CPU at 100% with no activity

Inactive
By Code Butcher
Feb 28, 2012
  1. Code Butcher

    Code Butcher TechSpot Member Topic Starter Posts: 84

    TDSSKiller did not run. It just popped up a NTVDM window then closed.
  2. Broni

    Broni Malware Annihilator Posts: 45,224   +243

    Boot back to OTLPE CD

    Double-click on the OTLPE icon.

    Under the Custom Scan box paste this in:

    /md5start
    NTVDM.EXE
    /md5stop


    Post new log.
  3. Code Butcher

    Code Butcher TechSpot Member Topic Starter Posts: 84

    FWIW here is the Rkill.log:

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 02/29/2012 at 11:24:23.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:



    Rkill completed on 02/29/2012 at 11:24:47.


    Rkill completed on 02/29/2012 at 11:25:18.
  4. Code Butcher

    Code Butcher TechSpot Member Topic Starter Posts: 84

    Error: Unable to interpret </md5start> in the current context!
    Error: Unable to interpret <NTVDM.EXE> in the current context!
    Error: Unable to interpret </md5stop> in the current context!
    Error: Unable to interpret < > in the current context!

    OTLPE by OldTimer - Version 3.1.48.0 log created on 02292012_161913
  5. Broni

    Broni Malware Annihilator Posts: 45,224   +243

    You did something wrong (clicked wrong button I guess...).

    After pasting my script...
    Press Run Scan to start the scan.
  6. Code Butcher

    Code Butcher TechSpot Member Topic Starter Posts: 84

    I thought it was a Fix. Here is the log:

    OTL logfile created on: 2/29/2012 4:58:17 PM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 87.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 97.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 74.51 Gb Total Space | 56.28 Gb Free Space | 75.54% Space Free | Partition Type: FAT32
    Drive D: | 7.55 Gb Total Space | 0.26 Gb Free Space | 3.46% Space Free | Partition Type: FAT32
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet003

    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled] -- -- (HidServ)
    SRV - [2011/12/12 11:03:40 | 000,290,832 | ---- | M] (Verizon) [Auto] -- C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe -- (IHA_MessageCenter)
    SRV - [2010/04/28 14:21:30 | 000,073,728 | ---- | M] (Sony Corporation) [On_Demand] -- C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe -- (Sony SCSI Helper Service)
    SRV - [2010/04/05 07:19:58 | 000,444,928 | ---- | M] (Livescribe) [Auto] -- C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe -- (PenCommService)
    SRV - [2009/11/18 10:50:40 | 000,668,912 | ---- | M] (Radialpoint Inc.) [Auto] -- C:\Program Files\Verizon\VSP\ServicepointService.exe -- (ServicepointService)
    SRV - [2008/10/28 16:42:30 | 000,156,968 | ---- | M] (Seagate Technology LLC) [Auto] -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)
    SRV - [2008/09/30 17:41:08 | 000,116,664 | ---- | M] (symantec) [On_Demand] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
    SRV - [2008/09/30 17:41:04 | 001,956,792 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
    SRV - [2008/09/30 17:40:56 | 000,031,160 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
    SRV - [2008/08/20 15:50:30 | 000,214,408 | ---- | M] (Symantec Corporation) [On_Demand] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
    SRV - [2008/06/24 18:17:38 | 000,169,320 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
    SRV - [2008/06/24 18:17:36 | 000,191,848 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
    SRV - [2007/09/12 18:27:26 | 002,999,664 | ---- | M] (Symantec Corporation) [On_Demand] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)
    SRV - [2007/07/26 19:25:20 | 001,181,016 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
    SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
    SRV - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) [Auto] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
    DRV - File not found [Kernel | System] -- -- (PCIDump)
    DRV - File not found [Kernel | On_Demand] -- -- (MRENDIS5)
    DRV - File not found [Kernel | On_Demand] -- -- (MREMPR5)
    DRV - File not found [Kernel | System] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System] -- -- (i2omgmt)
    DRV - File not found [Kernel | System] -- -- (Changer)
    DRV - [2012/02/23 19:14:52 | 000,106,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
    DRV - [2012/02/13 01:00:00 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
    DRV - [2012/01/16 11:48:06 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120224.002\NAVEX15.SYS -- (NAVEX15)
    DRV - [2012/01/16 11:48:06 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20120224.002\NAVENG.SYS -- (NAVENG)
    DRV - [2010/05/14 00:16:40 | 000,068,168 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
    DRV - [2010/05/04 14:55:44 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
    DRV - [2010/05/04 14:55:44 | 000,012,872 | ---- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
    DRV - [2010/04/05 07:20:00 | 000,020,096 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\PulseUsb.sys -- (PulseUsb)
    DRV - [2010/03/17 13:53:38 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
    DRV - [2010/03/17 13:53:22 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
    DRV - [2009/02/14 10:28:06 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
    DRV - [2008/08/20 15:50:02 | 000,188,808 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
    DRV - [2008/08/20 15:49:56 | 000,023,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
    DRV - [2008/05/28 11:31:24 | 000,337,280 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
    DRV - [2008/05/28 11:31:24 | 000,054,656 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
    DRV - [2007/11/15 21:18:20 | 000,572,416 | R--- | M] (Ralink Technology, Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\rt2860.sys -- (RT80x86)
    DRV - [2007/09/26 15:58:00 | 000,461,952 | ---- | M] (Marvell Semiconductor, Inc) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\MRVW245.sys -- (MRVW245)
    DRV - [2007/07/26 19:25:18 | 000,400,216 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    IE - HKU\Edna_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.aol.com/
    IE - HKU\Edna_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\Edna_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



    IE - HKU\test_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Alcatel-Lucent)
    FF - HKLM\Software\MozillaPlugins\@radialpoint.com/SPA,version=1: C:\Program Files\Verizon\VSP\nprpspa.dll (Verizon)
    FF - HKLM\Software\MozillaPlugins\@sony.com/eBookLibrary: C:\Program Files\Sony\Reader\Data\bin\npebldetectmoz.dll (Sony Corporation)



    O1 HOSTS File: ([2012/02/28 23:23:54 | 000,001,626 | RH-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (Verizon Broadband Toolbar) - {A057A204-BACC-4D26-8398-26FADCF27386} - C:\Program Files\verizon_broad\verizon_broad.dll (Verizon Online. )
    O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O2 - BHO: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKU\Edna_ON_C\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
    O4 - HKLM..\Run: [MaxMenuMgr] C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe (Seagate LLC)
    O4 - HKLM..\Run: [Reader Library Launcher] C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe (Sony Corporation)
    O4 - HKLM..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\VSP\VerizonServicepoint.exe (Verizon)
    O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
    O4 - HKU\Edna_ON_C..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
    O4 - HKU\Edna_ON_C..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Edna_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\test_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O9 - Extra Button: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll ()
    O9 - Extra 'Tools' menuitem : Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll ()
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon High Speed Internet Installer.cab (Support.com Configuration Class)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1234638438733 (WUWebControl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-0014-0002-0019-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_19)
    O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://mwmus.webex.com/client/v_mywebex-mwm/mywebex/ieatgpc.cab (GpcContainer Class)
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
    O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/02/14 10:09:28 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
    O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O36 - AppCertDlls: rsvpMRT - (C:\WINDOWS\system32\fixmdiag.dll) - C:\WINDOWS\system32\fixmdiag.dll (Kaspersky Lab)
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/02/28 23:23:50 | 000,000,000 | ---D | C] -- C:\_OTL
    [2012/02/28 17:26:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\My Documents\My Books
    [2012/02/28 17:22:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\Application Data\Sun
    [2012/02/28 17:21:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\Local Settings\Application Data\kinoma
    [2012/02/28 17:21:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\Local Settings\Application Data\Sony Corporation
    [2012/02/28 17:08:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\Application Data\SUPERAntiSpyware.com
    [2012/02/28 16:48:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\Application Data\Apple Computer
    [2012/02/28 16:40:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\Application Data\Verizon
    [2012/02/28 16:36:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\Application Data\VERIZON_BROAD
    [2012/02/28 16:29:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\Application Data\Identities
    [2012/02/28 16:28:57 | 000,000,000 | R--D | C] -- C:\Documents and Settings\test\My Documents\My Music
    [2012/02/28 16:28:53 | 000,000,000 | R--D | C] -- C:\Documents and Settings\test\My Documents\My Pictures
    [2012/02/28 16:28:46 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\test\IETldCache
    [2012/02/28 16:27:24 | 000,000,000 | --SD | C] -- C:\Documents and Settings\test\Application Data\Microsoft
    [2012/02/28 16:27:24 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\test\SendTo
    [2012/02/28 16:27:24 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\test\Recent
    [2012/02/28 16:27:24 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\test\Application Data
    [2012/02/28 16:27:24 | 000,000,000 | R--D | C] -- C:\Documents and Settings\test\Start Menu\Programs\Startup
    [2012/02/28 16:27:24 | 000,000,000 | R--D | C] -- C:\Documents and Settings\test\Start Menu
    [2012/02/28 16:27:24 | 000,000,000 | R--D | C] -- C:\Documents and Settings\test\My Documents
    [2012/02/28 16:27:24 | 000,000,000 | R--D | C] -- C:\Documents and Settings\test\Favorites
    [2012/02/28 16:27:24 | 000,000,000 | R--D | C] -- C:\Documents and Settings\test\Start Menu\Programs\Accessories
    [2012/02/28 16:27:24 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\test\Cookies
    [2012/02/28 16:27:24 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\test\PrintHood
    [2012/02/28 16:27:24 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\test\NetHood
    [2012/02/28 16:27:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\Desktop
    [2012/02/28 16:27:23 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\test\Templates
    [2012/02/28 16:27:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\test\Local Settings\Application Data\Microsoft
    [2012/02/28 16:27:22 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\test\Local Settings
    [2012/02/28 16:20:38 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IETldCache
    [2012/02/28 16:18:20 | 000,000,000 | -HSD | C] -- C:\FOUND.004
    [2012/02/27 23:33:06 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2012/02/27 19:05:38 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
    [2012/02/27 12:32:06 | 000,086,528 | -H-- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\fixmdiag.dll
    [2012/02/25 18:58:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/02/29 16:50:10 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/02/29 16:47:08 | 000,002,335 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    [2012/02/29 16:04:10 | 000,011,264 | ---- | M] () -- C:\Documents and Settings\Edna\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/02/29 11:06:46 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/02/29 10:39:36 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Edna\Desktop\rkill.exe
    [2012/02/29 10:39:26 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Edna\Desktop\rkill.com
    [2012/02/29 03:39:08 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
    [2012/02/28 16:30:30 | 000,000,728 | ---- | M] () -- C:\Documents and Settings\test\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2012/02/28 16:30:20 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\test\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
    [2012/02/28 11:49:30 | 000,607,260 | ---- | M] () -- C:\Documents and Settings\test\Desktop\dds.scr
    [2012/02/28 11:49:30 | 000,607,260 | ---- | M] () -- C:\Documents and Settings\Edna\Desktop\dds.scr
    [2012/02/28 11:49:30 | 000,607,260 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
    [2012/02/28 11:49:16 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\test\Desktop\GMER.exe
    [2012/02/28 11:49:16 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Edna\Desktop\GMER.exe
    [2012/02/28 11:49:16 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\GMER.exe
    [2012/02/27 23:59:38 | 009,502,424 | ---- | M] () -- C:\Documents and Settings\test\Desktop\mbam--setup-1.60.1.1000.exe
    [2012/02/27 23:59:38 | 009,502,424 | ---- | M] () -- C:\Documents and Settings\Edna\Desktop\mbam--setup-1.60.1.1000.exe
    [2012/02/27 18:01:42 | 004,420,957 | ---- | M] () -- C:\Documents and Settings\Edna\Desktop\Edna.exe
    [2012/02/27 18:01:42 | 004,420,957 | ---- | M] () -- C:\Documents and Settings\test\Desktop\ComboFix.exe
    [2012/02/27 18:01:42 | 004,420,957 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    [2012/02/27 12:59:34 | 002,062,896 | ---- | M] () -- C:\Documents and Settings\test\Desktop\TDSSKiller.exe
    [2012/02/27 12:59:34 | 002,062,896 | ---- | M] () -- C:\Documents and Settings\Edna\Desktop\TDSSKiller.exe
    [2012/02/27 12:32:08 | 000,086,528 | -H-- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\fixmdiag.dll
    [2012/02/25 23:15:00 | 000,000,089 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\avbase.dat
    [2012/02/23 19:15:20 | 000,247,904 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2012/02/22 23:09:56 | 000,432,778 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2012/02/22 23:09:56 | 000,067,734 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2012/02/22 23:07:18 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/02/29 11:07:20 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Edna\Desktop\rkill.exe
    [2012/02/29 11:07:20 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Edna\Desktop\rkill.com
    [2012/02/29 11:07:12 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\Edna\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/02/29 09:19:04 | 009,502,424 | ---- | C] () -- C:\Documents and Settings\Edna\Desktop\mbam--setup-1.60.1.1000.exe
    [2012/02/29 09:19:04 | 002,062,896 | ---- | C] () -- C:\Documents and Settings\Edna\Desktop\TDSSKiller.exe
    [2012/02/28 18:50:05 | 002,062,896 | ---- | C] () -- C:\Documents and Settings\test\Desktop\TDSSKiller.exe
    [2012/02/28 17:27:52 | 009,502,424 | ---- | C] () -- C:\Documents and Settings\test\Desktop\mbam--setup-1.60.1.1000.exe
    [2012/02/28 16:54:23 | 000,607,260 | ---- | C] () -- C:\Documents and Settings\test\Desktop\dds.scr
    [2012/02/28 16:54:23 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\test\Desktop\GMER.exe
    [2012/02/28 16:54:21 | 004,420,957 | ---- | C] () -- C:\Documents and Settings\test\Desktop\ComboFix.exe
    [2012/02/28 16:30:29 | 000,000,728 | ---- | C] () -- C:\Documents and Settings\test\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2012/02/28 16:30:29 | 000,000,716 | ---- | C] () -- C:\Documents and Settings\test\Start Menu\Programs\Internet Explorer.lnk
    [2012/02/28 16:30:19 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\test\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
    [2012/02/28 16:29:56 | 000,000,651 | ---- | C] () -- C:\Documents and Settings\test\Start Menu\Programs\Outlook Express.lnk
    [2012/02/28 16:27:26 | 000,001,512 | ---- | C] () -- C:\Documents and Settings\test\Start Menu\Programs\Remote Assistance.lnk
    [2012/02/28 16:27:26 | 000,000,705 | ---- | C] () -- C:\Documents and Settings\test\Start Menu\Programs\Windows Media Player.lnk
    [2012/02/28 16:21:43 | 004,420,957 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    [2012/02/28 16:21:43 | 000,607,260 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
    [2012/02/28 16:21:43 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\GMER.exe
    [2012/02/28 16:21:28 | 000,607,260 | ---- | C] () -- C:\Documents and Settings\Edna\Desktop\dds.scr
    [2012/02/28 16:21:28 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Edna\Desktop\GMER.exe
    [2012/02/27 19:12:40 | 004,420,957 | ---- | C] () -- C:\Documents and Settings\Edna\Desktop\Edna.exe
    [2012/02/25 23:13:27 | 000,000,089 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\avbase.dat
    [2012/02/22 21:46:17 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2012/02/22 21:46:17 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
    [2011/01/11 18:05:18 | 000,008,592 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
    [2010/01/07 16:15:24 | 000,051,300 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
    [2010/01/07 15:30:52 | 000,068,294 | ---- | C] () -- C:\WINDOWS\hpoins05.dat
    [2010/01/07 15:30:52 | 000,019,696 | ---- | C] () -- C:\WINDOWS\hpomdl05.dat
    [2009/02/16 12:56:46 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
    [2009/02/14 10:48:34 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2009/02/14 10:44:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
    [2009/02/14 10:21:01 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\e1000msg.dll
    [2009/02/14 10:13:13 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2009/02/14 10:06:39 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2009/02/14 10:01:59 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2009/02/14 10:01:02 | 000,247,904 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2005/03/22 01:48:05 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2005/03/22 01:48:05 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2004/08/04 12:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2004/08/04 12:00:00 | 000,432,778 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2004/08/04 12:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2004/08/04 12:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2004/08/04 12:00:00 | 000,067,734 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2004/08/04 12:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2004/08/04 12:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2004/08/04 12:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2004/08/04 12:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
    [2004/08/04 12:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

    ========== LOP Check ==========

    [2010/05/04 16:01:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Edna\Application Data\Downloaded Installations
    [2011/03/04 15:00:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Edna\Application Data\TechWizard
    [2011/07/30 13:20:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Edna\Application Data\Broderbund
    [2009/02/17 11:17:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Seagate
    [2010/01/07 16:07:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\kinoma
    [2010/04/28 20:28:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Radialpoint
    [2010/05/04 16:17:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Livescribe, Inc
    [2011/04/29 14:03:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2011/07/18 19:38:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
    [2011/07/30 13:20:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund
    [2011/09/21 18:21:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ask
    [2012/02/29 03:39:08 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

    ========== Purity Check ==========



    ========== Custom Scans ==========



    < MD5 for: NTVDM.EXE >
    [2004/08/04 12:00:00 | 000,419,840 | ---- | M] (Microsoft Corporation) MD5=0738F4B53D967E46CC5E51F84BC1EB39 -- C:\WINDOWS\$NtServicePackUninstall$\ntvdm.exe
    [2008/04/13 16:12:30 | 000,420,864 | ---- | M] (Microsoft Corporation) MD5=681B807E53BDADA337735C28C0E48A1B -- C:\WINDOWS\ServicePackFiles\i386\ntvdm.exe
    [2008/04/13 16:12:30 | 000,420,864 | ---- | M] (Microsoft Corporation) MD5=681B807E53BDADA337735C28C0E48A1B -- C:\WINDOWS\system32\ntvdm.exe
    < End of report >
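The MD5 section above is the check Broni was running by eye: the live `C:\WINDOWS\system32\ntvdm.exe` should hash identically to the service pack cache copy under `ServicePackFiles`, while the older `$NtServicePackUninstall$` backup is expected to differ. As an added example (not code from the thread, from OTL or from its author), here is a small Python parser for that OTL report section that applies the same comparison and flags the cases that would merit a closer look; the sample input is the report text from the log above, and the role classification by path is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample input: the "< MD5 for: NTVDM.EXE >" section as printed in the
# OTLPE log above (hashes and paths copied from that log, nothing invented).
OTL_MD5_SECTION = r"""
< MD5 for: NTVDM.EXE >
[2004/08/04 12:00:00 | 000,419,840 | ---- | M] (Microsoft Corporation) MD5=0738F4B53D967E46CC5E51F84BC1EB39 -- C:\WINDOWS\$NtServicePackUninstall$\ntvdm.exe
[2008/04/13 16:12:30 | 000,420,864 | ---- | M] (Microsoft Corporation) MD5=681B807E53BDADA337735C28C0E48A1B -- C:\WINDOWS\ServicePackFiles\i386\ntvdm.exe
[2008/04/13 16:12:30 | 000,420,864 | ---- | M] (Microsoft Corporation) MD5=681B807E53BDADA337735C28C0E48A1B -- C:\WINDOWS\system32\ntvdm.exe
< End of report >
"""

HEADER_RE = re.compile(r"^< MD5 for: (?P<name>.+?) >$")
# One OTL entry: [stamp | size | attrs | kind] (company) MD5=hash -- path
ENTRY_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S{4}) \| (?P<kind>[A-Z])\] \((?P<company>[^)]*)\) "
    r"MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)


def parse_md5_report(text):
    """Return (queried file name, list of entry dicts) for one OTL '< MD5 for: ... >' section."""
    name, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            name = header.group("name")
            continue
        match = ENTRY_RE.match(line)
        if match:
            entry = match.groupdict()
            entry["size"] = int(entry["size"].replace(",", ""))
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return name, entries


def classify(path):
    """Assumed role of a copy, judged by its location (this example's own convention)."""
    low = path.lower()
    if "\\servicepackfiles\\" in low:
        return "service_pack_cache"      # reference copy installed by the service pack
    if "$ntservicepackuninstall$" in low:
        return "pre_service_pack_backup"  # older version kept for uninstall, expected to differ
    if "\\system32\\" in low:
        return "live"                     # the copy Windows actually executes
    return "other"


def assess(name, entries):
    """Compare the live copy against the service pack cache and collect anything worth a look."""
    by_role = defaultdict(list)
    for entry in entries:
        by_role[classify(entry["path"])].append(entry)
    live_md5 = sorted({e["md5"] for e in by_role["live"]})
    cache_md5 = sorted({e["md5"] for e in by_role["service_pack_cache"]})
    backup_md5 = sorted({e["md5"] for e in by_role["pre_service_pack_backup"]})
    findings = []
    if not live_md5:
        findings.append("no live copy under system32 was reported")
    if live_md5 and cache_md5 and not set(live_md5) <= set(cache_md5):
        findings.append("live copy hash does not match the service pack cache copy")
    for entry in entries:
        if not entry["company"].strip():
            findings.append(f"{entry['path']}: no company name in version info")
    return {
        "file": name,
        "live_md5": live_md5,
        "cache_md5": cache_md5,
        "backup_md5": backup_md5,
        "consistent": not findings,
        "findings": findings,
    }


if __name__ == "__main__":
    queried, parsed = parse_md5_report(OTL_MD5_SECTION)
    result = assess(queried, parsed)
    print(result["file"], "consistent" if result["consistent"] else "needs a look")
    for finding in result["findings"]:
        print(" -", finding)
```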
  7. Code Butcher

    It seems I can run programs that were installed but not copied files. Does that make any sense?
  8. Broni

    I'm not sure if I understand.

    OTL log looks clean.
  9. Code Butcher

    I tried searching for NTVDM.EXE in the registry, but it all looks normal. Anything else we can try? 0Access is one tough MOFO.
  10. Broni

    You didn't answer my question.
    I'm not sure what you mean by:
  11. Code Butcher

    SuperAntiSpyware was previously installed, but anything just copied and run on the desktop gets those two DOS windows. It's like something is trying to pass those programs through another program or script.

    Also what is causing the CPU to go at 100%? I'm looking at Task Manager and don't seem to see any odd processes, other than multiple SVCHOST.
  12. Broni

    I'm not really sure what we're dealing with here because the OTL log seems to be clean.

    When you ran commands from my reply #17 did they execute successfully?
  13. Code Butcher

    Yeah, they both ran ok, I think. Both times it asked if I really wanted to fix the MBR and Boot. I just answered with a "y" unless I'm supposed to answer with a YES.
  14. Broni

  15. Code Butcher

    I ran the repair installation, rebooted the system. Same thing. A NTVDM.EXE window will open then close, followed by C:\Doc&Settings\Edna\(filename).exe window open and close.

    I ran rKill.exe and saw it in Processes in Task Manager. After about 30 mins it was running and still running. I'm going to let it run its course and see what happens.
  16. Code Butcher

    I let rKill run overnight, but nothing happened. I was able to run TDSSKiller, but it found nothing. I was able to run aswMBR and here is the log:

    aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-01 00:30:21
    -----------------------------
    00:30:21.716 OS Version: Windows 5.1.2600 Service Pack 2
    00:30:21.716 Number of processors: 1 586 0x209
    00:30:22.091 ComputerName: SANCHEZ-12D2B13 UserName: Edna
    00:32:32.122 Initialize success
    00:39:35.372 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    00:39:35.372 Disk 0 Vendor: MAXTOR_STM3802110A 3.AAK Size: 76319MB BusType: 3
    00:39:35.372 Disk 0 MBR read successfully
    00:39:35.372 Disk 0 MBR scan
    00:39:35.529 Disk 0 Windows XP default MBR code
    00:39:35.529 Disk 0 Partition 1 80 (A) 0C FAT32 LBA MSWIN4.1 76316 MB offset 63
    00:39:35.685 Disk 0 scanning sectors +156296385
    00:39:35.732 Disk 0 scanning C:\WINDOWS\system32\drivers
    00:46:16.435 Service scanning
    00:52:22.232 Modules scanning
    00:56:22.997 Disk 0 trace - called modules:
    00:56:23.154 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
    00:56:23.466 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89808ab8]
    00:56:23.466 3 CLASSPNP.SYS[f763805b] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x897b0d98]
    00:56:25.138 Scan finished successfully
    08:02:17.013 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
    08:02:17.482 The log file has been saved successfully to "E:\aswMBR.txt"
  17. Broni

    Can you try Combofix again?
  18. Code Butcher

    I keep trying ComboFix whenever I can, in the hope it will run. Here is the TDSSKiller log:

    00:42:00.0607 1292 TDSS rootkit removing tool 2.7.15.0 Feb 27 2012 12:59:02
    00:42:02.0919 1292 ============================================================
    00:42:02.0919 1292 Current date / time: 2012/03/01 00:42:02.0919
    00:42:02.0919 1292 SystemInfo:
    00:42:02.0919 1292
    00:42:03.0076 1292 OS Version: 5.1.2600 ServicePack: 2.0
    00:42:03.0076 1292 Product type: Workstation
    00:42:03.0076 1292 ComputerName: SANCHEZ-12D2B13
    00:42:03.0263 1292 UserName: Edna
    00:42:03.0263 1292 Windows directory: C:\WINDOWS
    00:42:03.0263 1292 System windows directory: C:\WINDOWS
    00:42:03.0263 1292 Processor architecture: Intel x86
    00:42:03.0263 1292 Number of processors: 1
    00:42:03.0419 1292 Page size: 0x1000
    00:42:03.0419 1292 Boot type: Normal boot
    00:42:03.0419 1292 ============================================================
    00:44:00.0779 1292 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
    00:44:01.0591 1292 Drive \Device\Harddisk1\DR4 - Size: 0x1E4700000 (7.57 Gb), SectorSize: 0x200, Cylinders: 0x3DC, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
    00:44:01.0591 1292 \Device\Harddisk0\DR0:
    00:44:01.0747 1292 MBR used
    00:44:01.0747 1292 \Device\Harddisk0\DR0\Partition0: MBR, Type 0xC, StartLBA 0x3F, BlocksNum 0x950E482
    00:44:01.0747 1292 \Device\Harddisk1\DR4:
    00:44:01.0747 1292 MBR used
    00:44:01.0747 1292 \Device\Harddisk1\DR4\Partition0: MBR, Type 0xC, StartLBA 0x1F80, BlocksNum 0xF21880
    00:44:02.0076 1292 Initialize success
    00:44:02.0076 1292 ============================================================
    00:44:11.0654 4068 ============================================================
    00:44:11.0654 4068 Scan started
    00:44:11.0654 4068 Mode: Manual;
    00:44:11.0654 4068 ============================================================
    00:56:41.0263 4068 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
    00:56:46.0685 4068 \Device\Harddisk0\DR0 - ok
    00:56:46.0685 4068 MBR (0x1B8) (65e858a8a0293be11a920b0bc99d695e) \Device\Harddisk1\DR4
    00:56:49.0341 4068 \Device\Harddisk1\DR4 - ok
    00:56:49.0513 4068 Boot (0x1200) (9327f293ca635f6c9c7a141812a5ed03) \Device\Harddisk0\DR0\Partition0
    00:56:49.0513 4068 \Device\Harddisk0\DR0\Partition0 - ok
    00:56:49.0513 4068 Boot (0x1200) (63915386365426eba23d9df12d4acb5c) \Device\Harddisk1\DR4\Partition0
    00:56:49.0513 4068 \Device\Harddisk1\DR4\Partition0 - ok
    00:56:49.0529 4068 ============================================================
    00:56:49.0529 4068 Scan finished
    00:56:49.0529 4068 ============================================================
    00:56:49.0669 3168 Detected object count: 0
    00:56:49.0669 3168 Actual detected object count: 0
    08:02:40.0576 4000 Deinitialize success
  19. Broni

    What happens when you try?
  20. Code Butcher

    The NTVDM window then the Locals\Edna\Edna.exe (Combofix renamed) window, with the text "Program to big for memory".

    When I plugged in the network cable briefly to update SAS, an iexpore.exe window appears, but the directory is from Locals\Temp\RarFX0\iexpore. I was thinking, "what if I delete the contents of the temp dir?" But I wanted to ask you first.
  21. Broni

    You can surely do that.
  22. Code Butcher

    The RARFX## directories are created by rKill. I don't know what else to try other than reformatting and reinstalling the OS from scratch.
  23. Broni

    At this point I'm not even sure if we're dealing with any infection anymore.
    Reinstalling may be the best option.
  24. Code Butcher

    I agree, it's not really worth wasting any more time on, though I am curious what is causing it to peg the CPU. I won't really know until I reformat the drive after backing up the system. Thanks for your time.
  25. Broni

    You're very welcome
    I wish we did better :(