TechSpot

Three Trojans stuck in System Registry

By waveofbabies
Jan 11, 2012
  1. I have a combination of viruses that redirects my web browser to some nonsense news site, along with causing general annoyances with anything internet related, including crashing programs and lagging them up. AVG is the only program I have installed that detects them. Malwarebytes does not, so the log makes it seem as though there are no more infections. According to AVG, the infections are Trojan Horse Crypt.ANVH (this also seemed to mess with GMER and DDS, which is why I did not post a log from these programs), Trojan BackDoor.Generic14.BQGX, and finally Trojan Agent 3.WJV. Can you guys help me out and save me a format? Thanks.
     
  2. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===========================================================

    Explain please.
     
  3. waveofbabies

    waveofbabies TS Rookie Topic Starter Posts: 20

    Hey Broni. Thanks for the welcome. Come to think of it, I think AVG might be causing the problem here. What I mean is, when I try to run either GMER or DDS, a warning pops up indicating that AVG has detected Trojan Horse Crypt, and following that the program stops working.
     
  4. Broni

    A couple of steps ahead we'll have to uninstall AVG anyway, so you can do it now as well.
    Use AVG Remover: http://www.avg.com/us-en/utilities
    Make sure Windows firewall is ON.

    Download fresh copies of DDS and GMER.
    Try again.
     
  5. waveofbabies

    GMER and DDS both crash midway through a scan. GMER actually gave me a blue screen on one attempt. I tried them both in safe mode with the same result. Also, when I go to the control panel while in safe mode, I cannot access Windows Firewall. It says that an unexpected problem is preventing display of Windows Firewall settings. Firefox continues to be redirected while browsing.
     
  6. Broni

    Did you uninstall AVG?

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ===========================================================

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.

    ============================================================

    Please download and run ListParts by Farbar (for 32-bit system)

    Please download and run ListParts64 by Farbar (for 64-bit system)

    Click on Scan button.

    Scan result will open in Notepad.
    Post it in your next reply.
     
  7. waveofbabies

    Here is the log from aswMBR ... looks disconcerting (there was a lot of red)

    aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-12 15:21:24
    -----------------------------
    15:21:24.343 OS Version: Windows 6.0.6002 Service Pack 2
    15:21:24.343 Number of processors: 2 586 0xF0B
    15:21:24.345 ComputerName: STEPHEN-PC UserName:
    15:21:33.567 Initialize success
    15:23:25.501 AVAST engine defs: 12011200
    15:23:41.477 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000032
    15:23:41.480 Disk 0 Vendor: WDC_WD32 12.0 Size: 305245MB BusType: 6
    15:23:41.482 Device \Device\00000041 -> \??\SCSI#Disk&Ven_WDC_WD32&Prod_00AAJS-00VWA#4&12a0b57c&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
    15:23:41.486 Disk 0 MBR read error 0
    15:23:41.489 Disk 0 MBR scan
    15:23:41.493 Disk 0 unknown MBR code
    15:23:41.497 MBR BIOS signature not found 0
    15:23:41.500 Disk 0 scanning sectors +625139712
    15:23:41.535 Disk 0 scanning C:\Windows\system32\drivers
    15:23:41.970 File: C:\Windows\system32\drivers\afd.sys **INFECTED** Win32:Aluroot-B [Rtk]
    15:23:47.117 File: C:\Windows\system32\drivers\netbt.sys **INFECTED** Win32:Zeroot [Rtk]
    15:23:53.279 File: C:\Windows\system32\drivers\Wdf01000.sys **INFECTED** Win32:RLoader-B
    15:23:53.557 Disk 0 trace - called modules:
    15:23:53.574 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x87f39ff0]<<
    15:23:53.582 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8634c8e0]
    15:23:53.591 3 CLASSPNP.SYS[8279f8b3] -> nt!IofCallDriver -> [0x87da32e8]
    15:23:53.599 \Driver\00001060[0x87da9478] -> IRP_MJ_CREATE -> 0x87f39ff0
    15:23:58.627 AVAST engine scan C:\Windows
    15:24:01.441 AVAST engine scan C:\Windows\system32
    15:35:01.341 AVAST engine scan C:\Windows\system32\drivers
    15:35:02.345 File: C:\Windows\system32\drivers\afd.sys **INFECTED** Win32:Aluroot-B [Rtk]
    15:35:12.982 File: C:\Windows\system32\drivers\netbt.sys **INFECTED** Win32:Zeroot [Rtk]
    15:35:20.792 File: C:\Windows\system32\drivers\Wdf01000.sys **INFECTED** Win32:RLoader-B
    15:35:24.407 AVAST engine scan C:\Users\Administrator
    15:37:38.530 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache2441297853792215642.tmp **INFECTED** Win32:Kryptik-DJD [Trj]
    15:37:38.685 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache2546951413663940763.tmp **INFECTED** Win32:MalOb-GF [Cryp]
    15:37:38.736 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache2740558627932482271.tmp **INFECTED** Win32:Kryptik-DJD [Trj]
    15:37:38.935 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache4416902755111729394.tmp **INFECTED** Win32:Kryptik-DKN [Trj]
    15:37:39.177 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache5554113741605944304.tmp **INFECTED** Win32:MalOb-GS [Cryp]
    15:37:39.449 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache6855520816091083099.tmp **INFECTED** Win32:MalOb-GS [Cryp]
    15:37:39.552 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache7262576682993569311.tmp **INFECTED** Win32:Kryptik-DJD [Trj]
    15:37:39.661 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache7309834498984758723.tmp **INFECTED** Win32:MalOb-GF [Cryp]
    15:37:39.753 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache7645806635774182343.tmp **INFECTED** Win32:Renosa-J [Wrm]
    15:37:39.849 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache8500703002762741723.tmp **INFECTED** Win32:Kryptik-DJD [Trj]
    15:43:42.294 Disk 0 MBR has been saved successfully to "C:\Users\Administrator\Documents\MBR.dat"
    15:43:42.376 The log file has been saved successfully to "C:\Users\Administrator\Documents\aswMBR.txt"

    For Bootkit Remover, I received the following error: ATA_PASS_THROUGH_DIRECT is not supported by your disc controller
    SCSI_PASS_THROUGH_DIRECT will be use for disc I/O

    This is the log that appeared.

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6
    002), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00100000
    ATA_Read(): DeviceIoControl() ERROR 1
    Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...

    and FixedParts displayed this

    ListParts by Farbar
    Ran by Administrator on 12-01-2012 at 15:56:18
    Windows Vista (X86)
    Running From: C:\Users\Administrator\Downloads
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 73%
    Total physical RAM: 3070.45 MB
    Available physical RAM: 822.81 MB
    Total Pagefile: 6365.94 MB
    Available Pagefile: 3737.42 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1965.83 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:298.09 GB) (Free:38.58 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]

    There are no fixed disks to show.



    ****** End Of Log ******

    And yes AVG was uninstalled last night before using GMER and DDS.
     
  8. Broni

    Please download Farbar Service Scanner and run it on the computer with the issue.


    • Please run Farbar Service Scanner.
      Type the following in the edit box after "Search:".

      Wdf01000.sys;netbt.sys;afd.sys

      Click Search Files button and post the log (FSS.txt) it makes to your reply.
     
  9. waveofbabies

    During the scan I received a message saying "Host Process for Windows Service has stopped working".

    The log is as follows

    Farbar Service Scanner
    Ran by Administrator (administrator) on 12-01-2012 at 16:20:04
    Windows Vista (TM) Home Premium Service Pack 2 (X86)

    ************************************************
    ================== Search: "Wdf01000.sys;netbt.sys;afd.sys
    " ===================

    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys
    [2011-06-27 19:56] - [2011-04-21 08:28] - 0273920 ____A (Microsoft Corporation) 70EE0FC7A0F384DBD929A01384AEEB4B

    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_d9d3bb9e5b8eea9c\afd.sys
    [2011-01-02 23:10] - [2009-04-10 23:47] - 0273920 ____A (Microsoft Corporation) A201207363AA900ABF1A388468688570

    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.22905_none_d876efff77862705\afd.sys
    [2011-06-27 19:56] - [2011-04-21 08:12] - 0273920 ____A (Microsoft Corporation) C8AF25017CECB75906A571AC70D2D306

    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_d7d0e0cc5e7d461c\afd.sys
    [2011-06-27 19:56] - [2011-04-21 08:16] - 0273408 ____A (Microsoft Corporation) 48EB99503533C27AC6135648E5474457

    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_d7e842925e6d1f50\afd.sys
    [2011-01-01 07:31] - [2008-01-19 00:57] - 0273920 ____A (Microsoft Corporation) 763E172A55177E478CB419F88FD0BA03

    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6000.16386_none_d5b1809661820e7c\afd.sys
    [2006-11-02 03:58] - [2006-11-02 03:58] - 0270336 ____A (Microsoft Corporation) 5D24CAF8EFD924A875698FF28384DB8B

    C:\Windows\winsxs\x86_microsoft-windows-wdf-kernellibrary_31bf3856ad364e35_6.0.6000.20734_none_74da07c339f7e0f2\Wdf01000.sys
    [2010-12-31 09:59] - [2010-12-31 09:59] - 0495160 ____A (Microsoft Corporation) 42709BDB3FEB92FD7254A4005E1FFCAE

    C:\Windows\winsxs\x86_microsoft-windows-wdf-kernellibrary_31bf3856ad364e35_6.0.6000.16609_none_7475dc2e20bd6c08\Wdf01000.sys
    [2010-12-31 09:59] - [2010-12-31 09:59] - 0495160 ____A (Microsoft Corporation) 7B5F66E4A2219C7D9DAF9E738480E534

    C:\Windows\winsxs\x86_microsoft-windows-wdf-kernellibrary_31bf3856ad364e35_6.0.6000.16386_none_741c563e21010816\Wdf01000.sys
    [2006-11-02 03:54] - [2006-11-02 04:51] - 0492648 ____A (Microsoft Corporation) 5DFDBD5EF13E4D95BE6FC108E2ED4A67

    C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys
    [2011-01-01 07:30] - [2008-01-19 00:55] - 0184320 ____A (Microsoft Corporation) 7C5FEE5B1C5728507CD96FB4A13E7A02

    C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6000.16386_none_5e2e0665fa591691\netbt.sys
    [2006-11-02 03:57] - [2006-11-02 03:57] - 0184320 ____A (Microsoft Corporation) E3A168912E7EEFC3BD3B814720D68B41

    C:\Windows\System32\drivers\afd.sys
    [2011-06-27 19:56] - [2011-04-21 08:58] - 0273408 ____A () 5385F6AD16BA53D984CF89AA0D796D97

    C:\Windows\System32\drivers\netbt.sys
    [2011-01-02 23:10] - [2009-04-10 23:45] - 0185856 ____A () 2EAEF370056496A971C1B043D37C970C

    C:\Windows\System32\drivers\Wdf01000.sys
    [2011-01-01 07:31] - [2008-01-19 02:43] - 0503864 ____A (Microsoft Corporation) A1BD4AD37B361199DC326CCCC9C179DE

    ====== End Of Search ======
     
  10. Broni

    Very well.

    Download BlitzBlank and save it to your desktop.
    Double click on Blitzblank.exe

    • Click OK at the warning.
    • Click the Script tab and copy/paste the following text there:
    Code:
    CopyFile:
    C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6000.16386_none_5e2e0665fa591691\netbt.sys C:\Windows\System32\drivers\netbt.sys
    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6000.16386_none_d5b1809661820e7c\afd.sys C:\Windows\System32\drivers\afd.sys
    
    • Click Execute Now. Your computer will need to reboot in order to replace the files.
    • When done, post the report created by Blitzblank.
      You can find it in the root of the drive, normally C:\

    Post new FSS log (same code).
     
  11. waveofbabies

    BlitzBlank 1.0.0.32

    File/Registry Modification Engine native application
    CopyFileOnReboot: sourceFile = "\??\c:\windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6000.16386_none_5e2e0665fa591691\netbt.sys", destinationFile = "\??\c:\windows\system32\drivers\netbt.sys"GetDataFromFile: ZwOpenFile failed: status = c0000022
    CopyFileOnReboot: sourceFile = "\??\c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6000.16386_none_d5b1809661820e7c\afd.sys", destinationFile = "\??\c:\windows\system32\drivers\afd.sys"GetDataFromFile: ZwOpenFile failed: status = c0000022

    Farbar Service Scanner
    Ran by Administrator (administrator) on 12-01-2012 at 17:23:16
    Windows Vista (TM) Home Premium Service Pack 2 (X86)

    ************************************************
    ================== Search: "Wdf01000.sys;netbt.sys;afd.sys" ===================

    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys
    [2011-06-27 19:56] - [2011-04-21 08:28] - 0273920 ____A (Microsoft Corporation) 70EE0FC7A0F384DBD929A01384AEEB4B

    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_d9d3bb9e5b8eea9c\afd.sys
    [2011-01-02 23:10] - [2009-04-10 23:47] - 0273920 ____A (Microsoft Corporation) A201207363AA900ABF1A388468688570

    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.22905_none_d876efff77862705\afd.sys
    [2011-06-27 19:56] - [2011-04-21 08:12] - 0273920 ____A (Microsoft Corporation) C8AF25017CECB75906A571AC70D2D306

    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_d7d0e0cc5e7d461c\afd.sys
    [2011-06-27 19:56] - [2011-04-21 08:16] - 0273408 ____A (Microsoft Corporation) 48EB99503533C27AC6135648E5474457

    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_d7e842925e6d1f50\afd.sys
    [2011-01-01 07:31] - [2008-01-19 00:57] - 0273920 ____A (Microsoft Corporation) 763E172A55177E478CB419F88FD0BA03

    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6000.16386_none_d5b1809661820e7c\afd.sys
    [2006-11-02 03:58] - [2006-11-02 03:58] - 0270336 ____A (Microsoft Corporation) 5D24CAF8EFD924A875698FF28384DB8B

    C:\Windows\winsxs\x86_microsoft-windows-wdf-kernellibrary_31bf3856ad364e35_6.0.6000.20734_none_74da07c339f7e0f2\Wdf01000.sys
    [2010-12-31 09:59] - [2010-12-31 09:59] - 0495160 ____A (Microsoft Corporation) 42709BDB3FEB92FD7254A4005E1FFCAE

    C:\Windows\winsxs\x86_microsoft-windows-wdf-kernellibrary_31bf3856ad364e35_6.0.6000.16609_none_7475dc2e20bd6c08\Wdf01000.sys
    [2010-12-31 09:59] - [2010-12-31 09:59] - 0495160 ____A (Microsoft Corporation) 7B5F66E4A2219C7D9DAF9E738480E534

    C:\Windows\winsxs\x86_microsoft-windows-wdf-kernellibrary_31bf3856ad364e35_6.0.6000.16386_none_741c563e21010816\Wdf01000.sys
    [2006-11-02 03:54] - [2006-11-02 04:51] - 0492648 ____A (Microsoft Corporation) 5DFDBD5EF13E4D95BE6FC108E2ED4A67

    C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys
    [2011-01-01 07:30] - [2008-01-19 00:55] - 0184320 ____A (Microsoft Corporation) 7C5FEE5B1C5728507CD96FB4A13E7A02

    C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6000.16386_none_5e2e0665fa591691\netbt.sys
    [2006-11-02 03:57] - [2006-11-02 03:57] - 0184320 ____A (Microsoft Corporation) E3A168912E7EEFC3BD3B814720D68B41

    C:\Windows\System32\drivers\afd.sys
    [2011-06-27 19:56] - [2012-01-12 17:18] - 0000000 ____A ()

    C:\Windows\System32\drivers\netbt.sys
    [2011-01-02 23:10] - [2012-01-12 17:18] - 0000000 ____A ()

    C:\Windows\System32\drivers\Wdf01000.sys
    [2011-01-01 07:31] - [2008-01-19 02:43] - 0503864 ____A (Microsoft Corporation) A1BD4AD37B361199DC326CCCC9C179DE

    ====== End Of Search ======
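The two FSS search results above (before and after the BlitzBlank copy) can be checked mechanically. The Python below is an added example, not code from the thread or from Farbar's tool: it parses the two-line entries FSS prints per file and reports, for each live copy under System32\drivers, how it differs from the WinSxS copies of the same driver (blank company string, hash or size matching no WinSxS copy, zero-byte file). The sample input is reconstructed from the entries posted in the two logs above.

```python
"""Triage Farbar Service Scanner (FSS) 'Search Files' output.

Added example, not from the thread or from Farbar's tool. FSS prints two lines
per file: the path, then "[created] - [modified] - size attrs (company) MD5".
Each live driver under System32\\drivers is compared with the WinSxS copies of
the same file that turned up in the same search.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\)"
    r"(?: (?P<md5>[0-9A-Fa-f]{32}))?$"   # MD5 is absent for a 0-byte file
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample: a subset of the first FSS log above (paths, sizes and
# MD5s copied from the thread), i.e. the state before the BlitzBlank copy.
SAMPLE_BEFORE = r"""
================== Search: "Wdf01000.sys;netbt.sys;afd.sys" ===================
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys
[2011-06-27 19:56] - [2011-04-21 08:28] - 0273920 ____A (Microsoft Corporation) 70EE0FC7A0F384DBD929A01384AEEB4B
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6000.16386_none_d5b1809661820e7c\afd.sys
[2006-11-02 03:58] - [2006-11-02 03:58] - 0270336 ____A (Microsoft Corporation) 5D24CAF8EFD924A875698FF28384DB8B
C:\Windows\winsxs\x86_microsoft-windows-wdf-kernellibrary_31bf3856ad364e35_6.0.6000.16386_none_741c563e21010816\Wdf01000.sys
[2006-11-02 03:54] - [2006-11-02 04:51] - 0492648 ____A (Microsoft Corporation) 5DFDBD5EF13E4D95BE6FC108E2ED4A67
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6000.16386_none_5e2e0665fa591691\netbt.sys
[2006-11-02 03:57] - [2006-11-02 03:57] - 0184320 ____A (Microsoft Corporation) E3A168912E7EEFC3BD3B814720D68B41
C:\Windows\System32\drivers\afd.sys
[2011-06-27 19:56] - [2011-04-21 08:58] - 0273408 ____A () 5385F6AD16BA53D984CF89AA0D796D97
C:\Windows\System32\drivers\netbt.sys
[2011-01-02 23:10] - [2009-04-10 23:45] - 0185856 ____A () 2EAEF370056496A971C1B043D37C970C
C:\Windows\System32\drivers\Wdf01000.sys
[2011-01-01 07:31] - [2008-01-19 02:43] - 0503864 ____A (Microsoft Corporation) A1BD4AD37B361199DC326CCCC9C179DE
"""

# Constructed sample: the live entries as the second FSS log printed them after
# BlitzBlank's copy failed (status c0000022) and left zero-byte files, no MD5.
SAMPLE_AFTER = r"""
C:\Windows\System32\drivers\afd.sys
[2011-06-27 19:56] - [2012-01-12 17:18] - 0000000 ____A ()
C:\Windows\System32\drivers\netbt.sys
[2011-01-02 23:10] - [2012-01-12 17:18] - 0000000 ____A ()
"""


@dataclass
class FssEntry:
    path: str
    size: int
    company: str
    md5: Optional[str]

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def in_winsxs(self) -> bool:
        return "\\winsxs\\" in self.path.lower()


def parse_fss_search(text: str) -> List[FssEntry]:
    """Pair each path line with the detail line that follows it."""
    entries: List[FssEntry] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            pending = line
            continue
        m = DETAIL_RE.match(line)
        if m and pending:
            entries.append(FssEntry(pending, int(m["size"]), m["company"].strip(),
                                    m["md5"].upper() if m["md5"] else None))
        pending = None
    return entries


def triage_live_drivers(entries: List[FssEntry]) -> Dict[str, List[str]]:
    """For each System32\\drivers copy, list how it differs from the WinSxS copies."""
    findings: Dict[str, List[str]] = {}
    for live in entries:
        if "\\system32\\drivers\\" not in live.path.lower():
            continue
        backups = [e for e in entries if e.in_winsxs and e.name == live.name]
        notes: List[str] = []
        if live.size == 0:
            notes.append("zero-byte file: the driver cannot load")
        if not live.company:
            notes.append("no company/version resource")
        if live.md5 and live.md5 not in {b.md5 for b in backups}:
            notes.append(f"MD5 matches none of {len(backups)} WinSxS copies")
        if live.size and live.size not in {b.size for b in backups}:
            notes.append(f"size {live.size} matches no WinSxS copy")
        findings[live.name] = notes
    return findings
```

Run against the first log every live driver is flagged, including Wdf01000.sys, whose company string looks normal but whose hash and size match no WinSxS copy; against the second log the zero-byte afd.sys and netbt.sys are reported before anything else.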
     
     
  12. Broni

    Download TDSSKiller and save it to your desktop.
    • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  13. waveofbabies

    I ran TDSSKiller and rebooted. Upon reboot, I did not have internet access, and after maybe two minutes I received a blue screen. The computer rebooted on its own and the same thing occurred, ending with a blue screen and a restart. This occurred a third time before I rebooted in safe mode w/ networking, but I still do not have internet access. I am now on a laptop posting this. I had to use a flash drive to get the log.

    17:55:49.0228 6784 TDSS rootkit removing tool 2.7.0.0 Jan 10 2012 09:14:26
    17:55:49.0478 6784 ============================================================
    17:55:49.0478 6784 Current date / time: 2012/01/12 17:55:49.0478
    17:55:49.0478 6784 SystemInfo:
    17:55:49.0478 6784
    17:55:49.0478 6784 OS Version: 6.0.6002 ServicePack: 2.0
    17:55:49.0478 6784 Product type: Workstation
    17:55:49.0478 6784 ComputerName: STEPHEN-PC
    17:55:49.0478 6784 UserName: Administrator
    17:55:49.0478 6784 Windows directory: C:\Windows
    17:55:49.0478 6784 System windows directory: C:\Windows
    17:55:49.0478 6784 Processor architecture: Intel x86
    17:55:49.0478 6784 Number of processors: 2
    17:55:49.0478 6784 Page size: 0x1000
    17:55:49.0478 6784 Boot type: Normal boot
    17:55:49.0478 6784 ============================================================
    17:55:49.0790 6784 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000, SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K', Flags 0x00000050
    17:55:49.0806 6784 Initialize success
    17:55:55.0968 5664 ============================================================
    17:55:55.0968 5664 Scan started
    17:55:55.0968 5664 Mode: Manual;
    17:55:55.0968 5664 ============================================================
    17:56:08.0510 5664 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
    17:56:08.0510 5664 Modem - ok
    17:56:08.0604 5664 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
    17:56:08.0604 5664 monitor - ok
    17:56:08.0697 5664 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
    17:56:08.0697 5664 mouclass - ok
    17:56:08.0775 5664 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
    17:56:08.0775 5664 mouhid - ok
    17:56:08.0869 5664 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
    17:56:08.0869 5664 MountMgr - ok
    17:56:08.0947 5664 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
    17:56:08.0962 5664 mpio - ok
    17:56:09.0150 5664 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
    17:56:09.0150 5664 mpsdrv - ok
    17:56:09.0274 5664 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
    17:56:09.0274 5664 Mraid35x - ok
    17:56:09.0493 5664 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
    17:56:09.0524 5664 MRxDAV - ok
    17:56:09.0742 5664 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
    17:56:09.0742 5664 mrxsmb - ok
    17:56:09.0836 5664 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
    17:56:09.0836 5664 mrxsmb10 - ok
    17:56:10.0023 5664 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
    17:56:10.0023 5664 mrxsmb20 - ok
    17:56:10.0086 5664 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
    17:56:10.0101 5664 msahci - ok
    17:56:10.0210 5664 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
    17:56:10.0242 5664 msdsm - ok
    17:56:10.0507 5664 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
    17:56:10.0507 5664 Msfs - ok
    17:56:10.0756 5664 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
    17:56:10.0756 5664 msisadrv - ok
    17:56:10.0959 5664 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
    17:56:10.0959 5664 MSKSSRV - ok
    17:56:11.0053 5664 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
    17:56:11.0053 5664 MSPCLOCK - ok
    17:56:11.0271 5664 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
    17:56:11.0271 5664 MSPQM - ok
    17:56:11.0552 5664 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
    17:56:11.0661 5664 MsRPC - ok
    17:56:11.0848 5664 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
    17:56:11.0848 5664 mssmbios - ok
    17:56:12.0067 5664 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
    17:56:12.0067 5664 MSTEE - ok
    17:56:12.0301 5664 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
    17:56:12.0301 5664 Mup - ok
    17:56:12.0660 5664 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
    17:56:12.0738 5664 NativeWifiP - ok
    17:56:13.0206 5664 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
    17:56:13.0237 5664 NDIS - ok
    17:56:13.0346 5664 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
    17:56:13.0346 5664 NdisTapi - ok
    17:56:13.0752 5664 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
    17:56:13.0783 5664 Ndisuio - ok
    17:56:14.0158 5664 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
    17:56:14.0205 5664 NdisWan - ok
    17:56:14.0611 5664 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
    17:56:14.0611 5664 NDProxy - ok
    17:56:15.0172 5664 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
    17:56:15.0204 5664 NetBIOS - ok
    17:56:15.0579 5664 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
    17:56:15.0626 5664 nfrd960 - ok
    17:56:15.0813 5664 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
    17:56:15.0813 5664 Npfs - ok
    17:56:15.0938 5664 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
    17:56:15.0953 5664 nsiproxy - ok
    17:56:16.0062 5664 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
    17:56:16.0109 5664 Ntfs - ok
    17:56:16.0172 5664 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
    17:56:16.0172 5664 ntrigdigi - ok
    17:56:16.0250 5664 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
    17:56:16.0250 5664 Null - ok
    17:56:16.0406 5664 NVENETFD (d958a2b5f6ad5c3b8ccdc4d7da62466c) C:\Windows\system32\DRIVERS\nvmfdx32.sys
    17:56:16.0437 5664 NVENETFD - ok
    17:56:16.0764 5664 nvlddmkm (66b4bf606fcc7f0622d4a21bb1461089) C:\Windows\system32\DRIVERS\nvlddmkm.sys
    17:56:16.0983 5664 nvlddmkm - ok
    17:56:17.0076 5664 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
    17:56:17.0076 5664 nvraid - ok
    17:56:17.0139 5664 nvstor (4a5fcab82d9bf6af8a023a66802fe9e9) C:\Windows\system32\drivers\nvstor.sys
    17:56:17.0139 5664 nvstor - ok
    17:56:17.0201 5664 nvstor32 (dc5f166422beebf195e3e4bb8ab4ee22) C:\Windows\system32\DRIVERS\nvstor32.sys
    17:56:17.0201 5664 nvstor32 - ok
    17:56:17.0295 5664 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
    17:56:17.0295 5664 nv_agp - ok
    17:56:17.0357 5664 NwlnkFlt - ok
    17:56:17.0482 5664 NwlnkFwd - ok
    17:56:17.0950 5664 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
    17:56:17.0950 5664 ohci1394 - ok
    17:56:18.0215 5664 Parport (8a79fdf04a73428597e2caf9d0d67850) C:\Windows\system32\DRIVERS\parport.sys
    17:56:18.0215 5664 Parport - ok
    17:56:18.0309 5664 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
    17:56:18.0309 5664 partmgr - ok
    17:56:18.0605 5664 Parvdm (6c580025c81caf3ae9e3617c22cad00e) C:\Windows\system32\DRIVERS\parvdm.sys
    17:56:18.0636 5664 Parvdm - ok
    17:56:19.0073 5664 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
    17:56:19.0198 5664 pci - ok
    17:56:19.0900 5664 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
    17:56:19.0900 5664 pciide - ok
    17:56:20.0259 5664 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
    17:56:20.0259 5664 pcmcia - ok
    17:56:20.0446 5664 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
    17:56:20.0945 5664 PEAUTH - ok
    17:56:21.0304 5664 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
    17:56:21.0304 5664 PptpMiniport - ok
    17:56:21.0616 5664 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
    17:56:21.0663 5664 Processor - ok
    17:56:22.0068 5664 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
    17:56:22.0068 5664 PSched - ok
    17:56:22.0271 5664 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
    17:56:22.0302 5664 ql2300 - ok
    17:56:22.0396 5664 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
    17:56:22.0396 5664 ql40xx - ok
    17:56:22.0490 5664 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
    17:56:22.0568 5664 QWAVEdrv - ok
    17:56:23.0129 5664 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
    17:56:23.0129 5664 RasAcd - ok
    17:56:23.0223 5664 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
    17:56:23.0223 5664 Rasl2tp - ok
    17:56:23.0301 5664 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
    17:56:23.0301 5664 RasPppoe - ok
    17:56:23.0379 5664 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
    17:56:23.0379 5664 RasSstp - ok
    17:56:23.0457 5664 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
    17:56:23.0472 5664 rdbss - ok
    17:56:23.0972 5664 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
    17:56:23.0972 5664 RDPCDD - ok
    17:56:24.0299 5664 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
    17:56:24.0299 5664 rdpdr - ok
    17:56:24.0393 5664 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
    17:56:24.0393 5664 RDPENCDD - ok
    17:56:24.0580 5664 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
    17:56:24.0642 5664 RDPWD - ok
    17:56:25.0142 5664 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
    17:56:25.0173 5664 rspndr - ok
    17:56:25.0485 5664 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
    17:56:25.0532 5664 sbp2port - ok
    17:56:26.0078 5664 SCDEmu (20b2751cd4c8f3fd989739ca661b9f30) C:\Windows\system32\drivers\SCDEmu.sys
    17:56:26.0078 5664 SCDEmu - ok
    17:56:26.0343 5664 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
    17:56:26.0343 5664 secdrv - ok
    17:56:26.0670 5664 Serenum (ce9ec966638ef0b10b864ddedf62a099) C:\Windows\system32\DRIVERS\serenum.sys
    17:56:26.0717 5664 Serenum - ok
    17:56:27.0138 5664 Serial (6d663022db3e7058907784ae14b69898) C:\Windows\system32\DRIVERS\serial.sys
    17:56:27.0138 5664 Serial - ok
    17:56:27.0279 5664 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
    17:56:27.0279 5664 sermouse - ok
    17:56:27.0450 5664 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
    17:56:27.0450 5664 sffdisk - ok
    17:56:27.0700 5664 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
    17:56:27.0731 5664 sffp_mmc - ok
    17:56:28.0324 5664 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
    17:56:28.0371 5664 sffp_sd - ok
    17:56:28.0464 5664 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
    17:56:28.0464 5664 sfloppy - ok
    17:56:28.0542 5664 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
    17:56:28.0542 5664 sisagp - ok
    17:56:28.0776 5664 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
    17:56:28.0776 5664 SiSRaid2 - ok
    17:56:29.0541 5664 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
    17:56:29.0541 5664 SiSRaid4 - ok
    17:56:29.0962 5664 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
    17:56:29.0993 5664 Smb - ok
    17:56:30.0399 5664 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
    17:56:30.0430 5664 spldr - ok
    17:56:31.0085 5664 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
    17:56:31.0382 5664 srv - ok
    17:56:31.0647 5664 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
    17:56:31.0647 5664 srv2 - ok
    17:56:32.0115 5664 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
    17:56:32.0146 5664 srvnet - ok
    17:56:32.0390 5664 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
    17:56:32.0390 5664 swenum - ok
    17:56:32.0499 5664 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
    17:56:32.0499 5664 Symc8xx - ok
    17:56:32.0811 5664 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
    17:56:32.0811 5664 Sym_hi - ok
    17:56:32.0905 5664 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
    17:56:32.0905 5664 Sym_u3 - ok
    17:56:33.0045 5664 Tcpip (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\drivers\tcpip.sys
    17:56:33.0092 5664 Tcpip - ok
    17:56:33.0201 5664 Tcpip6 (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\DRIVERS\tcpip.sys
    17:56:33.0201 5664 Tcpip6 - ok
    17:56:33.0310 5664 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
    17:56:33.0310 5664 tcpipreg - ok
    17:56:33.0388 5664 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
    17:56:33.0388 5664 TDPIPE - ok
    17:56:33.0482 5664 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
    17:56:33.0482 5664 TDTCP - ok
    17:56:33.0638 5664 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
    17:56:33.0669 5664 tdx - ok
    17:56:34.0278 5664 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
    17:56:34.0278 5664 TermDD - ok
    17:56:34.0574 5664 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
    17:56:34.0574 5664 tssecsrv - ok
    17:56:35.0136 5664 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
    17:56:35.0136 5664 tunmp - ok
    17:56:35.0276 5664 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
    17:56:35.0276 5664 tunnel - ok
    17:56:35.0432 5664 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
    17:56:35.0432 5664 uagp35 - ok
    17:56:35.0604 5664 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
    17:56:35.0619 5664 udfs - ok
    17:56:35.0962 5664 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
    17:56:36.0009 5664 uliagpkx - ok
    17:56:36.0243 5664 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
    17:56:36.0259 5664 uliahci - ok
    17:56:36.0337 5664 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
    17:56:36.0337 5664 UlSata - ok
    17:56:36.0415 5664 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
    17:56:36.0430 5664 ulsata2 - ok
    17:56:36.0508 5664 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
    17:56:36.0508 5664 umbus - ok
    17:56:36.0649 5664 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\Windows\system32\Drivers\usbaapl.sys
    17:56:36.0680 5664 USBAAPL - ok
    17:56:37.0179 5664 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
    17:56:37.0257 5664 usbccgp - ok
    17:56:37.0694 5664 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
    17:56:37.0741 5664 usbcir - ok
    17:56:38.0100 5664 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
    17:56:38.0131 5664 usbehci - ok
    17:56:38.0630 5664 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
    17:56:38.0755 5664 usbhub - ok
    17:56:39.0270 5664 usbohci (ce697fee0d479290d89bec80dfe793b7) C:\Windows\system32\DRIVERS\usbohci.sys
    17:56:39.0270 5664 usbohci - ok
    17:56:39.0566 5664 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\drivers\usbprint.sys
    17:56:39.0566 5664 usbprint - ok
    17:56:39.0816 5664 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
    17:56:39.0862 5664 USBSTOR - ok
    17:56:40.0346 5664 usbuhci (325dbbacb8a36af9988ccf40eac228cc) C:\Windows\system32\DRIVERS\usbuhci.sys
    17:56:40.0393 5664 usbuhci - ok
    17:56:40.0783 5664 VClone (fce98c43b5c5db8e0da8ea0e2b45e044) C:\Windows\system32\DRIVERS\VClone.sys
    17:56:40.0783 5664 VClone - ok
    17:56:41.0220 5664 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
    17:56:41.0251 5664 vga - ok
    17:56:41.0656 5664 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
    17:56:41.0656 5664 VgaSave - ok
    17:56:41.0953 5664 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
    17:56:41.0968 5664 viaagp - ok
    17:56:42.0327 5664 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
    17:56:42.0374 5664 ViaC7 - ok
    17:56:42.0858 5664 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
    17:56:42.0858 5664 viaide - ok
    17:56:43.0372 5664 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
    17:56:43.0388 5664 volmgr - ok
    17:56:44.0012 5664 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
    17:56:44.0240 5664 volmgrx - ok
    17:56:44.0770 5664 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
    17:56:44.0895 5664 volsnap - ok
    17:56:45.0316 5664 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
    17:56:45.0347 5664 vsmraid - ok
    17:56:45.0815 5664 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
    17:56:45.0847 5664 WacomPen - ok
    17:56:46.0096 5664 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
    17:56:46.0112 5664 Wanarp - ok
    17:56:46.0221 5664 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
    17:56:46.0221 5664 Wanarpv6 - ok
    17:56:46.0736 5664 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
    17:56:46.0736 5664 Wd - ok
    17:56:47.0219 5664 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
    17:56:47.0219 5664 WmiAcpi - ok
    17:56:47.0516 5664 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
    17:56:47.0531 5664 WpdUsb - ok
    17:56:48.0077 5664 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
    17:56:48.0109 5664 ws2ifsl - ok
    17:56:48.0608 5664 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
    17:56:48.0608 5664 WUDFRd - ok
    17:56:48.0701 5664 MBR (0x1B8) (4bf077b4df3f4f5483a79d4ce511c7f3) \Device\Harddisk0\DR0
    17:56:48.0764 5664 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
    17:56:48.0764 5664 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
    17:56:48.0779 5664 Boot (0x1200) (0709c36d0aadcf113d5f0c112d0f1566) \Device\Harddisk0\DR0\Partition0
    17:56:48.0779 5664 \Device\Harddisk0\DR0\Partition0 - ok
    17:56:48.0779 5664 ============================================================
    17:56:48.0779 5664 Scan finished
    17:56:48.0779 5664 ============================================================
    17:56:48.0795 4824 Detected object count: 1
    17:56:48.0795 4824 Actual detected object count: 1
    17:57:05.0022 4824 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
    17:57:05.0022 4824 \Device\Harddisk0\DR0 - ok
    17:57:05.0022 4824 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
    17:57:11.0233 18176 Deinitialize success
     
  14. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    That's actually good news because TDSSKiller killed a rootkit.

    Re-run aswMBR, post new log.

    Also....

    Re-run Farbar Service Scanner but this time....
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.
     
  15. waveofbabies

    waveofbabies TS Rookie Topic Starter Posts: 20

    Can I do this from safe mode?
     
  16. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    Yes..............
     
  17. waveofbabies

    waveofbabies TS Rookie Topic Starter Posts: 20

    Farbar Service Scanner
    Ran by Administrator (administrator) on 12-01-2012 at 19:23:11
    Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
    Boot Mode: Nerwork
    ****************************************************************

    Internet Services:
    ============
    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    afd Service is not running. Checking service configuration:
    The start type of afd service is OK.
    The ImagePath of afd service is OK.


    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============
    MpsSvc Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
    Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

    bfe Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.
    Checking LEGACY_bfe: Attention! Unable to open LEGACY_bfe\0000 registry key. The key does not exist.

    mpsdrv Service is not running. Checking service configuration:
    The start type of mpsdrv service is OK.
    The ImagePath of mpsdrv service is OK.


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============
    SDRSVC Service is not running. Checking service configuration:
    The start type of SDRSVC service is OK.
    The ImagePath of SDRSVC service is OK.
    The ServiceDll of SDRSVC service is OK.
    Checking LEGACY_SDRSVC: Attention! Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.

    VSS Service is not running. Checking service configuration:
    The start type of VSS service is OK.
    The ImagePath of VSS service is OK.


    System Restore Disabled Policy:
    ========================


    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
    Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


    Windows Update:
    ===========
    wuauserv Service is not running. Checking service configuration:
    The start type of wuauserv service is OK.
    The ImagePath of wuauserv service is OK.
    The ServiceDll of wuauserv service is OK.

    BITS Service is not running. Checking service configuration:
    The start type of BITS service is OK.
    The ImagePath of BITS service is OK.
    The ServiceDll of BITS service is OK.
    Checking LEGACY_BITS: Attention! Unable to open LEGACY_BITS\0000 registry key. The key does not exist.

    EventSystem Service is not running. Checking service configuration:
    The start type of EventSystem service is OK.
    The ImagePath of EventSystem service is OK.
    The ServiceDll of EventSystem service is OK.


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys
    [2011-06-27 19:56] - [2012-01-12 17:18] - 0000000 ____A ()

    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll
    [2011-01-02 23:10] - [2009-04-11 01:28] - 0061440 ____A (Microsoft Corporation) 1CA6C40261DDC0425987980D0CD2AAAB

    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll
    [2011-01-02 23:10] - [2009-04-11 01:28] - 0758784 ____A (Microsoft Corporation) 93952506C6D67330367F7E7934B6A02F

    C:\Windows\system32\es.dll
    [2011-01-02 23:10] - [2009-04-11 01:28] - 0268800 ____A (Microsoft Corporation) 67058C46504BC12D821F38CF99B7B28F

    C:\Windows\system32\cryptsvc.dll
    [2011-01-02 23:10] - [2009-04-11 01:28] - 0129024 ____A (Microsoft Corporation) FB27772BEAF8E1D28CCD825C09DA939B

    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****

    aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-12 19:15:06
    -----------------------------
    19:15:06.141 OS Version: Windows 6.0.6002 Service Pack 2
    19:15:06.141 Number of processors: 2 586 0xF0B
    19:15:06.141 ComputerName: STEPHEN-PC UserName:
    19:15:07.030 Initialize success
    19:15:12.272 AVAST engine defs: 12011200
    19:15:14.861 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000041
    19:15:14.877 Disk 0 Vendor: WDC_WD32 12.0 Size: 305245MB BusType: 6
    19:15:14.893 Disk 0 MBR read successfully
    19:15:14.893 Disk 0 MBR scan
    19:15:14.893 Disk 0 Windows VISTA default MBR code
    19:15:14.908 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 305243 MB offset 2048
    19:15:14.908 Disk 0 scanning sectors +625139712
    19:15:14.971 Disk 0 scanning C:\Windows\system32\drivers
    19:15:22.162 File: C:\Windows\system32\drivers\Wdf01000.sys **INFECTED** Win32:RLoader-B
    19:15:22.365 Disk 0 trace - called modules:
    19:15:22.381 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
    19:15:22.381 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85caeac8]
    19:15:22.396 3 CLASSPNP.SYS[8a3ac8b3] -> nt!IofCallDriver -> [0x8531ee00]
    19:15:22.396 5 acpi.sys[807bc6bc] -> nt!IofCallDriver -> \Device\00000041[0x8530fa08]
    19:15:23.535 AVAST engine scan C:\Windows
    19:15:26.125 AVAST engine scan C:\Windows\system32
    19:17:17.836 AVAST engine scan C:\Windows\system32\drivers
    19:17:25.059 File: C:\Windows\system32\drivers\Wdf01000.sys **INFECTED** Win32:RLoader-B
    19:17:26.198 AVAST engine scan C:\Users\Administrator
    19:18:15.369 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache2441297853792215642.tmp **INFECTED** Win32:Kryptik-DJD [Trj]
    19:18:15.416 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache2546951413663940763.tmp **INFECTED** Win32:MalOb-GF [Cryp]
    19:18:15.463 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache2740558627932482271.tmp **INFECTED** Win32:Kryptik-DJD [Trj]
    19:18:15.603 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache4416902755111729394.tmp **INFECTED** Win32:Kryptik-DKN [Trj]
    19:18:15.790 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache5554113741605944304.tmp **INFECTED** Win32:MalOb-GS [Cryp]
    19:18:16.071 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache6855520816091083099.tmp **INFECTED** Win32:MalOb-GS [Cryp]
    19:18:16.165 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache7262576682993569311.tmp **INFECTED** Win32:Kryptik-DJD [Trj]
    19:18:16.243 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache7309834498984758723.tmp **INFECTED** Win32:MalOb-GF [Cryp]
    19:18:16.305 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache7645806635774182343.tmp **INFECTED** Win32:Renosa-J [Wrm]
    19:18:16.383 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache8500703002762741723.tmp **INFECTED** Win32:Kryptik-DJD [Trj]
    19:21:15.065 Disk 0 MBR has been saved successfully to "C:\Users\Administrator\Desktop\MBR.dat"
    19:21:15.065 The log file has been saved successfully to "C:\Users\Administrator\Desktop\aswMBR.txt"
     
  18. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    aswMBR log looks much better :)

    Re-run BlitzBlank (see my post #10) with this code:

    Code:
    CopyFile:
    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6000.16386_none_d5b1809661820e7c\afd.sys C:\Windows\System32\drivers\afd.sys
    
    Post its log.
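    The FSS log above reports three service keys that no longer exist (MpsSvc, bfe, wscsvc) and a zero-byte afd.sys, and the BlitzBlank step copies a replacement afd.sys out of the WinSxS component store. The script below is an added, read-only example written for this editing pass; it is not part of the thread and is not code from Farbar Service Scanner, BlitzBlank or TDSSKiller. It re-checks the same services FSS lists (plus netbt from the earlier BlitzBlank log): whether the registry key exists, the Start type and ImagePath, whether the backing file is present and non-zero, its MD5 (the hash TDSSKiller and FSS print, so it can be compared with the logs) and Authenticode status, and which copies of that file sit under WinSxS. It assumes the default %SystemRoot% layout and modifies nothing.

```powershell
# Added example (not from the thread, FSS or BlitzBlank): read-only service and
# driver-file integrity check in the spirit of the FSS log. Nothing is modified.

# Service names are the ones FSS checks in the log above, plus netbt from the
# earlier BlitzBlank log. Assumption: default %SystemRoot% layout.
$services = 'Dhcp','afd','MpsSvc','bfe','mpsdrv','SDRSVC','VSS','wscsvc',
            'wuauserv','BITS','EventSystem','netbt'

$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-Md5Hex {
    # MD5 is what TDSSKiller and FSS print, so values can be compared with the logs.
    param([string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($md5.ComputeHash($fs)) -replace '-', '').ToLower() }
    finally { $fs.Dispose() }
}

function Resolve-ServiceImage {
    # ImagePath/ServiceDll may be relative ("system32\DRIVERS\afd.sys"), prefixed
    # with \SystemRoot\ or \??\, quoted, or carry svchost arguments; reduce it to a path.
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^"([^"]+)"')                  { $p = $Matches[1] }
    elseif ($p -match '^(.+?\.(exe|sys|dll))\b') { $p = $Matches[1] }
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-ServiceIntegrity {
    param([string[]]$Name)
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($n in $Name) {
        $r = New-Object PSObject -Property @{
            Service = $n; KeyPresent = $false; Start = $null; ImagePath = $null
            File = $null; Size = $null; MD5 = $null; Signature = $null; WinSxSCopies = @()
        }
        $key = Get-ItemProperty -Path "$svcRoot\$n" -ErrorAction SilentlyContinue
        if (-not $key) { $r; continue }          # FSS: "The service key does not exist"
        $r.KeyPresent = $true
        $r.Start      = if ($key.Start -ne $null) { $startNames[[int]$key.Start] } else { $null }
        $r.ImagePath  = $key.ImagePath
        # svchost-hosted services (Dhcp, BITS, wuauserv ...) keep their code in Parameters\ServiceDll.
        $params = Get-ItemProperty -Path "$svcRoot\$n\Parameters" -ErrorAction SilentlyContinue
        $target = if ($params -and $params.ServiceDll) { $params.ServiceDll } else { $key.ImagePath }
        $r.File = Resolve-ServiceImage $target
        if ($r.File -and (Test-Path -LiteralPath $r.File)) {
            $fi = Get-Item -LiteralPath $r.File
            $r.Size = $fi.Length                 # 0 here is the afd.sys case in the FSS log
            $r.MD5  = Get-Md5Hex $r.File
            $sig = Get-AuthenticodeSignature -FilePath $r.File -ErrorAction SilentlyContinue
            # Caveat: pre-Windows 8 PowerShell does not consult catalog signatures, so genuine
            # OS files report NotSigned there; HashMismatch is the status that is a real alarm.
            $r.Signature = if ($sig) { $sig.Status.ToString() } else { 'Error' }
            # Candidate replacements in the component store, the source used by the CopyFile step.
            $leaf = Split-Path -Leaf $r.File
            $r.WinSxSCopies = @(Get-ChildItem -Path "$env:SystemRoot\winsxs\*\$leaf" -ErrorAction SilentlyContinue |
                ForEach-Object { '{0} size={1} md5={2}' -f $_.FullName, $_.Length, (Get-Md5Hex $_.FullName) })
        }
        $r
    }
}

# Usage: run from an elevated PowerShell; look at KeyPresent, Size and Signature first.
Test-ServiceIntegrity -Name $services |
    Format-List Service, KeyPresent, Start, ImagePath, File, Size, MD5, Signature, WinSxSCopies
```

    Two cautions when reading the output. A missing key or a zero-byte file is a definite finding; an MD5 that differs from a WinSxS copy is not, because the component store holds every version ever installed (the path in the CopyFile command above is the 6.0.6000.16386 RTM build, not the Service Pack 2 file a patched Vista runs), so pick the copy whose version matches before restoring. Also, the status c0000022 in the BlitzBlank log is STATUS_ACCESS_DENIED on opening the source file, so confirming the chosen WinSxS copy is readable from a normal session is worth doing before scheduling another reboot copy.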
     
  19. waveofbabies

    waveofbabies TS Rookie Topic Starter Posts: 20

    For some reason, I am no longer able to open the flash drive on the PC with the viruses, but I was still able to send files to it, thankfully. Upon reboot after running BlitzBlank, there was the blue screen again. Rebooted into safe mode with networking. Here is the log.


    BlitzBlank 1.0.0.32

    File/Registry Modification Engine native application
    CopyFileOnReboot: sourceFile = "\??\c:\windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6000.16386_none_5e2e0665fa591691\netbt.sys", destinationFile = "\??\c:\windows\system32\drivers\netbt.sys"GetDataFromFile: ZwOpenFile failed: status = c0000022
    CopyFileOnReboot: sourceFile = "\??\c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6000.16386_none_d5b1809661820e7c\afd.sys", destinationFile = "\??\c:\windows\system32\drivers\afd.sys"GetDataFromFile: ZwOpenFile failed: status = c0000022


    BlitzBlank 1.0.0.32

    File/Registry Modification Engine native application
    CopyFileOnReboot: sourceFile = "\??\c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6000.16386_none_d5b1809661820e7c\afd.sys", destinationFile = "\??\c:\windows\system32\drivers\afd.sys"GetDataFromFile: ZwOpenFile failed: status = c0000022
     
  20. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.

    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  21. waveofbabies

    waveofbabies TS Rookie Topic Starter Posts: 20

    Here is the log from Rkill.

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 01/13/2012 at 15:36:25.
    Operating System: Windows Vista (TM) Home Premium


    Processes terminated by Rkill or while it was running:



    Rkill completed on 01/13/2012 at 15:36:27.

    Combofix seemed to be working. Then a window popped up indicating that I had some sort of severe infection. I clicked ok and the blue window is still open. I'm not sure if it is still working or not.
     
  22. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    If your computer clock is running Combofix is still working.
     
  23. waveofbabies

    waveofbabies TS Rookie Topic Starter Posts: 20

    Okay, then we're good, I think.
     
  24. waveofbabies

    waveofbabies TS Rookie Topic Starter Posts: 20

    ComboFix asked me to reboot. I rebooted into safe mode but I cannot find the log.
     
  25. Broni

    Broni Malware Annihilator Posts: 47,037   +255

    If it's not here: C:\combofix.txt re-run Combofix from safe mode.
     

