokumente und Einstellungen\Barturo\Desktop\Windows Media Player.lnk
    [2012.02.20 11:43:42 | 000,001,599 | ---- | C] () -- C:\Dokumente und Einstellungen\Barturo\Startmenü\Programme\Remoteunterstützung.lnk
    [2012.02.20 11:43:42 | 000,000,789 | ---- | C] () -- C:\Dokumente und Einstellungen\Barturo\Startmenü\Programme\Internet Explorer.lnk
    [2012.02.20 11:43:42 | 000,000,724 | ---- | C] () -- C:\Dokumente und Einstellungen\Barturo\Startmenü\Programme\Outlook Express.lnk
    [2012.02.20 11:43:42 | 000,000,146 | ---- | C] () -- C:\Dokumente und Einstellungen\Barturo\Lokale Einstellungen\Anwendungsdaten\fusioncache.dat
    [2012.02.17 08:51:01 | 3179,995,136 | -HS- | C] () -- C:\hiberfil.sys
    [2012.02.16 15:52:47 | 000,000,416 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
    [2012.02.16 15:50:17 | 000,001,912 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
    [2012.02.16 15:47:29 | 000,001,658 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Microsoft Security Essentials.lnk
    [2012.02.16 10:06:00 | 000,000,762 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2011.12.01 14:18:28 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011.09.22 18:08:56 | 003,902,976 | ---- | C] () -- C:\WINDOWS\System32\ffmpeg.dll
    [2011.08.30 08:00:21 | 000,664,416 | ---- | C] () -- C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\FontCache3.0.0.0.dat
    [2011.08.30 07:06:50 | 000,000,394 | ---- | C] () -- C:\WINDOWS\capture.ini
    [2011.08.25 09:36:14 | 000,000,163 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2011.08.25 09:36:00 | 000,382,976 | ---- | C] () -- C:\WINDOWS\System32\c4dll.dll
    [2011.08.25 08:41:47 | 000,000,141 | ---- | C] () -- C:\WINDOWS\BRVIDEO.INI
    [2011.08.25 08:41:47 | 000,000,026 | ---- | C] () -- C:\WINDOWS\Brownie.ini
    [2011.08.25 08:41:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
    [2011.08.25 08:41:36 | 000,014,441 | ---- | C] () -- C:\WINDOWS\HL-5240.INI
    [2011.08.25 08:41:15 | 000,000,432 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
    [2011.08.25 08:41:15 | 000,000,034 | ---- | C] () -- C:\WINDOWS\System32\BD5240.DAT
    [2011.08.25 08:39:19 | 000,000,012 | ---- | C] () -- C:\WINDOWS\bthservsdp.dat
    [2011.08.25 08:37:56 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\Bot.dll
    [2011.08.25 08:37:56 | 000,000,101 | ---- | C] () -- C:\WINDOWS\PSXLPR.INI
    [2011.08.23 15:31:37 | 000,000,475 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2011.08.23 15:30:33 | 000,000,206 | ---- | C] () -- C:\WINDOWS\hbcikrnl.ini
    [2011.08.23 15:29:26 | 002,026,604 | ---- | C] () -- C:\WINDOWS\System32\igkrng500.bin
    [2011.08.23 15:29:25 | 000,442,964 | ---- | C] () -- C:\WINDOWS\System32\igcompkrng500.bin
    [2011.08.23 15:29:25 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4990.dll
    [2011.08.22 20:07:48 | 000,074,752 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2011.08.22 20:07:02 | 000,158,208 | ---- | C] () -- C:\WINDOWS\System32\ff_unrar.dll
    [2011.08.22 20:07:00 | 000,259,584 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
    [2011.08.22 20:06:30 | 001,524,224 | ---- | C] () -- C:\WINDOWS\System32\ff_samplerate.dll
    [2011.08.22 20:06:30 | 000,211,456 | ---- | C] () -- C:\WINDOWS\System32\ff_libdts.dll
    [2011.08.22 20:06:30 | 000,097,280 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
    [2011.08.22 20:06:28 | 000,327,680 | ---- | C] () -- C:\WINDOWS\System32\ff_libfaad2.dll
    [2011.08.22 20:06:28 | 000,113,664 | ---- | C] () -- C:\WINDOWS\System32\ff_liba52.dll
    [2011.08.22 20:06:26 | 000,145,920 | ---- | C] () -- C:\WINDOWS\System32\ff_libmad.dll
    [2011.08.22 20:06:26 | 000,136,704 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
    [2011.05.30 14:42:50 | 000,240,640 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
    [2011.05.23 08:46:30 | 000,645,632 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
    [2011.03.03 12:40:08 | 000,150,528 | ---- | C] () -- C:\WINDOWS\System32\mkx.dll
    [2011.03.03 12:39:56 | 000,109,568 | ---- | C] () -- C:\WINDOWS\System32\avi.dll
    [2011.03.03 12:39:46 | 000,141,824 | ---- | C] () -- C:\WINDOWS\System32\mp4.dll
    [2011.03.03 12:39:34 | 000,123,392 | ---- | C] () -- C:\WINDOWS\System32\ogm.dll
    [2011.03.03 12:39:02 | 000,113,152 | ---- | C] () -- C:\WINDOWS\System32\dsmux.exe
    [2011.03.03 12:38:54 | 000,154,112 | ---- | C] () -- C:\WINDOWS\System32\ts.dll
    [2011.03.03 12:38:40 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\dxr.dll
    [2011.03.03 12:38:10 | 000,097,792 | ---- | C] () -- C:\WINDOWS\System32\avs.dll
    [2011.03.03 12:38:04 | 000,137,728 | ---- | C] () -- C:\WINDOWS\System32\mkv2vfr.exe
    [2011.03.03 12:37:50 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\avss.dll
    [2011.03.03 12:37:40 | 000,358,400 | ---- | C] () -- C:\WINDOWS\System32\gdsmux.exe
    [2011.03.03 12:35:32 | 000,080,384 | ---- | C] () -- C:\WINDOWS\System32\mkzlib.dll
    [2011.03.03 12:35:26 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\mkunicode.dll
    [2010.08.18 20:56:38 | 000,000,151 | ---- | C] () -- C:\WINDOWS\System32\Registration.ini

    ========== LOP Check ==========

    [2012.02.16 12:02:17 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AVG2012
    [2012.02.16 12:02:24 | 000,000,000 | -H-D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Common Files
    [2012.02.16 12:02:45 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MFAData
    [2012.01.12 17:15:03 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Vodafone
    [2011.08.30 18:28:28 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2009.05.20 16:21:02 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{623D32E9-0C62-4453-AD44-98B31F52A5E1}
    [2011.08.25 10:09:58 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Vodafone
    [2011.08.25 10:10:34 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Markus\Anwendungsdaten\Bytemobile
    [2011.11.29 10:23:54 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Markus\Anwendungsdaten\Ogheuzn
    [2011.08.30 18:39:20 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Markus\Anwendungsdaten\Thunderbird
    [2011.08.25 10:13:00 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Markus\Anwendungsdaten\Vodafone
    [2011.09.15 06:56:15 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Markus\Anwendungsdaten\Vodafone Mobile Connect
    [2012.02.16 10:32:06 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Markus\Anwendungsdaten\Xiabat
    [2012.01.03 16:33:09 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\Markus\Anwendungsdaten\Vodafone
    [2011.08.25 10:12:00 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Bytemobile
    [2012.02.22 16:00:00 | 000,000,608 | ---- | M] () -- C:\WINDOWS\Tasks\markus Local Autobackup.job
    [2011.12.29 16:28:46 | 000,000,384 | ---- | M] () -- C:\WINDOWS\Tasks\Markus NBAgent.job
    [2012.02.23 08:07:57 | 000,000,416 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2010.01.27 15:38:14 | 000,000,937 | ---- | M] () -- C:\2000XP.bat
    [2009.05.20 05:45:08 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2011.08.23 15:52:02 | 000,000,211 | RHS- | M] () -- C:\boot.ini
    [2008.04.14 13:00:00 | 000,004,952 | RHS- | M] () -- C:\bootfont.bin
    [2004.08.03 23:00:10 | 000,262,448 | RHS- | M] () -- C:\cmldr
    [2012.02.22 12:30:57 | 000,013,732 | ---- | M] () -- C:\ComboFix.txt
    [2009.05.20 05:45:08 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2011.08.25 10:10:50 | 000,031,608 | ---- | M] () -- C:\debug1214.txt
    [2012.02.23 08:02:51 | 3179,995,136 | -HS- | M] () -- C:\hiberfil.sys
    [2011.08.24 14:14:39 | 007,348,586 | ---- | M] () -- C:\Install.LOG
    [2009.05.20 05:45:08 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2008.02.14 01:30:00 | 000,319,488 | ---- | M] (J.D. Edwards) -- C:\jdeexpimpU.ocx
    [2010.09.30 09:21:02 | 000,434,176 | ---- | M] (J.D. Edwards) -- C:\jdewebctlsU.ocx
    [2011.08.23 16:13:30 | 000,004,861 | ---- | M] () -- C:\Lang.txt
    [2011.08.23 15:31:17 | 000,061,359 | ---- | M] () -- C:\LogVBS.LOG
    [2009.05.20 05:45:08 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2008.04.14 13:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2008.04.14 13:00:00 | 000,251,712 | RHS- | M] () -- C:\ntldr
    [2012.02.23 08:02:50 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
    [2011.08.25 08:05:58 | 000,000,000 | ---- | M] () -- C:\ROBOCOPY.EXE

    < %systemroot%\Fonts\*.com >
    [2006.04.18 14:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006.06.29 13:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006.04.18 14:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006.06.29 13:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2009.05.20 05:44:26 | 000,000,067 | ---- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2008.07.06 13:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2008.07.06 11:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2009.05.20 07:33:48 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
    [2009.05.20 07:33:48 | 001,089,536 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
    [2009.05.20 07:33:47 | 000,425,984 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2009.05.20 05:51:10 | 000,000,079 | ---- | M] () -- C:\Dokumente und Einstellungen\Barturo\Anwendungsdaten\Microsoft\Internet Explorer\Quick Launch\Desktop anzeigen.scf
    [2012.02.20 11:43:53 | 000,000,124 | -HS- | M] () -- C:\Dokumente und Einstellungen\Barturo\Anwendungsdaten\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >
    [2012.02.21 08:39:40 | 004,729,344 | ---- | M] (AVAST Software) -- C:\Dokumente und Einstellungen\Barturo\Desktop\aswMBR.exe
    [2012.02.21 09:03:43 | 000,568,832 | ---- | M] () -- C:\Dokumente und Einstellungen\Barturo\Desktop\BTKR_RunBox.exe
    [2012.02.21 09:04:13 | 000,026,624 | -H-- | M] (Microsoft Corporation) -- C:\Dokumente und Einstellungen\Barturo\Desktop\clip.exe
    [2012.02.22 11:39:31 | 004,417,295 | R--- | M] (Swearware) -- C:\Dokumente und Einstellungen\Barturo\Desktop\ComboFix.exe
    [2012.02.23 08:06:23 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Dokumente und Einstellungen\Barturo\Desktop\OTL.exe
    [2012.02.21 09:04:13 | 000,004,096 | -H-- | M] () -- C:\Dokumente und Einstellungen\Barturo\Desktop\paste.exe
    [2010.09.21 20:40:19 | 000,083,968 | -H-- | M] (eSage Lab) -- C:\Dokumente und Einstellungen\Barturo\Desktop\remover.exe
    [2012.02.21 09:04:13 | 000,401,408 | -H-- | M] () -- C:\Dokumente und Einstellungen\Barturo\Desktop\wget.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2012.01.03 16:42:12 | 000,003,254 | RHS- | M] () -- C:\Dokumente und Einstellungen\All Users\ntuser.pol

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2012.02.23 08:05:58 | 000,049,152 | ---- | M] () -- C:\Dokumente und Einstellungen\Barturo\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2006.10.24 19:04:18 | 000,316,928 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008.04.14 13:00:00 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Programme\Messenger\custsat.dll
    [2007.04.02 22:37:24 | 000,004,821 | ---- | M] () -- C:\Programme\Messenger\logowin.gif
    [2007.04.02 22:37:24 | 000,007,047 | ---- | M] () -- C:\Programme\Messenger\lvback.gif
    [2008.04.14 06:52:18 | 000,082,944 | ---- | M] (Microsoft Corporation) -- C:\Programme\Messenger\msgsc.dll
    [2008.04.13 22:00:30 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Programme\Messenger\msgslang.dll
    [2008.04.14 06:52:56 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Programme\Messenger\msmsgs.exe
    [2007.04.02 22:37:24 | 000,002,882 | ---- | M] () -- C:\Programme\Messenger\newalert.wav
    [2007.04.02 22:37:24 | 000,006,156 | ---- | M] () -- C:\Programme\Messenger\newemail.wav
    [2007.04.02 22:37:26 | 000,006,160 | ---- | M] () -- C:\Programme\Messenger\online.wav
    [2007.04.02 22:37:28 | 000,004,454 | ---- | M] () -- C:\Programme\Messenger\type.wav
    [2007.02.21 09:36:38 | 000,120,389 | ---- | M] () -- C:\Programme\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
    "UseWUServer" = 1

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < >

    < End of report >

    Thanks, Barturo
     
  10. Barturo

    Barturo TS Rookie Topic Starter

    OTL Extras

    Broni,

    Here is the OTL Extras file. The computer is running well, but I have not attempted to work on the antivirus issues yet.

    OTL Extras
    OTL Extras logfile created on: 23.02.2012 08:07:16 - Run 1
    OTL by OldTimer - Version 3.2.33.2 Folder = C:\Dokumente und Einstellungen\Barturo\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

    2,96 Gb Total Physical Memory | 2,39 Gb Available Physical Memory | 80,63% Memory free
    4,80 Gb Paging File | 4,34 Gb Available in Paging File | 90,45% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
    Drive C: | 465,75 Gb Total Space | 404,44 Gb Free Space | 86,84% Space Free | Partition Type: NTFS

    Computer Name: COMPBarturo | User Name: Barturo | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- "c:\Programme\Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0
    "AntiVirusDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:*:Enabled:mad:xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:mad:xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:mad:xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:mad:xpsp2res.dll,-22002

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DisableNotifications" = 0
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22002

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "C:\Programme\Symantec\Symantec Endpoint Protection\Smc.exe" = C:\Programme\Symantec\Symantec Endpoint Protection\Smc.exe:*:Enabled:SMC Service
    "C:\Programme\Symantec\Symantec Endpoint Protection\SNAC.EXE" = C:\Programme\Symantec\Symantec Endpoint Protection\SNAC.EXE:*:Enabled:SNAC Service
    "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe" = C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email
    "%windir%\explorer.exe" = %windir%\explorer.exe -- (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Programme\Office\Office12\OUTLOOK.EXE" = C:\Programme\Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
    "C:\Notes\framework\rcp\eclipse\plugins\com.ibm.rcp.base_6.2.0.200811140851\win32\x86\notes2.exe" = C:\Notes\framework\rcp\eclipse\plugins\com.ibm.rcp.base_6.2.0.200811140851\win32\x86\notes2.exe:*:Enabled:Lotus Notes -- (IBM)
    "C:\Programme\Gemeinsame Dateien\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Programme\Gemeinsame Dateien\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
    "%windir%\explorer.exe" = %windir%\explorer.exe -- (Microsoft Corporation)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0420F95C-11FF-4E02-B967-6CC22B188F9F}" = Nero BackItUp
    "{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
    "{10DCCF52-2650-40BE-98CE-F3781782FA8A}" = Lotus Notes 8.5 de
    "{1280E900-35DA-4E08-A700-B79A5B2B8532}" = Microsoft Antimalware Service DE-DE Language Pack
    "{1E1760C2-6561-4546-BB77-91D072895E1B}" = Brother HL-5240
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{2609EDF1-34C4-4B03-B634-55F3B3BC4931}" = Configuration Manager Client
    "{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java(TM) 6 Update 22
    "{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{38697498-F4AA-4A8A-81F6-C09446AD020D}" = Print Server Utilities
    "{397516AE-7DFE-4F90-84E0-BD616D559434}" = Nero BurnRights
    "{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{505AFDC0-5E72-4928-8368-5DEA385E3647}" = CorelDRAW Graphics Suite 12
    "{50779A29-834E-4E36-BBEB-B7CABC67A825}" = Microsoft Security Client DE-DE Language Pack
    "{51E2F9B3-A972-4F58-B4EF-4D9676D9F5D1}" = Nero RescueAgent
    "{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Essentials
    "{5E453519-60F6-4A4D-A0BF-16663F9B3536}" = Safari
    "{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
    "{6C3CF7AC-5AB0-42D9-93C0-68166A57AFB6}" = Nero Express
    "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser und SDK
    "{721ABC3B-5F12-4332-9C0C-C11424EF666C}" = WIMGAPI
    "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
    "{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
    "{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{884BB5CC-108E-41a9-936D-955C999C06A1}_x" = Driver Installer
    "{8B129CA6-44E2-455F-A743-E21116220A26}" = JDEShortcuts
    "{90120000-0010-0407-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (German) 12
    "{90120000-0015-0407-0000-0000000FF1CE}" = Microsoft Office Access MUI (German) 2007
    "{90120000-0015-0407-0000-0000000FF1CE}_PROHYBRIDR_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-0016-0407-0000-0000000FF1CE}" = Microsoft Office Excel MUI (German) 2007
    "{90120000-0016-0407-0000-0000000FF1CE}_PROHYBRIDR_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-0018-0407-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (German) 2007
    "{90120000-0018-0407-0000-0000000FF1CE}_PROHYBRIDR_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-0019-0407-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (German) 2007
    "{90120000-0019-0407-0000-0000000FF1CE}_PROHYBRIDR_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-001A-0407-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (German) 2007
    "{90120000-001A-0407-0000-0000000FF1CE}_PROHYBRIDR_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-001B-0407-0000-0000000FF1CE}" = Microsoft Office Word MUI (German) 2007
    "{90120000-001B-0407-0000-0000000FF1CE}_PROHYBRIDR_{DCBECE36-8F23-4B33-925E-A1C6183C0DBD}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
    "{90120000-001F-0407-0000-0000000FF1CE}_PROHYBRIDR_{2AB528A5-BB1B-4EBE-8E51-AD0C4CD33CA9}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_PROHYBRIDR_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_PROHYBRIDR_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-001F-0410-0000-0000000FF1CE}" = Microsoft Office Proof (Italian) 2007
    "{90120000-001F-0410-0000-0000000FF1CE}_PROHYBRIDR_{58FC5E37-DD28-4D4A-A549-125744C6763C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{90120000-002C-0407-0000-0000000FF1CE}" = Microsoft Office Proofing (German) 2007
    "{90120000-006E-0407-0000-0000000FF1CE}" = Microsoft Office Shared MUI (German) 2007
    "{90120000-006E-0407-0000-0000000FF1CE}_PROHYBRIDR_{888B9AC7-8F5C-456B-A27A-157A6C310E52}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
    "{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
    "{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
    "{9309DD7E-EBFE-3C95-8B47-30D3A012F606}" = Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - DEU
    "{937B1F15-1E40-4FFD-B117-04811B59761A}" = JDE ActiveX Controls
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{99AA7E28-EE0F-4CB2-8C5B-3DD8FF42DD29}" = OZ776 SCR Driver V1.1.4.204
    "{9CBDEE77-EE60-4B9D-BCE9-3FD67A7B5D4D}" = Driver Installer
    "{A00B9A50-3090-4CFF-9CDA-82DA0BEDAA21}" = Apple Mobile Device Support
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
    "{AC76BA86-7AD7-1031-7B44-A90100000001}" = Adobe Reader 9.0.1 - Deutsch
    "{BA2740A7-E05E-41F2-9036-C9D9C56EF06F}" = CFiles Backup
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}" = Microsoft Primary Interoperability Assemblies 2005
    "{E08CC458-41FB-4BB5-9B08-2C83DB55A5B9}" = Nero BackItUp and Burn
    "{E0BD191D-8B19-47FC-9D61-A8076C3F7D32}" = MobileSoftwareSuite
    "{E3723A04-A894-4036-A78E-282E18F43C0A}_is1" = Tinypic 3.18
    "{E78BFA60-5393-4C38-82AB-E8019E464EB4}" = Microsoft .NET Framework 1.1 German Language Pack
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F3B31ACE-1DB6-448A-924E-49648609F3AF}" = Sage Classic Line 2008 Workstation
    "7-Zip" = 7-Zip 4.65
    "Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "B991B020-2968-11D8-AF23-444553540000_is1" = FreeMind
    "HDMI" = Intel(R) Graphics Media Accelerator Driver
    "ie8" = Windows Internet Explorer 8
    "InstallShield_{99AA7E28-EE0F-4CB2-8C5B-3DD8FF42DD29}" = OZ776 SCR Driver V1.1.4.204
    "Kalender-Excel-8.8_is1" = Kalender-Excel-8.8
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
    "Media Player - Codec Pack" = Media Player Codec Pack 4.1.1
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Microsoft Security Client" = Microsoft Security Essentials
    "Mozilla Firefox 6.0 (x86 de)" = Mozilla Firefox 6.0 (x86 de)
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "Pointofix_is1" = Pointofix
    "PROHYBRIDR" = 2007 Microsoft Office system
    "RDC" = RDC
    "SynTPDeinstKey" = Synaptics Pointing Device Driver
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 19.12.2011 12:18:40 | Computer Name = COMPBarturo | Source = MsiInstaller | ID = 10005
    Description = Product: Configuration Manager Client -- Error 25100. Setup was unable
    to create the WMI namespace CCM\DataTransferService The error code is 80041002

    Error - 19.12.2011 12:24:11 | Computer Name = COMPBarturo | Source = MsiInstaller | ID = 10005
    Description = Product: Configuration Manager Client -- Error 25100. Setup was unable
    to create the WMI namespace CCM\DataTransferService The error code is 80041002

    Error - 19.12.2011 12:29:42 | Computer Name = COMPBarturo | Source = MsiInstaller | ID = 10005
    Description = Product: Configuration Manager Client -- Error 25100. Setup was unable
    to create the WMI namespace CCM\DataTransferService The error code is 80041002

    Error - 19.12.2011 12:35:11 | Computer Name = COMPBarturo | Source = MsiInstaller | ID = 10005
    Description = Product: Configuration Manager Client -- Error 25100. Setup was unable
    to create the WMI namespace CCM\DataTransferService The error code is 80041002

    Error - 19.12.2011 12:40:42 | Computer Name = COMPBarturo | Source = MsiInstaller | ID = 10005
    Description = Product: Configuration Manager Client -- Error 25100. Setup was unable
    to create the WMI namespace CCM\DataTransferService The error code is 80041002

    Error - 19.12.2011 12:46:10 | Computer Name = COMPBarturo | Source = MsiInstaller | ID = 10005
    Description = Product: Configuration Manager Client -- Error 25100. Setup was unable
    to create the WMI namespace CCM\DataTransferService The error code is 80041002

    Error - 19.12.2011 12:51:38 | Computer Name = COMPBarturo | Source = MsiInstaller | ID = 10005
    Description = Product: Configuration Manager Client -- Error 25100. Setup was unable
    to create the WMI namespace CCM\DataTransferService The error code is 80041002

    Error - 19.12.2011 12:57:06 | Computer Name = COMPBarturo | Source = MsiInstaller | ID = 10005
    Description = Product: Configuration Manager Client -- Error 25100. Setup was unable
    to create the WMI namespace CCM\DataTransferService The error code is 80041002

    Error - 19.12.2011 13:00:31 | Computer Name = COMPBarturo | Source = BackItUp5 | ID = 6277
    Description = Job execution failed because the selected target for job does not
    exist.

    Error - 19.12.2011 13:00:31 | Computer Name = COMPBarturo | Source = BackItUp5 | ID = 3374
    Description = Backup process failed.

    [ System Events ]
    Error - 03.01.2012 09:33:31 | Computer Name = COMPBarturo | Source = Service Control Manager | ID = 7000
    Description = Der Dienst "SYMTDI" wurde aufgrund folgenden Fehlers nicht gestartet:
    %%31

    Error - 03.01.2012 09:33:41 | Computer Name = COMPBarturo | Source = Service Control Manager | ID = 7000
    Description = Der Dienst "SYMTDI" wurde aufgrund folgenden Fehlers nicht gestartet:
    %%31

    Error - 03.01.2012 09:33:41 | Computer Name = COMPBarturo | Source = Service Control Manager | ID = 7000
    Description = Der Dienst "SYMTDI" wurde aufgrund folgenden Fehlers nicht gestartet:
    %%31

    Error - 03.01.2012 09:33:41 | Computer Name = COMPBarturo | Source = Service Control Manager | ID = 7000
    Description = Der Dienst "SYMTDI" wurde aufgrund folgenden Fehlers nicht gestartet:
    %%31

    Error - 03.01.2012 09:33:41 | Computer Name = COMPBarturo | Source = Service Control Manager | ID = 7000
    Description = Der Dienst "SYMTDI" wurde aufgrund folgenden Fehlers nicht gestartet:
    %%31

    Error - 03.01.2012 09:33:41 | Computer Name = COMPBarturo | Source = Service Control Manager | ID = 7000
    Description = Der Dienst "SYMTDI" wurde aufgrund folgenden Fehlers nicht gestartet:
    %%31

    Error - 03.01.2012 09:33:51 | Computer Name = COMPBarturo | Source = Service Control Manager | ID = 7000
    Description = Der Dienst "SYMTDI" wurde aufgrund folgenden Fehlers nicht gestartet:
    %%31

    Error - 03.01.2012 09:33:51 | Computer Name = COMPBarturo | Source = Service Control Manager | ID = 7000
    Description = Der Dienst "SYMTDI" wurde aufgrund folgenden Fehlers nicht gestartet:
    %%31

    Error - 03.01.2012 09:33:51 | Computer Name = COMPBarturo | Source = Service Control Manager | ID = 7000
    Description = Der Dienst "SYMTDI" wurde aufgrund folgenden Fehlers nicht gestartet:
    %%31

    Error - 03.01.2012 09:33:51 | Computer Name = COMPBarturo | Source = Service Control Manager | ID = 7000
    Description = Der Dienst "SYMTDI" wurde aufgrund folgenden Fehlers nicht gestartet:
    %%31


    < End of report >
     
  11. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    OTL log is clean.

    I need you to figure out your AV program situation.

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    ==================================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
     
  12. Barturo

    Barturo TS Rookie Topic Starter

    Additional tests completed

    Broni,

    I have updated Java and run the additional tests. Here are the results:

    SecurityCheck:
    Results of screen317's Security Check version 0.99.24
    Windows XP Service Pack 3 x86
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Microsoft Security Essentials
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Java(TM) 6 Update 31
    Adobe Flash Player ( 10.3.183.10) Flash Player Out of Date!
    Mozilla Firefox (x86 de..)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Windows Defender MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    Microsoft Security Client Antimalware MsMpEng.exe
    ``````````End of Log````````````

    Farber:
    Farbar Service Scanner Version: 22-02-2012
    Ran by Barturo 24-02-2012 at 08:16:45
    Running from "C:\Dokumente und Einstellungen\Barturo\Desktop"
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============

    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll
    [2009-05-20 05:26] - [2008-04-14 13:00] - 0127488 ____N (Microsoft Corporation) C29A1C9B75BA38FA37F8C44405DEC360

    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll
    [2009-05-20 05:26] - [2008-04-14 13:00] - 0045568 ____N (Microsoft Corporation) 8C9ED3B2834AAE63081AB2DA831C6FE9

    C:\WINDOWS\system32\ipnathlp.dll
    [2009-05-20 05:26] - [2008-04-14 13:00] - 0334336 ____N (Microsoft Corporation) CAD058D5F8B889A87CA3EB3CF624DCEF

    C:\WINDOWS\system32\netman.dll
    [2009-05-20 05:26] - [2008-04-14 13:00] - 0198144 ____N (Microsoft Corporation) E6D88F1F6745BF00B57E7855A2AB696C

    C:\WINDOWS\system32\wbem\WMIsvc.dll
    [2009-05-20 05:40] - [2008-04-14 13:00] - 0145408 ____N (Microsoft Corporation) 6F3F3973D97714CC5F906A19FE883729

    C:\WINDOWS\system32\srsvc.dll
    [2009-05-20 05:42] - [2008-04-14 13:00] - 0171520 ____N (Microsoft Corporation) FE77A85495065F3AD59C5C65B6C54182

    C:\WINDOWS\system32\Drivers\sr.sys
    [2009-05-20 05:42] - [2008-04-14 13:00] - 0073472 ____N (Microsoft Corporation) 50FA898F8C032796D3B1B9951BB5A90F

    C:\WINDOWS\system32\wscsvc.dll
    [2009-05-20 05:27] - [2008-04-14 13:00] - 0080896 ____N (Microsoft Corporation) 300B3E84FAF1A5C1F791C159BA28035D

    C:\WINDOWS\system32\wbem\WMIsvc.dll
    [2009-05-20 05:40] - [2008-04-14 13:00] - 0145408 ____N (Microsoft Corporation) 6F3F3973D97714CC5F906A19FE883729

    C:\WINDOWS\system32\wuauserv.dll
    [2009-05-20 05:42] - [2008-04-14 13:00] - 0006656 ____N (Microsoft Corporation) 7B4FE05202AA6BF9F4DFD0E6A0D8A085

    C:\WINDOWS\system32\qmgr.dll
    [2009-05-20 05:42] - [2008-04-14 13:00] - 0409088 ____N (Microsoft Corporation) D6F603772A789BB3228F310D650B8BD1

    C:\WINDOWS\system32\es.dll
    [2009-05-20 05:26] - [2008-07-07 21:26] - 0253952 ____N (Microsoft Corporation) AF4F6B5739D18CA7972AB53E091CBC74

    C:\WINDOWS\system32\cryptsvc.dll
    [2009-05-20 05:26] - [2008-04-14 13:00] - 0062464 ____N (Microsoft Corporation) 611F824E5C703A5A899F84C5F1699E4D

    C:\WINDOWS\system32\svchost.exe
    [2009-05-20 05:27] - [2008-04-14 13:00] - 0014336 ____N (Microsoft Corporation) 4FBC75B74479C7A6F829E0CA19DF3366

    C:\WINDOWS\system32\rpcss.dll
    [2009-05-20 05:27] - [2009-02-09 11:51] - 0401408 ____N (Microsoft Corporation) 3127AFBF2C1ED0AB14A1BBB7AAECB85B

    C:\WINDOWS\system32\services.exe
    [2009-05-20 05:27] - [2009-02-09 12:21] - 0111104 ____N (Microsoft Corporation) A3EDBE9053889FB24AB22492472B39DC


    Extra List:
    =======
    Gpc(6) IPSec(4) NetBT(5) PSched(7) RFCOMM(10) Tcpip(3)
    0x0A000000040000000100000002000000030000000500000006000000070000000A0000000800000009000000
    IpSec Tag value is correct.

    **** End of log ****

    ESET:
    C:\Files\Downloads\media.player.codec.pack.v4.1.1.setup.exe probably a variant of Win32/Toolbar.Widgi application
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_11aa006c6c0ad6db_.sys.zip probably a variant of Win32/AutoRun.Spy.Banker.N worm

    Thanks,
    Barturo
     
  13. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Update Adobe Flash Player
    Download the Latest Adobe Flash for Firefox and IE Without Any Extras: http://www.404techsupport.com/2010/...-flash-for-firefox-and-ie-without-any-extras/

    ==================================================================

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please, let me know, how your computer is doing.
     
  14. Barturo

    Barturo TS Rookie Topic Starter

    Computer Running Well

    Broni,

    Thanks for all of your help. The computer is running well.

    Here is the result of the OTL scan:

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Barturo
    ->Temp folder emptied: 711300 bytes
    ->Temporary Internet Files folder emptied: 12913111 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 456 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Friedrich
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Markus
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Markus
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 11910 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 24908 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 13,00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Barturo
    ->Flash cache emptied: 0 bytes

    User: Default User

    User: Friedrich
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: Markus
    ->Flash cache emptied: 0 bytes

    User: Markus
    ->Flash cache emptied: 0 bytes

    User: NetworkService

    Total Flash Files Cleaned = 0,00 mb


    [EMPTYJAVA]

    User: Administrator

    User: All Users

    User: Barturo
    ->Java cache emptied: 0 bytes

    User: Default User

    User: Friedrich
    ->Java cache emptied: 0 bytes

    User: LocalService

    User: Markus
    ->Java cache emptied: 0 bytes

    User: Markus
    ->Java cache emptied: 0 bytes

    User: NetworkService

    Total Java Files Cleaned = 0,00 mb

    Restore points cleared and new OTL Restore Point set!

    OTL by OldTimer - Version 3.2.33.2 log created on 02272012_184706

    Files\Folders moved on Reboot...
    File\Folder C:\Dokumente und Einstellungen\Barturo\Lokale Einstellungen\Temp\~DFE547.tmp not found!
    File\Folder C:\Dokumente und Einstellungen\Barturo\Lokale Einstellungen\Temp\~DFE597.tmp not found!
    File\Folder C:\Dokumente und Einstellungen\Barturo\Lokale Einstellungen\Temp\~DFEB7C.tmp not found!
    File\Folder C:\Dokumente und Einstellungen\Barturo\Lokale Einstellungen\Temp\~DFEB88.tmp not found!
    File\Folder C:\Dokumente und Einstellungen\Barturo\Lokale Einstellungen\Temp\~DFED3B.tmp not found!
    File\Folder C:\Dokumente und Einstellungen\Barturo\Lokale Einstellungen\Temp\~DFED47.tmp not found!
    C:\Dokumente und Einstellungen\Barturo\Lokale Einstellungen\Temporary Internet Files\Content.IE5\LYV9OXFK\partner[1].htm moved successfully.
    C:\Dokumente und Einstellungen\Barturo\Lokale Einstellungen\Temporary Internet Files\Content.IE5\AN8HEEPK\partner[1].htm moved successfully.
    C:\Dokumente und Einstellungen\Barturo\Lokale Einstellungen\Temporary Internet Files\Content.IE5\AN8HEEPK\topic177663[1].html moved successfully.
    C:\Dokumente und Einstellungen\Barturo\Lokale Einstellungen\Temporary Internet Files\Content.IE5\4EMJZCZF\918[1].htm moved successfully.
    C:\Dokumente und Einstellungen\Barturo\Lokale Einstellungen\Temporary Internet Files\Content.IE5\4EMJZCZF\partner[1].htm moved successfully.
    C:\Dokumente und Einstellungen\Barturo\Lokale Einstellungen\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

    Registry entries deleted on Reboot...

    Many thanks,

    Barturo
     
  15. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Way to go!! [​IMG]
    Good luck and stay safe :)
     

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...