Solved Being redirected, can't Windows Update or post to this site

Rstynls

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4937

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/24/2010 11:13:35 AM
mbam-log-2010-10-24 (11-13-35).txt

Scan type: Quick scan
Objects scanned: 153496
Time elapsed: 7 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\herjek.config (Malware.Trace) -> Quarantined and deleted successfully.

GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-24 12:08:12
Windows 5.1.2600 Service Pack 3
Running: srxsv2jd.exe; Driver: C:\DOCUME~1\Tom\LOCALS~1\Temp\kgroypow.sys


---- System - GMER 1.0.15 ----

SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwClose [0xECC9FCF0]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwCreateKey [0xECC9FBAC]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwDeleteKey [0xECCA0160]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwDeleteValueKey [0xECCA008A]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwDuplicateObject [0xECC9F782]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwOpenKey [0xECC9FC86]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwOpenProcess [0xECC9F6C2]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwOpenThread [0xECC9F726]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwQueryValueKey [0xECC9FDA6]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwRenameKey [0xECCA022E]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwRestoreKey [0xECC9FD66]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwSetValueKey [0xECC9FEE6]

Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwCreateProcessEx [0xECCACBAE]
Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwCreateSection [0xECCAC9D2]
Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwLoadDriver [0xECCACB0C]
Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  NtCreateSection
Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ObInsertObject
Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE  ntkrnlpa.exe!ZwLoadDriver  805795FA 7 Bytes  JMP ECCACB10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE  ntkrnlpa.exe!NtCreateSection  805A075C 7 Bytes  JMP ECCAC9D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE  ntkrnlpa.exe!ObMakeTemporaryObject  805B1CE0 5 Bytes  JMP ECCA85D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE  ntkrnlpa.exe!ObInsertObject  805B8B58 5 Bytes  JMP ECCA9FFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE  ntkrnlpa.exe!ZwCreateProcessEx  805C73EA 7 Bytes  JMP ECCACBB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
?  omtl.sys  The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\System32\svchost.exe[1176] ntdll.dll!NtProtectVirtualMemory  7C90D6EE 5 Bytes  JMP 00D0000A
.text  C:\WINDOWS\System32\svchost.exe[1176] ntdll.dll!NtWriteVirtualMemory  7C90DFAE 5 Bytes  JMP 00D1000A
.text  C:\WINDOWS\System32\svchost.exe[1176] ntdll.dll!KiUserExceptionDispatcher  7C90E47C 5 Bytes  JMP 00CF000C
.text  C:\WINDOWS\System32\svchost.exe[1176] USER32.dll!GetCursorPos  7E42974E 5 Bytes  JMP 0171000A
.text  C:\WINDOWS\System32\svchost.exe[1176] ole32.dll!CoCreateInstance  774FF1AC 5 Bytes  JMP 00EA000A
.text  C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1796] kernel32.dll!SetUnhandledExceptionFilter  7C84495D 4 Bytes  [C2, 04, 00, 90] {RET 0x4; NOP }
.text  C:\WINDOWS\Explorer.EXE[1808] ntdll.dll!NtProtectVirtualMemory  7C90D6EE 5 Bytes  JMP 00C9000A
.text  C:\WINDOWS\Explorer.EXE[1808] ntdll.dll!NtWriteVirtualMemory  7C90DFAE 5 Bytes  JMP 00D2000A
.text  C:\WINDOWS\Explorer.EXE[1808] ntdll.dll!KiUserExceptionDispatcher  7C90E47C 5 Bytes  JMP 00C8000C

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\WINDOWS\system32\services.exe[848] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]  003B0002
IAT  C:\WINDOWS\system32\services.exe[848] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]  003B0000

---- Devices - GMER 1.0.15 ----

Device  \FileSystem\Ntfs \Ntfs  aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice  \FileSystem\Ntfs \Ntfs  aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice  \Driver\Tcpip \Device\Ip  aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice  \Driver\Tcpip \Device\Tcp  aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice  \Driver\Tcpip \Device\Udp  aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice  \Driver\Tcpip \Device\RawIp  aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device  \Driver\viasraid -> DriverStartIo \Device\Scsi\viasraid1  8705C292
Device  \Device\Scsi\viasraid1Port3Path0Target0Lun0 -> \??\SCSI#Disk&Ven_VIA_SATA&Prod__RAID_0&Rev_#4&17c50b7c&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}  device not found

---- Modules - GMER 1.0.15 ----

Module  (noname) (*** hidden *** )  02000000-03F8F000 (33091584 bytes)

---- EOF - GMER 1.0.15 ----


DDS (Ver_10-10-21.02) - NTFSx86
Run by Tom at 12:12:16.81 on Sun 10/24/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.284 [GMT -7:00]

AV: The Shield Deluxe Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\RSSoft\RedSwoosh.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\F5D8053v4\BelkinWCUI.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tom\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = About:Blank
uSearch Bar = About:Blank
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = About:Blank
uSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
mSearch Bar = about:blank
mSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = About:Blank
mSearchURL = about:blank
mSearchAssistant = about:blank
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {e3bb3f2a-8f67-4b96-a432-8190258c0fd1} - c:\windows\system32\rqRKEXnO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &ESPN: {ae6f2894-af10-4c9c-b16e-1dfc6ff8c0c6} - c:\program files\espn\toolbar\DIGToolBar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RemoteCenter] c:\program files\creative\mediasource\remotecontrol\RCMan.EXE
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Red Swoosh] c:\program files\rssoft\RedSwoosh.exe /S
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDet.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [DIGServices] c:\program files\espnruntime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
mRun: [LXSUPMON] c:\windows\system32\LXSUPMON.EXE RUN
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\tom\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\tom\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d8053v4\BelkinWCUI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\loadou~1.lnk - c:\program files\belkin\nostromo\nost_LM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: aol.com\free
Trusted Zone: microsoft.com\v4.windowsupdate
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www
DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxps://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&6&04.00.08.43&unknown&unknown&http://www.toyota.com/vehicles/2005/prius/key_features/pc/index.html
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://active.macromedia.com/flash2/cabs/swflash.cab
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRKEXnO
LSA: Notification Packages = scecli c:\windows\system32\kejajumo.dll

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\VIASRAID.SYS [2010-5-13 77056]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-31 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-31 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-31 40384]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2010-9-13 308656]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [2004-12-4 16168]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-31 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-31 40384]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2009-1-12 517632]
S1 MpKsl8e8849bf;MpKsl8e8849bf;\??\c:\windows\system32\mpenginestore\mpksl8e8849bf.sys --> c:\windows\system32\mpenginestore\MpKsl8e8849bf.sys [?]
S2 tcaicchg;tcaicchg;\??\c:\windows\system32\tcaicchg.sys --> c:\windows\system32\tcaicchg.sys [?]
S2 TCAITDI;TCAITDI Protocol;c:\windows\system32\drivers\tcaitdi.sys --> c:\windows\system32\drivers\TCAITDI.sys [?]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2003-7-23 22821]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\program files\lavalys\everest ultimate edition\kerneld.wnt --> c:\program files\lavalys\everest ultimate edition\kerneld.wnt [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2008-12-23 552448]

=============== Created Last 30 ================

2010-10-24 08:50:42  --------  d-----w-  c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2010-10-24 08:50:40  --------  d-----w-  c:\program files\McAfee Security Scan
2010-10-15 05:40:07  974848  -c----w-  c:\windows\system32\dllcache\mfc42.dll
2010-10-15 05:40:07  953856  -c----w-  c:\windows\system32\dllcache\mfc40u.dll
2010-10-15 05:39:58  617472  -c----w-  c:\windows\system32\dllcache\comctl32.dll
2010-10-04 18:50:10  --------  d-----w-  c:\program files\iTunes
2010-10-04 18:48:04  159744  ----a-w-  c:\program files\internet explorer\plugins\npqtplugin7.dll
2010-10-04 18:48:04  159744  ----a-w-  c:\program files\internet explorer\plugins\npqtplugin6.dll
2010-10-04 18:48:04  159744  ----a-w-  c:\program files\internet explorer\plugins\npqtplugin5.dll
2010-10-04 18:48:04  159744  ----a-w-  c:\program files\internet explorer\plugins\npqtplugin4.dll
2010-10-04 18:48:04  159744  ----a-w-  c:\program files\internet explorer\plugins\npqtplugin3.dll
2010-10-04 18:48:04  159744  ----a-w-  c:\program files\internet explorer\plugins\npqtplugin2.dll
2010-10-04 18:48:04  159744  ----a-w-  c:\program files\internet explorer\plugins\npqtplugin.dll
2010-10-04 18:46:00  --------  d-----w-  c:\program files\Bonjour
2010-09-26 15:43:59  --------  d-----w-  c:\docume~1\tom\applic~1\OpenOffice.org
2010-09-26 15:07:51  --------  d-----w-  c:\program files\JRE
2010-09-26 15:07:11  --------  d-----w-  c:\program files\OpenOffice.org 3
2010-09-26 15:06:54  472808  ----a-w-  c:\windows\system32\deployJava1.dll
2010-09-26 03:29:51  421888  ----a-w-  c:\windows\system32\EKIJ5000MON.dll
2010-09-26 03:29:51  196608  ----a-w-  c:\windows\system32\spool\prtprocs\w32x86\EKIJ5000PPR.dll
2010-09-26 03:29:51  131072  ----a-w-  c:\windows\system32\EKIJCOINST09.dll

==================== Find3M ====================

2010-09-18 19:23:26  974848  ----a-w-  c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25  974848  ----a-w-  c:\windows\system32\mfc42.dll
2010-09-18 06:53:25  954368  ----a-w-  c:\windows\system32\mfc40.dll
2010-09-18 06:53:25  953856  ----a-w-  c:\windows\system32\mfc40u.dll
2010-09-15 09:29:49  73728  ----a-w-  c:\windows\system32\javacpl.cpl
2010-09-10 05:58:08  916480  ----a-w-  c:\windows\system32\wininet.dll
2010-09-10 05:58:06  43520  ----a-w-  c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06  1469440  ----a-w-  c:\windows\system32\inetcpl.cpl
2010-09-08 18:17:46  94208  ----a-w-  c:\windows\system32\QuickTimeVR.qtx
2010-09-08 18:17:46  69632  ----a-w-  c:\windows\system32\QuickTime.qts
2010-09-07 15:12:17  38848  ----a-w-  c:\windows\avastSS.scr
2010-09-01 11:51:14  285824  ----a-w-  c:\windows\system32\atmfd.dll
2010-08-31 13:42:52  1852800  ----a-w-  c:\windows\system32\win32k.sys
2010-08-27 08:02:29  119808  ----a-w-  c:\windows\system32\t2embed.dll
2010-08-27 05:57:43  99840  ----a-w-  c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45  5120  ----a-w-  c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04  617472  ----a-w-  c:\windows\system32\comctl32.dll
2010-08-17 13:17:06  58880  ----a-w-  c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00  590848  ----a-w-  c:\windows\system32\rpcrt4.dll
2010-07-28 01:44:10  91424  ----a-w-  c:\windows\system32\dnssd.dll
2010-07-28 01:44:10  107808  ----a-w-  c:\windows\system32\dns-sd.exe

============= FINISH: 12:13:23.48 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-21.02)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 6/26/2006 5:00:51 PM
System Uptime: 10/24/2010 11:14:49 AM (1 hours ago)

Motherboard: ASUSTeK Computer Inc. | | SK8V
Processor: AMD Athlon(tm) 64 FX-51 Processor | Socket 754 | 2202/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 224 GiB total, 157.514 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: RAID Controller
Device ID: PCI\VEN_105A&DEV_3373&SUBSYS_80F51043&REV_02\3&267A616A&0&40
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_105A&DEV_3373&SUBSYS_80F51043&REV_02\3&267A616A&0&40
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 3Com Gigabit LOM (3C940)
Device ID: PCI\VEN_10B7&DEV_1700&SUBSYS_80EB1043&REV_12\3&267A616A&0&50
Manufacturer: 3Com
Name: 3Com Gigabit LOM (3C940)
PNP Device ID: PCI\VEN_10B7&DEV_1700&SUBSYS_80EB1043&REV_12\3&267A616A&0&50
Service: EL2000

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: MAC Bridge Miniport
Device ID: ROOT\MS_BRIDGEMP\0000
Manufacturer: Microsoft
Name: MAC Bridge Miniport
PNP Device ID: ROOT\MS_BRIDGEMP\0000
Service: BridgeMP

==== System Restore Points ===================

RP1290: 8/1/2010 1:25:04 AM - System Checkpoint
RP1291: 8/2/2010 1:37:37 AM - System Checkpoint
RP1292: 8/2/2010 11:21:35 PM - Software Distribution Service 3.0
RP1293: 8/5/2010 10:28:05 PM - System Checkpoint
RP1294: 8/8/2010 11:14:40 PM - System Checkpoint
RP1295: 8/11/2010 10:21:24 PM - System Checkpoint
RP1296: 8/12/2010 10:23:37 PM - System Checkpoint
RP1297: 8/12/2010 11:32:51 PM - Software Distribution Service 3.0
RP1298: 8/15/2010 2:08:05 AM - System Checkpoint
RP1299: 8/16/2010 2:15:57 AM - System Checkpoint
RP1300: 8/22/2010 3:44:26 PM - System Checkpoint
RP1301: 8/25/2010 9:51:31 PM - System Checkpoint
RP1302: 8/28/2010 8:01:29 PM - System Checkpoint
RP1303: 8/29/2010 8:38:14 PM - System Checkpoint
RP1304: 8/30/2010 9:27:05 PM - System Checkpoint
RP1305: 8/31/2010 9:28:31 PM - System Checkpoint
RP1306: 9/3/2010 7:30:31 PM - System Checkpoint
RP1307: 9/4/2010 8:30:58 PM - System Checkpoint
RP1308: 9/12/2010 9:50:32 PM - System Checkpoint
RP1309: 9/15/2010 10:55:46 PM - Software Distribution Service 3.0
RP1310: 9/17/2010 8:48:56 PM - System Checkpoint
RP1311: 9/18/2010 9:36:20 PM - System Checkpoint
RP1312: 9/19/2010 9:59:03 PM - System Checkpoint
RP1313: 9/21/2010 9:19:54 PM - System Checkpoint
RP1314: 9/22/2010 10:16:56 PM - System Checkpoint
RP1315: 9/23/2010 7:04:51 AM - Software Distribution Service 3.0
RP1316: 9/25/2010 7:04:42 PM - System Checkpoint
RP1317: 9/26/2010 8:06:35 AM - Installed Java(TM) 6 Update 20
RP1318: 9/26/2010 8:07:07 AM - Installed OpenOffice.org 3.2
RP1319: 9/27/2010 8:47:15 AM - System Checkpoint
RP1320: 9/28/2010 11:44:04 PM - Software Distribution Service 3.0
RP1321: 10/2/2010 6:37:13 PM - System Checkpoint
RP1322: 10/3/2010 6:53:41 PM - System Checkpoint
RP1323: 10/4/2010 9:25:51 PM - System Checkpoint
RP1324: 10/5/2010 11:45:43 PM - System Checkpoint
RP1325: 10/7/2010 11:25:04 PM - Software Distribution Service 3.0
RP1326: 10/9/2010 7:26:46 PM - System Checkpoint
RP1327: 10/10/2010 7:46:02 PM - System Checkpoint
RP1328: 10/11/2010 8:46:08 PM - System Checkpoint
RP1329: 10/13/2010 9:24:28 PM - System Checkpoint
RP1330: 10/14/2010 11:22:17 PM - Software Distribution Service 3.0
RP1331: 10/16/2010 8:23:35 PM - System Checkpoint
RP1332: 10/17/2010 9:05:51 PM - System Checkpoint
RP1333: 10/20/2010 7:51:48 PM - System Checkpoint
RP1334: 10/21/2010 8:47:19 PM - System Checkpoint
RP1335: 10/22/2010 10:00:42 PM - System Checkpoint
RP1336: 10/24/2010 1:52:40 AM - Installed Java(TM) 6 Update 22

==== Installed Programs ======================

3Com NIC Diagnostics
3ivx D4 4.5.1 (remove only)
AC3Filter (remove only)
ACDSee
Ad-Aware SE Personal
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0.8
Adobe Stock Photos 1.0
aiofw
aioprnt
aioscnnr
AKoff Music Composer
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AsfTools 3.1 (remove only)
avast! Free Antivirus
AVI to MPEG Converter
AVIcodec (remove only)
Belkin N Wireless USB Adapter Setup
BitTorrent
BLM 2.5.3
Bonjour
C4USelfUpdater
center
CleanUp!
Codec Pack - All In 1 6.0.3.0
Creative MediaSource
Creative System Information
Critical Update for Windows Media Player 11 (KB959772)
DataPilot
DataPilot USB Driver Pack
Direct Show Ogg Vorbis Filter (remove only)
DivX Codec 3.1alpha release
Easy CD & DVD Creator 6
eMule
EQ2MAP Updater 0.9.7
ESPN Java Check
ESPN RunTime
EVEREST Ultimate Edition v5.01
EverQuest II
FavOrg
ffdshow [rev 2527] [2008-12-19]
FinePixViewer Ver.4.2
FLV Player 2.0 (build 25)
Forté Agent
FUJIFILM USB Driver
GetBot
GSpot Codec Information Appliance
HijackThis 1.99.1
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
ImageMixer VCD2 for FinePix
Intel A/V Codecs V2.0
InterVideo DVDCopy5
iPhone Configuration Utility
iPod for Windows 2005-11-17
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 7
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java Auto Updater
Java(TM) 6 Update 22
Java(TM) SE Runtime Environment 6 Update 1
KODAK AiO Home Center
ksDIP
Lexmark Supplies Monitor
Lexmark Z25-Z35
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Master Cook Deluxe
MasterCook Deluxe
McAfee Security Scan Plus
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel Viewer 2003
Microsoft Office XP Standard for Students and Teachers
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MicroStaff WINASPI
MidiNotate Musician
Mozilla Firefox (3.0.10)
Mozilla Firefox (3.6.11)
MP3 WAV Converter 2.68
Mpeg Layer3 Codec FHG-Radium v1.263
MSN Music Assistant
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
Nostromo Array Programming Software
NVIDIA Drivers
On2 VP3 Video for Windows Codec
OpenOffice.org 3.2
Pixia
PreReq
QuickTime
RAW FILE CONVERTER LE
RealPlayer
Red Swoosh
SeaTools for Windows
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
SimilarImages
SkillJam SecurePlayer
Sound Blaster Audigy 2 ZS
Spelling Dictionaries For Adobe Reader Package
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
SpywareBlaster 4.1
TVAnts 1.0
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB Universal Driver
VCW VicMan's Photo Editor 7.9
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WD Diagnostics
WD Firewire HID Driver
WebFldrs XP
Winamp (remove only)
Windows 7 Upgrade Advisor
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB822603
Windows XP Service Pack 3
WinRAR archiver
Xilisoft DVD to iPod Converter
XviD MPEG-4 Video Codec
YASA DVD to MP4 Converter v2.9 (build 044)
YASA MP4 Video Converter v3.2 (build 0051)

==== Event Viewer Messages From Past Week ========

10/24/2010 10:56:30 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
10/24/2010 10:56:30 AM, error: Service Control Manager [7034] - The Kodak AiO Network Discovery Service service terminated unexpectedly. It has done this 1 time(s).
10/24/2010 10:56:30 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
10/24/2010 10:56:29 AM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
10/24/2010 10:56:29 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
10/24/2010 10:56:29 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/24/2010 10:47:34 AM, error: Service Control Manager [7034] - The Telephony service terminated unexpectedly. It has done this 8 time(s).
10/24/2010 10:47:34 AM, error: Service Control Manager [7034] - The System Event Notification service terminated unexpectedly. It has done this 8 time(s).
10/24/2010 10:47:34 AM, error: Service Control Manager [7034] - The Remote Access Connection Manager service terminated unexpectedly. It has done this 8 time(s).
10/24/2010 10:47:34 AM, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 8 time(s).
10/24/2010 10:47:34 AM, error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 4 time(s).
10/24/2010 10:47:34 AM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 8 time(s).
10/24/2010 10:47:34 AM, error: Service Control Manager [7031] - The Windows Time service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/24/2010 10:47:34 AM, error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 8 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/24/2010 10:03:08 AM, error: Service Control Manager [7000] - The 6to4 service failed to start due to the following error: The system cannot find the path specified.
10/24/2010 1:39:07 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/22/2010 9:33:43 PM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
10/22/2010 9:33:43 PM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
10/22/2010 9:33:43 PM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
10/22/2010 9:33:43 PM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/22/2010 9:33:41 PM, error: Service Control Manager [7000] - The TCAITDI Protocol service failed to start due to the following error: The system cannot find the file specified.
10/22/2010 9:33:41 PM, error: Service Control Manager [7000] - The tcaicchg service failed to start due to the following error: The system cannot find the file specified.
10/22/2010 9:33:41 PM, error: Service Control Manager [7000] - The PfModNT service failed to start due to the following error: The system cannot find the file specified.
10/22/2010 9:33:10 PM, error: iviVD [9] - The device, \Device\Scsi\iviVD1, did not respond within the timeout period.

==== End Of File ===========================
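The Event Viewer block above shows eight services all dying in the same second (10:47:34), several of them eight times over, and among them Cryptographic Services, which Windows Update depends on. On Windows XP those eight services (Telephony, SENS, RasMan, NLA, CryptSvc, COM+ Event System, W32Time and WMI) share one svchost.exe instance, the "netsvcs" group, together with Automatic Updates, so a single host crash explains the whole burst and the failing Windows Update. The script below is an added example for this thread, not part of any post here: it parses the Service Control Manager lines, groups terminations by timestamp, and separates a shared-host burst from unrelated third-party services stopping at once. The display-name-to-service mapping, the burst threshold and the sample lines (copied from the log above) are the editor's assumptions.

```python
"""Triage 'Service Control Manager' 7031/7034 events from an Event Viewer dump.

Added example for this thread (not from any post).  Groups 'terminated
unexpectedly' events by timestamp: several distinct services dying in the
same second is what one crashing svchost.exe looks like.  The NETSVCS map
(XP's shared 'netsvcs' host, which also hosts wuauserv / Automatic Updates)
and the burst threshold are the author's assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Event Viewer display name -> service name, for the services seen in the log.
NETSVCS = {
    "Telephony": "TapiSrv",
    "System Event Notification": "SENS",
    "Remote Access Connection Manager": "RasMan",
    "Network Location Awareness (NLA)": "Nla",
    "Cryptographic Services": "CryptSvc",
    "COM+ Event System": "EventSystem",
    "Windows Time": "W32Time",
    "Windows Management Instrumentation": "winmgmt",
}

# \W* tolerates the stray '*' the forum inserted where tabs used to be.
SCM_RE = re.compile(
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), error: "
    r"Service Control Manager \[(?P<eid>703[14])\]\W*The (?P<svc>.+?) service "
    r"terminated unexpectedly\.\W*It has done this (?P<n>\d+) time\(s\)"
)


def parse_scm_events(text):
    """Return one record per 7031/7034 line; every other event is ignored."""
    events = []
    for line in text.splitlines():
        m = SCM_RE.search(line)
        if m:
            events.append({
                "when": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
                "event_id": int(m["eid"]),
                "display_name": m["svc"],
                "service": NETSVCS.get(m["svc"]),   # None if not a netsvcs member
                "count": int(m["n"]),
            })
    return events


def find_bursts(events, min_services=3):
    """Group terminations by exact second; keep groups of >= min_services.

    'all_netsvcs' is True when every service in the burst lives in the shared
    netsvcs host, i.e. one host crash explains the whole group.  'recurring'
    is the highest 'It has done this N time(s)' counter in the group.
    """
    by_time = defaultdict(list)
    for e in events:
        by_time[e["when"]].append(e)
    bursts = []
    for when in sorted(by_time):
        group = by_time[when]
        if len(group) < min_services:
            continue
        known = sorted(e["service"] for e in group if e["service"])
        bursts.append({
            "when": when,
            "services": known,
            "all_netsvcs": len(known) == len(group),
            "recurring": max(e["count"] for e in group),
        })
    return bursts


# Sample input: lines copied from the Event Viewer section of this thread.
SAMPLE_LOG = """\
10/24/2010 10:56:30 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
10/24/2010 10:56:30 AM, error: Service Control Manager [7034] - The Kodak AiO Network Discovery Service service terminated unexpectedly. It has done this 1 time(s).
10/24/2010 10:56:30 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
10/24/2010 10:56:29 AM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
10/24/2010 10:56:29 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
10/24/2010 10:56:29 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/24/2010 10:47:34 AM, error: Service Control Manager [7034] - The Telephony service terminated unexpectedly. It has done this 8 time(s).
10/24/2010 10:47:34 AM, error: Service Control Manager [7034] - The System Event Notification service terminated unexpectedly. It has done this 8 time(s).
10/24/2010 10:47:34 AM, error: Service Control Manager [7034] - The Remote Access Connection Manager service terminated unexpectedly. It has done this 8 time(s).
10/24/2010 10:47:34 AM, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 8 time(s).
10/24/2010 10:47:34 AM, error: Service Control Manager [7034] - The Cryptographic Services service terminated unexpectedly. It has done this 4 time(s).
10/24/2010 10:47:34 AM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 8 time(s).
10/24/2010 10:47:34 AM, error: Service Control Manager [7031] - The Windows Time service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/24/2010 10:47:34 AM, error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 8 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/24/2010 10:03:08 AM, error: Service Control Manager [7000] - The 6to4 service failed to start due to the following error: The system cannot find the path specified.
"""

if __name__ == "__main__":
    for b in find_bursts(parse_scm_events(SAMPLE_LOG)):
        kind = "shared netsvcs host crash" if b["all_netsvcs"] else "unrelated services"
        print(f"{b['when']:%Y-%m-%d %H:%M:%S}  {len(b['services']) or '-'} netsvcs  "
              f"recurring x{b['recurring']}  -> {kind}")
```

Run on the sample, the 10:47:34 group is flagged as a netsvcs host crash that has recurred eight times, while the two 10:56 groups (NVIDIA, Kodak, Java, Creative, Bonjour, Apple) contain no netsvcs members and are left as ordinary third-party stops.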
 
You have a CoolWebSearch malware infection. It is strange that MBAM didn't pick more of it up. You have several old versions of Java, all vulnerabilities, and two versions of Firefox; one, Mozilla Firefox (3.0.10), is way out of date, also a vulnerability.

1. Please download randmbam.exe.
It will try to create random names and shortcuts for Malwarebytes' Anti-Malware (MBAM) if you have it installed already. Once done, run a new scan with MBAM.

2. Security Check
Download Security Check and save it to your Desktop.
  • Double-click SecurityCheck.exe to run.
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post this log in your next reply.
==============================
3. Run the ESET NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  4. When asked, allow the ActiveX control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this in your post.
======================================
4. Please download ComboFix from Here and save it to your Desktop.

  [1]. Do NOT rename ComboFix unless instructed.
  [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  [3]. Close any open browsers.
  [4]. Double-click combofix.exe & follow the prompts to run.
  • NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If ComboFix asks you to install the Recovery Console, please allow it.
  [6]. If ComboFix asks you to update the program, always allow.
  • Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
  [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with ComboFix.

Do the best you can. These programs will remove some of the malware and give me information for entries to be removed. Leave all logs in your next reply; it is okay to use multiple posts.
 
Thanks
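The ComboFix log posted below carries a handful of settings a helper reads first: under "security center" both AntiVirusOverride and FirewallOverride are 1, the standard-profile firewall policy has EnableFirewall=0 and DisableNotifications=1, one port (9322/TCP, EKDiscovery) is globally open, and the browser search settings are shown partly as hex strings and with http defanged to hxxp. The two Override values are also written by third-party suites when they register with Security Center (avast and an outdated Shield Deluxe are both present on this machine), so a hit is a prompt to confirm who set them, not proof of malware. The script below is an added example written for this thread, not ComboFix's own code or anything from the posts: it extracts those indicators, decodes the hex search URLs and checks their hosts against an allow list. Which values count as weak and which search hosts are expected are the editor's assumptions; the sample text is copied from the log that follows.

```python
"""Read security-posture indicators out of a ComboFix 'Reg Loading Points' /
'Supplementary Scan' dump.

Added example for this thread, not ComboFix's own code.  The WEAK_SETTINGS
values and the allow list of search hosts are the author's assumptions.
"""
import re
from urllib.parse import urlparse

# Setting -> value worth a question.  Third-party AV suites also set the two
# Override values when they register with Security Center, so a hit means
# "confirm who set this", not "malware".
WEAK_SETTINGS = {
    "AntiVirusOverride": 1,     # Security Center stops warning about AV state
    "FirewallOverride": 1,      # ... and about the firewall
    "EnableFirewall": 0,        # Windows Firewall off in the standard profile
    "DisableNotifications": 1,  # firewall block notifications suppressed
}

SETTING_RE = re.compile(r'^"?(?P<name>\w+)"?\s*=\s*(?P<val>\S.*)$')
PORT_RE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"\s*=\s*(?P=port):(?P=proto):(?P<name>\S+)')
BROWSER_RE = re.compile(
    r"^(?P<key>[um](?:Start Page|Default_Search_URL|SearchMigratedDefaultURL|"
    r"Search Bar|SearchAssistant|SearchURL))\s*=\s*(?P<val>\S+)")


def _reg_value(raw):
    """'dword:00000001' -> 1 (REG_DWORD as hex); '0 (0x0)' -> 0 (policy style)."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return int(raw.split()[0], 10)


def find_weak_settings(text):
    """Return {setting: value} for every WEAK_SETTINGS entry at its weak value."""
    found = {}
    for line in text.splitlines():
        m = SETTING_RE.match(line.strip())
        if not m or m["name"] not in WEAK_SETTINGS:
            continue
        try:
            value = _reg_value(m["val"])
        except ValueError:
            continue
        if value == WEAK_SETTINGS[m["name"]]:
            found[m["name"]] = value
    return found


def find_open_ports(text):
    """(port, proto, name) for each GloballyOpenPorts entry."""
    return [(int(m["port"]), m["proto"], m["name"])
            for m in (PORT_RE.match(l.strip()) for l in text.splitlines()) if m]


def browser_settings(text):
    """Start page / search settings, hex values decoded and hxxp refanged."""
    out = {}
    for line in text.splitlines():
        m = BROWSER_RE.match(line.strip())
        if not m:
            continue
        val = m["val"]
        if len(val) >= 8 and len(val) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", val):
            val = bytes.fromhex(val).decode("latin-1")   # ComboFix hex-encodes these
        out[m["key"]] = re.sub(r"^hxxp", "http", val, flags=re.I)
    return out


def unexpected_hosts(settings, allowed=("www.google.com", "www.bing.com", "www.msn.com")):
    """Entries pointing at a host not on the allow list (about:blank has none)."""
    bad = []
    for key, url in settings.items():
        host = urlparse(url).hostname          # lower-cased by urlparse
        if host and host not in allowed:
            bad.append((key, url))
    return bad


# Sample input: lines copied from the ComboFix log in this thread.
SAMPLE_COMBOFIX = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"9322:TCP"= 9322:TCP:EKDiscovery

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = About:Blank
uSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
mSearch Bar = about:blank
mSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = About:Blank
mSearchURL = about:blank
"""

if __name__ == "__main__":
    print("weak settings:", find_weak_settings(SAMPLE_COMBOFIX))
    print("open ports:   ", find_open_ports(SAMPLE_COMBOFIX))
    decoded = browser_settings(SAMPLE_COMBOFIX)
    print("search/start: ", decoded)
    print("unexpected:   ", unexpected_hosts(decoded))
```

On this log the four weak settings and the Kodak discovery port are reported, the two hex strings decode to http://www.Google.com/, and no search setting points at an unexpected host, which is why the redirect complaint in this thread has to be chased through the BHO and Notify orphans rather than the search URLs.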

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4943

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/25/2010 10:51:19 AM
mbam-log-2010-10-25 (10-51-19).txt

Scan type: Quick scan
Objects scanned: 154737
Time elapsed: 7 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

avast! Free Antivirus
McAfee Security Scan Plus
```````````````````````````````
Anti-malware/Other Utilities Check:

Out of date Spybot installed!
Ad-Aware
Out of date HijackThis installed!
Malwarebytes' Anti-Malware
HijackThis 1.99.1
Hijackthis 1.99.1
Java(TM) 6 Update 22
Java(TM) SE Runtime Environment 6 Update 1
Out of date Java installed!
Adobe Flash Player 9 (Out of date Flash Player installed!)
Adobe Flash Player 10.1.85.3
Adobe Reader 7.0.8
Out of date Adobe Reader installed!
Mozilla Firefox (x86 en-US..) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Alwil Software Avast5 AvastSvc.exe
ALWILS~1 Avast5 avastUI.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=cd05b446a638da4ea8ee7160551946f8
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-25 07:47:10
# local_time=2010-10-25 12:47:10 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 15384598 15384598 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=166279
# found=6
# cleaned=0
# scan_time=3061
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde16.zip  Win32/Bagle.gen.zip worm  00000000000000000000000000000000  I
C:\New Folder\acdsee_3_retail\CORE99.EXE  a variant of Win32/Packed.PECrypt32.A application  00000000000000000000000000000000  I
C:\WINDOWS\system32\ajagebir.ini  Win32/Adware.Virtumonde.NEO application  00000000000000000000000000000000  I
C:\WINDOWS\system32\ehihidav.ini  Win32/Adware.Virtumonde.NEO application  00000000000000000000000000000000  I
C:\WINDOWS\system32\xrljfmos.ini  Win32/Adware.Virtumonde.NEO application  00000000000000000000000000000000  I
G:\Files\acdsee_3_retail\CORE99.EXE  a variant of Win32/Packed.PECrypt32.A application  00000000000000000000000000000000  I

ComboFix 10-10-24.06 - Tom 10/25/2010  13:43:11.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1023.715 [GMT -7:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: The Shield Deluxe Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\ystem~1
c:\windows\run.log
c:\windows\system32\_006046_.tmp.dll
c:\windows\system32\_006215_.tmp.dll
c:\windows\system32\_006216_.tmp.dll
c:\windows\system32\_006217_.tmp.dll
c:\windows\system32\_006218_.tmp.dll
c:\windows\system32\_006225_.tmp.dll
c:\windows\system32\_006226_.tmp.dll
c:\windows\system32\_006227_.tmp.dll
c:\windows\system32\ajagebir.ini
c:\windows\system32\ehihidav.ini
c:\windows\system32\xrljfmos.ini

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SERVICE


(((((((((((((((((((((((((   Files Created from 2010-09-25 to 2010-10-25   )))))))))))))))))))))))))))))))
.

2010-10-25 18:48 . 2010-10-25 18:48  --------  d-----w-  c:\program files\ESET
2010-10-24 12:30 . 2010-10-24 12:30  --------  d-----w-  c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-10-24 11:54 . 2010-10-24 11:54  --------  d-----w-  c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-10-24 08:50 . 2010-10-24 08:50  --------  d-----w-  c:\documents and settings\All Users\Application Data\McAfee
2010-10-24 08:50 . 2010-10-24 08:50  --------  d-----w-  c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-10-24 08:50 . 2010-10-24 08:50  --------  d-----w-  c:\program files\McAfee Security Scan
2010-10-15 05:40 . 2010-09-18 06:53  974848  -c----w-  c:\windows\system32\dllcache\mfc42.dll
2010-10-15 05:40 . 2010-09-18 06:53  953856  -c----w-  c:\windows\system32\dllcache\mfc40u.dll
2010-10-15 05:39 . 2010-08-23 16:12  617472  -c----w-  c:\windows\system32\dllcache\comctl32.dll
2010-10-04 18:50 . 2010-10-04 18:50  --------  d-----w-  c:\program files\iTunes
2010-10-04 18:48 . 2010-10-04 18:48  159744  ----a-w-  c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2010-10-04 18:48 . 2010-10-04 18:48  159744  ----a-w-  c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2010-10-04 18:48 . 2010-10-04 18:48  159744  ----a-w-  c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2010-10-04 18:48 . 2010-10-04 18:48  159744  ----a-w-  c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2010-10-04 18:48 . 2010-10-04 18:48  159744  ----a-w-  c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2010-10-04 18:48 . 2010-10-04 18:48  159744  ----a-w-  c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2010-10-04 18:48 . 2010-10-04 18:48  159744  ----a-w-  c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2010-10-04 18:47 . 2010-10-04 18:48  --------  d-----w-  c:\program files\QuickTime
2010-10-04 18:46 . 2010-10-04 18:46  --------  d-----w-  c:\program files\Bonjour
2010-09-26 15:43 . 2010-09-26 15:43  --------  d-----w-  c:\documents and settings\Tom\Application Data\OpenOffice.org
2010-09-26 15:07 . 2010-09-26 15:07  --------  d-----w-  c:\program files\JRE
2010-09-26 15:07 . 2010-09-26 15:07  --------  d-----w-  c:\program files\OpenOffice.org 3
2010-09-26 15:06 . 2010-09-15 11:50  472808  ----a-w-  c:\windows\system32\deployJava1.dll
2010-09-26 03:29 . 2010-09-02 15:21  131072  ----a-w-  c:\windows\system32\EKIJCOINST09.dll
2010-09-26 03:29 . 2010-09-02 15:17  196608  ----a-w-  c:\windows\system32\Spool\prtprocs\w32x86\EKIJ5000PPR.dll
2010-09-26 03:29 . 2010-09-02 15:17  421888  ----a-w-  c:\windows\system32\EKIJ5000MON.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 19:23 . 2001-08-18 12:00  974848  ----a-w-  c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2001-08-18 12:00  974848  ----a-w-  c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-18 12:00  954368  ----a-w-  c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-18 12:00  953856  ----a-w-  c:\windows\system32\mfc40u.dll
2010-09-15 09:29 . 2007-04-19 04:45  73728  ----a-w-  c:\windows\system32\javacpl.cpl
2010-09-10 05:58 . 2006-06-23 19:33  916480  ----a-w-  c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2006-06-27 01:29  43520  ----a-w-  c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2006-06-27 01:29  1469440  ----a-w-  c:\windows\system32\inetcpl.cpl
2010-09-08 18:17 . 2010-09-08 18:17  94208  ----a-w-  c:\windows\system32\QuickTimeVR.qtx
2010-09-08 18:17 . 2010-09-08 18:17  69632  ----a-w-  c:\windows\system32\QuickTime.qts
2010-09-07 15:12 . 2010-06-30 06:13  38848  ----a-w-  c:\windows\avastSS.scr
2010-09-07 15:11 . 2010-06-01 01:32  167592  ----a-w-  c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2010-06-01 01:32  46672  ----a-w-  c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2010-06-01 01:32  165584  ----a-w-  c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2010-06-01 01:32  23376  ----a-w-  c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2010-06-01 01:32  100176  ----a-w-  c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2010-06-01 01:32  94544  ----a-w-  c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2010-06-01 01:32  17744  ----a-w-  c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2010-06-01 01:32  28880  ----a-w-  c:\windows\system32\drivers\aavmker4.sys
2010-09-01 11:51 . 2001-08-18 12:00  285824  ----a-w-  c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2001-08-18 12:00  1852800  ----a-w-  c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2001-08-18 12:00  119808  ----a-w-  c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2001-08-18 12:00  99840  ----a-w-  c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2001-08-18 12:00  357248  ----a-w-  c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-19 05:52  5120  ----a-w-  c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2001-08-18 12:00  617472  ----a-w-  c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2005-06-10 23:55  58880  ----a-w-  c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-03-06 02:16  590848  ----a-w-  c:\windows\system32\rpcrt4.dll
2010-07-28 01:44 . 2010-07-28 01:44  91424  ----a-w-  c:\windows\system32\dnssd.dll
2010-07-28 01:44 . 2010-07-28 01:44  107808  ----a-w-  c:\windows\system32\dns-sd.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 139264]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Red Swoosh"="c:\program files\RSSoft\RedSwoosh.exe" [2007-07-19 62436]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-10-29 4620288]
"nwiz"="nwiz.exe" [2004-10-29 921600]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-10-29 86016]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
"CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-25 868352]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-06-24 319488]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2005-05-19 101888]
"WD Button Manager"="WDBtnMgr.exe" [2007-09-24 364544]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\Tom\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Belkin Wireless Networking Utility.lnk - c:\program files\Belkin\F5D8053v4\BelkinWCUI.exe [2009-1-12 1474560]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-12-30 303104]
Loadout Manager.lnk - c:\program files\Belkin\Nostromo\nost_LM.exe [2003-6-23 442368]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute  REG_MULTI_SZ  autocheck autochk *\0SsiEfr.e\0sprestrt

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
TCAUDIAG.exe -on [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 10:43  83608  ----a-w-  c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-31 00:45  313472  ----a-w-  c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery

R0 viasraid;viasraid;c:\windows\system32\drivers\VIASRAID.SYS [5/13/2010 5:35 AM 77056]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/31/2010 6:32 PM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/31/2010 6:32 PM 17744]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [9/13/2010 5:18 PM 308656]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [12/4/2004 10:17 AM 16168]
S1 MpKsl8e8849bf;MpKsl8e8849bf;\??\c:\windows\system32\MpEngineStore\MpKsl8e8849bf.sys --> c:\windows\system32\MpEngineStore\MpKsl8e8849bf.sys [?]
S2 tcaicchg;tcaicchg;\??\c:\windows\System32\tcaicchg.sys --> c:\windows\System32\tcaicchg.sys [?]
S2 TCAITDI;TCAITDI Protocol;c:\windows\system32\DRIVERS\TCAITDI.sys --> c:\windows\system32\DRIVERS\TCAITDI.sys [?]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [7/23/2003 12:16 PM 22821]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt --> c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [12/23/2008 7:17 PM 552448]
.
Contents of the 'Scheduled Tasks' folder

2010-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = About:Blank
uSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
mSearch Bar = about:blank
mSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = About:Blank
mSearchURL = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: microsoft.com\v4.windowsupdate
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www
.
- - - - ORPHANS REMOVED - - - -

BHO-{E3BB3F2A-8F67-4B96-A432-8190258C0FD1} - c:\windows\System32\rqRKEXnO.dll
HKLM-Run-LXSUPMON - c:\windows\System32\LXSUPMON.EXE
Notify-rqRIxxXn - (no file)
MSConfigStartUp-runner1 - c:\windows\retadpu72.exe
AddRemove-Ad-Aware SE Personal - c:\progra~1\Lavasoft\AD-AWA~1\UNWISE.EXE
AddRemove-eMule - c:\new folder\eMule\Uninstall.exe
AddRemove-EVEREST Ultimate Edition_is1 - c:\program files\Lavalys\EVEREST Ultimate Edition\unins000.exe
AddRemove-FLV Player - g:\files\FLV Player\uninst.exe
AddRemove-GSpot - c:\program files\GSpot\Uninstall.exe
AddRemove-HijackThis - c:\program files\Hijackthis\HijackThis.exe
AddRemove-Hijackthis_is1 - c:\program files\Hijackthis\unins000.exe
AddRemove-Lexmark Supplies Monitor - c:\windows\System32\LXSMUNIN.EXE
AddRemove-Mozilla Firefox (3.0.10) - c:\program files\Mozilla Firefox\uninstall\helper.exe
AddRemove-Mozilla Firefox (3.6.11) - g:\files\Mozilla Firefox\uninstall\helper.exe
AddRemove-Mozilla Firefox 4.0b6 (x86 en-US) - g:\files\Mozilla Firefox 4.0 Beta 6\uninstall\helper.exe
AddRemove-WinRAR archiver - c:\program files\WinRAR\uninstall.exe
AddRemove-Xilisoft DVD to iPod Converter - c:\program files\Xilisoft\DVD to iPod Converter 4\Uninstall.exe
AddRemove-YASA DVD to MP4 Converter v2.9 (build 044) - c:\progra~1\YASADV~1\UNWISE.EXE
AddRemove-YASA MP4 Video Converter v3.2 (build 0051) - c:\progra~1\YASAMP~1\UNWISE.EXE
AddRemove-BitTorrent - g:\files\BitTorrent\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-25 14:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.0 by Gmer, http://www.gmer.net
Windows 5.1.2600

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8705C446]<<
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8712BAB8]
2 ntkrnlpa[0x804EE130] -> CLASSPNP.SYS[0xF7679FD7] -> \Device\Harddisk0\DR0[0x8712BAB8]
3 CLASSPNP[0xF7679FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8700F138]
\Driver\viasraid[0x870206D8] -> IRP_MJ_CREATE -> 0x8705C446
4 ntkrnlpa[0x804EE130] -> UNKNOWN[0x8705C449] -> [0x8700F138]
error: Read \Device\Ide\IdePort0 The system cannot find the file specified.
kernel: MBR read successfully
detected hooks:
\Device\Scsi\viasraid1Port3Path0Target0Lun0 -> \??\SCSI#Disk&Ven_VIA_SATA&Prod__RAID_0&Rev_#4&17c50b7c&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
\Driver\Disk -> CLASSPNP.SYS @ 0xf767df28
\Driver\ACPI -> ACPI.sys @ 0xf74e0cb8
\Driver\atapi -> atapi.sys @ 0xf7480852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
  SecurityProcedure -> ntkrnlpa.exe @ 0x805791fa
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
  SecurityProcedure -> ntkrnlpa.exe @ 0x805791fa
NDIS: -> SendCompleteHandler -> 0x0
  PacketIndicateHandler -> 0x0
  SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(852)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2224)
c:\windows\system32\WININET.dll
c:\program files\Belkin\Nostromo\nost_FSH.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\System32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\WDBtnMgr.exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\windows\System32\nvsvc32.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\system32\wscntfy.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2010-10-25 14:11:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-25 21:10

Pre-Run: 168,726,827,008 bytes free
Post-Run: 168,598,908,928 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /fastdetect /NoExecute=OptIn

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 7774A791B92594870C329204C134A0B6
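The log above carries the settings the helper is about to script against: the Security Center override values, the disabled standard-profile firewall, three services whose driver files ComboFix could not find ("[?]"), a hex-encoded SearchMigratedDefaultURL and a Trusted Zone entry. The following is an added example, not a ComboFix or TechSpot tool, that pulls those same conditions out of a ComboFix-style log; its sample input is an excerpt of the log above, and the wording of the findings is the example's own.

```python
"""Flag weak host-security settings visible in a ComboFix log excerpt (added example)."""
import re
from typing import Dict, List, Union

# Constructed sample: lines excerpted from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

S2 tcaicchg;tcaicchg;\??\c:\windows\System32\tcaicchg.sys --> c:\windows\System32\tcaicchg.sys [?]
S2 TCAITDI;TCAITDI Protocol;c:\windows\system32\DRIVERS\TCAITDI.sys --> c:\windows\system32\DRIVERS\TCAITDI.sys [?]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [12/23/2008 7:17 PM 552448]
uSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
uSearchAssistant = About:Blank
Trusted Zone: aol.com\free
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<rest>.*)$')
DDS_RE = re.compile(r'^(?P<scope>[um])(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$')
TRUSTED_RE = re.compile(r'^Trusted Zone:\s*(?P<host>\S+)')


def parse_value(raw: str) -> Union[int, str]:
    """'dword:00000001' -> 1, '0 (0x0)' -> 0, anything else is returned as text."""
    raw = raw.strip()
    m = re.fullmatch(r'dword:([0-9a-fA-F]{8})', raw)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r'(\d+)\s*\(0x[0-9a-fA-F]+\)', raw)
    if m:
        return int(m.group(1))
    return raw


def parse_registry_blocks(text: str) -> Dict[str, Dict[str, Union[int, str]]]:
    """Group '"name"=value' lines under the [key] line that precedes them (keys lower-cased)."""
    blocks: Dict[str, Dict[str, Union[int, str]]] = {}
    current = None
    for line in text.splitlines():
        km = KEY_RE.match(line)
        if km:
            current = km.group('key').lower()
            blocks.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            blocks[current][vm.group('name')] = parse_value(vm.group('raw'))
    return blocks


def find_block(blocks: Dict[str, Dict[str, Union[int, str]]], suffix: str) -> Dict[str, Union[int, str]]:
    """ComboFix abbreviates hives (HKLM\\~\\...), so match on the tail of the key path."""
    for key, values in blocks.items():
        if key.endswith(suffix):
            return values
    return {}


def decode_migrated_url(hex_value: str) -> str:
    """SearchMigratedDefaultURL is stored hex-encoded; decode it before judging it."""
    return bytes.fromhex(hex_value).decode('ascii', errors='replace')


def audit(text: str) -> List[str]:
    """Return one human-readable finding per weak or unexplained setting."""
    findings: List[str] = []
    blocks = parse_registry_blocks(text)

    sc = find_block(blocks, r'\security center')
    for name in ('AntiVirusOverride', 'FirewallOverride'):
        if sc.get(name) == 1:
            findings.append(f'{name}=1: Security Center will not warn that AV/firewall is off')

    fw = find_block(blocks, r'\firewallpolicy\standardprofile')
    if fw.get('EnableFirewall') == 0:
        findings.append('EnableFirewall=0: Windows Firewall disabled in the standard profile')
    if fw.get('DisableNotifications') == 1:
        findings.append('DisableNotifications=1: blocked-program prompts silenced')

    for line in text.splitlines():
        sm = SERVICE_RE.match(line)
        if sm and sm.group('rest').rstrip().endswith('[?]'):
            # Registered to start (R running, S stopped) but the file could not be stat'ed:
            # a leftover from an uninstalled product, or a loader that removed itself.
            findings.append(f"service {sm.group('name')} ({sm.group('start')}): driver file missing, explain or remove")
            continue
        dm = DDS_RE.match(line)
        if dm and dm.group('name').strip().endswith('MigratedDefaultURL'):
            value = dm.group('value').strip()
            if re.fullmatch(r'(?:[0-9a-fA-F]{2})+', value):
                findings.append(f"{dm.group('scope')}{dm.group('name').strip()} decodes to {decode_migrated_url(value)}")
            continue
        tm = TRUSTED_RE.match(line)
        if tm:
            findings.append(f"Trusted Zone: {tm.group('host')} gets the relaxed Trusted-sites IE settings")
    return findings


if __name__ == '__main__':
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

On this log the decoded MigratedDefaultURL is a plain Google URL, so that finding is informational; the point is that the hex form hides what the value says until it is decoded. The "[?]" services are flagged as unexplained rather than malicious: the helper's next script removes them, but the same marker appears for any driver whose binary has been deleted.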
 
We have some housekeeping to do. First, you need to uninstall one of these two AV programs: Avast or McAfee. Multiple AV programs can make a system more vulnerable, not less. Here are tools to help with either:
McAfee Removal
Avast Removal
Reboot the computer after the uninstall.
========================================
To remove the Eset entries:
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Processes	
    :Files
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde16.zip
    C:\New Folder\acdsee_3_retail\CORE99.EXE
    C:\WINDOWS\system32\ajagebir.ini
    C:\WINDOWS\system32\ehihidav.ini
    C:\WINDOWS\system32\xrljfmos.ini
    G:\Files\acdsee_3_retail\CORE99.EXE
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
============================================
Open Spybot Search & Destroy and delete the contents of the quarantine folder.
===========================================
When finished, uninstall the following in Add/Remove Programs in the Control Panel:
HijackThis 1.99.1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 7
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java(TM) SE Runtime Environment 6 Update 1
Mozilla Firefox (3.0.10)

All of the above are out of date, and you do have the current, correct versions installed (except for HijackThis; I'll give you a link to run that later). These old versions also present a vulnerability.
=========================================
Run the following scan. It will produce a log; I need to see it.
Download CKScanner and save to your desktop.
  • Double click CKScanner.exe and click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
    in your next reply.
======================================


Download Bootkit Remover and save to your Desktop
  1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
  3. You will see a Black screen with some data on it.
  4. Right click on the screen and click Select All.
  5. Press CTRL+C to Copy
  6. Open a Notepad and press CTRL+V to Paste.
  7. Include the report in your next post.
Credits to Broni
=======================================
I will set up script for you to run through Combofix after I see these logs.
 
You can go ahead and run this script after you finish the previous instructions.

Please run this Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\MpEngineStore\MpKsl8e8849bf.sys
c:\windows\System32\tcaicchg.sys
c:\windows\system32\DRIVERS\TCAITDI.sys
DDS::
uSearch Page = About:Blank
uSearch Bar = About:Blank
uDefault_Search_URL = About:Blank
uSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
mSearch Bar = about:blank
mSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = About:Blank
mSearchURL = about:blank
mSearchAssistant = about:blank
BHO: {e3bb3f2a-8f67-4b96-a432-8190258c0fd1} - c:\windows\system32\rqRKEXnO.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRKEXnO
LSA: Notification Packages = scecli c:\windows\system32\kejajumo.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=-

Driver::
MpKsl8e8849bf
tcaicchg
TCAITDI
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
We have more to do.
 
Update

All processes killed
========== PROCESSES ==========
========== FILES ==========
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde16.zip moved successfully.
C:\New Folder\acdsee_3_retail\CORE99.EXE moved successfully.
File/Folder C:\WINDOWS\system32\ajagebir.ini not found.
File/Folder C:\WINDOWS\system32\ehihidav.ini not found.
File/Folder C:\WINDOWS\system32\xrljfmos.ini not found.
File/Folder G:\Files\acdsee_3_retail\CORE99.EXE not found.
========== COMMANDS ==========
C:\Documents and Settings\Tom\Application Data\?ystem32 folder moved successfully.

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Administrator.GAME-MACHINE
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 43529803 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 7473 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 41036445 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 6712 bytes

User: Tom
->Temp folder emptied: 4354228 bytes
->Temporary Internet Files folder emptied: 5591724 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 341308213 bytes
->Flash cache emptied: 14317 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2229291 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 418.00 mb


OTM by OldTimer - Version 3.1.17.1 log created on 10282010_133654

Files moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\tom\favorites\computer stuff\http--kickme.to-crackz182.url
c:\documents and settings\tom\favorites\computer stuff\seriall.com - serials, keys, keygen, cracks.url
c:\documents and settings\tom\favorites\test\favorites\misc\crack's smilies =).url
c:\documents and settings\tom\favorites\test\favorites\misc\mp3 sound - warez - appz - gamez - mp3z - hacking - serialz - crackz - ftpz.url
c:\documents and settings\tom\favorites\test\misc\best microbez appz - here you can download all !warez! !crackz! !full retail appz! !real direct download! !iso! !gamez!.url
c:\documents and settings\tom\favorites\test\misc\fast downloads - here you can see warez crackz serialz full appz gamez real direct download iso 1 file.url
scanner sequence 3.FN.11
----- EOF -----

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
ATA_Read(): DeviceIoControl() ERROR 1
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
223 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...

ComboFix 10-10-27.A3 - Tom 10/28/2010 15:03:44.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.735 [GMT -7:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tom\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\DRIVERS\TCAITDI.sys"
"c:\windows\system32\MpEngineStore\MpKsl8e88 49bf.sys"
"c:\windows\System32\tcaicchg.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk
c:\documents and settings\Tom\Application Data\Bitrix Security
c:\documents and settings\Tom\Application Data\Bitrix Security\cet.txt
c:\documents and settings\Tom\Application Data\Bitrix Security\lrtg.txt
c:\documents and settings\Tom\Application Data\Bitrix Security\mor.txt
c:\documents and settings\Tom\Application Data\Bitrix Security\mxd1.txt
c:\documents and settings\Tom\Application Data\Bitrix Security\podzce.dll
c:\documents and settings\Tom\Application Data\Bitrix Security\podzce_shrd
c:\documents and settings\Tom\Application Data\Bitrix Security\rgx.txt
c:\documents and settings\Tom\Application Data\Bitrix Security\uurn
c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MPKSL8E8849BF
-------\Legacy_TCAICCHG
-------\Legacy_TCAITDI
-------\Service_MpKsl8e8849bf
-------\Service_tcaicchg
-------\Service_TCAITDI


((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-28 )))))))))))))))))))))))))))))))
.

2010-10-28 20:36 . 2010-10-28 20:36 -------- d-----w- C:\_OTM
2010-10-28 20:22 . 2010-10-28 20:22 -------- d-sh--w- c:\documents and settings\Tom\IECompatCache
2010-10-25 18:48 . 2010-10-25 18:48 -------- d-----w- c:\program files\ESET
2010-10-24 12:30 . 2010-10-24 12:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-10-24 11:54 . 2010-10-24 11:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-10-15 05:40 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-15 05:40 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-15 05:39 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-04 18:50 . 2010-10-04 18:50 -------- d-----w- c:\program files\iTunes
2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2010-10-04 18:47 . 2010-10-04 18:48 -------- d-----w- c:\program files\QuickTime
2010-10-04 18:46 . 2010-10-04 18:46 -------- d-----w- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 19:23 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-18 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-18 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 11:50 . 2010-09-26 15:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 09:29 . 2007-04-19 04:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-10 05:58 . 2006-06-23 19:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2006-06-27 01:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2006-06-27 01:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 18:17 . 2010-09-08 18:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 18:17 . 2010-09-08 18:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-07 15:12 . 2010-06-30 06:13 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2010-06-01 01:32 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2010-06-01 01:32 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2010-06-01 01:32 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2010-06-01 01:32 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2010-06-01 01:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2010-06-01 01:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2010-06-01 01:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2010-06-01 01:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-02 15:21 . 2010-09-26 03:29 131072 ----a-w- c:\windows\system32\EKIJCOINST09.dll
2010-09-02 15:17 . 2010-09-26 03:29 196608 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EKIJ5000PPR.dll
2010-09-02 15:17 . 2010-09-26 03:29 421888 ----a-w- c:\windows\system32\EKIJ5000MON.dll
2010-09-01 11:51 . 2001-08-18 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2001-08-18 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2001-08-18 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2001-08-18 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2001-08-18 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-19 05:52 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2001-08-18 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2005-06-10 23:55 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-03-06 02:16 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 139264]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Red Swoosh"="c:\program files\RSSoft\RedSwoosh.exe" [2007-07-19 62436]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-10-29 4620288]
"nwiz"="nwiz.exe" [2004-10-29 921600]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-10-29 86016]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
"CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-25 868352]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-06-24 319488]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2005-05-19 101888]
"WD Button Manager"="WDBtnMgr.exe" [2007-09-24 364544]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless Networking Utility.lnk - c:\program files\Belkin\F5D8053v4\BelkinWCUI.exe [2009-1-12 1474560]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-12-30 303104]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRIxxXn]
[BU]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0sprestrt

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
TCAUDIAG.exe -on [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-31 00:45 313472 ----a-w- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery

R0 viasraid;viasraid;c:\windows\system32\drivers\VIASRAID.SYS [5/13/2010 5:35 AM 77056]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/31/2010 6:32 PM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/31/2010 6:32 PM 17744]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [9/13/2010 5:18 PM 308656]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [12/4/2004 10:17 AM 16168]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys --> c:\windows\system32\drivers\bcgame.sys [?]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt --> c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [?]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [12/23/2008 7:17 PM 552448]
.
Contents of the 'Scheduled Tasks' folder

2010-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchAssistant = About:Blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: microsoft.com\v4.windowsupdate
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www
.
- - - - ORPHANS REMOVED - - - -

BHO-{E3BB3F2A-8F67-4B96-A432-8190258C0FD1} - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_01\bin\jusched.exe
ActiveSetup-{CB92D056-5802-4D2E-A0FE-59E3F5EF3598} - c:\documents and settings\Tom\Application Data\Bitrix Security\podzce.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-28 15:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8705C446]<<
kernel: MBR read successfully
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(852)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3440)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\windows\system32\WDBtnMgr.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-10-28 15:23:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-28 22:23
ComboFix2.txt 2010-10-25 21:11

Pre-Run: 168,369,741,824 bytes free
Post-Run: 168,374,726,656 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - D7570FA0DF7E13D15E6ACE1E6A96948E
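Bootkit Remover reports four things for the disk above: the byte offset at which the C: volume starts (0x7e00), an MD5 of the boot sector, the disk size (223 GB) and whether the 446 bytes of boot code look like standard DOS/Win32 loader code. The example below, added here and not part of eSage Lab's tool or of this thread, parses a 512-byte MBR the same way: it checks the 0x55AA signature, walks the partition table, derives the volume offset from the active partition's LBA, and hashes the boot-code region so a later run can be compared against a known-clean baseline. The sample sector is constructed (stub boot code, one NTFS partition at LBA 63 sized to match the 223 GB disk above), and MS_BOOT_PREFIX is this example's assumption about the first opcodes of the Microsoft MBR loader, not something the log states.

```python
"""Parse and baseline a 512-byte MBR the way a bootkit check does (added example)."""
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR = 512
TABLE_OFFSET = 446                      # four 16-byte partition entries start here
ENTRY = struct.Struct('<B3sB3sII')      # status, CHS start, type, CHS end, LBA start, sector count

# Assumption for this example: the Microsoft MBR loader begins with
# xor ax,ax / mov ss,ax / mov sp,7C00h. A real tool compares the whole
# 446-byte region against known-good hashes rather than a prefix.
MS_BOOT_PREFIX = bytes.fromhex('33c08ed0bc007c')


def build_sample_mbr() -> bytes:
    """Constructed sample: stub loader plus one active NTFS partition at LBA 63
    (63 * 512 = 0x7e00, the offset reported above) of 468,860,928 sectors,
    which is about 223 GiB. The boot code is padding, not a real loader."""
    boot_code = (MS_BOOT_PREFIX + b'\xf4').ljust(TABLE_OFFSET, b'\x00')   # prefix, hlt, zero fill
    active_ntfs = ENTRY.pack(0x80, b'\x01\x01\x00', 0x07, b'\xfe\xff\xff', 63, 468860928)
    table = active_ntfs + bytes(16) * 3
    return boot_code + table + b'\x55\xaa'


def parse_mbr(mbr: bytes) -> Dict:
    """Signature check, boot-code heuristics and hashes, and the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError(f'expected {SECTOR} bytes, got {len(mbr)}')
    partitions: List[Dict] = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba_start, count = ENTRY.unpack_from(mbr, TABLE_OFFSET + i * ENTRY.size)
        if ptype == 0:                      # empty slot
            continue
        partitions.append({
            'index': i,
            'active': status == 0x80,
            'type': ptype,
            'lba_start': lba_start,
            'sectors': count,
            'byte_offset': lba_start * SECTOR,
            'size_gib': (count * SECTOR) // 2 ** 30,
        })
    return {
        'signature_ok': mbr[510:512] == b'\x55\xaa',
        'ms_boot_code': mbr.startswith(MS_BOOT_PREFIX),
        'boot_code_md5': hashlib.md5(mbr[:TABLE_OFFSET]).hexdigest(),
        'sector_md5': hashlib.md5(mbr).hexdigest(),
        'partitions': partitions,
    }


def system_volume_offset(mbr: bytes) -> Optional[int]:
    """Byte offset of the active partition, the 'at offset' value in the report above."""
    for p in parse_mbr(mbr)['partitions']:
        if p['active']:
            return p['byte_offset']
    return None


def boot_code_changed(mbr: bytes, baseline_md5: str) -> bool:
    """Compare the boot-code hash with one recorded on a known-clean day. A bootkit
    that rewrites the loader changes this hash while the partition table, and so
    the installed OS, still look normal; the sector MD5 moves with either change."""
    return parse_mbr(mbr)['boot_code_md5'] != baseline_md5


if __name__ == '__main__':
    sector = build_sample_mbr()
    info = parse_mbr(sector)
    print('signature ok:', info['signature_ok'], 'boot code md5:', info['boot_code_md5'])
    print('system volume at offset', hex(system_volume_offset(sector)),
          'size', info['partitions'][0]['size_gib'], 'GiB')
```

Record boot_code_md5 when the machine is known clean and compare on later runs; a changed hash with an unchanged partition table is the signal the MBR tools in this thread are looking for. The ATA_Read() error in the report above means the tool could not read the disk through the ATA pass-through path (this machine is behind a VIA RAID driver), so its verdict rests on the normal read path only.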
 
Okay. Now I need you to run HijackThis so I can see how this is coming up: SearchAssistant = About:Blank

Download the HijackThis Installer and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
===============================================
Please run this Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\drivers\bcgame.sys
c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]

Driver::
bcgame
EverestDriver
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
====================
When we're finished, you will need to update the Adobe Reader: Visit this Adobe Reader site and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
 
Update

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:50:32 PM, on 11/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\RSSoft\RedSwoosh.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\F5D8053v4\BelkinWCUI.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = About:Blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = About:Blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E3BB3F2A-8F67-4B96-A432-8190258C0FD1} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Red Swoosh] C:\Program Files\RSSoft\RedSwoosh.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Belkin Wireless Networking Utility.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...ehicles/2005/prius/key_features/pc/index.html
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O20 - Winlogon Notify: rqRIxxXn - Invalid registry found
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 9453 bytes

ComboFix 10-10-27.A3 - Tom 11/01/2010 17:55:01.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.727 [GMT -7:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tom\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: The Shield Deluxe Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

FILE ::
"c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"
"c:\windows\system32\drivers\bcgame.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EVERESTDRIVER
-------\Service_bcgame
-------\Service_EverestDriver


((((((((((((((((((((((((( Files Created from 2010-10-02 to 2010-11-02 )))))))))))))))))))))))))))))))
.

2010-11-01 19:49 . 2010-11-01 19:49 388096 ----a-r- c:\documents and settings\Tom\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-01 19:49 . 2010-11-01 19:49 -------- d-----w- c:\program files\Trend Micro
2010-10-28 20:36 . 2010-10-28 20:36 -------- d-----w- C:\_OTM
2010-10-28 20:22 . 2010-10-28 20:22 -------- d-sh--w- c:\documents and settings\Tom\IECompatCache
2010-10-25 18:48 . 2010-10-25 18:48 -------- d-----w- c:\program files\ESET
2010-10-24 12:30 . 2010-10-24 12:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-10-24 11:54 . 2010-10-24 11:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-10-15 05:40 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-15 05:40 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-15 05:39 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-04 18:50 . 2010-10-04 18:50 -------- d-----w- c:\program files\iTunes
2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2010-10-04 18:48 . 2010-10-04 18:48 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2010-10-04 18:47 . 2010-10-04 18:48 -------- d-----w- c:\program files\QuickTime
2010-10-04 18:46 . 2010-10-04 18:46 -------- d-----w- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 19:23 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-18 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-18 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 11:50 . 2010-09-26 15:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 09:29 . 2007-04-19 04:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-10 05:58 . 2006-06-23 19:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2006-06-27 01:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2006-06-27 01:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 18:17 . 2010-09-08 18:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 18:17 . 2010-09-08 18:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-07 15:12 . 2010-06-30 06:13 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2010-06-01 01:32 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2010-06-01 01:32 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2010-06-01 01:32 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2010-06-01 01:32 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2010-06-01 01:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2010-06-01 01:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2010-06-01 01:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2010-06-01 01:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-02 15:21 . 2010-09-26 03:29 131072 ----a-w- c:\windows\system32\EKIJCOINST09.dll
2010-09-02 15:17 . 2010-09-26 03:29 196608 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EKIJ5000PPR.dll
2010-09-02 15:17 . 2010-09-26 03:29 421888 ----a-w- c:\windows\system32\EKIJ5000MON.dll
2010-09-01 11:51 . 2001-08-18 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2001-08-18 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2001-08-18 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2001-08-18 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2001-08-18 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-19 05:52 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2001-08-18 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2005-06-10 23:55 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-03-06 02:16 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 139264]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Red Swoosh"="c:\program files\RSSoft\RedSwoosh.exe" [2007-07-19 62436]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-10-29 4620288]
"nwiz"="nwiz.exe" [2004-10-29 921600]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-10-29 86016]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
"CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-25 868352]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-06-24 319488]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2005-05-19 101888]
"WD Button Manager"="WDBtnMgr.exe" [2007-09-24 364544]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

c:\documents and settings\Tom\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless Networking Utility.lnk - c:\program files\Belkin\F5D8053v4\BelkinWCUI.exe [2009-1-12 1474560]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-12-30 303104]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRIxxXn]
[BU]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0sprestrt

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
TCAUDIAG.exe -on [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-31 00:45 313472 ----a-w- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery

R0 viasraid;viasraid;c:\windows\system32\drivers\VIASRAID.SYS [5/13/2010 5:35 AM 77056]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/31/2010 6:32 PM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/31/2010 6:32 PM 17744]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [9/13/2010 5:18 PM 308656]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [12/4/2004 10:17 AM 16168]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [12/23/2008 7:17 PM 552448]
.
Contents of the 'Scheduled Tasks' folder

2010-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchAssistant = About:Blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: microsoft.com\v4.windowsupdate
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www
.
- - - - ORPHANS REMOVED - - - -

BHO-{E3BB3F2A-8F67-4B96-A432-8190258C0FD1} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-01 18:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8705D446]<<
kernel: MBR read successfully
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(852)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1988)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\WDBtnMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\System32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2010-11-01 18:18:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-02 01:18
ComboFix2.txt 2010-10-28 22:24
ComboFix3.txt 2010-10-25 21:11

Pre-Run: 166,740,090,880 bytes free
Post-Run: 167,640,354,816 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 51DFF10F66C69A0712B06ACF275F48D8
 
You are very patient! The thread turned the age and I didn't, sorry.
Before I forget, next time you open Notepad, please click on Format> Uncheck 'Word Wrap.' That will make it much easier for you to paste and for me to read the logs.

The CK scan shows several entries for pirated data:
c:\documents and settings\tom\favorites\computer stuff\http--kickme.to-crackz182.url
c:\documents and settings\tom\favorites\computer stuff\seriall.com - serials, keys, keygen, cracks.url
c:\documents and settings\tom\favorites\test\favorites\misc\crack's smilies =).url
c:\documents and settings\tom\favorites\test\favorites\misc\mp3 sound - warez - appz - gamez - mp3z - hacking - serialz - crackz - ftpz.url
c:\documents and settings\tom\favorites\test\misc\best microbez appz - here you can download all !warez! !crackz! !full retail appz! !real direct download! !iso! !gamez!.url
c:\documents and settings\tom\favorites\test\misc\fast downloads - here you can see warez crackz serialz full appz gamez real direct download iso 1 file.url
scanner sequence 3.FN.11

Cracks and keygens are used to activate a program using a license key or activation code in order to get a program without paying for it.

Please remove all of the entries above if you want continued support. Reboot the computer when finished, then repeat the CK Scan.
=============================================
Please go to Jotti's malware scan
(If more than one file needs to be scanned they must be done separately and links posted for each one)
  • Copy the file path(s) in the Code box below:
  • At the upload site, click once inside the window next to Browse.
  • Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    Code:
    c:\windows\system32\rqRKEXnO.dll
    c:\windows\system32\kejajumo.dll
  • Next click Submit file
  • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
  • This will perform a scan across multiple different virus scanning engines.
  • Important: Wait for all of the scanning engines to complete.
  • Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
==============================================
Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = About:Blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = About:Blank
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN (See Note 1)
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS.../pc/index.html
O20 - Winlogon Notify: rqRIxxXn - Invalid registry found


Close all Windows except HijackThis and click on "Fix Checked."

Note 1: RegShave:
Part of the USB driver for your Fuji digital cameras - used when uninstalling the USB drivers, erasing all entries from the registry. Only required BEFORE attempting to uninstall the Fuji software or the uninstall may not work correctly
=======================================
You will need to update the Adobe Reader to v9.xx when we are finished: Visit this Adobe Reader site. Uninstall any earlier updates as they are vulnerabilities.

I have a script written for you to run through Combofix. After I see the logs from the above scans, I will know if I need to include any other entries.
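As an added example (not code from this thread, and not HijackThis's own logic): a small Python filter that parses HijackThis log lines and flags the same kinds of entries the helper marked for "Fix Checked" above. The sample log is constructed from lines posted in this thread, and the flagging rules are assumptions drawn from the entries called out here (About:Blank search settings, "(no file)" BHO orphans, the invalid Winlogon Notify entry, and O16 ActiveX downloads to review).

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class HjtEntry(NamedTuple):
    section: str  # e.g. "R1", "O2", "O20"
    body: str     # everything after the "R1 - " prefix


# HijackThis entry lines look like "R1 - <body>", "O20 - <body>", etc.
# Sections are R0-R3, F0-F3, N1-N4 and O1-O24; anything else is header text.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Return the R/F/N/O entries from a HijackThis log, skipping headers and process lists."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(HjtEntry(m.group("section"), m.group("body")))
    return entries


def classify(entry: HjtEntry) -> Optional[str]:
    """Return a reason string if the entry matches one of the (assumed) flagging rules, else None."""
    section, body = entry
    if section in ("R0", "R1") and body.rstrip().lower().endswith("= about:blank"):
        return "browser search/start setting reset to About:Blank (hijack residue)"
    if section == "O2" and body.rstrip().endswith("(no file)"):
        return "BHO registration whose DLL no longer exists (orphan)"
    if section == "O20" and "Invalid registry found" in body:
        return "Winlogon Notify entry pointing at a missing DLL"
    if section == "O16":
        return "ActiveX download (DPF) entry; review the source site"
    return None


def flag_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, body, reason) for every entry a rule matches, in log order."""
    flagged = []
    for entry in parse_hjt_log(text):
        reason = classify(entry)
        if reason is not None:
            flagged.append((entry.section, entry.body, reason))
    return flagged


def fix_list(text: str) -> List[str]:
    """Rebuild the flagged entries as full HijackThis lines, i.e. the list to tick under 'Fix Checked'."""
    return [f"{section} - {body}" for section, body, _ in flag_entries(text)]


# Constructed sample: a handful of lines copied from the logs in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = About:Blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = About:Blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E3BB3F2A-8F67-4B96-A432-8190258C0FD1} - (no file)
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O20 - Winlogon Notify: rqRIxxXn - Invalid registry found
"""

if __name__ == "__main__":
    for section, body, reason in flag_entries(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {body}")
```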
 
NP, very patient. Appreciate the help.

Wordwrap not checked.

Old bookmarks deleted.

Jotti's didn't work. Couldn't paste anything, either ctrl-v or right click. Looked up files manually, they weren't there.

Uninstalled Adobe Reader v7, haven't installed v9 yet.

Logs:

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11
----- EOF -----

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:56:18 AM, on 11/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\RSSoft\RedSwoosh.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\F5D8053v4\BelkinWCUI.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E3BB3F2A-8F67-4B96-A432-8190258C0FD1} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Red Swoosh] C:\Program Files\RSSoft\RedSwoosh.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Belkin Wireless Networking Utility.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 8697 bytes
 
Try these again please- I should have put them in a Quote box, not a Code box. If nothing comes up with Jotti, try this:
Please go to VirSCAN.org FREE on-line scan service:
If busy, you can use one of the following: ( you only need one)
VirusTotal
Jotti

  1. Copy and paste the following file path into the Suspicious files to scan box on the top of the page- remember, only select one at a time:
     c:\windows\system32\rqRKEXnO.dll
     c:\windows\system32\kejajumo.dll
  2. At the upload site, click once inside the window next to Browse.
  3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
  4. Click on the Upload button.
     This will perform a scan across multiple different virus scanning engines.
     Your file will possibly be entered into a queue which normally takes less than a minute to clear.
     Important: Wait for all of the scanning engines to complete.
  5. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
  6. Paste the contents of the Clipboard in your next reply.
 
Tried them all. Unable to paste anything in the submit box on any of them. Tried manually browsing for the files and they are not there.

Could be part of the virus I guess. Can't make posts to message boards either. Have to do this from a different computer.
 
Windows Updates can wait. Is this the only site you can't post to? Do you access it?
 
Turned off Windows Update; it seemed to keep crashing the computer when it tried to check on its own.

I can see the message board, but when I hit the submit button I get an error page that says no network connection. Pretty sure it happens anywhere there is a submit button.

Doesn't let me send emails from Hotmail either. Soon after I tried, my account was locked, same with my Gmail account. Reset passwords and not accessing anything that uses a password on that computer.

The longer I leave it on, the more Avast pops up with virus alerts, always a svchost file. Oh, and at some point something crashes and I lose sound.

I can start writing down the errors if you want.
 
Please run this Custom CFScript

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\program files\lavalys\everest ultimate edition\kerneld.wnt
Folder::
c:\docume~1\alluse~1\applic~1\McAfee Security Scan
c:\program files\McAfee Security Scan

DDS::
uSearch Page = About:Blank
uSearch Bar = About:Blank
uDefault_Search_URL = About:Blank
uSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
mSearch Bar = about:blank
mSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = About:Blank
mSearchURL = about:blank
mSearchAssistant = about:blank
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxps://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&6&04.00.08.43&unknown&unknown&http://www.toyota.com/vehicles/2005/.../pc/index.html

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRIxxXn] 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRIxxXn]
[BU]
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
In Errors: Are you using the following?
10/22/2010 9:33:41 PM, The TCAITDI Protocol service failed to start due to the following error: The system cannot find the file specified.
TCAICCHG.SYS Related to TCAICCHG.SYS 3Com Windows NT NIC Diagnostic Memory/Port Access Driver.
10/22/2010 9:33:41 PM, The tcaicchg service failed to start due to the following error: The system cannot find the file specified.
10/22/2010 9:33:41 PM, The PfModNT service failed to start due to the following error: The system cannot find the file specified. >> Related to PfModNT.sys PCI/ISA Device Info. Service from Creative Technology
10/22/2010 9:33:10 PM, error: iviVD [9] - The device, \Device\Scsi\iviVD1, did not respond within the timeout period. >>> virtual drive that AUTOMATICALLY gets installed with InterVideo Copy DVD 4
 
Reopened at member's request.

Please provide description of continuing problems.
Also new scan with Combofix.

And Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Note: We close these threads if there has not been a reply for 5 days. This is both to prevent others from posting on the thread and also because earlier logs may be out of date.
 
Logs

Thanks

No real changes since the beginning, except now Avast catches something called taskcgr.exe. Also noticed after about an hour I lose audio through Windows Media Player.

On the errors you mentioned in the previous post, no programs I'm using/need.

Logs:

ComboFix 10-11-18.03 - Tom 11/18/2010 20:11:49.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.420 [GMT -8:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: The Shield Deluxe Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\lsp21.dll

.
((((((((((((((((((((((((( Files Created from 2010-10-19 to 2010-11-19 )))))))))))))))))))))))))))))))
.

2010-11-19 04:11 . 2010-11-19 04:11 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-11-19 04:11 . 2010-11-19 04:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-11-12 07:05 . 2010-11-12 07:05 0 ----a-w- c:\windows\system32\lsp21.tmp
2010-11-03 05:07 . 2010-11-03 05:07 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\Mozilla Corporation
2010-11-01 19:49 . 2010-11-01 19:49 388096 ----a-r- c:\documents and settings\Tom\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-01 19:49 . 2010-11-01 19:49 -------- d-----w- c:\program files\Trend Micro
2010-10-28 20:36 . 2010-10-28 20:36 -------- d-----w- C:\_OTM
2010-10-28 20:22 . 2010-10-28 20:22 -------- d-sh--w- c:\documents and settings\Tom\IECompatCache
2010-10-25 18:48 . 2010-10-25 18:48 -------- d-----w- c:\program files\ESET
2010-10-24 12:30 . 2010-10-24 12:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-10-24 11:54 . 2010-11-02 01:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 19:23 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-18 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-18 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 11:50 . 2010-09-26 15:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 09:29 . 2007-04-19 04:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-10 05:58 . 2006-06-23 19:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2006-06-27 01:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2006-06-27 01:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 18:17 . 2010-09-08 18:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 18:17 . 2010-09-08 18:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-07 15:12 . 2010-06-30 06:13 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2010-06-01 01:32 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2010-06-01 01:32 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2010-06-01 01:32 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2010-06-01 01:32 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2010-06-01 01:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2010-06-01 01:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2010-06-01 01:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2010-06-01 01:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-02 15:21 . 2010-09-26 03:29 131072 ----a-w- c:\windows\system32\EKIJCOINST09.dll
2010-09-02 15:17 . 2010-09-26 03:29 196608 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EKIJ5000PPR.dll
2010-09-02 15:17 . 2010-09-26 03:29 421888 ----a-w- c:\windows\system32\EKIJ5000MON.dll
2010-09-01 11:51 . 2001-08-18 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2001-08-18 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2001-08-18 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2001-08-18 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2001-08-18 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-19 05:52 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2001-08-18 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 139264]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Red Swoosh"="c:\program files\RSSoft\RedSwoosh.exe" [2007-07-19 62436]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-10-29 4620288]
"nwiz"="nwiz.exe" [2004-10-29 921600]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-10-29 86016]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
"CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-25 868352]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-06-24 319488]
"DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2005-05-19 101888]
"WD Button Manager"="WDBtnMgr.exe" [2007-09-24 364544]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless Networking Utility.lnk - c:\program files\Belkin\F5D8053v4\BelkinWCUI.exe [2009-1-12 1474560]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-12-30 303104]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRIxxXn]
[BU]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0sprestrt

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
TCAUDIAG.exe -on [X]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery

R0 viasraid;viasraid;c:\windows\system32\drivers\VIASRAID.SYS [5/13/2010 4:35 AM 77056]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/31/2010 5:32 PM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/31/2010 5:32 PM 17744]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [9/13/2010 4:18 PM 308656]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [12/4/2004 9:17 AM 16168]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [12/23/2008 6:17 PM 552448]
.
Contents of the 'Scheduled Tasks' folder

2010-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: microsoft.com\v4.windowsupdate
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www
.
- - - - ORPHANS REMOVED - - - -

BHO-{E3BB3F2A-8F67-4B96-A432-8190258C0FD1} - (no file)
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-18 20:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: VIA_SATA rev.____ -> Harddisk0\DR0 -> \Device\Scsi\viasraid1

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8705D446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x87063504]; MOV EAX, [0x87063580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8712BAB8]
3 CLASSPNP[0xF7640FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8700C678]
\Driver\viasraid[0x87053560] -> IRP_MJ_CREATE -> 0x8705D446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Scsi\viasraid1Port3Path0Target0Lun0 -> \??\SCSI#Disk&Ven_VIA_SATA&Prod__RAID_0&Rev_#4&17c50b7c&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(852)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(4012)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\WDBtnMgr.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2010-11-18 20:33:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-19 04:33
ComboFix2.txt 2010-11-02 01:18
ComboFix3.txt 2010-10-28 22:24
ComboFix4.txt 2010-10-25 21:11

Pre-Run: 166,402,981,888 bytes free
Post-Run: 167,253,151,744 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 4ECD232065445E642D7162C1931F9978

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=cd05b446a638da4ea8ee7160551946f8
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-25 07:47:10
# local_time=2010-10-25 12:47:10 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 15384598 15384598 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=166279
# found=6
# cleaned=0
# scan_time=3061
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde16.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\New Folder\acdsee_3_retail\CORE99.EXE a variant of Win32/Packed.PECrypt32.A application 00000000000000000000000000000000 I
C:\WINDOWS\system32\ajagebir.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\WINDOWS\system32\ehihidav.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\WINDOWS\system32\xrljfmos.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
G:\Files\acdsee_3_retail\CORE99.EXE a variant of Win32/Packed.PECrypt32.A application 00000000000000000000000000000000 I
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=cd05b446a638da4ea8ee7160551946f8
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-19 05:22:27
# local_time=2010-11-18 09:22:27 (-0800, Pacific Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 1414144 1414144 0 0
# compatibility_mode=768 16777215 100 0 17493146 17493146 0 0
# compatibility_mode=8192 67108863 100 0 2022601 2022601 0 0
# scanned=80649
# found=13
# cleaned=0
# scan_time=2631
C:\Qoobox\Quarantine\C\Documents and Settings\Tom\Application Data\Bitrix Security\podzce.dll.vir Win32/AutoRun.Spy.Ambler.CE worm 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ajagebir.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\ehihidav.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\lsp21.dll.vir Win32/TrojanClicker.Agent.NMF trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\xrljfmos.ini.vir Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4D144980-39AB-4148-9EEB-A6415203F250}\RP1337\A0153618.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4D144980-39AB-4148-9EEB-A6415203F250}\RP1337\A0153619.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4D144980-39AB-4148-9EEB-A6415203F250}\RP1337\A0153620.ini Win32/Adware.Virtumonde.NEO application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4D144980-39AB-4148-9EEB-A6415203F250}\RP1345\A0156930.dll Win32/AutoRun.Spy.Ambler.CE worm 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4D144980-39AB-4148-9EEB-A6415203F250}\RP1349\A0172934.exe Win32/TrojanClicker.Agent.NME trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{4D144980-39AB-4148-9EEB-A6415203F250}\RP1350\A0173137.dll Win32/TrojanClicker.Agent.NMF trojan 00000000000000000000000000000000 I
C:\_OTM\MovedFiles\10282010_133654\C_Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde16.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\_OTM\MovedFiles\10282010_133654\C_New Folder\acdsee_3_retail\CORE99.EXE a variant of Win32/Packed.PECrypt32.A application 00000000000000000000000000000000 I
 
No real changes since the beginning, except now Avast catches something called taskcgr.exe. Also noticed after about an hour I lose audio through Windows Media Player.
Let's get together here. You started this 3 weeks ago. I helped you through several scans, including setting up removals for the Eset entries and multiple scripts to run through Combofix. You left the thread and I closed it after 5 days of no reply.

The Eset scan shows no new infections. Did you run the last script I left?
============================================
  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double click on TDSSKiller.exe to run the scan.
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result.
  • A reboot is required after disinfection.
 
Logs

Possibly Avast updated and it's something it now catches? Or I just didn't notice it. I get a lot of virus messages and things crashing. Have been keeping a list now. Avast also catches a lot of svchost.exe and I get a popup for "Generic Host Process for Win32 Services" shutting down.

Ran the script but it didn't post a log after the computer restarted. Mentioned that when I messaged you, but I understand you are helping a lot of people and just missed it because it's not in this thread. Just ran it again and the log follows, along with the TDSSKiller log.

ComboFix 10-11-20.03 - Tom 11/20/2010 17:34:07.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.412 [GMT -8:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tom\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: The Shield Deluxe Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

FILE ::
"c:\program files\lavalys\everest ultimate edition\kerneld.wnt"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\regshave\REGSHAVE.EXE

.
((((((((((((((((((((((((( Files Created from 2010-10-21 to 2010-11-21 )))))))))))))))))))))))))))))))
.

2010-11-19 04:11 . 2010-11-19 04:11 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-11-19 04:11 . 2010-11-19 04:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-11-12 07:05 . 2010-11-12 07:05 0 ----a-w- c:\windows\system32\lsp21.tmp
2010-11-03 05:07 . 2010-11-03 05:07 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\Mozilla Corporation
2010-11-01 19:49 . 2010-11-01 19:49 388096 ----a-r- c:\documents and settings\Tom\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-01 19:49 . 2010-11-01 19:49 -------- d-----w- c:\program files\Trend Micro
2010-10-28 20:36 . 2010-10-28 20:36 -------- d-----w- C:\_OTM
2010-10-28 20:22 . 2010-10-28 20:22 -------- d-sh--w- c:\documents and settings\Tom\IECompatCache
2010-10-25 18:48 . 2010-10-25 18:48 -------- d-----w- c:\program files\ESET
2010-10-24 12:30 . 2010-10-24 12:30 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-10-24 11:54 . 2010-11-02 01:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 19:23 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-18 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-18 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 11:50 . 2010-09-26 15:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 09:29 . 2007-04-19 04:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-10 05:58 . 2006-06-23 19:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2006-06-27 01:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2006-06-27 01:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 18:17 . 2010-09-08 18:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 18:17 . 2010-09-08 18:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-07 15:12 . 2010-06-30 06:13 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2010-06-01 01:32 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2010-06-01 01:32 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2010-06-01 01:32 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2010-06-01 01:32 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2010-06-01 01:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2010-06-01 01:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2010-06-01 01:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2010-06-01 01:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-02 15:21 . 2010-09-26 03:29 131072 ----a-w- c:\windows\system32\EKIJCOINST09.dll
2010-09-02 15:17 . 2010-09-26 03:29 196608 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EKIJ5000PPR.dll
2010-09-02 15:17 . 2010-09-26 03:29 421888 ----a-w- c:\windows\system32\EKIJ5000MON.dll
2010-09-01 11:51 . 2001-08-18 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2001-08-18 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2001-08-18 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2001-08-18 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2001-08-18 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-19 05:52 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2001-08-18 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-10-25_21.06.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-21 01:17 . 2010-11-21 01:17 16384 c:\windows\Temp\Perflib_Perfdata_bb0.dat
+ 2001-08-18 12:00 . 2010-11-08 06:57 72446 c:\windows\system32\perfc009.dat
- 2001-08-18 12:00 . 2010-10-08 06:28 72446 c:\windows\system32\perfc009.dat
+ 2001-08-18 12:00 . 2010-11-08 06:57 443942 c:\windows\system32\perfh009.dat
- 2001-08-18 12:00 . 2010-10-08 06:28 443942 c:\windows\system32\perfh009.dat
+ 2010-11-01 19:49 . 2010-11-01 19:49 1094656 c:\windows\Installer\9aa12.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-10-08 139264]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Red Swoosh"="c:\program files\RSSoft\RedSwoosh.exe" [2007-07-19 62436]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-10-29 4620288]
"nwiz"="nwiz.exe" [2004-10-29 921600]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-10-29 86016]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
"CTHelper"="CTHELPER.EXE" [2007-04-09 19456]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-25 868352]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-06-24 319488]
"DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2005-05-19 101888]
"WD Button Manager"="WDBtnMgr.exe" [2007-09-24 364544]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

c:\documents and settings\Tom\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless Networking Utility.lnk - c:\program files\Belkin\F5D8053v4\BelkinWCUI.exe [2009-1-12 1474560]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-12-30 303104]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRIxxXn]
[BU]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0sprestrt

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
TCAUDIAG.exe -on [X]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery

R0 viasraid;viasraid;c:\windows\system32\drivers\VIASRAID.SYS [5/13/2010 4:35 AM 77056]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/31/2010 5:32 PM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/31/2010 5:32 PM 17744]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [9/13/2010 4:18 PM 308656]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [12/4/2004 9:17 AM 16168]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [12/23/2008 6:17 PM 552448]
.
Contents of the 'Scheduled Tasks' folder

2010-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: microsoft.com\v4.windowsupdate
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www
.
- - - - ORPHANS REMOVED - - - -

BHO-{E3BB3F2A-8F67-4B96-A432-8190258C0FD1} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-20 17:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: VIA_SATA rev.____ -> Harddisk0\DR0 -> \Device\Scsi\viasraid1

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8705D446]<<
c:\docume~1\Tom\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x87063504]; MOV EAX, [0x87063580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8712BAB8]
3 CLASSPNP[0xF7640FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x86FCF928]
\Driver\viasraid[0x87053560] -> IRP_MJ_CREATE -> 0x8705D446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Scsi\viasraid1Port3Path0Target0Lun0 -> \??\SCSI#Disk&Ven_VIA_SATA&Prod__RAID_0&Rev_#4&17c50b7c&0&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(852)
c:\windows\system32\WININET.dll
.
Completion time: 2010-11-20 17:49:41
ComboFix-quarantined-files.txt 2010-11-21 01:49
ComboFix2.txt 2010-11-19 04:33
ComboFix3.txt 2010-11-02 01:18
ComboFix4.txt 2010-10-28 22:24
ComboFix5.txt 2010-11-21 01:29

Pre-Run: 166,796,300,288 bytes free
Post-Run: 167,066,992,640 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - D87FEE5C3CDB25E42DF5ECA83A277AD6

2010/11/20 17:54:20.0750 TDSS rootkit removing tool 2.4.8.0 Nov 17 2010 07:23:12
2010/11/20 17:54:20.0750 ================================================================================
2010/11/20 17:54:20.0750 SystemInfo:
2010/11/20 17:54:20.0750
2010/11/20 17:54:20.0750 OS Version: 5.1.2600 ServicePack: 3.0
2010/11/20 17:54:20.0765 Product type: Workstation
2010/11/20 17:54:20.0765 ComputerName: GAME-MACHINE
2010/11/20 17:54:20.0765 UserName: Tom
2010/11/20 17:54:20.0765 Windows directory: C:\WINDOWS
2010/11/20 17:54:20.0765 System windows directory: C:\WINDOWS
2010/11/20 17:54:20.0765 Processor architecture: Intel x86
2010/11/20 17:54:20.0765 Number of processors: 1
2010/11/20 17:54:20.0765 Page size: 0x1000
2010/11/20 17:54:20.0765 Boot type: Normal boot
2010/11/20 17:54:20.0765 ================================================================================
2010/11/20 17:54:20.0984 Initialize success
2010/11/20 17:54:26.0078 ================================================================================
2010/11/20 17:54:26.0078 Scan started
2010/11/20 17:54:26.0078 Mode: Manual;
2010/11/20 17:54:26.0078 ================================================================================
2010/11/20 17:54:26.0593 Aavmker4 (8d488938e2f7048906f1fbd3af394887) C:\WINDOWS\system32\drivers\Aavmker4.sys
2010/11/20 17:54:26.0859 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/20 17:54:26.0921 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/11/20 17:54:27.0109 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/11/20 17:54:27.0187 AegisP (023867b6606fbabcdd52e089c4a507da) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2010/11/20 17:54:27.0265 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/11/20 17:54:27.0703 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/11/20 17:54:27.0937 Aspi32 (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\system32\drivers\aspi32.sys
2010/11/20 17:54:28.0046 aswFsBlk (a0d86b8ac93ef95620420c7a24ac5344) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2010/11/20 17:54:28.0125 aswMon2 (7d880c76a285a41284d862e2d798ec0d) C:\WINDOWS\system32\drivers\aswMon2.sys
2010/11/20 17:54:28.0218 aswRdr (69823954bbd461a73d69774928c9737e) C:\WINDOWS\system32\drivers\aswRdr.sys
2010/11/20 17:54:28.0296 aswSP (7ecc2776638b04553f9a85bd684c3abf) C:\WINDOWS\system32\drivers\aswSP.sys
2010/11/20 17:54:28.0359 aswTdi (095ed820a926aa8189180b305e1bcfc9) C:\WINDOWS\system32\drivers\aswTdi.sys
2010/11/20 17:54:28.0406 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/11/20 17:54:28.0515 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/11/20 17:54:28.0640 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/11/20 17:54:28.0734 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/11/20 17:54:28.0843 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/11/20 17:54:28.0953 Bridge (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
2010/11/20 17:54:28.0968 BridgeMP (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
2010/11/20 17:54:29.0234 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/20 17:54:29.0359 CdaD10BA (841cefab8228ee691705d059e7f21c47) C:\WINDOWS\System32\drivers\CdaD10BA.SYS
2010/11/20 17:54:29.0437 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/11/20 17:54:29.0500 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/11/20 17:54:29.0562 Cdr4_xp (cedcbeee331deffe6999b6b4162e2246) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
2010/11/20 17:54:29.0671 Cdralw2k (38b2f2439213fd5095f654afded23457) C:\WINDOWS\system32\drivers\Cdralw2k.sys
2010/11/20 17:54:29.0718 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/11/20 17:54:29.0781 cdudf_xp (294f75a9f2c3317c61f5e51325e9976c) C:\WINDOWS\system32\drivers\cdudf_xp.sys
2010/11/20 17:54:30.0000 COMMONFX.DLL (1ef05b641e9a67ded74ac8ad40055dbf) C:\WINDOWS\system32\COMMONFX.DLL
2010/11/20 17:54:30.0156 CT20XUT.DLL (6191a973461852a09d643609e1d5f7c6) C:\WINDOWS\system32\CT20XUT.DLL
2010/11/20 17:54:30.0250 ctac32k (8ac5f77e30e37d2d11bd99eff0c53d8c) C:\WINDOWS\system32\drivers\ctac32k.sys
2010/11/20 17:54:30.0343 ctaud2k (673241d314e932f4890509ae8ebf26db) C:\WINDOWS\system32\drivers\ctaud2k.sys
2010/11/20 17:54:30.0437 CTAUDFX.DLL (472b82d7e549e7fab428852e4d16f21d) C:\WINDOWS\system32\CTAUDFX.DLL
2010/11/20 17:54:30.0546 ctdvda2k (ed316d4c3d39c5b6c23de067e275c183) C:\WINDOWS\system32\drivers\ctdvda2k.sys
2010/11/20 17:54:30.0609 CTEAPSFX.DLL (6a57f82009563aee8826f117e1d3c72c) C:\WINDOWS\system32\CTEAPSFX.DLL
2010/11/20 17:54:30.0687 CTEDSPFX.DLL (c8ac1ffaeadd655193d7b1811a572d8d) C:\WINDOWS\system32\CTEDSPFX.DLL
2010/11/20 17:54:30.0750 CTEDSPIO.DLL (44495d9daf675257d00b25b041ee6667) C:\WINDOWS\system32\CTEDSPIO.DLL
2010/11/20 17:54:30.0828 CTEDSPSY.DLL (8e90b1762cb42e2fc76dac9210c83c66) C:\WINDOWS\system32\CTEDSPSY.DLL
2010/11/20 17:54:30.0875 CTERFXFX.DLL (d3fbd9983325435b06795f29cb57ed3d) C:\WINDOWS\system32\CTERFXFX.DLL
2010/11/20 17:54:30.0984 CTEXFIFX.DLL (2c48e9d8ca703964463f27ae341115b7) C:\WINDOWS\system32\CTEXFIFX.DLL
2010/11/20 17:54:31.0093 CTHWIUT.DLL (f7657c598e7c29c6683c1e4a8dd68884) C:\WINDOWS\system32\CTHWIUT.DLL
2010/11/20 17:54:31.0171 ctprxy2k (34e7f8a499fd8361df14fedb724c0ad3) C:\WINDOWS\system32\drivers\ctprxy2k.sys
2010/11/20 17:54:31.0265 CTSBLFX.DLL (679ae21eb7f48a08184813aebabdec7c) C:\WINDOWS\system32\CTSBLFX.DLL
2010/11/20 17:54:31.0359 ctsfm2k (32098497cb4dfe9ea7660fa62dd91060) C:\WINDOWS\system32\drivers\ctsfm2k.sys
2010/11/20 17:54:31.0593 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/11/20 17:54:31.0718 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/11/20 17:54:31.0812 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/11/20 17:54:31.0906 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/11/20 17:54:31.0984 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/11/20 17:54:32.0140 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/11/20 17:54:32.0234 DVDVRRdr_xp (a2abb2a771a522b9dd57ce57d9960661) C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
2010/11/20 17:54:32.0312 dvd_2K (9d6fabf24b9ac7bd2ef52d7907fd2f8e) C:\WINDOWS\system32\drivers\dvd_2K.sys
2010/11/20 17:54:32.0406 EL2000 (9d356817b223067ff6f7f9eb867585ef) C:\WINDOWS\system32\DRIVERS\EL2K_XP.sys
2010/11/20 17:54:32.0500 emupia (2885f72d2daffd0329272f12e16d6579) C:\WINDOWS\system32\drivers\emupia2k.sys
2010/11/20 17:54:32.0625 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/11/20 17:54:32.0671 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/11/20 17:54:32.0765 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/11/20 17:54:32.0812 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/11/20 17:54:32.0906 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/11/20 17:54:33.0000 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/11/20 17:54:33.0078 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/11/20 17:54:33.0125 gagp30kx (3a74c423cf6bcca6982715878f450a3b) C:\WINDOWS\system32\DRIVERS\gagp30kx.sys
2010/11/20 17:54:33.0203 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2010/11/20 17:54:33.0281 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/11/20 17:54:33.0375 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/11/20 17:54:33.0453 ha10kx2k (da2c735b66d2e7b739f9a46146581a9d) C:\WINDOWS\system32\drivers\ha10kx2k.sys
2010/11/20 17:54:33.0578 hap16v2k (5c7d6d68796e4621b4168c879908dae0) C:\WINDOWS\system32\drivers\hap16v2k.sys
2010/11/20 17:54:33.0718 hap17v2k (a595b88ad16d8b5693ddf08113caf30e) C:\WINDOWS\system32\drivers\hap17v2k.sys
2010/11/20 17:54:33.0812 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/11/20 17:54:34.0015 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/11/20 17:54:34.0218 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/11/20 17:54:34.0312 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/11/20 17:54:34.0515 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/11/20 17:54:34.0578 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/11/20 17:54:34.0625 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/11/20 17:54:34.0734 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/11/20 17:54:34.0843 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/11/20 17:54:34.0921 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/11/20 17:54:35.0015 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/11/20 17:54:35.0078 Iviaspi (4ac11b2250106774f694df2db4ffed61) C:\WINDOWS\system32\drivers\iviaspi.sys
2010/11/20 17:54:35.0156 iviVD (7bd8ff29fecc1f4ef5b26ce3ffa80ae8) C:\WINDOWS\system32\DRIVERS\iviVD.sys
2010/11/20 17:54:35.0234 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/11/20 17:54:35.0281 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/11/20 17:54:35.0375 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/11/20 17:54:35.0484 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/11/20 17:54:35.0671 MASPINT (a2ae666cee860babe7fa6f1662b71737) C:\WINDOWS\system32\drivers\MASPINT.sys
2010/11/20 17:54:35.0781 mmc_2K (0ba70511363a4a148815c6e57a5f99c5) C:\WINDOWS\system32\drivers\mmc_2K.sys
2010/11/20 17:54:35.0875 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/11/20 17:54:35.0968 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/11/20 17:54:36.0046 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/11/20 17:54:36.0125 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/11/20 17:54:36.0187 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/11/20 17:54:36.0312 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/11/20 17:54:36.0390 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/11/20 17:54:36.0500 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/11/20 17:54:36.0593 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/11/20 17:54:36.0671 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/11/20 17:54:36.0734 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/11/20 17:54:36.0828 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/11/20 17:54:36.0921 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/11/20 17:54:37.0015 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/11/20 17:54:37.0093 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/11/20 17:54:37.0140 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/11/20 17:54:37.0218 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/11/20 17:54:37.0281 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/11/20 17:54:37.0343 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/11/20 17:54:37.0406 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/11/20 17:54:37.0562 netr28u (6f8480809d14f0594b4b1df07385da33) C:\WINDOWS\system32\DRIVERS\netr28u.sys
2010/11/20 17:54:37.0718 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/11/20 17:54:37.0812 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/11/20 17:54:37.0890 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/11/20 17:54:37.0953 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/11/20 17:54:38.0140 nv (c823d5e609762c075f26f7fc56690f34) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/11/20 17:54:38.0328 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/11/20 17:54:38.0406 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/11/20 17:54:38.0484 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/11/20 17:54:38.0578 ossrv (61c85afeaa6ef0c1b32d43f84f7bfbcf) C:\WINDOWS\system32\drivers\ctoss2k.sys
2010/11/20 17:54:38.0671 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/11/20 17:54:38.0703 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/11/20 17:54:38.0812 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/11/20 17:54:38.0906 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/11/20 17:54:39.0046 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/11/20 17:54:39.0468 PfDetNT (6dabb70783ef470492adb7b9a6e60bf3) C:\WINDOWS\System32\drivers\PfModNT.sys
2010/11/20 17:54:39.0515 PfModNT (6dabb70783ef470492adb7b9a6e60bf3) C:\WINDOWS\System32\drivers\PfModNT.sys
2010/11/20 17:54:39.0609 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/11/20 17:54:39.0687 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/11/20 17:54:39.0781 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/11/20 17:54:39.0843 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/11/20 17:54:39.0921 pwd_2k (a69812bcdf900f99e3ace4c38a3aefb2) C:\WINDOWS\system32\drivers\pwd_2k.sys
2010/11/20 17:54:40.0000 PxHelp20 (183ef96bcc2ec3d5294cb2c2c0ecbcd1) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/11/20 17:54:40.0281 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/11/20 17:54:40.0359 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/11/20 17:54:40.0437 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/11/20 17:54:40.0500 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/11/20 17:54:40.0578 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/11/20 17:54:40.0656 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/11/20 17:54:40.0765 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/11/20 17:54:40.0859 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/11/20 17:54:40.0984 rt2870 (c2a6f7f35e617744a65dbfb0c0a64adc) C:\WINDOWS\system32\DRIVERS\rt2870.sys
2010/11/20 17:54:41.0078 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2010/11/20 17:54:41.0218 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/11/20 17:54:41.0312 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/11/20 17:54:41.0406 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/11/20 17:54:41.0500 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/11/20 17:54:41.0703 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/11/20 17:54:41.0812 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/11/20 17:54:41.0921 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/11/20 17:54:42.0046 Sus2pl (3461268d6daa38b65de2936f521afbc4) C:\WINDOWS\system32\DRIVERS\sus2pl.sys
2010/11/20 17:54:42.0125 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/11/20 17:54:42.0187 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/11/20 17:54:42.0500 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/11/20 17:54:42.0609 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/11/20 17:54:42.0656 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/11/20 17:54:42.0734 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/11/20 17:54:42.0812 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/11/20 17:54:43.0031 UdfReadr_xp (8d719ae3cc449768963a6a1f7ff4b769) C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
2010/11/20 17:54:43.0093 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/11/20 17:54:43.0234 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/11/20 17:54:43.0296 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/11/20 17:54:43.0343 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/11/20 17:54:43.0390 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/11/20 17:54:43.0437 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/11/20 17:54:43.0515 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/11/20 17:54:43.0578 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\DRIVERS\usbser.sys
2010/11/20 17:54:43.0656 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/11/20 17:54:43.0718 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/11/20 17:54:43.0781 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/11/20 17:54:43.0859 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/11/20 17:54:43.0921 viasraid (45469fa05947d75874316649a22878d4) C:\WINDOWS\system32\DRIVERS\VIASRAID.SYS
2010/11/20 17:54:43.0984 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/11/20 17:54:44.0078 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/11/20 17:54:44.0187 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/11/20 17:54:44.0421 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/11/20 17:54:44.0546 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/11/20 17:54:44.0593 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/11/20 17:54:44.0703 WUSB54GPV4SRV (70aeec67e87a2002e6b2cc353d56e222) C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
2010/11/20 17:54:44.0859 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/11/20 17:54:44.0859 ================================================================================
2010/11/20 17:54:44.0875 Scan finished
2010/11/20 17:54:44.0875 ================================================================================
2010/11/20 17:54:44.0906 Detected object count: 1
2010/11/20 17:55:03.0890 \HardDisk0 - will be cured after reboot
2010/11/20 17:55:03.0890 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/11/20 17:55:19.0750 Deinitialize success
 
I missed this earlier. AV: The Shield Deluxe Antivirus *On-access scanning disabled* (Outdated). It's in the Combofix header, running in addition to Avast. I don't see any entries in the log. The program had a trial and if this is what you have, it can be removed. If you do not have it in the installed programs and it only appears in the header, I can remove it from there. If it's installed, follow this:

The Shield Deluxe 2010, powered by BitDefender: Removal:
Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
  1. Open the control panel and select "Programs and Features" in Vista or "Add/Remove Programs" in older versions of Windows.
  2. Find The Shield Deluxe in your list of available programs and click "Remove."
  3. Read the choices in the uninstall wizard that pops up. Remove all aspects of the program, including definitions, the protected vaults and user configuration data.
  4. Verify that the Shield Deluxe is no longer checked on the Startup menu.
  5. Wait until the wizard finishes, and then restart your computer into Normal Mode.
=========================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\lsp21.tmp

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRIxxXn]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
======================================
Download bootkitremover.rar and save it to your desktop.
  • Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip.
  • Double-click on the remover.exe file to run the program.
  • Paste the output in your next reply.
 
Logs

Posting this from the infected computer, seeing if it works.

Don't have Shield Deluxe installed.

Things are starting to seem more stable; something called PEV had an error and closed when ComboFix ran.

Logs: Log has been removed as it is unreadable with Word Wrap on. Member advised, scan being repeated.

ComboFix 10-11-23.01 - Tom 11/23/2010
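The note above says the earlier log was unreadable because the forum's word wrap split each record over several lines, and the Bootkit Remover output pasted further down suffered the same way. As an added example that is not part of the thread and not eSage Lab's code, here is a Python helper that rejoins wrapped records (joining without a space when the break fell inside a quoted path) and then flags kernel modules loaded from unexpected locations; the sample input is constructed from a few fragments as the thread pasted them, and the flag rules are heuristics assumed here, not anything the tool itself reports.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Each Bootkit Remover record begins with the source location that printed it,
# e.g. ".\debug.cpp(256) :". When a viewer's word wrap splits a record, only
# the first fragment carries this prefix, so the prefix marks "new record".
RECORD_START = re.compile(r"^\.\\\w+\.cpp\(\d+\)")

# A rejoined loaded-module record:
#   .\debug.cpp(256) : 0x804d7000 0x001f8980 "\WINDOWS\system32\ntkrnlpa.exe"
MODULE_RE = re.compile(
    r'^\.\\debug\.cpp\(\d+\)\s*:\s*(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+"([^"]*)"\s*$',
    re.IGNORECASE,
)


def unwrap_log(text: str) -> List[str]:
    """Rejoin records that word wrap split over several lines."""
    records: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # the wrap also inserted blank lines between fragments
        if RECORD_START.match(line) or not records:
            records.append(line)
            continue
        # Continuation fragment. An odd number of quotes means the break fell
        # inside a quoted path, so rejoin with no separator; otherwise the
        # break replaced a space.
        sep = "" if records[-1].count('"') % 2 == 1 else " "
        records[-1] += sep + line
    return records


@dataclass
class LoadedModule:
    base: int
    size: int
    path: str

    def flag(self) -> Optional[str]:
        """Heuristic (assumed here, not the tool's): why this load path
        deserves a closer look, or None when it is a normal location."""
        p = self.path.lower()
        if "\\temp\\" in p:
            return "driver loaded from a temporary directory"
        if "\\docume~1\\" in p or "\\documents and settings\\" in p:
            return "driver loaded from a user profile"
        if "\\" not in p:
            return None  # boot-start drivers are listed by bare file name
        if p.startswith("\\??\\"):
            return "driver registered with an absolute DOS path"
        if "\\system32\\" in p:
            return None
        return "module outside the Windows system directory"


def parse_modules(records: List[str]) -> List[LoadedModule]:
    """Pick the loaded-module records out of the rejoined log."""
    modules = []
    for rec in records:
        m = MODULE_RE.match(rec)
        if m:
            modules.append(LoadedModule(int(m.group(1), 16),
                                        int(m.group(2), 16), m.group(3)))
    return modules


def triage(text: str) -> List[Tuple[str, str]]:
    """Unwrap a pasted log and return (path, reason) for each flagged module."""
    flagged = []
    for mod in parse_modules(unwrap_log(text)):
        reason = mod.flag()
        if reason:
            flagged.append((mod.path, reason))
    return flagged


# Constructed sample: a few fragments exactly as the thread's word-wrapped
# paste shows them (a record split before the path, a record split inside
# its prefix, and a symbolic-link name split in the middle of a token).
SAMPLE_WRAPPED_LOG = r"""
.\debug.cpp(256) : 0x804d7000 0x001f8980

"\WINDOWS\system32\ntkrnlpa.exe"
.\debug.cpp(256) :

0xf7ad0000 0x00002000

"\WINDOWS\system32\KDCOM.DLL"
.\debug.cpp(256)

: 0xf74a1000 0x0002e000 "ACPI.sys"
.\debug.cpp(256) : 0xed3c4000 0x00002000

"\??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS"
.\debug.cpp(256) : 0xeb8b2000 0x00008000

"\??\C:\DOCUME~1\Tom\LOCALS~1\Temp\catchme.sys"
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\Volume{0caa2527-b2bd-11dc-94b9-000ea6

4e849f}"
"""

if __name__ == "__main__":
    for rec in unwrap_log(SAMPLE_WRAPPED_LOG):
        print(rec)
    for path, reason in triage(SAMPLE_WRAPPED_LOG):
        print(f"CHECK: {path}  ({reason})")
```

A flag is a prompt to verify the file (publisher signature, hash checked against the vendor), not a verdict: in this thread the two paths it singles out belong to tools the user had just run, Process Explorer's driver and the catchme scanner that ComboFix loads.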
 
Logs continued

It worked

BE0925924BB3CD5A60B396D50C7B3DC4

.\debug.cpp(238) : Debug log started at 24.11.2010 - 03:03:41
.\boot_cleaner.cpp(527) : Bootkit Remover
.\boot_cleaner.cpp(528) : (c) 2009 eSage Lab
.\boot_cleaner.cpp(529) : www.esagelab.com
.\boot_cleaner.cpp(533) : Program version: 1.2.0.0
.\boot_cleaner.cpp(540) : OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
 
More logs

.\debug.cpp(409) :

--
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\catchme"
.\debug.cpp(400) :

Destination "\Device\catchme"
.\debug.cpp(409) :

--
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\PCI#VEN_1102&DEV_0004&SUBSYS_20021102

&REV_04#3&267a616a&0&70#{6994ad04-93ef-11d0-a3cc

-00a0c9223196}"
.\debug.cpp(400) : Destination

"\Device\NTPNP_PCI0006"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\USB#Vid_050d&Pid_8053#1.0#{ad498944-7

62f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) :

Destination "\Device\USBPDO-5"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\ACPI#PNP0501#1#{4d36e978-e325-11ce-bf

c1-08002be10318}"
.\debug.cpp(400) :

Destination "\Device\00000068"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\USB#Vid_040a&Pid_4032&MI_01#7&2bade5b

3&2&0001#{28d78fad-5a12-11d1-ae5b-0000f803a8c2}"
.\debug.cpp(400) : Destination

"\Device\00000079"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\MbDlDp32"
.\debug.cpp(400) :

Destination "\Device\MbDlDp32"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\MountPointManager"
.\debug.cpp(400) :

Destination "\Device\MountPointManager"
.\debug.cpp(409) : --
.\debug.cpp(369) :

SymbolicLink

"\GLOBAL??\STORAGE#Volume#1&30a96598&0&Signature

2F7F2F7FOffset7E00Length37E4610400#{53f5630d-b6b

f-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400) :

Destination "\Device\HarddiskVolume1"
.\debug.cpp(409) : --
.\debug.cpp(369) :

SymbolicLink "\GLOBAL??\ASPINT"
.\debug.cpp(400)

: Destination "\Device\msfaspi"
.\debug.cpp(409) : --
.\debug.cpp(369) :

SymbolicLink "\GLOBAL??\CdaD10BA"
.\debug.cpp(400) : Destination

"\Device\CdaD10BA"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0

407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c

50674-72c1-11d2-9755-0000f8004788}"
.\debug.cpp(400) : Destination

"\Device\KSENUM#00000001"
.\debug.cpp(409) :

--
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\AAVMKER4"
.\debug.cpp(400) :

Destination "\Device\AavmKer4"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\Root#MS_L2TPMINIPORT#0000#{ad498944-7

62f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) :

Destination "\Device\0000003c"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\ACPI#PNP0C0E#2&daba3ff&0#{4afa3d53-74

a7-11d0-be5e-00a0c9062857}"
.\debug.cpp(400) :

Destination "\Device\00000051"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\WanArp"
.\debug.cpp(400) :

Destination "\Device\WANARP"
.\debug.cpp(409) :

--
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\CTPROXY"
.\debug.cpp(400) :

Destination "\Device\CTPROXY"
.\debug.cpp(409) :

--
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\Root#ftdisk#0000#{53f5630e-b6bf-11d0-

94f2-00a0c91efb8b}"
.\debug.cpp(400) :

Destination "\Device\00000002"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\USNTracker"
.\debug.cpp(400) :

Destination "\Device\USNTracker"
.\debug.cpp(409) : --
.\debug.cpp(369) :

SymbolicLink

"\GLOBAL??\Volume{389663ec-7ef9-11da-baf3-806d61

72696f}"
.\debug.cpp(400) : Destination

"\Device\CdRom0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\HID#Vid_045e&Pid_001d&MI_01&Col01#8&4

a0078c&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000

030}"
.\debug.cpp(400) : Destination

"\Device\00000082"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\USB#Vid_046d&Pid_c501#5&3278073a&0&1#

{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
.\debug.cpp(400) : Destination

"\Device\USBPDO-8"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\{739A61E4-B24F-4826-A90D-706B6E1C9246

}"
.\debug.cpp(400) : Destination

"\Device\{739A61E4-B24F-4826-A90D-706B6E1C9246}"
.\debug.cpp(409) : --
.\debug.cpp(369) :

SymbolicLink

"\GLOBAL??\Volume{8e0fd422-0531-11db-9c39-806d61

72696f}"
.\debug.cpp(400) : Destination

"\Device\CdRom1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\LPTENUM#MicrosoftRawPort#5&1d62032d&0

&LPT1#{811fc6a5-f728-11d0-a537-0000f8753ed1}"
.\debug.cpp(400) : Destination

"\Device\Parallel0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\CTSBLFX.DLL"
.\debug.cpp(400) :

Destination "\Device\CTSBLFX.DLL"
.\debug.cpp(409) : --
.\debug.cpp(369) :

SymbolicLink

"\GLOBAL??\{49A6E70C-0AFA-421D-9178-D479A58EE126

}"
.\debug.cpp(400) : Destination

"\Device\{49A6E70C-0AFA-421D-9178-D479A58EE126}"
.\debug.cpp(409) : --
.\debug.cpp(369) :

SymbolicLink "\GLOBAL??\A:"
.\debug.cpp(400) :

Destination "\Device\Floppy0"
.\debug.cpp(409) :

--
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\Root#SYSTEM#0000#{ad498944-762f-11d0-

8dcb-00c04fc3358c}"
.\debug.cpp(400) :

Destination "\Device\00000048"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\NDISWANIP"
.\debug.cpp(400) :

Destination "\Device\NdisWanIp"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\AegisP"
.\debug.cpp(400) :

Destination "\Device\AegisP"
.\debug.cpp(409) :

--
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\Root#SYSTEM#0000#{bf963d80-c559-11d0-

8a2b-00a0c9255ac1}"
.\debug.cpp(400) :

Destination "\Device\00000048"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0

407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{fbf

6f530-07b9-11d2-a71e-0000f8004788}"
.\debug.cpp(400) : Destination

"\Device\KSENUM#00000001"
.\debug.cpp(409) :

--
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\Scsi0:"
.\debug.cpp(400) :

Destination "\Device\Scsi\iviVD1"
.\debug.cpp(409) : --
.\debug.cpp(369) :

SymbolicLink

"\GLOBAL??\Volume{e86c4cb4-4511-11d9-8ffa-806d61

72696f}"
.\debug.cpp(400) : Destination

"\Device\Floppy0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\{8123F7A7-CFE3-4460-AA61-619CC6370263

}"
.\debug.cpp(400) : Destination

"\Device\{8123F7A7-CFE3-4460-AA61-619CC6370263}"
.\debug.cpp(409) : --
.\debug.cpp(369) :

SymbolicLink

"\GLOBAL??\USB#ROOT_HUB#4&7d5b616&0#{f18a0e88-c3

0c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) :

Destination "\Device\USBPDO-3"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\PCI#VEN_1102&DEV_7003&SUBSYS_00401102

&REV_04#3&267a616a&0&71#{cae56030-684a-11d0-d6f6

-00a0c90f57da}"
.\debug.cpp(400) : Destination

"\Device\NTPNP_PCI0007"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\1394BUS0"
.\debug.cpp(400) :

Destination "\Device\1394BUS0"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\ACPI#PNP0400#1#{97f76ef0-f883-11d0-af

1f-0000f800845c}"
.\debug.cpp(400) :

Destination "\Device\00000064"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\Root#SYSTEM#0000#{4747b320-62ce-11cf-

a5d6-28db04c10000}"
.\debug.cpp(400) :

Destination "\Device\00000048"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\Root#MS_PPTPMINIPORT#0000#{ad498944-7

62f-11d0-8dcb-00c04fc3358c}"
.\debug.cpp(400) :

Destination "\Device\0000003f"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\PTILINK1"
.\debug.cpp(400) :

Destination "\Device\ParTechInc0"
.\debug.cpp(409) : --
.\debug.cpp(369) :

SymbolicLink "\GLOBAL??\1394BUS1"
.\debug.cpp(400) : Destination

"\Device\1394BUS1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\Root#SYSTEM#0000#{a7c7a5b1-5af3-11d1-

9ced-00a024bf0407}"
.\debug.cpp(400) :

Destination "\Device\00000048"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\Volume{389663ed-7ef9-11da-baf3-806d61

72696f}"
.\debug.cpp(400) : Destination

"\Device\CdRom1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\USB#ROOT_HUB20#4&2556a5a7&0#{f18a0e88

-c30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400)

: Destination "\Device\USBPDO-4"
.\debug.cpp(409) : --
.\debug.cpp(369) :

SymbolicLink "\GLOBAL??\NDISTAPI"
.\debug.cpp(400) : Destination

"\Device\NdisTapi"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\NdisWan"
.\debug.cpp(400) :

Destination "\Device\NdisWan"
.\debug.cpp(409) :

--
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\USB#Vid_040a&Pid_4032#C057636#{a5dcbf

10-6530-11d2-901f-00c04fb951ed}"
.\debug.cpp(400) : Destination

"\Device\USBPDO-7"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\Scsi1:"
.\debug.cpp(400) :

Destination "\Device\Ide\IdePort0"
.\debug.cpp(409) : --
.\debug.cpp(369) :

SymbolicLink "\GLOBAL??\IPMULTICAST"
.\debug.cpp(400) : Destination

"\Device\IPMULTICAST"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\LPT1"
.\debug.cpp(400) : Destination

"\Device\Parallel0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\HA10KX2K"
.\debug.cpp(400) :

Destination "\Device\HA10KX2K"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\PTILINK2"
.\debug.cpp(400) :

Destination "\Device\ParTechInc1"
.\debug.cpp(409) : --
.\debug.cpp(369) :

SymbolicLink

"\GLOBAL??\IDE#CdRomPLEXTOR_CD-R___PREMIUM______

____________1.02____#5&6a6be80&0&0.0.0#{53f5630d

-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400)

: Destination "\Device\Ide\IdeDeviceP1T0L0-6"
.\debug.cpp(409) : --
.\debug.cpp(369) :

SymbolicLink

"\GLOBAL??\USB#Vid_040a&Pid_4032&MI_00#7&2bade5b

3&2&0000#{6bdd1fc6-810f-11d0-bec7-08002be2092f}"
.\debug.cpp(400) : Destination

"\Device\00000078"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\Shadow"
.\debug.cpp(400) :

Destination "\Device\LanmanRedirector"
.\debug.cpp(409) : --
.\debug.cpp(369) :

SymbolicLink

"\GLOBAL??\ACPI#PNP0501#2#{4d36e978-e325-11ce-bf

c1-08002be10318}"
.\debug.cpp(400) :

Destination "\Device\00000067"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\PCI#VEN_10DE&DEV_0333&SUBSYS_194E270F

&REV_A1#4&3600494a&0&0008#{5b45201d-f2f2-4f3b-85

bb-30ff1f953599}"
.\debug.cpp(400) :

Destination "\Device\NTPNP_PCI0021"
.\debug.cpp(409) : --
.\debug.cpp(369) :

SymbolicLink "\GLOBAL??\PTILINK3"
.\debug.cpp(400) : Destination

"\Device\ParTechInc2"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\pwd_2k"
.\debug.cpp(400) :

Destination "\Device\pwd_2k"
.\debug.cpp(409) :

--
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\SCSI#Disk&Ven_VIA_SATA&Prod__RAID_0&R

ev_#4&17c50b7c&0&000#{53f56307-b6bf-11d0-94f2-00

a0c91efb8b}"
.\debug.cpp(400) : Destination

"\Device\Scsi\viasraid1Port3Path0Target0Lun0"
.\debug.cpp(409) : --
.\debug.cpp(369) :

SymbolicLink "\GLOBAL??\FltMgr"
.\debug.cpp(400)

: Destination "\FileSystem\Filters\FltMgr"
.\debug.cpp(409) : --
.\debug.cpp(369) :

SymbolicLink "\GLOBAL??\FtControl"
.\debug.cpp(400) : Destination

"\Device\FtControl"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
.\debug.cpp(400) : Destination

"\Device\HarddiskVolume1"
.\debug.cpp(409) :

--
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\CdUdf_XP"
.\debug.cpp(400) :

Destination "\Device\CdUdf_XP"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\ASWRDR"
.\debug.cpp(400) :

Destination "\Device\ASWRDR"
.\debug.cpp(409) :

--
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\aswSP_Avar"
.\debug.cpp(400) :

Destination "\Device\aswSP_Avar"
.\debug.cpp(409) : --
.\debug.cpp(369) :

SymbolicLink

"\GLOBAL??\USB#ROOT_HUB#4&1a8f66bb&0#{f18a0e88-c

30c-11d0-8815-00a0c906bed8}"
.\debug.cpp(400) :

Destination "\Device\USBPDO-2"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\CdaD23BA"
.\debug.cpp(400) :

Destination "\Device\CdaD23BA"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\PCI#VEN_1102&DEV_0004&SUBSYS_20021102

&REV_04#3&267a616a&0&70#{65e8773d-8f56-11d0-a3b9

-00a0c9223196}"
.\debug.cpp(400) : Destination

"\Device\NTPNP_PCI0006"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\Volume{d3438a5d-4516-11d9-8378-806d61

72696f}"
.\debug.cpp(400) : Destination

"\Device\HarddiskVolume1"
.\debug.cpp(409) :

--
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\Volume{8e0fd420-0531-11db-9c39-806d61

72696f}"
.\debug.cpp(400) : Destination

"\Device\Floppy0"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\MAILSLOT"
.\debug.cpp(400) :

Destination "\Device\MailSlot"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\AUX"
.\debug.cpp(400) : Destination

"\DosDevices\COM1"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\GLOBALROOT"
.\debug.cpp(400) :

Destination ""
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\Ndisuio"
.\debug.cpp(400) :

Destination "\Device\Ndisuio"
.\debug.cpp(409) :

--
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\Root#RDP_MOU#0000#{378de44c-56ef-11d1

-bc8c-00a0c91405dd}"
.\debug.cpp(400) :

Destination "\Device\00000046"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\Scsi2:"
.\debug.cpp(400) :

Destination "\Device\Ide\IdePort1"
.\debug.cpp(409) : --
.\debug.cpp(369) :

SymbolicLink "\GLOBAL??\NUL"
.\debug.cpp(400) :

Destination "\Device\Null"
.\debug.cpp(409) :

--
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\{8BCD12CD-A96A-411A-B624-EFAF40C2E99C

}"
.\debug.cpp(400) : Destination

"\Device\{8BCD12CD-A96A-411A-B624-EFAF40C2E99C}"
.\debug.cpp(409) : --
.\debug.cpp(369) :

SymbolicLink

"\GLOBAL??\IDE#CdRomPLEXTOR_CD-R___PREMIUM______

____________1.02____#5&6a6be80&0&0.0.0#{53f56308

-b6bf-11d0-94f2-00a0c91efb8b}"
.\debug.cpp(400)

: Destination "\Device\Ide\IdeDeviceP1T0L0-6"
.\debug.cpp(409) : --
.\debug.cpp(369) :

SymbolicLink

"\GLOBAL??\Root#RDP_KBD#0000#{884b96c3-56ef-11d1

-bc8c-00a0c91405dd}"
.\debug.cpp(400) :

Destination "\Device\00000045"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\USB#Vid_050d&Pid_8053#1.0#{a5dcbf10-6

530-11d2-901f-00c04fb951ed}"
.\debug.cpp(400) :

Destination "\Device\USBPDO-5"
.\debug.cpp(409)

: --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\CTAC32K"
.\debug.cpp(400) :

Destination "\Device\CTAC32K"
.\debug.cpp(409) :

--
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\IDE#CdRomPLEXTOR_CD-R___PREMIUM______

____________1.02____#5&6a6be80&0&0.0.0#{1186654d

-47b8-48b9-beb9-7df113ae3c67}"
.\debug.cpp(400)

: Destination "\Device\Ide\IdeDeviceP1T0L0-6"
.\debug.cpp(409) : --
.\debug.cpp(369) :

SymbolicLink "\GLOBAL??\PROCEXP113"
.\debug.cpp(400) : Destination

"\Device\PROCEXP113"
.\debug.cpp(409) : --
.\debug.cpp(369) : SymbolicLink

"\GLOBAL??\{D7075411-6248-4E83-BA44-21DEA793D884

}"
.\debug.cpp(400) : Destination

"\Device\{D7075411-6248-4E83-BA44-21DEA793D884}"
.\debug.cpp(409) : --
.\debug.cpp(369) :

SymbolicLink "\GLOBAL??\CTSFM2K"
.\debug.cpp(400) : Destination

"\Device\CTSFM2K"
.\debug.cpp(409) : --
.\debug.cpp(453) :

**********************************************
.\boot_cleaner.cpp(565) : System volume is

\\.\C:
.\boot_cleaner.cpp(600) : \\.\C: ->

\\.\PhysicalDrive0 at offset

0x00000000`00007e00
.\diskio.cpp(204) :

ATA_Read(): DeviceIoControl() ERROR 1
.\boot_cleaner.cpp(276) : Boot sector MD5 is:

6def5ffcbcdbdb4082f1015625e597bd
.\boot_cleaner.cpp(1060) :
.\boot_cleaner.cpp(1061) : Size Device

Name MBR Status
.\boot_cleaner.cpp(1062) :

--------------------------------------------
.\boot_cleaner.cpp(1106) : 223 GB

\\.\PhysicalDrive0 OK (DOS/Win32 Boot code

found)
.\boot_cleaner.cpp(1112) :
.\boot_cleaner.cpp(1151) : Done;
 
I've deleted the ComboFix log as it is unreadable. When you open Notepad, first go to Format > uncheck 'Word Wrap', then repeat this to generate a new log:

Custom CFScript:

[1]. Close any open browsers.
[2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
[3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it:

Code:
File::
c:\windows\system32\lsp21.tmp
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRIxxXn]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
Save this as CFScript.txt in the same location as ComboFix.exe.
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
====================
You don't have to repeat the Bootscan, but any time you use Notepad for the logs, be sure that Word Wrap is unchecked.
Note:
Combofix Log has been removed as it is unreadable with Word Wrap on. Member advised, scan being repeated.
 