TechSpot

Loaded with viruses

By denb69
Mar 31, 2012
  1. Started with Google redirect and svchost taking up too much RAM; now Explorer won't load Google or Netflix or any of my most commonly used sites. I tried following the 5 step instructions but GMER won't run; it says it is not a valid Win32 program. What now? Attached is my MWB log.

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6845

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    6/12/2011 10:09:33 PM
    mbam-log-2011-06-12 (22-09-33).txt

    Scan type: Quick scan
    Objects scanned: 169466
    Time elapsed: 4 minute(s), 30 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\RECYCLER\s-1-5-21-545942363-657050502-1754407576-1137\Dc98.exe (Trojan.P2P.Agent) -> Quarantined and deleted successfully.
    c:\documents and settings\dbouchard\local settings\Temp\R66v.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    c:\documents and settings\dbouchard\local settings\Temp\WSZugo.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\documents and settings\dbouchard\local settings\Temp\~nsuwz.tmp\whitesmoke-silent.exe (PUP.BHO) -> Quarantined and deleted successfully.
    c:\documents and settings\dbouchard\local settings\Temp\wsget.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
     
  2. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==============================================================

    Skip GMER for now.
     
  3. denb69

    denb69 TS Rookie Topic Starter Posts: 44

    virus removal

    OK, I am running a scan with Norton in normal mode and then will follow the rest of the steps. Where do I find the logs for Norton when I am ready to post?
     
  4. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    I don't need Norton's log.
     
  5. denb69

    denb69 TS Rookie Topic Starter Posts: 44

    Log Files

    Here are the log files for MWB and DDS. I have skipped GMER for now as you requested.

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.31.14

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    dbouchard :: TOSHIBA-ENG [administrator]

    3/31/2012 7:40:13 PM
    mbam-log-2012-03-31 (19-40-13).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 263430
    Time elapsed: 40 minute(s), 3 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by dbouchard at 21:11:58 on 2012-03-31
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1205 [GMT -4:00]
    .
    AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\windows\system32\svchost -k DcomLaunch
    svchost.exe
    svchost.exe
    svchost.exe
    C:\windows\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe
    C:\windows\system32\svchost.exe -k imgsvc
    C:\windows\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\windows\AGRSMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    E:\Realplayer\update\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Synaptics\SynTP\SynToshiba.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\windows\System32\svchost.exe -k netsvcs
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    uInternet Settings,ProxyOverride = *.local
    mURLSearchHooks: H - No File
    BHO: AutorunsDisabled - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.7.0.13\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.7.0.13\ips\IPSBHO.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.7.0.13\coIEPlg.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [fdbdbccfdddct] "c:\documents and settings\all users\application data\fdbdbccfdddct.exe"
    mRun: [ThpSrv] c:\windows\system32\thpsrv /logon
    mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
    mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [TkBellExe] "e:\realplayer\update\realsched.exe" -osboot
    dRun: [dplaysvr] %APPDATA%\dplaysvr.exe
    dRun: [fdbdbccfdddct] "c:\documents and settings\all users\application data\fdbdbccfdddct.exe"
    mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
    dPolicies-explorer: NoDesktop = 1 (0x1)
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    TCP: Interfaces\{72294989-4E76-47A0-AFD8-66C921700C14} : DhcpNameServer = 75.75.75.75 75.75.76.76
    Notify: igfxcui - igfxdev.dll
    Notify: psfus - c:\windows\system32\psqlpwd.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    LSA: Notification Packages = scecli psqlpwd
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1207000.00d\symds.sys [2012-1-30 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1207000.00d\symefa.sys [2012-1-30 744568]
    R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2007-2-8 16896]
    R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-2-7 6528]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20120317.002\BHDrvx86.sys [2012-3-19 820856]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1207000.00d\ironx86.sys [2012-1-30 136312]
    R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.7.0.13\ccsvchst.exe [2012-1-30 130008]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-16 106104]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20120330.002\IDSXpx86.sys [2012-3-31 356280]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20120330.036\NAVENG.SYS [2012-3-31 86136]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20120330.036\NAVEX15.SYS [2012-3-31 1576312]
    S?4 EraserSvc11122;Symantec Eraser Service;c:\program files\norton internet security\engine\18.7.0.13\ccsvchst.exe [2012-1-30 130008]
    S3 TBIMount;TBIMount;c:\windows\system32\drivers\TBIMount.sys [2010-12-14 87648]
    S4 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;\??\c:\docume~1\dbouch~1\locals~1\temp\f-secure\blacklight\fsbldrv.sys --> c:\docume~1\dbouch~1\locals~1\temp\f-secure\blacklight\fsbldrv.sys [?]
    S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-1-28 136176]
    S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-1-28 136176]
    S4 ktlwku;ktlwku;c:\windows\system32\drivers\oess.sys --> c:\windows\system32\drivers\oess.sys [?]
    S4 szkg5;szkg5;c:\windows\system32\drivers\szkg.sys --> c:\windows\system32\drivers\szkg.sys [?]
    S4 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]
    .
    =============== Created Last 30 ================
    .
    2012-03-31 15:44:04 86016 ----a-w- c:\documents and settings\all users\application data\fdbdbccfdddct.exe
    2012-03-25 12:04:42 -------- d-----w- c:\documents and settings\all users\Application DataMicrosoft
    2012-03-03 16:12:24 -------- d-sh--w- c:\documents and settings\dbouchard\IECompatCache
    .
    ==================== Find3M ====================
    .
    2012-03-01 17:53:54 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2012-03-01 17:53:54 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2012-02-12 15:59:22 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
    2012-01-04 00:48:42 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: HTS541080G9SA00 rev.MB4OC60D -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys >>UNKNOWN [0x8A41C49F]<<
    c:\windows\system32\drivers\thpdrv.sys TOSHIBA Corporation TOSHIBA HDD Protection
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a423738]; MOV EAX, [0x8a4238ac]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A707AB8]
    3 CLASSPNP[0xF7657FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\THPDRV[0x8A709948]
    5 thpdrv[0xF76796FF] -> nt!IofCallDriver[0x804E13B9] -> \Device\0000008c[0x8A6E24B0]
    7 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x8A70C940]
    \Driver\atapi[0x8A4C3168] -> IRP_MJ_CREATE -> 0x8A41C49F
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A41C2C6
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 21:14:06.32 ===============


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 12/13/2010 10:48:40 PM
    System Uptime: 3/31/2012 6:41:45 PM (3 hours ago)
    .
    Motherboard: Intel Corporation | | CAPELL VALLEY(NAPA) CRB
    Processor: Genuine Intel(R) CPU T2400 @ 1.83GHz | U2E1 | 1828/mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 71 GiB total, 22.998 GiB free.
    E: is FIXED (NTFS) - 279 GiB total, 219.664 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\D134601E80DA0
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\D134601E80DA0
    Service: NIC1394
    .
    Class GUID: {4D36E970-E325-11CE-BFC1-08002BE10318}
    Description: Texas Instruments PCIxx12 Integrated FlashMedia Controller
    Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_FF101179&REV_00\4&6B16D5B&0&32F0
    Manufacturer: Texas Instruments Inc
    Name: Texas Instruments PCIxx12 Integrated FlashMedia Controller
    PNP Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_FF101179&REV_00\4&6B16D5B&0&32F0
    Service: tifm21
    .
    Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
    Description: CD-ROM Drive
    Device ID: IDE\CDROMHL-DT-ST_DVDRAM_GMA-4082N_______________HV02____\3142333141374337373532342020202020202020
    Manufacturer: (Standard CD-ROM drives)
    Name: HL-DT-ST DVDRAM GMA-4082N
    PNP Device ID: IDE\CDROMHL-DT-ST_DVDRAM_GMA-4082N_______________HV02____\3142333141374337373532342020202020202020
    Service: cdrom
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description:
    Device ID: ACPI\TOS6209\2&DABA3FF&0
    Manufacturer:
    Name:
    PNP Device ID: ACPI\TOS6209\2&DABA3FF&0
    Service:
    .
    ==== System Restore Points ===================
    .
    RP360: 12/31/2011 8:20:16 PM - System Checkpoint
    RP361: 1/1/2012 7:37:44 PM - Software Distribution Service 3.0
    RP362: 1/2/2012 10:27:48 PM - System Checkpoint
    RP363: 1/4/2012 4:03:04 AM - System Checkpoint
    RP364: 1/5/2012 12:05:59 PM - System Checkpoint
    RP365: 1/6/2012 1:05:47 PM - System Checkpoint
    RP366: 1/7/2012 1:45:55 PM - System Checkpoint
    RP367: 1/8/2012 11:27:35 PM - System Checkpoint
    RP368: 1/10/2012 1:10:20 AM - System Checkpoint
    RP369: 1/11/2012 1:45:55 AM - System Checkpoint
    RP370: 1/12/2012 4:15:46 AM - System Checkpoint
    RP371: 1/13/2012 4:45:56 AM - System Checkpoint
    RP372: 1/14/2012 4:50:08 AM - System Checkpoint
    RP373: 1/15/2012 7:26:10 AM - System Checkpoint
    RP374: 1/16/2012 10:10:10 AM - System Checkpoint
    RP375: 1/17/2012 11:09:55 AM - System Checkpoint
    RP376: 1/18/2012 11:51:59 AM - System Checkpoint
    RP377: 1/20/2012 3:26:38 AM - System Checkpoint
    RP378: 1/21/2012 3:51:59 AM - System Checkpoint
    RP379: 1/22/2012 11:54:54 AM - System Checkpoint
    RP380: 1/23/2012 11:58:36 AM - System Checkpoint
    RP381: 1/24/2012 11:33:08 PM - System Checkpoint
    RP382: 1/25/2012 11:46:22 PM - System Checkpoint
    RP383: 1/27/2012 6:40:56 AM - System Checkpoint
    RP384: 1/28/2012 7:09:00 AM - System Checkpoint
    RP385: 1/29/2012 8:00:33 AM - System Checkpoint
    RP386: 1/30/2012 10:23:02 AM - System Checkpoint
    RP387: 1/31/2012 10:32:17 AM - System Checkpoint
    RP388: 2/1/2012 11:15:46 AM - System Checkpoint
    RP389: 2/2/2012 12:54:37 PM - System Checkpoint
    RP390: 2/3/2012 1:16:51 PM - System Checkpoint
    RP391: 2/7/2012 12:08:23 AM - System Checkpoint
    RP392: 2/8/2012 12:28:07 AM - System Checkpoint
    RP393: 2/8/2012 2:34:51 AM - Software Distribution Service 3.0
    RP394: 2/9/2012 12:00:37 PM - System Checkpoint
    RP395: 2/12/2012 3:01:41 AM - System Checkpoint
    RP396: 2/12/2012 7:05:20 AM - Removed Apple Software Update
    RP397: 2/12/2012 7:05:43 AM - Removed Ask Toolbar.
    RP398: 2/12/2012 7:13:46 AM - Removed Ask Toolbar.
    RP399: 2/12/2012 7:15:05 AM - Removed Bonjour
    RP400: 2/16/2012 10:50:45 AM - System Checkpoint
    RP401: 2/16/2012 2:28:40 PM - Software Distribution Service 3.0
    RP402: 2/18/2012 5:45:11 PM - System Checkpoint
    RP403: 2/19/2012 12:41:49 AM - Software Distribution Service 3.0
    RP404: 2/20/2012 1:08:08 PM - System Checkpoint
    RP405: 2/23/2012 11:47:50 PM - System Checkpoint
    RP406: 3/3/2012 1:49:30 AM - System Checkpoint
    RP407: 3/3/2012 11:17:09 AM - Removed Apple Application Support
    RP408: 3/3/2012 11:19:23 AM - Removed TOSHIBA Hotkey Utility
    RP409: 3/3/2012 1:27:02 PM - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
    RP410: 3/4/2012 3:28:59 PM - System Checkpoint
    RP411: 3/7/2012 10:51:12 PM - System Checkpoint
    RP412: 3/13/2012 11:08:52 PM - System Checkpoint
    RP413: 3/19/2012 7:22:32 PM - Software Distribution Service 3.0
    RP414: 3/20/2012 9:34:08 PM - System Checkpoint
    RP415: 3/24/2012 12:49:52 AM - System Checkpoint
    RP416: 3/25/2012 3:08:19 AM - System Checkpoint
    RP417: 3/27/2012 5:00:38 PM - System Checkpoint
    RP418: 3/29/2012 11:45:32 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 11 ActiveX
    Adobe Reader X (10.0.1)
    CopyTrans Suite Remove Only
    DivX Setup
    FrostWire 4.21.8
    Google Chrome
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections Drivers
    Intel(R) PROSet/Wireless Software
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 21
    Malwarebytes Anti-Malware version 1.60.1.1000
    mCore
    mDrWiFi
    MediaBar
    mHelp
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    mIWA
    mLogView
    mMHouse
    mPfMgr
    mPfWiz
    mProSafe
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    mWlsSafe
    mXML
    mZConfig
    Norton Internet Security
    Protector Suite QL 5.6
    QuickTime
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    Realtek High Definition Audio Driver
    RealUpgrade 1.1
    SD Secure Module
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2416400)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    SMSC IrCC V5.1.3600.7
    Synaptics Pointing Device Driver
    TBIView 4.23 - TBIMount 1.05
    TOSHIBA HDD Protection
    TOSHIBA Power Saver
    TOSHIBA SD Memory Card Format
    TOSHIBA Software Modem
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676-v2)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC80CRTRedist - 8.0.50727.6195
    VoiceOver Kit
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    .
    ==== Event Viewer Messages From Past Week ========
    .
    3/31/2012 9:00:01 PM, error: Schedule [7901] - The At46.job command failed to start due to the following error: General access denied error
    3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Workstation service terminated unexpectedly. It has done this 1 time(s).
    3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Wireless Zero Configuration service terminated unexpectedly. It has done this 1 time(s).
    3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Windows Time service terminated unexpectedly. It has done this 1 time(s).
    3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated unexpectedly. It has done this 1 time(s).
    3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Telephony service terminated unexpectedly. It has done this 1 time(s).
    3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The System Restore Service service terminated unexpectedly. It has done this 1 time(s).
    3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The System Event Notification service terminated unexpectedly. It has done this 1 time(s).
    3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Shell Hardware Detection service terminated unexpectedly. It has done this 1 time(s).
    3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Secondary Logon service terminated unexpectedly. It has done this 1 time(s).
    3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Remote Access Connection Manager service terminated unexpectedly. It has done this 1 time(s).
    3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Remote Access Auto Connection Manager service terminated unexpectedly. It has done this 1 time(s).
    3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 1 time(s).
    3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 1 time(s).
    3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Distributed Link Tracking Client service terminated unexpectedly. It has done this 1 time(s).
    3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Automatic Updates service terminated unexpectedly. It has done this 1 time(s).
    3/31/2012 8:35:41 PM, error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    3/31/2012 8:35:41 PM, error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    3/31/2012 8:35:41 PM, error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 6000 milliseconds: Restart the service.
    3/31/2012 8:00:00 PM, error: Schedule [7901] - The At45.job command failed to start due to the following error: General access denied error
    3/31/2012 12:16:38 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx86 eeCtrl Fips intelppm SRTSP SRTSPX SymIRON SYMTDI
    3/31/2012 12:15:47 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    3/31/2012 12:15:20 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
    3/31/2012 12:15:20 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service ALG with arguments "" in order to run the server: {D6015EC3-FA16-4813-9CA1-DA204574F5DA}
    3/31/2012 11:39:00 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    3/30/2012 9:00:00 PM, error: Schedule [7901] - The At46.job command failed to start due to the following error: %%2147942402
    3/30/2012 9:00:00 AM, error: Schedule [7901] - The At34.job command failed to start due to the following error: %%2147942402
    3/30/2012 8:00:00 PM, error: Schedule [7901] - The At45.job command failed to start due to the following error: %%2147942402
    3/30/2012 8:00:00 AM, error: Schedule [7901] - The At33.job command failed to start due to the following error: %%2147942402
    3/30/2012 7:00:00 PM, error: Schedule [7901] - The At44.job command failed to start due to the following error: %%2147942402
    3/30/2012 7:00:00 AM, error: Schedule [7901] - The At32.job command failed to start due to the following error: %%2147942402
    3/30/2012 6:00:00 PM, error: Schedule [7901] - The At43.job command failed to start due to the following error: %%2147942402
    3/30/2012 6:00:00 AM, error: Schedule [7901] - The At31.job command failed to start due to the following error: %%2147942402
    3/30/2012 5:00:00 PM, error: Schedule [7901] - The At42.job command failed to start due to the following error: %%2147942402
    3/30/2012 5:00:00 AM, error: Schedule [7901] - The At30.job command failed to start due to the following error: %%2147942402
    3/30/2012 4:00:00 PM, error: Schedule [7901] - The At41.job command failed to start due to the following error: %%2147942402
    3/30/2012 4:00:00 AM, error: Schedule [7901] - The At29.job command failed to start due to the following error: %%2147942402
    3/30/2012 3:00:00 PM, error: Schedule [7901] - The At40.job command failed to start due to the following error: %%2147942402
    3/30/2012 3:00:00 AM, error: Schedule [7901] - The At28.job command failed to start due to the following error: %%2147942402
    3/30/2012 2:00:00 PM, error: Schedule [7901] - The At39.job command failed to start due to the following error: %%2147942402
    3/30/2012 2:00:00 AM, error: Schedule [7901] - The At27.job command failed to start due to the following error: %%2147942402
    3/30/2012 12:39:00 AM, error: Schedule [7901] - The At25.job command failed to start due to the following error: %%2147942402
    3/30/2012 12:00:00 PM, error: Schedule [7901] - The At37.job command failed to start due to the following error: %%2147942402
    3/30/2012 11:00:00 PM, error: Schedule [7901] - The At48.job command failed to start due to the following error: %%2147942402
    3/30/2012 11:00:00 AM, error: Schedule [7901] - The At36.job command failed to start due to the following error: %%2147942402
    3/30/2012 10:00:00 PM, error: Schedule [7901] - The At47.job command failed to start due to the following error: %%2147942402
    3/30/2012 10:00:00 AM, error: Schedule [7901] - The At35.job command failed to start due to the following error: %%2147942402
    3/30/2012 1:00:02 AM, error: Schedule [7901] - The At26.job command failed to start due to the following error: %%2147942402
    3/30/2012 1:00:00 PM, error: Schedule [7901] - The At38.job command failed to start due to the following error: %%2147942402
    3/27/2012 3:38:59 PM, error: DCOM [10005] - DCOM got error "%1054" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    3/27/2012 3:38:59 PM, error: DCOM [10005] - DCOM got error "%1054" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
    3/25/2012 8:53:17 AM, error: NETLOGON [5719] - No Domain Controller is available for domain PRIMEPOWERINC due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
    3/25/2012 7:58:33 AM, error: ipnathlp [31008] - The DNS proxy agent was unable to read the local list of name-resolution servers from the registry. The data is the error code.
    3/25/2012 7:12:58 AM, error: ipnathlp [30013] - The DHCP allocator has disabled itself on IP address 192.168.1.103, since the IP address is outside the 192.168.0.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, please change the scope to include the IP address, or change the IP address to fall within the scope.
    3/25/2012 7:08:09 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the HTTP SSL service to connect.
    3/25/2012 7:08:09 PM, error: Service Control Manager [7000] - The HTTP SSL service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    3/25/2012 7:03:14 AM, error: BROWSER [8007] - The browser was unable to update the service status bits. The data is the error.
    3/25/2012 2:54:48 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service iPod Service with arguments "" in order to run the server: {7A7FB085-6068-4898-8CCA-480A9187277C}
    3/24/2012 5:42:14 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    3/24/2012 5:42:14 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    .
    ==== End Of File ===========================
     
  6. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  7. denb69

    denb69 TS Rookie Topic Starter Posts: 44

    Reboot to Nothing

    I downloaded and ran TDSSKiller. It requested I reboot, but on reboot it boots into a black screen with a flashing white cursor at top left. I am contacting you through another computer right now. How do I get out of this one?
     
  8. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Turn the computer off manually.
    Wait 1 minute.
    Try to start it again.
    Try normal and safe mode.
     
  9. denb69

    denb69 TS Rookie Topic Starter Posts: 44

    No Reboot

    I have done that. It doesn't let me F8 and start into safe mode. The only options I have are F12 and F1 or 2, I forget. I've unplugged from the wall and waited 10 minutes; it still will not boot. Before I ran TDSSKiller I had to reboot after running DDS because my computer was unresponsive. I noticed during that reboot, where I am seeing the black screen and cursor now, I saw "bad boot.ini" then the next line "C:\windows", and then it would go into the Windows blue screen sequence getting me to the log in screen. Could TDSSKiller take out the boot file it was redirecting to and now I'm left with the bad boot.ini?
     
  10. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    We need to use the Recovery Console to try to fix your issue.

    • You'll need to find your Windows XP installation disk.
    • Insert the Windows XP CD into the CD-ROM drive, then restart your computer.
    • If prompted, click any options that are required to start the computer from the CD-ROM drive.
    • When the Welcome to Setup screen appears, press R to start the Recovery Console.
    • The Recovery Console will start and ask you which Windows installation you would like to log on to.
      • If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press Enter.
    • It will then prompt you for the Administrator's password. If there is no password, simply press enter.
    • You will now be presented with a C:\Windows> prompt
    • Type with an Enter after each line:

      fixmbr
      fixboot
      exit

    • Restart computer.

    ************************

    If you don't have a Windows CD...
    Download the Windows Recovery Console: http://www.thecomputerparamedic.com/files/rc.iso
    Download and install the free ImgBurn: http://www.imgburn.com/index.php?act=download
    Using ImgBurn, burn rc.iso to a CD.
    Boot to the CD...let it finish loading.
    When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
     
  11. denb69

    denb69 TS Rookie Topic Starter Posts: 44

    Recovery

    Can I download the Recovery Console onto a USB stick and boot from that?
     
  12. denb69

    denb69 TS Rookie Topic Starter Posts: 44

    Recovery Successful

    It wouldn't work off the memory stick, so I was able to burn the Recovery Console to CD. I didn't think I had a blank CD at first. Anyway, I'm attaching the TDSSKiller log. I'll talk to you tomorrow. Oops, I mean today :)


    22:23:28.0843 5840 TDSS rootkit removing tool 2.7.23.0 Mar 26 2012 13:40:18
    22:23:30.0859 5840 ============================================================
    22:23:30.0859 5840 Current date / time: 2012/03/31 22:23:30.0859
    22:23:30.0859 5840 SystemInfo:
    22:23:30.0859 5840
    22:23:30.0859 5840 OS Version: 5.1.2600 ServicePack: 3.0
    22:23:30.0859 5840 Product type: Workstation
    22:23:30.0859 5840 ComputerName: TOSHIBA-ENG
    22:23:30.0859 5840 UserName: dbouchard
    22:23:30.0859 5840 Windows directory: C:\windows
    22:23:30.0859 5840 System windows directory: C:\windows
    22:23:30.0859 5840 Processor architecture: Intel x86
    22:23:30.0859 5840 Number of processors: 2
    22:23:30.0859 5840 Page size: 0x1000
    22:23:30.0859 5840 Boot type: Normal boot
    22:23:30.0859 5840 ============================================================
    22:23:56.0437 5840 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
    22:23:57.0375 5840 Drive \Device\Harddisk1\DR3 - Size: 0x45DECD2000 (279.48 Gb), SectorSize: 0x200, Cylinders: 0x8DF57, SectorsPerTrack: 0x3F, TracksPerCylinder: 0x10, Type 'W'
    22:23:57.0390 5840 \Device\Harddisk0\DR0:
    22:23:57.0484 5840 MBR used
    22:23:57.0484 5840 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x8D2677E
    22:23:57.0484 5840 \Device\Harddisk1\DR3:
    22:23:57.0484 5840 MBR used
    22:23:57.0484 5840 \Device\Harddisk1\DR3\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x22EF5691
    22:23:58.0671 5840 Initialize success
    22:23:58.0671 5840 ============================================================
    22:24:03.0375 1868 ============================================================
    22:24:03.0375 1868 Scan started
    22:24:03.0375 1868 Mode: Manual;
    22:24:03.0375 1868 ============================================================
    22:24:05.0734 1868 .cdrom - ok
    22:24:06.0875 1868 Abiosdsk - ok
    22:24:07.0234 1868 abp480n5 - ok
    22:24:07.0312 1868 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\windows\system32\DRIVERS\ACPI.sys
    22:24:07.0328 1868 Suspicious file (Forged): C:\windows\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
    22:24:07.0328 1868 ACPI ( Virus.Win32.Rloader.a ) - infected
    22:24:07.0328 1868 ACPI - detected Virus.Win32.Rloader.a (0)
    22:24:07.0359 1868 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\windows\system32\DRIVERS\ACPIEC.sys
    22:24:07.0390 1868 ACPIEC - ok
    22:24:07.0406 1868 adpu160m - ok
    22:24:07.0500 1868 aec (8bed39e3c35d6a489438b8141717a557) C:\windows\system32\drivers\aec.sys
    22:24:07.0515 1868 aec - ok
    22:24:07.0593 1868 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\windows\System32\drivers\afd.sys
    22:24:07.0656 1868 AFD - ok
    22:24:07.0812 1868 AgereSoftModem (b3192376c7a3814b5341efc2202022f8) C:\windows\system32\DRIVERS\AGRSM.sys
    22:24:07.0843 1868 AgereSoftModem - ok
    22:24:07.0875 1868 Aha154x - ok
    22:24:07.0890 1868 aic78u2 - ok
    22:24:07.0906 1868 aic78xx - ok
    22:24:07.0953 1868 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\windows\system32\alrsvc.dll
    22:24:08.0031 1868 Alerter - ok
    22:24:08.0156 1868 ALG (8c515081584a38aa007909cd02020b3d) C:\windows\System32\alg.exe
    22:24:08.0156 1868 ALG - ok
    22:24:08.0171 1868 AliIde - ok
    22:24:08.0171 1868 amsint - ok
    22:24:08.0234 1868 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\windows\System32\appmgmts.dll
    22:24:08.0312 1868 AppMgmt - ok
    22:24:08.0406 1868 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\windows\system32\DRIVERS\arp1394.sys
    22:24:08.0421 1868 Arp1394 - ok
    22:24:08.0421 1868 asc - ok
    22:24:08.0437 1868 asc3350p - ok
    22:24:08.0453 1868 asc3550 - ok
    22:24:08.0531 1868 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
    22:24:08.0656 1868 aspnet_state - ok
    22:24:08.0703 1868 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\windows\system32\DRIVERS\asyncmac.sys
    22:24:08.0703 1868 AsyncMac - ok
    22:24:08.0750 1868 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\windows\system32\DRIVERS\atapi.sys
    22:24:08.0750 1868 atapi - ok
    22:24:08.0796 1868 Atdisk - ok
    22:24:08.0812 1868 Atmarpc (9916c1225104ba14794209cfa8012159) C:\windows\system32\DRIVERS\atmarpc.sys
    22:24:08.0812 1868 Atmarpc - ok
    22:24:08.0875 1868 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\windows\System32\audiosrv.dll
    22:24:08.0875 1868 AudioSrv - ok
    22:24:09.0062 1868 audstub (d9f724aa26c010a217c97606b160ed68) C:\windows\system32\DRIVERS\audstub.sys
    22:24:09.0109 1868 audstub - ok
    22:24:09.0156 1868 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\windows\system32\drivers\Beep.sys
    22:24:09.0156 1868 Beep - ok
    22:24:09.0484 1868 BHDrvx86 (eb7f1f1dfa95c25d762c22d3cf13d4e0) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20120317.002\BHDrvx86.sys
    22:24:09.0500 1868 BHDrvx86 - ok
    22:24:09.0671 1868 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
    22:24:09.0703 1868 BITS - ok
    22:24:09.0781 1868 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\windows\System32\browser.dll
    22:24:09.0796 1868 Browser - ok
    22:24:09.0875 1868 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\windows\system32\drivers\cbidf2k.sys
    22:24:09.0875 1868 cbidf2k - ok
    22:24:09.0890 1868 cd20xrnt - ok
    22:24:09.0968 1868 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\windows\system32\drivers\Cdaudio.sys
    22:24:09.0968 1868 Cdaudio - ok
    22:24:10.0031 1868 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\windows\system32\drivers\Cdfs.sys
    22:24:10.0078 1868 Cdfs - ok
    22:24:10.0093 1868 Changer - ok
    22:24:10.0125 1868 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\windows\system32\cisvc.exe
    22:24:10.0140 1868 CiSvc - ok
    22:24:10.0156 1868 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\windows\system32\clipsrv.exe
    22:24:10.0156 1868 ClipSrv - ok
    22:24:10.0328 1868 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    22:24:10.0406 1868 clr_optimization_v2.0.50727_32 - ok
    22:24:10.0500 1868 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\windows\system32\DRIVERS\CmBatt.sys
    22:24:10.0500 1868 CmBatt - ok
    22:24:10.0500 1868 CmdIde - ok
    22:24:10.0515 1868 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\windows\system32\DRIVERS\compbatt.sys
    22:24:10.0515 1868 Compbatt - ok
    22:24:10.0531 1868 COMSysApp - ok
    22:24:10.0562 1868 Cpqarray - ok
    22:24:10.0656 1868 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\windows\System32\cryptsvc.dll
    22:24:10.0656 1868 CryptSvc - ok
    22:24:10.0671 1868 dac2w2k - ok
    22:24:10.0671 1868 dac960nt - ok
    22:24:10.0750 1868 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\windows\system32\rpcss.dll
    22:24:10.0750 1868 DcomLaunch - ok
    22:24:10.0859 1868 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\windows\System32\dhcpcsvc.dll
    22:24:10.0859 1868 Dhcp - ok
    22:24:10.0921 1868 Disk (044452051f3e02e7963599fc8f4f3e25) C:\windows\system32\DRIVERS\disk.sys
    22:24:10.0921 1868 Disk - ok
    22:24:10.0937 1868 dmadmin - ok
    22:24:11.0062 1868 dmboot (d992fe1274bde0f84ad826acae022a41) C:\windows\system32\drivers\dmboot.sys
    22:24:11.0093 1868 dmboot - ok
    22:24:11.0140 1868 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\windows\system32\drivers\dmio.sys
    22:24:11.0140 1868 dmio - ok
    22:24:11.0171 1868 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\windows\system32\drivers\dmload.sys
    22:24:11.0171 1868 dmload - ok
    22:24:11.0203 1868 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\windows\System32\dmserver.dll
    22:24:11.0203 1868 dmserver - ok
    22:24:11.0265 1868 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\windows\system32\drivers\DMusic.sys
    22:24:11.0265 1868 DMusic - ok
    22:24:11.0296 1868 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\windows\System32\dnsrslvr.dll
    22:24:11.0296 1868 Dnscache - ok
    22:24:11.0359 1868 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\windows\System32\dot3svc.dll
    22:24:11.0390 1868 Dot3svc - ok
    22:24:11.0390 1868 dpti2o - ok
    22:24:11.0421 1868 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\windows\system32\drivers\drmkaud.sys
    22:24:11.0421 1868 drmkaud - ok
    22:24:11.0468 1868 e1express (e1fa10ed8f9f700c1be1eae05a80ef57) C:\windows\system32\DRIVERS\e1e5132.sys
    22:24:11.0484 1868 e1express - ok
    22:24:11.0515 1868 EapHost (2187855a7703adef0cef9ee4285182cc) C:\windows\System32\eapsvc.dll
    22:24:11.0515 1868 EapHost - ok
    22:24:11.0687 1868 eeCtrl (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    22:24:11.0687 1868 eeCtrl - ok
    22:24:11.0718 1868 EraserUtilRebootDrv (028d50f059bd0d2ccb209e9011b9a9a4) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    22:24:11.0734 1868 EraserUtilRebootDrv - ok
    22:24:11.0781 1868 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\windows\System32\ersvc.dll
    22:24:11.0781 1868 ERSvc - ok
    22:24:11.0843 1868 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\windows\system32\services.exe
    22:24:11.0859 1868 Eventlog - ok
    22:24:11.0984 1868 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
    22:24:11.0984 1868 EventSystem - ok
    22:24:12.0203 1868 EvtEng (6a197698a141ffe7651b962ae3172008) C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    22:24:12.0281 1868 EvtEng - ok
    22:24:12.0390 1868 Fastfat (38d332a6d56af32635675f132548343e) C:\windows\system32\drivers\Fastfat.sys
    22:24:12.0515 1868 Fastfat - ok
    22:24:12.0640 1868 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\windows\System32\shsvcs.dll
    22:24:12.0640 1868 FastUserSwitchingCompatibility - ok
    22:24:12.0687 1868 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\windows\system32\drivers\Fdc.sys
    22:24:12.0687 1868 Fdc - ok
    22:24:12.0703 1868 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\windows\system32\drivers\Fips.sys
    22:24:12.0703 1868 Fips - ok
    22:24:12.0718 1868 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\windows\system32\drivers\Flpydisk.sys
    22:24:12.0718 1868 Flpydisk - ok
    22:24:12.0765 1868 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\windows\system32\DRIVERS\fltMgr.sys
    22:24:12.0781 1868 FltMgr - ok
    22:24:12.0859 1868 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
    22:24:12.0859 1868 FontCache3.0.0.0 - ok
    22:24:13.0203 1868 fsbl-standalone - ok
    22:24:13.0421 1868 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\windows\system32\drivers\Fs_Rec.sys
    22:24:13.0421 1868 Fs_Rec - ok
    22:24:13.0453 1868 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\windows\system32\DRIVERS\ftdisk.sys
    22:24:13.0468 1868 Ftdisk - ok
    22:24:13.0515 1868 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\windows\system32\DRIVERS\GEARAspiWDM.sys
    22:24:13.0515 1868 GEARAspiWDM - ok
    22:24:13.0578 1868 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\windows\system32\DRIVERS\msgpc.sys
    22:24:13.0578 1868 Gpc - ok
    22:24:13.0609 1868 GTNDIS5 - ok
    22:24:13.0765 1868 gupdate (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
    22:24:13.0781 1868 gupdate - ok
    22:24:13.0796 1868 gupdatem (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
    22:24:13.0796 1868 gupdatem - ok
    22:24:13.0843 1868 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\windows\system32\DRIVERS\HDAudBus.sys
    22:24:13.0859 1868 HDAudBus - ok
    22:24:14.0125 1868 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\windows\PCHealth\HelpCtr\Binaries\pchsvc.dll
    22:24:14.0125 1868 helpsvc - ok
    22:24:14.0203 1868 HidServ (deb04da35cc871b6d309b77e1443c796) C:\windows\System32\hidserv.dll
    22:24:14.0203 1868 HidServ - ok
    22:24:14.0265 1868 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\windows\system32\DRIVERS\hidusb.sys
    22:24:14.0265 1868 HidUsb - ok
    22:24:14.0312 1868 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\windows\System32\kmsvc.dll
    22:24:14.0390 1868 hkmsvc - ok
    22:24:14.0390 1868 hpn - ok
    22:24:14.0468 1868 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\windows\system32\Drivers\HTTP.sys
    22:24:14.0468 1868 HTTP - ok
    22:24:14.0562 1868 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\windows\System32\w3ssl.dll
    22:24:14.0578 1868 HTTPFilter - ok
    22:24:14.0703 1868 i2omgmt - ok
    22:24:14.0703 1868 i2omp - ok
    22:24:14.0750 1868 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\windows\system32\DRIVERS\i8042prt.sys
    22:24:14.0765 1868 i8042prt - ok
    22:24:14.0906 1868 ialm (bc1f1ff8d5800398937966cdb0a97fdc) C:\windows\system32\DRIVERS\ialmnt5.sys
    22:24:14.0921 1868 ialm - ok
    22:24:15.0281 1868 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
    22:24:15.0296 1868 idsvc - ok
    22:24:15.0484 1868 IDSxpx86 (cfbc1ce72e5353d428704659199147b1) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20120330.002\IDSxpx86.sys
    22:24:15.0484 1868 IDSxpx86 - ok
    22:24:15.0609 1868 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\windows\system32\DRIVERS\imapi.sys
    22:24:15.0609 1868 Imapi - ok
    22:24:15.0687 1868 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
    22:24:15.0703 1868 ImapiService - ok
    22:24:15.0703 1868 ini910u - ok
    22:24:15.0968 1868 IntcAzAudAddService (7c09d605fcae64e3cb11ebf90fb1e3a1) C:\windows\system32\drivers\RtkHDAud.sys
    22:24:16.0093 1868 IntcAzAudAddService - ok
    22:24:16.0203 1868 IntelIde - ok
    22:24:16.0265 1868 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\windows\system32\DRIVERS\intelppm.sys
    22:24:16.0265 1868 intelppm - ok
    22:24:16.0281 1868 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\windows\system32\DRIVERS\Ip6Fw.sys
    22:24:16.0281 1868 Ip6Fw - ok
    22:24:16.0312 1868 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\windows\system32\DRIVERS\ipfltdrv.sys
    22:24:16.0343 1868 IpFilterDriver - ok
    22:24:16.0343 1868 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\windows\system32\DRIVERS\ipinip.sys
    22:24:16.0343 1868 IpInIp - ok
    22:24:16.0375 1868 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\windows\system32\DRIVERS\ipnat.sys
    22:24:16.0375 1868 IpNat - ok
    22:24:16.0484 1868 iPod Service (6e27978a4755f4789f912f5f49392f7c) C:\Program Files\iPod\bin\iPodService.exe
    22:24:16.0500 1868 iPod Service - ok
    22:24:16.0546 1868 IPSec (23c74d75e36e7158768dd63d92789a91) C:\windows\system32\DRIVERS\ipsec.sys
    22:24:16.0546 1868 IPSec - ok
    22:24:16.0593 1868 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\windows\system32\DRIVERS\irda.sys
    22:24:16.0609 1868 irda - ok
    22:24:16.0671 1868 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\windows\system32\DRIVERS\irenum.sys
    22:24:16.0687 1868 IRENUM - ok
    22:24:16.0781 1868 Irmon (49cc4533ce897cb2e93c1e84a818fde5) C:\windows\System32\irmon.dll
    22:24:16.0781 1868 Irmon - ok
    22:24:16.0843 1868 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\windows\system32\DRIVERS\isapnp.sys
    22:24:16.0843 1868 isapnp - ok
    22:24:16.0906 1868 JavaQuickStarterService (e4ae0cbc0b55a5faa6996e38ce6c981b) C:\Program Files\Java\jre6\bin\jqs.exe
    22:24:16.0906 1868 JavaQuickStarterService - ok
    22:24:17.0046 1868 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\windows\system32\DRIVERS\kbdclass.sys
    22:24:17.0046 1868 Kbdclass - ok
    22:24:17.0125 1868 kmixer (692bcf44383d056aed41b045a323d378) C:\windows\system32\drivers\kmixer.sys
    22:24:17.0125 1868 kmixer - ok
    22:24:17.0156 1868 KSecDD (b467646c54cc746128904e1654c750c1) C:\windows\system32\drivers\KSecDD.sys
    22:24:17.0250 1868 KSecDD - ok
    22:24:17.0312 1868 ktlwku - ok
    22:24:17.0500 1868 LanmanServer (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\windows\System32\srvsvc.dll
    22:24:17.0500 1868 LanmanServer - ok
    22:24:17.0562 1868 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\windows\System32\wkssvc.dll
    22:24:17.0562 1868 lanmanworkstation - ok
    22:24:17.0671 1868 lbrtfdc - ok
    22:24:17.0734 1868 LmHosts (a7db739ae99a796d91580147e919cc59) C:\windows\System32\lmhsvc.dll
    22:24:17.0734 1868 LmHosts - ok
    22:24:17.0765 1868 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\windows\System32\msgsvc.dll
    22:24:36.0703 1868 MBR (0x1B8) (1f753b395539269a3484aecd505b79bd) \Device\Harddisk0\DR0
    22:24:36.0921 1868 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - infected
    22:24:36.0921 1868 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Sinowal.b (0)
    22:24:36.0921 1868 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR3
    22:24:36.0921 1868 \Device\Harddisk1\DR3 - ok
    22:24:36.0953 1868 Boot (0x1200) (dbc41d45d721ae228d9025a5280edfd9) \Device\Harddisk0\DR0\Partition0
    22:24:36.0953 1868 \Device\Harddisk0\DR0\Partition0 - ok
    22:24:36.0953 1868 Boot (0x1200) (d184e3d18feee494877467b99539be43) \Device\Harddisk1\DR3\Partition0
    22:24:36.0953 1868 \Device\Harddisk1\DR3\Partition0 - ok
    22:24:36.0953 1868 ============================================================
    22:24:36.0953 1868 Scan finished
    22:24:36.0953 1868 ============================================================
    22:24:36.0968 4828 Detected object count: 2
    22:24:36.0968 4828 Actual detected object count: 2
    22:24:43.0578 4828 C:\windows\system32\DRIVERS\ACPI.sys - copied to quarantine
    22:25:07.0546 4828 Backup copy not found, trying to cure infected file..
    22:25:07.0546 4828 Cure success, using it..
    22:25:09.0187 4828 C:\windows\system32\DRIVERS\ACPI.sys - will be cured on reboot
    22:25:09.0187 4828 ACPI ( Virus.Win32.Rloader.a ) - User select action: Cure
    22:25:21.0406 4828 \Device\Harddisk0\DR0\# - copied to quarantine
    22:25:21.0406 4828 \Device\Harddisk0\DR0 - copied to quarantine
    22:25:21.0437 4828 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - will be cured on reboot
    22:25:21.0500 4828 \Device\Harddisk0\DR0 - ok
    22:25:21.0515 4828 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - User select action: Cure
    22:25:48.0062 1408 Deinitialize success
     
  13. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Good job :)

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ==============================================================

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  14. denb69

    denb69 TS Rookie Topic Starter Posts: 44

    aswMBR and Bootkit Remover

    Here are the logs for aswMBR and Bootkit Remover:

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-04-01 15:49:30
    -----------------------------
    15:49:30.390 OS Version: Windows 5.1.2600 Service Pack 3
    15:49:30.390 Number of processors: 2 586 0xE08
    15:49:30.390 ComputerName: TOSHIBA-ENG UserName: dbouchard
    15:49:32.359 Initialize success
    15:52:32.531 AVAST engine defs: 12040101
    15:53:22.625 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    15:53:22.625 Disk 0 Vendor: HTS541080G9SA00 MB4OC60D Size: 76319MB BusType: 3
    15:53:22.656 Disk 0 MBR read successfully
    15:53:22.656 Disk 0 MBR scan
    15:53:22.703 Disk 0 Windows XP default MBR code
    15:53:22.703 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 72268 MB offset 63
    15:53:22.734 Disk 0 Partition 2 00 1C Hidd FAT32 LBA MSDOS5.0 4047 MB offset 148006845
    15:53:22.734 Disk 0 scanning sectors +156296385
    15:53:22.750 Disk 0 malicious Win32:MBRoot code @ sector 156296388 !
    15:53:22.796 Disk 0 scanning C:\windows\system32\drivers
    15:53:31.328 Service scanning
    15:53:31.875 Service .cdrom \? **LOCKED** 123
    15:53:50.109 Modules scanning
    15:53:56.625 Disk 0 trace - called modules:
    15:53:56.625 ntoskrnl.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys atapi.sys pciide.sys PCIIDEX.SYS
    15:53:56.625 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a669ab8]
    15:53:56.625 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\THPDRV[0x8a6e9948]
    15:53:56.640 5 thpdrv.sys[f76796ff] -> nt!IofCallDriver -> \Device\0000008c[0x8a6b8138]
    15:53:56.640 7 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a74fd98]
    15:53:57.421 AVAST engine scan C:\windows
    15:54:09.796 AVAST engine scan C:\windows\system32
    15:56:19.906 AVAST engine scan C:\windows\system32\drivers
    15:56:32.109 AVAST engine scan C:\Documents and Settings\dbouchard
    15:57:36.296 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\dbouchard\Desktop\MBR.dat"
    15:57:36.296 The log file has been saved successfully to "C:\Documents and Settings\dbouchard\Desktop\aswMBR.txt"


    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
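The aswMBR and Bootkit Remover output above report a partition table, a boot-sector hash, a volume offset (0x7e00, which is sector 63 times 512 bytes) and malicious code at a sector past the last partition. As an added example that is not code from the thread, aswMBR, Bootkit Remover or TDSSKiller, here is a small Python parser for a 512-byte MBR image such as the MBR.dat aswMBR saves; it hashes the bootstrap code, lists the partitions and flags sectors no partition covers. The sample MBR is constructed from the partition lines in the log, with sector counts approximated from the rounded MB figures.

```python
"""Parse a 512-byte MBR image (for example the MBR.dat that aswMBR saves),
hash it the way the boot-sector tools in the thread do, and flag sectors that
lie outside every partition.  Added example; not code from aswMBR, Bootkit
Remover or TDSSKiller.  All sample values are constructed."""
import hashlib
import struct

SECTOR = 512
MBR_CODE_LEN = 0x1B8       # bootstrap code area; TDSSKiller's "MBR (0x1B8)" hash covers it
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries follow the code area
BOOT_SIG = b"\x55\xAA"
ENTRY_FMT = "<B3xB3xII"    # boot flag, CHS start, type, CHS end, LBA start, LBA count


def parse_mbr(mbr: bytes) -> dict:
    """Return the bootstrap-code MD5, whole-sector MD5 and the used partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR image must be exactly one 512-byte sector")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        boot_flag, ptype, lba_start, lba_count = struct.unpack(ENTRY_FMT, entry)
        if ptype == 0:            # empty slot
            continue
        parts.append({
            "index": i + 1,
            "bootable": boot_flag == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "lba_count": lba_count,
            "size_mb": lba_count * SECTOR // (1024 * 1024),
            "byte_offset": lba_start * SECTOR,   # the volume offset Bootkit Remover prints
        })
    return {
        "code_md5": hashlib.md5(mbr[:MBR_CODE_LEN]).hexdigest(),
        "sector_md5": hashlib.md5(mbr).hexdigest(),
        "partitions": parts,
    }


def build_mbr(partitions, code=b"") -> bytes:
    """Construct an MBR from (bootable, type, lba_start, lba_count) tuples (test data only)."""
    img = bytearray(SECTOR)
    img[:len(code)] = code
    for i, (bootable, ptype, start, count) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        img[off:off + 16] = struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, ptype, start, count)
    img[510:512] = BOOT_SIG
    return bytes(img)


def owning_partition(parts, sector):
    """Index of the partition containing `sector`, or None if no partition covers it."""
    for p in parts:
        if p["lba_start"] <= sector < p["lba_start"] + p["lba_count"]:
            return p["index"]
    return None


def unpartitioned_ranges(parts, disk_sectors):
    """Half-open [start, end) sector ranges no partition covers.  Sector 0 (the MBR
    itself) is excluded; the slack after the last partition is where aswMBR reported
    the Win32:MBRoot code in the thread."""
    gaps, cursor = [], 1
    for p in sorted(parts, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"]))
        cursor = max(cursor, p["lba_start"] + p["lba_count"])
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors))
    return gaps


def mbr_matches_baseline(mbr: bytes, baseline_code_md5: str) -> bool:
    """True when the bootstrap code hashes to the MD5 recorded for a known-good MBR."""
    return parse_mbr(mbr)["code_md5"] == baseline_code_md5


# Constructed sample modelled on the aswMBR partition lines in the thread: a bootable
# NTFS volume at LBA 63 and a hidden FAT32 (type 0x1C) volume at LBA 148006845.
# The log's MB figures are rounded, so these sector counts are approximations.
SECTORS_PER_MB = 1024 * 1024 // SECTOR
DISK_SECTORS = 76319 * SECTORS_PER_MB
SAMPLE_MBR = build_mbr(
    [(True, 0x07, 63, 72268 * SECTORS_PER_MB),
     (False, 0x1C, 148006845, 4047 * SECTORS_PER_MB)],
    code=b"\x33\xC0\x8E\xD0\xBC\x00\x7C",  # constructed stand-in for bootstrap code
)
REPORTED_SECTOR = 156296388   # sector aswMBR flagged in the thread


if __name__ == "__main__":
    info = parse_mbr(SAMPLE_MBR)
    print("MBR code MD5 :", info["code_md5"])
    for p in info["partitions"]:
        print(f"Partition {p['index']} {'80' if p['bootable'] else '00'} type {p['type']:02X} "
              f"{p['size_mb']} MB offset {p['lba_start']} (byte 0x{p['byte_offset']:X})")
    owner = owning_partition(info["partitions"], REPORTED_SECTOR)
    print(f"sector {REPORTED_SECTOR}: " + (f"inside partition {owner}" if owner else "outside every partition"))
    print("unpartitioned ranges:", unpartitioned_ranges(info["partitions"], DISK_SECTORS))
```

Run against a real MBR.dat, the bootstrap MD5 gives a baseline to compare after a cure, and any sector reported by a scanner that falls in an unpartitioned range is worth a closer look.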
     
  15. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Good.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running, Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the tool below, named Rkill (courtesy of BleepingComputer.com), which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  16. denb69

    denb69 TS Rookie Topic Starter Posts: 44

    Even though I disabled Norton, ComboFix is still detecting it. It gave the following warning: "The above realtime scanner is still active but combofix will continue to run. kindly note this is at your own risk"
     
  17. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Go ahead and run it.
     
  18. denb69

    denb69 TS Rookie Topic Starter Posts: 44

    While running ComboFix it asked for the Recovery Console, so I clicked yes and it returned the following error: "boot partition can not be enumerated correctly." Is this a big deal?
     
  19. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    It looks like your boot.ini file is missing/corrupted.

    Download BootCheck.exe to your desktop.

    • Double click BootCheck.exe to run the check
    • When complete, a Notepad window will open with some text in it
    • Save the Notepad file to your desktop as BootCheck.txt
    • Copy the contents of BootCheck.txt and post it in your next reply
     
  20. denb69

    denb69 TS Rookie Topic Starter Posts: 44

    Combofix log

    Ran combofix. Here is the log.

    ComboFix 12-04-01.01 - dbouchard 04/01/2012 20:10:55.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1522 [GMT -4:00]
    Running from: c:\documents and settings\dbouchard\Desktop\ComboFix.exe
    AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\avbase.dat
    c:\documents and settings\All Users\Application Data\fdbdbccfdddct.exe
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\dennis\WINDOWS
    c:\documents and settings\NetworkService\Application Data\Microsoft\Microsoft
    c:\windows\$NtUninstallKB24570$
    c:\windows\$NtUninstallKB24570$\3203652787
    c:\windows\system32\drivers\etc\hosts.ics
    .
    c:\windows\system32\drivers\cdrom.sys was missing
    Restored copy from - c:\system volume information\_restore{4E050833-19BF-4AB5-9E56-C7581072F5E7}\RP418\A0141142.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_.cdrom
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-02 to 2012-04-02 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-02 00:24 . 2008-04-14 04:10 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
    2012-04-02 00:24 . 2008-04-14 04:10 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2012-04-01 02:24 . 2012-04-01 02:24 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-03-30 04:59 . 2012-03-30 04:59 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2012-03-30 03:14 . 2012-03-30 03:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2012-03-30 03:14 . 2012-03-30 03:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
    2012-03-27 01:01 . 2012-03-27 01:01 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
    2012-03-27 01:01 . 2012-03-27 01:01 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2012-03-25 12:04 . 2012-03-25 12:04 -------- d-----w- c:\documents and settings\All Users\Application DataMicrosoft
    2012-03-03 16:12 . 2012-03-03 16:12 -------- d-sh--w- c:\documents and settings\dbouchard\IECompatCache
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-01 06:13 . 2008-04-14 04:06 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
    2012-03-01 17:53 . 2012-03-01 17:53 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2012-03-01 17:53 . 2012-03-01 17:53 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2012-02-12 15:59 . 2012-02-12 15:59 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
    2012-01-04 00:48 . 2012-01-04 00:48 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
    @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
    [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
    2006-11-06 16:46 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
    @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
    [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
    2006-11-06 16:46 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ThpSrv"="c:\windows\system32\thpsrv" [X]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1343488]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2006-11-06 16:34 52224 ----a-w- c:\windows\system32\psqlpwd.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck msln\0autocheck autochk *
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli psqlpwd
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "sdCoreService"=3 (0x3)
    "sdAuxService"=3 (0x3)
    "Browser Defender Update Service"=2 (0x2)
    "Thpsrv"=2 (0x2)
    "TAPPSRV"=2 (0x2)
    "S24EventMonitor"=2 (0x2)
    "RegSrvc"=2 (0x2)
    "ose"=3 (0x3)
    "iPod Service"=3 (0x3)
    "idsvc"=3 (0x3)
    "gupdatem"=3 (0x3)
    "gupdate"=2 (0x2)
    "EvtEng"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1207000.00D\symds.sys [1/30/2012 11:37 PM 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1207000.00D\symefa.sys [1/30/2012 11:37 PM 744568]
    R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2/8/2007 2:46 PM 16896]
    R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2/7/2007 6:29 PM 6528]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20120317.002\BHDrvx86.sys [3/19/2012 9:02 PM 820856]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1207000.00D\ironx86.sys [1/30/2012 11:37 PM 136312]
    R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.7.0.13\ccsvchst.exe [1/30/2012 11:37 PM 130008]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/16/2012 12:11 PM 106104]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20120330.002\IDSXpx86.sys [3/31/2012 2:25 PM 356280]
    S3 TBIMount;TBIMount;c:\windows\system32\drivers\TBIMount.sys [12/14/2010 8:47 PM 87648]
    S4 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;\??\c:\docume~1\DBOUCH~1\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys --> c:\docume~1\DBOUCH~1\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys [?]
    S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2012 3:24 AM 136176]
    S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2012 3:24 AM 136176]
    S4 ktlwku;ktlwku;c:\windows\system32\drivers\oess.sys --> c:\windows\system32\drivers\oess.sys [?]
    S4 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]
    S4 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-01-28 07:23]
    .
    2012-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-01-28 07:23]
    .
    2012-04-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-545942363-657050502-1754407576-1137.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 22:45]
    .
    2012-03-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-545942363-657050502-1754407576-1137.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 22:45]
    .
    2012-04-02 c:\windows\Tasks\User_Feed_Synchronization-{BC25EC36-1F3F-4F75-8E0E-E642523A8159}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    Toolbar-Locked - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    HKCU-Run-fdbdbccfdddct - c:\documents and settings\All Users\Application Data\fdbdbccfdddct.exe
    HKLM-Run-TkBellExe - e:\realplayer\update\realsched.exe
    HKU-Default-Run-dplaysvr - c:\documents and settings\dbouchard\Application Data\dplaysvr.exe
    HKU-Default-Run-fdbdbccfdddct - c:\documents and settings\All Users\Application Data\fdbdbccfdddct.exe
    SafeBoot-58805711.sys
    AddRemove-FrostWire - e:\frostwire\Uninstall.exe
    AddRemove-RealPlayer 15.0 - e:\realplayer\Update\r1puninst.exe
    AddRemove-Shareaza MediaBar - c:\program files\Shareaza Applications\MediaBar\uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-01 20:34
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NIS]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.7.0.13\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
    "Appinit_Dlls"="c:\\PROGRA~1\\SHAREA~1\\MediaBar\\Datamngr\\datamngr.dll c:\\PROGRA~1\\SHAREA~1\\MediaBar\\Datamngr\\IEBHO.dll"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(916)
    c:\windows\system32\psqlpwd.dll
    c:\program files\Protector Suite QL\homefus2.dll
    c:\program files\Protector Suite QL\infra.dll
    c:\program files\Protector Suite QL\homepass.dll
    c:\program files\Protector Suite QL\bio.dll
    c:\program files\Protector Suite QL\remote.dll
    .
    - - - - - - - > 'lsass.exe'(972)
    c:\windows\system32\psqlpwd.dll
    c:\program files\Protector Suite QL\homefus2.dll
    c:\program files\Protector Suite QL\infra.dll
    .
    - - - - - - - > 'explorer.exe'(4020)
    c:\windows\system32\WININET.dll
    c:\program files\Protector Suite QL\farchns.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\program files\Protector Suite QL\infra.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\AGRSMMSG.exe
    c:\program files\Synaptics\SynTP\SynToshiba.exe
    .
    **************************************************************************
    .
    Completion time: 2012-04-01 20:39:55 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-02 00:39
    .
    Pre-Run: 25,724,964,864 bytes free
    Post-Run: 34,081,218,560 bytes free
    .
    - - End Of File - - 2597215168E3FAC89D350FC688F95E33
     
  21. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Please read my previous reply.
     
  22. denb69

    denb69 TS Rookie Topic Starter Posts: 44

    Bootcheck log

    Here is the bootcheck log.


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !

    Contents of boot.ini:
     
  23. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Click Start, click Run, type sysdm.cpl, and then click OK.
    On the Advanced tab, click Settings under Startup and Recovery.
    Under System Startup, click Edit. This will open the boot.ini file in Notepad.
    In your case Notepad will be empty.

    Copy the following text:
    and paste it into the open Notepad window.
    Go to File > Save.
    Close Notepad.

    Restart the computer, re-run ComboFix and it should allow you to install the Recovery Console this time.
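    As an added example (not code from this thread, from ComboFix or from BootCheck), here is a small Python check a helper could run over a user's boot.ini before telling them to reboot: it confirms the file has a [boot loader] section whose default= entry matches one of the [operating systems] lines, which is what an empty or corrupted boot.ini lacks. All three sample files are constructed for this example; they mirror the ARC path layout (multi(0)disk(0)rdisk(0)partition(1)\WINDOWS) of a standard single-partition XP install.

```python
"""Sanity-check a Windows XP boot.ini before a reboot.

Added example, not code from the thread or from the tools it uses. The sample
files below are constructed; they follow the layout of a standard XP boot.ini.
"""
import re

# Constructed sample: what an empty/missing boot.ini looks like when opened.
EMPTY_BOOT_INI = ""

# Constructed sample: a minimal XP boot.ini that also lists the Recovery Console.
GOOD_BOOT_INI = """[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
c:\\cmdcons\\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""

# Constructed sample: default= names a partition with no matching
# [operating systems] entry, so NTLDR has nothing to boot by default.
BAD_DEFAULT_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""

# ARC path as NTLDR expects it: multi(n)disk(n)rdisk(n)partition(n)\<dir>
ARC_PATH_RE = re.compile(
    r"^multi\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)\\\S+$", re.I)


def parse_boot_ini(text):
    """Parse boot.ini into {section_name_lower: [(key, value), ...]}.

    boot.ini is a plain INI file; under [operating systems] the key is an ARC
    path or file path and the value is the quoted description plus switches,
    so each line is split on its first '=' only.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            continue  # key outside any section; ignore it
        key, sep, value = line.partition("=")
        sections[current].append((key.strip(), value.strip() if sep else None))
    return sections


def check_boot_ini(text):
    """Return a list of problems found; an empty list means the file looks bootable."""
    problems = []
    sections = parse_boot_ini(text)

    if "boot loader" not in sections:
        problems.append("missing [boot loader] section")
    if "operating systems" not in sections:
        problems.append("missing [operating systems] section")
    if problems:
        return problems  # an empty or garbage file; nothing else to check

    loader = {k.lower(): v for k, v in sections["boot loader"]}
    systems = sections["operating systems"]

    timeout = loader.get("timeout")
    if timeout is None or not timeout.isdigit():
        problems.append("timeout= is missing or not a number")

    default = loader.get("default")
    if not default:
        problems.append("default= is missing")
    elif not ARC_PATH_RE.match(default):
        problems.append("default= is not an ARC path: %r" % default)

    entries = [k for k, _ in systems]
    if not entries:
        problems.append("[operating systems] lists no entries")
    elif default and default.lower() not in (e.lower() for e in entries):
        problems.append("default= does not match any [operating systems] entry")

    for key, value in systems:
        if not value or not value.startswith('"'):
            problems.append("entry %r lacks a quoted description" % key)
    return problems


if __name__ == "__main__":
    for name, sample in (("empty", EMPTY_BOOT_INI), ("good", GOOD_BOOT_INI),
                         ("bad default", BAD_DEFAULT_BOOT_INI)):
        print(name, "->", check_boot_ini(sample) or "OK")
```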
     
  24. denb69

    denb69 TS Rookie Topic Starter Posts: 44

    Combofix re-run

    Here is the ComboFix log.

    ComboFix 12-04-01.01 - dbouchard 04/01/2012 21:33:31.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1348 [GMT -4:00]
    Running from: c:\documents and settings\dbouchard\Desktop\ComboFix.exe
    AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-02 to 2012-04-02 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-02 00:24 . 2008-04-14 04:10 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
    2012-04-02 00:24 . 2008-04-14 04:10 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2012-04-01 02:24 . 2012-04-01 02:24 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-03-30 04:59 . 2012-03-30 04:59 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2012-03-30 03:14 . 2012-03-30 03:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2012-03-30 03:14 . 2012-03-30 03:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
    2012-03-27 01:01 . 2012-03-27 01:01 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
    2012-03-27 01:01 . 2012-03-27 01:01 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2012-03-25 12:04 . 2012-03-25 12:04 -------- d-----w- c:\documents and settings\All Users\Application DataMicrosoft
    2012-03-03 16:12 . 2012-03-03 16:12 -------- d-sh--w- c:\documents and settings\dbouchard\IECompatCache
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-01 06:13 . 2008-04-14 04:06 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
    2012-03-01 17:53 . 2012-03-01 17:53 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2012-03-01 17:53 . 2012-03-01 17:53 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2012-02-12 15:59 . 2012-02-12 15:59 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
    2012-01-04 00:48 . 2012-01-04 00:48 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
    @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
    [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
    2006-11-06 16:46 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
    @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
    [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
    2006-11-06 16:46 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ThpSrv"="c:\windows\system32\thpsrv" [X]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1343488]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2006-11-06 16:34 52224 ----a-w- c:\windows\system32\psqlpwd.dll
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck msln\0autocheck autochk *
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli psqlpwd
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "sdCoreService"=3 (0x3)
    "sdAuxService"=3 (0x3)
    "Browser Defender Update Service"=2 (0x2)
    "Thpsrv"=2 (0x2)
    "TAPPSRV"=2 (0x2)
    "S24EventMonitor"=2 (0x2)
    "RegSrvc"=2 (0x2)
    "ose"=3 (0x3)
    "iPod Service"=3 (0x3)
    "idsvc"=3 (0x3)
    "gupdatem"=3 (0x3)
    "gupdate"=2 (0x2)
    "EvtEng"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1207000.00D\symds.sys [1/30/2012 11:37 PM 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1207000.00D\symefa.sys [1/30/2012 11:37 PM 744568]
    R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2/8/2007 2:46 PM 16896]
    R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2/7/2007 6:29 PM 6528]
    R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20120317.002\BHDrvx86.sys [3/19/2012 9:02 PM 820856]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1207000.00D\ironx86.sys [1/30/2012 11:37 PM 136312]
    R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.7.0.13\ccsvchst.exe [1/30/2012 11:37 PM 130008]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/16/2012 12:11 PM 106104]
    R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20120330.002\IDSXpx86.sys [3/31/2012 2:25 PM 356280]
    S3 TBIMount;TBIMount;c:\windows\system32\drivers\TBIMount.sys [12/14/2010 8:47 PM 87648]
    S4 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;\??\c:\docume~1\DBOUCH~1\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys --> c:\docume~1\DBOUCH~1\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys [?]
    S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2012 3:24 AM 136176]
    S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2012 3:24 AM 136176]
    S4 ktlwku;ktlwku;c:\windows\system32\drivers\oess.sys --> c:\windows\system32\drivers\oess.sys [?]
    S4 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]
    S4 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-01-28 07:23]
    .
    2012-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-01-28 07:23]
    .
    2012-04-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-545942363-657050502-1754407576-1137.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 22:45]
    .
    2012-03-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-545942363-657050502-1754407576-1137.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 22:45]
    .
    2012-04-02 c:\windows\Tasks\User_Feed_Synchronization-{BC25EC36-1F3F-4F75-8E0E-E642523A8159}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-01 21:38
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NIS]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.7.0.13\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
    "Appinit_Dlls"="c:\\PROGRA~1\\SHAREA~1\\MediaBar\\Datamngr\\datamngr.dll c:\\PROGRA~1\\SHAREA~1\\MediaBar\\Datamngr\\IEBHO.dll"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(916)
    c:\windows\system32\psqlpwd.dll
    c:\program files\Protector Suite QL\homefus2.dll
    c:\program files\Protector Suite QL\infra.dll
    c:\program files\Protector Suite QL\homepass.dll
    c:\program files\Protector Suite QL\bio.dll
    c:\program files\Protector Suite QL\remote.dll
    .
    - - - - - - - > 'lsass.exe'(972)
    c:\windows\system32\psqlpwd.dll
    c:\program files\Protector Suite QL\homefus2.dll
    c:\program files\Protector Suite QL\infra.dll
    .
    - - - - - - - > 'explorer.exe'(1912)
    c:\windows\system32\WININET.dll
    c:\program files\Protector Suite QL\farchns.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\program files\Protector Suite QL\infra.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2012-04-01 21:41:23
    ComboFix-quarantined-files.txt 2012-04-02 01:41
    ComboFix2.txt 2012-04-02 00:39
    .
    Pre-Run: 34,084,126,720 bytes free
    Post-Run: 34,071,580,672 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
    .
    - - End Of File - - F61796B75A0AAF4E306133AE6748FF58
     
  25. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Good job :)

    How is the computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\tasks\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
