Since my Windows XP Pro boots slowly, I tried to clean my computer of viruses and trojans. I came across your board and found very helpful suggestions. I have downloaded ComboFix and MBAM and had them scan and clean my computer. There were quite a number of deletes.
However, the problem persists, or is even worse: now the names in services.msc are changed, e.g. "Cryptographic Service" to "CryptSvc", etc. And those services that I intentionally set to "Disable" were running again with permission changed to either "Automatic" or "Manual". They are: Cryptographic Service, Error Reporting Service, Help and Support, Second Logon, Task Scheduler. A few weird names show up, e.g. zrrrn...
I was able to notice there is always a ghostly driver file that shows up in "ntbtlog.txt" during the boot but is gone after boot, e.g. "Loaded driver \SystemRoot\System32\Drivers\abuqheog.SYS", but it is not there when I look for it using explorer.exe. RootRepeal does report it as hidden.
After each boot, either in Safe Mode or normal mode, the system reports a new unknown device found. Later on, it says it found a CDRom device and installs it automatically. The device profile reports a UK3386L 00T011W SCSI CdRom Device. When I searched for UK3386 in regedit, I was able to trace it to the driver by the name of the ghost driver file found earlier in ntbtlog.txt, e.g. abuqheog.SYS.
There are other symptoms: system restore fails by reporting something like "cannot create a restore point and try it again after rebooting.", explorer.exe restarts itself once in a while, component services (comuid.dll) not accessible... Maybe they are caused by more than one virus.
I suspect the solution is to stop the ghostly SCSI CDROM device from installing itself very early on in the booting sequence. I have no idea how to do that. Some help would be greatly appreciated!
Edited by hanfeng, 21 October 2009 - 02:22 AM.
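
Added example, not part of the original post: the manual check described above (a driver logged in ntbtlog.txt that cannot be found in the drivers folder afterwards) written as a small cross-view comparison. The log lines other than the quoted abuqheog.SYS entry, the directory listing and the function names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the ntbtlog.txt line format quoted in the post.
SAMPLE_NTBTLOG = r"""
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \SystemRoot\System32\Drivers\disk.sys
Loaded driver \SystemRoot\System32\Drivers\abuqheog.SYS
Did not load driver \SystemRoot\System32\Drivers\sample1.SYS
Loaded driver \SystemRoot\System32\Drivers\Cdrom.SYS
"""

# Constructed listing of System32\Drivers as seen from the running system.
SAMPLE_LISTING = ["disk.sys", "cdrom.sys", "sample1.sys"]

LOADED = re.compile(r"^Loaded driver\s+(.+?)\s*$", re.IGNORECASE)
DRIVERS_DIR = r"system32\drivers"


def loaded_drivers(log_text):
    """Return driver paths from 'Loaded driver' lines, in log order."""
    paths = []
    for line in log_text.splitlines():
        m = LOADED.match(line.strip())
        if m:  # 'Did not load driver' lines do not match and are skipped
            paths.append(m.group(1))
    return paths


def missing_from_listing(log_text, listing):
    """Drivers logged as loaded from System32\\Drivers but absent from listing."""
    present = {name.lower() for name in listing}  # NTFS names are case-insensitive
    missing = []
    for path in loaded_drivers(log_text):
        p = PureWindowsPath(path)
        if not str(p.parent).lower().endswith(DRIVERS_DIR):
            continue  # only compare files expected in the drivers folder
        if p.name.lower() not in present and p.name not in missing:
            missing.append(p.name)
    return missing


if __name__ == "__main__":
    for name in missing_from_listing(SAMPLE_NTBTLOG, SAMPLE_LISTING):
        print("logged as loaded but not visible on disk:", name)
```

A name flagged here is only a lead: the file may be hidden from the running system or may have been removed after boot, so it should be confirmed with a listing taken from outside the suspect installation.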