TDL3 rootkit infection plus google redirect

Solved
By Asimov
Apr 14, 2011
Topic Status:
Not open for further replies.
  1. plus recurring HTML script virus (Gerico.ffd) and WIN32 errors - help ! Avira and Malwarebytes have quarantined numerous trojan spywares and one of the programs used in the 8 point checklist suggest a rootkit infection. Firewall automatically turned off and Internet explorer closes after a few minutes of use.

    Here are the logs of the downloaded programs, any help gratefully received:

    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit quick scan 2011-04-14 19:13:38
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort1 STM3250318AS rev.CC37
    Running: dyn1rppi.exe; Driver: C:\DOCUME~1\Dan\LOCALS~1\Temp\kwroipob.sys


    ---- System - GMER 1.0.15 ----

    SSDT spwt.sys ZwEnumerateKey [0xB7ECDDA4]
    SSDT spwt.sys ZwEnumerateValueKey [0xB7ECE132]

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8A2B827F
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A2B827F
    Device \Driver\atapi \Device\Ide\IdePort0 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A2B827F
    Device \Driver\atapi \Device\Ide\IdePort1 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A2B827F
    Device \Driver\atapi \Device\Ide\IdePort2 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\a0ibbuzp \Device\Scsi\a0ibbuzp1Port3Path0Target1Lun0 8A0891F8
    Device \Driver\a0ibbuzp \Device\Scsi\a0ibbuzp1 8A0891F8
    Device \Driver\a0ibbuzp \Device\Scsi\a0ibbuzp1Port3Path0Target0Lun0 8A0891F8
    Device \FileSystem\Ntfs \Ntfs 8A4121F8

    AttachedDevice \Driver\Tcpip \Device\Ip mdvrmng.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp mdvrmng.sys
    AttachedDevice \Driver\Tcpip \Device\Udp mdvrmng.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp mdvrmng.sys

    Device \Device\Ide\IdeDeviceP1T1L0-e -> \??\IDE#DiskSTM3250318AS____________________________CC37____#5&18134b26&0&0.1.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----

    #######################

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6351

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    4/13/2011 5:15:41 PM
    mbam-log-2011-04-13 (17-15-41).txt

    Scan type: Quick scan
    Objects scanned: 184340
    Time elapsed: 3 minute(s), 30 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 2
    Files Infected: 6

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\winntse.bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.
    c:\ksdfghk.Bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.

    Files Infected:
    c:\documents and settings\Dan\local settings\Temp\0.5326623992007813.exe (Rogue.Installer) -> Quarantined and deleted successfully.
    c:\documents and settings\Dan\local settings\Temp\jar_cache6136635655882958112.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
    c:\WINDOWS\Temp\0.6587413872770643.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    c:\WINDOWS\Temp\0.9674578634173698.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    c:\winntse.bin\config.bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.
    c:\ksdfghk.Bin\config.bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6351

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    4/13/2011 6:21:28 PM
    mbam-log-2011-04-13 (18-21-28).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 268532
    Time elapsed: 55 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\networkservice\application data\Sun\Java\deployment\cache\6.0\12\1e3ae18c-2bbcf9b9 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\documents and settings\networkservice\application data\Sun\Java\deployment\cache\6.0\12\1e3ae18c-6c53a5b7 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6351

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    4/14/2011 6:47:28 PM
    mbam-log-2011-04-14 (18-47-28).txt

    Scan type: Quick scan
    Objects scanned: 181953
    Time elapsed: 2 minute(s), 51 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\ksdfghk.Bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.

    Files Infected:
    c:\ksdfghk.Bin\config.bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.

    #########################

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Dan at 19:16:47.04 on Thu 04/14/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1476 [GMT 1:00]
    .
    AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ============== Running Processes ===============
    .
    C:\Program Files\Emsisoft Anti-Malware\a2service.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\3 Mobile Broadband\3Connect\Wilog.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    c:\program files\avira\antivir desktop\avcenter.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Dan\Desktop\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Connection Wizard,ShellNext = iexplore
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    mRun: [RivaTunerStartupDaemon] "c:\program files\rivatuner v2.24 msi master overclocking arena 2009 edition\RivaTuner.exe" /S
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
    mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
    mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    StartupFolder: c:\docume~1\dan\startm~1\programs\startup\regist~1.lnk - c:\program files\ubisoft\heroes of might and magic v\registration\RegistrationReminder.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
    IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\documents and settings\dan\desktop\PartyPoker.lnk
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: {E12A03E0-357A-4D08-9D38-720A10A03941} = 217.171.132.1 217.171.135.1
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-7 11608]
    R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2010-8-11 2855440]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-7 108289]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-7 185089]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-3-7 56816]
    R2 BecHelperService;BecHelperService;c:\program files\3 mobile broadband\3connect\BecHelperService.exe [2010-9-27 1737464]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-12 135664]
    S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2009-12-10 65536]
    S3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2010-8-11 73728]
    S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-9-27 9216]
    S3 U400bus;LGE U400 driver (WDM);c:\windows\system32\drivers\U400bus.sys [2010-8-27 61440]
    S3 U400mdfl;LGE U400 USB WMC Modem Filter;c:\windows\system32\drivers\U400mdfl.sys [2010-8-27 9264]
    S3 U400mdm;LGE U400 USB WMC Modem Driver;c:\windows\system32\drivers\U400mdm.sys [2010-8-27 96960]
    S3 U400mgmt;LGE U400 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\U400mgmt.sys [2010-8-27 88528]
    S3 U400obex;LGE U400 USB WMC OBEX Interface;c:\windows\system32\drivers\U400obex.sys [2010-8-27 86336]
    S3 ZDCndis5;ZDCndis5 Protocol Driver;\??\c:\windows\system32\zdcndis5.sys --> c:\windows\system32\ZDCndis5.SYS [?]
    .
    =============== Created Last 30 ================
    .
    2011-04-13 21:39:00 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-04-13 21:39:00 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-04-13 16:10:06 -------- d-----w- c:\docume~1\dan\applic~1\Malwarebytes
    2011-04-13 16:10:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-13 16:10:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-04-13 16:09:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-13 16:09:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-04-07 19:00:14 -------- d-----w- c:\program files\DivX
    2011-04-07 18:57:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\DivX
    2011-03-24 23:17:09 83249512 ----a-w- c:\program files\common files\windows live\.cache\wlc48.tmp
    .
    ==================== Find3M ====================
    .
    2011-01-24 20:00:48 1 ----a-w- c:\windows\system32\SI.bin
    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: STM3250318AS rev.CC37 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T1L0-e
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A2B8439]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a2be7d0]; MOV EAX, [0x8a2be84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A32FAB8]
    3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006e[0x8A3319E8]
    5 ACPI[0xB7E74620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A357940]
    \Driver\atapi[0x8A2D3A08] -> IRP_MJ_CREATE -> 0x8A2B8439
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP1T1L0-e -> \??\IDE#DiskSTM3250318AS____________________________CC37____#5&18134b26&0&0.1.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A2B827F
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 19:17:52.35 ===============

    ##############

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 12/25/2009 6:45:04 PM
    System Uptime: 4/14/2011 7:00:17 PM (0 hours ago)
    .
    Motherboard: Foxconn | | G31MV/G31MV-K
    Processor: Intel Pentium III Xeon processor | Socket 775 | 2599/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 233 GiB total, 173.592 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is CDROM ()
    G: is CDROM (CDFS)
    H: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Realtek PCIe FE Family Controller
    Device ID: PCI\VEN_10EC&DEV_8136&SUBSYS_0DF2105B&REV_01\4&2AD917F4&0&00E1
    Manufacturer: Realtek Semiconductor Corp.
    Name: Realtek PCIe FE Family Controller
    PNP Device ID: PCI\VEN_10EC&DEV_8136&SUBSYS_0DF2105B&REV_01\4&2AD917F4&0&00E1
    Service: RTLE8023xp
    .
    ==== System Restore Points ===================
    .
    RP383: 1/12/2011 8:30:52 PM - System Checkpoint
    RP384: 1/12/2011 11:44:05 PM - Software Distribution Service 3.0
    RP385: 1/14/2011 8:35:05 PM - System Checkpoint
    RP386: 1/16/2011 5:53:16 PM - System Checkpoint
    RP387: 1/17/2011 8:18:20 PM - System Checkpoint
    RP388: 1/19/2011 9:48:51 PM - System Checkpoint
    RP389: 1/20/2011 10:31:40 PM - System Checkpoint
    RP390: 1/22/2011 7:15:04 PM - System Checkpoint
    RP391: 1/23/2011 7:28:26 PM - System Checkpoint
    RP392: 1/24/2011 8:01:22 PM - Installed Heroes of Might and Magic V
    RP393: 1/25/2011 9:04:18 PM - System Checkpoint
    RP394: 1/26/2011 11:32:43 PM - System Checkpoint
    RP395: 1/28/2011 9:18:03 PM - System Checkpoint
    RP396: 1/30/2011 12:46:01 AM - System Checkpoint
    RP397: 2/4/2011 8:09:54 PM - System Checkpoint
    RP398: 2/7/2011 8:12:59 PM - System Checkpoint
    RP399: 2/9/2011 12:19:57 AM - Software Distribution Service 3.0
    RP400: 2/10/2011 7:23:57 PM - System Checkpoint
    RP401: 2/11/2011 9:24:03 PM - System Checkpoint
    RP402: 2/13/2011 1:29:21 AM - System Checkpoint
    RP403: 2/15/2011 4:31:02 PM - Removed SAGEM Wi-Fi 11g USB adapter LAN Utility
    RP404: 2/16/2011 8:47:41 PM - System Checkpoint
    RP405: 2/18/2011 2:12:40 AM - Software Distribution Service 3.0
    RP406: 2/20/2011 10:23:35 PM - System Checkpoint
    RP407: 2/24/2011 7:48:51 PM - System Checkpoint
    RP408: 2/26/2011 4:11:50 PM - System Checkpoint
    RP409: 2/26/2011 7:35:40 PM - Restore Operation
    RP410: 3/3/2011 10:17:48 PM - Software Distribution Service 3.0
    RP411: 3/5/2011 10:21:11 PM - System Checkpoint
    RP412: 3/9/2011 8:30:07 PM - System Checkpoint
    RP413: 3/9/2011 11:33:23 PM - Software Distribution Service 3.0
    RP414: 3/11/2011 7:41:05 PM - System Checkpoint
    RP415: 3/12/2011 10:08:28 PM - System Checkpoint
    RP416: 3/14/2011 7:49:07 PM - System Checkpoint
    RP417: 3/17/2011 8:47:35 PM - System Checkpoint
    RP418: 3/20/2011 12:51:40 PM - System Checkpoint
    RP419: 3/21/2011 9:08:11 PM - System Checkpoint
    RP420: 3/24/2011 12:05:01 AM - Software Distribution Service 3.0
    RP421: 3/24/2011 11:19:21 PM - Installed DirectX
    RP422: 3/27/2011 7:15:01 PM - System Checkpoint
    RP423: 3/28/2011 10:54:53 PM - System Checkpoint
    RP424: 3/30/2011 5:24:13 PM - System Checkpoint
    RP425: 3/31/2011 9:27:20 PM - System Checkpoint
    RP426: 4/2/2011 7:50:31 PM - System Checkpoint
    RP427: 4/5/2011 6:48:03 PM - System Checkpoint
    RP428: 4/7/2011 7:24:02 PM - System Checkpoint
    RP429: 4/9/2011 6:28:16 PM - System Checkpoint
    RP430: 4/11/2011 8:17:47 PM - Restore Operation
    RP431: 4/12/2011 6:05:17 PM - Restore Operation
    RP432: 4/12/2011 8:09:31 PM - Removed Java(TM) 6 Update 17
    RP433: 4/12/2011 8:23:21 PM - Installed Java(TM) 6 Update 24
    RP434: 4/12/2011 11:06:16 PM - Restore Operation
    RP435: 4/12/2011 11:08:14 PM - Restore Operation
    RP436: 4/13/2011 7:25:26 PM - reg edit
    RP437: 4/13/2011 9:13:20 PM - Removed PostgreSQL 8.3
    RP438: 4/13/2011 10:36:56 PM - Restore Operation
    .
    ==== Installed Programs ======================
    .
    3Connect
    Acrobat.com
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.3.3
    Advanced Video FX Utility
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Avira AntiVir Personal - Free Antivirus
    Bonjour
    Broken Sword Trilogy
    Canon iP1900 series Printer Driver
    Canon iP1900 series User Registration
    Canon Utilities Easy-PhotoPrint EX
    Canon Utilities My Printer
    Canon Utilities Solution Menu
    CCleaner
    Celestia 1.6.0
    Creative Photo Manager
    Creative WebCam Center
    Creative WebCam Instant Driver (1.03.02.0425)
    Creative WebCam Instant User's Guide (English)
    Diablo II
    DiRT2
    EA SPORTS™ Rugby 08
    Emsisoft Anti-Malware 5.0
    Football Manager 2010
    FOX ONE
    Free M4a to MP3 Converter 6.2
    Get Yahoo! Messenger
    Google Update Helper
    Heroes of Might and Magic V
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    InterActual Player
    iTunes
    Java(TM) 6 Update 17
    Junk Mail filter update
    K-Lite Codec Pack 5.5.1 (Full)
    LG PhoneManager
    LG SyncManager
    LG USB Modem driver-U400
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Games for Windows - LIVE
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Xbox 360 Accessories 1.2
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nero 7 Ultra Edition
    neroxml
    NVIDIA Display Control Panel
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    NVIDIA PhysX
    OpenAL
    PartyPoker
    PKR
    PokerStars
    PokerTracker 3 (remove only)
    PostgreSQL 8.3
    PowerISO
    Quick Startup 2.8.0.718
    QuickTime
    Rapture3D 2.3.22 Game
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    Realtek High Definition Audio Driver
    Revo Uninstaller 1.85
    RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Segoe UI
    SightSpeed
    Spotify
    System Requirements Lab
    Unreal Tournament 2003
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VLC media player 1.0.3
    WebCam Instant Product Registration
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Player 11
    WinRAR archiver
    World Championship Snooker 2004
    XP Codec Pack
    ZTE_1.2059.0.8
    .
    ==== Event Viewer Messages From Past Week ========
    .
    4/14/2011 7:09:13 PM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
    4/14/2011 6:37:37 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    4/14/2011 6:37:37 PM, error: Service Control Manager [7034] - The BecHelperService service terminated unexpectedly. It has done this 1 time(s).
    4/14/2011 6:37:36 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    4/14/2011 6:37:36 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    4/13/2011 6:44:54 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SCDEmu sptd ssmdrv Tcpip
    4/13/2011 6:44:54 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    4/13/2011 6:44:54 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    4/13/2011 6:44:54 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    4/13/2011 6:44:54 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    4/13/2011 6:44:54 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    4/13/2011 6:00:32 PM, error: Service Control Manager [7031] - The Emsisoft Anti-Malware 5.0 - Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    4/12/2011 8:38:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio avipbb Fips intelppm SCDEmu ssmdrv
    4/12/2011 8:09:47 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    4/12/2011 6:01:05 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    4/12/2011 11:13:19 PM, error: Service Control Manager [7024] - The Java Quick Starter service terminated with service-specific error 1 (0x1).
    4/11/2011 9:45:29 PM, error: sptd [4] - Driver detected an internal error in its data structures for .
    4/11/2011 8:17:19 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio avipbb Fips intelppm SCDEmu sptd ssmdrv
    4/11/2011 11:14:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    4/11/2011 11:14:33 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    4/11/2011 11:08:15 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    4/11/2011 10:01:07 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    .
    ==== End Of File ===========================
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! Please run the following while I finish checking these logs. Paste the log into your next reply:

    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe. to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.

    Note: Please don't act on any 'errors' or 'alerts' you might get. Malwarebytes removed some rogue programs and some entries may be left.

    Another note: I noticed you ran several scans with Mbam- I think attempting to also remove Trojan.SpyEyes. Although the removal and containment are easy, you should understand that the system may have been compromised already due to the Backdoor it installed and the chance that information may already ave been stolen. You are advised to change all of your passwords and keep close look to any financial transactions you do on the internet.

    Description of Trojan.SpyEyes:
    • Payload: Opens a back door.
    • Releases Confidential Info: Attempts to steal information from the compromised computer.
    A
  3. Asimov

    Asimov Newcomer, in training Topic Starter Posts: 22

    Thanks for your reply - one rootkit detected and cured/ quarantined as per the below report. There was however a locked file detected which only gave the option to skip / copy to quarantine or delete. Should I go ahead and delete this or leave it as it is? When I reboot I still get a message stating my firewall is disabled, however the google redirects appear to have stopped (touch wood!)

    2011/04/14 23:12:17.0796 2936 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
    2011/04/14 23:12:19.0750 2936 ================================================================================
    2011/04/14 23:12:19.0750 2936 SystemInfo:
    2011/04/14 23:12:19.0750 2936
    2011/04/14 23:12:19.0750 2936 OS Version: 5.1.2600 ServicePack: 3.0
    2011/04/14 23:12:19.0750 2936 Product type: Workstation
    2011/04/14 23:12:19.0750 2936 ComputerName: DANCREATION4
    2011/04/14 23:12:19.0750 2936 UserName: Dan
    2011/04/14 23:12:19.0750 2936 Windows directory: C:\WINDOWS
    2011/04/14 23:12:19.0750 2936 System windows directory: C:\WINDOWS
    2011/04/14 23:12:19.0750 2936 Processor architecture: Intel x86
    2011/04/14 23:12:19.0750 2936 Number of processors: 2
    2011/04/14 23:12:19.0750 2936 Page size: 0x1000
    2011/04/14 23:12:19.0750 2936 Boot type: Normal boot
    2011/04/14 23:12:19.0750 2936 ================================================================================
    2011/04/14 23:12:20.0203 2936 Initialize success
    2011/04/14 23:12:26.0406 0276 ================================================================================
    2011/04/14 23:12:26.0406 0276 Scan started
    2011/04/14 23:12:26.0406 0276 Mode: Manual;
    2011/04/14 23:12:26.0406 0276 ================================================================================
    2011/04/14 23:12:26.0937 0276 a2acc (71574a98093d94bdbb3cb74e272d29a5) C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2accx86.sys
    2011/04/14 23:12:27.0062 0276 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/04/14 23:12:27.0109 0276 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/04/14 23:12:27.0156 0276 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/04/14 23:12:27.0203 0276 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2011/04/14 23:12:27.0343 0276 AR5416 (2f9a4beb4163590b78e26cdedc789ed4) C:\WINDOWS\system32\DRIVERS\athw.sys
    2011/04/14 23:12:27.0531 0276 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/04/14 23:12:27.0578 0276 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/04/14 23:12:27.0625 0276 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/04/14 23:12:27.0703 0276 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/04/14 23:12:27.0750 0276 avgio (6a646c46b9415e13095aa9b352040a7a) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    2011/04/14 23:12:27.0843 0276 avgntflt (14fe36d8f2c6a2435275338d061a0b66) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
    2011/04/14 23:12:27.0890 0276 avipbb (452e382340bb0c5e694ed9d3625356d0) C:\WINDOWS\system32\DRIVERS\avipbb.sys
    2011/04/14 23:12:27.0937 0276 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/04/14 23:12:27.0968 0276 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/04/14 23:12:28.0015 0276 CCDECODE (fdc06e2ada8c468ebb161624e03976cf) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2011/04/14 23:12:28.0046 0276 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/04/14 23:12:28.0093 0276 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/04/14 23:12:28.0125 0276 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/04/14 23:12:28.0250 0276 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/04/14 23:12:28.0328 0276 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/04/14 23:12:28.0390 0276 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/04/14 23:12:28.0437 0276 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/04/14 23:12:28.0484 0276 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/04/14 23:12:28.0531 0276 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/04/14 23:12:28.0578 0276 ENTECH (16ebd8bf1d5090923694cc972c7ce1b4) C:\WINDOWS\system32\DRIVERS\ENTECH.sys
    2011/04/14 23:12:28.0640 0276 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/04/14 23:12:28.0687 0276 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2011/04/14 23:12:28.0718 0276 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/04/14 23:12:28.0734 0276 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2011/04/14 23:12:28.0750 0276 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    2011/04/14 23:12:28.0781 0276 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/04/14 23:12:28.0812 0276 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/04/14 23:12:28.0859 0276 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    2011/04/14 23:12:28.0890 0276 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/04/14 23:12:28.0937 0276 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2011/04/14 23:12:28.0984 0276 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/04/14 23:12:29.0046 0276 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/04/14 23:12:29.0140 0276 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/04/14 23:12:29.0187 0276 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/04/14 23:12:29.0312 0276 IntcAzAudAddService (b2957d6c1226f029230dac2c46d34286) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2011/04/14 23:12:29.0375 0276 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/04/14 23:12:29.0437 0276 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    2011/04/14 23:12:29.0468 0276 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/04/14 23:12:29.0484 0276 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/04/14 23:12:29.0515 0276 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/04/14 23:12:29.0593 0276 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/04/14 23:12:29.0640 0276 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
    2011/04/14 23:12:29.0687 0276 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/04/14 23:12:29.0703 0276 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys
    2011/04/14 23:12:29.0734 0276 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/04/14 23:12:29.0781 0276 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/04/14 23:12:29.0812 0276 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/04/14 23:12:29.0875 0276 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/04/14 23:12:29.0953 0276 massfilter (09721f2c56681a83c93ecdfab8b102a9) C:\WINDOWS\system32\drivers\massfilter.sys
    2011/04/14 23:12:30.0000 0276 mdvrmng (4e10e84320a8ec1c12bd0d00973b22ab) C:\WINDOWS\system32\drivers\mdvrmng.sys
    2011/04/14 23:12:30.0046 0276 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/04/14 23:12:30.0093 0276 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/04/14 23:12:30.0125 0276 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/04/14 23:12:30.0171 0276 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/04/14 23:12:30.0203 0276 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/04/14 23:12:30.0250 0276 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/04/14 23:12:30.0296 0276 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/04/14 23:12:30.0343 0276 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/04/14 23:12:30.0390 0276 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/04/14 23:12:30.0390 0276 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/04/14 23:12:30.0406 0276 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/04/14 23:12:30.0437 0276 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/04/14 23:12:30.0484 0276 MSTEE (d5059366b361f0e1124753447af08aa2) C:\WINDOWS\system32\drivers\MSTEE.sys
    2011/04/14 23:12:30.0531 0276 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/04/14 23:12:30.0562 0276 NABTSFEC (ac31b352ce5e92704056d409834beb74) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2011/04/14 23:12:30.0625 0276 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/04/14 23:12:30.0656 0276 NdisIP (abd7629cf2796250f315c1dd0b6cf7a0) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2011/04/14 23:12:30.0703 0276 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/04/14 23:12:30.0734 0276 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/04/14 23:12:30.0750 0276 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/04/14 23:12:30.0781 0276 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/04/14 23:12:30.0812 0276 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/04/14 23:12:30.0828 0276 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/04/14 23:12:30.0875 0276 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/04/14 23:12:30.0937 0276 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/04/14 23:12:31.0015 0276 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/04/14 23:12:31.0203 0276 nv (a05d99cbf55eb493c9e82b4bca848ef5) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2011/04/14 23:12:31.0390 0276 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/04/14 23:12:31.0437 0276 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/04/14 23:12:31.0484 0276 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
    2011/04/14 23:12:31.0500 0276 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/04/14 23:12:31.0546 0276 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/04/14 23:12:31.0593 0276 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/04/14 23:12:31.0625 0276 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/04/14 23:12:31.0656 0276 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/04/14 23:12:31.0687 0276 PD0620VID (ea296b87ba381c640b441d95f90785f8) C:\WINDOWS\system32\DRIVERS\P0620Vid.sys
    2011/04/14 23:12:31.0812 0276 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/04/14 23:12:31.0843 0276 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/04/14 23:12:31.0890 0276 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/04/14 23:12:31.0984 0276 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/04/14 23:12:32.0031 0276 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
    2011/04/14 23:12:32.0046 0276 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/04/14 23:12:32.0078 0276 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/04/14 23:12:32.0109 0276 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/04/14 23:12:32.0125 0276 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/04/14 23:12:32.0171 0276 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/04/14 23:12:32.0203 0276 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/04/14 23:12:32.0250 0276 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/04/14 23:12:32.0296 0276 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/04/14 23:12:32.0343 0276 RivaTuner32 (c0c8909be3ecc9df8089112bf9be954e) C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys
    2011/04/14 23:12:32.0453 0276 RTLE8023xp (6fc7ddf3b8d94fba7ac664452d6478d4) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
    2011/04/14 23:12:32.0500 0276 SCDEmu (16b1abe7f3e35f21dac57592b6c5d464) C:\WINDOWS\system32\drivers\SCDEmu.sys
    2011/04/14 23:12:32.0546 0276 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/04/14 23:12:32.0578 0276 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/04/14 23:12:32.0671 0276 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/04/14 23:12:32.0718 0276 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/04/14 23:12:32.0796 0276 SLIP (1ffc44d6787ec1ea9a2b1440a90fa5c1) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2011/04/14 23:12:32.0843 0276 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/04/14 23:12:32.0890 0276 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
    2011/04/14 23:12:32.0890 0276 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
    2011/04/14 23:12:32.0906 0276 sptd - detected Locked file (1)
    2011/04/14 23:12:32.0906 0276 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/04/14 23:12:32.0953 0276 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/04/14 23:12:33.0031 0276 ssmdrv (654dfea96bc82b4acda4f37e5e4a3bbf) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
    2011/04/14 23:12:33.0078 0276 streamip (a9f9fd0212e572b84edb9eb661f6bc04) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2011/04/14 23:12:33.0140 0276 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/04/14 23:12:33.0171 0276 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/04/14 23:12:33.0265 0276 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/04/14 23:12:33.0312 0276 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/04/14 23:12:33.0359 0276 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/04/14 23:12:33.0390 0276 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/04/14 23:12:33.0437 0276 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/04/14 23:12:33.0515 0276 U400bus (e2dba4238cea4a707ecf232b0a18285b) C:\WINDOWS\system32\DRIVERS\U400bus.sys
    2011/04/14 23:12:33.0562 0276 U400mdfl (7024be4e5db0278f902d8f8168c21a1e) C:\WINDOWS\system32\DRIVERS\U400mdfl.sys
    2011/04/14 23:12:33.0578 0276 U400mdm (f81b907b5d826c52be70becfa8d061e3) C:\WINDOWS\system32\DRIVERS\U400mdm.sys
    2011/04/14 23:12:33.0593 0276 U400mgmt (1ae1765623c8e58349b89bc1dc7ffd52) C:\WINDOWS\system32\DRIVERS\U400mgmt.sys
    2011/04/14 23:12:33.0625 0276 U400obex (780c0b1655008e38d7e6ba631f17fbb8) C:\WINDOWS\system32\DRIVERS\U400obex.sys
    2011/04/14 23:12:33.0687 0276 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/04/14 23:12:33.0750 0276 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/04/14 23:12:33.0796 0276 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/04/14 23:12:33.0828 0276 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/04/14 23:12:33.0859 0276 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/04/14 23:12:33.0906 0276 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/04/14 23:12:33.0953 0276 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/04/14 23:12:34.0000 0276 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/04/14 23:12:34.0031 0276 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/04/14 23:12:34.0078 0276 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/04/14 23:12:34.0109 0276 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/04/14 23:12:34.0171 0276 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
    2011/04/14 23:12:34.0218 0276 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/04/14 23:12:34.0312 0276 WSTCODEC (233cdd1c06942115802eb7ce6669e099) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2011/04/14 23:12:34.0359 0276 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/04/14 23:12:34.0390 0276 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/04/14 23:12:34.0437 0276 xusb21 (09e5340bd9b2cb730bf4dc6be7721291) C:\WINDOWS\system32\DRIVERS\xusb21.sys
    2011/04/14 23:12:34.0515 0276 ZTEusbmdm6k (616b411bfc0e9f535a436759f19b79d8) C:\WINDOWS\system32\DRIVERS\ZTEusbmdm6k.sys
    2011/04/14 23:12:34.0531 0276 ZTEusbnmea (616b411bfc0e9f535a436759f19b79d8) C:\WINDOWS\system32\DRIVERS\ZTEusbnmea.sys
    2011/04/14 23:12:34.0546 0276 ZTEusbser6k (616b411bfc0e9f535a436759f19b79d8) C:\WINDOWS\system32\DRIVERS\ZTEusbser6k.sys
    2011/04/14 23:12:34.0578 0276 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2011/04/14 23:12:34.0593 0276 ================================================================================
    2011/04/14 23:12:34.0593 0276 Scan finished
    2011/04/14 23:12:34.0593 0276 ================================================================================
    2011/04/14 23:12:34.0593 0680 Detected object count: 2
    2011/04/14 23:14:59.0984 0680 Locked file(sptd) - User select action: Skip
    2011/04/14 23:15:00.0000 0680 \HardDisk0 - copied to quarantine
    2011/04/14 23:15:00.0000 0680 \HardDisk0\TDLFS\cfg.ini - copied to quarantine
    2011/04/14 23:15:00.0031 0680 \HardDisk0\TDLFS\mbr - copied to quarantine
    2011/04/14 23:15:00.0031 0680 \HardDisk0\TDLFS\bckfg.tmp - copied to quarantine
    2011/04/14 23:15:00.0046 0680 \HardDisk0\TDLFS\cmd.dll - copied to quarantine
    2011/04/14 23:15:00.0046 0680 \HardDisk0\TDLFS\ldr16 - copied to quarantine
    2011/04/14 23:15:00.0046 0680 \HardDisk0\TDLFS\ldr32 - copied to quarantine
    2011/04/14 23:15:00.0046 0680 \HardDisk0\TDLFS\ldr64 - copied to quarantine
    2011/04/14 23:15:00.0062 0680 \HardDisk0\TDLFS\drv64 - copied to quarantine
    2011/04/14 23:15:00.0062 0680 \HardDisk0\TDLFS\cmd64.dll - copied to quarantine
    2011/04/14 23:15:00.0078 0680 \HardDisk0\TDLFS\drv32 - copied to quarantine
    2011/04/14 23:15:00.0078 0680 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Quarantine

    ############################

    SUSPICIOUS OBJECT

    2011/04/14 23:30:54.0828 3788 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
    2011/04/14 23:30:54.0843 3788 ================================================================================
    2011/04/14 23:30:54.0843 3788 SystemInfo:
    2011/04/14 23:30:54.0843 3788
    2011/04/14 23:30:54.0843 3788 OS Version: 5.1.2600 ServicePack: 3.0
    2011/04/14 23:30:54.0843 3788 Product type: Workstation
    2011/04/14 23:30:54.0843 3788 ComputerName: DANCREATION4
    2011/04/14 23:30:54.0843 3788 UserName: Dan
    2011/04/14 23:30:54.0843 3788 Windows directory: C:\WINDOWS
    2011/04/14 23:30:54.0843 3788 System windows directory: C:\WINDOWS
    2011/04/14 23:30:54.0843 3788 Processor architecture: Intel x86
    2011/04/14 23:30:54.0843 3788 Number of processors: 2
    2011/04/14 23:30:54.0843 3788 Page size: 0x1000
    2011/04/14 23:30:54.0843 3788 Boot type: Normal boot
    2011/04/14 23:30:54.0843 3788 ================================================================================
    2011/04/14 23:30:54.0953 3788 Initialize success
    2011/04/14 23:30:56.0515 3820 ================================================================================
    2011/04/14 23:30:56.0515 3820 Scan started
    2011/04/14 23:30:56.0515 3820 Mode: Manual;
    2011/04/14 23:30:56.0515 3820 ================================================================================
    2011/04/14 23:30:58.0781 3820 a2acc (71574a98093d94bdbb3cb74e272d29a5) C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2accx86.sys
    2011/04/14 23:30:58.0953 3820 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/04/14 23:30:59.0000 3820 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/04/14 23:30:59.0062 3820 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/04/14 23:30:59.0109 3820 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2011/04/14 23:30:59.0421 3820 AR5416 (2f9a4beb4163590b78e26cdedc789ed4) C:\WINDOWS\system32\DRIVERS\athw.sys
    2011/04/14 23:30:59.0640 3820 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/04/14 23:30:59.0687 3820 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/04/14 23:30:59.0750 3820 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/04/14 23:30:59.0796 3820 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/04/14 23:30:59.0859 3820 avgio (6a646c46b9415e13095aa9b352040a7a) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    2011/04/14 23:30:59.0953 3820 avgntflt (14fe36d8f2c6a2435275338d061a0b66) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
    2011/04/14 23:30:59.0984 3820 avipbb (452e382340bb0c5e694ed9d3625356d0) C:\WINDOWS\system32\DRIVERS\avipbb.sys
    2011/04/14 23:31:00.0031 3820 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/04/14 23:31:00.0062 3820 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/04/14 23:31:00.0093 3820 CCDECODE (fdc06e2ada8c468ebb161624e03976cf) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2011/04/14 23:31:00.0140 3820 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/04/14 23:31:00.0187 3820 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/04/14 23:31:00.0218 3820 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/04/14 23:31:00.0343 3820 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/04/14 23:31:00.0484 3820 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/04/14 23:31:00.0546 3820 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/04/14 23:31:00.0593 3820 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/04/14 23:31:00.0656 3820 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/04/14 23:31:00.0718 3820 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/04/14 23:31:00.0796 3820 ENTECH (16ebd8bf1d5090923694cc972c7ce1b4) C:\WINDOWS\system32\DRIVERS\ENTECH.sys
    2011/04/14 23:31:00.0875 3820 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/04/14 23:31:00.0921 3820 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2011/04/14 23:31:00.0953 3820 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/04/14 23:31:00.0968 3820 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2011/04/14 23:31:01.0000 3820 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    2011/04/14 23:31:01.0046 3820 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/04/14 23:31:01.0078 3820 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/04/14 23:31:01.0125 3820 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    2011/04/14 23:31:01.0156 3820 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/04/14 23:31:01.0187 3820 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2011/04/14 23:31:01.0250 3820 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/04/14 23:31:01.0296 3820 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/04/14 23:31:01.0390 3820 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/04/14 23:31:01.0437 3820 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/04/14 23:31:01.0546 3820 IntcAzAudAddService (b2957d6c1226f029230dac2c46d34286) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2011/04/14 23:31:01.0625 3820 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/04/14 23:31:01.0671 3820 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    2011/04/14 23:31:01.0687 3820 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/04/14 23:31:01.0703 3820 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/04/14 23:31:01.0734 3820 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/04/14 23:31:01.0765 3820 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/04/14 23:31:01.0812 3820 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
    2011/04/14 23:31:01.0843 3820 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/04/14 23:31:01.0859 3820 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys
    2011/04/14 23:31:01.0890 3820 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/04/14 23:31:01.0921 3820 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/04/14 23:31:01.0968 3820 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/04/14 23:31:02.0000 3820 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/04/14 23:31:02.0062 3820 massfilter (09721f2c56681a83c93ecdfab8b102a9) C:\WINDOWS\system32\drivers\massfilter.sys
    2011/04/14 23:31:02.0109 3820 mdvrmng (4e10e84320a8ec1c12bd0d00973b22ab) C:\WINDOWS\system32\drivers\mdvrmng.sys
    2011/04/14 23:31:02.0156 3820 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/04/14 23:31:02.0187 3820 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/04/14 23:31:02.0234 3820 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/04/14 23:31:02.0296 3820 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/04/14 23:31:02.0328 3820 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/04/14 23:31:02.0375 3820 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/04/14 23:31:02.0421 3820 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/04/14 23:31:02.0468 3820 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/04/14 23:31:02.0531 3820 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/04/14 23:31:02.0546 3820 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/04/14 23:31:02.0562 3820 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/04/14 23:31:02.0593 3820 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/04/14 23:31:02.0640 3820 MSTEE (d5059366b361f0e1124753447af08aa2) C:\WINDOWS\system32\drivers\MSTEE.sys
    2011/04/14 23:31:02.0687 3820 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/04/14 23:31:02.0718 3820 NABTSFEC (ac31b352ce5e92704056d409834beb74) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2011/04/14 23:31:02.0765 3820 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/04/14 23:31:02.0796 3820 NdisIP (abd7629cf2796250f315c1dd0b6cf7a0) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2011/04/14 23:31:02.0843 3820 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/04/14 23:31:02.0859 3820 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/04/14 23:31:02.0875 3820 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/04/14 23:31:02.0906 3820 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/04/14 23:31:02.0937 3820 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/04/14 23:31:02.0953 3820 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/04/14 23:31:03.0000 3820 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/04/14 23:31:03.0046 3820 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/04/14 23:31:03.0109 3820 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/04/14 23:31:03.0296 3820 nv (a05d99cbf55eb493c9e82b4bca848ef5) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2011/04/14 23:31:03.0703 3820 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/04/14 23:31:03.0750 3820 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/04/14 23:31:03.0812 3820 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
    2011/04/14 23:31:03.0828 3820 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/04/14 23:31:03.0875 3820 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/04/14 23:31:03.0921 3820 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/04/14 23:31:03.0937 3820 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/04/14 23:31:03.0968 3820 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/04/14 23:31:04.0093 3820 PD0620VID (ea296b87ba381c640b441d95f90785f8) C:\WINDOWS\system32\DRIVERS\P0620Vid.sys
    2011/04/14 23:31:04.0218 3820 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/04/14 23:31:04.0234 3820 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/04/14 23:31:04.0265 3820 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/04/14 23:31:04.0328 3820 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/04/14 23:31:04.0375 3820 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
    2011/04/14 23:31:04.0390 3820 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/04/14 23:31:04.0421 3820 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/04/14 23:31:04.0453 3820 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/04/14 23:31:04.0484 3820 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/04/14 23:31:04.0500 3820 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/04/14 23:31:04.0531 3820 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/04/14 23:31:04.0593 3820 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/04/14 23:31:04.0703 3820 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/04/14 23:31:04.0781 3820 RivaTuner32 (c0c8909be3ecc9df8089112bf9be954e) C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys
    2011/04/14 23:31:04.0890 3820 RTLE8023xp (6fc7ddf3b8d94fba7ac664452d6478d4) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
    2011/04/14 23:31:05.0046 3820 SCDEmu (16b1abe7f3e35f21dac57592b6c5d464) C:\WINDOWS\system32\drivers\SCDEmu.sys
    2011/04/14 23:31:05.0078 3820 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/04/14 23:31:05.0093 3820 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/04/14 23:31:05.0140 3820 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/04/14 23:31:05.0187 3820 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/04/14 23:31:05.0281 3820 SLIP (1ffc44d6787ec1ea9a2b1440a90fa5c1) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2011/04/14 23:31:05.0390 3820 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/04/14 23:31:05.0453 3820 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
    2011/04/14 23:31:05.0453 3820 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
    2011/04/14 23:31:05.0468 3820 sptd - detected Locked file (1)
    2011/04/14 23:31:05.0468 3820 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/04/14 23:31:05.0500 3820 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/04/14 23:31:05.0578 3820 ssmdrv (654dfea96bc82b4acda4f37e5e4a3bbf) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
    2011/04/14 23:31:05.0656 3820 streamip (a9f9fd0212e572b84edb9eb661f6bc04) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2011/04/14 23:31:05.0734 3820 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/04/14 23:31:05.0765 3820 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/04/14 23:31:05.0843 3820 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/04/14 23:31:05.0906 3820 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/04/14 23:31:05.0953 3820 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/04/14 23:31:06.0000 3820 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/04/14 23:31:06.0046 3820 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/04/14 23:31:06.0109 3820 U400bus (e2dba4238cea4a707ecf232b0a18285b) C:\WINDOWS\system32\DRIVERS\U400bus.sys
    2011/04/14 23:31:06.0187 3820 U400mdfl (7024be4e5db0278f902d8f8168c21a1e) C:\WINDOWS\system32\DRIVERS\U400mdfl.sys
    2011/04/14 23:31:06.0234 3820 U400mdm (f81b907b5d826c52be70becfa8d061e3) C:\WINDOWS\system32\DRIVERS\U400mdm.sys
    2011/04/14 23:31:06.0281 3820 U400mgmt (1ae1765623c8e58349b89bc1dc7ffd52) C:\WINDOWS\system32\DRIVERS\U400mgmt.sys
    2011/04/14 23:31:06.0312 3820 U400obex (780c0b1655008e38d7e6ba631f17fbb8) C:\WINDOWS\system32\DRIVERS\U400obex.sys
    2011/04/14 23:31:06.0375 3820 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/04/14 23:31:06.0406 3820 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/04/14 23:31:06.0468 3820 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/04/14 23:31:06.0500 3820 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/04/14 23:31:06.0531 3820 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/04/14 23:31:06.0609 3820 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/04/14 23:31:06.0750 3820 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/04/14 23:31:06.0781 3820 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/04/14 23:31:06.0828 3820 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/04/14 23:31:06.0890 3820 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/04/14 23:31:06.0921 3820 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/04/14 23:31:06.0968 3820 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
    2011/04/14 23:31:07.0031 3820 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/04/14 23:31:07.0156 3820 WSTCODEC (233cdd1c06942115802eb7ce6669e099) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2011/04/14 23:31:07.0203 3820 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/04/14 23:31:07.0250 3820 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/04/14 23:31:07.0390 3820 xusb21 (09e5340bd9b2cb730bf4dc6be7721291) C:\WINDOWS\system32\DRIVERS\xusb21.sys
    2011/04/14 23:31:07.0468 3820 ZTEusbmdm6k (616b411bfc0e9f535a436759f19b79d8) C:\WINDOWS\system32\DRIVERS\ZTEusbmdm6k.sys
    2011/04/14 23:31:07.0500 3820 ZTEusbnmea (616b411bfc0e9f535a436759f19b79d8) C:\WINDOWS\system32\DRIVERS\ZTEusbnmea.sys
    2011/04/14 23:31:07.0515 3820 ZTEusbser6k (616b411bfc0e9f535a436759f19b79d8) C:\WINDOWS\system32\DRIVERS\ZTEusbser6k.sys
    2011/04/14 23:31:07.0640 3820 ================================================================================
    2011/04/14 23:31:07.0640 3820 Scan finished
    2011/04/14 23:31:07.0640 3820 ================================================================================
    2011/04/14 23:31:07.0671 3812 Detected object count: 1
    2011/04/14 23:31:30.0640 3812 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
    2011/04/14 23:31:30.0640 3812 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
    2011/04/14 23:31:30.0640 3812 C:\WINDOWS\system32\Drivers\sptd.sys - copied to quarantine
    2011/04/14 23:31:30.0640 3812 Locked file(sptd) - User select action: Quarantine
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please run this:
    Bootkit Remover:

    Download bootkitremover.rar and save to your desktop.
    1. Extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. (Use 7-Zip if you don't have an extraction program, )
    2. Double-click on the remover.exe file to run the program.
      NOTE: The tool should be run from a command line with Administrator privileges.
    3. Scanning should be completed quickly
    4. Paste the output in your next reply.
    ======================================
    You can also go ahead with this: Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [​IMG]
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • .Close any open browsers.
    • .Double click combofix.exe[​IMG] & follow the prompts to run.
    • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    We will work through these first.
  5. Asimov

    Asimov Newcomer, in training Topic Starter Posts: 22

    Thank you - bootkit remover and Combofix logs below in separate threads due to size - only remaining problem is that windows firewall is temporarily disabled when I attempt to connect to the internet - however it is enabled again once I am actually connected:

    .\debug.cpp(238) : Debug log started at 15.04.2011 - 13:44:17
    .\boot_cleaner.cpp(527) : Bootkit Remover
    .\boot_cleaner.cpp(528) : (c) 2009 eSage Lab
    .\boot_cleaner.cpp(529) : www.esagelab.com
    .\boot_cleaner.cpp(533) : Program version: 1.2.0.0
    .\boot_cleaner.cpp(540) : OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    .\debug.cpp(248) : **********************************************
    .\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
    .\debug.cpp(250) : **********************************************
    .\debug.cpp(256) : 0x804d7000 0x0020e000 "\WINDOWS\system32\ntkrnlpa.exe"
    .\debug.cpp(256) : 0x806e5000 0x00020d00 "\WINDOWS\system32\hal.dll"
    .\debug.cpp(256) : 0xb85a8000 0x00002000 "\WINDOWS\system32\KDCOM.DLL"
    .\debug.cpp(256) : 0xb84b8000 0x00003000 "\WINDOWS\system32\BOOTVID.dll"
    .\debug.cpp(256) : 0xb7eb4000 0x000f3000 "spsl.sys"
    .\debug.cpp(256) : 0xb85aa000 0x00002000 "\WINDOWS\System32\Drivers\WMILIB.SYS"
    .\debug.cpp(256) : 0xb7e9c000 0x00018000 "\WINDOWS\System32\Drivers\SCSIPORT.SYS"
    .\debug.cpp(256) : 0xb7e6e000 0x0002e000 "ACPI.sys"
    .\debug.cpp(256) : 0xb7e5d000 0x00011000 "pci.sys"
    .\debug.cpp(256) : 0xb80a8000 0x0000a000 "isapnp.sys"
    .\debug.cpp(256) : 0xb8670000 0x00001000 "pciide.sys"
    .\debug.cpp(256) : 0xb8328000 0x00007000 "\WINDOWS\system32\DRIVERS\PCIIDEX.SYS"
    .\debug.cpp(256) : 0xb80b8000 0x0000b000 "MountMgr.sys"
    .\debug.cpp(256) : 0xb7e3e000 0x0001f000 "ftdisk.sys"
    .\debug.cpp(256) : 0xb85ac000 0x00002000 "dmload.sys"
    .\debug.cpp(256) : 0xb7e18000 0x00026000 "dmio.sys"
    .\debug.cpp(256) : 0xb8330000 0x00005000 "PartMgr.sys"
    .\debug.cpp(256) : 0xb80c8000 0x0000d000 "VolSnap.sys"
    .\debug.cpp(256) : 0xb7e00000 0x00018000 "atapi.sys"
    .\debug.cpp(256) : 0xb80d8000 0x00009000 "disk.sys"
    .\debug.cpp(256) : 0xb80e8000 0x0000d000 "\WINDOWS\system32\DRIVERS\CLASSPNP.SYS"
    .\debug.cpp(256) : 0xb7de0000 0x00020000 "fltMgr.sys"
    .\debug.cpp(256) : 0xb7dce000 0x00012000 "sr.sys"
    .\debug.cpp(256) : 0xb7db7000 0x00017000 "KSecDD.sys"
    .\debug.cpp(256) : 0xb7d2a000 0x0008d000 "Ntfs.sys"
    .\debug.cpp(256) : 0xb7cfd000 0x0002d000 "NDIS.sys"
    .\debug.cpp(256) : 0xb7ce3000 0x0001a000 "Mup.sys"
    .\debug.cpp(256) : 0xb81a8000 0x00009000 "\SystemRoot\system32\DRIVERS\intelppm.sys"
    .\debug.cpp(256) : 0xb7250000 0x009c4000 "\SystemRoot\system32\DRIVERS\nv4_mini.sys"
    .\debug.cpp(256) : 0xb723c000 0x00014000 "\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS"
    .\debug.cpp(256) : 0xb7214000 0x00028000 "\SystemRoot\system32\DRIVERS\HDAudBus.sys"
    .\debug.cpp(256) : 0xb8468000 0x00006000 "\SystemRoot\system32\DRIVERS\usbuhci.sys"
    .\debug.cpp(256) : 0xb71f0000 0x00024000 "\SystemRoot\system32\DRIVERS\USBPORT.SYS"
    .\debug.cpp(256) : 0xb8470000 0x00008000 "\SystemRoot\system32\DRIVERS\usbehci.sys"
    .\debug.cpp(256) : 0xb8478000 0x00007000 "\SystemRoot\system32\DRIVERS\fdc.sys"
    .\debug.cpp(256) : 0xb81b8000 0x00010000 "\SystemRoot\system32\DRIVERS\serial.sys"
    .\debug.cpp(256) : 0xb7c2c000 0x00004000 "\SystemRoot\system32\DRIVERS\serenum.sys"
    .\debug.cpp(256) : 0xb8480000 0x00005000 "\SystemRoot\system32\DRIVERS\irsir.sys"
    .\debug.cpp(256) : 0xb7c28000 0x00003000 "\SystemRoot\system32\DRIVERS\irenum.sys"
    .\debug.cpp(256) : 0xb81c8000 0x0000d000 "\SystemRoot\system32\DRIVERS\i8042prt.sys"
    .\debug.cpp(256) : 0xb8488000 0x00006000 "\SystemRoot\system32\DRIVERS\mouclass.sys"
    .\debug.cpp(256) : 0xb8490000 0x00006000 "\SystemRoot\system32\DRIVERS\kbdclass.sys"
    .\debug.cpp(256) : 0xb81d8000 0x0000b000 "\SystemRoot\system32\DRIVERS\imapi.sys"
    .\debug.cpp(256) : 0xb81e8000 0x00010000 "\SystemRoot\system32\DRIVERS\cdrom.sys"
    .\debug.cpp(256) : 0xb81f8000 0x0000f000 "\SystemRoot\system32\DRIVERS\redbook.sys"
    .\debug.cpp(256) : 0xb71cd000 0x00023000 "\SystemRoot\system32\DRIVERS\ks.sys"
    .\debug.cpp(256) : 0xb8498000 0x00006000 "\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys"
    .\debug.cpp(256) : 0xb7194000 0x00039000 "\SystemRoot\System32\Drivers\asnlvldr.SYS"
    .\debug.cpp(256) : 0xb8731000 0x00001000 "\SystemRoot\system32\DRIVERS\audstub.sys"
    .\debug.cpp(256) : 0xb83a8000 0x00005000 "\SystemRoot\system32\DRIVERS\rasirda.sys"
    .\debug.cpp(256) : 0xb83b0000 0x00005000 "\SystemRoot\system32\DRIVERS\TDI.SYS"
    .\debug.cpp(256) : 0xb8208000 0x0000d000 "\SystemRoot\system32\DRIVERS\rasl2tp.sys"
    .\debug.cpp(256) : 0xb8558000 0x00003000 "\SystemRoot\system32\DRIVERS\ndistapi.sys"
    .\debug.cpp(256) : 0xb717d000 0x00017000 "\SystemRoot\system32\DRIVERS\ndiswan.sys"
    .\debug.cpp(256) : 0xb8218000 0x0000b000 "\SystemRoot\system32\DRIVERS\raspppoe.sys"
    .\debug.cpp(256) : 0xb8228000 0x0000c000 "\SystemRoot\system32\DRIVERS\raspptp.sys"
    .\debug.cpp(256) : 0xb716c000 0x00011000 "\SystemRoot\system32\DRIVERS\psched.sys"
    .\debug.cpp(256) : 0xb8238000 0x00009000 "\SystemRoot\system32\DRIVERS\msgpc.sys"
    .\debug.cpp(256) : 0xb83b8000 0x00005000 "\SystemRoot\system32\DRIVERS\ptilink.sys"
    .\debug.cpp(256) : 0xb83c0000 0x00005000 "\SystemRoot\system32\DRIVERS\raspti.sys"
    .\debug.cpp(256) : 0xb713c000 0x00030000 "\SystemRoot\system32\DRIVERS\rdpdr.sys"
    .\debug.cpp(256) : 0xb8248000 0x0000a000 "\SystemRoot\system32\DRIVERS\termdd.sys"
    .\debug.cpp(256) : 0xb85ea000 0x00002000 "\SystemRoot\system32\DRIVERS\swenum.sys"
    .\debug.cpp(256) : 0xb70b6000 0x0005e000 "\SystemRoot\system32\DRIVERS\update.sys"
    .\debug.cpp(256) : 0xb8578000 0x00004000 "\SystemRoot\system32\DRIVERS\mssmbios.sys"
    .\debug.cpp(256) : 0xb8258000 0x0000a000 "\SystemRoot\System32\Drivers\NDProxy.SYS"
    .\debug.cpp(256) : 0xb4a53000 0x004a6000 "\SystemRoot\system32\drivers\RtkHDAud.sys"
    .\debug.cpp(256) : 0xb4a2f000 0x00024000 "\SystemRoot\system32\drivers\portcls.sys"
    .\debug.cpp(256) : 0xb8288000 0x0000f000 "\SystemRoot\system32\drivers\drmk.sys"
    .\debug.cpp(256) : 0xb8298000 0x0000f000 "\SystemRoot\system32\DRIVERS\usbhub.sys"
    .\debug.cpp(256) : 0xb85f0000 0x00002000 "\SystemRoot\system32\DRIVERS\USBD.SYS"
    .\debug.cpp(256) : 0xb83d8000 0x00005000 "\SystemRoot\system32\DRIVERS\flpydisk.sys"
    .\debug.cpp(256) : 0xb85f4000 0x00002000 "\SystemRoot\System32\Drivers\Fs_Rec.SYS"
    .\debug.cpp(256) : 0xb8696000 0x00001000 "\SystemRoot\System32\Drivers\Null.SYS"
    .\debug.cpp(256) : 0xb85f6000 0x00002000 "\SystemRoot\System32\Drivers\Beep.SYS"
    .\debug.cpp(256) : 0xb83e8000 0x00006000 "\SystemRoot\System32\drivers\vga.sys"
    .\debug.cpp(256) : 0xb85f8000 0x00002000 "\SystemRoot\System32\Drivers\mnmdd.SYS"
    .\debug.cpp(256) : 0xb85fa000 0x00002000 "\SystemRoot\System32\DRIVERS\RDPCDD.sys"
    .\debug.cpp(256) : 0xb83f0000 0x00005000 "\SystemRoot\System32\Drivers\Msfs.SYS"
    .\debug.cpp(256) : 0xb83f8000 0x00008000 "\SystemRoot\System32\Drivers\Npfs.SYS"
    .\debug.cpp(256) : 0xb7c1c000 0x00003000 "\SystemRoot\system32\DRIVERS\rasacd.sys"
    .\debug.cpp(256) : 0xb49ac000 0x00013000 "\SystemRoot\system32\DRIVERS\ipsec.sys"
    .\debug.cpp(256) : 0xb4953000 0x00059000 "\SystemRoot\system32\DRIVERS\tcpip.sys"
    .\debug.cpp(256) : 0xb492d000 0x00026000 "\SystemRoot\system32\DRIVERS\ipnat.sys"
    .\debug.cpp(256) : 0xb4905000 0x00028000 "\SystemRoot\system32\DRIVERS\netbt.sys"
    .\debug.cpp(256) : 0xb82b8000 0x00009000 "\SystemRoot\system32\DRIVERS\wanarp.sys"
    .\debug.cpp(256) : 0xb48e3000 0x00022000 "\SystemRoot\System32\drivers\afd.sys"
    .\debug.cpp(256) : 0xb82c8000 0x00009000 "\SystemRoot\system32\DRIVERS\netbios.sys"
    .\debug.cpp(256) : 0xb8400000 0x00006000 "\SystemRoot\system32\DRIVERS\ssmdrv.sys"
    .\debug.cpp(256) : 0xb82d8000 0x0000e000 "\SystemRoot\System32\Drivers\SCDEmu.SYS"
    .\debug.cpp(256) : 0xb4868000 0x0002b000 "\SystemRoot\system32\DRIVERS\rdbss.sys"
    .\debug.cpp(256) : 0xb47d0000 0x00070000 "\SystemRoot\system32\DRIVERS\mrxsmb.sys"
    .\debug.cpp(256) : 0xb82e8000 0x0000b000 "\SystemRoot\System32\Drivers\Fips.SYS"
    .\debug.cpp(256) : 0xb47b4000 0x0001c000 "\SystemRoot\system32\DRIVERS\avipbb.sys"
    .\debug.cpp(256) : 0xb479d000 0x00017000 "\SystemRoot\system32\DRIVERS\P0620Vid.sys"
    .\debug.cpp(256) : 0xb8138000 0x0000d000 "\SystemRoot\system32\DRIVERS\STREAM.SYS"
    .\debug.cpp(256) : 0xb8606000 0x00002000 "\??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys"
    .\debug.cpp(256) : 0xb4764000 0x00011000 "\SystemRoot\System32\Drivers\Udfs.SYS"
    .\debug.cpp(256) : 0xb474c000 0x00018000 "\SystemRoot\System32\Drivers\dump_atapi.sys"
    .\debug.cpp(256) : 0xb8630000 0x00002000 "\SystemRoot\System32\Drivers\dump_WMILIB.SYS"
    .\debug.cpp(256) : 0xbf800000 0x001c5000 "\SystemRoot\System32\win32k.sys"
    .\debug.cpp(256) : 0xb485c000 0x00003000 "\SystemRoot\System32\drivers\Dxapi.sys"
    .\debug.cpp(256) : 0xb8448000 0x00005000 "\SystemRoot\System32\watchdog.sys"
    .\debug.cpp(256) : 0xb8450000 0x00008000 "\SystemRoot\system32\DRIVERS\usbccgp.sys"
    .\debug.cpp(256) : 0xbd000000 0x00012000 "\SystemRoot\System32\drivers\dxg.sys"
    .\debug.cpp(256) : 0xb879e000 0x00001000 "\SystemRoot\System32\drivers\dxgthk.sys"
    .\debug.cpp(256) : 0xb4732000 0x0001a000 "\SystemRoot\system32\DRIVERS\ZTEusbser6k.sys"
    .\debug.cpp(256) : 0xb4718000 0x0001a000 "\SystemRoot\system32\DRIVERS\ZTEusbnmea.sys"
    .\debug.cpp(256) : 0xb8460000 0x00007000 "\SystemRoot\system32\DRIVERS\USBSTOR.SYS"
    .\debug.cpp(256) : 0xb46fe000 0x0001a000 "\SystemRoot\system32\DRIVERS\ZTEusbmdm6k.sys"
    .\debug.cpp(256) : 0xb84a0000 0x00008000 "\SystemRoot\System32\Drivers\Modem.SYS"
    .\debug.cpp(256) : 0xbd012000 0x005fe000 "\SystemRoot\System32\nv4_disp.dll"
    .\debug.cpp(256) : 0xbd610000 0x00047000 "\SystemRoot\System32\ATMFD.DLL"
    .\debug.cpp(256) : 0xb43aa000 0x00014000 "\SystemRoot\system32\DRIVERS\avgntflt.sys"
    .\debug.cpp(256) : 0xb427c000 0x00016000 "\SystemRoot\system32\DRIVERS\irda.sys"
    .\debug.cpp(256) : 0xb4240000 0x00014000 "\??\C:\WINDOWS\system32\drivers\mdvrmng.sys"
    .\debug.cpp(256) : 0xb437a000 0x00004000 "\SystemRoot\system32\DRIVERS\ndisuio.sys"
    .\debug.cpp(256) : 0xb4033000 0x0002d000 "\SystemRoot\system32\DRIVERS\mrxdav.sys"
    .\debug.cpp(256) : 0xb3e73000 0x00058000 "\SystemRoot\system32\DRIVERS\srv.sys"
    .\debug.cpp(256) : 0xb41b8000 0x0000a000 "\SystemRoot\system32\DRIVERS\secdrv.sys"
    .\debug.cpp(256) : 0xb3c56000 0x00015000 "\SystemRoot\system32\drivers\wdmaud.sys"
    .\debug.cpp(256) : 0xb3d23000 0x0000f000 "\SystemRoot\system32\drivers\sysaudio.sys"
    .\debug.cpp(256) : 0xb38d6000 0x00010000 "\SystemRoot\System32\Drivers\Cdfs.SYS"
    .\debug.cpp(256) : 0xb200f000 0x00041000 "\SystemRoot\System32\Drivers\HTTP.sys"
    .\debug.cpp(256) : 0xb3e33000 0x00003000 "\??\C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys"
    .\debug.cpp(256) : 0xb1ef2000 0x00004000 "\SystemRoot\system32\DRIVERS\asyncmac.sys"
    .\debug.cpp(256) : 0xb1bca000 0x0002b000 "\SystemRoot\system32\drivers\kmixer.sys"
    .\debug.cpp(256) : 0x7c900000 0x000b2000 "\WINDOWS\system32\ntdll.dll"
    .\debug.cpp(256) : 0x10000000 0x00246000 "\Program Files\DAEMON Tools Lite\Engine.dll"
    .\debug.cpp(263) : **********************************************
    .\debug.cpp(307) : *** [ DEVICE OBJECTS INFORMATION ] ***********
    .\debug.cpp(308) : **********************************************
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_041e&Pid_4034#5&2f245085&0&1#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\D:"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDIS"
    .\debug.cpp(400) : Destination "\Device\Ndis"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi3:"
    .\debug.cpp(400) : Destination "\Device\Scsi\asnlvldr1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY1"
    .\debug.cpp(400) : Destination "\Device\Video0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{F2786CDC-3D5F-41F5-AEA7-1B2C5F80F558}"
    .\debug.cpp(400) : Destination "\Device\{F2786CDC-3D5F-41F5-AEA7-1B2C5F80F558}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ffbb6e3f-ccfe-4d84-90d9-421418b03a8e}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY2"
    .\debug.cpp(400) : Destination "\Device\Video1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{71985f4a-1ca1-11d3-9cc8-00c04f7971e0}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{95F3E431-4118-4346-87C2-556B28BC457C}"
    .\debug.cpp(400) : Destination "\Device\{95F3E431-4118-4346-87C2-556B28BC457C}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPPOEMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000032"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_23#_1#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmIoDaemon"
    .\debug.cpp(400) : Destination "\Device\DmControl\DmIoDaemon"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0C#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000042"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ip"
    .\debug.cpp(400) : Destination "\Device\Ip"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0F13#4&1e5e1293&0#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000064"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY3"
    .\debug.cpp(400) : Destination "\Device\Video2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\E:"
    .\debug.cpp(400) : Destination "\Device\CdRom2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0662&SUBSYS_105B0DF2&REV_1001#4&2c9307f7&0&0201#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000070"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPSECDev"
    .\debug.cpp(400) : Destination "\Device\IPSEC"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCSI#CdRom&Ven_QFK&Prod_MZOHAJ4HE&Rev_1.03#5&36e5972&0&010#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Scsi\asnlvldr1Port3Path0Target1Lun0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_19d2&Pid_0031&MI_01#6&28dd5ef7&0&0001#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"
    .\debug.cpp(400) : Destination "\Device\0000007c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\avgio"
    .\debug.cpp(400) : Destination "\Device\avgio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY4"
    .\debug.cpp(400) : Destination "\Device\Video3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB20#4&97309fc&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANIP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000031"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{98d80fc2-f183-11de-93d6-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\Floppy0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{eeab7790-c514-11d1-b42b-00805fc1270e}#asyncmac#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#0000000a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDPROXY"
    .\debug.cpp(400) : Destination "\Device\NDProxy"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9aa4a2cc-81e0-4cfd-802f-0f74526d2bd3}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCSI#CdRom&Ven_QFK&Prod_MZOHAJ4HE&Rev_1.03#5&36e5972&0&010#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Scsi\asnlvldr1Port3Path0Target1Lun0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0662&SUBSYS_105B0DF2&REV_1001#4&2c9307f7&0&0201#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000070"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_19d2&Pid_0031&MI_01#6&28dd5ef7&0&0001#{c88e99de-6905-47d6-ae7e-a110aa903b98}"
    .\debug.cpp(400) : Destination "\Device\0000007c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_27C9&SUBSYS_0DF2105B&REV_01#3&2411e6fe&0&E9#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0006"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3c0d501a-140b-11d1-b40f-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{fd0a5af4-b41d-11d2-9c95-00c04f7971e0}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{DB7D22B0-B0B3-4C85-B18D-EFD86309BC96}"
    .\debug.cpp(400) : Destination "\Device\{DB7D22B0-B0B3-4C85-B18D-EFD86309BC96}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\RdpDrDvMgr"
    .\debug.cpp(400) : Destination "\Device\RdpDrDvMgr"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{0d40596c-f9f9-11de-93f2-00226861af02}"
    .\debug.cpp(400) : Destination "\Device\CdRom2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&37bf52fa&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WMIDataDevice"
    .\debug.cpp(400) : Destination "\Device\WMIDataDevice"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\F:"
    .\debug.cpp(400) : Destination "\Device\CdRom1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM1"
    .\debug.cpp(400) : Destination "\Device\Serial0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#8&2942c0c1&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHP_DVD_Writer_200j______________________1.36____#5&210095b5&0&0.0.0#{1186654d-47b8-48b9-beb9-7df113ae3c67}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP0T0L0-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{dff220f3-f70f-11d0-b917-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\avgntflt"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\avgntflt"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0303#4&1e5e1293&0#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000065"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev0"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_23#_0#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
    .\debug.cpp(400) : Destination "\Device\00000040"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PIPE"
    .\debug.cpp(400) : Destination "\Device\NamedPipe"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c5066e-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{2eb07ea0-7e70-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0662&SUBSYS_105B0DF2&REV_1001#4&2c9307f7&0&0201#{dda54a40-1e4c-11d1-a050-405705c10000}"
    .\debug.cpp(400) : Destination "\Device\00000070"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_041e&Pid_4034#5&2f245085&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev1"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\G:"
    .\debug.cpp(400) : Destination "\Device\CdRom3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PSched"
    .\debug.cpp(400) : Destination "\Device\PSched"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_19d2&Pid_0031&MI_03#6&28dd5ef7&0&0003#{c88e99de-6905-47d6-ae7e-a110aa903b98}"
    .\debug.cpp(400) : Destination "\Device\0000007e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\UNC"
    .\debug.cpp(400) : Destination "\Device\Mup"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev2"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPNAT"
    .\debug.cpp(400) : Destination "\Device\IPNAT"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_0622&SUBSYS_00000000&REV_A1#4&b5a4e3&0&0008#{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0015"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{0a4252a0-7e70-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{DF1210A4-888C-493B-9A6C-295CAA888F3A}"
    .\debug.cpp(400) : Destination "\Device\{DF1210A4-888C-493B-9A6C-295CAA888F3A}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\GEARAspiWDMDevice"
    .\debug.cpp(400) : Destination "\Device\GEARAspiWDMDevice"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD0"
    .\debug.cpp(400) : Destination "\Device\USBFDO-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgrMsg"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgrMsg"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_19d2&Pid_0031&MI_03#6&28dd5ef7&0&0003#{2c7089aa-2e0e-11d1-b114-00c04fc2aae4}"
    .\debug.cpp(400) : Destination "\Device\0000007e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev3"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Tcp"
    .\debug.cpp(400) : Destination "\Device\Tcp"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0510#4&1e5e1293&0#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000063"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#Disk&Ven_ZTE&Prod_MMC_Storage&Rev_2.31#7&a37a6e2&0&P673A3H3GD010000&1#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000082"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\LCD"
    .\debug.cpp(400) : Destination "\Device\VideoPdo0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM6"
    .\debug.cpp(400) : Destination "\Device\QCUSB_COM6_1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_19d2&Pid_0031#P673A3H3GD010000#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_041e&Pid_4034#5&2f245085&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev4"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_27CA&SUBSYS_0DF2105B&REV_01#3&2411e6fe&0&EA#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0007"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD1"
    .\debug.cpp(400) : Destination "\Device\USBFDO-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PTIMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000037"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM7"
    .\debug.cpp(400) : Destination "\Device\QCUSB_COM7_1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\RivaTuner32"
    .\debug.cpp(400) : Destination "\Device\RivaTuner32"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PRN"
    .\debug.cpp(400) : Destination "\DosDevices\LPT1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive0"
    .\debug.cpp(400) : Destination "\Device\Harddisk0\DR0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev5"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{CFBB1CE9-9D90-48E1-8F64-1D73673E738B}"
    .\debug.cpp(400) : Destination "\Device\{CFBB1CE9-9D90-48E1-8F64-1D73673E738B}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD2"
    .\debug.cpp(400) : Destination "\Device\USBFDO-2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{cf1dda2c-9743-11d0-a3ee-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{53172480-4791-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\H:"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\sysaudio"
    .\debug.cpp(400) : Destination "\Device\sysaudio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive1"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DR2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM8"
    .\debug.cpp(400) : Destination "\Device\QCUSB_COM8_1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\fsWrap"
    .\debug.cpp(400) : Destination "\Device\FsWrap"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev6"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD3"
    .\debug.cpp(400) : Destination "\Device\USBFDO-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{97ebaacb-95bd-11d0-a3ea-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000034"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom0"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{ba33b750-f182-11de-918d-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FDC#GENERIC_FLOPPY_DRIVE#5&278ba93&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\FloppyPDO0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev7"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD4"
    .\debug.cpp(400) : Destination "\Device\USBFDO-4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom1"
    .\debug.cpp(400) : Destination "\Device\CdRom1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MipIrpFlt"
    .\debug.cpp(400) : Destination "\Device\MipIrpFlt"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&Signature41524151Offset7E00Length3A380D0200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHP_DVD_Writer_200j______________________1.36____#5&210095b5&0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP0T0L0-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_041e&Pid_4034#5&2f245085&0&1#{6bdd1fc6-810f-11d0-bec7-08002be2092f}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev8"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd8"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom2"
    .\debug.cpp(400) : Destination "\Device\CdRom2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#FixedButton#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000047"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Global"
    .\debug.cpp(400) : Destination "\GLOBAL??"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{EA2CEE46-255E-4BE2-AF5F-C5BDE4BC7CFF}"
    .\debug.cpp(400) : Destination "\Device\{EA2CEE46-255E-4BE2-AF5F-C5BDE4BC7CFF}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCSI#CdRom&Ven_QFK&Prod_MZOHAJ4HE&Rev_1.03#5&36e5972&0&000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Scsi\asnlvldr1Port3Path0Target0Lun0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom3"
    .\debug.cpp(400) : Destination "\Device\CdRom3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev9"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd9"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"
    .\debug.cpp(400) : Destination "\Device\00000062"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50671-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Secdrv"
    .\debug.cpp(400) : Destination "\Device\Secdrv"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#ThermalZone#THRM#{4afa3d51-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000046"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#CdRom&Ven_HSPA&Prod_USB_SCSI_CD-ROM&Rev_2.31#7&a37a6e2&0&P673A3H3GD010000&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000081"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3e227e76-690d-11d2-8161-0000f8775bf1}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#CdRom&Ven_HSPA&Prod_USB_SCSI_CD-ROM&Rev_2.31#7&a37a6e2&0&P673A3H3GD010000&0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000081"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad809c00-7b88-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9ea331fa-b91b-45f8-9285-bd2bc77afcde}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_27CC&SUBSYS_0DF2105B&REV_01#3&2411e6fe&0&EF#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0009"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{3EA2FF8F-D427-479B-BAF6-28167CFC1A36}"
    .\debug.cpp(400) : Destination "\Device\{3EA2FF8F-D427-479B-BAF6-28167CFC1A36}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNPA000#4&5d18f2df&0#{2accfe60-c130-11d2-b082-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000049"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{07dad660-22f1-11d1-a9f4-00c04fbbde8f}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{E7E2FA0E-4EC8-496C-9943-1ADE7DF4566F}"
    .\debug.cpp(400) : Destination "\Device\{E7E2FA0E-4EC8-496C-9943-1ADE7DF4566F}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#8&2942c0c1&0&RM#{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{4d36e978-e325-11ce-bfc1-08002be10318}"
    .\debug.cpp(400) : Destination "\Device\00000062"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{98d80fc3-f183-11de-93d6-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_19d2&Pid_0031&MI_00#6&28dd5ef7&0&0000#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"
    .\debug.cpp(400) : Destination "\Device\0000007b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_27CB&SUBSYS_0DF2105B&REV_01#3&2411e6fe&0&EB#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0008"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&1119f944&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MountPointManager"
    .\debug.cpp(400) : Destination "\Device\MountPointManager"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50674-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0662&SUBSYS_105B0DF2&REV_1001#4&2c9307f7&0&0201#{65e8773e-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000070"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ssmctl"
    .\debug.cpp(400) : Destination "\Device\ssmctl"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&4554f2f&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_27C8&SUBSYS_0DF2105B&REV_01#3&2411e6fe&0&E8#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0005"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_L2TPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000030"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmConfig"
    .\debug.cpp(400) : Destination "\Device\DmControl\DmConfig"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCSI#CdRom&Ven_QFK&Prod_MZOHAJ4HE&Rev_1.03#5&36e5972&0&000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Scsi\asnlvldr1Port3Path0Target0Lun0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WanArp"
    .\debug.cpp(400) : Destination "\Device\WANARP"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHP_DVD_Writer_200j______________________1.36____#5&210095b5&0&0.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP0T0L0-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev10"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd10"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0662&SUBSYS_105B0DF2&REV_1001#4&2c9307f7&0&0201#{86841137-ed8e-4d97-9975-f2ed56b4430e}"
    .\debug.cpp(400) : Destination "\Device\00000070"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#ftdisk#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000003"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_041e&Pid_4034#5&2f245085&0&1#{fb6c428a-0353-11d1-905f-0000c0cc16ba}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev11"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd11"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmTrace"
    .\debug.cpp(400) : Destination "\Device\DmControl\DmTrace"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\A:"
    .\debug.cpp(400) : Destination "\Device\Floppy0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev12"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd12"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&22500a87&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISWANIP"
    .\debug.cpp(400) : Destination "\Device\NdisWanIp"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#dmio#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ASYNCMAC"
    .\debug.cpp(400) : Destination "\Device\ASYNCMAC"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{bf963d80-c559-11d0-8a2b-00a0c9255ac1}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{fbf6f530-07b9-11d2-a71e-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_19d2&Pid_0031&MI_00#6&28dd5ef7&0&0000#{c88e99de-6905-47d6-ae7e-a110aa903b98}"
    .\debug.cpp(400) : Destination "\Device\0000007b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi0:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev20"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd20"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev13"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd13"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev21"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd21"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev14"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd14"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev22"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd22"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev15"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd15"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{4747b320-62ce-11cf-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPTPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000033"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK1"
    .\debug.cpp(400) : Destination "\Device\ParTechInc0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{2706c302-f212-11de-93db-00226861af02}"
    .\debug.cpp(400) : Destination "\Device\CdRom1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{a7c7a5b1-5af3-11d1-9ced-00a024bf0407}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISTAPI"
    .\debug.cpp(400) : Destination "\Device\NdisTapi"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NdisWan"
    .\debug.cpp(400) : Destination "\Device\NdisWan"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AscKmd"
    .\debug.cpp(400) : Destination "\Device\AscKmd"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#DiskSTM3250318AS____________________________CC37____#5&18134b26&0&0.1.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T1L0-e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi1:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev16"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd16"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPMULTICAST"
    .\debug.cpp(400) : Destination "\Device\IPMULTICAST"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK2"
    .\debug.cpp(400) : Destination "\Device\ParTechInc1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmLoader"
    .\debug.cpp(400) : Destination "\Device\DmLoader"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Shadow"
    .\debug.cpp(400) : Destination "\Device\LanmanRedirector"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev17"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd17"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK3"
    .\debug.cpp(400) : Destination "\Device\ParTechInc2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ZTE Proprietary USB Modem"
    .\debug.cpp(400) : Destination "\Device\0000007e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgr"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgr"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev18"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd18"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_IRDAMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000002f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FtControl"
    .\debug.cpp(400) : Destination "\Device\FtControl"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MAILSLOT"
    .\debug.cpp(400) : Destination "\Device\MailSlot"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AUX"
    .\debug.cpp(400) : Destination "\DosDevices\COM1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev19"
    .\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd19"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{d6b3fad6-ca65-11df-958e-9db6baff5083}"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{d6b3fad5-ca65-11df-958e-9db6baff5083}"
    .\debug.cpp(400) : Destination "\Device\CdRom3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT"
    .\debug.cpp(400) : Destination ""
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ndisuio"
    .\debug.cpp(400) : Destination "\Device\Ndisuio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\0000003a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi2:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NUL"
    .\debug.cpp(400) : Destination "\Device\Null"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000039"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\avipbb"
    .\debug.cpp(400) : Destination "\Device\avipbb"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmInfo"
    .\debug.cpp(400) : Destination "\Device\DmControl\DmInfo"
    .\debug.cpp(409) : --
    .\debug.cpp(453) : **********************************************
    .\boot_cleaner.cpp(565) : System volume is \\.\C:
    .\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    .\boot_cleaner.cpp(276) : Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd
    .\boot_cleaner.cpp(1060) :
    .\boot_cleaner.cpp(1061) : Size Device Name MBR Status
    .\boot_cleaner.cpp(1062) : --------------------------------------------
    .\boot_cleaner.cpp(1106) : 232 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
    .\boot_cleaner.cpp(1112) :
    .\boot_cleaner.cpp(1151) : Done;

    ###########################
  6. Asimov

    Asimov Newcomer, in training Topic Starter Posts: 22

    Combofix log:

    ComboFix 11-04-14.03 - Dan 04/15/2011 14:52:29.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1595 [GMT 1:00]
    Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-15 to 2011-04-15 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-15 13:39 . 2011-04-15 13:39 -------- d-----w- c:\windows\LastGood
    2011-04-14 22:14 . 2011-04-14 22:31 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-04-13 21:39 . 2011-04-13 21:39 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-04-13 16:14 . 2011-04-13 16:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
    2011-04-13 16:10 . 2011-04-13 16:10 -------- d-----w- c:\documents and settings\Dan\Application Data\Malwarebytes
    2011-04-13 16:10 . 2011-04-13 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-04-13 16:10 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-13 16:09 . 2011-04-13 16:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-04-13 16:09 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-12 19:38 . 2011-04-12 19:38 -------- d-----w- c:\documents and settings\Administrator\PrivacIE
    2011-04-12 19:25 . 2011-04-12 19:25 -------- d-----w- c:\program files\Common Files\Java
    2011-04-07 19:12 . 2011-04-12 22:10 -------- d-----w- c:\documents and settings\Dan\Application Data\DivX
    2011-04-07 19:00 . 2011-04-12 22:10 -------- d-----w- c:\program files\DivX
    2011-04-07 18:57 . 2011-04-12 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
    2011-03-24 23:17 . 2011-03-24 23:17 83249512 ----a-w- c:\program files\Common Files\Windows Live\.cache\wlc48.tmp
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-21 14:44 . 2008-04-14 04:42 439296 ----a-w- c:\windows\system32\shimgvw.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe" [2009-08-22 2781184]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12669544]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "PD0620 STISvc"="P0620Pin.dll" [2005-05-10 36864]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    .
    c:\documents and settings\Dan\Start Menu\Programs\Startup\
    Registration Heroes of Might & Magic 5.LNK - c:\program files\Ubisoft\Heroes of Might and Magic V\registration\RegistrationReminder.exe [2011-1-24 868352]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    "nwiz"=nwiz.exe /installquiet
    "RTHDCPL"=RTHDCPL.EXE
    "Alcmtr"=ALCMTR.EXE
    "PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
    "XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
    "NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    "KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
    "NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    "DXDllRegExe"=c:\windows\system32\dxdllreg.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Codemasters\\DiRT2\\dirt2_game.exe"=
    "c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=
    .
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/26/2009 12:13 AM 691696]
    R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [8/11/2010 10:28 PM 2855440]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/7/2010 8:09 PM 108289]
    R2 BecHelperService;BecHelperService;c:\program files\3 Mobile Broadband\3Connect\BecHelperService.exe [9/27/2010 7:35 PM 1737464]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/12/2010 8:23 PM 135664]
    S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [12/10/2009 3:39 AM 65536]
    S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [8/11/2010 10:28 PM 73728]
    S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [9/27/2010 7:34 PM 9216]
    S3 U400bus;LGE U400 driver (WDM);c:\windows\system32\drivers\U400bus.sys [8/27/2010 10:45 PM 61440]
    S3 U400mdfl;LGE U400 USB WMC Modem Filter;c:\windows\system32\drivers\U400mdfl.sys [8/27/2010 10:45 PM 9264]
    S3 U400mdm;LGE U400 USB WMC Modem Driver;c:\windows\system32\drivers\U400mdm.sys [8/27/2010 10:45 PM 96960]
    S3 U400mgmt;LGE U400 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\U400mgmt.sys [8/27/2010 10:45 PM 88528]
    S3 U400obex;LGE U400 USB WMC OBEX Interface;c:\windows\system32\drivers\U400obex.sys [8/27/2010 10:45 PM 86336]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-12 19:23]
    .
    2011-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-12 19:23]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Connection Wizard,ShellNext = iexplore
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-15 14:54
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1390067357-220523388-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:5e,be,06,e1,95,12,f8,54,06,63,69,4f,cd,7e,b9,7a,98,6c,e1,29,a9,a1,ee,
    e9,17,1a,81,b1,c2,31,d1,0a,4a,a5,ec,89,33,a4,23,24,17,95,54,5f,de,1a,43,d9,\
    "??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
    .
    [HKEY_USERS\S-1-5-21-1390067357-220523388-725345543-1003\Software\SecuROM\License information*]
    "datasecu"=hex:02,28,6a,1f,6d,8a,15,98,a4,3d,3a,e4,5f,85,f2,7d,c2,d0,1d,cc,91,
    f0,8c,34,7d,71,13,c0,79,3c,e1,ce,47,5f,43,73,62,8b,e5,7f,2c,d2,08,31,dd,5e,\
    "rkeysecu"=hex:8f,e6,f9,2e,39,4a,ee,29,f1,5e,3d,dd,32,c3,d0,1b
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2736)
    c:\windows\system32\WININET.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-04-15 14:55:59
    ComboFix-quarantined-files.txt 2011-04-15 13:55
    .
    Pre-Run: 185,935,450,112 bytes free
    Post-Run: 185,939,931,136 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 66CA4282347E4FEE68A4A12100913CBA
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Question: Have you or the Administrator intentionally disabled the startup of some programs using a Registry Edit?
  8. Asimov

    Asimov Newcomer, in training Topic Starter Posts: 22

    Not intentionally no. Before finding this site I did do a registry check through CCLeaner, however I did a system restore after reading the 8 point checklist.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    My suggestion is to remove CCleaner. You don't need a program that cleans the Registry! It is safer to have a program like TFC.

    I would also like to recommend that you uninstall Emsisoft Anti-Malware 5.0 It is reviewed to find malware well but fails in the removal of it. It also erroneously flagged several valid programs as specific, named malware, and its behavior-based detection kills both good and bad programs.

    I will be glad to give you recommendations for other security programs.
    =====================================
    The processes below are what I'm referring to as being disabled to start:
    It you don't want programs to start on boot, they can be unchecked on the Startup menu using msconfig. The above would appear to stop the programs from running at all.
    ======================================
    Please update Java: Check this site .Java Updates Uninstall Java v6u17 and any other earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

    I'll be back in the morning with script to run in Combofix. Let me know about those disabled programs.
  10. Asimov

    Asimov Newcomer, in training Topic Starter Posts: 22

    I've removed Emisoft Anti malware and the old version of Java as recommended. However.. following automatic updates installed last night, I now have a windows validation error which says my version of windows did not pass genuine Windows Validation. I have the blue star in my task bar and a microsoft logo on my desktop.

    I've run a microsoft genuine advantage diagnostic tool and it's confirmed that my product key is now blocked.

    Is there anything I can do about this?

    Also with reference to the disabled programs I can confirm I've never used msconfig to prevent programs from starting on boot.
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Well, it is still morning by 2 minutes!

    Do you know what the update was that installed last night? Did the validation error show up before or after the install? Check the Add/Remove Programs in the Control Panel. be sure 'show updates' at the top is checked. Find the last update and give me the number.
    ====================================
    To remove entries from the Startup Menu using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
      [​IMG]
    • Click on Selective Startup
    • Choose the Startup tab:
      [​IMG]
      All images courtesy NetSquirrel
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    • Uncheck any processes you don't want to start on boot.f
    • Click on Apply> OK when finished.
    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Remain in Selective Startup to retain those changes.
    ====================================
    Please run this scan:
    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
      in your next reply.
    =====================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\zdcndis5.sys
    c:\program files\common files\windows live\.cache\wlc48.tmp
    c:\program files\emsisoft anti-malware\a2service.exe 
    Folder::
    C:\TDSSKiller_Quarantine
    DDS::
    StartupFolder: c:\docume~1\dan\startm~1\programs\startup\regist~1.lnk - c:\program files\ubisoft\heroes of might and magic v\registration\RegistrationReminder.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    
    RegNull::
    [HKEY_USERS\S-1-5-21-1390067357-220523388-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    [HKEY_USERS\S-1-5-21-1390067357-220523388-725345543-1003\Software\SecuROM\License information*]
    Driver::
    ZDCndis5
    a2AntiMalware
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    You might want to read up on this in Google News: Internet poker houses charged with fraud. PokerStars is included:
    http://www.bloomberg.com/news/2011-...rged-with-fraud-money-laundering-by-u-s-.html
     
  12. Asimov

    Asimov Newcomer, in training Topic Starter Posts: 22

    Logs from CKScanner and ComboFix are below.

    There were 21 updates installed, from the Microsoft website it appears 20 of them were security updates to prevent remote attacks - I wonder if the rootkit had been preventing these from being downloaded. The one relevant to the verification issue is the following:

    "Update for Windows XP (KB2524375) Brief Description

    --------------------------------------------------------------------------------
    Install this update to resolve an issue which requires an update to the certificate revocation list on Windows systems and to keep your systems certificate list up to date."

    This has resulted in WfaTray.exe being run on startup which pastes a 'genuine microsoft logo' permanently on my desktop and pop ups at regular intervals.

    The good news is that there are no further signs of any infection and firewall + antivirus are on as normal at startup.

    Thanks for the info on the poker sites by the way, very interesting.

    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\program files\partygaming\partycasino\language\en_us\images\flashlobby\lobby\safecrackerkeno.swf
    c:\program files\partygaming\partycasino\language\en_us\images\flashlobby\lobby\safecrackerkeno_popup.swf
    c:\program files\ubisoft\heroes of might and magic v\editor\iconcache\advmapobjectlink\mapobjects\_(advmapobjectlink)\objects-lava\lavacracks\lavacrack3x2_1
    c:\program files\ubisoft\heroes of might and magic v\editor\iconcache\advmapobjectlink\mapobjects\_(advmapobjectlink)\objects-lava\lavacracks\lavacrack3x2_2
    c:\program files\ubisoft\heroes of might and magic v\editor\iconcache\advmapobjectlink\mapobjects\_(advmapobjectlink)\objects-lava\lavacracks\lavacrack3x2_3
    c:\program files\ubisoft\heroes of might and magic v\editor\iconcache\advmapobjectlink\mapobjects\_(advmapobjectlink)\objects-lava\lavacracks\lavacrack3x2_4
    c:\program files\ubisoft\heroes of might and magic v\editor\iconcache\advmapobjectlink\mapobjects\_(advmapobjectlink)\objects-lava\lavacracks\lavacrack5x3_1
    c:\program files\ubisoft\heroes of might and magic v\editor\iconcache\advmapobjectlink\mapobjects\_(advmapobjectlink)\objects-lava\lavacracks\lavacrack5x3_2
    c:\program files\ubisoft\heroes of might and magic v\editor\iconcache\advmapobjectlink\mapobjects\_(advmapobjectlink)\objects-lava\lavacracks\lavacrack5x3_3
    c:\program files\ubisoft\heroes of might and magic v\editor\iconcache\advmapobjectlink\mapobjects\_(advmapobjectlink)\objects-lava\lavacracks\lavacrack5x3_4
    c:\program files\ubisoft\heroes of might and magic v\editor\iconcache\advmapobjectlink\mapobjects\_(advmapobjectlink)\objects-lava\lavacracks\lavacrack7x2_1
    c:\program files\ubisoft\heroes of might and magic v\editor\iconcache\advmapobjectlink\mapobjects\_(advmapobjectlink)\objects-lava\lavacracks\lavacrack7x4_1
    c:\program files\ubisoft\heroes of might and magic v\editor\iconcache\advmapobjectlink\mapobjects\_(advmapobjectlink)\objects-lava\lavacracks\lavacrack7x5_1
    c:\program files\ubisoft\heroes of might and magic v\editor\iconcache\advmaptile\mapobjects\_(advmaptile)\sand\sand_cracked
    scanner sequence 3.IE.11
    ----- EOF -----

    ####################

    ComboFix 11-04-15.06 - Dan 04/16/2011 18:28:58.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1564 [GMT 1:00]
    Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Dan\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    FILE ::
    "c:\program files\common files\windows live\.cache\wlc48.tmp"
    "c:\program files\emsisoft anti-malware\a2service.exe"
    "c:\windows\system32\zdcndis5.sys"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\docume~1\dan\startm~1\programs\startup\regist~1.lnk
    c:\program files\common files\windows live\.cache\wlc48.tmp
    c:\program files\ubisoft\heroes of might and magic v\registration\RegistrationReminder.exe
    C:\TDSSKiller_Quarantine
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\mbr0000\object.ini
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\mbr0000\tsk0000.dta
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\mbr0000\tsk0000.ini
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\object.ini
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\object.ini
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0000.dta
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0000.ini
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0001.dta
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0001.ini
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0002.dta
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0002.ini
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0003.dta
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0003.ini
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0004.dta
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0004.ini
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0005.dta
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0005.ini
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0006.dta
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0006.ini
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0007.dta
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0007.ini
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0008.dta
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0008.ini
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0009.dta
    c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0009.ini
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\mbr0000\object.ini
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\mbr0000\tsk0000.dta
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\mbr0000\tsk0000.ini
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\object.ini
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\object.ini
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0000.dta
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0000.ini
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0001.dta
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0001.ini
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0002.dta
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0002.ini
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0003.dta
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0003.ini
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0004.dta
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0004.ini
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0005.dta
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0005.ini
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0006.dta
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0006.ini
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0007.dta
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0007.ini
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0008.dta
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0008.ini
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0009.dta
    c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0009.ini
    c:\tdsskiller_quarantine\14.04.2011_23.30.54\susp0000\object.ini
    c:\tdsskiller_quarantine\14.04.2011_23.30.54\susp0000\svc0000\object.ini
    c:\tdsskiller_quarantine\14.04.2011_23.30.54\susp0000\svc0000\tsk0000.dta
    c:\tdsskiller_quarantine\14.04.2011_23.30.54\susp0000\svc0000\tsk0000.ini
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_ZDCndis5
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-16 to 2011-04-16 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-16 15:13 . 2011-04-16 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2011-04-16 14:49 . 2011-04-16 14:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-04-16 14:49 . 2011-04-16 14:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-04-16 14:13 . 2011-04-16 14:13 -------- d-----w- c:\windows\LastGood.Tmp
    2011-04-16 13:57 . 2011-04-16 13:57 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-04-15 19:12 . 2011-04-16 13:56 -------- d-----w- c:\program files\Mozilla Firefox(2)
    2011-04-13 16:14 . 2011-04-13 16:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
    2011-04-13 16:10 . 2011-04-13 16:10 -------- d-----w- c:\documents and settings\Dan\Application Data\Malwarebytes
    2011-04-13 16:10 . 2011-04-13 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-04-13 16:10 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-13 16:09 . 2011-04-13 16:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-04-13 16:09 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-12 19:38 . 2011-04-12 19:38 -------- d-----w- c:\documents and settings\Administrator\PrivacIE
    2011-04-12 19:25 . 2011-04-12 19:25 -------- d-----w- c:\program files\Common Files\Java
    2011-04-07 19:12 . 2011-04-12 22:10 -------- d-----w- c:\documents and settings\Dan\Application Data\DivX
    2011-04-07 19:00 . 2011-04-12 22:10 -------- d-----w- c:\program files\DivX
    2011-04-07 18:57 . 2011-04-12 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-22 11:41 . 2008-04-13 23:07 385024 ----a-w- c:\windows\system32\html.iec
    2011-01-21 14:44 . 2008-04-14 04:42 439296 ----a-w- c:\windows\system32\shimgvw.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-04-16_17.24.42 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-04-16 17:32 . 2011-04-16 17:32 16384 c:\windows\temp\Perflib_Perfdata_694.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe" [2009-08-22 2781184]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12669544]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "PD0620 STISvc"="P0620Pin.dll" [2005-05-10 36864]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    "nwiz"=nwiz.exe /installquiet
    "RTHDCPL"=RTHDCPL.EXE
    "Alcmtr"=ALCMTR.EXE
    "PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
    "XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
    "NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    "KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
    "NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    "DXDllRegExe"=c:\windows\system32\dxdllreg.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Codemasters\\DiRT2\\dirt2_game.exe"=
    "c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Spotify\\spotify.exe"=
    .
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/26/2009 12:13 AM 691696]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/7/2010 8:09 PM 108289]
    R2 BecHelperService;BecHelperService;c:\program files\3 Mobile Broadband\3Connect\BecHelperService.exe [9/27/2010 7:35 PM 1737464]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/12/2010 8:23 PM 135664]
    S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [12/10/2009 3:39 AM 65536]
    S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [9/27/2010 7:34 PM 9216]
    S3 U400bus;LGE U400 driver (WDM);c:\windows\system32\drivers\U400bus.sys [8/27/2010 10:45 PM 61440]
    S3 U400mdfl;LGE U400 USB WMC Modem Filter;c:\windows\system32\drivers\U400mdfl.sys [8/27/2010 10:45 PM 9264]
    S3 U400mdm;LGE U400 USB WMC Modem Driver;c:\windows\system32\drivers\U400mdm.sys [8/27/2010 10:45 PM 96960]
    S3 U400mgmt;LGE U400 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\U400mgmt.sys [8/27/2010 10:45 PM 88528]
    S3 U400obex;LGE U400 USB WMC OBEX Interface;c:\windows\system32\drivers\U400obex.sys [8/27/2010 10:45 PM 86336]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-12 19:23]
    .
    2011-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-12 19:23]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-16 18:34
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3180)
    c:\windows\system32\WININET.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\WgaTray.exe
    c:\windows\system32\RunDLL32.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-04-16 18:35:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-04-16 17:35
    ComboFix2.txt 2011-04-16 17:25
    ComboFix3.txt 2011-04-15 13:55
    .
    Pre-Run: 184,860,106,752 bytes free
    Post-Run: 184,764,891,136 bytes free
    .
    - - End Of File - - 80DFF680AEB283DA1761B0E3A0A77714
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Ha! I can't begin to relate how interesting some of my searches are! For instance, anything with the word 'crack', 'cracked' or 'keygen' is automatically suspect. But how to enter the search word isn't always easy:
    For instance: 'lavacracks', single word, will only give me an image someone left in image shack of- guess what> cracks in lava! But Google suggests I search for Lava Cracks, a bit better because I find it's a photoshop plugin to make the textures of lava cracks. Imagine that!

    Continuing on this same line, I look for 'sand cracks'- depending entirely on which site I choose, I am told:
    1.It's the horn of the foot (Horse site)
    2. A rum/coconut drink named 'Sand in the Crack.'

    So it appears that I need to drastically modify my search> so I try this "ubisoft\heroes of might and magic v\editor\iconcache" which is what I should have started with! Please tell me you came by all of these honestly!
    ============================================
    Regarding Update for Windows XP (KB2524375): You meant you got WgaTray.exe on the Taskbar, right> I note many other had a problem with this update. You may have gotten off easy! See this thread:
    Microsoft Social TechNet
    ===========================================
    Regarding the list of run-disabled programs: Please do the following:
    1. Make sure you can open/start any of the programs.
    2. Make sure 1 or 2 are on the Start Menu. Reboot the computer. Do the programs start?
    If there is a problem starting them, I will then make a registry change with script.
    ==========================================
    Hope you don't mind my dabbling in the ridiculous! Every once in a while I have to make sure I have a sense of humor buried somewhere!
  14. Asimov

    Asimov Newcomer, in training Topic Starter Posts: 22

    No not at all it's interesting to see how much detective work is involved !

    Thanks for the link to the WgaTray thread, it was quite an easy fix in the end to prevent it from running at start up, however I guess it'll mean turning off automatic updates to prevent it reinstalling itself. Compared to problems other people have had I definitely got off lightly !

    I did what you suggested with the list of run disabled programs, making sure a couple of them were on start menu after rebooting, and they started fine.

    No other issues - however I'd be grateful for any advice on how to prevent this kind of infection in future
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    A better suggestion is one of the following:
    1. Choose 'download but don't install'- notify me first
    or
    2. Don't download OR install- notify me.

    In either of the above choices, you can check each update and decide which you want.
    The only auto-update I allow is the AV program. Nothing else is 'automatic.' I don't like programs slipping updates on to my system. It puts a bit more responsibility on the user to check, but it also stops the programs from contacting the internet every day, several times a day, looking for an update that may come only every few months! And in some cases, such as Java and the Adobe Reader, it helps you remember to uninstall the old version because the programs don't overwrite.
    =========================================
    Maybe this will remove the try icon- but you will also have to uncheck it on the Startup menu:
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\WgaTray.exe
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe
    When finished, it will produce a log for you at C:\ComboFix.txt. I do not need to see this log:
    ===================================
    Back to this group again> I did not make any change with the Registry entry, but an FYI to you>> none of these need to start on boot!
    =================================
    Looks like you may have inadvertently downloaded and installed twice:(2)
    2011-04-16 13:56 -------- d-----w- c:\program files\Mozilla Firefox.
    ===============================
    Run this last scan. After I check the log, I'll have your remove the cleaning tools. Then I will give you some security tips:
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
  16. Asimov

    Asimov Newcomer, in training Topic Starter Posts: 22

    Sorted, the annoying wgatray has disappeared. I've changed the automatic updates to notify me first and also noticed an HOURLY google toolbar update which was in scheduled updates - explains why my bandwidth would drop suddenly for a few minutes every hour.. surely hourly updates are a bit excessive?!

    Hijackthis log is below.

    With reference to those programs which you advised were not required on startup, would it be best to remove these from booting via ms config, or would you prefer to do a registry edit?

    "NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    "nwiz"=nwiz.exe /installquiet
    "RTHDCPL"=RTHDCPL.EXE
    "Alcmtr"=ALCMTR.EXE
    "PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
    "XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
    "NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    "KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
    "NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    "DXDllRegExe"=c:\windows\system32\dxdllreg.exe

    --------------------------------

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:10:15 PM, on 4/18/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\3 Mobile Broadband\3Connect\Wilog.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Dan\LOCALS~1\Temp\Rar$EX02.734\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe" /S
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Dan\Desktop\PartyPoker.lnk
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Dan\Desktop\PartyPoker.lnk
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E12A03E0-357A-4D08-9D38-720A10A03941}: NameServer = 217.171.132.1 217.171.135.1
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: BecHelperService - Unknown owner - C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe

    --
    End of file - 7040 bytes
  17. Asimov

    Asimov Newcomer, in training Topic Starter Posts: 22

    Aaaargh Avira has just identified the following virus:

    Virus or unwanted program 'JS/Dldr.FakeAV.D [virus]'
    detected in file 'C:\Documents and Settings\Dan\Local Settings\Application Data\Mozilla\Firefox\Profiles\lu58s0aq.default\Cache\9\39\0FE7Ed01.
    Action performed: Move file to quarantine

    I don't know if it's related, but Windows Firewall is temporarily disabled at startup for about a minute, at which point it then turns itself back on.

    Stubborn little infection isn't it...
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    About the Google Toolbar Notifier. I can't count how many times I've killed that updater! The very idea that a search toolbar needs to be in constant contact with the internet looking for updates is beyond me! I've seriously even considered removing it at times!

    About Avast finding the JS 'virus': This is no biggie- you do have an antivirus program to both prevent and remove viruses. Please do the following for this:
    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [​IMG]
      [3].Click Settings under Temporary Internet Files.The Temporary Files Settings dialog box appears.
      [4] Click Delete Files.The Delete Temporary Files dialog box appears.
      [​IMG]
      There are three options on this window to clear the cache.Check all.
    • . Delete Files
    • .View Applications
    • .View Applets
      [5]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply> OK on Temporary Files Settings window.
    Note: If you want to delete a specific application and applet from the cache, click on View Application and View Applet options respectively.
    =======================================
    Some help here, you finish with msconfig.
    ======================================
    Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Dan\Desktop\PartyPoker.lnk
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Dan\Desktop\PartyPoker.lnk
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe


    Close all Windows except HijackThis and click on "Fix Checked."
    =====================================
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Start> run type in services.msc> enter> Find each of the following and set Startup Type as given:
    • gupdate> Disable> Stop Service
    • iPod> Manual
    • Java Quick Start (jqs)> Disable> Stop Service
    • NMIIndexing> Disable> Stop Service
    • nvsvc> Manual
    • pgsql-8.3> Manual
      When finished, exit Services
      Reboot into Normal Mode.
    ==============================================
    To keep the processes you checked above in HijackThis from starting on boot, use msconfig to uncheck the entries on the Startup Menu. Then rescan with Combofix and if there are any entries still loading on boot, I'll remove them.
    ===============================================
    Take auto-startups off programs as follows:
    Use Windows Explorer> Windows key + E> My computer> Double click on Local Drive(C)> Programs> find the following and change as given:
    ADOBE READER:
    [1]. Use msconfig to UNCHECK all; Adobe Reader entries> Apply> OK
    [2]. Open the Adobe Reader and Disable all Toolbars-unless you use the PDF feature frequently.
    [3]. Change the Adobe LM Service to Manual Startup.
    JAVA:
    [1] UNCHECK all Java entries on the Startup menu: Start> Run> msconfig> enter> Selective Startup Startup tab.
    [2] Open IE> Tools> Manage add-ons> right click on Java (tm) Plug-In 2 SSV Helper' (jp2ssv.dll> Click on and Disable Java Plugin2 and Java Quick Start.
    [3] Stop auto update:. Control Panel> Java> Update tab> UNCHECK 'check automatically for updates'> Apply> Click YES when asked to confirm> OK
    QUICK TIME
    [1]. Use msconfig to UNCHECK any QuickTime entries on Startup> Apply> OK
    [2]. Disable tray icon: Right-click on the icon and select QuickTime Preferences > Browser Plugin. Clear the check box next to "QuickTime system tray icon," and then close the settings box. The icon won't appear anymore.
    [3]. Rename the qttask.exe file: Right click on Start> Explore> Programs> QuickTime directory> right click on qttask.exe> rename to qttask.exeold.
    ITUNES Big resource user!
    iTunesHelper.exe
    Background task installed by Apple's iTunes music player and also by version 7 of QuickTime which now comes inseparably bundled with iTunes. It is thought that this task used to be a 3rd party add-on program in the early days of Apple's iPod when its iTunes software was incompatible with many CD-Writers. This task does not need to be installed as a startup since iTunes starts it up anyway when it needs it.
    1. UNCHECK on Startup menu using msconfig. It uses nearly 6MB of memory.
  19. Asimov

    Asimov Newcomer, in training Topic Starter Posts: 22

    Excellent that's done the trick, Firewall is now on straight away on start up, Google update, itunes helper and all their memory hogging friends have all disappeared too, confirmed by Combofix - notable decrease in time taken to start up as well.

    Thank you for all your help Bobbye you've been a massive help. Any last steps I should be taking now everything's sorted?
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You are very welcome! Last steps- you bet!
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.[/img]
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      [*]Choose Disc Cleanup
      [*]Click "OK" to select the partition or drive you want.
      [*]Click the "More Options" Tab.
      [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    Empty the Recycle Bin
    ================================
    And to help keep it clean: Tips for added security and safer browsing: (Links are in Bold Blue)
    1. Browser Security
      [o] Safe Settings
      [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
      [o] Replace the Host Files
      [o] Google Toolbar Pop Up Blocker
      [o]Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
    2. Have layered Security:
      [o]Antivirus :(only one):Both of the following programs are free and known to be good:
      [o]Avira-AntiVir-Personal-Free-Antivirus
      [o]Avast Free Version
      [o]Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    3. Antimalware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX.
      [o]Spybot Search & Destroy
    4. Updates: Stay current:
      [o] the Microsoft Download Sitefrequently. All updates marked Critical and the current SP updates.
      [o]Adobe Reader Install current, uninstall old.
      [o]Java Updates Install current, uninstall old.
    5. Tracking Cookies
      Reset Cookie:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    6. Do regular Maintenance
      [o] Temporary File Cleaner
    7. Restore Points:
      [o]See System Restore Guide
    8. Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Safe to your desktop and scan for viruses using a right click
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Please let me know if you find any bad link.
  21. Asimov

    Asimov Newcomer, in training Topic Starter Posts: 22

    Excellent! Job done.

    Just one little issue with the [o]Spybot Search & Destroy link, in that it was the April update rather than the full program, but everything else spot on.

    Once again thanks for all your help Bobbye, much appreciated !
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.