also @ TechSpot: Exploit allows command prompt to launch at Windows 7 login screen

TechSpot

TechSpot News Products Downloads Forums

Register now for a live online demo to see how the Office 365 suite of tools
- professional email, calendars, video conferencing, and file sharing -

[Solved] TDL3 rootkit infection plus google redirect

Discussion in 'Virus and Malware Removal' started by Asimov, Apr 14, 2011.

Thread Status:: Not open for further replies.

Page 1 of 2

Asimov Newcomer, in training

plus recurring HTML script virus (Gerico.ffd) and WIN32 errors - help ! Avira and Malwarebytes have quarantined numerous trojan spywares and one of the programs used in the 8 point checklist suggest a rootkit infection. Firewall automatically turned off and Internet explorer closes after a few minutes of use.

Here are the logs of the downloaded programs, any help gratefully received:

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit quick scan 2011-04-14 19:13:38
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort1 STM3250318AS rev.CC37
Running: dyn1rppi.exe; Driver: C:\DOCUME~1\Dan\LOCALS~1\Temp\kwroipob.sys

---- System - GMER 1.0.15 ----

SSDT spwt.sys ZwEnumerateKey [0xB7ECDDA4]
SSDT spwt.sys ZwEnumerateValueKey [0xB7ECE132]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8A2B827F
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A2B827F
Device \Driver\atapi \Device\Ide\IdePort0 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A2B827F
Device \Driver\atapi \Device\Ide\IdePort1 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A2B827F
Device \Driver\atapi \Device\Ide\IdePort2 [B7E09B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\a0ibbuzp \Device\Scsi\a0ibbuzp1Port3Path0Target1Lun0 8A0891F8
Device \Driver\a0ibbuzp \Device\Scsi\a0ibbuzp1 8A0891F8
Device \Driver\a0ibbuzp \Device\Scsi\a0ibbuzp1Port3Path0Target0Lun0 8A0891F8
Device \FileSystem\Ntfs \Ntfs 8A4121F8

AttachedDevice \Driver\Tcpip \Device\Ip mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Tcp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Udp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\RawIp mdvrmng.sys

Device \Device\Ide\IdeDeviceP1T1L0-e -> \??\IDE#DiskSTM3250318AS____________________________CC37____#5&18134b26&0&0.1.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----

#######################

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6351

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/13/2011 5:15:41 PM
mbam-log-2011-04-13 (17-15-41).txt

Scan type: Quick scan
Objects scanned: 184340
Time elapsed: 3 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\winntse.bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.
c:\ksdfghk.Bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Dan\local settings\Temp\0.5326623992007813.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\documents and settings\Dan\local settings\Temp\jar_cache6136635655882958112.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\0.6587413872770643.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\0.9674578634173698.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\winntse.bin\config.bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.
c:\ksdfghk.Bin\config.bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6351

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/13/2011 6:21:28 PM
mbam-log-2011-04-13 (18-21-28).txt

Scan type: Full scan (C:\|)
Objects scanned: 268532
Time elapsed: 55 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\networkservice\application data\Sun\Java\deployment\cache\6.0\12\1e3ae18c-2bbcf9b9 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\Sun\Java\deployment\cache\6.0\12\1e3ae18c-6c53a5b7 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6351

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/14/2011 6:47:28 PM
mbam-log-2011-04-14 (18-47-28).txt

Scan type: Quick scan
Objects scanned: 181953
Time elapsed: 2 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\ksdfghk.Bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.

Files Infected:
c:\ksdfghk.Bin\config.bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.

#########################

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Dan at 19:16:47.04 on Thu 04/14/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1476 [GMT 1:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\3 Mobile Broadband\3Connect\Wilog.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dan\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [RivaTunerStartupDaemon] "c:\program files\rivatuner v2.24 msi master overclocking arena 2009 edition\RivaTuner.exe" /S
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\dan\startm~1\programs\startup\regist~1.lnk - c:\program files\ubisoft\heroes of might and magic v\registration\RegistrationReminder.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\documents and settings\dan\desktop\PartyPoker.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {E12A03E0-357A-4D08-9D38-720A10A03941} = 217.171.132.1 217.171.135.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-7 11608]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2010-8-11 2855440]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-7 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-7 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-3-7 56816]
R2 BecHelperService;BecHelperService;c:\program files\3 mobile broadband\3connect\BecHelperService.exe [2010-9-27 1737464]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-12 135664]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2009-12-10 65536]
S3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2010-8-11 73728]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-9-27 9216]
S3 U400bus;LGE U400 driver (WDM);c:\windows\system32\drivers\U400bus.sys [2010-8-27 61440]
S3 U400mdfl;LGE U400 USB WMC Modem Filter;c:\windows\system32\drivers\U400mdfl.sys [2010-8-27 9264]
S3 U400mdm;LGE U400 USB WMC Modem Driver;c:\windows\system32\drivers\U400mdm.sys [2010-8-27 96960]
S3 U400mgmt;LGE U400 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\U400mgmt.sys [2010-8-27 88528]
S3 U400obex;LGE U400 USB WMC OBEX Interface;c:\windows\system32\drivers\U400obex.sys [2010-8-27 86336]
S3 ZDCndis5;ZDCndis5 Protocol Driver;\??\c:\windows\system32\zdcndis5.sys --> c:\windows\system32\ZDCndis5.SYS [?]
.
=============== Created Last 30 ================
.
2011-04-13 21:39:00 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-13 21:39:00 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-13 16:10:06 -------- d-----w- c:\docume~1\dan\applic~1\Malwarebytes
2011-04-13 16:10:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-13 16:10:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-13 16:09:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-13 16:09:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-07 19:00:14 -------- d-----w- c:\program files\DivX
2011-04-07 18:57:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\DivX
2011-03-24 23:17:09 83249512 ----a-w- c:\program files\common files\windows live\.cache\wlc48.tmp
.
==================== Find3M ====================
.
2011-01-24 20:00:48 1 ----a-w- c:\windows\system32\SI.bin
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: STM3250318AS rev.CC37 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T1L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A2B8439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a2be7d0]; MOV EAX, [0x8a2be84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A32FAB8]
3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006e[0x8A3319E8]
5 ACPI[0xB7E74620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A357940]
\Driver\atapi[0x8A2D3A08] -> IRP_MJ_CREATE -> 0x8A2B8439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP1T1L0-e -> \??\IDE#DiskSTM3250318AS____________________________CC37____#5&18134b26&0&0.1.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A2B827F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 19:17:52.35 ===============

##############

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/25/2009 6:45:04 PM
System Uptime: 4/14/2011 7:00:17 PM (0 hours ago)
.
Motherboard: Foxconn | | G31MV/G31MV-K
Processor: Intel Pentium III Xeon processor | Socket 775 | 2599/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 233 GiB total, 173.592 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is CDROM ()
G: is CDROM (CDFS)
H: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek PCIe FE Family Controller
Device ID: PCI\VEN_10EC&DEV_8136&SUBSYS_0DF2105B&REV_01\4&2AD917F4&0&00E1
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek PCIe FE Family Controller
PNP Device ID: PCI\VEN_10EC&DEV_8136&SUBSYS_0DF2105B&REV_01\4&2AD917F4&0&00E1
Service: RTLE8023xp
.
==== System Restore Points ===================
.
RP383: 1/12/2011 8:30:52 PM - System Checkpoint
RP384: 1/12/2011 11:44:05 PM - Software Distribution Service 3.0
RP385: 1/14/2011 8:35:05 PM - System Checkpoint
RP386: 1/16/2011 5:53:16 PM - System Checkpoint
RP387: 1/17/2011 8:18:20 PM - System Checkpoint
RP388: 1/19/2011 9:48:51 PM - System Checkpoint
RP389: 1/20/2011 10:31:40 PM - System Checkpoint
RP390: 1/22/2011 7:15:04 PM - System Checkpoint
RP391: 1/23/2011 7:28:26 PM - System Checkpoint
RP392: 1/24/2011 8:01:22 PM - Installed Heroes of Might and Magic V
RP393: 1/25/2011 9:04:18 PM - System Checkpoint
RP394: 1/26/2011 11:32:43 PM - System Checkpoint
RP395: 1/28/2011 9:18:03 PM - System Checkpoint
RP396: 1/30/2011 12:46:01 AM - System Checkpoint
RP397: 2/4/2011 8:09:54 PM - System Checkpoint
RP398: 2/7/2011 8:12:59 PM - System Checkpoint
RP399: 2/9/2011 12:19:57 AM - Software Distribution Service 3.0
RP400: 2/10/2011 7:23:57 PM - System Checkpoint
RP401: 2/11/2011 9:24:03 PM - System Checkpoint
RP402: 2/13/2011 1:29:21 AM - System Checkpoint
RP403: 2/15/2011 4:31:02 PM - Removed SAGEM Wi-Fi 11g USB adapter LAN Utility
RP404: 2/16/2011 8:47:41 PM - System Checkpoint
RP405: 2/18/2011 2:12:40 AM - Software Distribution Service 3.0
RP406: 2/20/2011 10:23:35 PM - System Checkpoint
RP407: 2/24/2011 7:48:51 PM - System Checkpoint
RP408: 2/26/2011 4:11:50 PM - System Checkpoint
RP409: 2/26/2011 7:35:40 PM - Restore Operation
RP410: 3/3/2011 10:17:48 PM - Software Distribution Service 3.0
RP411: 3/5/2011 10:21:11 PM - System Checkpoint
RP412: 3/9/2011 8:30:07 PM - System Checkpoint
RP413: 3/9/2011 11:33:23 PM - Software Distribution Service 3.0
RP414: 3/11/2011 7:41:05 PM - System Checkpoint
RP415: 3/12/2011 10:08:28 PM - System Checkpoint
RP416: 3/14/2011 7:49:07 PM - System Checkpoint
RP417: 3/17/2011 8:47:35 PM - System Checkpoint
RP418: 3/20/2011 12:51:40 PM - System Checkpoint
RP419: 3/21/2011 9:08:11 PM - System Checkpoint
RP420: 3/24/2011 12:05:01 AM - Software Distribution Service 3.0
RP421: 3/24/2011 11:19:21 PM - Installed DirectX
RP422: 3/27/2011 7:15:01 PM - System Checkpoint
RP423: 3/28/2011 10:54:53 PM - System Checkpoint
RP424: 3/30/2011 5:24:13 PM - System Checkpoint
RP425: 3/31/2011 9:27:20 PM - System Checkpoint
RP426: 4/2/2011 7:50:31 PM - System Checkpoint
RP427: 4/5/2011 6:48:03 PM - System Checkpoint
RP428: 4/7/2011 7:24:02 PM - System Checkpoint
RP429: 4/9/2011 6:28:16 PM - System Checkpoint
RP430: 4/11/2011 8:17:47 PM - Restore Operation
RP431: 4/12/2011 6:05:17 PM - Restore Operation
RP432: 4/12/2011 8:09:31 PM - Removed Java(TM) 6 Update 17
RP433: 4/12/2011 8:23:21 PM - Installed Java(TM) 6 Update 24
RP434: 4/12/2011 11:06:16 PM - Restore Operation
RP435: 4/12/2011 11:08:14 PM - Restore Operation
RP436: 4/13/2011 7:25:26 PM - reg edit
RP437: 4/13/2011 9:13:20 PM - Removed PostgreSQL 8.3
RP438: 4/13/2011 10:36:56 PM - Restore Operation
.
==== Installed Programs ======================
.
3Connect
Acrobat.com
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.3
Advanced Video FX Utility
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
Bonjour
Broken Sword Trilogy
Canon iP1900 series Printer Driver
Canon iP1900 series User Registration
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
CCleaner
Celestia 1.6.0
Creative Photo Manager
Creative WebCam Center
Creative WebCam Instant Driver (1.03.02.0425)
Creative WebCam Instant User's Guide (English)
Diablo II
DiRT2
EA SPORTS™ Rugby 08
Emsisoft Anti-Malware 5.0
Football Manager 2010
FOX ONE
Free M4a to MP3 Converter 6.2
Get Yahoo! Messenger
Google Update Helper
Heroes of Might and Magic V
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
InterActual Player
iTunes
Java(TM) 6 Update 17
Junk Mail filter update
K-Lite Codec Pack 5.5.1 (Full)
LG PhoneManager
LG SyncManager
LG USB Modem driver-U400
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Xbox 360 Accessories 1.2
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 7 Ultra Edition
neroxml
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
OpenAL
PartyPoker
PKR
PokerStars
PokerTracker 3 (remove only)
PostgreSQL 8.3
PowerISO
Quick Startup 2.8.0.718
QuickTime
Rapture3D 2.3.22 Game
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Revo Uninstaller 1.85
RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
SightSpeed
Spotify
System Requirements Lab
Unreal Tournament 2003
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.0.3
WebCam Instant Product Registration
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
World Championship Snooker 2004
XP Codec Pack
ZTE_1.2059.0.8
.
==== Event Viewer Messages From Past Week ========
.
4/14/2011 7:09:13 PM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
4/14/2011 6:37:37 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
4/14/2011 6:37:37 PM, error: Service Control Manager [7034] - The BecHelperService service terminated unexpectedly. It has done this 1 time(s).
4/14/2011 6:37:36 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
4/14/2011 6:37:36 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/13/2011 6:44:54 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SCDEmu sptd ssmdrv Tcpip
4/13/2011 6:44:54 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
4/13/2011 6:44:54 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/13/2011 6:44:54 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/13/2011 6:44:54 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
4/13/2011 6:44:54 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/13/2011 6:00:32 PM, error: Service Control Manager [7031] - The Emsisoft Anti-Malware 5.0 - Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
4/12/2011 8:38:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio avipbb Fips intelppm SCDEmu ssmdrv
4/12/2011 8:09:47 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
4/12/2011 6:01:05 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/12/2011 11:13:19 PM, error: Service Control Manager [7024] - The Java Quick Starter service terminated with service-specific error 1 (0x1).
4/11/2011 9:45:29 PM, error: sptd [4] - Driver detected an internal error in its data structures for .
4/11/2011 8:17:19 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avgio avipbb Fips intelppm SCDEmu sptd ssmdrv
4/11/2011 11:14:33 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
4/11/2011 11:14:33 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/11/2011 11:08:15 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/11/2011 10:01:07 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
.
==== End Of File ===========================

Asimov, Apr 14, 2011

#1
Bobbye Helper on the Fringe
Welcome to TechSpot! Please run the following while I finish checking these logs. Paste the log into your next reply:

Download the file TDSSKiller.zip and save to the desktop.
(If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)

Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.

Double click on TDSSKiller.exe. to run the scan

When the scan is over, the utility outputs a list of detected objects with description.
The utility automatically selects an action (Cure or Delete) for malicious objects.
The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).

Select the action Quarantine to quarantine detected objects.
The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43

After clicking Next, the utility applies selected actions and outputs the result.

A reboot is required after disinfection.

Note: Please don't act on any 'errors' or 'alerts' you might get. Malwarebytes removed some rogue programs and some entries may be left.

Another note: I noticed you ran several scans with Mbam- I think attempting to also remove Trojan.SpyEyes. Although the removal and containment are easy, you should understand that the system may have been compromised already due to the Backdoor it installed and the chance that information may already ave been stolen. You are advised to change all of your passwords and keep close look to any financial transactions you do on the internet.

Description of Trojan.SpyEyes:

Payload: Opens a back door.

Releases Confidential Info: Attempts to steal information from the compromised computer.

A
Bobbye, Apr 14, 2011

#2
Asimov Newcomer, in training

Thanks for your reply - one rootkit detected and cured/ quarantined as per the below report. There was however a locked file detected which only gave the option to skip / copy to quarantine or delete. Should I go ahead and delete this or leave it as it is? When I reboot I still get a message stating my firewall is disabled, however the google redirects appear to have stopped (touch wood!)

2011/04/14 23:12:17.0796 2936 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/14 23:12:19.0750 2936 ================================================================================
2011/04/14 23:12:19.0750 2936 SystemInfo:
2011/04/14 23:12:19.0750 2936
2011/04/14 23:12:19.0750 2936 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/14 23:12:19.0750 2936 Product type: Workstation
2011/04/14 23:12:19.0750 2936 ComputerName: DANCREATION4
2011/04/14 23:12:19.0750 2936 UserName: Dan
2011/04/14 23:12:19.0750 2936 Windows directory: C:\WINDOWS
2011/04/14 23:12:19.0750 2936 System windows directory: C:\WINDOWS
2011/04/14 23:12:19.0750 2936 Processor architecture: Intel x86
2011/04/14 23:12:19.0750 2936 Number of processors: 2
2011/04/14 23:12:19.0750 2936 Page size: 0x1000
2011/04/14 23:12:19.0750 2936 Boot type: Normal boot
2011/04/14 23:12:19.0750 2936 ================================================================================
2011/04/14 23:12:20.0203 2936 Initialize success
2011/04/14 23:12:26.0406 0276 ================================================================================
2011/04/14 23:12:26.0406 0276 Scan started
2011/04/14 23:12:26.0406 0276 Mode: Manual;
2011/04/14 23:12:26.0406 0276 ================================================================================
2011/04/14 23:12:26.0937 0276 a2acc (71574a98093d94bdbb3cb74e272d29a5) C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2accx86.sys
2011/04/14 23:12:27.0062 0276 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/14 23:12:27.0109 0276 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/04/14 23:12:27.0156 0276 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/04/14 23:12:27.0203 0276 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/04/14 23:12:27.0343 0276 AR5416 (2f9a4beb4163590b78e26cdedc789ed4) C:\WINDOWS\system32\DRIVERS\athw.sys
2011/04/14 23:12:27.0531 0276 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/14 23:12:27.0578 0276 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/14 23:12:27.0625 0276 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/14 23:12:27.0703 0276 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/14 23:12:27.0750 0276 avgio (6a646c46b9415e13095aa9b352040a7a) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2011/04/14 23:12:27.0843 0276 avgntflt (14fe36d8f2c6a2435275338d061a0b66) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2011/04/14 23:12:27.0890 0276 avipbb (452e382340bb0c5e694ed9d3625356d0) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2011/04/14 23:12:27.0937 0276 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/14 23:12:27.0968 0276 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/14 23:12:28.0015 0276 CCDECODE (fdc06e2ada8c468ebb161624e03976cf) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/04/14 23:12:28.0046 0276 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/14 23:12:28.0093 0276 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/14 23:12:28.0125 0276 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/14 23:12:28.0250 0276 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/14 23:12:28.0328 0276 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/14 23:12:28.0390 0276 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/14 23:12:28.0437 0276 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/14 23:12:28.0484 0276 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/14 23:12:28.0531 0276 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/14 23:12:28.0578 0276 ENTECH (16ebd8bf1d5090923694cc972c7ce1b4) C:\WINDOWS\system32\DRIVERS\ENTECH.sys
2011/04/14 23:12:28.0640 0276 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/14 23:12:28.0687 0276 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/04/14 23:12:28.0718 0276 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/14 23:12:28.0734 0276 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/04/14 23:12:28.0750 0276 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/04/14 23:12:28.0781 0276 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/14 23:12:28.0812 0276 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/14 23:12:28.0859 0276 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/04/14 23:12:28.0890 0276 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/14 23:12:28.0937 0276 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/04/14 23:12:28.0984 0276 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/14 23:12:29.0046 0276 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/14 23:12:29.0140 0276 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/14 23:12:29.0187 0276 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/14 23:12:29.0312 0276 IntcAzAudAddService (b2957d6c1226f029230dac2c46d34286) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/04/14 23:12:29.0375 0276 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/04/14 23:12:29.0437 0276 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/04/14 23:12:29.0468 0276 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/14 23:12:29.0484 0276 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/14 23:12:29.0515 0276 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/14 23:12:29.0593 0276 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/14 23:12:29.0640 0276 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
2011/04/14 23:12:29.0687 0276 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/14 23:12:29.0703 0276 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys
2011/04/14 23:12:29.0734 0276 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/14 23:12:29.0781 0276 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/14 23:12:29.0812 0276 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/14 23:12:29.0875 0276 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/14 23:12:29.0953 0276 massfilter (09721f2c56681a83c93ecdfab8b102a9) C:\WINDOWS\system32\drivers\massfilter.sys
2011/04/14 23:12:30.0000 0276 mdvrmng (4e10e84320a8ec1c12bd0d00973b22ab) C:\WINDOWS\system32\drivers\mdvrmng.sys
2011/04/14 23:12:30.0046 0276 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/14 23:12:30.0093 0276 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/14 23:12:30.0125 0276 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/14 23:12:30.0171 0276 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/14 23:12:30.0203 0276 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/14 23:12:30.0250 0276 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/14 23:12:30.0296 0276 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/14 23:12:30.0343 0276 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/14 23:12:30.0390 0276 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/14 23:12:30.0390 0276 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/14 23:12:30.0406 0276 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/14 23:12:30.0437 0276 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/14 23:12:30.0484 0276 MSTEE (d5059366b361f0e1124753447af08aa2) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/04/14 23:12:30.0531 0276 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/14 23:12:30.0562 0276 NABTSFEC (ac31b352ce5e92704056d409834beb74) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/04/14 23:12:30.0625 0276 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/14 23:12:30.0656 0276 NdisIP (abd7629cf2796250f315c1dd0b6cf7a0) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/04/14 23:12:30.0703 0276 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/14 23:12:30.0734 0276 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/14 23:12:30.0750 0276 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/14 23:12:30.0781 0276 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/14 23:12:30.0812 0276 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/14 23:12:30.0828 0276 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/14 23:12:30.0875 0276 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/14 23:12:30.0937 0276 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/14 23:12:31.0015 0276 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/14 23:12:31.0203 0276 nv (a05d99cbf55eb493c9e82b4bca848ef5) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/04/14 23:12:31.0390 0276 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/14 23:12:31.0437 0276 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/14 23:12:31.0484 0276 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/04/14 23:12:31.0500 0276 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/14 23:12:31.0546 0276 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/14 23:12:31.0593 0276 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/14 23:12:31.0625 0276 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/04/14 23:12:31.0656 0276 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/04/14 23:12:31.0687 0276 PD0620VID (ea296b87ba381c640b441d95f90785f8) C:\WINDOWS\system32\DRIVERS\P0620Vid.sys
2011/04/14 23:12:31.0812 0276 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/14 23:12:31.0843 0276 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/14 23:12:31.0890 0276 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/14 23:12:31.0984 0276 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/14 23:12:32.0031 0276 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
2011/04/14 23:12:32.0046 0276 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/14 23:12:32.0078 0276 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/14 23:12:32.0109 0276 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/14 23:12:32.0125 0276 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/14 23:12:32.0171 0276 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/14 23:12:32.0203 0276 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/04/14 23:12:32.0250 0276 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/14 23:12:32.0296 0276 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/14 23:12:32.0343 0276 RivaTuner32 (c0c8909be3ecc9df8089112bf9be954e) C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys
2011/04/14 23:12:32.0453 0276 RTLE8023xp (6fc7ddf3b8d94fba7ac664452d6478d4) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2011/04/14 23:12:32.0500 0276 SCDEmu (16b1abe7f3e35f21dac57592b6c5d464) C:\WINDOWS\system32\drivers\SCDEmu.sys
2011/04/14 23:12:32.0546 0276 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/14 23:12:32.0578 0276 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/04/14 23:12:32.0671 0276 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/04/14 23:12:32.0718 0276 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/04/14 23:12:32.0796 0276 SLIP (1ffc44d6787ec1ea9a2b1440a90fa5c1) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/04/14 23:12:32.0843 0276 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/14 23:12:32.0890 0276 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2011/04/14 23:12:32.0890 0276 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/04/14 23:12:32.0906 0276 sptd - detected Locked file (1)
2011/04/14 23:12:32.0906 0276 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/14 23:12:32.0953 0276 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/14 23:12:33.0031 0276 ssmdrv (654dfea96bc82b4acda4f37e5e4a3bbf) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2011/04/14 23:12:33.0078 0276 streamip (a9f9fd0212e572b84edb9eb661f6bc04) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/04/14 23:12:33.0140 0276 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/14 23:12:33.0171 0276 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/14 23:12:33.0265 0276 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/14 23:12:33.0312 0276 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/14 23:12:33.0359 0276 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/14 23:12:33.0390 0276 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/14 23:12:33.0437 0276 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/14 23:12:33.0515 0276 U400bus (e2dba4238cea4a707ecf232b0a18285b) C:\WINDOWS\system32\DRIVERS\U400bus.sys
2011/04/14 23:12:33.0562 0276 U400mdfl (7024be4e5db0278f902d8f8168c21a1e) C:\WINDOWS\system32\DRIVERS\U400mdfl.sys
2011/04/14 23:12:33.0578 0276 U400mdm (f81b907b5d826c52be70becfa8d061e3) C:\WINDOWS\system32\DRIVERS\U400mdm.sys
2011/04/14 23:12:33.0593 0276 U400mgmt (1ae1765623c8e58349b89bc1dc7ffd52) C:\WINDOWS\system32\DRIVERS\U400mgmt.sys
2011/04/14 23:12:33.0625 0276 U400obex (780c0b1655008e38d7e6ba631f17fbb8) C:\WINDOWS\system32\DRIVERS\U400obex.sys
2011/04/14 23:12:33.0687 0276 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/14 23:12:33.0750 0276 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/14 23:12:33.0796 0276 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/04/14 23:12:33.0828 0276 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/04/14 23:12:33.0859 0276 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/14 23:12:33.0906 0276 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/04/14 23:12:33.0953 0276 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/14 23:12:34.0000 0276 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/04/14 23:12:34.0031 0276 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/04/14 23:12:34.0078 0276 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/14 23:12:34.0109 0276 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/14 23:12:34.0171 0276 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/04/14 23:12:34.0218 0276 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/14 23:12:34.0312 0276 WSTCODEC (233cdd1c06942115802eb7ce6669e099) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/04/14 23:12:34.0359 0276 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/04/14 23:12:34.0390 0276 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/04/14 23:12:34.0437 0276 xusb21 (09e5340bd9b2cb730bf4dc6be7721291) C:\WINDOWS\system32\DRIVERS\xusb21.sys
2011/04/14 23:12:34.0515 0276 ZTEusbmdm6k (616b411bfc0e9f535a436759f19b79d8) C:\WINDOWS\system32\DRIVERS\ZTEusbmdm6k.sys
2011/04/14 23:12:34.0531 0276 ZTEusbnmea (616b411bfc0e9f535a436759f19b79d8) C:\WINDOWS\system32\DRIVERS\ZTEusbnmea.sys
2011/04/14 23:12:34.0546 0276 ZTEusbser6k (616b411bfc0e9f535a436759f19b79d8) C:\WINDOWS\system32\DRIVERS\ZTEusbser6k.sys
2011/04/14 23:12:34.0578 0276 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/04/14 23:12:34.0593 0276 ================================================================================
2011/04/14 23:12:34.0593 0276 Scan finished
2011/04/14 23:12:34.0593 0276 ================================================================================
2011/04/14 23:12:34.0593 0680 Detected object count: 2
2011/04/14 23:14:59.0984 0680 Locked file(sptd) - User select action: Skip
2011/04/14 23:15:00.0000 0680 \HardDisk0 - copied to quarantine
2011/04/14 23:15:00.0000 0680 \HardDisk0\TDLFS\cfg.ini - copied to quarantine
2011/04/14 23:15:00.0031 0680 \HardDisk0\TDLFS\mbr - copied to quarantine
2011/04/14 23:15:00.0031 0680 \HardDisk0\TDLFS\bckfg.tmp - copied to quarantine
2011/04/14 23:15:00.0046 0680 \HardDisk0\TDLFS\cmd.dll - copied to quarantine
2011/04/14 23:15:00.0046 0680 \HardDisk0\TDLFS\ldr16 - copied to quarantine
2011/04/14 23:15:00.0046 0680 \HardDisk0\TDLFS\ldr32 - copied to quarantine
2011/04/14 23:15:00.0046 0680 \HardDisk0\TDLFS\ldr64 - copied to quarantine
2011/04/14 23:15:00.0062 0680 \HardDisk0\TDLFS\drv64 - copied to quarantine
2011/04/14 23:15:00.0062 0680 \HardDisk0\TDLFS\cmd64.dll - copied to quarantine
2011/04/14 23:15:00.0078 0680 \HardDisk0\TDLFS\drv32 - copied to quarantine
2011/04/14 23:15:00.0078 0680 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Quarantine

############################

SUSPICIOUS OBJECT

2011/04/14 23:30:54.0828 3788 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/14 23:30:54.0843 3788 ================================================================================
2011/04/14 23:30:54.0843 3788 SystemInfo:
2011/04/14 23:30:54.0843 3788
2011/04/14 23:30:54.0843 3788 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/14 23:30:54.0843 3788 Product type: Workstation
2011/04/14 23:30:54.0843 3788 ComputerName: DANCREATION4
2011/04/14 23:30:54.0843 3788 UserName: Dan
2011/04/14 23:30:54.0843 3788 Windows directory: C:\WINDOWS
2011/04/14 23:30:54.0843 3788 System windows directory: C:\WINDOWS
2011/04/14 23:30:54.0843 3788 Processor architecture: Intel x86
2011/04/14 23:30:54.0843 3788 Number of processors: 2
2011/04/14 23:30:54.0843 3788 Page size: 0x1000
2011/04/14 23:30:54.0843 3788 Boot type: Normal boot
2011/04/14 23:30:54.0843 3788 ================================================================================
2011/04/14 23:30:54.0953 3788 Initialize success
2011/04/14 23:30:56.0515 3820 ================================================================================
2011/04/14 23:30:56.0515 3820 Scan started
2011/04/14 23:30:56.0515 3820 Mode: Manual;
2011/04/14 23:30:56.0515 3820 ================================================================================
2011/04/14 23:30:58.0781 3820 a2acc (71574a98093d94bdbb3cb74e272d29a5) C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2accx86.sys
2011/04/14 23:30:58.0953 3820 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/14 23:30:59.0000 3820 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/04/14 23:30:59.0062 3820 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/04/14 23:30:59.0109 3820 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/04/14 23:30:59.0421 3820 AR5416 (2f9a4beb4163590b78e26cdedc789ed4) C:\WINDOWS\system32\DRIVERS\athw.sys
2011/04/14 23:30:59.0640 3820 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/14 23:30:59.0687 3820 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/14 23:30:59.0750 3820 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/14 23:30:59.0796 3820 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/14 23:30:59.0859 3820 avgio (6a646c46b9415e13095aa9b352040a7a) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2011/04/14 23:30:59.0953 3820 avgntflt (14fe36d8f2c6a2435275338d061a0b66) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2011/04/14 23:30:59.0984 3820 avipbb (452e382340bb0c5e694ed9d3625356d0) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2011/04/14 23:31:00.0031 3820 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/14 23:31:00.0062 3820 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/14 23:31:00.0093 3820 CCDECODE (fdc06e2ada8c468ebb161624e03976cf) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/04/14 23:31:00.0140 3820 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/14 23:31:00.0187 3820 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/14 23:31:00.0218 3820 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/14 23:31:00.0343 3820 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/14 23:31:00.0484 3820 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/14 23:31:00.0546 3820 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/14 23:31:00.0593 3820 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/14 23:31:00.0656 3820 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/14 23:31:00.0718 3820 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/14 23:31:00.0796 3820 ENTECH (16ebd8bf1d5090923694cc972c7ce1b4) C:\WINDOWS\system32\DRIVERS\ENTECH.sys
2011/04/14 23:31:00.0875 3820 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/14 23:31:00.0921 3820 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/04/14 23:31:00.0953 3820 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/14 23:31:00.0968 3820 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/04/14 23:31:01.0000 3820 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/04/14 23:31:01.0046 3820 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/14 23:31:01.0078 3820 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/14 23:31:01.0125 3820 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/04/14 23:31:01.0156 3820 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/14 23:31:01.0187 3820 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/04/14 23:31:01.0250 3820 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/14 23:31:01.0296 3820 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/14 23:31:01.0390 3820 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/14 23:31:01.0437 3820 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/14 23:31:01.0546 3820 IntcAzAudAddService (b2957d6c1226f029230dac2c46d34286) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/04/14 23:31:01.0625 3820 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/04/14 23:31:01.0671 3820 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/04/14 23:31:01.0687 3820 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/14 23:31:01.0703 3820 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/14 23:31:01.0734 3820 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/14 23:31:01.0765 3820 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/14 23:31:01.0812 3820 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
2011/04/14 23:31:01.0843 3820 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/14 23:31:01.0859 3820 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys
2011/04/14 23:31:01.0890 3820 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/14 23:31:01.0921 3820 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/14 23:31:01.0968 3820 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/14 23:31:02.0000 3820 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/14 23:31:02.0062 3820 massfilter (09721f2c56681a83c93ecdfab8b102a9) C:\WINDOWS\system32\drivers\massfilter.sys
2011/04/14 23:31:02.0109 3820 mdvrmng (4e10e84320a8ec1c12bd0d00973b22ab) C:\WINDOWS\system32\drivers\mdvrmng.sys
2011/04/14 23:31:02.0156 3820 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/14 23:31:02.0187 3820 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/14 23:31:02.0234 3820 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/14 23:31:02.0296 3820 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/14 23:31:02.0328 3820 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/14 23:31:02.0375 3820 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/14 23:31:02.0421 3820 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/14 23:31:02.0468 3820 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/14 23:31:02.0531 3820 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/14 23:31:02.0546 3820 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/14 23:31:02.0562 3820 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/14 23:31:02.0593 3820 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/14 23:31:02.0640 3820 MSTEE (d5059366b361f0e1124753447af08aa2) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/04/14 23:31:02.0687 3820 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/14 23:31:02.0718 3820 NABTSFEC (ac31b352ce5e92704056d409834beb74) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/04/14 23:31:02.0765 3820 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/14 23:31:02.0796 3820 NdisIP (abd7629cf2796250f315c1dd0b6cf7a0) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/04/14 23:31:02.0843 3820 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/14 23:31:02.0859 3820 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/14 23:31:02.0875 3820 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/14 23:31:02.0906 3820 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/14 23:31:02.0937 3820 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/14 23:31:02.0953 3820 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/14 23:31:03.0000 3820 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/14 23:31:03.0046 3820 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/14 23:31:03.0109 3820 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/14 23:31:03.0296 3820 nv (a05d99cbf55eb493c9e82b4bca848ef5) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/04/14 23:31:03.0703 3820 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/14 23:31:03.0750 3820 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/14 23:31:03.0812 3820 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/04/14 23:31:03.0828 3820 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/14 23:31:03.0875 3820 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/14 23:31:03.0921 3820 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/14 23:31:03.0937 3820 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/04/14 23:31:03.0968 3820 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/04/14 23:31:04.0093 3820 PD0620VID (ea296b87ba381c640b441d95f90785f8) C:\WINDOWS\system32\DRIVERS\P0620Vid.sys
2011/04/14 23:31:04.0218 3820 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/14 23:31:04.0234 3820 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/14 23:31:04.0265 3820 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/14 23:31:04.0328 3820 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/14 23:31:04.0375 3820 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
2011/04/14 23:31:04.0390 3820 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/14 23:31:04.0421 3820 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/14 23:31:04.0453 3820 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/14 23:31:04.0484 3820 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/14 23:31:04.0500 3820 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/14 23:31:04.0531 3820 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/04/14 23:31:04.0593 3820 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/14 23:31:04.0703 3820 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/14 23:31:04.0781 3820 RivaTuner32 (c0c8909be3ecc9df8089112bf9be954e) C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys
2011/04/14 23:31:04.0890 3820 RTLE8023xp (6fc7ddf3b8d94fba7ac664452d6478d4) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2011/04/14 23:31:05.0046 3820 SCDEmu (16b1abe7f3e35f21dac57592b6c5d464) C:\WINDOWS\system32\drivers\SCDEmu.sys
2011/04/14 23:31:05.0078 3820 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/14 23:31:05.0093 3820 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/04/14 23:31:05.0140 3820 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/04/14 23:31:05.0187 3820 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/04/14 23:31:05.0281 3820 SLIP (1ffc44d6787ec1ea9a2b1440a90fa5c1) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/04/14 23:31:05.0390 3820 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/14 23:31:05.0453 3820 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2011/04/14 23:31:05.0453 3820 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/04/14 23:31:05.0468 3820 sptd - detected Locked file (1)
2011/04/14 23:31:05.0468 3820 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/14 23:31:05.0500 3820 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/14 23:31:05.0578 3820 ssmdrv (654dfea96bc82b4acda4f37e5e4a3bbf) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2011/04/14 23:31:05.0656 3820 streamip (a9f9fd0212e572b84edb9eb661f6bc04) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/04/14 23:31:05.0734 3820 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/14 23:31:05.0765 3820 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/14 23:31:05.0843 3820 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/14 23:31:05.0906 3820 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/14 23:31:05.0953 3820 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/14 23:31:06.0000 3820 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/14 23:31:06.0046 3820 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/14 23:31:06.0109 3820 U400bus (e2dba4238cea4a707ecf232b0a18285b) C:\WINDOWS\system32\DRIVERS\U400bus.sys
2011/04/14 23:31:06.0187 3820 U400mdfl (7024be4e5db0278f902d8f8168c21a1e) C:\WINDOWS\system32\DRIVERS\U400mdfl.sys
2011/04/14 23:31:06.0234 3820 U400mdm (f81b907b5d826c52be70becfa8d061e3) C:\WINDOWS\system32\DRIVERS\U400mdm.sys
2011/04/14 23:31:06.0281 3820 U400mgmt (1ae1765623c8e58349b89bc1dc7ffd52) C:\WINDOWS\system32\DRIVERS\U400mgmt.sys
2011/04/14 23:31:06.0312 3820 U400obex (780c0b1655008e38d7e6ba631f17fbb8) C:\WINDOWS\system32\DRIVERS\U400obex.sys
2011/04/14 23:31:06.0375 3820 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/14 23:31:06.0406 3820 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/14 23:31:06.0468 3820 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/04/14 23:31:06.0500 3820 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/04/14 23:31:06.0531 3820 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/14 23:31:06.0609 3820 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/04/14 23:31:06.0750 3820 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/14 23:31:06.0781 3820 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/04/14 23:31:06.0828 3820 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/04/14 23:31:06.0890 3820 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/14 23:31:06.0921 3820 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/14 23:31:06.0968 3820 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/04/14 23:31:07.0031 3820 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/14 23:31:07.0156 3820 WSTCODEC (233cdd1c06942115802eb7ce6669e099) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/04/14 23:31:07.0203 3820 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/04/14 23:31:07.0250 3820 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/04/14 23:31:07.0390 3820 xusb21 (09e5340bd9b2cb730bf4dc6be7721291) C:\WINDOWS\system32\DRIVERS\xusb21.sys
2011/04/14 23:31:07.0468 3820 ZTEusbmdm6k (616b411bfc0e9f535a436759f19b79d8) C:\WINDOWS\system32\DRIVERS\ZTEusbmdm6k.sys
2011/04/14 23:31:07.0500 3820 ZTEusbnmea (616b411bfc0e9f535a436759f19b79d8) C:\WINDOWS\system32\DRIVERS\ZTEusbnmea.sys
2011/04/14 23:31:07.0515 3820 ZTEusbser6k (616b411bfc0e9f535a436759f19b79d8) C:\WINDOWS\system32\DRIVERS\ZTEusbser6k.sys
2011/04/14 23:31:07.0640 3820 ================================================================================
2011/04/14 23:31:07.0640 3820 Scan finished
2011/04/14 23:31:07.0640 3820 ================================================================================
2011/04/14 23:31:07.0671 3812 Detected object count: 1
2011/04/14 23:31:30.0640 3812 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2011/04/14 23:31:30.0640 3812 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/04/14 23:31:30.0640 3812 C:\WINDOWS\system32\Drivers\sptd.sys - copied to quarantine
2011/04/14 23:31:30.0640 3812 Locked file(sptd) - User select action: Quarantine

Asimov, Apr 14, 2011

#3
Bobbye Helper on the Fringe
Please run this:
Bootkit Remover:

Download bootkitremover.rar and save to your desktop.

Extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. (Use 7-Zip if you don't have an extraction program, )

Double-click on the remover.exe file to run the program.
NOTE: The tool should be run from a command line with Administrator privileges.

Scanning should be completed quickly

Paste the output in your next reply.

======================================
You can also go ahead with this: Download Combofix from HERE or HERE and save to the desktop

Double click combofix.exe & follow the prompts.

ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

.Click on Yes, to continue scanning for malware

.If Combofix asks you to update the program, allow

.Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

.Close any open browsers.

.Double click combofix.exe & follow the prompts to run.

When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..

Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

We will work through these first.
Bobbye, Apr 14, 2011

#4
Asimov Newcomer, in training

Thank you - bootkit remover and Combofix logs below in separate threads due to size - only remaining problem is that windows firewall is temporarily disabled when I attempt to connect to the internet - however it is enabled again once I am actually connected:

.\debug.cpp(238) : Debug log started at 15.04.2011 - 13:44:17
.\boot_cleaner.cpp(527) : Bootkit Remover
.\boot_cleaner.cpp(528) : (c) 2009 eSage Lab
.\boot_cleaner.cpp(529) : www.esagelab.com
.\boot_cleaner.cpp(533) : Program version: 1.2.0.0
.\boot_cleaner.cpp(540) : OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)
.\debug.cpp(248) : **********************************************
.\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
.\debug.cpp(250) : **********************************************
.\debug.cpp(256) : 0x804d7000 0x0020e000 "\WINDOWS\system32\ntkrnlpa.exe"
.\debug.cpp(256) : 0x806e5000 0x00020d00 "\WINDOWS\system32\hal.dll"
.\debug.cpp(256) : 0xb85a8000 0x00002000 "\WINDOWS\system32\KDCOM.DLL"
.\debug.cpp(256) : 0xb84b8000 0x00003000 "\WINDOWS\system32\BOOTVID.dll"
.\debug.cpp(256) : 0xb7eb4000 0x000f3000 "spsl.sys"
.\debug.cpp(256) : 0xb85aa000 0x00002000 "\WINDOWS\System32\Drivers\WMILIB.SYS"
.\debug.cpp(256) : 0xb7e9c000 0x00018000 "\WINDOWS\System32\Drivers\SCSIPORT.SYS"
.\debug.cpp(256) : 0xb7e6e000 0x0002e000 "ACPI.sys"
.\debug.cpp(256) : 0xb7e5d000 0x00011000 "pci.sys"
.\debug.cpp(256) : 0xb80a8000 0x0000a000 "isapnp.sys"
.\debug.cpp(256) : 0xb8670000 0x00001000 "pciide.sys"
.\debug.cpp(256) : 0xb8328000 0x00007000 "\WINDOWS\system32\DRIVERS\PCIIDEX.SYS"
.\debug.cpp(256) : 0xb80b8000 0x0000b000 "MountMgr.sys"
.\debug.cpp(256) : 0xb7e3e000 0x0001f000 "ftdisk.sys"
.\debug.cpp(256) : 0xb85ac000 0x00002000 "dmload.sys"
.\debug.cpp(256) : 0xb7e18000 0x00026000 "dmio.sys"
.\debug.cpp(256) : 0xb8330000 0x00005000 "PartMgr.sys"
.\debug.cpp(256) : 0xb80c8000 0x0000d000 "VolSnap.sys"
.\debug.cpp(256) : 0xb7e00000 0x00018000 "atapi.sys"
.\debug.cpp(256) : 0xb80d8000 0x00009000 "disk.sys"
.\debug.cpp(256) : 0xb80e8000 0x0000d000 "\WINDOWS\system32\DRIVERS\CLASSPNP.SYS"
.\debug.cpp(256) : 0xb7de0000 0x00020000 "fltMgr.sys"
.\debug.cpp(256) : 0xb7dce000 0x00012000 "sr.sys"
.\debug.cpp(256) : 0xb7db7000 0x00017000 "KSecDD.sys"
.\debug.cpp(256) : 0xb7d2a000 0x0008d000 "Ntfs.sys"
.\debug.cpp(256) : 0xb7cfd000 0x0002d000 "NDIS.sys"
.\debug.cpp(256) : 0xb7ce3000 0x0001a000 "Mup.sys"
.\debug.cpp(256) : 0xb81a8000 0x00009000 "\SystemRoot\system32\DRIVERS\intelppm.sys"
.\debug.cpp(256) : 0xb7250000 0x009c4000 "\SystemRoot\system32\DRIVERS\nv4_mini.sys"
.\debug.cpp(256) : 0xb723c000 0x00014000 "\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS"
.\debug.cpp(256) : 0xb7214000 0x00028000 "\SystemRoot\system32\DRIVERS\HDAudBus.sys"
.\debug.cpp(256) : 0xb8468000 0x00006000 "\SystemRoot\system32\DRIVERS\usbuhci.sys"
.\debug.cpp(256) : 0xb71f0000 0x00024000 "\SystemRoot\system32\DRIVERS\USBPORT.SYS"
.\debug.cpp(256) : 0xb8470000 0x00008000 "\SystemRoot\system32\DRIVERS\usbehci.sys"
.\debug.cpp(256) : 0xb8478000 0x00007000 "\SystemRoot\system32\DRIVERS\fdc.sys"
.\debug.cpp(256) : 0xb81b8000 0x00010000 "\SystemRoot\system32\DRIVERS\serial.sys"
.\debug.cpp(256) : 0xb7c2c000 0x00004000 "\SystemRoot\system32\DRIVERS\serenum.sys"
.\debug.cpp(256) : 0xb8480000 0x00005000 "\SystemRoot\system32\DRIVERS\irsir.sys"
.\debug.cpp(256) : 0xb7c28000 0x00003000 "\SystemRoot\system32\DRIVERS\irenum.sys"
.\debug.cpp(256) : 0xb81c8000 0x0000d000 "\SystemRoot\system32\DRIVERS\i8042prt.sys"
.\debug.cpp(256) : 0xb8488000 0x00006000 "\SystemRoot\system32\DRIVERS\mouclass.sys"
.\debug.cpp(256) : 0xb8490000 0x00006000 "\SystemRoot\system32\DRIVERS\kbdclass.sys"
.\debug.cpp(256) : 0xb81d8000 0x0000b000 "\SystemRoot\system32\DRIVERS\imapi.sys"
.\debug.cpp(256) : 0xb81e8000 0x00010000 "\SystemRoot\system32\DRIVERS\cdrom.sys"
.\debug.cpp(256) : 0xb81f8000 0x0000f000 "\SystemRoot\system32\DRIVERS\redbook.sys"
.\debug.cpp(256) : 0xb71cd000 0x00023000 "\SystemRoot\system32\DRIVERS\ks.sys"
.\debug.cpp(256) : 0xb8498000 0x00006000 "\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys"
.\debug.cpp(256) : 0xb7194000 0x00039000 "\SystemRoot\System32\Drivers\asnlvldr.SYS"
.\debug.cpp(256) : 0xb8731000 0x00001000 "\SystemRoot\system32\DRIVERS\audstub.sys"
.\debug.cpp(256) : 0xb83a8000 0x00005000 "\SystemRoot\system32\DRIVERS\rasirda.sys"
.\debug.cpp(256) : 0xb83b0000 0x00005000 "\SystemRoot\system32\DRIVERS\TDI.SYS"
.\debug.cpp(256) : 0xb8208000 0x0000d000 "\SystemRoot\system32\DRIVERS\rasl2tp.sys"
.\debug.cpp(256) : 0xb8558000 0x00003000 "\SystemRoot\system32\DRIVERS\ndistapi.sys"
.\debug.cpp(256) : 0xb717d000 0x00017000 "\SystemRoot\system32\DRIVERS\ndiswan.sys"
.\debug.cpp(256) : 0xb8218000 0x0000b000 "\SystemRoot\system32\DRIVERS\raspppoe.sys"
.\debug.cpp(256) : 0xb8228000 0x0000c000 "\SystemRoot\system32\DRIVERS\raspptp.sys"
.\debug.cpp(256) : 0xb716c000 0x00011000 "\SystemRoot\system32\DRIVERS\psched.sys"
.\debug.cpp(256) : 0xb8238000 0x00009000 "\SystemRoot\system32\DRIVERS\msgpc.sys"
.\debug.cpp(256) : 0xb83b8000 0x00005000 "\SystemRoot\system32\DRIVERS\ptilink.sys"
.\debug.cpp(256) : 0xb83c0000 0x00005000 "\SystemRoot\system32\DRIVERS\raspti.sys"
.\debug.cpp(256) : 0xb713c000 0x00030000 "\SystemRoot\system32\DRIVERS\rdpdr.sys"
.\debug.cpp(256) : 0xb8248000 0x0000a000 "\SystemRoot\system32\DRIVERS\termdd.sys"
.\debug.cpp(256) : 0xb85ea000 0x00002000 "\SystemRoot\system32\DRIVERS\swenum.sys"
.\debug.cpp(256) : 0xb70b6000 0x0005e000 "\SystemRoot\system32\DRIVERS\update.sys"
.\debug.cpp(256) : 0xb8578000 0x00004000 "\SystemRoot\system32\DRIVERS\mssmbios.sys"
.\debug.cpp(256) : 0xb8258000 0x0000a000 "\SystemRoot\System32\Drivers\NDProxy.SYS"
.\debug.cpp(256) : 0xb4a53000 0x004a6000 "\SystemRoot\system32\drivers\RtkHDAud.sys"
.\debug.cpp(256) : 0xb4a2f000 0x00024000 "\SystemRoot\system32\drivers\portcls.sys"
.\debug.cpp(256) : 0xb8288000 0x0000f000 "\SystemRoot\system32\drivers\drmk.sys"
.\debug.cpp(256) : 0xb8298000 0x0000f000 "\SystemRoot\system32\DRIVERS\usbhub.sys"
.\debug.cpp(256) : 0xb85f0000 0x00002000 "\SystemRoot\system32\DRIVERS\USBD.SYS"
.\debug.cpp(256) : 0xb83d8000 0x00005000 "\SystemRoot\system32\DRIVERS\flpydisk.sys"
.\debug.cpp(256) : 0xb85f4000 0x00002000 "\SystemRoot\System32\Drivers\Fs_Rec.SYS"
.\debug.cpp(256) : 0xb8696000 0x00001000 "\SystemRoot\System32\Drivers\Null.SYS"
.\debug.cpp(256) : 0xb85f6000 0x00002000 "\SystemRoot\System32\Drivers\Beep.SYS"
.\debug.cpp(256) : 0xb83e8000 0x00006000 "\SystemRoot\System32\drivers\vga.sys"
.\debug.cpp(256) : 0xb85f8000 0x00002000 "\SystemRoot\System32\Drivers\mnmdd.SYS"
.\debug.cpp(256) : 0xb85fa000 0x00002000 "\SystemRoot\System32\DRIVERS\RDPCDD.sys"
.\debug.cpp(256) : 0xb83f0000 0x00005000 "\SystemRoot\System32\Drivers\Msfs.SYS"
.\debug.cpp(256) : 0xb83f8000 0x00008000 "\SystemRoot\System32\Drivers\Npfs.SYS"
.\debug.cpp(256) : 0xb7c1c000 0x00003000 "\SystemRoot\system32\DRIVERS\rasacd.sys"
.\debug.cpp(256) : 0xb49ac000 0x00013000 "\SystemRoot\system32\DRIVERS\ipsec.sys"
.\debug.cpp(256) : 0xb4953000 0x00059000 "\SystemRoot\system32\DRIVERS\tcpip.sys"
.\debug.cpp(256) : 0xb492d000 0x00026000 "\SystemRoot\system32\DRIVERS\ipnat.sys"
.\debug.cpp(256) : 0xb4905000 0x00028000 "\SystemRoot\system32\DRIVERS\netbt.sys"
.\debug.cpp(256) : 0xb82b8000 0x00009000 "\SystemRoot\system32\DRIVERS\wanarp.sys"
.\debug.cpp(256) : 0xb48e3000 0x00022000 "\SystemRoot\System32\drivers\afd.sys"
.\debug.cpp(256) : 0xb82c8000 0x00009000 "\SystemRoot\system32\DRIVERS\netbios.sys"
.\debug.cpp(256) : 0xb8400000 0x00006000 "\SystemRoot\system32\DRIVERS\ssmdrv.sys"
.\debug.cpp(256) : 0xb82d8000 0x0000e000 "\SystemRoot\System32\Drivers\SCDEmu.SYS"
.\debug.cpp(256) : 0xb4868000 0x0002b000 "\SystemRoot\system32\DRIVERS\rdbss.sys"
.\debug.cpp(256) : 0xb47d0000 0x00070000 "\SystemRoot\system32\DRIVERS\mrxsmb.sys"
.\debug.cpp(256) : 0xb82e8000 0x0000b000 "\SystemRoot\System32\Drivers\Fips.SYS"
.\debug.cpp(256) : 0xb47b4000 0x0001c000 "\SystemRoot\system32\DRIVERS\avipbb.sys"
.\debug.cpp(256) : 0xb479d000 0x00017000 "\SystemRoot\system32\DRIVERS\P0620Vid.sys"
.\debug.cpp(256) : 0xb8138000 0x0000d000 "\SystemRoot\system32\DRIVERS\STREAM.SYS"
.\debug.cpp(256) : 0xb8606000 0x00002000 "\??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys"
.\debug.cpp(256) : 0xb4764000 0x00011000 "\SystemRoot\System32\Drivers\Udfs.SYS"
.\debug.cpp(256) : 0xb474c000 0x00018000 "\SystemRoot\System32\Drivers\dump_atapi.sys"
.\debug.cpp(256) : 0xb8630000 0x00002000 "\SystemRoot\System32\Drivers\dump_WMILIB.SYS"
.\debug.cpp(256) : 0xbf800000 0x001c5000 "\SystemRoot\System32\win32k.sys"
.\debug.cpp(256) : 0xb485c000 0x00003000 "\SystemRoot\System32\drivers\Dxapi.sys"
.\debug.cpp(256) : 0xb8448000 0x00005000 "\SystemRoot\System32\watchdog.sys"
.\debug.cpp(256) : 0xb8450000 0x00008000 "\SystemRoot\system32\DRIVERS\usbccgp.sys"
.\debug.cpp(256) : 0xbd000000 0x00012000 "\SystemRoot\System32\drivers\dxg.sys"
.\debug.cpp(256) : 0xb879e000 0x00001000 "\SystemRoot\System32\drivers\dxgthk.sys"
.\debug.cpp(256) : 0xb4732000 0x0001a000 "\SystemRoot\system32\DRIVERS\ZTEusbser6k.sys"
.\debug.cpp(256) : 0xb4718000 0x0001a000 "\SystemRoot\system32\DRIVERS\ZTEusbnmea.sys"
.\debug.cpp(256) : 0xb8460000 0x00007000 "\SystemRoot\system32\DRIVERS\USBSTOR.SYS"
.\debug.cpp(256) : 0xb46fe000 0x0001a000 "\SystemRoot\system32\DRIVERS\ZTEusbmdm6k.sys"
.\debug.cpp(256) : 0xb84a0000 0x00008000 "\SystemRoot\System32\Drivers\Modem.SYS"
.\debug.cpp(256) : 0xbd012000 0x005fe000 "\SystemRoot\System32\nv4_disp.dll"
.\debug.cpp(256) : 0xbd610000 0x00047000 "\SystemRoot\System32\ATMFD.DLL"
.\debug.cpp(256) : 0xb43aa000 0x00014000 "\SystemRoot\system32\DRIVERS\avgntflt.sys"
.\debug.cpp(256) : 0xb427c000 0x00016000 "\SystemRoot\system32\DRIVERS\irda.sys"
.\debug.cpp(256) : 0xb4240000 0x00014000 "\??\C:\WINDOWS\system32\drivers\mdvrmng.sys"
.\debug.cpp(256) : 0xb437a000 0x00004000 "\SystemRoot\system32\DRIVERS\ndisuio.sys"
.\debug.cpp(256) : 0xb4033000 0x0002d000 "\SystemRoot\system32\DRIVERS\mrxdav.sys"
.\debug.cpp(256) : 0xb3e73000 0x00058000 "\SystemRoot\system32\DRIVERS\srv.sys"
.\debug.cpp(256) : 0xb41b8000 0x0000a000 "\SystemRoot\system32\DRIVERS\secdrv.sys"
.\debug.cpp(256) : 0xb3c56000 0x00015000 "\SystemRoot\system32\drivers\wdmaud.sys"
.\debug.cpp(256) : 0xb3d23000 0x0000f000 "\SystemRoot\system32\drivers\sysaudio.sys"
.\debug.cpp(256) : 0xb38d6000 0x00010000 "\SystemRoot\System32\Drivers\Cdfs.SYS"
.\debug.cpp(256) : 0xb200f000 0x00041000 "\SystemRoot\System32\Drivers\HTTP.sys"
.\debug.cpp(256) : 0xb3e33000 0x00003000 "\??\C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys"
.\debug.cpp(256) : 0xb1ef2000 0x00004000 "\SystemRoot\system32\DRIVERS\asyncmac.sys"
.\debug.cpp(256) : 0xb1bca000 0x0002b000 "\SystemRoot\system32\drivers\kmixer.sys"
.\debug.cpp(256) : 0x7c900000 0x000b2000 "\WINDOWS\system32\ntdll.dll"
.\debug.cpp(256) : 0x10000000 0x00246000 "\Program Files\DAEMON Tools Lite\Engine.dll"
.\debug.cpp(263) : **********************************************
.\debug.cpp(307) : *** [ DEVICE OBJECTS INFORMATION ] ***********
.\debug.cpp(308) : **********************************************
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_041e&Pid_4034#5&2f245085&0&1#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\USBPDO-5"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\D:"
.\debug.cpp(400) : Destination "\Device\CdRom0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDIS"
.\debug.cpp(400) : Destination "\Device\Ndis"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi3:"
.\debug.cpp(400) : Destination "\Device\Scsi\asnlvldr1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY1"
.\debug.cpp(400) : Destination "\Device\Video0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{F2786CDC-3D5F-41F5-AEA7-1B2C5F80F558}"
.\debug.cpp(400) : Destination "\Device\{F2786CDC-3D5F-41F5-AEA7-1B2C5F80F558}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ffbb6e3f-ccfe-4d84-90d9-421418b03a8e}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY2"
.\debug.cpp(400) : Destination "\Device\Video1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{71985f4a-1ca1-11d3-9cc8-00c04f7971e0}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{95F3E431-4118-4346-87C2-556B28BC457C}"
.\debug.cpp(400) : Destination "\Device\{95F3E431-4118-4346-87C2-556B28BC457C}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPPOEMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000032"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_23#_1#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
.\debug.cpp(400) : Destination "\Device\00000041"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmIoDaemon"
.\debug.cpp(400) : Destination "\Device\DmControl\DmIoDaemon"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0C#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination "\Device\00000042"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ip"
.\debug.cpp(400) : Destination "\Device\Ip"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0F13#4&1e5e1293&0#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\00000064"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY3"
.\debug.cpp(400) : Destination "\Device\Video2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\E:"
.\debug.cpp(400) : Destination "\Device\CdRom2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0662&SUBSYS_105B0DF2&REV_1001#4&2c9307f7&0&0201#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\00000070"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPSECDev"
.\debug.cpp(400) : Destination "\Device\IPSEC"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCSI#CdRom&Ven_QFK&Prod_MZOHAJ4HE&Rev_1.03#5&36e5972&0&010#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Scsi\asnlvldr1Port3Path0Target1Lun0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_19d2&Pid_0031&MI_01#6&28dd5ef7&0&0001#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"
.\debug.cpp(400) : Destination "\Device\0000007c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\avgio"
.\debug.cpp(400) : Destination "\Device\avgio"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY4"
.\debug.cpp(400) : Destination "\Device\Video3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB20#4&97309fc&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-4"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANIP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000031"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{98d80fc2-f183-11de-93d6-806d6172696f}"
.\debug.cpp(400) : Destination "\Device\Floppy0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{eeab7790-c514-11d1-b42b-00805fc1270e}#asyncmac#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\KSENUM#0000000a"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDPROXY"
.\debug.cpp(400) : Destination "\Device\NDProxy"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9aa4a2cc-81e0-4cfd-802f-0f74526d2bd3}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCSI#CdRom&Ven_QFK&Prod_MZOHAJ4HE&Rev_1.03#5&36e5972&0&010#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Scsi\asnlvldr1Port3Path0Target1Lun0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0662&SUBSYS_105B0DF2&REV_1001#4&2c9307f7&0&0201#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\00000070"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_19d2&Pid_0031&MI_01#6&28dd5ef7&0&0001#{c88e99de-6905-47d6-ae7e-a110aa903b98}"
.\debug.cpp(400) : Destination "\Device\0000007c"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_27C9&SUBSYS_0DF2105B&REV_01#3&2411e6fe&0&E9#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0006"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3c0d501a-140b-11d1-b40f-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{fd0a5af4-b41d-11d2-9c95-00c04f7971e0}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{DB7D22B0-B0B3-4C85-B18D-EFD86309BC96}"
.\debug.cpp(400) : Destination "\Device\{DB7D22B0-B0B3-4C85-B18D-EFD86309BC96}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\RdpDrDvMgr"
.\debug.cpp(400) : Destination "\Device\RdpDrDvMgr"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{0d40596c-f9f9-11de-93f2-00226861af02}"
.\debug.cpp(400) : Destination "\Device\CdRom2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&37bf52fa&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\WMIDataDevice"
.\debug.cpp(400) : Destination "\Device\WMIDataDevice"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\F:"
.\debug.cpp(400) : Destination "\Device\CdRom1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM1"
.\debug.cpp(400) : Destination "\Device\Serial0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#8&2942c0c1&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHP_DVD_Writer_200j______________________1.36____#5&210095b5&0&0.0.0#{1186654d-47b8-48b9-beb9-7df113ae3c67}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP0T0L0-3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{dff220f3-f70f-11d0-b917-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\avgntflt"
.\debug.cpp(400) : Destination "\FileSystem\Filters\avgntflt"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0303#4&1e5e1293&0#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\00000065"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev0"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_23#_0#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
.\debug.cpp(400) : Destination "\Device\00000040"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PIPE"
.\debug.cpp(400) : Destination "\Device\NamedPipe"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c5066e-72c1-11d2-9755-0000f8004788}"
.\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{2eb07ea0-7e70-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0662&SUBSYS_105B0DF2&REV_1001#4&2c9307f7&0&0201#{dda54a40-1e4c-11d1-a050-405705c10000}"
.\debug.cpp(400) : Destination "\Device\00000070"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_041e&Pid_4034#5&2f245085&0&1#{6994ad05-93ef-11d0-a3cc-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\USBPDO-5"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev1"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\G:"
.\debug.cpp(400) : Destination "\Device\CdRom3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PSched"
.\debug.cpp(400) : Destination "\Device\PSched"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_19d2&Pid_0031&MI_03#6&28dd5ef7&0&0003#{c88e99de-6905-47d6-ae7e-a110aa903b98}"
.\debug.cpp(400) : Destination "\Device\0000007e"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\UNC"
.\debug.cpp(400) : Destination "\Device\Mup"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev2"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPNAT"
.\debug.cpp(400) : Destination "\Device\IPNAT"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_0622&SUBSYS_00000000&REV_A1#4&b5a4e3&0&0008#{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0015"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{0a4252a0-7e70-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{DF1210A4-888C-493B-9A6C-295CAA888F3A}"
.\debug.cpp(400) : Destination "\Device\{DF1210A4-888C-493B-9A6C-295CAA888F3A}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\GEARAspiWDMDevice"
.\debug.cpp(400) : Destination "\Device\GEARAspiWDMDevice"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD0"
.\debug.cpp(400) : Destination "\Device\USBFDO-0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgrMsg"
.\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgrMsg"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_19d2&Pid_0031&MI_03#6&28dd5ef7&0&0003#{2c7089aa-2e0e-11d1-b114-00c04fc2aae4}"
.\debug.cpp(400) : Destination "\Device\0000007e"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev3"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Tcp"
.\debug.cpp(400) : Destination "\Device\Tcp"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0510#4&1e5e1293&0#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000063"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#Disk&Ven_ZTE&Prod_MMC_Storage&Rev_2.31#7&a37a6e2&0&P673A3H3GD010000&1#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\00000082"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\LCD"
.\debug.cpp(400) : Destination "\Device\VideoPdo0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM6"
.\debug.cpp(400) : Destination "\Device\QCUSB_COM6_1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_19d2&Pid_0031#P673A3H3GD010000#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
.\debug.cpp(400) : Destination "\Device\USBPDO-6"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_041e&Pid_4034#5&2f245085&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
.\debug.cpp(400) : Destination "\Device\USBPDO-5"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev4"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd4"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_27CA&SUBSYS_0DF2105B&REV_01#3&2411e6fe&0&EA#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0007"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD1"
.\debug.cpp(400) : Destination "\Device\USBFDO-1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PTIMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000037"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM7"
.\debug.cpp(400) : Destination "\Device\QCUSB_COM7_1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\RivaTuner32"
.\debug.cpp(400) : Destination "\Device\RivaTuner32"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PRN"
.\debug.cpp(400) : Destination "\DosDevices\LPT1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive0"
.\debug.cpp(400) : Destination "\Device\Harddisk0\DR0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev5"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd5"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{CFBB1CE9-9D90-48E1-8F64-1D73673E738B}"
.\debug.cpp(400) : Destination "\Device\{CFBB1CE9-9D90-48E1-8F64-1D73673E738B}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD2"
.\debug.cpp(400) : Destination "\Device\USBFDO-2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{cf1dda2c-9743-11d0-a3ee-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{53172480-4791-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\H:"
.\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\sysaudio"
.\debug.cpp(400) : Destination "\Device\sysaudio"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive1"
.\debug.cpp(400) : Destination "\Device\Harddisk1\DR2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM8"
.\debug.cpp(400) : Destination "\Device\QCUSB_COM8_1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\fsWrap"
.\debug.cpp(400) : Destination "\Device\FsWrap"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev6"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd6"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD3"
.\debug.cpp(400) : Destination "\Device\USBFDO-3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{97ebaacb-95bd-11d0-a3ea-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000034"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom0"
.\debug.cpp(400) : Destination "\Device\CdRom0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{ba33b750-f182-11de-918d-806d6172696f}"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FDC#GENERIC_FLOPPY_DRIVE#5&278ba93&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\FloppyPDO0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev7"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd7"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD4"
.\debug.cpp(400) : Destination "\Device\USBFDO-4"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom1"
.\debug.cpp(400) : Destination "\Device\CdRom1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\MipIrpFlt"
.\debug.cpp(400) : Destination "\Device\MipIrpFlt"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&Signature41524151Offset7E00Length3A380D0200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHP_DVD_Writer_200j______________________1.36____#5&210095b5&0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP0T0L0-3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_041e&Pid_4034#5&2f245085&0&1#{6bdd1fc6-810f-11d0-bec7-08002be2092f}"
.\debug.cpp(400) : Destination "\Device\USBPDO-5"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev8"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd8"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom2"
.\debug.cpp(400) : Destination "\Device\CdRom2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#FixedButton#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination "\Device\00000047"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Global"
.\debug.cpp(400) : Destination "\GLOBAL??"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{EA2CEE46-255E-4BE2-AF5F-C5BDE4BC7CFF}"
.\debug.cpp(400) : Destination "\Device\{EA2CEE46-255E-4BE2-AF5F-C5BDE4BC7CFF}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCSI#CdRom&Ven_QFK&Prod_MZOHAJ4HE&Rev_1.03#5&36e5972&0&000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Scsi\asnlvldr1Port3Path0Target0Lun0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom3"
.\debug.cpp(400) : Destination "\Device\CdRom3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev9"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd9"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"
.\debug.cpp(400) : Destination "\Device\00000062"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50671-72c1-11d2-9755-0000f8004788}"
.\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Secdrv"
.\debug.cpp(400) : Destination "\Device\Secdrv"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#ThermalZone#THRM#{4afa3d51-74a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) : Destination "\Device\00000046"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#CdRom&Ven_HSPA&Prod_USB_SCSI_CD-ROM&Rev_2.31#7&a37a6e2&0&P673A3H3GD010000&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\00000081"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3e227e76-690d-11d2-8161-0000f8775bf1}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#CdRom&Ven_HSPA&Prod_USB_SCSI_CD-ROM&Rev_2.31#7&a37a6e2&0&P673A3H3GD010000&0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\00000081"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad809c00-7b88-11d0-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9ea331fa-b91b-45f8-9285-bd2bc77afcde}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_27CC&SUBSYS_0DF2105B&REV_01#3&2411e6fe&0&EF#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0009"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{3EA2FF8F-D427-479B-BAF6-28167CFC1A36}"
.\debug.cpp(400) : Destination "\Device\{3EA2FF8F-D427-479B-BAF6-28167CFC1A36}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNPA000#4&5d18f2df&0#{2accfe60-c130-11d2-b082-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\00000049"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{07dad660-22f1-11d1-a9f4-00c04fbbde8f}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\{E7E2FA0E-4EC8-496C-9943-1ADE7DF4566F}"
.\debug.cpp(400) : Destination "\Device\{E7E2FA0E-4EC8-496C-9943-1ADE7DF4566F}"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#8&2942c0c1&0&RM#{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{4d36e978-e325-11ce-bfc1-08002be10318}"
.\debug.cpp(400) : Destination "\Device\00000062"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{98d80fc3-f183-11de-93d6-806d6172696f}"
.\debug.cpp(400) : Destination "\Device\CdRom0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_19d2&Pid_0031&MI_00#6&28dd5ef7&0&0000#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"
.\debug.cpp(400) : Destination "\Device\0000007b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_27CB&SUBSYS_0DF2105B&REV_01#3&2411e6fe&0&EB#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0008"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&1119f944&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\MountPointManager"
.\debug.cpp(400) : Destination "\Device\MountPointManager"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50674-72c1-11d2-9755-0000f8004788}"
.\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0662&SUBSYS_105B0DF2&REV_1001#4&2c9307f7&0&0201#{65e8773e-8f56-11d0-a3b9-00a0c9223196}"
.\debug.cpp(400) : Destination "\Device\00000070"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ssmctl"
.\debug.cpp(400) : Destination "\Device\ssmctl"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&4554f2f&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_8086&DEV_27C8&SUBSYS_0DF2105B&REV_01#3&2411e6fe&0&E8#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
.\debug.cpp(400) : Destination "\Device\NTPNP_PCI0005"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_L2TPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000030"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmConfig"
.\debug.cpp(400) : Destination "\Device\DmControl\DmConfig"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCSI#CdRom&Ven_QFK&Prod_MZOHAJ4HE&Rev_1.03#5&36e5972&0&000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Scsi\asnlvldr1Port3Path0Target0Lun0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\WanArp"
.\debug.cpp(400) : Destination "\Device\WANARP"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#CdRomHP_DVD_Writer_200j______________________1.36____#5&210095b5&0&0.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP0T0L0-3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev10"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd10"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0662&SUBSYS_105B0DF2&REV_1001#4&2c9307f7&0&0201#{86841137-ed8e-4d97-9975-f2ed56b4430e}"
.\debug.cpp(400) : Destination "\Device\00000070"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#ftdisk#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\00000003"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_041e&Pid_4034#5&2f245085&0&1#{fb6c428a-0353-11d1-905f-0000c0cc16ba}"
.\debug.cpp(400) : Destination "\Device\USBPDO-5"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev11"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd11"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmTrace"
.\debug.cpp(400) : Destination "\Device\DmControl\DmTrace"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\A:"
.\debug.cpp(400) : Destination "\Device\Floppy0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev12"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd12"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&22500a87&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) : Destination "\Device\USBPDO-3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISWANIP"
.\debug.cpp(400) : Destination "\Device\NdisWanIp"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#dmio#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\00000002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ASYNCMAC"
.\debug.cpp(400) : Destination "\Device\ASYNCMAC"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{bf963d80-c559-11d0-8a2b-00a0c9255ac1}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{fbf6f530-07b9-11d2-a71e-0000f8004788}"
.\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_19d2&Pid_0031&MI_00#6&28dd5ef7&0&0000#{c88e99de-6905-47d6-ae7e-a110aa903b98}"
.\debug.cpp(400) : Destination "\Device\0000007b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi0:"
.\debug.cpp(400) : Destination "\Device\Ide\IdePort0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev20"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd20"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev13"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd13"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev21"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd21"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev14"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd14"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev22"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd22"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev15"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd15"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{4747b320-62ce-11cf-a5d6-28db04c10000}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPTPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\00000033"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK1"
.\debug.cpp(400) : Destination "\Device\ParTechInc0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{2706c302-f212-11de-93db-00226861af02}"
.\debug.cpp(400) : Destination "\Device\CdRom1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{a7c7a5b1-5af3-11d1-9ced-00a024bf0407}"
.\debug.cpp(400) : Destination "\Device\0000003b"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISTAPI"
.\debug.cpp(400) : Destination "\Device\NdisTapi"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NdisWan"
.\debug.cpp(400) : Destination "\Device\NdisWan"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\AscKmd"
.\debug.cpp(400) : Destination "\Device\AscKmd"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IDE#DiskSTM3250318AS____________________________CC37____#5&18134b26&0&0.1.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) : Destination "\Device\Ide\IdeDeviceP1T1L0-e"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi1:"
.\debug.cpp(400) : Destination "\Device\Ide\IdePort1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev16"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd16"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPMULTICAST"
.\debug.cpp(400) : Destination "\Device\IPMULTICAST"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK2"
.\debug.cpp(400) : Destination "\Device\ParTechInc1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmLoader"
.\debug.cpp(400) : Destination "\Device\DmLoader"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Shadow"
.\debug.cpp(400) : Destination "\Device\LanmanRedirector"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev17"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd17"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK3"
.\debug.cpp(400) : Destination "\Device\ParTechInc2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\ZTE Proprietary USB Modem"
.\debug.cpp(400) : Destination "\Device\0000007e"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgr"
.\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgr"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev18"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd18"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_IRDAMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) : Destination "\Device\0000002f"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\FtControl"
.\debug.cpp(400) : Destination "\Device\FtControl"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
.\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\MAILSLOT"
.\debug.cpp(400) : Destination "\Device\MailSlot"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\AUX"
.\debug.cpp(400) : Destination "\DosDevices\COM1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCDEmuDev19"
.\debug.cpp(400) : Destination "\Device\SCDEmu\SCDEmuCd19"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{d6b3fad6-ca65-11df-958e-9db6baff5083}"
.\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{d6b3fad5-ca65-11df-958e-9db6baff5083}"
.\debug.cpp(400) : Destination "\Device\CdRom3"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT"
.\debug.cpp(400) : Destination ""
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ndisuio"
.\debug.cpp(400) : Destination "\Device\Ndisuio"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\0000003a"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi2:"
.\debug.cpp(400) : Destination "\Device\Ide\IdePort2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\NUL"
.\debug.cpp(400) : Destination "\Device\Null"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
.\debug.cpp(400) : Destination "\Device\00000039"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\avipbb"
.\debug.cpp(400) : Destination "\Device\avipbb"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\DmInfo"
.\debug.cpp(400) : Destination "\Device\DmControl\DmInfo"
.\debug.cpp(409) : --
.\debug.cpp(453) : **********************************************
.\boot_cleaner.cpp(565) : System volume is \\.\C:
.\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
.\boot_cleaner.cpp(276) : Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd
.\boot_cleaner.cpp(1060) :
.\boot_cleaner.cpp(1061) : Size Device Name MBR Status
.\boot_cleaner.cpp(1062) : --------------------------------------------
.\boot_cleaner.cpp(1106) : 232 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
.\boot_cleaner.cpp(1112) :
.\boot_cleaner.cpp(1151) : Done;

###########################

Asimov, Apr 15, 2011

#5
Asimov Newcomer, in training

Combofix log:

ComboFix 11-04-14.03 - Dan 04/15/2011 14:52:29.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1595 [GMT 1:00]
Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-15 to 2011-04-15 )))))))))))))))))))))))))))))))
.
.
2011-04-15 13:39 . 2011-04-15 13:39 -------- d-----w- c:\windows\LastGood
2011-04-14 22:14 . 2011-04-14 22:31 -------- d-----w- C:\TDSSKiller_Quarantine
2011-04-13 21:39 . 2011-04-13 21:39 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-13 16:14 . 2011-04-13 16:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-04-13 16:10 . 2011-04-13 16:10 -------- d-----w- c:\documents and settings\Dan\Application Data\Malwarebytes
2011-04-13 16:10 . 2011-04-13 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-13 16:10 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-13 16:09 . 2011-04-13 16:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-13 16:09 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-12 19:38 . 2011-04-12 19:38 -------- d-----w- c:\documents and settings\Administrator\PrivacIE
2011-04-12 19:25 . 2011-04-12 19:25 -------- d-----w- c:\program files\Common Files\Java
2011-04-07 19:12 . 2011-04-12 22:10 -------- d-----w- c:\documents and settings\Dan\Application Data\DivX
2011-04-07 19:00 . 2011-04-12 22:10 -------- d-----w- c:\program files\DivX
2011-04-07 18:57 . 2011-04-12 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2011-03-24 23:17 . 2011-03-24 23:17 83249512 ----a-w- c:\program files\Common Files\Windows Live\.cache\wlc48.tmp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2008-04-14 04:42 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe" [2009-08-22 2781184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12669544]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"PD0620 STISvc"="P0620Pin.dll" [2005-05-10 36864]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
.
c:\documents and settings\Dan\Start Menu\Programs\Startup\
Registration Heroes of Might & Magic 5.LNK - c:\program files\Ubisoft\Heroes of Might and Magic V\registration\RegistrationReminder.exe [2011-1-24 868352]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /installquiet
"RTHDCPL"=RTHDCPL.EXE
"Alcmtr"=ALCMTR.EXE
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"DXDllRegExe"=c:\windows\system32\dxdllreg.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Codemasters\\DiRT2\\dirt2_game.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/26/2009 12:13 AM 691696]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [8/11/2010 10:28 PM 2855440]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/7/2010 8:09 PM 108289]
R2 BecHelperService;BecHelperService;c:\program files\3 Mobile Broadband\3Connect\BecHelperService.exe [9/27/2010 7:35 PM 1737464]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/12/2010 8:23 PM 135664]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [12/10/2009 3:39 AM 65536]
S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [8/11/2010 10:28 PM 73728]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [9/27/2010 7:34 PM 9216]
S3 U400bus;LGE U400 driver (WDM);c:\windows\system32\drivers\U400bus.sys [8/27/2010 10:45 PM 61440]
S3 U400mdfl;LGE U400 USB WMC Modem Filter;c:\windows\system32\drivers\U400mdfl.sys [8/27/2010 10:45 PM 9264]
S3 U400mdm;LGE U400 USB WMC Modem Driver;c:\windows\system32\drivers\U400mdm.sys [8/27/2010 10:45 PM 96960]
S3 U400mgmt;LGE U400 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\U400mgmt.sys [8/27/2010 10:45 PM 88528]
S3 U400obex;LGE U400 USB WMC OBEX Interface;c:\windows\system32\drivers\U400obex.sys [8/27/2010 10:45 PM 86336]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-12 19:23]
.
2011-04-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-12 19:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-15 14:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1390067357-220523388-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5e,be,06,e1,95,12,f8,54,06,63,69,4f,cd,7e,b9,7a,98,6c,e1,29,a9,a1,ee,
e9,17,1a,81,b1,c2,31,d1,0a,4a,a5,ec,89,33,a4,23,24,17,95,54,5f,de,1a,43,d9,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
.
[HKEY_USERS\S-1-5-21-1390067357-220523388-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:02,28,6a,1f,6d,8a,15,98,a4,3d,3a,e4,5f,85,f2,7d,c2,d0,1d,cc,91,
f0,8c,34,7d,71,13,c0,79,3c,e1,ce,47,5f,43,73,62,8b,e5,7f,2c,d2,08,31,dd,5e,\
"rkeysecu"=hex:8f,e6,f9,2e,39,4a,ee,29,f1,5e,3d,dd,32,c3,d0,1b
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2736)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-15 14:55:59
ComboFix-quarantined-files.txt 2011-04-15 13:55
.
Pre-Run: 185,935,450,112 bytes free
Post-Run: 185,939,931,136 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 66CA4282347E4FEE68A4A12100913CBA

Asimov, Apr 15, 2011

#6
Bobbye Helper on the Fringe

Question: Have you or the Administrator intentionally disabled the startup of some programs using a Registry Edit?

Bobbye, Apr 15, 2011

#7
Asimov Newcomer, in training

Not intentionally no. Before finding this site I did do a registry check through CCLeaner, however I did a system restore after reading the 8 point checklist.

Asimov, Apr 15, 2011

#8
Bobbye Helper on the Fringe

My suggestion is to remove CCleaner. You don't need a program that cleans the Registry! It is safer to have a program like TFC.

I would also like to recommend that you uninstall Emsisoft Anti-Malware 5.0 It is reviewed to find malware well but fails in the removal of it. It also erroneously flagged several valid programs as specific, named malware, and its behavior-based detection kills both good and bad programs.

I will be glad to give you recommendations for other security programs.
=====================================
The processes below are what I'm referring to as being disabled to start:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /installquiet
"RTHDCPL"=RTHDCPL.EXE
"Alcmtr"=ALCMTR.EXE
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"DXDllRegExe"=c:\windows\system32\dxdllreg.exe

It you don't want programs to start on boot, they can be unchecked on the Startup menu using msconfig. The above would appear to stop the programs from running at all.
======================================
Please update Java: Check this site .Java Updates Uninstall Java v6u17 and any other earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

I'll be back in the morning with script to run in Combofix. Let me know about those disabled programs.

Bobbye, Apr 15, 2011

#9
Asimov Newcomer, in training

I've removed Emisoft Anti malware and the old version of Java as recommended. However.. following automatic updates installed last night, I now have a windows validation error which says my version of windows did not pass genuine Windows Validation. I have the blue star in my task bar and a microsoft logo on my desktop.

I've run a microsoft genuine advantage diagnostic tool and it's confirmed that my product key is now blocked.

Is there anything I can do about this?

Also with reference to the disabled programs I can confirm I've never used msconfig to prevent programs from starting on boot.

Asimov, Apr 16, 2011

#10
Bobbye Helper on the Fringe
Well, it is still morning by 2 minutes!

Do you know what the update was that installed last night? Did the validation error show up before or after the install? Check the Add/Remove Programs in the Control Panel. be sure 'show updates' at the top is checked. Find the last update and give me the number.
====================================
To remove entries from the Startup Menu using the msconfig utility:

Click on Start> Run> type in msconfig> enter>

Click on Selective Startup

Choose the Startup tab:

All images courtesy NetSquirrel

To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.

Uncheck any processes you don't want to start on boot.f

Click on Apply> OK when finished.

NOTE:
When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Remain in Selective Startup to retain those changes.
====================================
Please run this scan:
Download CKScanner and save to your desktop.

Doubleclick CKScanner.exe and click Search For Files.

When the cursor hourglass disappears, click Save List To File.

A message box will verify that the file is saved.

Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
in your next reply.

=====================================
Please run this Custom CFScript:

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.

Code:

File:: c:\windows\system32\zdcndis5.sys c:\program files\common files\windows live\.cache\wlc48.tmp c:\program files\emsisoft anti-malware\a2service.exe Folder:: C:\TDSSKiller_Quarantine DDS:: StartupFolder: c:\docume~1\dan\startm~1\programs\startup\regist~1.lnk - c:\program files\ubisoft\heroes of might and magic v\registration\RegistrationReminder.exe DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab RegNull:: [HKEY_USERS\S-1-5-21-1390067357-220523388-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*] [HKEY_USERS\S-1-5-21-1390067357-220523388-725345543-1003\Software\SecuROM\License information*] Driver:: ZDCndis5 a2AntiMalware

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
You might want to read up on this in Google News: Internet poker houses charged with fraud. PokerStars is included:
http://www.bloomberg.com/news/2011-...rged-with-fraud-money-laundering-by-u-s-.html
Bobbye, Apr 16, 2011

#11
Asimov Newcomer, in training

Logs from CKScanner and ComboFix are below.

There were 21 updates installed, from the Microsoft website it appears 20 of them were security updates to prevent remote attacks - I wonder if the rootkit had been preventing these from being downloaded. The one relevant to the verification issue is the following:

"Update for Windows XP (KB2524375) Brief Description

--------------------------------------------------------------------------------
Install this update to resolve an issue which requires an update to the certificate revocation list on Windows systems and to keep your systems certificate list up to date."

This has resulted in WfaTray.exe being run on startup which pastes a 'genuine microsoft logo' permanently on my desktop and pop ups at regular intervals.

The good news is that there are no further signs of any infection and firewall + antivirus are on as normal at startup.

Thanks for the info on the poker sites by the way, very interesting.

CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\partygaming\partycasino\language\en_us\images\flashlobby\lobby\safecrackerkeno.swf
c:\program files\partygaming\partycasino\language\en_us\images\flashlobby\lobby\safecrackerkeno_popup.swf
c:\program files\ubisoft\heroes of might and magic v\editor\iconcache\advmapobjectlink\mapobjects\_(advmapobjectlink)\objects-lava\lavacracks\lavacrack3x2_1
c:\program files\ubisoft\heroes of might and magic v\editor\iconcache\advmapobjectlink\mapobjects\_(advmapobjectlink)\objects-lava\lavacracks\lavacrack3x2_2
c:\program files\ubisoft\heroes of might and magic v\editor\iconcache\advmapobjectlink\mapobjects\_(advmapobjectlink)\objects-lava\lavacracks\lavacrack3x2_3
c:\program files\ubisoft\heroes of might and magic v\editor\iconcache\advmapobjectlink\mapobjects\_(advmapobjectlink)\objects-lava\lavacracks\lavacrack3x2_4
c:\program files\ubisoft\heroes of might and magic v\editor\iconcache\advmapobjectlink\mapobjects\_(advmapobjectlink)\objects-lava\lavacracks\lavacrack5x3_1
c:\program files\ubisoft\heroes of might and magic v\editor\iconcache\advmapobjectlink\mapobjects\_(advmapobjectlink)\objects-lava\lavacracks\lavacrack5x3_2
c:\program files\ubisoft\heroes of might and magic v\editor\iconcache\advmapobjectlink\mapobjects\_(advmapobjectlink)\objects-lava\lavacracks\lavacrack5x3_3
c:\program files\ubisoft\heroes of might and magic v\editor\iconcache\advmapobjectlink\mapobjects\_(advmapobjectlink)\objects-lava\lavacracks\lavacrack5x3_4
c:\program files\ubisoft\heroes of might and magic v\editor\iconcache\advmapobjectlink\mapobjects\_(advmapobjectlink)\objects-lava\lavacracks\lavacrack7x2_1
c:\program files\ubisoft\heroes of might and magic v\editor\iconcache\advmapobjectlink\mapobjects\_(advmapobjectlink)\objects-lava\lavacracks\lavacrack7x4_1
c:\program files\ubisoft\heroes of might and magic v\editor\iconcache\advmapobjectlink\mapobjects\_(advmapobjectlink)\objects-lava\lavacracks\lavacrack7x5_1
c:\program files\ubisoft\heroes of might and magic v\editor\iconcache\advmaptile\mapobjects\_(advmaptile)\sand\sand_cracked
scanner sequence 3.IE.11
----- EOF -----

####################

ComboFix 11-04-15.06 - Dan 04/16/2011 18:28:58.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1564 [GMT 1:00]
Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dan\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
FILE ::
"c:\program files\common files\windows live\.cache\wlc48.tmp"
"c:\program files\emsisoft anti-malware\a2service.exe"
"c:\windows\system32\zdcndis5.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\dan\startm~1\programs\startup\regist~1.lnk
c:\program files\common files\windows live\.cache\wlc48.tmp
c:\program files\ubisoft\heroes of might and magic v\registration\RegistrationReminder.exe
C:\TDSSKiller_Quarantine
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\mbr0000\object.ini
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\mbr0000\tsk0000.dta
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\mbr0000\tsk0000.ini
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\object.ini
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\object.ini
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0000.dta
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0000.ini
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0001.dta
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0001.ini
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0002.dta
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0002.ini
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0003.dta
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0003.ini
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0004.dta
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0004.ini
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0005.dta
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0005.ini
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0006.dta
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0006.ini
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0007.dta
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0007.ini
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0008.dta
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0008.ini
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0009.dta
c:\tdsskiller_quarantine\14.04.2011_23.12.19\boot0000\tdlfs0000\tsk0009.ini
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\mbr0000\object.ini
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\mbr0000\tsk0000.dta
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\mbr0000\tsk0000.ini
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\object.ini
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\object.ini
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0000.dta
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0000.ini
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0001.dta
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0001.ini
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0002.dta
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0002.ini
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0003.dta
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0003.ini
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0004.dta
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0004.ini
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0005.dta
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0005.ini
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0006.dta
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0006.ini
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0007.dta
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0007.ini
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0008.dta
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0008.ini
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0009.dta
c:\tdsskiller_quarantine\14.04.2011_23.24.50\boot0000\tdlfs0000\tsk0009.ini
c:\tdsskiller_quarantine\14.04.2011_23.30.54\susp0000\object.ini
c:\tdsskiller_quarantine\14.04.2011_23.30.54\susp0000\svc0000\object.ini
c:\tdsskiller_quarantine\14.04.2011_23.30.54\susp0000\svc0000\tsk0000.dta
c:\tdsskiller_quarantine\14.04.2011_23.30.54\susp0000\svc0000\tsk0000.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_ZDCndis5
.
.
((((((((((((((((((((((((( Files Created from 2011-03-16 to 2011-04-16 )))))))))))))))))))))))))))))))
.
.
2011-04-16 15:13 . 2011-04-16 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-04-16 14:49 . 2011-04-16 14:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-16 14:49 . 2011-04-16 14:49 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-16 14:13 . 2011-04-16 14:13 -------- d-----w- c:\windows\LastGood.Tmp
2011-04-16 13:57 . 2011-04-16 13:57 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-15 19:12 . 2011-04-16 13:56 -------- d-----w- c:\program files\Mozilla Firefox(2)
2011-04-13 16:14 . 2011-04-13 16:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-04-13 16:10 . 2011-04-13 16:10 -------- d-----w- c:\documents and settings\Dan\Application Data\Malwarebytes
2011-04-13 16:10 . 2011-04-13 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-13 16:10 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-13 16:09 . 2011-04-13 16:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-13 16:09 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-12 19:38 . 2011-04-12 19:38 -------- d-----w- c:\documents and settings\Administrator\PrivacIE
2011-04-12 19:25 . 2011-04-12 19:25 -------- d-----w- c:\program files\Common Files\Java
2011-04-07 19:12 . 2011-04-12 22:10 -------- d-----w- c:\documents and settings\Dan\Application Data\DivX
2011-04-07 19:00 . 2011-04-12 22:10 -------- d-----w- c:\program files\DivX
2011-04-07 18:57 . 2011-04-12 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-22 11:41 . 2008-04-13 23:07 385024 ----a-w- c:\windows\system32\html.iec
2011-01-21 14:44 . 2008-04-14 04:42 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-16_17.24.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-16 17:32 . 2011-04-16 17:32 16384 c:\windows\temp\Perflib_Perfdata_694.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe" [2009-08-22 2781184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12669544]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"PD0620 STISvc"="P0620Pin.dll" [2005-05-10 36864]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /installquiet
"RTHDCPL"=RTHDCPL.EXE
"Alcmtr"=ALCMTR.EXE
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"DXDllRegExe"=c:\windows\system32\dxdllreg.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Codemasters\\DiRT2\\dirt2_game.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/26/2009 12:13 AM 691696]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/7/2010 8:09 PM 108289]
R2 BecHelperService;BecHelperService;c:\program files\3 Mobile Broadband\3Connect\BecHelperService.exe [9/27/2010 7:35 PM 1737464]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/12/2010 8:23 PM 135664]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [12/10/2009 3:39 AM 65536]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [9/27/2010 7:34 PM 9216]
S3 U400bus;LGE U400 driver (WDM);c:\windows\system32\drivers\U400bus.sys [8/27/2010 10:45 PM 61440]
S3 U400mdfl;LGE U400 USB WMC Modem Filter;c:\windows\system32\drivers\U400mdfl.sys [8/27/2010 10:45 PM 9264]
S3 U400mdm;LGE U400 USB WMC Modem Driver;c:\windows\system32\drivers\U400mdm.sys [8/27/2010 10:45 PM 96960]
S3 U400mgmt;LGE U400 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\U400mgmt.sys [8/27/2010 10:45 PM 88528]
S3 U400obex;LGE U400 USB WMC OBEX Interface;c:\windows\system32\drivers\U400obex.sys [8/27/2010 10:45 PM 86336]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-12 19:23]
.
2011-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-12 19:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-16 18:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3180)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\WgaTray.exe
c:\windows\system32\RunDLL32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-04-16 18:35:23 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-16 17:35
ComboFix2.txt 2011-04-16 17:25
ComboFix3.txt 2011-04-15 13:55
.
Pre-Run: 184,860,106,752 bytes free
Post-Run: 184,764,891,136 bytes free
.
- - End Of File - - 80DFF680AEB283DA1761B0E3A0A77714

Asimov, Apr 16, 2011

#12
Bobbye Helper on the Fringe

Ha! I can't begin to relate how interesting some of my searches are! For instance, anything with the word 'crack', 'cracked' or 'keygen' is automatically suspect. But how to enter the search word isn't always easy:
For instance: 'lavacracks', single word, will only give me an image someone left in image shack of- guess what> cracks in lava! But Google suggests I search for Lava Cracks, a bit better because I find it's a photoshop plugin to make the textures of lava cracks. Imagine that!

Continuing on this same line, I look for 'sand cracks'- depending entirely on which site I choose, I am told:
1.It's the horn of the foot (Horse site)
2. A rum/coconut drink named 'Sand in the Crack.'

So it appears that I need to drastically modify my search> so I try this "ubisoft\heroes of might and magic v\editor\iconcache" which is what I should have started with! Please tell me you came by all of these honestly!
============================================
Regarding Update for Windows XP (KB2524375): You meant you got WgaTray.exe on the Taskbar, right> I note many other had a problem with this update. You may have gotten off easy! See this thread:
Microsoft Social TechNet
===========================================
Regarding the list of run-disabled programs: Please do the following:
1. Make sure you can open/start any of the programs.
2. Make sure 1 or 2 are on the Start Menu. Reboot the computer. Do the programs start?
If there is a problem starting them, I will then make a registry change with script.
==========================================
Hope you don't mind my dabbling in the ridiculous! Every once in a while I have to make sure I have a sense of humor buried somewhere!

Bobbye, Apr 16, 2011

#13
Asimov Newcomer, in training

No not at all it's interesting to see how much detective work is involved !

Thanks for the link to the WgaTray thread, it was quite an easy fix in the end to prevent it from running at start up, however I guess it'll mean turning off automatic updates to prevent it reinstalling itself. Compared to problems other people have had I definitely got off lightly !

I did what you suggested with the list of run disabled programs, making sure a couple of them were on start menu after rebooting, and they started fine.

No other issues - however I'd be grateful for any advice on how to prevent this kind of infection in future

Asimov, Apr 16, 2011

#14
Bobbye Helper on the Fringe
however I guess it'll mean turning off automatic updates to prevent it reinstalling itself.

A better suggestion is one of the following:
1. Choose 'download but don't install'- notify me first
or
2. Don't download OR install- notify me.

In either of the above choices, you can check each update and decide which you want.
The only auto-update I allow is the AV program. Nothing else is 'automatic.' I don't like programs slipping updates on to my system. It puts a bit more responsibility on the user to check, but it also stops the programs from contacting the internet every day, several times a day, looking for an update that may come only every few months! And in some cases, such as Java and the Adobe Reader, it helps you remember to uninstall the old version because the programs don't overwrite.
=========================================
Maybe this will remove the try icon- but you will also have to uncheck it on the Startup menu:
Please run this Custom CFScript:

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.

Code:

File:: c:\windows\system32\WgaTray.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt. I do not need to see this log:
===================================
Back to this group again> I did not make any change with the Registry entry, but an FYI to you>> none of these need to start on boot!

"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /installquiet
"RTHDCPL"=RTHDCPL.EXE
"Alcmtr"=ALCMTR.EXE
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"DXDllRegExe"=c:\windows\system32\dxdllreg.exe

=================================
Looks like you may have inadvertently downloaded and installed twice:(2)
2011-04-16 13:56 -------- d-----w- c:\program files\Mozilla Firefox.
===============================
Run this last scan. After I check the log, I'll have your remove the cleaning tools. Then I will give you some security tips:
Download HijackThis and save to your desktop.

Extract it to a directory on your hard drive called c:\HijackThis.

Then navigate to that directory and double-click on the hijackthis.exe file.

When started click on the Scan button and then the Save Log button to create a log of your information.

The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad

Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.

Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Bobbye, Apr 17, 2011

#15
Asimov Newcomer, in training

Sorted, the annoying wgatray has disappeared. I've changed the automatic updates to notify me first and also noticed an HOURLY google toolbar update which was in scheduled updates - explains why my bandwidth would drop suddenly for a few minutes every hour.. surely hourly updates are a bit excessive?!

Hijackthis log is below.

With reference to those programs which you advised were not required on startup, would it be best to remove these from booting via ms config, or would you prefer to do a registry edit?

"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /installquiet
"RTHDCPL"=RTHDCPL.EXE
"Alcmtr"=ALCMTR.EXE
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"DXDllRegExe"=c:\windows\system32\dxdllreg.exe

--------------------------------

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:10:15 PM, on 4/18/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\3 Mobile Broadband\3Connect\Wilog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Dan\LOCALS~1\Temp\Rar$EX02.734\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe" /S
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Dan\Desktop\PartyPoker.lnk
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Dan\Desktop\PartyPoker.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E12A03E0-357A-4D08-9D38-720A10A03941}: NameServer = 217.171.132.1 217.171.135.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: BecHelperService - Unknown owner - C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe

--
End of file - 7040 bytes

Asimov, Apr 18, 2011

#16
Asimov Newcomer, in training

Aaaargh Avira has just identified the following virus:

Virus or unwanted program 'JS/Dldr.FakeAV.D [virus]'
detected in file 'C:\Documents and Settings\Dan\Local Settings\Application Data\Mozilla\Firefox\Profiles\lu58s0aq.default\Cache\9\39\0FE7Ed01.
Action performed: Move file to quarantine

I don't know if it's related, but Windows Firewall is temporarily disabled at startup for about a minute, at which point it then turns itself back on.

Stubborn little infection isn't it...

Asimov, Apr 19, 2011

#17
Bobbye Helper on the Fringe
surely hourly updates are a bit excessive?!

About the Google Toolbar Notifier. I can't count how many times I've killed that updater! The very idea that a search toolbar needs to be in constant contact with the internet looking for updates is beyond me! I've seriously even considered removing it at times!

About Avast finding the JS 'virus': This is no biggie- you do have an antivirus program to both prevent and remove viruses. Please do the following for this:
To clear the Java Plug-in cache:

[1]. Click Start > Control Panel.
[2]. Double-click the Java icon in the control panel. The Java Control Panel appears.

[3].Click Settings under Temporary Internet Files.The Temporary Files Settings dialog box appears.
[4] Click Delete Files.The Delete Temporary Files dialog box appears.

There are three options on this window to clear the cache.Check all.

. Delete Files

.View Applications

.View Applets
[5]. Click OK on Delete Temporary Files window.
Note: This deletes all the Downloaded Applications and Applets from the cache.
[6]. Click Apply> OK on Temporary Files Settings window.

Note: If you want to delete a specific application and applet from the cache, click on View Application and View Applet options respectively.
=======================================

With reference to those programs which you advised were not required on startup, would it be best to remove these from booting via ms config,

Some help here, you finish with msconfig.
======================================
Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [PD0620 STISvc] RunDLL32.exe P0620Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Dan\Desktop\PartyPoker.lnk
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Documents and Settings\Dan\Desktop\PartyPoker.lnk
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe

Close all Windows except HijackThis and click on "Fix Checked."
=====================================
Boot into Safe Mode

Restart your computer and start pressing the F8 key on your keyboard.

Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Start> run type in services.msc> enter> Find each of the following and set Startup Type as given:

gupdate> Disable> Stop Service

iPod> Manual

Java Quick Start (jqs)> Disable> Stop Service

NMIIndexing> Disable> Stop Service

nvsvc> Manual

pgsql-8.3> Manual
When finished, exit Services
Reboot into Normal Mode.

==============================================
To keep the processes you checked above in HijackThis from starting on boot, use msconfig to uncheck the entries on the Startup Menu. Then rescan with Combofix and if there are any entries still loading on boot, I'll remove them.
===============================================
Take auto-startups off programs as follows:
Use Windows Explorer> Windows key + E> My computer> Double click on Local Drive(C)> Programs> find the following and change as given:
ADOBE READER:
[1]. Use msconfig to UNCHECK all; Adobe Reader entries> Apply> OK
[2]. Open the Adobe Reader and Disable all Toolbars-unless you use the PDF feature frequently.
[3]. Change the Adobe LM Service to Manual Startup.
JAVA:
[1] UNCHECK all Java entries on the Startup menu: Start> Run> msconfig> enter> Selective Startup Startup tab.
[2] Open IE> Tools> Manage add-ons> right click on Java (tm) Plug-In 2 SSV Helper' (jp2ssv.dll> Click on and Disable Java Plugin2 and Java Quick Start.
[3] Stop auto update:. Control Panel> Java> Update tab> UNCHECK 'check automatically for updates'> Apply> Click YES when asked to confirm> OK
QUICK TIME
[1]. Use msconfig to UNCHECK any QuickTime entries on Startup> Apply> OK
[2]. Disable tray icon: Right-click on the icon and select QuickTime Preferences > Browser Plugin. Clear the check box next to "QuickTime system tray icon," and then close the settings box. The icon won't appear anymore.
[3]. Rename the qttask.exe file: Right click on Start> Explore> Programs> QuickTime directory> right click on qttask.exe> rename to qttask.exeold.
ITUNES Big resource user!
iTunesHelper.exe
Background task installed by Apple's iTunes music player and also by version 7 of QuickTime which now comes inseparably bundled with iTunes. It is thought that this task used to be a 3rd party add-on program in the early days of Apple's iPod when its iTunes software was incompatible with many CD-Writers. This task does not need to be installed as a startup since iTunes starts it up anyway when it needs it.
1. UNCHECK on Startup menu using msconfig. It uses nearly 6MB of memory.
Bobbye, Apr 19, 2011

#18
Asimov Newcomer, in training

Excellent that's done the trick, Firewall is now on straight away on start up, Google update, itunes helper and all their memory hogging friends have all disappeared too, confirmed by Combofix - notable decrease in time taken to start up as well.

Thank you for all your help Bobbye you've been a massive help. Any last steps I should be taking now everything's sorted?

Asimov, Apr 20, 2011

#19
Bobbye Helper on the Fringe
You are very welcome! Last steps- you bet!
Removing all of the tools we used and the files and folders they created

Uninstall ComboFix and all Backups of the files it deleted

Click START> then RUN

Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.[/img]

Download OTCleanIt by OldTimer and save it to your Desktop.

Double click OTCleanIt.exe.

Click the CleanUp! button.

If you are prompted to Reboot during the cleanup, select Yes.

The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.

Go to Start > All Programs > Accessories > System Tools

Click "System Restore".

Choose "Create a Restore Point" on the first screen then click "Next".

Give the Restore Point a name> click "Create".

Go back and follow the path to > System Tools.
[*]Choose Disc Cleanup
[*]Click "OK" to select the partition or drive you want.
[*]Click the "More Options" Tab.
[*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin
================================
And to help keep it clean: Tips for added security and safer browsing: (Links are in Bold Blue)

Browser Security
[o] Safe Settings
[o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
[o] Replace the Host Files
[o] Google Toolbar Pop Up Blocker
[o]Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.

Have layered Security:
[o]Antivirus :(only one):Both of the following programs are free and known to be good:
[o]Avira-AntiVir-Personal-Free-Antivirus
[o]Avast Free Version
[o]Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
[o]Comodo
[o]Zone Alarm

Antimalware: I recommend all of the following:
[o]Spywareblaster: SpywareBlaster protects against bad ActiveX.
[o]Spybot Search & Destroy

Updates: Stay current:
[o] the Microsoft Download Sitefrequently. All updates marked Critical and the current SP updates.
[o]Adobe Reader Install current, uninstall old.
[o]Java Updates Install current, uninstall old.

Tracking Cookies
Reset Cookie:
[o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
[o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
AdBlock Plus
Easy List
[o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.

Do regular Maintenance
[o] Temporary File Cleaner

Restore Points:
[o]See System Restore Guide

Safe Email Handling
[o] Don't open email from anyone you don't know.
[o] Don't open Attachments in the email. Safe to your desktop and scan for viruses using a right click
[o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.

Please let me know if you find any bad link.
Bobbye, Apr 20, 2011

#20

(You must log in or sign up to reply here.)

Page 1 of 2

Thread Status:: Not open for further replies.

TechSpot | Technology News and Analysis
Copyright © 1998-2012, TechSpot, Inc.
Forum software by XenForo™
TechSpot is a registered trademark
All Rights Reserved