Help! Virus still on Laptop after reformat?

By mazmac
Feb 5, 2011
  1. hi, I really hope someone can help me :)
    My boyfriend somehow managed to get a really aggressive virus on his laptop and I've been trying to get rid of it, but no luck!
    What the virus does is it closes all the antivirus programs after a couple of seconds, makes new folders, takes control of the start menu, opens/loads other folders and then shuts itself down.
    I've tried to manually remove it using safe mode and deleting bits of it in regedit, but no luck.. it even blocks the keyboard.. it's mental!
    Luckily, before the virus appeared we saved all his files on my external HD.
    So I decided to reformat his whole laptop and reinstall Windows 7.. he had two partitions and I formatted both and deleted both, so he now has one partition and the installed Windows. It took a long time and afterwards the same things started to happen.. so I did it again and there were two partitions again, so I reformatted and deleted both and reinstalled Windows, but the same thing. (I've done this about 4 times now)
    What I've also realised is that while the laptop loads up the keyboard sometimes blocks and I can't press Enter or go into BIOS etc.
    I don't know what to do anymore and it's really annoying!

    The laptop has not been connected to the internet since the virus came.
    Also the windows 7 installation disc is a legitimate copy.

    So can anyone help me? please?!?! thanks in advance :)
  2. Bobbye


    Welcome to TechSpot!

    I'll try to help you find the source of the problem. A word of Warning! Stay out of the BIOS or any other system processes. You can end up making the matter much worse.

    I will need information about what is on the system. If you cannot access the internet from the problem computer, you can download the scanning programs to a flash drive, then install and run on the problem computer:

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.


    An additional note: It is very possible that a file or folder you backed up was infected with malware. IF you reformatted/reinstalled, then put the file back on to the computer, you may have reinfected it. For now, please do not put any of the backups back onto the system, particularly if they are .exe files.
  3. mazmac


    that's the thing, I haven't added anything back on it after I reformatted it.
    I did the backup of his things prob a month before the virus, so his files aren't infected..

    I've used the following antivirus programs and they shut down after a couple of seconds:

    Microsoft Security Essentials
    Malwarebytes' Anti-Malware
    AVG
    and another one but I can't remember the name.

    Also the first two were already installed before the virus


    the windows disk is an original retail disk so it can't be from that..
    when I reinstalled windows I did a custom install - format then deleted everything.

    also I can't take it to the store where my boyfriend's step-dad purchased it from, cause that is in Sweden and I live in Croatia, and his laptop is about 4 years old..
  4. mazmac


    ok I followed all the instructions on "UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions"

    1. I installed Avira Free, it managed to do a quick scan and reported that there were no infected files, then when I tried to do a full scan the whole system went haywire and shut itself down.

    2. I ran TFC but not much happened it removed a very small amount of files and then I restarted it.

    3. Surprisingly I managed to run a full scan with Malwarebytes' Anti-Malware; before I reformatted the laptop it would close the antivirus program in a matter of seconds and then switch the laptop off.. however the scan didn't find anything.
    Here is the log mbam-log-2011-02-05 (22-06-50):

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5363

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    05/02/2011 22:06:50
    mbam-log-2011-02-05 (22-06-50).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 166843
    Time elapsed: 39 minute(s), 38 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    4. I ran GMER and the first time I ran it, halfway through the laptop went crazy and shut itself off. It then took me a good 10 minutes to get the system to switch on, because the keyboard gets blocked and I can't select Enter for Windows to resume normally; then somehow after restarting it a couple of times it was ok.
    I then tried to run it again and it froze, and then third time lucky :)
    here is the log gmer:

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-02-05 22:54:52
    Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST950212A rev.3.05
    Running: wzpj3in2.exe; Driver: C:\Users\Antonio\AppData\Local\Temp\axldqfog.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!ZwSaveKeyEx + 13B1 828698E9 1 Byte [06]
    .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 828893B2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\ACPI_HAL \Device\00000040 halacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows Search\CatalogNames\Windows\SystemIndex@pkm:catalog:LastCatalogCrawlId 9
    Reg HKLM\SOFTWARE\Microsoft\Windows Search\CatalogNames\Windows\SystemIndex@pkm:catalog:LastCatalogCrawlModified 3
    Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\10
    Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\10@CrawlType 2
    Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\10@InProgress 1
    Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\10@DoneAddingCrawlSeeds 1
    Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\10@IsCatalogLevel 0
    Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\10@LogStartAddId 2
    Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\2@CrawlNumberInProgress 10

    ---- EOF - GMER 1.0.15 ----


    5. I ran DDS straight after GMER and here are the logs DDS and Attach:

    DDS log:

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Antonio at 22:55:44.54 on 05/02/2011
    Internet Explorer: 8.0.7600.16385
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.736.366 [GMT 13:00]

    AV: AntiVir Desktop *Enabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: AntiVir Desktop *Enabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\sppsvc.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Antonio\Desktop\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

    ============= SERVICES / DRIVERS ===============

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-2-5 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-2-5 267944]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-2-5 61960]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]

    =============== Created Last 30 ================

    2011-02-05 21:11:49 -------- d-----w- c:\windows\Panther
    2011-02-05 09:28:26 -------- d-----w- c:\windows\system32\New folder
    2011-02-05 08:26:20 -------- d-----w- c:\users\antonio\appdata\roaming\Malwarebytes
    2011-02-05 08:26:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-05 08:26:14 -------- d-----w- c:\progra~2\Malwarebytes
    2011-02-05 08:26:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-05 08:26:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-05 08:16:31 -------- d-----w- c:\users\antonio\appdata\local\ElevatedDiagnostics
    2011-02-05 07:21:42 -------- d-----w- c:\users\antonio\appdata\roaming\Avira
    2011-02-05 07:19:14 -------- d-----w- c:\windows\system32\wbem\Performance
    2011-02-05 07:18:46 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-02-05 07:18:45 -------- d-----w- c:\program files\Avira
    2011-02-05 07:18:45 -------- d-----w- c:\progra~2\Avira
    2011-02-05 07:17:23 -------- d-sh--w- c:\windows\Installer

    ==================== Find3M ====================


    ============= FINISH: 22:56:28.40 ===============


    Attach log:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 05/02/2011 13:24:07
    System Uptime: 05/02/2011 22:35:42 (0 hours ago)

    Motherboard: NEC COMPUTERS INTERNATIONAL | | Rhea B
    Processor: Intel(R) Celeron(R) M processor 1.30GHz | mPGA478 | 1294/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 46 GiB total, 39.581 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID:
    Description: Video Controller
    Device ID: PCI\VEN_8086&DEV_3582&SUBSYS_D0041631&REV_02\3&18D45AA6&0&11
    Manufacturer:
    Name: Video Controller
    PNP Device ID: PCI\VEN_8086&DEV_3582&SUBSYS_D0041631&REV_02\3&18D45AA6&0&11
    Service:

    Class GUID:
    Description:
    Device ID: ACPI\MTC0003\4&69EE968&0
    Manufacturer:
    Name:
    PNP Device ID: ACPI\MTC0003\4&69EE968&0
    Service:

    Class GUID:
    Description: Multimedia Audio Controller
    Device ID: PCI\VEN_8086&DEV_24C5&SUBSYS_D0041631&REV_03\3&18D45AA6&0&FD
    Manufacturer:
    Name: Multimedia Audio Controller
    PNP Device ID: PCI\VEN_8086&DEV_24C5&SUBSYS_D0041631&REV_03\3&18D45AA6&0&FD
    Service:

    Class GUID:
    Description: PCI Modem
    Device ID: PCI\VEN_8086&DEV_24C6&SUBSYS_D0041631&REV_03\3&18D45AA6&0&FE
    Manufacturer:
    Name: PCI Modem
    PNP Device ID: PCI\VEN_8086&DEV_24C6&SUBSYS_D0041631&REV_03\3&18D45AA6&0&FE
    Service:

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    Avira AntiVir Personal - Free Antivirus
    Malwarebytes' Anti-Malware
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

    ==== Event Viewer Messages From Past Week ========

    05/02/2011 22:35:46, Error: Microsoft-Windows-Kernel-Processor-Power [6] - Some processor performance power management features have been disabled due to a known firmware problem. Check with the computer manufacturer for updated firmware.

    ==== End Of File ===========================



    I hope you can help me fix the laptop..

    btw I forgot to mention earlier that when I start the laptop up it sometimes produces these really high-pitched sounds and freezes for a bit, and then I have to restart it; but then sometimes it only does it for a second and then continues normally.

    also the keyboard during start up rarely gives any sign of life, but then when it gets to the desktop it sometimes works fine and sometimes it goes all crazy and inverts everything, and the only letters it can type are Á É Í Ó.

    thanks in advance for any other help :)
  5. Bobbye


    A few questions come to mind:
    1. Do you have another language other than English on the system?
    2. I have some concern about all the reformats/reinstalls you've done and the fact that you wanted to access the BIOS: what did you want to do in the BIOS?
    3. Are you using the touchpad or a USB mouse for the laptop?
    4. Your description of what the keyboard is doing, or isn't doing, is system related. Have you ever gone into the Control Panel, typed keyboard in the search, double-clicked the keyboard icon when it displays and checked the settings?
    Windows 7 has some keyboard tweaks such as changing how fast the keys repeat when you hold them down. And if the keyboard has extra buttons along the top, you will need to install the keyboard's software to make them work.
    =====================================
    As for the screaming startup, never a good sign! I'd like you to run the following 2 scans, without doing anything else to the system.

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ===============================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • [image: Recovery Console query]
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [image: Recovery Console installed confirmation]
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
  6. mazmac


    no I don't have another language installed, when I was installing Windows 7 the keyboard language I chose was English, and I haven't installed any other language after that.

    as for the BIOS, I didn't do anything to it, nor did I enter it; I was just stating the fact that during start up the keyboard blocks and I can't enter the BIOS, boot on network, nor select anything after that, i.e. resume Windows etc.

    I use a touchpad and the keyboard doesn't have any extra buttons

    the " the screaming startup" only happens maybe 2/10 times

    I ran the Eset NOD32 Online AntiVirus scan and the first time it got to 99% and then the computer went mental and shut down.. the second time I tried it froze, and then the third time it managed to do the scan, but I had to constantly close folders and properties of folders and stop it from shutting down; during the scan it created about 12 'New Folders'. However the scan didn't find any infected items, and when I tried to find the log report I wasn't sure if this was the right one, but nevertheless here is the log I found:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    esets_scanner_update returned -1 esets_gle=53251

    I then ran Combofix and here is the log:

    ComboFix 11-02-05.01 - Antonio 07/02/2011 3:01.1.1 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.736.335 [GMT 13:00]
    Running from: c:\users\Antonio\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
    Restored copy from - c:\combofix\HarddiskVolumeShadowCopy5_!Windows!System32!drivers!atapi.sys

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-06 to 2011-02-06 )))))))))))))))))))))))))))))))
    .

    2011-02-06 14:25 . 2011-02-06 14:25 -------- d-----w- c:\windows\system32\Wat
    2011-02-06 14:15 . 2011-02-06 14:15 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-02-06 14:05 . 2010-02-11 07:10 293376 ----a-w- c:\windows\system32\browserchoice.exe
    2011-02-06 14:03 . 2010-03-04 03:57 190976 ----a-w- c:\windows\system32\drivers\ks.sys
    2011-02-06 13:15 . 2010-08-21 05:36 224256 ----a-w- c:\windows\system32\schannel.dll
    2011-02-06 13:13 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
    2011-02-06 13:13 . 2010-08-21 05:33 530432 ----a-w- c:\windows\system32\comctl32.dll
    2011-02-06 13:13 . 2010-08-31 04:32 954752 ----a-w- c:\windows\system32\mfc40.dll
    2011-02-06 13:13 . 2010-08-31 04:32 954288 ----a-w- c:\windows\system32\mfc40u.dll
    2011-02-06 13:13 . 2010-09-01 04:26 164864 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
    2011-02-06 13:13 . 2010-09-01 04:23 12625408 ----a-w- c:\windows\system32\wmploc.DLL
    2011-02-06 13:11 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2011-02-06 13:08 . 2011-02-02 04:10 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A1817E31-0F49-40E3-9C03-C609D2981685}\mpengine.dll
    2011-02-06 13:08 . 2011-02-02 04:11 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-02-06 12:58 . 2010-10-19 08:10 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
    2011-02-06 12:58 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-02-06 12:58 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2011-02-06 12:58 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-02-06 12:56 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
    2011-02-06 12:56 . 2010-10-20 03:00 2327552 ----a-w- c:\windows\system32\win32k.sys
    2011-02-06 12:36 . 2011-02-06 12:36 -------- d-----w- c:\program files\ESET
    2011-02-05 23:40 . 2011-02-05 23:40 -------- d-----w- c:\program files\Belkin
    2011-02-05 23:23 . 2011-02-05 23:42 -------- d--h--w- c:\program files\InstallShield Installation Information
    2011-02-05 23:21 . 2011-02-05 23:33 -------- d-----w- c:\program files\Common Files\InstallShield
    2011-02-05 21:11 . 2011-02-05 00:24 -------- d-----w- c:\windows\Panther
    2011-02-05 09:28 . 2011-02-05 09:28 -------- d-----w- c:\windows\system32\New folder
    2011-02-05 08:26 . 2010-12-20 05:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-05 08:26 . 2011-02-05 08:26 -------- d-----w- c:\programdata\Malwarebytes
    2011-02-05 08:26 . 2011-02-05 08:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-05 08:26 . 2010-12-20 05:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-05 07:19 . 2011-02-06 13:57 -------- d-----w- c:\windows\system32\wbem\Performance
    2011-02-05 07:18 . 2011-01-10 01:23 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-02-05 07:18 . 2011-01-10 01:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-02-05 07:18 . 2011-02-05 07:18 -------- d-----w- c:\programdata\Avira
    2011-02-05 07:18 . 2011-02-05 07:18 -------- d-----w- c:\program files\Avira
    2011-02-05 07:17 . 2011-02-05 23:40 -------- d-sh--w- c:\windows\Installer
    2011-02-05 00:24 . 2011-02-05 00:24 -------- d-----w- c:\users\Antonio
    2011-02-05 00:24 . 2011-02-05 00:24 -------- d-----w- C:\Recovery

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BrowserChoice"="c:\windows\System32\browserchoice.exe" [2010-02-11 293376]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)

    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-02-06 1343400]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-01-10 135336]
    S3 kbd;Keyboard;c:\windows\system32\DRIVERS\kbd.sys [2005-09-29 21504]

    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\servicing\TrustedInstaller.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\sppsvc.exe
    c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\windows\System32\mshta.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\vssvc.exe
    c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    c:\windows\system32\DrvInst.exe
    .
    **************************************************************************
    .
    Completion time: 2011-02-07 03:36:58 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-02-06 14:36

    Pre-Run: 40,792,735,744 bytes free
    Post-Run: 40,068,767,744 bytes free

    - - End Of File - - 9D58F6ABD7F6A24A1BE88B0F53A37EC6



    What do I need to do now? or is the problem sorted? thanks for all the help so far :)
  7. Bobbye


    Didn't get email feedback of reply, sorry.

    Due to the finding and replacing of the infected atapi file, we need to look for a rootkit:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result. Please paste the log into next reply.
    • A reboot is required after disinfection.

    There are several files, folders and directories in the Combofix log which I need to set up to view the contents.

    Please do a search on the system for C:\Program Files\EsetOnlineScanner\log.txt. If found, please post the full log.
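The TDSSKiller log that these steps produce lists every loaded kernel driver with its MD5 and on-disk path, one per line. The script below is an added example written for this thread (it is not TDSSKiller's code and not part of the helper's procedure): it parses those lines and compares each driver against a baseline of hashes captured from a known-clean install of the same Windows build, which is the kind of check that turns an in-place replacement of a file such as atapi.sys into a visible mismatch. The four real sample lines are copied from the log pasted later in the thread; the header line and the `exampledrv` line are constructed, and so is the baseline, whose `atapi` value is a placeholder chosen to differ so the demo reports a mismatch. That mismatch is illustrative only and says nothing about the machine in this thread.

```python
"""Triage helper for TDSSKiller's driver listing (added example, not TDSSKiller's code).

Each driver line in the log has the form
    <date> <time> <pid> <service> (<md5>) <path>
The lines are parsed and every driver is compared against a baseline of hashes
taken from a known-clean install of the same Windows build.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+"
    r"(?P<service>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+)$"
)

# Directory where Windows' own kernel drivers are expected (lower-cased, no trailing slash).
EXPECTED_DIRS = (r"c:\windows\system32\drivers",)

# Sample input: four lines copied from the TDSSKiller log pasted later in this thread,
# one header line (to show it is skipped) and one CONSTRUCTED line for a driver loaded
# from a user temp directory. "exampledrv" and "exampleuser" are placeholders.
SAMPLE_LOG = r"""
2011/02/13 01:02:38.0817 3552 Scan started
2011/02/13 01:03:01.0379 3552 ACPI (f0e07d144c8685b8774bc32fc8da4df0) C:\Windows\system32\DRIVERS\ACPI.sys
2011/02/13 01:03:11.0113 3552 AFD (ddc040fdb01ef1712a6b13e52afb104c) C:\Windows\system32\drivers\afd.sys
2011/02/13 01:03:42.0758 3552 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\DRIVERS\atapi.sys
2011/02/13 01:03:44.0551 3552 avgntflt (47b879406246ffdced59e18d331a0e7d) C:\Windows\system32\DRIVERS\avgntflt.sys
2011/02/13 01:03:50.0000 3552 exampledrv (0123456789abcdef0123456789abcdef) C:\Users\exampleuser\AppData\Local\Temp\exampledrv.sys
"""

# CONSTRUCTED baseline for the demonstration. The ACPI and AFD values are copied from the
# sample log; the atapi value is a placeholder chosen to differ, so the demo shows a mismatch.
# It is NOT a real known-good hash and says nothing about the machine in this thread.
BASELINE = {
    "ACPI": "f0e07d144c8685b8774bc32fc8da4df0",
    "AFD": "ddc040fdb01ef1712a6b13e52afb104c",
    "atapi": "ffffffffffffffffffffffffffffffff",
}


@dataclass(frozen=True)
class DriverRecord:
    service: str
    md5: str
    path: str


def parse_tdsskiller_log(text):
    """Return one DriverRecord per driver line; header and status lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            records.append(DriverRecord(m["service"], m["md5"].lower(), m["path"]))
    return records


def triage(records, baseline):
    """Compare records to a {service: md5} baseline and flag three things:
    hash_mismatch       - driver present in the baseline but with a different MD5
                          (what an in-place infection of a file like atapi.sys looks like)
    unknown_driver      - driver not in the baseline at all (third-party or newly added)
    unexpected_location - driver file outside the normal drivers directory
    """
    findings = {"hash_mismatch": [], "unknown_driver": [], "unexpected_location": []}
    for rec in records:
        expected = baseline.get(rec.service)
        if expected is None:
            findings["unknown_driver"].append(rec.service)
        elif expected.lower() != rec.md5:
            findings["hash_mismatch"].append(rec.service)
        parent_dir = rec.path.lower().rsplit("\\", 1)[0]
        if parent_dir not in EXPECTED_DIRS:
            findings["unexpected_location"].append(rec.service)
    return findings


if __name__ == "__main__":
    for category, services in triage(parse_tdsskiller_log(SAMPLE_LOG), BASELINE).items():
        print(f"{category}: {', '.join(services) or '-'}")
```

A hash mismatch is a lead, not a verdict: Windows Update legitimately replaces drivers (the ComboFix log above shows several system files refreshed on 2011-02-06), so a flagged file should be confirmed against the vendor's signed copy before anything is quarantined. The "unknown driver" list is where third-party drivers such as the Avira filter land, and the location check is the cheap heuristic that catches a driver started from a user-writable directory.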
  8. Bobbye


    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :dir
      c:\windows\system32\New folder
      c:\windows\Panther
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    ========================================
    What did you put in this directory? 2011-02-05 00:24 -------- d-----w- c:\users\Antonio
    I don't want to open it like the 2 above and have hundreds of files and folders listed!
    ======================================
    Since you mention the keyboard specifically and I don't know whether it's not working because it's USB, or malware, I wanted to bring this to your attention: The keyboard driver below is dated 2005. It's possible it may need a driver update:
    S3 kbd;Keyboard;c:\windows\system32\DRIVERS\kbd.sys [2005-09-29 21504]
  9. mazmac


    I ran TDSSKiller but it didn't find any threats, and there is no quarantine log either just a normal log:


    2011/02/13 01:02:18.0688 3880 TDSS rootkit removing tool 2.4.17.0 Feb 10 2011 11:07:20
    2011/02/13 01:02:19.0199 3880 ================================================================================
    2011/02/13 01:02:19.0199 3880 SystemInfo:
    2011/02/13 01:02:19.0199 3880
    2011/02/13 01:02:19.0199 3880 OS Version: 6.1.7600 ServicePack: 0.0
    2011/02/13 01:02:19.0199 3880 Product type: Workstation
    2011/02/13 01:02:19.0199 3880 ComputerName: ANTONIO-PC
    2011/02/13 01:02:19.0199 3880 UserName: Antonio
    2011/02/13 01:02:19.0199 3880 Windows directory: C:\Windows
    2011/02/13 01:02:19.0199 3880 System windows directory: C:\Windows
    2011/02/13 01:02:19.0199 3880 Processor architecture: Intel x86
    2011/02/13 01:02:19.0199 3880 Number of processors: 1
    2011/02/13 01:02:19.0199 3880 Page size: 0x1000
    2011/02/13 01:02:19.0199 3880 Boot type: Normal boot
    2011/02/13 01:02:19.0199 3880 ================================================================================
    2011/02/13 01:02:21.0292 3880 Initialize success
    2011/02/13 01:02:38.0817 3552 ================================================================================
    2011/02/13 01:02:38.0817 3552 Scan started
    2011/02/13 01:02:38.0817 3552 Mode: Manual;
    2011/02/13 01:02:38.0817 3552 ================================================================================
    2011/02/13 01:11:47.0502 3552 ================================================================================
    2011/02/13 01:11:47.0502 3552 Scan finished
    2011/02/13 01:11:47.0502 3552 ================================================================================


    I did a search for the EsetOnlineScanner\log.txt again and the same log came up as the one I already posted.

    I then ran SystemLook for:
    :dir
    c:\windows\system32\New folder
    c:\windows\Panther

    here is the log:

    SystemLook 04.09.10 by jpshortstuff
    Log created at 04:29 on 13/02/2011 by Antonio
    Administrator - Elevation successful

    ========== dir ==========

    c:\windows\system32\New folder - Parameters: "(none)"

    ---Files---
    None found.

    ---Folders---
    None found.

    c:\windows\Panther - Parameters: "(none)"

    ---Files---
    cbs.log --a---- 38040 bytes [21:11 05/02/2011] [21:11 05/02/2011]
    Contents0.dir --a---- 68 bytes [21:11 05/02/2011] [21:11 05/02/2011]
    Contents1.dir --a---- 68 bytes [13:17 05/02/2011] [13:17 05/02/2011]
    DDACLSys.log --a---- 920 bytes [13:16 05/02/2011] [13:16 05/02/2011]
    diagerr.xml --a---- 5718 bytes [21:11 05/02/2011] [13:17 05/02/2011]
    diagwrn.xml --a---- 16762 bytes [21:11 05/02/2011] [13:17 05/02/2011]
    MainQueueOnline0.que --a---- 28770 bytes [21:11 05/02/2011] [21:11 05/02/2011]
    MainQueueOnline1.que --a---- 27468 bytes [13:17 05/02/2011] [13:17 05/02/2011]
    setup.etl --a---- 335872 bytes [13:12 05/02/2011] [00:24 05/02/2011]
    setupact.log --a---- 801298 bytes [21:11 05/02/2011] [13:17 05/02/2011]
    setuperr.log --a---- 0 bytes [21:11 05/02/2011] [20:57 05/02/2011]
    setupinfo --a---- 188672 bytes [21:11 05/02/2011] [13:14 05/02/2011]

    ---Folders---
    setup.exe d------ [21:11 05/02/2011]
    UnattendGC d------ [13:13 05/02/2011]

    -= EOF =-


    ================================================================
    As for the directory c:\users\Antonio, I didn't put anything in it; there is nothing on the computer apart from the stuff you told me to download.
    So I ran SystemLook for:
    :dir
    c:\users\Antonio

    here is the log:

    SystemLook 04.09.10 by jpshortstuff
    Log created at 04:31 on 13/02/2011 by Antonio
    Administrator - Elevation successful

    ========== dir ==========

    c:\users\Antonio - Parameters: "(none)"

    ---Files---
    NTUSER.DAT --ahs-- 786432 bytes [00:24 05/02/2011] [15:30 12/02/2011]
    ntuser.dat.LOG1 --ahs-- 262144 bytes [00:24 05/02/2011] [15:30 12/02/2011]
    ntuser.dat.LOG2 --ahs-- 0 bytes [00:24 05/02/2011] [00:24 05/02/2011]
    NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf --ahs-- 65536 bytes [00:24 05/02/2011] [00:27 05/02/2011]
    NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms --ahs-- 524288 bytes [00:24 05/02/2011] [00:27 05/02/2011]
    NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms --ahs-- 524288 bytes [00:24 05/02/2011] [00:27 05/02/2011]
    ntuser.ini ---hs-- 20 bytes [00:24 05/02/2011] [00:24 05/02/2011]

    ---Folders---
    AppData d--h--- [00:24 05/02/2011]
    Application Data d--hs-- [00:24 05/02/2011]
    Contacts dr----- [00:24 05/02/2011]
    Cookies d--hs-- [00:24 05/02/2011]
    Desktop dr----- [00:24 05/02/2011]
    Documents dr----- [00:24 05/02/2011]
    Downloads dr----- [00:24 05/02/2011]
    Favorites dr----- [00:24 05/02/2011]
    Links dr----- [00:24 05/02/2011]
    Local Settings d--hs-- [00:24 05/02/2011]
    Music dr----- [00:24 05/02/2011]
    My Documents d--hs-- [00:24 05/02/2011]
    NetHood d--hs-- [00:24 05/02/2011]
    Pictures dr----- [00:24 05/02/2011]
    PrintHood d--hs-- [00:24 05/02/2011]
    Recent d--hs-- [00:24 05/02/2011]
    Saved Games dr----- [00:24 05/02/2011]
    Searches dr----- [00:24 05/02/2011]
    SendTo d--hs-- [00:24 05/02/2011]
    Start Menu d--hs-- [00:24 05/02/2011]
    Templates d--hs-- [00:24 05/02/2011]
    Videos dr----- [00:24 05/02/2011]

    -= EOF =-


    ===============================================================

    What should I do now? The computer still acts on its own and opens up folders, their properties and flicks through the start menu and eventually shuts itself down.
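An added example, not code from the thread or from SystemLook: it parses `:dir` listings in the form posted above and pulls out what a helper checks first, per-directory counts, files whose modified time predates their created time, and hidden+system entries. It assumes that on a file line the first bracketed timestamp is the created time and the second the modified time.

```python
"""Parse SystemLook ':dir' listings and pull out what a helper checks first.
Added example, not part of the thread or of SystemLook. Assumes the layout of the
posted logs, with a file line's first bracketed time = created, second = modified."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample, trimmed from the two listings posted above.
SAMPLE_LOG = r"""
========== dir ==========
c:\windows\system32\New folder - Parameters: "(none)"
---Files---
None found.
---Folders---
None found.
c:\windows\Panther - Parameters: "(none)"
---Files---
cbs.log --a---- 38040 bytes [21:11 05/02/2011] [21:11 05/02/2011]
diagerr.xml --a---- 5718 bytes [21:11 05/02/2011] [13:17 05/02/2011]
setup.etl --a---- 335872 bytes [13:12 05/02/2011] [00:24 05/02/2011]
setuperr.log --a---- 0 bytes [21:11 05/02/2011] [20:57 05/02/2011]
---Folders---
setup.exe d------ [21:11 05/02/2011]
UnattendGC d------ [13:13 05/02/2011]
c:\users\Antonio - Parameters: "(none)"
---Files---
NTUSER.DAT --ahs-- 786432 bytes [00:24 05/02/2011] [15:30 12/02/2011]
ntuser.ini ---hs-- 20 bytes [00:24 05/02/2011] [00:24 05/02/2011]
---Folders---
Application Data d--hs-- [00:24 05/02/2011]
Desktop dr----- [00:24 05/02/2011]
-= EOF =-
"""

DIR_HEADER = re.compile(r'^(?P<dir>.+?) - Parameters: "(?P<params>.*)"$')
FILE_LINE = re.compile(r"^(?P<name>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
                       r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\]$")
FOLDER_LINE = re.compile(r"^(?P<name>.+?) (?P<attrs>d[-a-z]{6}) \[(?P<created>[^\]]+)\]$")
TIME_FMT = "%H:%M %d/%m/%Y"   # e.g. "21:11 05/02/2011"

@dataclass
class Entry:
    directory: str
    name: str
    attrs: str                    # e.g. "--ahs--": a=archive, h=hidden, s=system
    is_dir: bool
    created: datetime
    modified: Optional[datetime]  # folder lines carry a single timestamp
    size: Optional[int]

def _ts(text: str) -> datetime:
    return datetime.strptime(text, TIME_FMT)

def parse_systemlook_dir(text: str):
    """Return (directories listed, entries) from a SystemLook :dir log."""
    directories: List[str] = []
    entries: List[Entry] = []
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIR_HEADER.match(line)
        if m:
            current = m["dir"]
            directories.append(current)
            continue
        if current is None:          # banner lines before the first directory
            continue
        m = FILE_LINE.match(line)
        if m:
            entries.append(Entry(current, m["name"], m["attrs"], False,
                                 _ts(m["created"]), _ts(m["modified"]), int(m["size"])))
            continue
        m = FOLDER_LINE.match(line)
        if m:
            entries.append(Entry(current, m["name"], m["attrs"], True,
                                 _ts(m["created"]), None, None))
        # "---Files---", "None found." and "-= EOF =-" match nothing and are skipped
    return directories, entries

def summarise(directories: List[str], entries: List[Entry]) -> Dict[str, Dict[str, int]]:
    """Per-directory counts; a directory reported as 'None found.' still shows zeros."""
    counts = {d: {"files": 0, "folders": 0} for d in directories}
    for e in entries:
        counts[e.directory]["folders" if e.is_dir else "files"] += 1
    return counts

def modified_before_created(entries: List[Entry]) -> List[str]:
    """Files whose last-write time predates their creation time. NTFS keeps the original
    modified time when a file is copied in but stamps a fresh created time, so these were
    placed here rather than written here: a lead to follow up, not evidence by itself."""
    return [e.name for e in entries
            if not e.is_dir and e.modified is not None and e.modified < e.created]

def hidden_and_system(entries: List[Entry]) -> List[str]:
    """Entries with both hidden and system attributes. In a Windows 7 profile root the
    registry hive (NTUSER.DAT, ntuser.ini) and junctions such as 'Application Data' are expected."""
    return [e.name for e in entries if "h" in e.attrs and "s" in e.attrs]
```

On the sample, modified_before_created reports the three Panther files whose modified time predates their created time, and hidden_and_system reports only the expected profile-root items.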
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Please don't run scans that I don't direct you to do.
    I did get notice of reply and the PM. I will be back later this afternoon to finish up.
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Can you please tell me why you think there is a virus infection? Was there one before you reformatted? What was it?
  12. mazmac

    mazmac Newcomer, in training Topic Starter

    This was happening before I reformatted, and I don't know what virus it was because whenever I tried to do a scan, the computer would go haywire and close the antivirus program, flicker through everything and then eventually shut itself down. That's why I reformatted; I thought it would disappear after that, but it's still there.
    The laptop has never acted like this before and then out of the blue it goes mental, so if it isn't a virus, what is it? :S

    Also sorry about running that scan, I just thought it might help somehow. Sorry, and thanks again for helping me.
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Please understand that you're there and I'm here> all I have to go on is what you tell me. The following 'descriptions' really don't tell me much:
    • the computer would go haywire > Please explain 'haywire.'
    • close the antivirus program > What happens when the AV program 'closes'. Do you get a message that it's not running? What is the message?
    • flicker through everything > What does it 'flicker' through?
    • out of the blue it goes mental ??????

    Most users don't know how to troubleshoot, so when something goes wrong or doesn't work right on their computer, they figure it has to be a 'virus.' With your descriptions (what I think they mean), it's entirely possible that the hard drive is failing. The following should have been your first clues that the problems could be hardware, not software.
    ==============================================
    I also noticed 2 of these entries:
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\conhost.exe


    conhost.exe> Console Windows Host: conhost.exe may appear as a process when a video in SMPlayer is played. The process is killed immediately if the video player window is closed.

    Conhost.exe will also appear as a process in the task manager if a command line prompt is opened in Windows 7. The process is always started if a command line window (hidden or visible) is launched in Windows 7. So this would point to the fact that there are 2 command lines running.
     
  14. mazmac

    mazmac Newcomer, in training Topic Starter

    sorry for such a late reply..
    I'll try and explain what the laptop did before I reformatted and how it's currently acting.
    Before the reformat, my boyfriend told me that he was getting some weird pop-up websites, but I can't remember what they were of. I also remember that there were a couple of pornographic video clips scattered in the 'my documents' area, which I deleted but they returned. When I tried to do a normal scan, first using Microsoft Security Essentials, the laptop started to act on its own and would literally flick through all the menus/tabs, and after about 30 seconds into the scan it would close the program/scan. After that it would open the start menu and flicker through all the programs, and then it would eventually shut itself down. The same would happen when I used Malwarebytes' Anti-Malware and AVG; however, I do remember AVG finding some sort of Trojan/worm and removing it, but I don't remember what it was called nor whether it made any difference, because the laptop was still acting on its own account.
    It would open Windows Media Center quite a lot of the time, and when I would go online it would also flicker through all the tabs, make new bookmarks and duplicate the website already opened (in this case 'google'). On the desktop it would make New Folders by itself, but they never contained anything. Overall, before reformatting it was quite a stubborn 'virus' and it was really hard to keep a scan running and prevent it closing prematurely, as well as stopping it from shutting down.

    After I reformatted, the first couple of times it was acting the same, but then other times it was normal like nothing ever happened, but that would last for maybe half an hour and then it would start acting on its own again. However, compared to before, it's now a little easier to battle it and prevent it from shutting down; that's how I was able to do a scan. The laptop still acts by itself but it's not as 'violent' as before. So what it usually does now (when I don't try and prevent it) is it will open the start menu and flick/highlight programs (basically it looks like someone opens the start menu and holds the up/down arrow and just flicks through everything), but it doesn't open anything, it just clicks on shut down and shuts down by itself. Also it would click on those quick buttons/'pinned' programs on the taskbar, in this case Windows Media Center, and it would just open it and that's about it. On the desktop it still makes new folders containing nothing; when on the internet it still makes new bookmarks and duplicates websites already opened. It also somehow 'blocks' the keyboard, but that doesn't happen so often anymore; when it does it inverts functions, and whatever letter you press the only letters that come out are "Á, É, Í, and Ó".

    As for the partitions, he always had two, the second one had a small amount of memory, the reason I 'deleted' it and reformatted it was because he wanted me to.

    I don't really know what else to tell you.. I hope that my description will be of some help.

    And thank you again for re-activating this thread. :)
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Everything is way out of date now. And I am still having a problem understanding the descriptions of the problems. I'm getting this:
    1. it will open the start menu and flick/highlight programs
    2. it just clicks on shut down and shuts down by itself.
    I don't know that this is malware related, but we'll see if the scans turn up anything:
    ========================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard, you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ===================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
  16. mazmac

    mazmac Newcomer, in training Topic Starter

    I've tried to run the scans but it's no use.. every time I try to do either of the scans the laptop decides to act by itself, e.g. when I left click on something it opens up properties, new folders and their properties, highlights half the desktop or opens the website 10 times etc.

    To be quite honest with you, I'm getting really fed up trying to fix this laptop, I mean I dunno.. as for the scans being out of date, well they are, but the last time the laptop was running was when you told me to run TDSSKiller; it has not been in use since then.. well it has now because I tried to run those two scans again all day yesterday..

    I don't know what to do, I've tried over 20 times now to run either of the scans and it's just not happening. If you have another suggestion, great; if not, I don't know, I think I'll just leave it be until I actually get some money and then I'll try and give it to someone who might know how to fix it.

    Either way thanks a lot for trying to help me out, I really appreciate it :)
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I think you need to consider a hard drive failure. I don't know why the system seems to be acting on its own. You can try another reformat/reinstall, but if it's the hard drive, you are going to end up right back where you are now.

    I'm sorry I can't be of more help, but here, I can only go by what I see and your description. If you have some pennies saved up, you might reconsider taking it to the shop for hands-on help. I don't think the problems are coming from any software, especially since you didn't see improvement after a reformat; that points to a hardware problem.

    I'm not sure what you actually managed to download, but do the following to clean up the tools we used:

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.

      Creating a Restore Point in Windows 7:
      • Click on Start> right click on Computer> Properties
      • Select System Protection
      • Click on the Create button (near bottom)
      • Type a name for the Restore Point
      • Click on Create again to save the restore point.

      Deleting all but the most recent System Protection point in Windows 7
      1. Click Start> Computer> right click the C Drive and choose Properties> enter.
      2. Click Disk Cleanup from there.
      3. Click Clean up system files
        This restarts Disk Cleanup to run in elevated mode.
      4. Click the More Options tab
      5. Click the Clean up under System Restore and Shadow Copies.
      6. Click OK.
      7. You will get a confirmation screen> Just click Delete.
      8. Click OK on the Disk Cleanup Screen.
      9. Click Delete Files on the Confirmation screen.
      It will run the Disk Cleanup utility along with other selections if you have chosen any. (If you had a lot of System Restore points, you will see a significant change in the free space on the C drive.)
      Images courtesy lytebyte.

      Empty the Recycle Bin