Solved Loaded with viruses

denb69

Started with a Google redirect and svchost taking up too much RAM; now Explorer won't load Google or Netflix or any of my most commonly used sites. I tried following the 5-step instructions, but GMER won't run; it says it is not a valid Win32 program. What now? Attached is my MWB log.

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6845

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

6/12/2011 10:09:33 PM
mbam-log-2011-06-12 (22-09-33).txt

Scan type: Quick scan
Objects scanned: 169466
Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\RECYCLER\s-1-5-21-545942363-657050502-1754407576-1137\Dc98.exe (Trojan.P2P.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\dbouchard\local settings\Temp\R66v.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\dbouchard\local settings\Temp\WSZugo.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\dbouchard\local settings\Temp\~nsuwz.tmp\whitesmoke-silent.exe (PUP.BHO) -> Quarantined and deleted successfully.
c:\documents and settings\dbouchard\local settings\Temp\wsget.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
 
Welcome aboard


Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure you PASTE all logs. If some log exceeds the 50,000-character post limit, split it between a couple of replies.
Attached logs won't be reviewed.

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

==============================================================

Skip GMER for now.
 
virus removal

OK, I am running a scan with Norton in normal mode and then will follow the rest of the steps. Where do I find the logs for Norton when I am ready to post?
 
Log Files

Here are the log files for MWB and DDS. I have skipped GMER for now as you requested.

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.31.14

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
dbouchard :: TOSHIBA-ENG [administrator]

3/31/2012 7:40:13 PM
mbam-log-2012-03-31 (19-40-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 263430
Time elapsed: 40 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by dbouchard at 21:11:58 on 2012-03-31
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1205 [GMT -4:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\windows\system32\spoolsv.exe
svchost.exe
C:\Program Files\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\System32\svchost.exe -k HTTPFilter
C:\Program Files\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe
C:\windows\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\windows\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
E:\Realplayer\update\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\System32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.7.0.13\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.7.0.13\ips\IPSBHO.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.7.0.13\coIEPlg.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [fdbdbccfdddct] "c:\documents and settings\all users\application data\fdbdbccfdddct.exe"
mRun: [ThpSrv] c:\windows\system32\thpsrv /logon
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TkBellExe] "e:\realplayer\update\realsched.exe" -osboot
dRun: [dplaysvr] %APPDATA%\dplaysvr.exe
dRun: [fdbdbccfdddct] "c:\documents and settings\all users\application data\fdbdbccfdddct.exe"
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
dPolicies-explorer: NoDesktop = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{72294989-4E76-47A0-AFD8-66C921700C14} : DhcpNameServer = 75.75.75.75 75.75.76.76
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli psqlpwd
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1207000.00d\symds.sys [2012-1-30 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1207000.00d\symefa.sys [2012-1-30 744568]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2007-2-8 16896]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-2-7 6528]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20120317.002\BHDrvx86.sys [2012-3-19 820856]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1207000.00d\ironx86.sys [2012-1-30 136312]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.7.0.13\ccsvchst.exe [2012-1-30 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-16 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20120330.002\IDSXpx86.sys [2012-3-31 356280]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20120330.036\NAVENG.SYS [2012-3-31 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\virusdefs\20120330.036\NAVEX15.SYS [2012-3-31 1576312]
S?4 EraserSvc11122;Symantec Eraser Service;c:\program files\norton internet security\engine\18.7.0.13\ccsvchst.exe [2012-1-30 130008]
S3 TBIMount;TBIMount;c:\windows\system32\drivers\TBIMount.sys [2010-12-14 87648]
S4 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;\??\c:\docume~1\dbouch~1\locals~1\temp\f-secure\blacklight\fsbldrv.sys --> c:\docume~1\dbouch~1\locals~1\temp\f-secure\blacklight\fsbldrv.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-1-28 136176]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-1-28 136176]
S4 ktlwku;ktlwku;c:\windows\system32\drivers\oess.sys --> c:\windows\system32\drivers\oess.sys [?]
S4 szkg5;szkg5;c:\windows\system32\drivers\szkg.sys --> c:\windows\system32\drivers\szkg.sys [?]
S4 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]
.
=============== Created Last 30 ================
.
2012-03-31 15:44:04 86016 ----a-w- c:\documents and settings\all users\application data\fdbdbccfdddct.exe
2012-03-25 12:04:42 -------- d-----w- c:\documents and settings\all users\Application DataMicrosoft
2012-03-03 16:12:24 -------- d-sh--w- c:\documents and settings\dbouchard\IECompatCache
.
==================== Find3M ====================
.
2012-03-01 17:53:54 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-03-01 17:53:54 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-02-12 15:59:22 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-01-04 00:48:42 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS541080G9SA00 rev.MB4OC60D -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys >>UNKNOWN [0x8A41C49F]<<
c:\windows\system32\drivers\thpdrv.sys TOSHIBA Corporation TOSHIBA HDD Protection
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a423738]; MOV EAX, [0x8a4238ac]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A707AB8]
3 CLASSPNP[0xF7657FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\THPDRV[0x8A709948]
5 thpdrv[0xF76796FF] -> nt!IofCallDriver[0x804E13B9] -> \Device\0000008c[0x8A6E24B0]
7 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x8A70C940]
\Driver\atapi[0x8A4C3168] -> IRP_MJ_CREATE -> 0x8A41C49F
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A41C2C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 21:14:06.32 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/13/2010 10:48:40 PM
System Uptime: 3/31/2012 6:41:45 PM (3 hours ago)
.
Motherboard: Intel Corporation | | CAPELL VALLEY(NAPA) CRB
Processor: Genuine Intel(R) CPU T2400 @ 1.83GHz | U2E1 | 1828/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 71 GiB total, 22.998 GiB free.
E: is FIXED (NTFS) - 279 GiB total, 219.664 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\D134601E80DA0
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\D134601E80DA0
Service: NIC1394
.
Class GUID: {4D36E970-E325-11CE-BFC1-08002BE10318}
Description: Texas Instruments PCIxx12 Integrated FlashMedia Controller
Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_FF101179&REV_00\4&6B16D5B&0&32F0
Manufacturer: Texas Instruments Inc
Name: Texas Instruments PCIxx12 Integrated FlashMedia Controller
PNP Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_FF101179&REV_00\4&6B16D5B&0&32F0
Service: tifm21
.
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: IDE\CDROMHL-DT-ST_DVDRAM_GMA-4082N_______________HV02____\3142333141374337373532342020202020202020
Manufacturer: (Standard CD-ROM drives)
Name: HL-DT-ST DVDRAM GMA-4082N
PNP Device ID: IDE\CDROMHL-DT-ST_DVDRAM_GMA-4082N_______________HV02____\3142333141374337373532342020202020202020
Service: cdrom
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\TOS6209\2&DABA3FF&0
Manufacturer:
Name:
PNP Device ID: ACPI\TOS6209\2&DABA3FF&0
Service:
.
==== System Restore Points ===================
.
RP360: 12/31/2011 8:20:16 PM - System Checkpoint
RP361: 1/1/2012 7:37:44 PM - Software Distribution Service 3.0
RP362: 1/2/2012 10:27:48 PM - System Checkpoint
RP363: 1/4/2012 4:03:04 AM - System Checkpoint
RP364: 1/5/2012 12:05:59 PM - System Checkpoint
RP365: 1/6/2012 1:05:47 PM - System Checkpoint
RP366: 1/7/2012 1:45:55 PM - System Checkpoint
RP367: 1/8/2012 11:27:35 PM - System Checkpoint
RP368: 1/10/2012 1:10:20 AM - System Checkpoint
RP369: 1/11/2012 1:45:55 AM - System Checkpoint
RP370: 1/12/2012 4:15:46 AM - System Checkpoint
RP371: 1/13/2012 4:45:56 AM - System Checkpoint
RP372: 1/14/2012 4:50:08 AM - System Checkpoint
RP373: 1/15/2012 7:26:10 AM - System Checkpoint
RP374: 1/16/2012 10:10:10 AM - System Checkpoint
RP375: 1/17/2012 11:09:55 AM - System Checkpoint
RP376: 1/18/2012 11:51:59 AM - System Checkpoint
RP377: 1/20/2012 3:26:38 AM - System Checkpoint
RP378: 1/21/2012 3:51:59 AM - System Checkpoint
RP379: 1/22/2012 11:54:54 AM - System Checkpoint
RP380: 1/23/2012 11:58:36 AM - System Checkpoint
RP381: 1/24/2012 11:33:08 PM - System Checkpoint
RP382: 1/25/2012 11:46:22 PM - System Checkpoint
RP383: 1/27/2012 6:40:56 AM - System Checkpoint
RP384: 1/28/2012 7:09:00 AM - System Checkpoint
RP385: 1/29/2012 8:00:33 AM - System Checkpoint
RP386: 1/30/2012 10:23:02 AM - System Checkpoint
RP387: 1/31/2012 10:32:17 AM - System Checkpoint
RP388: 2/1/2012 11:15:46 AM - System Checkpoint
RP389: 2/2/2012 12:54:37 PM - System Checkpoint
RP390: 2/3/2012 1:16:51 PM - System Checkpoint
RP391: 2/7/2012 12:08:23 AM - System Checkpoint
RP392: 2/8/2012 12:28:07 AM - System Checkpoint
RP393: 2/8/2012 2:34:51 AM - Software Distribution Service 3.0
RP394: 2/9/2012 12:00:37 PM - System Checkpoint
RP395: 2/12/2012 3:01:41 AM - System Checkpoint
RP396: 2/12/2012 7:05:20 AM - Removed Apple Software Update
RP397: 2/12/2012 7:05:43 AM - Removed Ask Toolbar.
RP398: 2/12/2012 7:13:46 AM - Removed Ask Toolbar.
RP399: 2/12/2012 7:15:05 AM - Removed Bonjour
RP400: 2/16/2012 10:50:45 AM - System Checkpoint
RP401: 2/16/2012 2:28:40 PM - Software Distribution Service 3.0
RP402: 2/18/2012 5:45:11 PM - System Checkpoint
RP403: 2/19/2012 12:41:49 AM - Software Distribution Service 3.0
RP404: 2/20/2012 1:08:08 PM - System Checkpoint
RP405: 2/23/2012 11:47:50 PM - System Checkpoint
RP406: 3/3/2012 1:49:30 AM - System Checkpoint
RP407: 3/3/2012 11:17:09 AM - Removed Apple Application Support
RP408: 3/3/2012 11:19:23 AM - Removed TOSHIBA Hotkey Utility
RP409: 3/3/2012 1:27:02 PM - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
RP410: 3/4/2012 3:28:59 PM - System Checkpoint
RP411: 3/7/2012 10:51:12 PM - System Checkpoint
RP412: 3/13/2012 11:08:52 PM - System Checkpoint
RP413: 3/19/2012 7:22:32 PM - Software Distribution Service 3.0
RP414: 3/20/2012 9:34:08 PM - System Checkpoint
RP415: 3/24/2012 12:49:52 AM - System Checkpoint
RP416: 3/25/2012 3:08:19 AM - System Checkpoint
RP417: 3/27/2012 5:00:38 PM - System Checkpoint
RP418: 3/29/2012 11:45:32 PM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.0.1)
CopyTrans Suite Remove Only
DivX Setup
FrostWire 4.21.8
Google Chrome
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet/Wireless Software
iTunes
Java Auto Updater
Java(TM) 6 Update 21
Malwarebytes Anti-Malware version 1.60.1.1000
mCore
mDrWiFi
MediaBar
mHelp
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
mIWA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
mWlsSafe
mXML
mZConfig
Norton Internet Security
Protector Suite QL 5.6
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.1
SD Secure Module
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2416400)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
SMSC IrCC V5.1.3600.7
Synaptics Pointing Device Driver
TBIView 4.23 - TBIMount 1.05
TOSHIBA HDD Protection
TOSHIBA Power Saver
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676-v2)
Update for Windows XP (KB2641690)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.6195
VoiceOver Kit
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
.
==== Event Viewer Messages From Past Week ========
.
3/31/2012 9:00:01 PM, error: Schedule [7901] - The At46.job command failed to start due to the following error: General access denied error
3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Workstation service terminated unexpectedly. It has done this 1 time(s).
3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Wireless Zero Configuration service terminated unexpectedly. It has done this 1 time(s).
3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Windows Time service terminated unexpectedly. It has done this 1 time(s).
3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated unexpectedly. It has done this 1 time(s).
3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Telephony service terminated unexpectedly. It has done this 1 time(s).
3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The System Restore Service service terminated unexpectedly. It has done this 1 time(s).
3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The System Event Notification service terminated unexpectedly. It has done this 1 time(s).
3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Shell Hardware Detection service terminated unexpectedly. It has done this 1 time(s).
3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Secondary Logon service terminated unexpectedly. It has done this 1 time(s).
3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Remote Access Connection Manager service terminated unexpectedly. It has done this 1 time(s).
3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Remote Access Auto Connection Manager service terminated unexpectedly. It has done this 1 time(s).
3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 1 time(s).
3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Network Connections service terminated unexpectedly. It has done this 1 time(s).
3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Distributed Link Tracking Client service terminated unexpectedly. It has done this 1 time(s).
3/31/2012 8:35:41 PM, error: Service Control Manager [7034] - The Automatic Updates service terminated unexpectedly. It has done this 1 time(s).
3/31/2012 8:35:41 PM, error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/31/2012 8:35:41 PM, error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/31/2012 8:35:41 PM, error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 6000 milliseconds: Restart the service.
3/31/2012 8:00:00 PM, error: Schedule [7901] - The At45.job command failed to start due to the following error: General access denied error
3/31/2012 12:16:38 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx86 eeCtrl Fips intelppm SRTSP SRTSPX SymIRON SYMTDI
3/31/2012 12:15:47 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/31/2012 12:15:20 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
3/31/2012 12:15:20 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service ALG with arguments "" in order to run the server: {D6015EC3-FA16-4813-9CA1-DA204574F5DA}
3/31/2012 11:39:00 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
3/30/2012 9:00:00 PM, error: Schedule [7901] - The At46.job command failed to start due to the following error: %%2147942402
3/30/2012 9:00:00 AM, error: Schedule [7901] - The At34.job command failed to start due to the following error: %%2147942402
3/30/2012 8:00:00 PM, error: Schedule [7901] - The At45.job command failed to start due to the following error: %%2147942402
3/30/2012 8:00:00 AM, error: Schedule [7901] - The At33.job command failed to start due to the following error: %%2147942402
3/30/2012 7:00:00 PM, error: Schedule [7901] - The At44.job command failed to start due to the following error: %%2147942402
3/30/2012 7:00:00 AM, error: Schedule [7901] - The At32.job command failed to start due to the following error: %%2147942402
3/30/2012 6:00:00 PM, error: Schedule [7901] - The At43.job command failed to start due to the following error: %%2147942402
3/30/2012 6:00:00 AM, error: Schedule [7901] - The At31.job command failed to start due to the following error: %%2147942402
3/30/2012 5:00:00 PM, error: Schedule [7901] - The At42.job command failed to start due to the following error: %%2147942402
3/30/2012 5:00:00 AM, error: Schedule [7901] - The At30.job command failed to start due to the following error: %%2147942402
3/30/2012 4:00:00 PM, error: Schedule [7901] - The At41.job command failed to start due to the following error: %%2147942402
3/30/2012 4:00:00 AM, error: Schedule [7901] - The At29.job command failed to start due to the following error: %%2147942402
3/30/2012 3:00:00 PM, error: Schedule [7901] - The At40.job command failed to start due to the following error: %%2147942402
3/30/2012 3:00:00 AM, error: Schedule [7901] - The At28.job command failed to start due to the following error: %%2147942402
3/30/2012 2:00:00 PM, error: Schedule [7901] - The At39.job command failed to start due to the following error: %%2147942402
3/30/2012 2:00:00 AM, error: Schedule [7901] - The At27.job command failed to start due to the following error: %%2147942402
3/30/2012 12:39:00 AM, error: Schedule [7901] - The At25.job command failed to start due to the following error: %%2147942402
3/30/2012 12:00:00 PM, error: Schedule [7901] - The At37.job command failed to start due to the following error: %%2147942402
3/30/2012 11:00:00 PM, error: Schedule [7901] - The At48.job command failed to start due to the following error: %%2147942402
3/30/2012 11:00:00 AM, error: Schedule [7901] - The At36.job command failed to start due to the following error: %%2147942402
3/30/2012 10:00:00 PM, error: Schedule [7901] - The At47.job command failed to start due to the following error: %%2147942402
3/30/2012 10:00:00 AM, error: Schedule [7901] - The At35.job command failed to start due to the following error: %%2147942402
3/30/2012 1:00:02 AM, error: Schedule [7901] - The At26.job command failed to start due to the following error: %%2147942402
3/30/2012 1:00:00 PM, error: Schedule [7901] - The At38.job command failed to start due to the following error: %%2147942402
3/27/2012 3:38:59 PM, error: DCOM [10005] - DCOM got error "%1054" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
3/27/2012 3:38:59 PM, error: DCOM [10005] - DCOM got error "%1054" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
3/25/2012 8:53:17 AM, error: NETLOGON [5719] - No Domain Controller is available for domain PRIMEPOWERINC due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
3/25/2012 7:58:33 AM, error: ipnathlp [31008] - The DNS proxy agent was unable to read the local list of name-resolution servers from the registry. The data is the error code.
3/25/2012 7:12:58 AM, error: ipnathlp [30013] - The DHCP allocator has disabled itself on IP address 192.168.1.103, since the IP address is outside the 192.168.0.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, please change the scope to include the IP address, or change the IP address to fall within the scope.
3/25/2012 7:08:09 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the HTTP SSL service to connect.
3/25/2012 7:08:09 PM, error: Service Control Manager [7000] - The HTTP SSL service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/25/2012 7:03:14 AM, error: BROWSER [8007] - The browser was unable to update the service status bits. The data is the error.
3/25/2012 2:54:48 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service iPod Service with arguments "" in order to run the server: {7A7FB085-6068-4898-8CCA-480A9187277C}
3/24/2012 5:42:14 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
3/24/2012 5:42:14 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================
 
Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
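Once the report is pasted, the lines that matter are the ones TDSSKiller marks "detected", "infected" or "Suspicious file (Forged)". Here is an added Python example (not TDSSKiller's own code and not part of this thread) that parses the report format and pulls those out; the sample lines are excerpted from the TDSSKiller log posted later in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Lines excerpted from the TDSSKiller 2.7 report posted in this thread.
# Every report line is "<time> <pid> <message>"; only the selection is ours.
SAMPLE_REPORT = """\
22:24:03.0375 1868 ============================================================
22:24:03.0375 1868 Scan started
22:24:03.0375 1868 Mode: Manual;
22:24:05.0734 1868 .cdrom - ok
22:24:07.0312 1868 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\\windows\\system32\\DRIVERS\\ACPI.sys
22:24:07.0328 1868 Suspicious file (Forged): C:\\windows\\system32\\DRIVERS\\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
22:24:07.0328 1868 ACPI ( Virus.Win32.Rloader.a ) - infected
22:24:07.0328 1868 ACPI - detected Virus.Win32.Rloader.a (0)
22:24:07.0359 1868 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\\windows\\system32\\DRIVERS\\ACPIEC.sys
22:24:07.0390 1868 ACPIEC - ok
22:24:16.0484 1868 iPod Service (6e27978a4755f4789f912f5f49392f7c) C:\\Program Files\\iPod\\bin\\iPodService.exe
22:24:16.0500 1868 iPod Service - ok
"""

# "<time> <pid> <message>" framing of every report line.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+(?P<msg>.*)$")
# "<name> (<md5>) <path>": the object TDSSKiller is about to judge.
ENTRY_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# The two hashes disagree: what TDSSKiller read from disk is not what the
# file presents through the normal filesystem path, hence "Forged".
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (?P<path>.+)\. Real md5: (?P<real>[0-9a-f]{32}), "
    r"Fake md5: (?P<fake>[0-9a-f]{32})$"
)
DETECTED_RE = re.compile(r"^(?P<name>.+?) - detected (?P<verdict>.+?) \((?P<flags>\d+)\)$")
OK_RE = re.compile(r"^(?P<name>.+?) - ok$")


@dataclass
class Finding:
    name: str           # service/driver name as TDSSKiller lists it
    verdict: str        # detection name, e.g. Virus.Win32.Rloader.a
    path: str = ""      # on-disk path of the scanned object, if one was listed
    real_md5: str = ""  # hash read from disk (Forged lines only)
    fake_md5: str = ""  # hash the file presents instead (Forged lines only)


@dataclass
class Summary:
    ok: int = 0
    findings: List[Finding] = field(default_factory=list)


def parse_tdsskiller_report(text: str) -> Summary:
    """Walk the report once, joining each detection to its path and forged hashes."""
    summary = Summary()
    paths: Dict[str, str] = {}                    # object name -> path
    forged: Dict[str, Tuple[str, str]] = {}       # path -> (real_md5, fake_md5)
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank lines and lines without a message carry no verdict
        msg = m.group("msg").strip()
        if (e := ENTRY_RE.match(msg)):
            paths[e.group("name")] = e.group("path")
        elif (f := FORGED_RE.match(msg)):
            forged[f.group("path")] = (f.group("real"), f.group("fake"))
        elif (d := DETECTED_RE.match(msg)):
            name = d.group("name")
            path = paths.get(name, "")
            real, fake = forged.get(path, ("", ""))
            summary.findings.append(Finding(name, d.group("verdict"), path, real, fake))
        elif OK_RE.match(msg):
            summary.ok += 1
        # "( <verdict> ) - infected" repeats the "- detected" line, so it is skipped
    return summary


def triage_lines(summary: Summary) -> List[str]:
    """Render the summary as the short list a helper would want to read first."""
    lines = [f"{summary.ok} objects clean, {len(summary.findings)} detection(s)"]
    for f in summary.findings:
        line = f"{f.name}: {f.verdict} at {f.path or '<no path listed>'}"
        if f.real_md5:
            line += f" [forged: disk md5 {f.real_md5}, presented md5 {f.fake_md5}]"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in triage_lines(parse_tdsskiller_report(SAMPLE_REPORT)):
        print(line)
```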
 
Reboot to Nothing

I downloaded and ran TDSSKiller. It requested I reboot, but on reboot it boots into a black screen with a flashing white cursor at top left. I am contacting you through another computer right now. How do I get out of this one?
 
Turn the computer off manually.
Wait 1 minute.
Try to start it again.
Try normal and safe mode.
 
No Reboot

I have done that. It doesn't let me F8 and start into safe mode. The only options I have are F12 and F1 or 2, I forget. I've unplugged from the wall and waited 10 minutes; it still will not boot. Before I ran TDSSKiller I had to reboot after running DDS because my computer was unresponsive. I noticed during that reboot, where I am seeing the black screen and cursor now, I saw "bad boot.ini", then the next line "C:\windows", and then it would go into the Windows blue screen sequence getting me to the log in screen. Could TDSSKiller have taken out the boot file it was redirecting to, and now I'm left with the bad boot.ini?
 
We need to use the Recovery Console to try to fix your issue.

  • You'll need to find your Windows XP installation disk.
  • Insert the Windows XP CD into the CD-ROM drive, then restart your computer.
  • If prompted, click any options that are required to start the computer from the CD-ROM drive.
  • When the Welcome to Setup screen appears, press R to start the Recovery Console.
  • The Recovery Console will start and ask you which Windows installation you would like to log on to.
    • If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press Enter.
  • It will then prompt you for the Administrator's password. If there is no password, simply press enter.
  • You will now be presented with a C:\Windows> prompt.
  • Type the following, pressing Enter after each line:
    fixmbr
    fixboot
    exit
  • Restart the computer.

************************

If you don't have Windows CD...
Download Windows Recovery Console: http://www.thecomputerparamedic.com/files/rc.iso
Download, and install free Imgburn: http://www.imgburn.com/index.php?act=download
Using Imgburn, burn rc.iso to a CD.
Boot to the CD...let it finish loading.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
 
Recovery Successful

Wouldn't work off the memory stick, so I was able to burn the recovery console to CD. I didn't think I had a blank CD at first. Anyway, I'm attaching the TDSSKiller log. I'll talk to you tomorrow. Oops, I mean today :)


22:23:28.0843 5840 TDSS rootkit removing tool 2.7.23.0 Mar 26 2012 13:40:18
22:23:30.0859 5840 ============================================================
22:23:30.0859 5840 Current date / time: 2012/03/31 22:23:30.0859
22:23:30.0859 5840 SystemInfo:
22:23:30.0859 5840
22:23:30.0859 5840 OS Version: 5.1.2600 ServicePack: 3.0
22:23:30.0859 5840 Product type: Workstation
22:23:30.0859 5840 ComputerName: TOSHIBA-ENG
22:23:30.0859 5840 UserName: dbouchard
22:23:30.0859 5840 Windows directory: C:\windows
22:23:30.0859 5840 System windows directory: C:\windows
22:23:30.0859 5840 Processor architecture: Intel x86
22:23:30.0859 5840 Number of processors: 2
22:23:30.0859 5840 Page size: 0x1000
22:23:30.0859 5840 Boot type: Normal boot
22:23:30.0859 5840 ============================================================
22:23:56.0437 5840 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
22:23:57.0375 5840 Drive \Device\Harddisk1\DR3 - Size: 0x45DECD2000 (279.48 Gb), SectorSize: 0x200, Cylinders: 0x8DF57, SectorsPerTrack: 0x3F, TracksPerCylinder: 0x10, Type 'W'
22:23:57.0390 5840 \Device\Harddisk0\DR0:
22:23:57.0484 5840 MBR used
22:23:57.0484 5840 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x8D2677E
22:23:57.0484 5840 \Device\Harddisk1\DR3:
22:23:57.0484 5840 MBR used
22:23:57.0484 5840 \Device\Harddisk1\DR3\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x22EF5691
22:23:58.0671 5840 Initialize success
22:23:58.0671 5840 ============================================================
22:24:03.0375 1868 ============================================================
22:24:03.0375 1868 Scan started
22:24:03.0375 1868 Mode: Manual;
22:24:03.0375 1868 ============================================================
22:24:05.0734 1868 .cdrom - ok
22:24:06.0875 1868 Abiosdsk - ok
22:24:07.0234 1868 abp480n5 - ok
22:24:07.0312 1868 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\windows\system32\DRIVERS\ACPI.sys
22:24:07.0328 1868 Suspicious file (Forged): C:\windows\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
22:24:07.0328 1868 ACPI ( Virus.Win32.Rloader.a ) - infected
22:24:07.0328 1868 ACPI - detected Virus.Win32.Rloader.a (0)
22:24:07.0359 1868 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\windows\system32\DRIVERS\ACPIEC.sys
22:24:07.0390 1868 ACPIEC - ok
22:24:07.0406 1868 adpu160m - ok
22:24:07.0500 1868 aec (8bed39e3c35d6a489438b8141717a557) C:\windows\system32\drivers\aec.sys
22:24:07.0515 1868 aec - ok
22:24:07.0593 1868 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\windows\System32\drivers\afd.sys
22:24:07.0656 1868 AFD - ok
22:24:07.0812 1868 AgereSoftModem (b3192376c7a3814b5341efc2202022f8) C:\windows\system32\DRIVERS\AGRSM.sys
22:24:07.0843 1868 AgereSoftModem - ok
22:24:07.0875 1868 Aha154x - ok
22:24:07.0890 1868 aic78u2 - ok
22:24:07.0906 1868 aic78xx - ok
22:24:07.0953 1868 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\windows\system32\alrsvc.dll
22:24:08.0031 1868 Alerter - ok
22:24:08.0156 1868 ALG (8c515081584a38aa007909cd02020b3d) C:\windows\System32\alg.exe
22:24:08.0156 1868 ALG - ok
22:24:08.0171 1868 AliIde - ok
22:24:08.0171 1868 amsint - ok
22:24:08.0234 1868 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\windows\System32\appmgmts.dll
22:24:08.0312 1868 AppMgmt - ok
22:24:08.0406 1868 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\windows\system32\DRIVERS\arp1394.sys
22:24:08.0421 1868 Arp1394 - ok
22:24:08.0421 1868 asc - ok
22:24:08.0437 1868 asc3350p - ok
22:24:08.0453 1868 asc3550 - ok
22:24:08.0531 1868 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
22:24:08.0656 1868 aspnet_state - ok
22:24:08.0703 1868 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\windows\system32\DRIVERS\asyncmac.sys
22:24:08.0703 1868 AsyncMac - ok
22:24:08.0750 1868 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\windows\system32\DRIVERS\atapi.sys
22:24:08.0750 1868 atapi - ok
22:24:08.0796 1868 Atdisk - ok
22:24:08.0812 1868 Atmarpc (9916c1225104ba14794209cfa8012159) C:\windows\system32\DRIVERS\atmarpc.sys
22:24:08.0812 1868 Atmarpc - ok
22:24:08.0875 1868 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\windows\System32\audiosrv.dll
22:24:08.0875 1868 AudioSrv - ok
22:24:09.0062 1868 audstub (d9f724aa26c010a217c97606b160ed68) C:\windows\system32\DRIVERS\audstub.sys
22:24:09.0109 1868 audstub - ok
22:24:09.0156 1868 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\windows\system32\drivers\Beep.sys
22:24:09.0156 1868 Beep - ok
22:24:09.0484 1868 BHDrvx86 (eb7f1f1dfa95c25d762c22d3cf13d4e0) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20120317.002\BHDrvx86.sys
22:24:09.0500 1868 BHDrvx86 - ok
22:24:09.0671 1868 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
22:24:09.0703 1868 BITS - ok
22:24:09.0781 1868 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\windows\System32\browser.dll
22:24:09.0796 1868 Browser - ok
22:24:09.0875 1868 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\windows\system32\drivers\cbidf2k.sys
22:24:09.0875 1868 cbidf2k - ok
22:24:09.0890 1868 cd20xrnt - ok
22:24:09.0968 1868 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\windows\system32\drivers\Cdaudio.sys
22:24:09.0968 1868 Cdaudio - ok
22:24:10.0031 1868 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\windows\system32\drivers\Cdfs.sys
22:24:10.0078 1868 Cdfs - ok
22:24:10.0093 1868 Changer - ok
22:24:10.0125 1868 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\windows\system32\cisvc.exe
22:24:10.0140 1868 CiSvc - ok
22:24:10.0156 1868 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\windows\system32\clipsrv.exe
22:24:10.0156 1868 ClipSrv - ok
22:24:10.0328 1868 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
22:24:10.0406 1868 clr_optimization_v2.0.50727_32 - ok
22:24:10.0500 1868 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\windows\system32\DRIVERS\CmBatt.sys
22:24:10.0500 1868 CmBatt - ok
22:24:10.0500 1868 CmdIde - ok
22:24:10.0515 1868 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\windows\system32\DRIVERS\compbatt.sys
22:24:10.0515 1868 Compbatt - ok
22:24:10.0531 1868 COMSysApp - ok
22:24:10.0562 1868 Cpqarray - ok
22:24:10.0656 1868 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\windows\System32\cryptsvc.dll
22:24:10.0656 1868 CryptSvc - ok
22:24:10.0671 1868 dac2w2k - ok
22:24:10.0671 1868 dac960nt - ok
22:24:10.0750 1868 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\windows\system32\rpcss.dll
22:24:10.0750 1868 DcomLaunch - ok
22:24:10.0859 1868 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\windows\System32\dhcpcsvc.dll
22:24:10.0859 1868 Dhcp - ok
22:24:10.0921 1868 Disk (044452051f3e02e7963599fc8f4f3e25) C:\windows\system32\DRIVERS\disk.sys
22:24:10.0921 1868 Disk - ok
22:24:10.0937 1868 dmadmin - ok
22:24:11.0062 1868 dmboot (d992fe1274bde0f84ad826acae022a41) C:\windows\system32\drivers\dmboot.sys
22:24:11.0093 1868 dmboot - ok
22:24:11.0140 1868 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\windows\system32\drivers\dmio.sys
22:24:11.0140 1868 dmio - ok
22:24:11.0171 1868 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\windows\system32\drivers\dmload.sys
22:24:11.0171 1868 dmload - ok
22:24:11.0203 1868 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\windows\System32\dmserver.dll
22:24:11.0203 1868 dmserver - ok
22:24:11.0265 1868 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\windows\system32\drivers\DMusic.sys
22:24:11.0265 1868 DMusic - ok
22:24:11.0296 1868 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\windows\System32\dnsrslvr.dll
22:24:11.0296 1868 Dnscache - ok
22:24:11.0359 1868 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\windows\System32\dot3svc.dll
22:24:11.0390 1868 Dot3svc - ok
22:24:11.0390 1868 dpti2o - ok
22:24:11.0421 1868 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\windows\system32\drivers\drmkaud.sys
22:24:11.0421 1868 drmkaud - ok
22:24:11.0468 1868 e1express (e1fa10ed8f9f700c1be1eae05a80ef57) C:\windows\system32\DRIVERS\e1e5132.sys
22:24:11.0484 1868 e1express - ok
22:24:11.0515 1868 EapHost (2187855a7703adef0cef9ee4285182cc) C:\windows\System32\eapsvc.dll
22:24:11.0515 1868 EapHost - ok
22:24:11.0687 1868 eeCtrl (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
22:24:11.0687 1868 eeCtrl - ok
22:24:11.0718 1868 EraserUtilRebootDrv (028d50f059bd0d2ccb209e9011b9a9a4) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
22:24:11.0734 1868 EraserUtilRebootDrv - ok
22:24:11.0781 1868 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\windows\System32\ersvc.dll
22:24:11.0781 1868 ERSvc - ok
22:24:11.0843 1868 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\windows\system32\services.exe
22:24:11.0859 1868 Eventlog - ok
22:24:11.0984 1868 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
22:24:11.0984 1868 EventSystem - ok
22:24:12.0203 1868 EvtEng (6a197698a141ffe7651b962ae3172008) C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
22:24:12.0281 1868 EvtEng - ok
22:24:12.0390 1868 Fastfat (38d332a6d56af32635675f132548343e) C:\windows\system32\drivers\Fastfat.sys
22:24:12.0515 1868 Fastfat - ok
22:24:12.0640 1868 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\windows\System32\shsvcs.dll
22:24:12.0640 1868 FastUserSwitchingCompatibility - ok
22:24:12.0687 1868 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\windows\system32\drivers\Fdc.sys
22:24:12.0687 1868 Fdc - ok
22:24:12.0703 1868 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\windows\system32\drivers\Fips.sys
22:24:12.0703 1868 Fips - ok
22:24:12.0718 1868 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\windows\system32\drivers\Flpydisk.sys
22:24:12.0718 1868 Flpydisk - ok
22:24:12.0765 1868 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\windows\system32\DRIVERS\fltMgr.sys
22:24:12.0781 1868 FltMgr - ok
22:24:12.0859 1868 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
22:24:12.0859 1868 FontCache3.0.0.0 - ok
22:24:13.0203 1868 fsbl-standalone - ok
22:24:13.0421 1868 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\windows\system32\drivers\Fs_Rec.sys
22:24:13.0421 1868 Fs_Rec - ok
22:24:13.0453 1868 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\windows\system32\DRIVERS\ftdisk.sys
22:24:13.0468 1868 Ftdisk - ok
22:24:13.0515 1868 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\windows\system32\DRIVERS\GEARAspiWDM.sys
22:24:13.0515 1868 GEARAspiWDM - ok
22:24:13.0578 1868 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\windows\system32\DRIVERS\msgpc.sys
22:24:13.0578 1868 Gpc - ok
22:24:13.0609 1868 GTNDIS5 - ok
22:24:13.0765 1868 gupdate (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
22:24:13.0781 1868 gupdate - ok
22:24:13.0796 1868 gupdatem (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
22:24:13.0796 1868 gupdatem - ok
22:24:13.0843 1868 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\windows\system32\DRIVERS\HDAudBus.sys
22:24:13.0859 1868 HDAudBus - ok
22:24:14.0125 1868 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\windows\PCHealth\HelpCtr\Binaries\pchsvc.dll
22:24:14.0125 1868 helpsvc - ok
22:24:14.0203 1868 HidServ (deb04da35cc871b6d309b77e1443c796) C:\windows\System32\hidserv.dll
22:24:14.0203 1868 HidServ - ok
22:24:14.0265 1868 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\windows\system32\DRIVERS\hidusb.sys
22:24:14.0265 1868 HidUsb - ok
22:24:14.0312 1868 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\windows\System32\kmsvc.dll
22:24:14.0390 1868 hkmsvc - ok
22:24:14.0390 1868 hpn - ok
22:24:14.0468 1868 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\windows\system32\Drivers\HTTP.sys
22:24:14.0468 1868 HTTP - ok
22:24:14.0562 1868 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\windows\System32\w3ssl.dll
22:24:14.0578 1868 HTTPFilter - ok
22:24:14.0703 1868 i2omgmt - ok
22:24:14.0703 1868 i2omp - ok
22:24:14.0750 1868 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\windows\system32\DRIVERS\i8042prt.sys
22:24:14.0765 1868 i8042prt - ok
22:24:14.0906 1868 ialm (bc1f1ff8d5800398937966cdb0a97fdc) C:\windows\system32\DRIVERS\ialmnt5.sys
22:24:14.0921 1868 ialm - ok
22:24:15.0281 1868 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
22:24:15.0296 1868 idsvc - ok
22:24:15.0484 1868 IDSxpx86 (cfbc1ce72e5353d428704659199147b1) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20120330.002\IDSxpx86.sys
22:24:15.0484 1868 IDSxpx86 - ok
22:24:15.0609 1868 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\windows\system32\DRIVERS\imapi.sys
22:24:15.0609 1868 Imapi - ok
22:24:15.0687 1868 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
22:24:15.0703 1868 ImapiService - ok
22:24:15.0703 1868 ini910u - ok
22:24:15.0968 1868 IntcAzAudAddService (7c09d605fcae64e3cb11ebf90fb1e3a1) C:\windows\system32\drivers\RtkHDAud.sys
22:24:16.0093 1868 IntcAzAudAddService - ok
22:24:16.0203 1868 IntelIde - ok
22:24:16.0265 1868 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\windows\system32\DRIVERS\intelppm.sys
22:24:16.0265 1868 intelppm - ok
22:24:16.0281 1868 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\windows\system32\DRIVERS\Ip6Fw.sys
22:24:16.0281 1868 Ip6Fw - ok
22:24:16.0312 1868 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\windows\system32\DRIVERS\ipfltdrv.sys
22:24:16.0343 1868 IpFilterDriver - ok
22:24:16.0343 1868 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\windows\system32\DRIVERS\ipinip.sys
22:24:16.0343 1868 IpInIp - ok
22:24:16.0375 1868 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\windows\system32\DRIVERS\ipnat.sys
22:24:16.0375 1868 IpNat - ok
22:24:16.0484 1868 iPod Service (6e27978a4755f4789f912f5f49392f7c) C:\Program Files\iPod\bin\iPodService.exe
22:24:16.0500 1868 iPod Service - ok
22:24:16.0546 1868 IPSec (23c74d75e36e7158768dd63d92789a91) C:\windows\system32\DRIVERS\ipsec.sys
22:24:16.0546 1868 IPSec - ok
22:24:16.0593 1868 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\windows\system32\DRIVERS\irda.sys
22:24:16.0609 1868 irda - ok
22:24:16.0671 1868 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\windows\system32\DRIVERS\irenum.sys
22:24:16.0687 1868 IRENUM - ok
22:24:16.0781 1868 Irmon (49cc4533ce897cb2e93c1e84a818fde5) C:\windows\System32\irmon.dll
22:24:16.0781 1868 Irmon - ok
22:24:16.0843 1868 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\windows\system32\DRIVERS\isapnp.sys
22:24:16.0843 1868 isapnp - ok
22:24:16.0906 1868 JavaQuickStarterService (e4ae0cbc0b55a5faa6996e38ce6c981b) C:\Program Files\Java\jre6\bin\jqs.exe
22:24:16.0906 1868 JavaQuickStarterService - ok
22:24:17.0046 1868 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\windows\system32\DRIVERS\kbdclass.sys
22:24:17.0046 1868 Kbdclass - ok
22:24:17.0125 1868 kmixer (692bcf44383d056aed41b045a323d378) C:\windows\system32\drivers\kmixer.sys
22:24:17.0125 1868 kmixer - ok
22:24:17.0156 1868 KSecDD (b467646c54cc746128904e1654c750c1) C:\windows\system32\drivers\KSecDD.sys
22:24:17.0250 1868 KSecDD - ok
22:24:17.0312 1868 ktlwku - ok
22:24:17.0500 1868 LanmanServer (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\windows\System32\srvsvc.dll
22:24:17.0500 1868 LanmanServer - ok
22:24:17.0562 1868 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\windows\System32\wkssvc.dll
22:24:17.0562 1868 lanmanworkstation - ok
22:24:17.0671 1868 lbrtfdc - ok
22:24:17.0734 1868 LmHosts (a7db739ae99a796d91580147e919cc59) C:\windows\System32\lmhsvc.dll
22:24:17.0734 1868 LmHosts - ok
22:24:17.0765 1868 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\windows\System32\msgsvc.dll
22:24:17.0781 1868 Messenger - ok
22:24:17.0812 1868 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\windows\system32\drivers\mnmdd.sys
22:24:17.0828 1868 mnmdd - ok
22:24:17.0859 1868 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
22:24:17.0890 1868 mnmsrvc - ok
22:24:17.0968 1868 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\windows\system32\drivers\Modem.sys
22:24:17.0968 1868 Modem - ok
22:24:18.0109 1868 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\windows\system32\DRIVERS\mouclass.sys
22:24:18.0109 1868 Mouclass - ok
22:24:18.0187 1868 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\windows\system32\DRIVERS\mouhid.sys
22:24:18.0187 1868 mouhid - ok
22:24:18.0406 1868 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\windows\system32\drivers\MountMgr.sys
22:24:18.0406 1868 MountMgr - ok
22:24:18.0421 1868 mraid35x - ok
22:24:18.0421 1868 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\windows\system32\DRIVERS\mrxdav.sys
22:24:18.0437 1868 MRxDAV - ok
22:24:18.0515 1868 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\windows\system32\DRIVERS\mrxsmb.sys
22:24:18.0531 1868 MRxSmb - ok
22:24:18.0562 1868 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
22:24:18.0593 1868 MSDTC - ok
22:24:18.0656 1868 Msfs (c941ea2454ba8350021d774daf0f1027) C:\windows\system32\drivers\Msfs.sys
22:24:18.0656 1868 Msfs - ok
22:24:18.0656 1868 MSIServer - ok
22:24:18.0687 1868 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\windows\system32\drivers\MSKSSRV.sys
22:24:18.0687 1868 MSKSSRV - ok
22:24:18.0718 1868 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\windows\system32\drivers\MSPCLOCK.sys
22:24:18.0718 1868 MSPCLOCK - ok
22:24:18.0750 1868 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\windows\system32\drivers\MSPQM.sys
22:24:18.0750 1868 MSPQM - ok
22:24:18.0812 1868 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\windows\system32\DRIVERS\mssmbios.sys
22:24:18.0812 1868 mssmbios - ok
22:24:18.0843 1868 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\windows\system32\drivers\Mup.sys
22:24:18.0843 1868 Mup - ok
22:24:19.0046 1868 napagent (0102140028fad045756796e1c685d695) C:\windows\System32\qagentrt.dll
22:24:19.0109 1868 napagent - ok
22:24:19.0343 1868 NAVENG (862f55824ac81295837b0ab63f91071f) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20120330.036\NAVENG.SYS
22:24:19.0343 1868 NAVENG - ok
22:24:19.0437 1868 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20120330.036\NAVEX15.SYS
22:24:19.0468 1868 NAVEX15 - ok
22:24:19.0593 1868 NDIS (1df7f42665c94b825322fae71721130d) C:\windows\system32\drivers\NDIS.sys
22:24:19.0593 1868 NDIS - ok
22:24:19.0671 1868 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\windows\system32\DRIVERS\ndistapi.sys
22:24:19.0687 1868 NdisTapi - ok
22:24:19.0812 1868 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\windows\system32\DRIVERS\ndisuio.sys
22:24:19.0843 1868 Ndisuio - ok
22:24:19.0875 1868 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\windows\system32\DRIVERS\ndiswan.sys
22:24:19.0875 1868 NdisWan - ok
22:24:19.0953 1868 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\windows\system32\drivers\NDProxy.sys
22:24:20.0015 1868 NDProxy - ok
22:24:20.0031 1868 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\windows\system32\DRIVERS\netbios.sys
22:24:20.0031 1868 NetBIOS - ok
22:24:20.0046 1868 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\windows\system32\DRIVERS\netbt.sys
22:24:20.0062 1868 NetBT - ok
22:24:20.0203 1868 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\windows\system32\netdde.exe
22:24:20.0234 1868 NetDDE - ok
22:24:20.0234 1868 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\windows\system32\netdde.exe
22:24:20.0234 1868 NetDDEdsdm - ok
22:24:20.0296 1868 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\windows\system32\lsass.exe
22:24:20.0296 1868 Netlogon - ok
22:24:20.0328 1868 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\windows\System32\netman.dll
22:24:20.0328 1868 Netman - ok
22:24:20.0406 1868 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
22:24:20.0406 1868 NetTcpPortSharing - ok
22:24:20.0593 1868 NETw3x32 (50f5de54e1d1646c02078f3eddc15a8e) C:\windows\system32\DRIVERS\NETw3x32.sys
22:24:36.0703 1868 MBR (0x1B8) (1f753b395539269a3484aecd505b79bd) \Device\Harddisk0\DR0
22:24:36.0921 1868 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - infected
22:24:36.0921 1868 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Sinowal.b (0)
22:24:36.0921 1868 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR3
22:24:36.0921 1868 \Device\Harddisk1\DR3 - ok
22:24:36.0953 1868 Boot (0x1200) (dbc41d45d721ae228d9025a5280edfd9) \Device\Harddisk0\DR0\Partition0
22:24:36.0953 1868 \Device\Harddisk0\DR0\Partition0 - ok
22:24:36.0953 1868 Boot (0x1200) (d184e3d18feee494877467b99539be43) \Device\Harddisk1\DR3\Partition0
22:24:36.0953 1868 \Device\Harddisk1\DR3\Partition0 - ok
22:24:36.0953 1868 ============================================================
22:24:36.0953 1868 Scan finished
22:24:36.0953 1868 ============================================================
22:24:36.0968 4828 Detected object count: 2
22:24:36.0968 4828 Actual detected object count: 2
22:24:43.0578 4828 C:\windows\system32\DRIVERS\ACPI.sys - copied to quarantine
22:25:07.0546 4828 Backup copy not found, trying to cure infected file..
22:25:07.0546 4828 Cure success, using it..
22:25:09.0187 4828 C:\windows\system32\DRIVERS\ACPI.sys - will be cured on reboot
22:25:09.0187 4828 ACPI ( Virus.Win32.Rloader.a ) - User select action: Cure
22:25:21.0406 4828 \Device\Harddisk0\DR0\# - copied to quarantine
22:25:21.0406 4828 \Device\Harddisk0\DR0 - copied to quarantine
22:25:21.0437 4828 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - will be cured on reboot
22:25:21.0500 4828 \Device\Harddisk0\DR0 - ok
22:25:21.0515 4828 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - User select action: Cure
22:25:48.0062 1408 Deinitialize success
 
Good job :)

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

==============================================================

Download Bootkit Remover to your desktop.

  • Unzip downloaded file to your Desktop.
  • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on boot_cleaner.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
aswMBR and Bootkit Remover

Here are the logs for aswMBR and Bootkit Remover:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-01 15:49:30
-----------------------------
15:49:30.390 OS Version: Windows 5.1.2600 Service Pack 3
15:49:30.390 Number of processors: 2 586 0xE08
15:49:30.390 ComputerName: TOSHIBA-ENG UserName: dbouchard
15:49:32.359 Initialize success
15:52:32.531 AVAST engine defs: 12040101
15:53:22.625 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
15:53:22.625 Disk 0 Vendor: HTS541080G9SA00 MB4OC60D Size: 76319MB BusType: 3
15:53:22.656 Disk 0 MBR read successfully
15:53:22.656 Disk 0 MBR scan
15:53:22.703 Disk 0 Windows XP default MBR code
15:53:22.703 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 72268 MB offset 63
15:53:22.734 Disk 0 Partition 2 00 1C Hidd FAT32 LBA MSDOS5.0 4047 MB offset 148006845
15:53:22.734 Disk 0 scanning sectors +156296385
15:53:22.750 Disk 0 malicious Win32:MBRoot code @ sector 156296388 !
15:53:22.796 Disk 0 scanning C:\windows\system32\drivers
15:53:31.328 Service scanning
15:53:31.875 Service .cdrom \? **LOCKED** 123
15:53:50.109 Modules scanning
15:53:56.625 Disk 0 trace - called modules:
15:53:56.625 ntoskrnl.exe CLASSPNP.SYS disk.sys thpdrv.sys hal.dll ACPI.sys atapi.sys pciide.sys PCIIDEX.SYS
15:53:56.625 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a669ab8]
15:53:56.625 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\THPDRV[0x8a6e9948]
15:53:56.640 5 thpdrv.sys[f76796ff] -> nt!IofCallDriver -> \Device\0000008c[0x8a6b8138]
15:53:56.640 7 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a74fd98]
15:53:57.421 AVAST engine scan C:\windows
15:54:09.796 AVAST engine scan C:\windows\system32
15:56:19.906 AVAST engine scan C:\windows\system32\drivers
15:56:32.109 AVAST engine scan C:\Documents and Settings\dbouchard
15:57:36.296 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\dbouchard\Desktop\MBR.dat"
15:57:36.296 The log file has been saved successfully to "C:\Documents and Settings\dbouchard\Desktop\aswMBR.txt"


Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...
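Added example, not from the thread or from any of the tools used in it: a small Python parser for a saved MBR copy such as the MBR.dat that aswMBR writes to the desktop. It reports the MD5 of the 0x1B8-byte boot-code region (the "MBR (0x1B8)" hash TDSSKiller logs), the partition table, and the first sector past the last partition, which is where aswMBR began "scanning sectors" and found the MBRoot code. The sample MBR is constructed to match the partition layout in the aswMBR log above; its boot code is a zero placeholder, so its hash is not the poster's.

```python
"""Inspect a saved MBR copy (e.g. the MBR.dat that aswMBR writes to the desktop).

Added example, not part of the thread or of any of the tools it uses. It reports
the same three things the logs above show: the MD5 of the 440-byte boot-code
region (TDSSKiller's "MBR (0x1B8)" hash), the partition table, and the first
sector past the last partition, where aswMBR began its "scanning sectors" pass.
The sample MBR below is constructed to mirror the partition layout from the
aswMBR log; it is not the poster's real MBR.dat.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_LEN = 0x1B8          # boot-code region hashed by TDSSKiller ("MBR (0x1B8)")
PTABLE_OFFSET = 0x1BE     # four 16-byte partition entries
SIGNATURE = b"\x55\xAA"   # boot signature at bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Parse a 512-byte MBR into code hash, partition entries and free-space start."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"MBR must be exactly {SECTOR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")

    partitions = []
    for i in range(4):
        entry = mbr[PTABLE_OFFSET + 16 * i: PTABLE_OFFSET + 16 * (i + 1)]
        # boot flag (1), CHS start (3), type (1), CHS end (3), LBA start (4), sectors (4)
        boot, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0x00 and sectors == 0:
            continue  # unused slot
        partitions.append({
            "index": i + 1,
            "bootable": boot == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mb": sectors * SECTOR_SIZE // (1024 * 1024),
        })

    # First sector after the highest-ending partition. Space beyond it is
    # unallocated, which is where the aswMBR log found the MBRoot code.
    free_start = max((p["lba_start"] + p["sectors"] for p in partitions), default=0)

    return {
        "code_md5": hashlib.md5(mbr[:CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "free_space_start": free_start,
    }


def build_entry(boot: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build one partition-table entry (CHS fields zeroed; LBA is what matters)."""
    return struct.pack("<B3xB3xII", boot, ptype, lba_start, sectors)


def sample_mbr() -> bytes:
    """Constructed MBR with the two partitions seen in the aswMBR log."""
    code = bytes(CODE_LEN)                       # placeholder boot code (all zeros)
    disk_id = bytes(6)                           # disk signature + 2 reserved bytes
    table = (
        build_entry(0x80, 0x07, 63, 148006782)          # NTFS, bootable, offset 63
        + build_entry(0x00, 0x1C, 148006845, 8289540)   # hidden FAT32 LBA partition
        + bytes(32)                                     # two empty slots
    )
    return code + disk_id + table + SIGNATURE


def load_mbr_file(path: str) -> dict:
    """Parse the first sector of a saved MBR copy such as MBR.dat."""
    with open(path, "rb") as fh:
        return parse_mbr(fh.read(SECTOR_SIZE))


if __name__ == "__main__":
    info = parse_mbr(sample_mbr())
    print("MBR (0x1B8) md5:", info["code_md5"])
    for p in info["partitions"]:
        flag = "80 (A)" if p["bootable"] else "00"
        print(f"Partition {p['index']} {flag} {p['type']:02X} "
              f"{p['size_mb']} MB offset {p['lba_start']}")
    print("Unpartitioned space starts at sector", info["free_space_start"])
```

Run against a real MBR.dat with `load_mbr_file("MBR.dat")`; the free-space start for the constructed sample comes out as 156296385, the same sector the aswMBR log shows.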
 
Good.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
  • NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure you re-enable your security programs when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe
  • Double-click on the Rkill icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Even though I disabled Norton, ComboFix is still detecting it. It gave the following warning: "The above realtime scanner is still active but combofix will continue to run. kindly note this is at your own risk"
 
While running ComboFix it asked for the Recovery Console, so I clicked yes and the following error returned: "boot partition can not be enumerated correctly." Is this a big deal?
 
It looks like your boot.ini file is missing/corrupted.

Download BootCheck.exe to your desktop.

  • Double click BootCheck.exe to run the check
  • When complete, a Notepad window will open with some text in it
  • Save the Notepad file to your desktop as BootCheck.txt
  • Copy the contents of BootCheck.txt and post it in your next reply
 
Combofix log

Ran combofix. Here is the log.

ComboFix 12-04-01.01 - dbouchard 04/01/2012 20:10:55.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1522 [GMT -4:00]
Running from: c:\documents and settings\dbouchard\Desktop\ComboFix.exe
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\avbase.dat
c:\documents and settings\All Users\Application Data\fdbdbccfdddct.exe
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\dennis\WINDOWS
c:\documents and settings\NetworkService\Application Data\Microsoft\Microsoft
c:\windows\$NtUninstallKB24570$
c:\windows\$NtUninstallKB24570$\3203652787
c:\windows\system32\drivers\etc\hosts.ics
.
c:\windows\system32\drivers\cdrom.sys was missing
Restored copy from - c:\system volume information\_restore{4E050833-19BF-4AB5-9E56-C7581072F5E7}\RP418\A0141142.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_.cdrom
.
.
((((((((((((((((((((((((( Files Created from 2012-03-02 to 2012-04-02 )))))))))))))))))))))))))))))))
.
.
2012-04-02 00:24 . 2008-04-14 04:10 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2012-04-02 00:24 . 2008-04-14 04:10 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-04-01 02:24 . 2012-04-01 02:24 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-30 04:59 . 2012-03-30 04:59 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2012-03-30 03:14 . 2012-03-30 03:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-03-30 03:14 . 2012-03-30 03:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-03-27 01:01 . 2012-03-27 01:01 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2012-03-27 01:01 . 2012-03-27 01:01 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2012-03-25 12:04 . 2012-03-25 12:04 -------- d-----w- c:\documents and settings\All Users\Application DataMicrosoft
2012-03-03 16:12 . 2012-03-03 16:12 -------- d-sh--w- c:\documents and settings\dbouchard\IECompatCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-01 06:13 . 2008-04-14 04:06 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2012-03-01 17:53 . 2012-03-01 17:53 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-03-01 17:53 . 2012-03-01 17:53 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-02-12 15:59 . 2012-02-12 15:59 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-01-04 00:48 . 2012-01-04 00:48 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-11-06 16:46 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-11-06 16:46 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1343488]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-11-06 16:34 52224 ----a-w- c:\windows\system32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck msln\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"Browser Defender Update Service"=2 (0x2)
"Thpsrv"=2 (0x2)
"TAPPSRV"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"EvtEng"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:mad:xpsp2res.dll,-22009
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1207000.00D\symds.sys [1/30/2012 11:37 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1207000.00D\symefa.sys [1/30/2012 11:37 PM 744568]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2/8/2007 2:46 PM 16896]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2/7/2007 6:29 PM 6528]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20120317.002\BHDrvx86.sys [3/19/2012 9:02 PM 820856]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1207000.00D\ironx86.sys [1/30/2012 11:37 PM 136312]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.7.0.13\ccsvchst.exe [1/30/2012 11:37 PM 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/16/2012 12:11 PM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20120330.002\IDSXpx86.sys [3/31/2012 2:25 PM 356280]
S3 TBIMount;TBIMount;c:\windows\system32\drivers\TBIMount.sys [12/14/2010 8:47 PM 87648]
S4 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;\??\c:\docume~1\DBOUCH~1\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys --> c:\docume~1\DBOUCH~1\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2012 3:24 AM 136176]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2012 3:24 AM 136176]
S4 ktlwku;ktlwku;c:\windows\system32\drivers\oess.sys --> c:\windows\system32\drivers\oess.sys [?]
S4 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]
S4 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-28 07:23]
.
2012-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-28 07:23]
.
2012-04-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-545942363-657050502-1754407576-1137.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 22:45]
.
2012-03-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-545942363-657050502-1754407576-1137.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 22:45]
.
2012-04-02 c:\windows\Tasks\User_Feed_Synchronization-{BC25EC36-1F3F-4F75-8E0E-E642523A8159}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-fdbdbccfdddct - c:\documents and settings\All Users\Application Data\fdbdbccfdddct.exe
HKLM-Run-TkBellExe - e:\realplayer\update\realsched.exe
HKU-Default-Run-dplaysvr - c:\documents and settings\dbouchard\Application Data\dplaysvr.exe
HKU-Default-Run-fdbdbccfdddct - c:\documents and settings\All Users\Application Data\fdbdbccfdddct.exe
SafeBoot-58805711.sys
AddRemove-FrostWire - e:\frostwire\Uninstall.exe
AddRemove-RealPlayer 15.0 - e:\realplayer\Update\r1puninst.exe
AddRemove-Shareaza MediaBar - c:\program files\Shareaza Applications\MediaBar\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-01 20:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.7.0.13\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"="c:\\PROGRA~1\\SHAREA~1\\MediaBar\\Datamngr\\datamngr.dll c:\\PROGRA~1\\SHAREA~1\\MediaBar\\Datamngr\\IEBHO.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(916)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
.
- - - - - - - > 'lsass.exe'(972)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
.
- - - - - - - > 'explorer.exe'(4020)
c:\windows\system32\WININET.dll
c:\program files\Protector Suite QL\farchns.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\windows\AGRSMMSG.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
.
**************************************************************************
.
Completion time: 2012-04-01 20:39:55 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-02 00:39
.
Pre-Run: 25,724,964,864 bytes free
Post-Run: 34,081,218,560 bytes free
.
- - End Of File - - 2597215168E3FAC89D350FC688F95E33
 
Bootcheck log

Here is the bootcheck log.


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !

Contents of boot.ini:
 
Click Start, click Run, type sysdm.cpl, and then click OK.
On the Advanced tab, click Settings under Startup and Recovery.
Under System Startup, click Edit. This will open the boot.ini file in Notepad.
In your case the Notepad window will be empty.

Copy the following text:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
and paste it into the open Notepad window.
Go to File > Save.
Close Notepad.

Restart the computer and re-run ComboFix; it should allow you to install the Recovery Console this time.
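A sanity check for the boot.ini edit described above, added here as an example and not part of the helper's instructions: it parses the two boot.ini variants that appear in this thread (the one pasted above, and the one ComboFix writes once the Recovery Console is installed), confirms the default= target matches an [operating systems] entry, and reports whether a /cmdcons entry is present. The sample texts are embedded inline; the parser is hand-written rather than configparser because ARC paths like c:\cmdcons contain ':' which configparser would treat as a delimiter.

```python
"""Check a Windows XP boot.ini before saving it (added example, not the thread's own code)."""

# Sample 1: the boot.ini suggested in the post above (no Recovery Console yet).
BOOT_INI_BASIC = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""

# Sample 2: the boot.ini ComboFix writes after installing the Recovery Console
# (copied from the ComboFix log in this thread).
BOOT_INI_CMDCONS = """[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
c:\\cmdcons\\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""


def parse_boot_ini(text):
    """Parse boot.ini into {section: {key: value}}; split on the first '=' only,
    because ARC paths and drive letters contain ':' and '(' characters."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def check_boot_ini(text):
    """Return a list of findings; an empty list means the file looks sane."""
    if not text.strip():
        # This is exactly the state ComboFix's bootcheck warned about above.
        return ["boot.ini is empty; the boot menu cannot be built from it"]
    try:
        cfg = parse_boot_ini(text)
    except ValueError as err:
        return [str(err)]
    loader = cfg.get("boot loader")
    systems = cfg.get("operating systems")
    findings = []
    if loader is None:
        findings.append("missing [boot loader] section")
    if systems is None:
        findings.append("missing [operating systems] section")
    if findings:
        return findings
    default = loader.get("default")
    targets = {k.lower() for k in systems}
    if default is None:
        findings.append("[boot loader] has no default= entry")
    elif default.lower() not in targets:
        findings.append(f"default target {default} has no [operating systems] entry")
    if not loader.get("timeout", "").isdigit():
        findings.append("timeout= is missing or not a number")
    for target, desc in systems.items():
        if not desc.startswith('"'):
            findings.append(f"entry {target} lacks a quoted description")
    return findings


def has_recovery_console(text):
    """True when an [operating systems] entry carries the /cmdcons switch."""
    systems = parse_boot_ini(text).get("operating systems", {})
    return any("/cmdcons" in v.lower() for v in systems.values())
```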
 
Combofix re-run

Here is the ComboFix log.

ComboFix 12-04-01.01 - dbouchard 04/01/2012 21:33:31.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1348 [GMT -4:00]
Running from: c:\documents and settings\dbouchard\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((( Files Created from 2012-03-02 to 2012-04-02 )))))))))))))))))))))))))))))))
.
.
2012-04-02 00:24 . 2008-04-14 04:10 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2012-04-02 00:24 . 2008-04-14 04:10 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-04-01 02:24 . 2012-04-01 02:24 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-30 04:59 . 2012-03-30 04:59 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2012-03-30 03:14 . 2012-03-30 03:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-03-30 03:14 . 2012-03-30 03:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-03-27 01:01 . 2012-03-27 01:01 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
2012-03-27 01:01 . 2012-03-27 01:01 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2012-03-25 12:04 . 2012-03-25 12:04 -------- d-----w- c:\documents and settings\All Users\Application DataMicrosoft
2012-03-03 16:12 . 2012-03-03 16:12 -------- d-sh--w- c:\documents and settings\dbouchard\IECompatCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-01 06:13 . 2008-04-14 04:06 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2012-03-01 17:53 . 2012-03-01 17:53 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-03-01 17:53 . 2012-03-01 17:53 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-02-12 15:59 . 2012-02-12 15:59 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-01-04 00:48 . 2012-01-04 00:48 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-11-06 16:46 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-11-06 16:46 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1343488]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-11-06 16:34 52224 ----a-w- c:\windows\system32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck msln\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"Browser Defender Update Service"=2 (0x2)
"Thpsrv"=2 (0x2)
"TAPPSRV"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"EvtEng"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1207000.00D\symds.sys [1/30/2012 11:37 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1207000.00D\symefa.sys [1/30/2012 11:37 PM 744568]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2/8/2007 2:46 PM 16896]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2/7/2007 6:29 PM 6528]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20120317.002\BHDrvx86.sys [3/19/2012 9:02 PM 820856]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1207000.00D\ironx86.sys [1/30/2012 11:37 PM 136312]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.7.0.13\ccsvchst.exe [1/30/2012 11:37 PM 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/16/2012 12:11 PM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20120330.002\IDSXpx86.sys [3/31/2012 2:25 PM 356280]
S3 TBIMount;TBIMount;c:\windows\system32\drivers\TBIMount.sys [12/14/2010 8:47 PM 87648]
S4 fsbl-standalone;F-Secure BlackLight Beta Engine Driver;\??\c:\docume~1\DBOUCH~1\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys --> c:\docume~1\DBOUCH~1\LOCALS~1\Temp\F-Secure\BlackLight\fsbldrv.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2012 3:24 AM 136176]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2012 3:24 AM 136176]
S4 ktlwku;ktlwku;c:\windows\system32\drivers\oess.sys --> c:\windows\system32\drivers\oess.sys [?]
S4 szkg5;szkg5;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]
S4 szkgfs;szkgfs;c:\windows\system32\drivers\szkgfs.sys --> c:\windows\system32\drivers\szkgfs.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-28 07:23]
.
2012-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-28 07:23]
.
2012-04-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-545942363-657050502-1754407576-1137.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 22:45]
.
2012-03-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-545942363-657050502-1754407576-1137.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 22:45]
.
2012-04-02 c:\windows\Tasks\User_Feed_Synchronization-{BC25EC36-1F3F-4F75-8E0E-E642523A8159}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-01 21:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.7.0.13\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"="c:\\PROGRA~1\\SHAREA~1\\MediaBar\\Datamngr\\datamngr.dll c:\\PROGRA~1\\SHAREA~1\\MediaBar\\Datamngr\\IEBHO.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(916)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
.
- - - - - - - > 'lsass.exe'(972)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
.
- - - - - - - > 'explorer.exe'(1912)
c:\windows\system32\WININET.dll
c:\program files\Protector Suite QL\farchns.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-04-01 21:41:23
ComboFix-quarantined-files.txt 2012-04-02 01:41
ComboFix2.txt 2012-04-02 00:39
.
Pre-Run: 34,084,126,720 bytes free
Post-Run: 34,071,580,672 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
.
- - End Of File - - F61796B75A0AAF4E306133AE6748FF58
 
Good job :)

How is computer doing?

Download OTL to your Desktop.

  • Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\tasks\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 