TechSpot

System affected with google redirect problem

By poolside
Jan 6, 2011
  1. Microsoft Security Essentials reports my computer is infected with Alureon but we can't clean it up. Ran the steps outlined in your forum and need help analyzing and suggesting next steps because we have no clue. Here are the logs from the various tools:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5466

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    1/5/2011 8:21:12 PM
    mbam-log-2011-01-05 (20-21-12).txt

    Scan type: Quick scan
    Objects scanned: 188409
    Time elapsed: 5 minute(s), 22 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\system32\CMDOW.EXE (Malware.Tool) -> Quarantined and deleted successfully.

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-01-06 04:56:00
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\00000032 WDC_WD2500JS-00MHB0 rev.02.01C03
    Running: do8jyos1.exe; Driver: C:\DOCUME~1\Bill\LOCALS~1\Temp\pwtdqpow.sys


    ---- System - GMER 1.0.15 ----

    SSDT spje.sys ZwCreateKey [0xB9EB50E0]
    SSDT spje.sys ZwEnumerateKey [0xB9ECDDA4]
    SSDT spje.sys ZwEnumerateValueKey [0xB9ECE132]
    SSDT spje.sys ZwOpenKey [0xB9EB50C0]
    SSDT spje.sys ZwQueryKey [0xB9ECE20A]
    SSDT spje.sys ZwQueryValueKey [0xB9ECE08A]
    SSDT spje.sys ZwSetValueKey [0xB9ECE29C]

    INT 0x63 ? 8A75BBF8
    INT 0x73 ? 8A75BBF8
    INT 0x82 ? 8A7CDBF8
    INT 0xA4 ? 8A75ABF8
    INT 0xB4 ? 8A75EBF8

    ---- Kernel code sections - GMER 1.0.15 ----

    ? vvdka.sys The system cannot find the file specified. !
    ? spje.sys The system cannot find the file specified. !
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB7F38360, 0x3441C7, 0xE8000020]
    .text USBPORT.SYS!DllUnload B7AFD8AC 5 Bytes JMP 8A75A1D8
    .text anp8ur1n.SYS B4E56386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
    .text anp8ur1n.SYS B4E563AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
    .text anp8ur1n.SYS B4E563C4 3 Bytes [00, 80, 02]
    .text anp8ur1n.SYS B4E563C9 1 Byte [30]
    .text anp8ur1n.SYS B4E563C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
    .text ...

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\Program Files\palmOne\HOTSYNC.EXE[2784] MSVCRT.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 C:\Program Files\palmOne\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
    .text C:\WINDOWS\system32\SearchIndexer.exe[3800] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EB6042] spje.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EB613E] spje.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EB60C0] spje.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EB6800] spje.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EB66D6] spje.sys
    IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EC5B90] spje.sys
    IAT \SystemRoot\System32\Drivers\anp8ur1n.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
    IAT \SystemRoot\System32\Drivers\anp8ur1n.SYS[HAL.dll!READ_PORT_UCHAR] 1C959E88
    IAT \SystemRoot\System32\Drivers\anp8ur1n.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
    IAT \SystemRoot\System32\Drivers\anp8ur1n.SYS[HAL.dll!KfRaiseIrql] 00001CB1
    IAT \SystemRoot\System32\Drivers\anp8ur1n.SYS[HAL.dll!KfLowerIrql] 0E798366
    IAT \SystemRoot\System32\Drivers\anp8ur1n.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
    IAT \SystemRoot\System32\Drivers\anp8ur1n.SYS[HAL.dll!HalTranslateBusAddress] 8986C636
    IAT \SystemRoot\System32\Drivers\anp8ur1n.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
    IAT \SystemRoot\System32\Drivers\anp8ur1n.SYS[HAL.dll!KfReleaseSpinLock] 1C8B86C6
    IAT \SystemRoot\System32\Drivers\anp8ur1n.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
    IAT \SystemRoot\System32\Drivers\anp8ur1n.SYS[HAL.dll!READ_PORT_USHORT] 001C9686
    IAT \SystemRoot\System32\Drivers\anp8ur1n.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
    IAT \SystemRoot\System32\Drivers\anp8ur1n.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CB2
    IAT \SystemRoot\System32\Drivers\anp8ur1n.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
    IAT \SystemRoot\System32\Drivers\anp8ur1n.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB99E

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 8A7591F8

    AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)

    Device \FileSystem\Fastfat \FatCdrom 8A1721F8
    Device \Driver\PCI_PNP2086 \Device\00000050 spje.sys
    Device \Driver\usbohci \Device\USBPDO-0 8A0E71F8
    Device \Driver\usbehci \Device\USBPDO-1 8A1B91F8
    Device \Driver\sptd \Device\2364933336 spje.sys
    Device \Driver\Ftdisk \Device\HarddiskVolume1 8A75C1F8
    Device \Driver\Cdrom \Device\CdRom0 8A1AC1F8
    Device \Driver\Cdrom \Device\CdRom1 8A1AC1F8
    Device \Driver\atapi \Device\Ide\IdePort0 [B9E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort1 [B9E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-e [B9E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-6 [B9E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\Cdrom \Device\CdRom2 8A1AC1F8
    Device \Driver\USBSTOR \Device\00000080 88FF7500
    Device \Driver\NetBT \Device\NetBT_Tcpip_{F632EB72-5F24-4857-9CAC-2CD818D553EB} 8A0F9370
    Device \Driver\USBSTOR \Device\00000082 88FF7500
    Device \Driver\USBSTOR \Device\00000083 88FF7500
    Device \Driver\NetBT \Device\NetBt_Wins_Export 8A0F9370
    Device \Driver\USBSTOR \Device\00000084 88FF7500
    Device \Driver\USBSTOR \Device\00000085 88FF7500
    Device \Driver\NetBT \Device\NetbiosSmb 8A0F9370
    Device \Driver\NetBT \Device\NetBT_Tcpip_{767326F4-2F70-44EA-903C-93F0AEBD7A06} 8A0F9370
    Device \Driver\usbohci \Device\USBFDO-0 8A0E71F8
    Device \Driver\usbehci \Device\USBFDO-1 8A1B91F8
    Device \Driver\nvata -> DriverStartIo \Device\NvAta0 8A64CAEA
    Device \Driver\nvata \Device\NvAta0 8A75B1F8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 890251F8
    Device \Driver\nvata -> DriverStartIo \Device\NvAta1 8A64CAEA
    Device \Driver\nvata \Device\NvAta1 8A75B1F8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 890251F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{9549B990-F415-4B24-A552-C28EC8E7EDBE} 8A0F9370
    Device \Driver\Ftdisk \Device\FtControl 8A75C1F8
    Device \Driver\Si3132r5 \Device\Scsi\Si3132r51 8A7CC1F8
    Device \Driver\anp8ur1n \Device\Scsi\anp8ur1n1Port5Path0Target0Lun0 8A08B1F8
    Device \Driver\anp8ur1n \Device\Scsi\anp8ur1n1 8A08B1F8
    Device \Driver\Si3132r5 \Device\Scsi\Si3132r51Port4Path1Target1fLun0 8A7CC1F8
    Device \FileSystem\Fastfat \Fat 8A1721F8

    AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Cdfs \Cdfs 88EE6500
    Device \Device\00000078 -> \??\IDE#DiskWDC_WD2500JS-00MHB0_____________________02.01C03#2020202057202D4443574E41314B363131383230#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x7A 0x45 0x05 0xFD ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x6B 0x65 0x49 0x6A ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

    ---- EOF - GMER 1.0.15 ----

    DDS logs in next post.

  2. poolside

    Google Redirect problem - DDS logs follow

    Couldn't fit all the logs in the first post - here are the DDS logs:

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)


    ==== Disk Partitions =========================


    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    7-Zip 9.15 beta
    Action Replay DSi Code Manager
    ActivePerl 5.8.8 Build 817
    Ad-Aware SE Personal
    Adobe Common File Installer
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Help Center 2.1
    Adobe Premiere Elements 3.0
    Adobe Premiere Elements 3.0 Templates
    Adobe Reader 7.1.0
    Adobe Reader for Palm OS, 3.05
    Advanced Video FX Engine
    AiO_Scan
    Apache Tomcat 6.0.14
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArtRage 2 Starter Edition
    AutoUpdate
    AVIcodec (remove only)
    AviSynth 2.5
    Bonjour
    BUFFALO NAS Navigator
    CamStudio
    Chessmaster 9000
    Compatibility Pack for the 2007 Office system
    Copy
    Coupon Printer for Windows
    Creative Live! Cam Center
    Creative Live! Cam FX Creator
    Creative Live! Cam Manager
    Creative Live! Cam Video IM Pro Driver (1.02.02.1018)
    Creative Live! Cam Video IM Pro User's Guide (English)
    Creative Photo Calendar
    Creative Photo Manager
    Creative Software AutoUpdate
    Creative System Information
    CreativeProjects
    CutePDF Writer 2.6
    Deal Info
    DebugMode Wax 2.0
    Dev-C++ 5 beta 9 release (4.9.9.2)
    Disney Pirates of the Caribbean Online
    DivX Player
    DivX Pro
    DocProc
    doPDF 7.1 printer
    DVD Architect Pro 5.0
    DVD Decrypter (Remove Only)
    DVD Shrink 3.2
    EarthLink MDAC
    Event Log Explorer 2.0 beta
    FileZilla Client 3.3.5.1
    Flock 1.1
    FreeMind
    FWTools 1.0.0
    Garmin ANT Agent 2.1.7
    Garmin Communicator Plugin
    Garmin Training Center 3.4.3
    Garmin USB Drivers
    GCalc 3
    GdiplusUpgrade
    Get Yahoo! Messenger
    Google Chrome
    Google Earth
    Google SketchUp
    Google Update Helper
    Google Video Player
    GUN (TM)
    HanDBas Professional for Palm OS v3.5
    Handbrake 0.9.4
    Handmark Oxford American Desk Dictionary and Thesaurus for Palm OS
    Hitman Pro 3.5
    Hollywood FX Pack 26 - Extra FX
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Color LaserJet CP2020 Series 2.0
    HP Image Zone 4.2
    HP PSC & OfficeJet 4.2
    HP Update
    hpmdtab
    hppFonts
    hppManualsCP2020
    hppPQVideoCP2020
    hppQFolderCP2020
    hppTLBXFXCP2020
    HPSSupply
    HPSystemDiagnostics
    hpzTLBXFX
    Hy-Tek's MEET MANAGER 2.0 for Swimming
    IC Card Reader Driver v1.9e
    Inkscape 0.47
    InstantShare
    iPod for Windows 2005-09-23
    irrGardener
    IsoBuster 2.7
    iTunes
    J2ME Wireless Toolkit 1.0.4_02
    J2ME Wireless Toolkit 2.2
    J2SE Development Kit 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Jasc Paint Shop Pro 8
    Java 2 Runtime Environment, SE v1.4.1_02
    Java Auto Updater
    Java DB 10.4.2.1
    Java EE 5 Tools Bundle
    Java Web Start
    Java(TM) 6 Update 2
    Java(TM) 6 Update 23
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Development Kit 6 Update 11
    Java(TM) SE Development Kit 6 Update 16
    Java(TM) SE Development Kit 6 Update 3
    Java(TM) SE Runtime Environment 6 Update 1
    JFreeChart 1.0.13 Demo
    KeePass Password Safe 1.16
    LightScribe Applications
    LightScribe System Software
    Linux MultiMedia Studio (LMMS)
    LiveUpdate 1.80 (Symantec Corporation)
    Log-a-Jog
    Macromedia Shockwave Player
    Malwarebytes' Anti-Malware
    Marvell Miniport Driver
    McAfee Security Scan Plus
    MDB2CSV
    Media Player Classic - Home Cinema v. 1.3.1249.0
    Memories Disc Creator 2.0
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 97, Professional Edition
    Microsoft Office PowerPoint 2003 Template Pack 1
    Microsoft Office PowerPoint 2003 Template Pack 2
    Microsoft Office PowerPoint 2003 Template Pack 3
    Microsoft Office Publisher 2003
    Microsoft Office Standard Edition 2003
    Microsoft Producer for Microsoft Office PowerPoint 2003
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft XML Parser
    Mirage Driver 1.1
    MotionBased Agent
    Mozilla Firefox (3.6.13)
    Mozilla Thunderbird (1.5)
    MSN
    MSN Music Assistant
    MSSoap
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 6.0 Parser (KB925673)
    muvee autoProducer 4.1
    MWSnap 3
    MySQL Server 5.1
    MySQL Tools for 5.0
    Need For Speed Hot Pursuit 2
    Nero 7 Ultra Edition
    neroxml
    NetBeans IDE 6.7.1
    NetGear PS121v2
    Netscape (7.2)
    Netscape Browser (remove only)
    NVIDIA Drivers
    Opanda IExif 2.26
    OpenCV SDK
    OpenOffice.org 3.0
    Oracle VM VirtualBox 3.2.8
    overland
    Palm Desktop
    Pando
    PhotoGallery
    Physicus 07
    Picasa 3
    PixiePack Codec Pack
    Pocket Tanks v1.3
    PowerDVD
    QFolder
    QuickProjects
    QuickTime
    RealPlayer
    Remove Hidden Data Tool
    Road Runner Medic 6.0.0.6
    RoadRunner
    RollerCoaster Tycoon
    RollerCoaster Tycoon 3
    Scan
    Screen Print 32
    ScreenPrint32 v3.5
    ScreenPrint32 v3.5 (C:\Program Files\ScreenPrint32 v3\)
    SeaWorld Adventure Parks Tycoon 3D
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Shop for HP Supplies
    SightSpeed (remove only)
    SkinsHP1
    SkinsHP2
    Skype Toolbars
    Skype 4.2
    SmartSound Quicktracks Plugin
    Sony ACID Music Studio 7.0
    Sony ACID XPress 5.0a
    Sony DVD Architect Studio 4.5
    Sony Media Manager for PSP 2.5
    Sony Preset Manager 2.0e
    Sony Vegas Movie Studio 8.0
    Sqirlz Morph
    Sun Java Wireless Toolkit 2.3 Beta
    Sun Java Wireless Toolkit 2.5 Beta
    Symantec AntiVirus Client
    TBS WMP Plug-in
    TI Connect 1.6
    TightVNC 1.3.10
    TrayApp
    Typing Instructor Deluxe
    ubi.com
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 8 (KB972636)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    USB Sharing
    Videora iPod classic Converter 3.03
    Viewpoint Media Player
    ViewSonic Monitor Drivers
    Vim 6.4 (self-installing)
    WebFldrs XP
    WebReg
    Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
    Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer Clean Up
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Presentation Foundation
    Windows Search 4.0
    Windows XP Service Pack 3
    WinMorp 3.01
    WinZip
    XBMC Media Center
    XML Paper Specification Shared Components Pack 1.0
    Yahoo! Messenger
    Yahoo! Toolbar
    Zoo Tycoon: Complete Collection

    ==== End Of File ===========================


    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Bill at 5:10:51.06 on Thu 01/06/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

    ============== Running Processes ===============


    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} -
    c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} -
    c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497}
    - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} -
    c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} -
    c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} -
    c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
    uRun: [Creative Live! Cam Manager] "c:\program files\creative\creative live!
    cam\live! cam manager\CTLCMgr.exe"
    uRun: [ANT Agent] c:\garmin\ant agent\ANT Agent.exe
    uRun: [LightScribe Control Panel] c:\program files\common
    files\lightscribe\LightScribeControlPanel.exe -hidden
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE
    c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [HPDJ Taskbar Utility]
    c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
    mRun: [V0230Mon.exe] c:\windows\V0230Mon.exe
    mRun: [AVFX Engine] c:\program files\creative\creative live!
    cam\videofx\StartFX.exe
    mRun: [PS121v2] "c:\program files\netgear\ps121v2\PS121v2.exe" /hide
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe"
    -osboot
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on
    /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
    mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
    mRun: [ScreenPrint32] c:\program files\screenprint32 v3\ScreenPrint32.exe
    -startup
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java
    update\jusched.exe"
    mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
    -runkey
    StartupFolder: c:\docume~1\bill\startm~1\programs\startup\adobeg~1.lnk -
    c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\bill\startm~1\programs\startup\hotsyn~1.lnk -
    c:\program files\palmone\HOTSYNC.EXE
    StartupFolder: c:\docume~1\bill\startm~1\programs\startup\motion~1.lnk -
    c:\program files\motionbased\agent\MBAgent.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk -
    c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk -
    c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\usbsha~1.lnk -
    c:\program files\usb sharing\usbshare.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk -
    c:\program files\windows desktop search\WindowsSearch.exe
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Locate Spot on Map by GPS - c:\program files\opanda\iexif 2.26\IExifMap.htm
    IE: View Exif/GPS/IPTC with IExif - c:\program files\opanda\iexif
    2.26\IExifCom.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network
    Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program
    files\messenger\msmsgs.exe
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} -
    {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program
    files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
    {FF059E31-CC5A-4E2E-BF3B-96E929D65503} -
    c:\progra~1\micros~2\office11\REFIEBAR.DLL
    Trusted Zone: pinnaclesys.com\apps
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {01113300-3E00-11D2-8470-0060089874ED} -
    hxxp://activation.rr.com/install/downloads/tgctlcm.cab
    DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
    hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144891611740
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
    hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -
    hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
    DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} -
    hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} -
    hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -
    hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} -
    hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -
    hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} -
    hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -
    hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} -
    hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} -
    hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} -
    hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} -
    hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
    hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -
    hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -
    c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -
    c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -
    c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager:
    {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop
    search\MSNLNamespaceMgr.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common
    files\lightscribe\LSRunOnce.exe"
    mASetup: {A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2} - c:\program files\pixiepack
    codec pack\InstallerHelper.exe

    ================= FIREFOX ===================

    FF - ProfilePath -
    c:\docume~1\bill\applic~1\mozilla\firefox\profiles\yy8a5w25.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
    FF - component: c:\documents and settings\bill\application data\mozilla\firefox\profiles\yy8a5w25.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\bill\application data\mozilla\firefox\profiles\yy8a5w25.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\documents and settings\bill\application data\mozilla\firefox\profiles\yy8a5w25.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
    FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} -
    %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: Walnut for Firefox: {5A170DD3-63CA-4c58-93B7-DE9FF536C2FF} -
    %profile%\extensions\{5A170DD3-63CA-4c58-93B7-DE9FF536C2FF}
    FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} -
    %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
    FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} -
    %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program
    files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} -
    c:\program files\mozilla
    firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program
    files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program
    files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant:
    {20a82645-c095-46ed-80e3-08825760534b} -
    c:\windows\microsoft.net\framework\v3.5\windows presentation
    foundation\DotNetAssistantExtension

    ============= SERVICES / DRIVERS ===============


    =============== Created Last 30 ================

    2011-01-06 10:56:42 6273872 ----a-w-
    c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition
    updates\{fca68fe3-ccf4-4397-a54c-be7a1c9b5c77}\mpengine.dll
    2011-01-06 02:14:59 -------- d-----w- c:\docume~1\bill\applic~1\Malwarebytes
    2011-01-06 02:14:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-06 02:14:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-01-06 02:14:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-06 02:14:47 -------- d-----w- c:\program files\Malwarebytes'
    Anti-Malware
    2011-01-05 14:05:27 -------- d-sha-r- C:\cmdcons
    2011-01-05 13:58:31 98816 ----a-w- c:\windows\sed.exe
    2011-01-05 13:58:31 89088 ----a-w- c:\windows\MBR.exe
    2011-01-05 13:58:31 256512 ----a-w- c:\windows\PEV.exe
    2011-01-05 13:58:31 161792 ----a-w- c:\windows\SWREG.exe
    2011-01-05 13:48:53 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-01-05 03:28:20 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-01-05 03:28:13 -------- d-----w- c:\program files\Hitman Pro 3.5
    2011-01-05 03:27:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
    2010-12-31 19:01:42 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin
    2010-12-31 19:01:34 -------- d-----w- c:\docume~1\bill\applic~1\Windows Desktop
    Search
    2010-12-31 19:01:08 -------- d-----w- c:\windows\system32\GroupPolicy
    2010-12-31 19:01:08 -------- d-----w- c:\program files\Windows Desktop Search
    2010-12-31 19:00:24 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
    2010-12-31 19:00:24 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
    2010-12-31 19:00:24 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
    2010-12-31 18:13:22 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2010-12-31 18:13:22 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-12-31 02:32:28 -------- d-----w- C:\Netgear
    2010-12-27 12:38:14 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
    2010-12-27 12:38:13 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
    2010-12-19 17:47:43 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-12-19 08:02:13 23040 ----a-w- c:\windows\system32\drivers\MOUCLASS.SYS
    2010-12-16 02:32:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\Driver Boost
    2010-12-15 17:51:48 23040 ----a-w- c:\windows\system32\drivers\oqeunamr.sys
    2010-12-15 01:11:25 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-15 00:50:51 45568 -c----w- c:\windows\system32\dllcache\wab.exe
    2010-12-12 08:05:28 23040 ----a-w- c:\windows\system32\drivers\bnucdcpm.sys
    2010-12-07 17:11:46 23040 ----a-w- c:\windows\system32\drivers\jovmherp.sys

    ==================== Find3M ====================

    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-13 00:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-12 22:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    2010-10-24 17:13:49 60416 ----a-w- c:\windows\ALCFDRTM.VER
    2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer,
    http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD2500JS-00MHB0 rev.02.01C03 -> Harddisk0\DR0 ->
    \Device\00000032

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A657EC5]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD
    [EBP-0x4], 0x87b0a872; SUB DWORD [EBP-0x4], 0x87b0a12e; PUSH EDI; CALL
    0xffffffffffffdf33; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A716A68]
    3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] ->
    \Device\00000079[0x8A710AC0]
    5 ACPI[0xB9E74620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A642030]
    [0x8A34D2C0] -> IRP_MJ_CREATE -> 0x8A657EC5
    error: Read Incorrect function.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX;
    POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5;
    REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ
    0x3a; }
    detected disk devices:
    \Device\00000078 -> \??\IDE#DiskWDC_WD2500JS-00MHB0_____________________02.01C03#2020202057202D4443574E41314B363131383230#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

    device not found
    detected hooks:
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 5:17:15.10 ===============




    We are away from the infected computer till 6pm CST.
    Thanks for your help.
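The two sections of the DDS log that carry the actual lead here are "Created Last 30" (three 23040-byte drivers with eight-letter names dropped a week apart, alongside the stock MOUCLASS.SYS at the same size) and the mbr.exe "ROOTKIT" block (an UNKNOWN module in the disk I/O chain, a read error, and the TDL3 warning). The script below is an added example of mine, not part of this thread and not code from DDS, GMER or any of the helpers' tools; it parses those two sections, using the entries posted above as its sample input, and reports what a helper would otherwise pick out by eye. The eight-lowercase-letter name rule and the "three or more new drivers sharing one size" threshold are my own heuristics, stated as assumptions in the code, not something DDS or the thread defines.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Sample input copied from the "Created Last 30" and "ROOTKIT" sections of the
# DDS log posted above (entries the forum had wrapped are re-joined here).
SAMPLE_CREATED_LAST_30 = r"""
2011-01-06 02:14:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-06 02:14:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-05 14:05:27 -------- d-sha-r- C:\cmdcons
2011-01-05 13:58:31 89088 ----a-w- c:\windows\MBR.exe
2011-01-05 03:28:20 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-12-31 19:01:42 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin
2010-12-19 08:02:13 23040 ----a-w- c:\windows\system32\drivers\MOUCLASS.SYS
2010-12-15 17:51:48 23040 ----a-w- c:\windows\system32\drivers\oqeunamr.sys
2010-12-12 08:05:28 23040 ----a-w- c:\windows\system32\drivers\bnucdcpm.sys
2010-12-07 17:11:46 23040 ----a-w- c:\windows\system32\drivers\jovmherp.sys
"""

SAMPLE_ROOTKIT = r"""
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A657EC5]<<
error: Read Incorrect function.
kernel: MBR read successfully
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# One DDS entry: date, time, size (or "--------" for a directory), 8 attribute flags, path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass
class Entry:
    date: str
    size: Optional[int]  # None for directory entries
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["date"], size, m["attrs"], m["path"])


def is_new_driver(e: Entry) -> bool:
    p = e.path.lower()
    return p.startswith(DRIVER_DIR) and p.endswith(".sys") and e.size is not None


def looks_random(name: str) -> bool:
    # Assumed heuristic: a stem of exactly eight lowercase letters, no digits,
    # no vendor prefix, is the pattern a helper eyeballs as machine-generated.
    stem = name.rsplit(".", 1)[0]
    return re.fullmatch(r"[a-z]{8}", stem) is not None


def triage_created_last_30(section: str, cluster_min: int = 3) -> dict:
    """Return {filename: [reasons]} for newly created kernel drivers worth a look."""
    entries = [e for e in map(parse_line, section.splitlines()) if e]
    drivers = [e for e in entries if is_new_driver(e)]
    names_by_size = defaultdict(set)
    for e in drivers:
        names_by_size[e.size].add(e.name.lower())
    findings = {}
    for e in drivers:
        reasons = []
        if looks_random(e.name):
            reasons.append("random-looking 8-letter name")
        peers = names_by_size[e.size]
        if len(peers) >= cluster_min:  # assumed threshold
            reasons.append(f"size {e.size} shared by {len(peers)} new drivers")
        if reasons:
            findings[e.name] = reasons
    return findings


def mbr_scan_indicators(section: str) -> list:
    """Pull out the lines in the mbr.exe output that back its rootkit warning."""
    found = []
    m = re.search(r"called modules:.*>>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<", section)
    if m:
        found.append(f"unknown code at {m.group(1)} in the disk I/O path")
    if re.search(r"^error: Read", section, re.M):
        found.append("read error reported by the scanner")
    if re.search(r"^Warning: possible TDL\d rootkit", section, re.M):
        found.append("scanner warning")
    return found


if __name__ == "__main__":
    for name, why in triage_created_last_30(SAMPLE_CREATED_LAST_30).items():
        print(f"{name}: {'; '.join(why)}")
    print(mbr_scan_indicators(SAMPLE_ROOTKIT))
```

Run against the posted log, the three eight-letter drivers get both reasons, while MOUCLASS.SYS (a stock Windows driver name) lands in the 23040-byte cluster on size alone, which is why the size signal is a lead to chase rather than a verdict. On the mbr.exe side, note that both the user-mode and kernel-mode MBR reads report OK; what the tool is reacting to is the UNKNOWN module sitting in the call chain between ACPI.sys and the disk, together with the failed read, so a "clean" MBR line on its own does not clear the machine.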
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll wait until the additional logs have been posted to check for malware.

    But I wanted to mention the entry found in Malwarebytes:
    Files Infected:
    c:\WINDOWS\system32\CMDOW.EXE (Malware.Tool) -> Quarantined and deleted successfully.


    CMDOW.EXE is the Commandline Window Utility. It allows manipulation of open windows. It is a standalone executable, no installation required. Non-system processes like cmdow.exe originate from software you installed on your system. The process is considered safe and offers no harm to the system. All it does is hide a window, something done frequently when there is an unattended download or installation. It's detected because an occasional software program could use it maliciously so you don't see what's happening to your computer. But since malware can hide using the name of almost any legitimate process, I'll have to see additional logs to determine the nature of this entry.
    ===================================
    When you have finished DDS, please run the following:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ============================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Include all logs (2 from DDS, 1 from Eset scan, 1 from Combofix) in next reply. OK to use multiple posts if needed.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  4. poolside

    poolside TS Rookie Topic Starter Posts: 16

    DDS logs

    Thanks for the quick reply here are the DDS Logs - won't be able to run the other tools till 6pm CST as I am away from the infected computer at this time.


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)


    ==== Disk Partitions =========================


    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    7-Zip 9.15 beta
    Action Replay DSi Code Manager
    ActivePerl 5.8.8 Build 817
    Ad-Aware SE Personal
    Adobe Common File Installer
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Help Center 2.1
    Adobe Premiere Elements 3.0
    Adobe Premiere Elements 3.0 Templates
    Adobe Reader 7.1.0
    Adobe Reader for Palm OS, 3.05
    Advanced Video FX Engine
    AiO_Scan
    Apache Tomcat 6.0.14
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArtRage 2 Starter Edition
    AutoUpdate
    AVIcodec (remove only)
    AviSynth 2.5
    Bonjour
    BUFFALO NAS Navigator
    CamStudio
    Chessmaster 9000
    Compatibility Pack for the 2007 Office system
    Copy
    Coupon Printer for Windows
    Creative Live! Cam Center
    Creative Live! Cam FX Creator
    Creative Live! Cam Manager
    Creative Live! Cam Video IM Pro Driver (1.02.02.1018)
    Creative Live! Cam Video IM Pro User's Guide (English)
    Creative Photo Calendar
    Creative Photo Manager
    Creative Software AutoUpdate
    Creative System Information
    CreativeProjects
    CutePDF Writer 2.6
    Deal Info
    DebugMode Wax 2.0
    Dev-C++ 5 beta 9 release (4.9.9.2)
    Disney Pirates of the Caribbean Online
    DivX Player
    DivX Pro
    DocProc
    doPDF 7.1 printer
    DVD Architect Pro 5.0
    DVD Decrypter (Remove Only)
    DVD Shrink 3.2
    EarthLink MDAC
    Event Log Explorer 2.0 beta
    FileZilla Client 3.3.5.1
    Flock 1.1
    FreeMind
    FWTools 1.0.0
    Garmin ANT Agent 2.1.7
    Garmin Communicator Plugin
    Garmin Training Center 3.4.3
    Garmin USB Drivers
    GCalc 3
    GdiplusUpgrade
    Get Yahoo! Messenger
    Google Chrome
    Google Earth
    Google SketchUp
    Google Update Helper
    Google Video Player
    GUN (TM)
    HanDBase® Professional for Palm OS v3.5
    Handbrake 0.9.4
    Handmark® Oxford American Desk Dictionary and Thesaurus for Palm OS
    Hitman Pro 3.5
    Hollywood FX Pack 26 - Extra FX
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Color LaserJet CP2020 Series 2.0
    HP Image Zone 4.2
    HP PSC & OfficeJet 4.2
    HP Update
    hpmdtab
    hppFonts
    hppManualsCP2020
    hppPQVideoCP2020
    hppQFolderCP2020
    hppTLBXFXCP2020
    HPSSupply
    HPSystemDiagnostics
    hpzTLBXFX
    Hy-Tek's MEET MANAGER 2.0 for Swimming
    IC Card Reader Driver v1.9e
    Inkscape 0.47
    InstantShare
    iPod for Windows 2005-09-23
    irrGardener
    IsoBuster 2.7
    iTunes
    J2ME Wireless Toolkit 1.0.4_02
    J2ME Wireless Toolkit 2.2
    J2SE Development Kit 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Jasc Paint Shop Pro 8
    Java 2 Runtime Environment, SE v1.4.1_02
    Java Auto Updater
    Java DB 10.4.2.1
    Java EE 5 Tools Bundle
    Java Web Start
    Java(TM) 6 Update 2
    Java(TM) 6 Update 23
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Development Kit 6 Update 11
    Java(TM) SE Development Kit 6 Update 16
    Java(TM) SE Development Kit 6 Update 3
    Java(TM) SE Runtime Environment 6 Update 1
    JFreeChart 1.0.13 Demo
    KeePass Password Safe 1.16
    LightScribe Applications
    LightScribe System Software
    Linux MultiMedia Studio (LMMS)
    LiveUpdate 1.80 (Symantec Corporation)
    Log-a-Jog
    Macromedia Shockwave Player
    Malwarebytes' Anti-Malware
    Marvell Miniport Driver
    McAfee Security Scan Plus
    MDB2CSV
    Media Player Classic - Home Cinema v. 1.3.1249.0
    Memories Disc Creator 2.0
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 97, Professional Edition
    Microsoft Office PowerPoint 2003 Template Pack 1
    Microsoft Office PowerPoint 2003 Template Pack 2
    Microsoft Office PowerPoint 2003 Template Pack 3
    Microsoft Office Publisher 2003
    Microsoft Office Standard Edition 2003
    Microsoft Producer for Microsoft Office PowerPoint 2003
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft XML Parser
    Mirage Driver 1.1
    MotionBased Agent
    Mozilla Firefox (3.6.13)
    Mozilla Thunderbird (1.5)
    MSN
    MSN Music Assistant
    MSSoap
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 6.0 Parser (KB925673)
    muvee autoProducer 4.1
    MWSnap 3
    MySQL Server 5.1
    MySQL Tools for 5.0
    Need For Speed Hot Pursuit 2
    Nero 7 Ultra Edition
    neroxml
    NetBeans IDE 6.7.1
    NetGear PS121v2
    Netscape (7.2)
    Netscape Browser (remove only)
    NVIDIA Drivers
    Opanda IExif 2.26
    OpenCV SDK
    OpenOffice.org 3.0
    Oracle VM VirtualBox 3.2.8
    overland
    Palm Desktop
    Pando
    PhotoGallery
    Physicus '07
    Picasa 3
    PixiePack Codec Pack
    Pocket Tanks v1.3
    PowerDVD
    QFolder
    QuickProjects
    QuickTime
    RealPlayer
    Remove Hidden Data Tool
    Road Runner Medic 6.0.0.6
    RoadRunner
    RollerCoaster Tycoon
    RollerCoaster Tycoon 3
    Scan
    Screen Print 32
    ScreenPrint32 v3.5
    ScreenPrint32 v3.5 (C:\Program Files\ScreenPrint32 v3\)
    SeaWorld Adventure Parks Tycoon 3D
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Shop for HP Supplies
    SightSpeed (remove only)
    SkinsHP1
    SkinsHP2
    Skype Toolbars
    Skype™ 4.2
    SmartSound Quicktracks Plugin
    Sony ACID Music Studio 7.0
    Sony ACID XPress 5.0a
    Sony DVD Architect Studio 4.5
    Sony Media Manager for PSP 2.5
    Sony Preset Manager 2.0e
    Sony Vegas Movie Studio 8.0
    Sqirlz Morph
    Sun Java Wireless Toolkit 2.3 Beta
    Sun Java Wireless Toolkit 2.5 Beta
    Symantec AntiVirus Client
    TBS WMP Plug-in
    TI Connect 1.6
    TightVNC 1.3.10
    TrayApp
    Typing Instructor Deluxe
    ubi.com
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 8 (KB972636)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    USB Sharing
    Videora iPod classic Converter 3.03
    Viewpoint Media Player
    ViewSonic Monitor Drivers
    Vim 6.4 (self-installing)
    WebFldrs XP
    WebReg
    Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
    Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer Clean Up
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Presentation Foundation
    Windows Search 4.0
    Windows XP Service Pack 3
    WinMorph™ 3.01
    WinZip
    XBMC Media Center
    XML Paper Specification Shared Components Pack 1.0
    Yahoo! Messenger
    Yahoo! Toolbar
    Zoo Tycoon: Complete Collection

    ==== End Of File ===========================


    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Bill at 5:10:51.06 on Thu 01/06/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

    ============== Running Processes ===============


    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
    uRun: [Creative Live! Cam Manager] "c:\program files\creative\creative live! cam\live! cam manager\CTLCMgr.exe"
    uRun: [ANT Agent] c:\garmin\ant agent\ANT Agent.exe
    uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
    mRun: [V0230Mon.exe] c:\windows\V0230Mon.exe
    mRun: [AVFX Engine] c:\program files\creative\creative live! cam\videofx\StartFX.exe
    mRun: [PS121v2] "c:\program files\netgear\ps121v2\PS121v2.exe" /hide
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
    mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
    mRun: [ScreenPrint32] c:\program files\screenprint32 v3\ScreenPrint32.exe -startup
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
    StartupFolder: c:\docume~1\bill\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\bill\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE
    StartupFolder: c:\docume~1\bill\startm~1\programs\startup\motion~1.lnk - c:\program files\motionbased\agent\MBAgent.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\usbsha~1.lnk - c:\program files\usb sharing\usbshare.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Locate Spot on Map by GPS - c:\program files\opanda\iexif 2.26\IExifMap.htm
    IE: View Exif/GPS/IPTC with IExif - c:\program files\opanda\iexif 2.26\IExifCom.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    Trusted Zone: pinnaclesys.com\apps
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://activation.rr.com/install/downloads/tgctlcm.cab
    DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144891611740
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
    DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
    mASetup: {A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2} - c:\program files\pixiepack codec pack\InstallerHelper.exe

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\bill\applic~1\mozilla\firefox\profiles\yy8a5w25.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
    FF - component: c:\documents and settings\bill\application data\mozilla\firefox\profiles\yy8a5w25.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\bill\application data\mozilla\firefox\profiles\yy8a5w25.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\documents and settings\bill\application data\mozilla\firefox\profiles\yy8a5w25.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
    FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: Walnut for Firefox: {5A170DD3-63CA-4c58-93B7-DE9FF536C2FF} - %profile%\extensions\{5A170DD3-63CA-4c58-93B7-DE9FF536C2FF}
    FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
    FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

    ============= SERVICES / DRIVERS ===============


    =============== Created Last 30 ================

    2011-01-06 10:56:42 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{fca68fe3-ccf4-4397-a54c-be7a1c9b5c77}\mpengine.dll
    2011-01-06 02:14:59 -------- d-----w- c:\docume~1\bill\applic~1\Malwarebytes
    2011-01-06 02:14:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-06 02:14:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-01-06 02:14:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-06 02:14:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-05 14:05:27 -------- d-sha-r- C:\cmdcons
    2011-01-05 13:58:31 98816 ----a-w- c:\windows\sed.exe
    2011-01-05 13:58:31 89088 ----a-w- c:\windows\MBR.exe
    2011-01-05 13:58:31 256512 ----a-w- c:\windows\PEV.exe
    2011-01-05 13:58:31 161792 ----a-w- c:\windows\SWREG.exe
    2011-01-05 13:48:53 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-01-05 03:28:20 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-01-05 03:28:13 -------- d-----w- c:\program files\Hitman Pro 3.5
    2011-01-05 03:27:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
    2010-12-31 19:01:42 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin
    2010-12-31 19:01:34 -------- d-----w- c:\docume~1\bill\applic~1\Windows Desktop Search
    2010-12-31 19:01:08 -------- d-----w- c:\windows\system32\GroupPolicy
    2010-12-31 19:01:08 -------- d-----w- c:\program files\Windows Desktop Search
    2010-12-31 19:00:24 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
    2010-12-31 19:00:24 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
    2010-12-31 19:00:24 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
    2010-12-31 18:13:22 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2010-12-31 18:13:22 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-12-31 02:32:28 -------- d-----w- C:\Netgear
    2010-12-27 12:38:14 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
    2010-12-27 12:38:13 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
    2010-12-19 17:47:43 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-12-19 08:02:13 23040 ----a-w- c:\windows\system32\drivers\MOUCLASS.SYS
    2010-12-16 02:32:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\Driver Boost
    2010-12-15 17:51:48 23040 ----a-w- c:\windows\system32\drivers\oqeunamr.sys
    2010-12-15 01:11:25 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-15 00:50:51 45568 -c----w- c:\windows\system32\dllcache\wab.exe
    2010-12-12 08:05:28 23040 ----a-w- c:\windows\system32\drivers\bnucdcpm.sys
    2010-12-07 17:11:46 23040 ----a-w- c:\windows\system32\drivers\jovmherp.sys

    ==================== Find3M ====================

    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-13 00:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-12 22:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    2010-10-24 17:13:49 60416 ----a-w- c:\windows\ALCFDRTM.VER
    2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD2500JS-00MHB0 rev.02.01C03 -> Harddisk0\DR0 -> \Device\00000032

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A657EC5]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x87b0a872; SUB DWORD [EBP-0x4], 0x87b0a12e; PUSH EDI; CALL 0xffffffffffffdf33; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A716A68]
    3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000079[0x8A710AC0]
    5 ACPI[0xB9E74620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A642030]
    [0x8A34D2C0] -> IRP_MJ_CREATE -> 0x8A657EC5
    error: Read Incorrect function.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\00000078 -> \??\IDE#DiskWDC_WD2500JS-00MHB0_____________________02.01C03#2020202057202D4443574E41314B363131383230#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

    device not found
    detected hooks:
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 5:17:15.10 ===============
     
  5. poolside

    poolside TS Rookie Topic Starter Posts: 16

    ESET and ComboFix logs as requested

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6419
    # api_version=3.0.2
    # EOSSerial=92aa1233dd6fcd4b9199979007bed0c9
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-01-07 02:02:58
    # local_time=2011-01-06 08:02:58 (-0600, Central Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=crash
    # scanned=209502
    # found=2
    # cleaned=0
    # scan_time=6001
    C:\Documents and Settings\Bill\Desktop\Bill's stuff\Nero-7.10.1.2_all_update.exe Win32/Toolbar.AskSBar application (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\Bill\Desktop\Bill's stuff\Nero-7.8.5.0_eng_update.exe Win32/Toolbar.AskSBar application (unable to clean) 00000000000000000000000000000000 I

    ComboFix 11-01-06.03 - Bill 01/06/2011 20:23:26.2.2 - x86
    Running from: c:\documents and settings\Bill\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\Temp

    c:\windows\system32\DRIVERS\ftdisk.sys . . . is infected!!

    .
    ((((((((((((((((((((((((( Files Created from 2010-12-07 to 2011-01-07 )))))))))))))))))))))))))))))))
    .

    2011-01-07 02:05 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2E095360-1AB3-48C9-88F3-89BF9AE556E5}\mpengine.dll
    2011-01-07 00:16 . 2011-01-07 00:16 -------- d-----w- c:\program files\ESET
    2011-01-06 02:14 . 2011-01-06 02:14 -------- d-----w- c:\documents and settings\Bill\Application Data\Malwarebytes
    2011-01-06 02:14 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-06 02:14 . 2011-01-06 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-01-06 02:14 . 2011-01-06 02:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-06 02:14 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-05 13:48 . 2011-01-05 13:48 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-01-05 03:28 . 2011-01-06 00:38 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-01-05 03:28 . 2011-01-05 03:28 -------- d-----w- c:\program files\Hitman Pro 3.5
    2011-01-05 03:27 . 2011-01-05 03:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2010-12-31 19:01 . 2008-07-08 14:45 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin
    2010-12-31 19:01 . 2010-12-31 19:01 -------- d-----w- c:\documents and settings\Bill\Application Data\Windows Desktop Search
    2010-12-31 19:01 . 2011-01-01 14:22 -------- d-----w- c:\program files\Windows Desktop Search
    2010-12-31 19:01 . 2010-12-31 19:01 -------- d-----w- c:\windows\system32\GroupPolicy
    2010-12-31 19:00 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
    2010-12-31 19:00 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
    2010-12-31 19:00 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
    2010-12-31 18:13 . 2010-12-31 18:13 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-12-31 02:32 . 2010-12-31 02:35 -------- d-----w- C:\Netgear
    2010-12-27 12:38 . 2010-12-27 12:38 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
    2010-12-27 12:38 . 2010-12-27 12:38 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
    2010-12-19 17:47 . 2011-01-04 11:40 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-12-19 08:02 . 2010-12-19 08:02 23040 ----a-w- c:\windows\system32\drivers\MOUCLASS.SYS
    2010-12-16 02:32 . 2010-12-16 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Boost
    2010-12-15 17:51 . 2010-12-15 17:51 23040 ----a-w- c:\windows\system32\drivers\oqeunamr.sys
    2010-12-15 01:11 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-15 00:50 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
    2010-12-12 08:05 . 2010-12-12 08:05 23040 ----a-w- c:\windows\system32\drivers\bnucdcpm.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-07 17:11 . 2010-12-07 17:11 23040 ----a-w- c:\windows\system32\drivers\jovmherp.sys
    2010-11-18 18:12 . 2006-04-04 17:09 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-13 00:53 . 2010-09-02 03:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-12 22:34 . 2007-06-02 14:34 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-10 04:33 . 2010-09-11 01:49 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2010-11-06 00:26 . 2004-10-08 12:01 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2004-10-08 12:01 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26 . 2004-10-08 12:01 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25 . 2004-10-08 12:01 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2004-10-08 12:01 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2004-10-08 12:01 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2004-10-08 12:01 1853312 ----a-w- c:\windows\system32\win32k.sys
    2010-10-24 17:13 . 2006-04-18 02:49 60416 ----a-w- c:\windows\ALCFDRTM.VER
    2010-10-19 20:51 . 2010-09-09 01:34 222080 ------w- c:\windows\system32\MpSigStub.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Creative Live! Cam Manager"="c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2006-05-31 143360]
    "ANT Agent"="c:\garmin\ANT Agent\ANT Agent.exe" [2008-09-02 8203352]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-01-22 2363392]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-04-20 26192680]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8523776]
    "nwiz"="nwiz.exe" [2007-11-07 1626112]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-07 81920]
    "SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-06-22 172032]
    "V0230Mon.exe"="c:\windows\V0230Mon.exe" [2006-09-07 32768]
    "AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-10-09 20480]
    "PS121v2"="c:\program files\NETGEAR\PS121v2\PS121v2.exe" [2007-05-23 696320]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-16 198160]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
    "ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-02-20 53248]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
    "ScreenPrint32"="c:\program files\ScreenPrint32 v3\ScreenPrint32.exe" [2003-05-16 446464]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]

    c:\documents and settings\Bill\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]
    MotionBased Agent.lnk - c:\program files\MotionBased\Agent\MBAgent.exe [2006-5-6 905216]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-7-7 233472]
    USB Sharing.lnk - c:\program files\USB Sharing\usbshare.exe [2006-5-19 139264]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
    backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Bill^Start Menu^Programs^Startup^BUFFALO NAS Navigator.lnk]
    path=c:\documents and settings\Bill\Start Menu\Programs\Startup\BUFFALO NAS Navigator.lnk
    backup=c:\windows\pss\BUFFALO NAS Navigator.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Norton AntiVirus Server"=3 (0x3)
    "McComponentHostService"=3 (0x3)
    "Apache2.2"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "medic"="c:\program files\MEDIC\bin\sprtcmd.exe" /P MEDIC

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-24 133104]
    R3 dsiarhwprog;dsiarhwprog;c:\windows\system32\Drivers\dsiarhwprog.sys [2007-02-08 29184]
    R3 NETGEARUCOMP;NETGEAR Network USB Composite Device;c:\windows\system32\DRIVERS\NETGEARUCOMP.sys [2007-03-08 12672]
    R3 STV102;WWL 102;c:\windows\system32\drivers\STV102.sys [2002-09-12 145996]
    R3 STV102m;WWL 102m;c:\windows\system32\drivers\STV102m.sys [2002-09-12 9170]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R4 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2009-12-20 29416]
    R4 ApacheWebServer;Apache Web Server;c:\ms4w\Apache\bin\Apache.exe [2005-10-10 20541]
    R4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-11-02 691696]
    S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2010-08-05 143184]
    S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2010-08-05 41936]
    S3 dfmirage;dfmirage;c:\windows\system32\DRIVERS\dfmirage.sys [2005-11-25 31896]
    S3 NETGEARUHOST;NETGEAR Network USB Host Controller;c:\windows\system32\DRIVERS\NETGEARUHOST.sys [2007-03-08 12032]
    S3 NETGEARUHUB;NETGEAR Network USB Root Hub;c:\windows\system32\DRIVERS\NETGEARUHUB.sys [2007-03-08 39424]
    S3 V0230Vfx;V0230Vfx;c:\windows\system32\DRIVERS\V0230Vfx.sys [2006-03-24 6272]
    S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\DRIVERS\V0230VID.sys [2006-11-20 500608]
    S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2010-08-05 100496]
    S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2010-08-05 111312]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-01-22 17:06 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2}]
    2010-02-17 00:02 114688 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

    2011-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-24 12:05]

    2011-01-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-24 12:05]

    2011-01-06 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 02:40]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Locate Spot on Map by GPS - c:\program files\Opanda\IExif 2.26\IExifMap.htm
    IE: View Exif/GPS/IPTC with IExif - c:\program files\Opanda\IExif 2.26\IExifCom.htm
    Trusted Zone: pinnaclesys.com\apps
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Bill\Application Data\Mozilla\Firefox\Profiles\yy8a5w25.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: Walnut for Firefox: {5A170DD3-63CA-4c58-93B7-DE9FF536C2FF} - %profile%\extensions\{5A170DD3-63CA-4c58-93B7-DE9FF536C2FF}
    FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
    FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-06 20:55
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD2500JS-00MHB0 rev.02.01C03 -> Harddisk0\DR0 -> \Device\00000032

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A657EC5]<<
    c:\docume~1\Bill\LOCALS~1\Temp\catchme.sys
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x87b0a872; SUB DWORD [EBP-0x4], 0x87b0a12e; PUSH EDI; CALL 0xffffffffffffdf33; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A716A68]
    3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000079[0x8A710AC0]
    5 ACPI[0xB9E74620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A642030]
    [0x8A34D2C0] -> IRP_MJ_CREATE -> 0x8A657EC5
    error: Read Incorrect function.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\00000078 -> \??\IDE#DiskWDC_WD2500JS-00MHB0_____________________02.01C03#2020202057202D4443574E41314B363131383230#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1123561945-162531612-839522115-1005\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-1123561945-162531612-839522115-1005\Software\Sony Creative Software\M*e*d*i*a* *M*a*n*a*g*e*r* *f*o*r* *P*S*P*"!\2.5]
    "FRT"="FMP+l+SnjSSE6pm3pLE4M0Yh3hCYkbTBiN+Z4xwtAzCasGWKGj2WWQ=="
    "PLCK"="QiwoMTwbH10oSmKD/uecQziNOiLMT08V"
    "Percents"="0 0.0906 0.2512 0.5257 0.7031 0.7815 0.7824 "
    "Increment"=".003817"
    "PHSH"=""
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(4048)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-01-06 21:03:44
    ComboFix-quarantined-files.txt 2011-01-07 03:03
    ComboFix2.txt 2011-01-05 15:27

    Pre-Run: 86,710,247,424 bytes free
    Post-Run: 86,701,395,968 bytes free

    - - End Of File - - 016CEE2A12FB8A14321097C540DD3666
     
  6. poolside

    poolside TS Rookie Topic Starter Posts: 16

    all logs posted

    Looks like there is some juicy stuff in these logs. What would you suggest next?
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry for delay- internet was down most of day.
    You have multiple AV programs running. This will make your system more vulnerable, not less:
    McAfee Security Scan Plus
    Microsoft Security Essentials
    Symantec AntiVirus Client

    Please decide which you want to keep and remove the others. Here are tools to help:
    Norton Removal Tool
    McAfee Removal
    MSE removal: please check their support site.
    Please reboot the system when through.
    =======================================
    Please note: when you open Notepad to copy a log, it is important that you click on Format first and uncheck Word Wrap. This will allow the log entries to display on a full line instead of 'wrapping' and putting pieces on multiple lines. Example: See = Pseudo HJT Report = in DDS log. It is also very difficult for me to read the logs displaying this way.
    =========================================
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double-click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ======================================
    Please uninstall HitmanPro. This is nothing but a bundle of programs that are free on the internet. Removal of entries is only allowed during trial period or if paid. Removal of the entries using the free programs is free. Some of the programs in the bundle have been used without the authors' permissions.
    ======================================
    You have 10 outdated versions of Java on the system. All of these are vulnerabilities.
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) SE Runtime Environment 6 Update 1
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java 2 Runtime Environment, SE v1.4.1_02

    The following program will remove them all, including the current v6u23. Please download that again after JavaRa.
    ========================================
    Please download JavaRa and unzip it to your desktop.

    Important!
    ***Please close any instances of Internet Explorer before continuing!***
    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that
      a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location.
    Then download and install the most current version and update of Java Runtime Environment (JRE) HERE.
    ====================================
    Then please check these multiple versions of developer tools. I suspect you will only need the most current versions:
    J2ME Wireless Toolkit 1.0.4_02
    J2ME Wireless Toolkit 2.2
    -------------------
    J2SE Development Kit 5.0 Update 6
    Java(TM) SE Development Kit 6 Update 11
    Java(TM) SE Development Kit 6 Update 16
    Java(TM) SE Development Kit 6 Update 3
    --------------------
    Java DB 10.4.2.1
    Java EE 5 Tools Bundle

    Unfortunately, updates of Java don't overwrite the old versions, so you have to uninstall them in Add/Remove Programs. Once a new version has been issued, the old version becomes a vulnerability.
    ======================================
    We will continue after the above has been handled. Please be sure not to do any other scans unless I direct you to. They could change the logs I am working with.
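    Added example, not part of this thread and not code from TDSSKiller itself: a small Python script that triages the text log the TDSSKiller steps above produce. It lists every driver the tool hashed and pulls out the two line types worth acting on, "Suspicious file (Forged)" (two hashes for one path that disagree) and "<name> - detected <threat>", pairing each with the driver it concerns. The sample lines are constructed in the TDSSKiller 2.4 log layout; the regular expressions assume that 2.4.x layout and would need adjusting for other versions of the tool.

```python
"""Triage a TDSSKiller 2.4.x text log: list the drivers it hashed and pull
out the lines that signal trouble ('Suspicious file (Forged)' and
'<name> - detected <threat>'), pairing each with the driver it concerns."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the TDSSKiller 2.4 log layout (same shape as the
# logs exchanged in this thread); it is not a real scan.
SAMPLE_LOG = r"""
2011/01/07 19:42:12.0500 Scan started
2011/01/07 19:42:12.0500 Mode: Manual;
2011/01/07 19:42:12.0796 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/07 19:42:15.0093 Ftdisk (54e9f528a0997f84fc800ac76b5cc141) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/07 19:42:15.0093 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ftdisk.sys. Real md5: 54e9f528a0997f84fc800ac76b5cc141, Fake md5: ff837a7a6f88cbc975f3055947ce35d8
2011/01/07 19:42:15.0109 Ftdisk - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/01/07 19:42:16.0359 MpFilter (c98301ad8173a2235a9ab828955c32bb) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
"""

# Assumed 2.4.x line shapes: timestamp, then one of the three forms below.
TS = r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
DRIVER_RE = re.compile(TS + r"(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
FORGED_RE = re.compile(
    TS + r"Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
DETECT_RE = re.compile(TS + r"(?P<name>\S+) - detected (?P<threat>\S+) \((?P<flag>\d+)\)$")


@dataclass
class Finding:
    name: str            # service name as TDSSKiller printed it ("?" if unknown)
    path: Optional[str]  # on-disk path, when the log gave one
    kind: str            # "forged" or "detected"
    detail: str          # hash mismatch or threat name


def triage(log_text: str) -> Dict[str, object]:
    drivers: Dict[str, str] = {}   # name -> path, one per hashed driver line
    by_path: Dict[str, str] = {}   # lowercased path -> name, to attach forged lines
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            drivers[m["name"]] = m["path"]
            by_path[m["path"].lower()] = m["name"]
            continue
        m = FORGED_RE.match(line)
        if m:
            # The tool prints two hashes for one path; the fact that they
            # disagree is its forgery indicator, so record both verbatim.
            name = by_path.get(m["path"].lower(), "?")
            findings.append(Finding(name, m["path"], "forged",
                                    f"real md5 {m['real']} != fake md5 {m['fake']}"))
            continue
        m = DETECT_RE.match(line)
        if m:
            findings.append(Finding(m["name"], drivers.get(m["name"]),
                                    "detected", m["threat"]))
    return {"drivers": len(drivers), "findings": findings, "clean": not findings}


def report(log_text: str) -> List[str]:
    """Human-readable summary lines, one per finding, plus a verdict."""
    res = triage(log_text)
    lines = [f"{f.kind:8} {f.name:12} {f.path or '-'}  {f.detail}" for f in res["findings"]]
    lines.append(f"{res['drivers']} drivers hashed; verdict: "
                 + ("clean" if res["clean"] else "NOT clean"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

    Run it with the real log saved to a file (`python triage.py < TDSSKiller.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), and treat any "forged" line as the thing to look at first: a driver the scanner could hash only through its own disk reads, with the system's normal file path returning something different, is exactly the condition the steps above are meant to catch.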
     
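    Added example, not part of this thread and not JavaRa's own code: a Python script that takes the Add/Remove Programs entry names quoted in the post above and works out which ones are superseded, keeping only the newest JRE and the newest JDK, which is the decision the post asks the user to make by hand. The regular expression for Sun's entry-name schemes and the normalisation of "5.0" and "6" to the internal 1.5/1.6 numbering are assumptions drawn from the names in the post, and the entry name "Java(TM) 6 Update 23" for the current release is assumed as well.

```python
"""Inventory Java entries from Add/Remove Programs and decide which are
superseded. Each Sun-era installer registered a separate product, so
updating never removed the previous release."""
import re
from typing import Dict, List, Optional, Tuple

# Entry names as quoted in the thread, plus an assumed name for the
# current 6u23 release. Constructed input, not read from a live registry.
INSTALLED = [
    "J2SE Runtime Environment 5.0 Update 11",
    "J2SE Runtime Environment 5.0 Update 2",
    "J2SE Runtime Environment 5.0 Update 6",
    "J2SE Runtime Environment 5.0 Update 9",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "Java(TM) 6 Update 5",
    "Java(TM) 6 Update 7",
    "Java(TM) 6 Update 2",
    "Java(TM) 6 Update 3",
    "Java 2 Runtime Environment, SE v1.4.1_02",
    "Java(TM) 6 Update 23",                       # assumed current entry name
    "J2ME Wireless Toolkit 1.0.4_02",
    "J2ME Wireless Toolkit 2.2",
    "J2SE Development Kit 5.0 Update 6",
    "Java(TM) SE Development Kit 6 Update 11",
    "Java(TM) SE Development Kit 6 Update 16",
    "Java(TM) SE Development Kit 6 Update 3",
    "Java DB 10.4.2.1",
    "Java EE 5 Tools Bundle",
]

# Assumption: covers the naming schemes seen in the post, not an official list.
ENTRY_RE = re.compile(
    r"^(?:J2SE|Java\(TM\)|Java 2)"
    r"(?: SE)?"
    r"(?: (?P<product>Runtime Environment|Development Kit))?"
    r"(?:, SE v)?"
    r" ?(?P<ver>\d+(?:\.\d+)*)"
    r"(?: Update (?P<upd>\d+)|_(?P<upd2>\d+))?$"
)

Key = Tuple[Tuple[int, ...], int]   # (version family, update number)


def parse_entry(name: str) -> Optional[Tuple[str, Key]]:
    """Return (product, sort key) for a JRE/JDK entry, or None for anything else."""
    m = ENTRY_RE.match(name)
    if not m:
        return None
    product = "JDK" if m["product"] == "Development Kit" else "JRE"
    parts = tuple(int(p) for p in m["ver"].split("."))
    # Marketing numbers (5.0, 6) are 1.5 and 1.6 internally, so normalise
    # everything to the 1.x form before comparing across families.
    fam = parts if parts[0] == 1 else (1,) + parts[:1]
    upd = int(m["upd"] or m["upd2"] or 0)
    return product, (fam, upd)


def plan(names: List[str]) -> Dict[str, object]:
    """Per product, keep only the newest entry; everything older is superseded."""
    found: Dict[str, List[Tuple[Key, str]]] = {}
    unparsed: List[str] = []
    for n in names:
        parsed = parse_entry(n)
        if parsed is None:
            unparsed.append(n)          # toolkits, Java DB, EE bundle: review by hand
            continue
        product, key = parsed
        found.setdefault(product, []).append((key, n))
    result: Dict[str, object] = {"unparsed": unparsed}
    for product, entries in found.items():
        entries.sort()                  # oldest first; last element is the keeper
        result[product] = {"keep": entries[-1][1],
                           "remove": [n for _, n in entries[:-1]]}
    return result


if __name__ == "__main__":
    for product, verdict in plan(INSTALLED).items():
        print(product, verdict)
```

    On the real machine the names come from the DisplayName values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall; anything the script lists under "remove" is an old runtime still registered (and still reachable by a browser plugin) even though a newer one is installed beside it.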
  8. poolside

    poolside TS Rookie Topic Starter Posts: 16

    tdsskiller logs

    here is the log from tdsskiller -

    2011/01/07 19:41:37.0875 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
    2011/01/07 19:41:37.0875 ================================================================================
    2011/01/07 19:41:37.0875 SystemInfo:
    2011/01/07 19:41:37.0875
    2011/01/07 19:41:37.0875 OS Version: 5.1.2600 ServicePack: 3.0
    2011/01/07 19:41:37.0875 Product type: Workstation
    2011/01/07 19:41:37.0875 ComputerName: CASE_64
    2011/01/07 19:41:37.0875 UserName: Bill
    2011/01/07 19:41:37.0875 Windows directory: C:\WINDOWS
    2011/01/07 19:41:37.0875 System windows directory: C:\WINDOWS
    2011/01/07 19:41:37.0875 Processor architecture: Intel x86
    2011/01/07 19:41:37.0875 Number of processors: 2
    2011/01/07 19:41:37.0875 Page size: 0x1000
    2011/01/07 19:41:37.0875 Boot type: Normal boot
    2011/01/07 19:41:37.0875 ================================================================================
    2011/01/07 19:41:38.0828 Initialize success
    2011/01/07 19:42:12.0500 ================================================================================
    2011/01/07 19:42:12.0500 Scan started
    2011/01/07 19:42:12.0500 Mode: Manual;
    2011/01/07 19:42:12.0500 ================================================================================
    2011/01/07 19:42:12.0703 61883 (914a9709fc3bf419ad2f85547f2a4832) C:\WINDOWS\system32\DRIVERS\61883.sys
    2011/01/07 19:42:12.0796 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/01/07 19:42:12.0843 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/01/07 19:42:12.0906 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/01/07 19:42:12.0937 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2011/01/07 19:42:13.0000 AFS2K (c685cc27a2e637f0dcb5a45e67cc6f74) C:\WINDOWS\system32\drivers\AFS2K.sys
    2011/01/07 19:42:13.0203 ALCXWDM (92ae420be14b0d97d14dac4aba22a702) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
    2011/01/07 19:42:13.0406 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
    2011/01/07 19:42:13.0484 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2011/01/07 19:42:13.0562 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/01/07 19:42:13.0593 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/01/07 19:42:13.0640 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/01/07 19:42:13.0687 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/01/07 19:42:13.0781 Avc (f8e6956a614f15a0860474c5e2a7de6b) C:\WINDOWS\system32\DRIVERS\avc.sys
    2011/01/07 19:42:13.0828 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/01/07 19:42:14.0000 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/01/07 19:42:14.0031 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2011/01/07 19:42:14.0046 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/01/07 19:42:14.0078 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/01/07 19:42:14.0125 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/01/07 19:42:14.0250 dfmirage (d8cd6a2a94f545858eec6117f0d5dff4) C:\WINDOWS\system32\DRIVERS\dfmirage.sys
    2011/01/07 19:42:14.0296 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/01/07 19:42:14.0343 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/01/07 19:42:14.0390 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/01/07 19:42:14.0421 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/01/07 19:42:14.0468 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/01/07 19:42:14.0515 Dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
    2011/01/07 19:42:14.0578 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
    2011/01/07 19:42:14.0625 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/01/07 19:42:14.0687 dsiarhwprog (f35b5d0cc142b87e687fc504baa69d82) C:\WINDOWS\system32\Drivers\dsiarhwprog.sys
    2011/01/07 19:42:14.0750 DSI_SiUSBXp_3_1 (bc9c2ef22ee0320c079e3ff9b4d29951) C:\WINDOWS\system32\drivers\DSI_SiUSBXp_3_1.sys
    2011/01/07 19:42:14.0796 ENTECH (bdd170fecb0e496a914318009d85b819) C:\WINDOWS\system32\DRIVERS\ENTECH.sys
    2011/01/07 19:42:14.0875 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/01/07 19:42:14.0921 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2011/01/07 19:42:14.0953 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/01/07 19:42:14.0984 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2011/01/07 19:42:15.0031 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2011/01/07 19:42:15.0078 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/01/07 19:42:15.0093 Ftdisk (54e9f528a0997f84fc800ac76b5cc141) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/01/07 19:42:15.0093 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ftdisk.sys. Real md5: 54e9f528a0997f84fc800ac76b5cc141, Fake md5: ff837a7a6f88cbc975f3055947ce35d8
    2011/01/07 19:42:15.0109 Ftdisk - detected Rootkit.Win32.TDSS.tdl3 (0)
    2011/01/07 19:42:15.0109 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
    2011/01/07 19:42:15.0156 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
    2011/01/07 19:42:15.0203 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/01/07 19:42:15.0250 grmnusb (cd007d03a9284bfe67d49c01213132bf) C:\WINDOWS\system32\drivers\grmnusb.sys
    2011/01/07 19:42:15.0312 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/01/07 19:42:15.0375 HPZid412 (5faba4775d4c61e55ec669d643ffc71f) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
    2011/01/07 19:42:15.0421 HPZipr12 (a3c43980ee1f1beac778b44ea65dbdd4) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
    2011/01/07 19:42:15.0468 HPZius12 (2906949bd4e206f2bb0dd1896ce9f66f) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
    2011/01/07 19:42:15.0531 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/01/07 19:42:15.0593 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/01/07 19:42:15.0640 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/01/07 19:42:15.0734 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2011/01/07 19:42:15.0781 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/01/07 19:42:15.0796 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/01/07 19:42:15.0843 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/01/07 19:42:15.0875 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/01/07 19:42:15.0921 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/01/07 19:42:15.0953 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/01/07 19:42:15.0984 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/01/07 19:42:16.0015 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/01/07 19:42:16.0046 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/01/07 19:42:16.0140 MarvinBus (7584ffb07305d2e9e3823059a9310b0f) C:\WINDOWS\system32\DRIVERS\MarvinBus.sys
    2011/01/07 19:42:16.0187 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/01/07 19:42:16.0203 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/01/07 19:42:16.0250 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\MOUCLASS.SYS
    2011/01/07 19:42:16.0312 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/01/07 19:42:16.0328 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/01/07 19:42:16.0359 MpFilter (c98301ad8173a2235a9ab828955c32bb) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
    2011/01/07 19:42:16.0421 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/01/07 19:42:16.0468 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/01/07 19:42:16.0531 MSDV (1477849772712bac69c144dcf2c9ce81) C:\WINDOWS\system32\DRIVERS\msdv.sys
    2011/01/07 19:42:16.0531 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/01/07 19:42:16.0593 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/01/07 19:42:16.0609 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/01/07 19:42:16.0625 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/01/07 19:42:16.0671 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/01/07 19:42:16.0703 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    2011/01/07 19:42:16.0750 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) C:\WINDOWS\system32\drivers\msmpu401.sys
    2011/01/07 19:42:16.0843 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
    2011/01/07 19:42:16.0859 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/01/07 19:42:16.0890 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2011/01/07 19:42:17.0031 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/01/07 19:42:17.0046 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2011/01/07 19:42:17.0078 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/01/07 19:42:17.0093 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/01/07 19:42:17.0125 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/01/07 19:42:17.0171 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/01/07 19:42:17.0187 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/01/07 19:42:17.0218 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/01/07 19:42:17.0265 NETGEARUCOMP (784312f3933c733007f9567c5f9449ce) C:\WINDOWS\system32\DRIVERS\NETGEARUCOMP.sys
    2011/01/07 19:42:17.0312 NETGEARUHOST (2f8c08da27c36ba0d8506e062dbc6881) C:\WINDOWS\system32\DRIVERS\NETGEARUHOST.sys
    2011/01/07 19:42:17.0343 NETGEARUHUB (8ea0b4092932b6ebc7614052e71fdc88) C:\WINDOWS\system32\DRIVERS\NETGEARUHUB.sys
    2011/01/07 19:42:17.0390 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2011/01/07 19:42:17.0421 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/01/07 19:42:17.0453 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/01/07 19:42:17.0515 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/01/07 19:42:17.0796 nv (3712d332633b853101ab786380c969ec) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2011/01/07 19:42:18.0140 nvata (0344aa9113dc16eec379f4652020849d) C:\WINDOWS\system32\DRIVERS\nvata.sys
    2011/01/07 19:42:18.0171 nvatabus (0344aa9113dc16eec379f4652020849d) C:\WINDOWS\system32\drivers\nvatabus.sys
    2011/01/07 19:42:18.0250 NVENETFD (7d275ecda4628318912f6c945d5cf963) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
    2011/01/07 19:42:18.0296 nvnetbus (b64aacefad2be5bff5353fe681253c67) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
    2011/01/07 19:42:18.0359 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/01/07 19:42:18.0375 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/01/07 19:42:18.0406 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2011/01/07 19:42:18.0453 PalmUSBD (803cf09c795290825607505d37819135) C:\WINDOWS\system32\drivers\PalmUSBD.sys
    2011/01/07 19:42:18.0500 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2011/01/07 19:42:18.0515 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/01/07 19:42:18.0562 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/01/07 19:42:18.0593 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/01/07 19:42:18.0625 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/01/07 19:42:18.0656 PCLEPCI (1bebe7de8508a02650cdce45c664c2a2) C:\WINDOWS\system32\drivers\pclepci.sys
    2011/01/07 19:42:18.0703 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/01/07 19:42:18.0750 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
    2011/01/07 19:42:18.0937 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/01/07 19:42:18.0953 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
    2011/01/07 19:42:18.0968 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/01/07 19:42:19.0000 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/01/07 19:42:19.0031 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
    2011/01/07 19:42:19.0125 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/01/07 19:42:19.0156 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/01/07 19:42:19.0171 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/01/07 19:42:19.0187 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/01/07 19:42:19.0218 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/01/07 19:42:19.0234 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/01/07 19:42:19.0312 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/01/07 19:42:19.0343 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/01/07 19:42:19.0437 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/01/07 19:42:19.0484 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/01/07 19:42:19.0515 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/01/07 19:42:19.0546 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/01/07 19:42:19.0593 Si3132r5 (227e56633d6423e1f7d869618ac8404f) C:\WINDOWS\system32\DRIVERS\Si3132r5.sys
    2011/01/07 19:42:19.0609 SiFilter (dbdee2a96f2f616726817373516cb0bd) C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys
    2011/01/07 19:42:19.0656 SiRemFil (3e6b438e5cb674a1382b2955aa98f637) C:\WINDOWS\system32\DRIVERS\SiRemFil.sys
    2011/01/07 19:42:19.0703 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2011/01/07 19:42:19.0765 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/01/07 19:42:19.0828 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
    2011/01/07 19:42:19.0828 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
    2011/01/07 19:42:19.0843 sptd - detected Locked file (1)
    2011/01/07 19:42:19.0859 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/01/07 19:42:19.0906 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/01/07 19:42:19.0968 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2011/01/07 19:42:20.0000 STV102 (6ff4c9485ba4d38b32bf14db75edd766) C:\WINDOWS\system32\drivers\STV102.sys
    2011/01/07 19:42:20.0031 STV102m (2ad42758b5e529ca65701623d8dfb123) C:\WINDOWS\system32\drivers\STV102m.sys
    2011/01/07 19:42:20.0062 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/01/07 19:42:20.0093 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/01/07 19:42:20.0187 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/01/07 19:42:20.0250 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/01/07 19:42:20.0296 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/01/07 19:42:20.0312 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/01/07 19:42:20.0343 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/01/07 19:42:20.0437 TIEHDUSB (a1124ebc672aa3ae1b327096c1dcc346) C:\WINDOWS\system32\drivers\tiehdusb.sys
    2011/01/07 19:42:20.0515 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/01/07 19:42:20.0593 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/01/07 19:42:20.0656 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
    2011/01/07 19:42:20.0703 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/01/07 19:42:20.0750 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/01/07 19:42:20.0781 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/01/07 19:42:20.0812 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
    2011/01/07 19:42:20.0859 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/01/07 19:42:20.0875 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/01/07 19:42:20.0906 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/01/07 19:42:20.0953 V0230Vfx (a0c643d5f8c60f12faa6e3454dfe9c32) C:\WINDOWS\system32\DRIVERS\V0230Vfx.sys
    2011/01/07 19:42:21.0000 V0230VID (5a2d30399a114fc4863539f02c484b11) C:\WINDOWS\system32\DRIVERS\V0230VID.sys
    2011/01/07 19:42:21.0062 VBoxDrv (3e4b3de332634151d10bca5c0f3dd226) C:\WINDOWS\system32\DRIVERS\VBoxDrv.sys
    2011/01/07 19:42:21.0109 VBoxNetAdp (02cf071ee8cad9667ec0736c57360b70) C:\WINDOWS\system32\DRIVERS\VBoxNetAdp.sys
    2011/01/07 19:42:21.0156 VBoxNetFlt (9200e34447dd628c0080f41b15378e83) C:\WINDOWS\system32\DRIVERS\VBoxNetFlt.sys
    2011/01/07 19:42:21.0187 VBoxUSBMon (be71306e451c5f9de9a64b32038314ee) C:\WINDOWS\system32\DRIVERS\VBoxUSBMon.sys
    2011/01/07 19:42:21.0218 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/01/07 19:42:21.0250 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/01/07 19:42:21.0359 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/01/07 19:42:21.0390 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/01/07 19:42:21.0468 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
    2011/01/07 19:42:21.0531 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2011/01/07 19:42:21.0578 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/01/07 19:42:21.0609 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/01/07 19:42:21.0671 yukonwxp (4322c32ced8c4772e039616dcbf01d3f) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
    2011/01/07 19:42:21.0781 ================================================================================
    2011/01/07 19:42:21.0781 Scan finished
    2011/01/07 19:42:21.0781 ================================================================================
    2011/01/07 19:42:21.0796 Detected object count: 2
    2011/01/07 19:43:59.0609 Ftdisk (54e9f528a0997f84fc800ac76b5cc141) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/01/07 19:43:59.0609 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ftdisk.sys. Real md5: 54e9f528a0997f84fc800ac76b5cc141, Fake md5: ff837a7a6f88cbc975f3055947ce35d8
    2011/01/07 19:43:59.0625 C:\WINDOWS\system32\DRIVERS\ftdisk.sys - copied to quarantine
    2011/01/07 19:43:59.0734 \HardDisk0\TDLFS\config.ini - copied to quarantine
    2011/01/07 19:43:59.0781 \HardDisk0\TDLFS\tdl - copied to quarantine
    2011/01/07 19:43:59.0781 \HardDisk0\TDLFS\rsrc.dat - copied to quarantine
    2011/01/07 19:44:00.0093 \HardDisk0\TDLFS\tdlcmd.dll - copied to quarantine
    2011/01/07 19:44:00.0328 \HardDisk0\TDLFS\data.db - copied to quarantine
    2011/01/07 19:44:00.0484 \HardDisk0\TDLFS\data.js - copied to quarantine
    2011/01/07 19:44:02.0843 \HardDisk0\TDLFS\tdlmpl - copied to quarantine
    2011/01/07 19:44:05.0453 Rootkit.Win32.TDSS.tdl3(Ftdisk) - User select action: Quarantine
    2011/01/07 19:44:05.0578 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
    2011/01/07 19:44:05.0578 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
    2011/01/07 19:44:05.0593 C:\WINDOWS\system32\Drivers\sptd.sys - copied to quarantine
    2011/01/07 19:44:05.0703 Locked file(sptd) - User select action: Quarantine
    2011/01/07 19:44:56.0546 Deinitialize success


    We removed Symantec and McAfee and kept Microsoft Essentials.
     
  9. poolside

    poolside TS Rookie Topic Starter Posts: 16

    Question

    Do we need to turn off realtime protection on Microsoft essentials while we are working this issue?

    Thanks.
     
  10. poolside

    poolside TS Rookie Topic Starter Posts: 16

    Hi Bobbye,

    I appreciate your help. I followed your instructions in your last post and posted the TDSSKiller logs. Are you waiting for anything else from me? Just let me know.

    Thanks.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please rescan with ComboFix; the security should be off before running the scan. Please remember to take Word Wrap off before posting in Notepad.

    Let's do this boot check also:
    Download bootkitremover.rar and save it to your desktop.
    • Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip
    • Double-click on the remover.exe file to run the program.
    • Paste the output in your next reply.
     
  12. poolside

    poolside TS Rookie Topic Starter Posts: 16

    ComboFix log

    Ran ComboFix again. During stage_3, a popup said PEV.cfxxe stopped unexpectedly. I didn't send the report to Microsoft. The remainder of the run continued.

    The log shows ftdisk.sys is still infected. I thought TDSSKiller put that file in quarantine according to its log.

    Here is the ComboFix log. The Bootkit Remover log is in the next post.

    ComboFix 11-01-10.04 - Bill 01/10/2011 20:02:21.3.2 - x86
    Running from: c:\documents and settings\Bill\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Bill\Local Settings\Application Data\{7E48E588-650C-4C37-B884-01719E0DAE10}
    c:\documents and settings\Bill\Local Settings\Application Data\{7E48E588-650C-4C37-B884-01719E0DAE10}\chrome.manifest
    c:\documents and settings\Bill\Local Settings\Application Data\{7E48E588-650C-4C37-B884-01719E0DAE10}\chrome\content\_cfg.js
    c:\documents and settings\Bill\Local Settings\Application Data\{7E48E588-650C-4C37-B884-01719E0DAE10}\chrome\content\overlay.xul
    c:\documents and settings\Bill\Local Settings\Application Data\{7E48E588-650C-4C37-B884-01719E0DAE10}\install.rdf

    c:\windows\system32\DRIVERS\ftdisk.sys . . . is infected!!

    .
    ((((((((((((((((((((((((( Files Created from 2010-12-11 to 2011-01-11 )))))))))))))))))))))))))))))))
    .

    2011-01-10 17:00 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B17E210B-170D-429D-A553-07320240E07E}\mpengine.dll
    2011-01-06 02:14 . 2011-01-06 02:14 -------- d-----w- c:\documents and settings\Bill\Application Data\Malwarebytes
    2011-01-06 02:14 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-06 02:14 . 2011-01-06 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-01-06 02:14 . 2011-01-06 02:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-06 02:14 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-05 13:48 . 2011-01-08 01:43 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-01-05 03:28 . 2011-01-06 00:38 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-01-05 03:28 . 2011-01-05 03:28 -------- d-----w- c:\program files\Hitman Pro 3.5
    2011-01-05 03:27 . 2011-01-05 03:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2010-12-31 19:01 . 2008-07-08 14:45 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin
    2010-12-31 19:01 . 2010-12-31 19:01 -------- d-----w- c:\documents and settings\Bill\Application Data\Windows Desktop Search
    2010-12-31 19:01 . 2011-01-01 14:22 -------- d-----w- c:\program files\Windows Desktop Search
    2010-12-31 19:01 . 2010-12-31 19:01 -------- d-----w- c:\windows\system32\GroupPolicy
    2010-12-31 19:00 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
    2010-12-31 19:00 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
    2010-12-31 19:00 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
    2010-12-31 18:13 . 2010-12-31 18:13 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-12-31 02:32 . 2010-12-31 02:35 -------- d-----w- C:\Netgear
    2010-12-27 12:38 . 2010-12-27 12:38 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
    2010-12-27 12:38 . 2010-12-27 12:38 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
    2010-12-19 17:47 . 2011-01-04 11:40 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-12-19 08:02 . 2010-12-19 08:02 23040 ----a-w- c:\windows\system32\drivers\MOUCLASS.SYS
    2010-12-16 02:32 . 2010-12-16 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Boost
    2010-12-15 17:51 . 2010-12-15 17:51 23040 ----a-w- c:\windows\system32\drivers\oqeunamr.sys
    2010-12-15 01:11 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-15 00:50 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
    2010-12-12 08:05 . 2010-12-12 08:05 23040 ----a-w- c:\windows\system32\drivers\bnucdcpm.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-07 17:11 . 2010-12-07 17:11 23040 ----a-w- c:\windows\system32\drivers\jovmherp.sys
    2010-11-18 18:12 . 2006-04-04 17:09 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-13 00:53 . 2010-09-02 03:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-12 22:34 . 2007-06-02 14:34 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-10 04:33 . 2010-09-11 01:49 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2010-11-06 00:26 . 2004-10-08 12:01 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2004-10-08 12:01 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26 . 2004-10-08 12:01 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25 . 2004-10-08 12:01 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2004-10-08 12:01 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2004-10-08 12:01 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2004-10-08 12:01 1853312 ----a-w- c:\windows\system32\win32k.sys
    2010-10-24 17:13 . 2006-04-18 02:49 60416 ----a-w- c:\windows\ALCFDRTM.VER
    2010-10-19 20:51 . 2010-09-09 01:34 222080 ------w- c:\windows\system32\MpSigStub.exe
    .

    ((((((((((((((((((((((((((((( SnapShot@2011-01-07_02.57.33 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-01-09 16:54 . 2011-01-09 16:54 16384 c:\windows\TEMP\Perflib_Perfdata_610.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Creative Live! Cam Manager"="c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2006-05-31 143360]
    "ANT Agent"="c:\garmin\ANT Agent\ANT Agent.exe" [2008-09-02 8203352]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-01-22 2363392]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-04-20 26192680]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8523776]
    "nwiz"="nwiz.exe" [2007-11-07 1626112]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-07 81920]
    "SoundMan"="SOUNDMAN.EXE" [2005-08-17 90112]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-06-22 172032]
    "V0230Mon.exe"="c:\windows\V0230Mon.exe" [2006-09-07 32768]
    "AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-10-09 20480]
    "PS121v2"="c:\program files\NETGEAR\PS121v2\PS121v2.exe" [2007-05-23 696320]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-16 198160]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
    "ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-02-20 53248]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
    "ScreenPrint32"="c:\program files\ScreenPrint32 v3\ScreenPrint32.exe" [2003-05-16 446464]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]

    c:\documents and settings\Bill\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]
    MotionBased Agent.lnk - c:\program files\MotionBased\Agent\MBAgent.exe [2006-5-6 905216]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-7-7 233472]
    USB Sharing.lnk - c:\program files\USB Sharing\usbshare.exe [2006-5-19 139264]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
    backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Bill^Start Menu^Programs^Startup^BUFFALO NAS Navigator.lnk]
    path=c:\documents and settings\Bill\Start Menu\Programs\Startup\BUFFALO NAS Navigator.lnk
    backup=c:\windows\pss\BUFFALO NAS Navigator.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Norton AntiVirus Server"=3 (0x3)
    "McComponentHostService"=3 (0x3)
    "Apache2.2"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "medic"="c:\program files\MEDIC\bin\sprtcmd.exe" /P MEDIC

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-24 133104]
    R3 dsiarhwprog;dsiarhwprog;c:\windows\system32\Drivers\dsiarhwprog.sys [2007-02-08 29184]
    R3 NETGEARUCOMP;NETGEAR Network USB Composite Device;c:\windows\system32\DRIVERS\NETGEARUCOMP.sys [2007-03-08 12672]
    R3 STV102;WWL 102;c:\windows\system32\drivers\STV102.sys [2002-09-12 145996]
    R3 STV102m;WWL 102m;c:\windows\system32\drivers\STV102m.sys [2002-09-12 9170]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R4 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2009-12-20 29416]
    R4 ApacheWebServer;Apache Web Server;c:\ms4w\Apache\bin\Apache.exe [2005-10-10 20541]
    R4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [x]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-11-02 691696]
    S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [2010-08-05 143184]
    S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [2010-08-05 41936]
    S3 dfmirage;dfmirage;c:\windows\system32\DRIVERS\dfmirage.sys [2005-11-25 31896]
    S3 NETGEARUHOST;NETGEAR Network USB Host Controller;c:\windows\system32\DRIVERS\NETGEARUHOST.sys [2007-03-08 12032]
    S3 NETGEARUHUB;NETGEAR Network USB Root Hub;c:\windows\system32\DRIVERS\NETGEARUHUB.sys [2007-03-08 39424]
    S3 V0230Vfx;V0230Vfx;c:\windows\system32\DRIVERS\V0230Vfx.sys [2006-03-24 6272]
    S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\DRIVERS\V0230VID.sys [2006-11-20 500608]
    S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [2010-08-05 100496]
    S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [2010-08-05 111312]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-01-22 17:06 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2}]
    2010-02-17 00:02 114688 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

    2011-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-24 12:05]

    2011-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-24 12:05]

    2011-01-09 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 02:40]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Locate Spot on Map by GPS - c:\program files\Opanda\IExif 2.26\IExifMap.htm
    IE: View Exif/GPS/IPTC with IExif - c:\program files\Opanda\IExif 2.26\IExifCom.htm
    Trusted Zone: pinnaclesys.com\apps
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Bill\Application Data\Mozilla\Firefox\Profiles\yy8a5w25.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: Walnut for Firefox: {5A170DD3-63CA-4c58-93B7-DE9FF536C2FF} - %profile%\extensions\{5A170DD3-63CA-4c58-93B7-DE9FF536C2FF}
    FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
    FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-10 20:21
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD2500JS-00MHB0 rev.02.01C03 -> Harddisk0\DR0 -> \Device\00000032

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A65DEC5]<<
    c:\docume~1\Bill\LOCALS~1\Temp\catchme.sys
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x87b0a872; SUB DWORD [EBP-0x4], 0x87b0a12e; PUSH EDI; CALL 0xffffffffffffdf33; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A659878]
    3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000078[0x8A649AC0]
    5 ACPI[0xB9E74620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A641030]
    [0x8A3668F0] -> IRP_MJ_CREATE -> 0x8A65DEC5
    error: Read The request is not supported.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\00000077 -> \??\IDE#DiskWDC_WD2500JS-00MHB0_____________________02.01C03#2020202057202D4443574E41314B363131383230#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1123561945-162531612-839522115-1005\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-1123561945-162531612-839522115-1005\Software\Sony Creative Software\M*e*d*i*a* *M*a*n*a*g*e*r* *f*o*r* *P*S*P*"!\2.5]
    "FRT"="FMP+l+SnjSSE6pm3pLE4M0Yh3hCYkbTBiN+Z4xwtAzCasGWKGj2WWQ=="
    "PLCK"="QiwoMTwbH10oSmKD/uecQziNOiLMT08V"
    "Percents"="0 0.0906 0.2512 0.5257 0.7031 0.7815 0.7824 "
    "Increment"=".003817"
    "PHSH"=""
    .
    Completion time: 2011-01-10 20:30:04
    ComboFix-quarantined-files.txt 2011-01-11 02:29
    ComboFix2.txt 2011-01-07 03:03
    ComboFix3.txt 2011-01-05 15:27

    Pre-Run: 88,234,512,384 bytes free
    Post-Run: 88,229,031,936 bytes free

    - - End Of File - - 17C67707282AD9FCE788FFD8C077932E
     
  13. poolside

    poolside TS Rookie Topic Starter Posts: 16

    bootkitremover log

    .\debug.cpp(238) : Debug log started at 11.01.2011 - 02:46:48
    .\boot_cleaner.cpp(527) : Bootkit Remover
    .\boot_cleaner.cpp(528) : (c) 2009 eSage Lab
    .\boot_cleaner.cpp(529) : www.esagelab.com
    .\boot_cleaner.cpp(533) : Program version: 1.2.0.0
    .\boot_cleaner.cpp(540) : OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    .\debug.cpp(248) : **********************************************
    .\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
    .\debug.cpp(250) : **********************************************
    .\debug.cpp(263) : **********************************************
    .\debug.cpp(307) : *** [ DEVICE OBJECTS INFORMATION ] ***********
    .\debug.cpp(308) : **********************************************
    .\debug.cpp(400) : Destination "\Device\0000006a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#ftdisk#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000003"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHL-DT-ST_DVDRAM_GSA-H10A________________JL02____#3246364143333644353933312020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_11AB&DEV_4362&SUBSYS_81421043&REV_15#4&23e04d34&0&0018#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0030"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&4f6dc7f&0&RM#{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk3\DP(1)0-0+8"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\A:"
    .\debug.cpp(400) : Destination "\Device\Floppy0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomLITE-ON_DVDRW_SHM-165H6S________________HS06____#5&d073337&0&0.1.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T1L0-e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#1&2d12bed1&0&01#{10282b1c-5d76-432c-9bdb-d3d62ebd836c}"
    .\debug.cpp(400) : Destination "\Device\0000007b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISWANIP"
    .\debug.cpp(400) : Destination "\Device\NdisWanIp"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCSI#CdRom&Ven_QBOR&Prod_416J8LUNC9&Rev_1.03#5&36e5972&0&000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Scsi\aitc3pj91Port5Path0Target0Lun0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ASYNCMAC"
    .\debug.cpp(400) : Destination "\Device\ASYNCMAC"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{9549B990-F415-4B24-A552-C28EC8E7EDBE}"
    .\debug.cpp(400) : Destination "\Device\{9549B990-F415-4B24-A552-C28EC8E7EDBE}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{bf963d80-c559-11d0-8a2b-00a0c9255ac1}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{fbf6f530-07b9-11d2-a71e-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNPB006#4&f36d2e&0#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000006b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi0:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHL-DT-ST_DVDRAM_GSA-H10A________________JL02____#3246364143333644353933312020202020202020#{1186654d-47b8-48b9-beb9-7df113ae3c67}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_046d&Pid_c01e#6&1971417&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\00000080"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&23555a2c&0&RM#{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk4\DP(1)0-0+9"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\1394BUS0"
    .\debug.cpp(400) : Destination "\Device\1394BUS0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_041e&Pid_4055#5&269429fc&0&1#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#Disk&Ven_Sony&Prod_Card_R#W__-MS&Rev_1.30#5000000A3256&3#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000084"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPTPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000035"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_041e&Pid_4055#5&269429fc&0&1#{6bdd1fc6-810f-11d0-bec7-08002be2092f}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{4747b320-62ce-11cf-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\VBoxNetAdp"
    .\debug.cpp(400) : Destination "\Device\VBoxNetAdp"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#AuthenticAMD_-_x86_Family_15_Model_35#_1#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
    .\debug.cpp(400) : Destination "\Device\0000004a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK1"
    .\debug.cpp(400) : Destination "\Device\ParTechInc0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{a7c7a5b1-5af3-11d1-9ced-00a024bf0407}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISTAPI"
    .\debug.cpp(400) : Destination "\Device\NdisTapi"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NdisWan"
    .\debug.cpp(400) : Destination "\Device\NdisWan"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AscKmd"
    .\debug.cpp(400) : Destination "\Device\AscKmd"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi1:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPMULTICAST"
    .\debug.cpp(400) : Destination "\Device\IPMULTICAST"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK2"
    .\debug.cpp(400) : Destination "\Device\ParTechInc1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_1095&DEV_3132&SUBSYS_81771043&REV_01#4&e2974d5&0&0010#{2accfe60-c130-11d2-b082-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0029"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Shadow"
    .\debug.cpp(400) : Destination "\Device\LanmanRedirector"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK3"
    .\debug.cpp(400) : Destination "\Device\ParTechInc2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#Disk&Ven_Sony&Prod_Card_R#W__-CF&Rev_1.30#5000000A3256&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000081"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgr"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgr"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FtControl"
    .\debug.cpp(400) : Destination "\Device\FtControl"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MAILSLOT"
    .\debug.cpp(400) : Destination "\Device\MailSlot"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AUX"
    .\debug.cpp(400) : Destination "\DosDevices\COM1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{f92975c3-ca96-11da-904a-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\CdRom1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT"
    .\debug.cpp(400) : Destination ""
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{1a3e09be-1e45-494b-9174-d7385b45bbf5}#NVNET_DEV0057#4&1def4cc4&0&00#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000007e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{767326F4-2F70-44EA-903C-93F0AEBD7A06}"
    .\debug.cpp(400) : Destination "\Device\{767326F4-2F70-44EA-903C-93F0AEBD7A06}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NUL"
    .\debug.cpp(400) : Destination "\Device\Null"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ndisuio"
    .\debug.cpp(400) : Destination "\Device\Ndisuio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\0000003e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi2:"
    .\debug.cpp(400) : Destination "\Device\NvAta0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\VBoxDrv"
    .\debug.cpp(400) : Destination "\Device\VBoxDrv"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_005B&SUBSYS_815A1043&REV_A4#3&267a616a&0&59#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0015"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{A9F90BD6-0AA8-4EF6-B602-52A03816F9DF}"
    .\debug.cpp(400) : Destination "\Device\{A9F90BD6-0AA8-4EF6-B602-52A03816F9DF}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&23555a2c&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk4\DP(1)0-0+9"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&16edd79e&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk2\DP(1)0-0+7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#WPD#0000#{f33fdc04-d1ac-4e8e-9a30-19bbd4b108ae}"
    .\debug.cpp(400) : Destination "\Device\00000045"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\0000003d"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PROCEXP113"
    .\debug.cpp(400) : Destination "\Device\PROCEXP113"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_104C&DEV_8023&SUBSYS_808B1043&REV_00#4&2411f011&0&5890#{6bdd1fc1-810f-11d0-bec7-08002be2092f}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0028"
    .\debug.cpp(409) : --
    .\debug.cpp(453) : **********************************************
    .\boot_cleaner.cpp(565) : System volume is \\.\C:
    .\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    .\diskio.cpp(204) : ATA_Read(): DeviceIoControl() ERROR 1
    .\boot_cleaner.cpp(276) : Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd
    .\boot_cleaner.cpp(1060) :
    .\boot_cleaner.cpp(1061) : Size Device Name MBR Status
    .\boot_cleaner.cpp(1062) : --------------------------------------------
    .\boot_cleaner.cpp(1106) : 232 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
    .\boot_cleaner.cpp(1112) :
    .\boot_cleaner.cpp(1151) : Done;
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:
      Code:
      
      @ECHO OFF
      START remover.exe fix \\.\PhysicalDrive0
      EXIT
      
    • Go File > Save As
    • Save as Type choose All Files
    • For File Name type fix.bat
    • Save In> choose Desktop
    • Save
    • Double click to Run fix.bat
    (You may see a black box appear; this is normal.)

    Run remover.exe again and post its output.

    Do NOT reboot computer!
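A small triage helper for the remover.exe output the post above asks for, added here as an example and not part of the thread or of eSage Lab's tool: it parses the `<source>.cpp(<line>) : <message>` framing Bootkit Remover uses in the logs in this thread, pulls out the program version, system volume, boot-sector MD5 and the per-disk MBR status table, records any `DeviceIoControl() ERROR` lines, and flags a disk whose status does not start with "OK" or a run that never reached "Done;". The sample log is constructed; the PhysicalDrive1 row is invented to show a flagged result, and the exact wording of a non-OK status is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the "<source>.cpp(<line>) : <message>" framing that
# Bootkit Remover (eSage Lab) prints. The PhysicalDrive1 row is invented to
# exercise the flagging path; since the exact wording of a non-OK status is an
# assumption, anything not starting with "OK" is treated as needing review.
SAMPLE_LOG = r"""
.\debug.cpp(238) : Debug log started at 14.01.2011 - 00:37:10
.\boot_cleaner.cpp(527) : Bootkit Remover
.\boot_cleaner.cpp(533) : Program version: 1.2.0.0
.\boot_cleaner.cpp(565) : System volume is \\.\C:
.\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
.\diskio.cpp(204) : ATA_Read(): DeviceIoControl() ERROR 1
.\boot_cleaner.cpp(276) : Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd
.\boot_cleaner.cpp(1060) :
.\boot_cleaner.cpp(1061) : Size Device Name MBR Status
.\boot_cleaner.cpp(1062) : --------------------------------------------
.\boot_cleaner.cpp(1106) : 232 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
.\boot_cleaner.cpp(1106) : 149 GB \\.\PhysicalDrive1 Unknown boot code
.\boot_cleaner.cpp(1151) : Done;
"""

# One regex for the line framing, then one per message type we care about.
LINE_RE = re.compile(r"^\.\\(?P<src>[\w.]+)\((?P<lno>\d+)\) :\s?(?P<msg>.*)$")
VERSION_RE = re.compile(r"Program version: (?P<ver>[\d.]+)")
SYSVOL_RE = re.compile(r"System volume is (?P<vol>\\\\\.\\[A-Z]:)")
MD5_RE = re.compile(r"Boot sector MD5 is: (?P<md5>[0-9a-fA-F]{32})")
IOERR_RE = re.compile(r"(?P<call>\w+)\(\): DeviceIoControl\(\) ERROR (?P<code>\d+)")
DISK_RE = re.compile(r"^(?P<size>\d+ [KMGT]B) (?P<dev>\\\\\.\\PhysicalDrive\d+) (?P<status>.+)$")


@dataclass
class RemoverReport:
    version: Optional[str] = None
    system_volume: Optional[str] = None
    boot_sector_md5: Optional[str] = None
    disks: List[Dict[str, str]] = field(default_factory=list)
    io_errors: List[str] = field(default_factory=list)
    completed: bool = False

    def suspicious_disks(self) -> List[Dict[str, str]]:
        # The tool prints "OK (DOS/Win32 Boot code found)" for a boot sector it recognises.
        return [d for d in self.disks if not d["status"].startswith("OK")]


def parse_remover_log(text: str) -> RemoverReport:
    """Walk the log line by line and collect the fields a helper reads first."""
    report = RemoverReport()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # forum text or blank lines pasted around the log
        msg = m.group("msg").strip()
        if msg == "Done;":
            report.completed = True
            continue
        v = VERSION_RE.search(msg)
        if v:
            report.version = v.group("ver")
            continue
        s = SYSVOL_RE.search(msg)
        if s:
            report.system_volume = s.group("vol")
            continue
        h = MD5_RE.search(msg)
        if h:
            report.boot_sector_md5 = h.group("md5").lower()
            continue
        e = IOERR_RE.search(msg)
        if e:
            report.io_errors.append(f"{e.group('call')}: ERROR {e.group('code')}")
            continue
        d = DISK_RE.match(msg)
        if d:
            report.disks.append(
                {"size": d.group("size"), "device": d.group("dev"), "status": d.group("status")}
            )
    return report


def triage(text: str) -> Dict[str, object]:
    """Summarise a remover log: which disks need a second look, and did the run finish."""
    r = parse_remover_log(text)
    flagged = [d["device"] for d in r.suspicious_disks()]
    return {
        "version": r.version,
        "system_volume": r.system_volume,
        "boot_sector_md5": r.boot_sector_md5,
        "disks_seen": len(r.disks),
        "flagged": flagged,
        "io_errors": r.io_errors,  # reported, but not by itself a verdict
        "completed": r.completed,
        "verdict": "review" if (flagged or not r.completed) else "mbr-ok",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```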
     
  15. poolside

    poolside TS Rookie Topic Starter Posts: 16

    Quick question where do I obtain remover.exe ?
     
  16. poolside

    poolside TS Rookie Topic Starter Posts: 16

    never mind - just realized it was downloaded earlier.

    thanks
     
  17. poolside

    poolside TS Rookie Topic Starter Posts: 16

    remover log file

    .\debug.cpp(238) : Debug log started at 14.01.2011 - 00:37:10
    .\boot_cleaner.cpp(527) : Bootkit Remover
    .\boot_cleaner.cpp(528) : (c) 2009 eSage Lab
    .\boot_cleaner.cpp(529) : www.esagelab.com
    .\boot_cleaner.cpp(533) : Program version: 1.2.0.0
    .\boot_cleaner.cpp(540) : OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    .\debug.cpp(248) : **********************************************
    .\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
    .\debug.cpp(250) : **********************************************
    .\debug.cpp(263) : **********************************************
    .\debug.cpp(307) : *** [ DEVICE OBJECTS INFORMATION ] ***********
    .\debug.cpp(308) : **********************************************
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#WPD#0000#{6ac27878-a6fa-4155-ba85-f98f491d4f33}"
    .\debug.cpp(400) : Destination "\Device\00000045"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{dff220f3-f70f-11d0-b917-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PIPE"
    .\debug.cpp(400) : Destination "\Device\NamedPipe"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c5066e-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{2eb07ea0-7e70-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{f92975c4-ca96-11da-904a-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\Floppy0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHL-DT-ST_DVDRAM_GSA-H10A________________JL02____#3246364143333644353933312020202020202020#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPNAT"
    .\debug.cpp(400) : Destination "\Device\IPNAT"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{0a4252a0-7e70-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\GEARAspiWDMDevice"
    .\debug.cpp(400) : Destination "\Device\GEARAspiWDMDevice"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\UNC"
    .\debug.cpp(400) : Destination "\Device\Mup"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\G:"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{3662262e-70bc-11df-9ae9-0015f2d29b9b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD0"
    .\debug.cpp(400) : Destination "\Device\USBFDO-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Tcp"
    .\debug.cpp(400) : Destination "\Device\Tcp"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_0057&SUBSYS_81411043&REV_A3#3&267a616a&0&98#{c4f6eed3-1c5e-4f43-a768-83ecba42fcc1}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0021"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgrMsg"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgrMsg"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\LCD"
    .\debug.cpp(400) : Destination "\Device\VideoPdo0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD1"
    .\debug.cpp(400) : Destination "\Device\USBFDO-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PTIMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#Disk&Ven_Sony&Prod_Card_R#W__-SD&Rev_1.30#5000000A3256&2#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000083"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive0"
    .\debug.cpp(400) : Destination "\Device\Harddisk0\DR0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PRN"
    .\debug.cpp(400) : Destination "\DosDevices\LPT1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&b8c841c&0&RM#{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_041e&Pid_4055#5&269429fc&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{cf1dda2c-9743-11d0-a3ee-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{53172480-4791-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_0059&SUBSYS_812A1043&REV_A2#3&267a616a&0&68#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0016"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\sysaudio"
    .\debug.cpp(400) : Destination "\Device\sysaudio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_046d&Pid_c01e#6&1971417&0&0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000080"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\fsWrap"
    .\debug.cpp(400) : Destination "\Device\FsWrap"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{97ebaacb-95bd-11d0-a3ea-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom0"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive1"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DR2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\H:"
    .\debug.cpp(400) : Destination "\Device\Harddisk2\DP(1)0-0+7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{36622630-70bc-11df-9ae9-0015f2d29b9b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk3\DP(1)0-0+8"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNPB006#4&f36d2e&0#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000006b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCLEPCIDevice0"
    .\debug.cpp(400) : Destination "\Device\PCLEPCIDevice0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom1"
    .\debug.cpp(400) : Destination "\Device\CdRom1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive2"
    .\debug.cpp(400) : Destination "\Device\Harddisk2\DR3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{3662262f-70bc-11df-9ae9-0015f2d29b9b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk2\DP(1)0-0+7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{36622631-70bc-11df-9ae9-0015f2d29b9b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk4\DP(1)0-0+9"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_0059&SUBSYS_812A1043&REV_A2#3&267a616a&0&68#{dda54a40-1e4c-11d1-a050-405705c10000}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0016"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\VBoxUSBMon"
    .\debug.cpp(400) : Destination "\Device\VBoxUSBMon"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom2"
    .\debug.cpp(400) : Destination "\Device\CdRom2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Global"
    .\debug.cpp(400) : Destination "\GLOBAL??"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#FixedButton#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\0000004d"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0C#aa#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\0000004c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive3"
    .\debug.cpp(400) : Destination "\Device\Harddisk3\DR4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#Disk&Ven_Sony&Prod_Card_R#W__-SM#xD&Rev_1.30#5000000A3256&1#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000082"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"
    .\debug.cpp(400) : Destination "\Device\00000070"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD6"
    .\debug.cpp(400) : Destination "\Device\NGNUSBHOST"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PxHelperDevice0"
    .\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive4"
    .\debug.cpp(400) : Destination "\Device\Harddisk4\DR5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\I:"
    .\debug.cpp(400) : Destination "\Device\Harddisk3\DP(1)0-0+8"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{f92975c0-ca96-11da-904a-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&4f6dc7f&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk3\DP(1)0-0+8"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Secdrv"
    .\debug.cpp(400) : Destination "\Device\Secdrv"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50671-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#AuthenticAMD_-_x86_Family_15_Model_35#_0#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
    .\debug.cpp(400) : Destination "\Device\00000049"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad809c00-7b88-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9ea331fa-b91b-45f8-9285-bd2bc77afcde}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&16edd79e&0&RM#{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk2\DP(1)0-0+7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNPA000#4&5d18f2df&0#{2accfe60-c130-11d2-b082-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\0000004f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#NET#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3e227e76-690d-11d2-8161-0000f8775bf1}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_0059&SUBSYS_812A1043&REV_A2#3&267a616a&0&68#{65e8773e-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0016"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ARP1394"
    .\debug.cpp(400) : Destination "\Device\ARP1394"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{07dad660-22f1-11d1-a9f4-00c04fbbde8f}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{78EE52A8-53F3-41CD-A23F-259BB59E4FB6}"
    .\debug.cpp(400) : Destination "\Device\{78EE52A8-53F3-41CD-A23F-259BB59E4FB6}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#DISPLAY#0000#{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"
    .\debug.cpp(400) : Destination "\Device\00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{36E0EF3A-F2E8-4FEE-B4CD-3988CA977F76}"
    .\debug.cpp(400) : Destination "\Device\{36E0EF3A-F2E8-4FEE-B4CD-3988CA977F76}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{7f593670-4a35-11de-9989-0015f2d29b9b}"
    .\debug.cpp(400) : Destination "\Device\CdRom2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCSI#CdRom&Ven_QBOR&Prod_416J8LUNC9&Rev_1.03#5&36e5972&0&000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Scsi\autwr0ew1Port5Path0Target0Lun0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{4d36e978-e325-11ce-bfc1-08002be10318}"
    .\debug.cpp(400) : Destination "\Device\00000070"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{24D1619E-4B8A-4C10-9211-69C222A70A4F}"
    .\debug.cpp(400) : Destination "\Device\{24D1619E-4B8A-4C10-9211-69C222A70A4F}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\J:"
    .\debug.cpp(400) : Destination "\Device\Harddisk4\DP(1)0-0+9"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FDC#GENERIC_FLOPPY_DRIVE#5&69f14b9&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\FloppyPDO0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0303#4&f36d2e&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\0000006f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50674-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&16a89ebb&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MbDlDp32"
    .\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_L2TPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000032"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MountPointManager"
    .\debug.cpp(400) : Destination "\Device\MountPointManager"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WanArp"
    .\debug.cpp(400) : Destination "\Device\WANARP"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomLITE-ON_DVDRW_SHM-165H6S________________HS06____#5&d073337&0&0.1.0#{1186654d-47b8-48b9-beb9-7df113ae3c67}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T1L0-e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0303#4&f36d2e&0#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\0000006f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNPB02F#4&f36d2e&0#{cae56030-684a-11d0-d6f6-00a0c90f57da}"
    .\debug.cpp(400) : Destination "\Device\0000006a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#ftdisk#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000003"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomLITE-ON_DVDRW_SHM-165H6S________________HS06____#5&d073337&0&0.1.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T1L0-e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&Signature88FC88FCOffset7E00Length3A380D0200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&4f6dc7f&0&RM#{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk3\DP(1)0-0+8"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_11AB&DEV_4362&SUBSYS_81421043&REV_15#4&23e04d34&0&0018#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0030"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHL-DT-ST_DVDRAM_GSA-H10A________________JL02____#3246364143333644353933312020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\A:"
    .\debug.cpp(400) : Destination "\Device\Floppy0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomLITE-ON_DVDRW_SHM-165H6S________________HS06____#5&d073337&0&0.1.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T1L0-e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#1&2d12bed1&0&01#{10282b1c-5d76-432c-9bdb-d3d62ebd836c}"
    .\debug.cpp(400) : Destination "\Device\0000007b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISWANIP"
    .\debug.cpp(400) : Destination "\Device\NdisWanIp"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{9549B990-F415-4B24-A552-C28EC8E7EDBE}"
    .\debug.cpp(400) : Destination "\Device\{9549B990-F415-4B24-A552-C28EC8E7EDBE}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{bf963d80-c559-11d0-8a2b-00a0c9255ac1}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{fbf6f530-07b9-11d2-a71e-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNPB006#4&f36d2e&0#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000006b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi0:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ASYNCMAC"
    .\debug.cpp(400) : Destination "\Device\ASYNCMAC"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCSI#CdRom&Ven_QBOR&Prod_416J8LUNC9&Rev_1.03#5&36e5972&0&000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Scsi\autwr0ew1Port5Path0Target0Lun0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_046d&Pid_c01e#6&1971417&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\00000080"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHL-DT-ST_DVDRAM_GSA-H10A________________JL02____#3246364143333644353933312020202020202020#{1186654d-47b8-48b9-beb9-7df113ae3c67}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T0L0-6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&23555a2c&0&RM#{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk4\DP(1)0-0+9"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\1394BUS0"
    .\debug.cpp(400) : Destination "\Device\1394BUS0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_041e&Pid_4055#5&269429fc&0&1#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_041e&Pid_4055#5&269429fc&0&1#{6bdd1fc6-810f-11d0-bec7-08002be2092f}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{4747b320-62ce-11cf-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\VBoxNetAdp"
    .\debug.cpp(400) : Destination "\Device\VBoxNetAdp"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#AuthenticAMD_-_x86_Family_15_Model_35#_1#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
    .\debug.cpp(400) : Destination "\Device\0000004a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK1"
    .\debug.cpp(400) : Destination "\Device\ParTechInc0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPTPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000035"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#Disk&Ven_Sony&Prod_Card_R#W__-MS&Rev_1.30#5000000A3256&3#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000084"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{a7c7a5b1-5af3-11d1-9ced-00a024bf0407}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISTAPI"
    .\debug.cpp(400) : Destination "\Device\NdisTapi"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NdisWan"
    .\debug.cpp(400) : Destination "\Device\NdisWan"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AscKmd"
    .\debug.cpp(400) : Destination "\Device\AscKmd"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi1:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPMULTICAST"
    .\debug.cpp(400) : Destination "\Device\IPMULTICAST"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK2"
    .\debug.cpp(400) : Destination "\Device\ParTechInc1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_1095&DEV_3132&SUBSYS_81771043&REV_01#4&e2974d5&0&0010#{2accfe60-c130-11d2-b082-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0029"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK3"
    .\debug.cpp(400) : Destination "\Device\ParTechInc2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Shadow"
    .\debug.cpp(400) : Destination "\Device\LanmanRedirector"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgr"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgr"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FtControl"
    .\debug.cpp(400) : Destination "\Device\FtControl"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#Disk&Ven_Sony&Prod_Card_R#W__-CF&Rev_1.30#5000000A3256&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000081"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MAILSLOT"
    .\debug.cpp(400) : Destination "\Device\MailSlot"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AUX"
    .\debug.cpp(400) : Destination "\DosDevices\COM1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{767326F4-2F70-44EA-903C-93F0AEBD7A06}"
    .\debug.cpp(400) : Destination "\Device\{767326F4-2F70-44EA-903C-93F0AEBD7A06}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NUL"
    .\debug.cpp(400) : Destination "\Device\Null"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ndisuio"
    .\debug.cpp(400) : Destination "\Device\Ndisuio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\0000003e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi2:"
    .\debug.cpp(400) : Destination "\Device\NvAta0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\VBoxDrv"
    .\debug.cpp(400) : Destination "\Device\VBoxDrv"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_005B&SUBSYS_815A1043&REV_A4#3&267a616a&0&59#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0015"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{A9F90BD6-0AA8-4EF6-B602-52A03816F9DF}"
    .\debug.cpp(400) : Destination "\Device\{A9F90BD6-0AA8-4EF6-B602-52A03816F9DF}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{1a3e09be-1e45-494b-9174-d7385b45bbf5}#NVNET_DEV0057#4&1def4cc4&0&00#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000007e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{f92975c3-ca96-11da-904a-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\CdRom1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT"
    .\debug.cpp(400) : Destination ""
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\0000003d"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#WPD#0000#{f33fdc04-d1ac-4e8e-9a30-19bbd4b108ae}"
    .\debug.cpp(400) : Destination "\Device\00000045"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&16edd79e&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk2\DP(1)0-0+7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&23555a2c&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk4\DP(1)0-0+9"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_104C&DEV_8023&SUBSYS_808B1043&REV_00#4&2411f011&0&5890#{6bdd1fc1-810f-11d0-bec7-08002be2092f}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0028"
    .\debug.cpp(409) : --
    .\debug.cpp(453) : **********************************************
    .\boot_cleaner.cpp(565) : System volume is \\.\C:
    .\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    .\diskio.cpp(204) : ATA_Read(): DeviceIoControl() ERROR 1
    .\boot_cleaner.cpp(276) : Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd
    .\boot_cleaner.cpp(1060) :
    .\boot_cleaner.cpp(1061) : Size Device Name MBR Status
    .\boot_cleaner.cpp(1062) : --------------------------------------------
    .\boot_cleaner.cpp(1106) : 232 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
    .\boot_cleaner.cpp(1112) :
    .\boot_cleaner.cpp(1151) : Done;
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'm going to set up some script for you to run through Combofix. Entries remain that should have been moved. I also need to replace a file, so please run this first so we can find a good copy to include in the script:

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
      ftdisk.*
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    =============================================
    I'll just add the file to the script if there is a clean one.
     
  19. poolside

    poolside TS Rookie Topic Starter Posts: 16

    SystemLook logfile

    Looks like three copies were found. I don't recognise the first directory, but the other two make sense to me. Hope you have a checksum so you know which one may be valid. I'm sure we have Windows XP SP3 loaded.

    Thanks for taking time out from football Sunday to help us out.

    Log following:

    SystemLook 04.09.10 by jpshortstuff
    Log created at 19:19 on 16/01/2011 by Bill
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "ftdisk.*"
    C:\cmdcons\FTDISK.SY_ --a---- 60791 bytes [19:52 17/08/2001] [19:52 17/08/2001] 345CA06DF0C008EA223F924391B4C205
    C:\pebuilder3110a\BartPE\I386\SYSTEM32\DRIVERS\FTDISK.SYS --a---- 125056 bytes [05:55 06/03/2010] [12:00 23/08/2001] 6AC26732762483366C3969C9E4D2259D
    C:\WINDOWS\system32\drivers\ftdisk.sys --a---- 125056 bytes [12:01 08/10/2004] [12:01 08/10/2004] FF837A7A6F88CBC975F3055947CE35D8

    -= EOF =-
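The log above lists three copies of ftdisk with three different MD5s, and the question of "which one is valid" can only be answered against a hash taken from trusted install media at the same service-pack level. The following is an added example, not part of the thread or of SystemLook itself: it parses SystemLook filefind output (the three lines from this log are embedded as the sample) and classifies each copy against a reference hash. The reference hash passed in is an assumption supplied by the caller; no known-good hash for ftdisk.sys is asserted here.

```python
import re

# Constructed sample: the filefind section of the SystemLook log posted above.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "ftdisk.*"
C:\cmdcons\FTDISK.SY_ --a---- 60791 bytes [19:52 17/08/2001] [19:52 17/08/2001] 345CA06DF0C008EA223F924391B4C205
C:\pebuilder3110a\BartPE\I386\SYSTEM32\DRIVERS\FTDISK.SYS --a---- 125056 bytes [05:55 06/03/2010] [12:00 23/08/2001] 6AC26732762483366C3969C9E4D2259D
C:\WINDOWS\system32\drivers\ftdisk.sys --a---- 125056 bytes [12:01 08/10/2004] [12:01 08/10/2004] FF837A7A6F88CBC975F3055947CE35D8

-= EOF =-
"""

# One filefind result line: path, 7-char attribute field, size, two bracketed
# timestamps (kept in the order SystemLook prints them), then the MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<timestamp1>[^\]]+)\]\s+\[(?P<timestamp2>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Return a list of dicts, one per file line in a SystemLook filefind log."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].lower()
            records.append(rec)
    return records


def group_by_hash(records):
    """Map each MD5 to the paths that carry it; identical copies cluster together."""
    groups = {}
    for rec in records:
        groups.setdefault(rec["md5"], []).append(rec["path"])
    return groups


def compare_to_reference(records, reference_md5):
    """Classify each copy against a known-good MD5 supplied by the caller.

    reference_md5 is an assumption: obtain it from install media of the same
    service-pack level, not from any copy found on the suspect machine.
    """
    reference_md5 = reference_md5.lower()
    verdicts = {}
    for rec in records:
        if rec["path"].upper().endswith(".SY_"):
            # Cabinet-compressed copy (e.g. under cmdcons); its hash is not
            # comparable until expanded with expand.exe.
            verdicts[rec["path"]] = "compressed (expand before hashing)"
        elif rec["md5"] == reference_md5:
            verdicts[rec["path"]] = "matches reference"
        else:
            verdicts[rec["path"]] = "MISMATCH"
    return verdicts


if __name__ == "__main__":
    recs = parse_filefind(SAMPLE_LOG)
    for md5, paths in group_by_hash(recs).items():
        print(md5, paths)
    # Placeholder reference: the BartPE copy's hash, used only to show the report shape.
    for path, verdict in compare_to_reference(recs, "6AC26732762483366C3969C9E4D2259D").items():
        print(verdict, path)
```

A caveat the report cannot make for you: the two uncompressed copies carry different original timestamps (2001 for the BartPE copy, 2004 for the one under system32), so they come from different Windows builds and their hashes are expected to differ. A mismatch between them is not by itself evidence of tampering; the comparison only means something against a copy from the same service-pack level as the installed system.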
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Let's see if this will clean things up:
    Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\windows\system32\drivers\hitmanpro35.sys
    c:\windows\system32\drivers\jovmherp.sys
    c:\windows\system32\drivers\oqeunamr.sys
    c:\windows\system32\drivers\bnucdcpm.sys
    c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus
    c:\windows\pss\McAfee Security Scan Plus
    
    Folder::
    c:\program files\Hitman Pro 3.5
    c:\documents and settings\All Users\Application Data\Hitman Pro
    c:\documents and settings\All Users\Application Data\Driver Boost
    
    Registry::
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Norton AntiVirus Server"=-
    "McComponentHostService"=-
    
    RegLock::
    [HKEY_USERS\S-1-5-21-1123561945-162531612-839522115-1005\Software\Sony Creative Software\M*e*d*i*a* *M*a*n*a*g*e*r* *f*o*r* *P*S*P*"!\2.5]
    
    FCopy::
    C:\pebuilder3110a\BartPE\I386\SYSTEM32\DRIVERS\FTDISK.SYS | C:\WINDOWS\system32\drivers\ftdisk.sys
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
    ====================
    Consider removing the Firefox add-on:
    Zynga Toolbar - a Conduit "Community Toolbar" - modifies the default IE URL search hook. Conduit toolbars are reputed to have a certain trackware functionality.

    Update acrobat 7.0 to V9.xx: Visit this Adobe Reader site and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    ========================================
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  21. poolside

    poolside TS Rookie Topic Starter Posts: 16

    node is a rebooting maniac

    While the ComboFix script was running, the node beeped and rebooted. No virus programs were running, nor were any windows displayed. Not able to get back to Windows XP in Safe Mode or in Normal; the Windows XP screen banner shows up, then another reboot.
    Was able to look at disk with Ubuntu and it appears the ComboFix script did remove and replace files as requested. Windows directory structure appears intact.
    No joy using the original XP disk to identify a Windows installation on the disk in either Setup or Repair mode.
    Going to try and look at it with a slipstreamed SP2 disk I made last year.
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay- so you ran the script, but now can't get back into the system? It could be that the FCopy I did for the ftdisk either didn't work, was not a good copy or was too corrupt to replace.

    I know you said you couldn't get into Safe Mode, but did you try booting into it?

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    If you can get in at all, try to pick up the Restore Point that Combofix created
    ComboFix 11-01-10.04 - Bill 01/10/2011 20:02:21.3.2 - x86
    Running from: c:\documents and settings\Bill\Desktop\ComboFix.exe
    * Created a new restore point
     
  23. poolside

    poolside TS Rookie Topic Starter Posts: 16

    Windows restored

    Earlier, there was no way to get into Safe Mode, even via F8 on boot. It always just rebooted again halfway through Windows initialization.

    I revived the Windows system via an earlier SP2 slipstream disk I had made last year. Applied the SP3 installation via the exe provided from mother Microsoft (couldn't ever get the latest Windows Update 3.1 to install with my SP2 installation).

    I can find no indication of the earlier Alureon virus or malware on the system. Ran Microsoft Security Essentials virus scan, nothing found. Ran Malwarebytes scan, nothing found. Running GMER currently, but so far a lot cleaner when comparing their logs.

    Unless there is something else you want me to try, I believe my problems have been resolved and you can mark this thread as closed/resolved.

    Thanks for your help, directions, and insight into resolving my issue. I feel more safety aware now, and I will make a better attempt to keep products updated and remove old versions of programs that have been superseded.
    Cheers and Beers
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Glad you got back in. I think we cleaned whatever was on the system already. You should remove those cleaning programs though- we give you a free URL for our scan, but some will require you to pay to keep the full program and remove what is found. So whatever you ran again, remove as follows:
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      • Choose Disk Cleanup
      • Click "OK" to select the partition or drive you want.
      • Click the "More Options" Tab.
      • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
    ===========================================
    To help keep you safe:
    Tips for added security and safer browsing:
    1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
      This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
    2. Have layered Security:
      • Antivirus Software(only one):Both of the following programs are free and known to be good:
        [o]Avira Free
        [o]Avast Home
      • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
        [o]Comodo
        [o]Zone Alarm
      • Antispyware: I recommend all of the following:
        [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      [o]Download ZonedOut and save to your desktop. This replaces IE/Spyad and manages the Zones in Internet Explorer. This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
      IE/Spyad is no longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is up-to-date before adding sites to your restricted zone.
      Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites, ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroy's immunization the problem goes away.
      [o]Replace the Host Files
      MVPS Hosts files This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
      [o]Google Toolbar Get the free google toolbar to help stop pop up windows.
    3. Stay current on updates:
      [o] Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
      [o]Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
      [o]Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    4. Reset Cookies to prevent Tracking Cookies:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
    5. Do regular Maintenance
      Remove Temporary Internet Files regularly:
      [o]ATF Cleaner by Atribune
      OR
      [o]TFC
      Disable and Enable System Restore:
      [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    6. Practice Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Use a Site Adviser> I recommend this:
    The Web of Trust (WOT) add-on is a safe surfing tool for your browser. Traffic-light rating symbols show how users rate the site for Trustworthiness, Vendor Reliability, Privacy and Child Safety. Your online email account (Google Mail, Yahoo! Mail and Hotmail) is also protected.

    Every time you do a search and the screen comes up with the sites, they will have the rating light. Green (2 shades), Amber/Yellow Caution, Red> not advised. A few sites haven't been rated and show as a blue flashlight.

    If you want to link from the page you're on to another site, WOT will give you an Alert that the site is known for fraudulent entries, unreliable or other and the site won't load. Don't worry- those Alerts don't happen if you stick to the green rating.

    Give it a try- http://www.mywot.com/en/download
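The HOSTS-file advice above cuts both ways: a HOSTS file is only a defence while every entry points at the local machine, and the same file is a favourite place for a redirect hijack of the kind this thread started with (a search engine mapped to an attacker's address, or an antivirus update site mapped to 127.0.0.1 so it can never update). The following is an added example, not part of the thread or of the MVPS file: it parses a HOSTS file in the Windows format and reports entries that do not behave like a sinkhole. The sample file, the 203.0.113.45 address and the small watchlist of security-vendor names are constructed for the example and are not from the affected machine.

```python
import ipaddress
import sys

# Constructed sample HOSTS file: two legitimate sinkhole entries, two entries
# of the kind a redirect hijack adds, and one antivirus site blocked via loopback.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# MVPS-style blocking entries: sinkholed to the local machine
0.0.0.0         ad.doubleclick.net
127.0.0.1       adservice.example
# Entries of the kind a redirect hijack adds
203.0.113.45    www.google.com
203.0.113.45    google.com   # trailing comment after an entry
# Blocking an AV vendor's site so it cannot update
127.0.0.1       www.malwarebytes.org
::1             localhost
"""

# Assumed watchlist: names that should never appear in HOSTS at all, because even a
# loopback mapping for them means updates and scans are being blocked.
SECURITY_SITES = {
    "www.malwarebytes.org",
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
}

# Default location on the XP machine in this thread; override on the command line.
WINDOWS_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"


def parse_hosts(text):
    """Return (address, hostname) pairs, dropping comments, blank and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing and full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # an address with no hostname is not an entry
        for name in parts[1:]:                # one address may carry several names
            entries.append((parts[0], name.lower()))
    return entries


def find_hijacks(entries):
    """Return (address, hostname, reason) for entries that are not plain sinkholes."""
    findings = []
    for addr_text, name in entries:
        if name in SECURITY_SITES:
            findings.append((addr_text, name, "security/update site present in HOSTS"))
            continue
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append((addr_text, name, "unparseable address"))
            continue
        # 127.0.0.0/8, ::1 and 0.0.0.0 are the only targets a blocklist should use.
        if addr.is_loopback or addr.is_unspecified:
            continue
        findings.append((addr_text, name, "non-local target"))
    return findings


def check_hosts_file(path):
    """Read a HOSTS file from disk and return its findings."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_hijacks(parse_hosts(fh.read()))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = check_hosts_file(sys.argv[1])
    else:
        results = find_hijacks(parse_hosts(SAMPLE_HOSTS))
    for addr_text, name, reason in results:
        print(f"{reason}: {addr_text} -> {name}")
```

Run it with the path to the live file (the default XP location is in WINDOWS_HOSTS_PATH) after the machine is believed clean; a clean MVPS install produces no findings, because every entry it adds resolves to a loopback or unspecified address. Note that this check sees only what is on disk: a kernel-mode rootkit of the Alureon family can redirect DNS or filter traffic without touching HOSTS at all, which is why the thread relied on GMER and ComboFix rather than on this file alone.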
     
Topic Status:
Not open for further replies.
