Help! Virus still on Laptop after reformat?


mazmac

hi, I really hope someone can help me :)
my boyfriend somehow managed to get a really aggressive virus on his laptop and I've been trying to get rid of it but no luck!
what the virus does is it closes all the antivirus programs after a couple of seconds, makes new folders, takes control of the start menu, opens/loads other folders and then shuts itself down.
I've tried to manually remove it using safe mode and deleting bits of it in regedit, but no luck.. it even blocks the keyboard.. it's mental!
luckily before the virus appeared we saved all his files on my external hd.
So I decided to reformat his whole laptop and reinstall Windows 7. He had two partitions and I formatted both and deleted both, so he now has one partition and the installed Windows. It took a long time and afterwards the same things started to happen, so I did it again and there were two partitions again, so I reformatted and deleted both and reinstalled Windows, but the same thing (I've done this about 4 times now).
What I've also realised is that while the laptop loads up the keyboard sometimes blocks and I can't press enter or go into the BIOS etc.
I don't know what to do anymore and it's really annoying!

The laptop has not been connected to the internet since the virus came.
Also the windows 7 installation disc is a legitimate copy.

So can anyone help me? please?!?! thanks in advance :)
 
Welcome to TechSpot!

I'll try to help you find the source of the problem. A word of Warning! Stay out of the BIOS or any other system processes. You can end up making the matter much worse.

I will need information about what is on the system. If you cannot access the internet from the problem computer, you can download the scanning programs to a flash drive, then install and run on the problem computer:

If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply .
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Important!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.


An additional note: It is very possible that a file or folder you backed up was infected with malware. IF you reformatted/reinstalled, then put the file back onto the computer, you may have reinfected it. For now, please do not put any of the backups back onto the system, particularly if they are .exe files.
 
That's the thing, I haven't added anything back on it after I reformatted it.
I did the back up of his things prob a month before the virus so his files aren't infected..

I've used the following antivirus programs and they shut down after a couple of seconds:

Microsoft Security Essentials
Malwarebytes' Anti-Malware
AVG
and another one but I can't remember the name.

Also the first two were already installed before the virus.


the windows disk is an original retail disk so it can't be from that..
when I reinstalled windows I did a custom install - format then deleted everything.

also I can't take it to the store where my boyfriend's step-dad purchased it from cause that is in Sweden and I live in Croatia, and his laptop is about 4 years old..
 
OK, I followed all the instructions in "UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions"

1. I installed Avira Free, it managed to do a quick scan and reported that there were no infected files, then when I tried to do a full scan the whole system went haywire and shut itself down.

2. I ran TFC but not much happened; it removed a very small number of files and then I restarted.

3. Surprisingly I managed to run a full scan with Malwarebytes' Anti-Malware. Before I reformatted the laptop it would close the antivirus program in a matter of seconds and then switch the laptop off; however, the scan didn't find anything.
Here is the log mbam-log-2011-02-05 (22-06-50):

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

05/02/2011 22:06:50
mbam-log-2011-02-05 (22-06-50).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 166843
Time elapsed: 39 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


4. I ran GMER and the first time I ran it, halfway through the laptop went crazy and shut itself off. It then took me a good 10 minutes to get the system to switch on, because the keyboard gets blocked and I can't select enter for Windows to resume normally; then somehow after restarting it a couple of times it was ok.
I then tried to run it again and it froze, and then third time lucky :)
here is the log gmer:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-05 22:54:52
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST950212A rev.3.05
Running: wzpj3in2.exe; Driver: C:\Users\Antonio\AppData\Local\Temp\axldqfog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKeyEx + 13B1 828698E9 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 828893B2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000040 halacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows Search\CatalogNames\Windows\SystemIndex@pkm:catalog:LastCatalogCrawlId 9
Reg HKLM\SOFTWARE\Microsoft\Windows Search\CatalogNames\Windows\SystemIndex@pkm:catalog:LastCatalogCrawlModified 3
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\10
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\10@CrawlType 2
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\10@InProgress 1
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\10@DoneAddingCrawlSeeds 1
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\10@IsCatalogLevel 0
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\10@LogStartAddId 2
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\2@CrawlNumberInProgress 10

---- EOF - GMER 1.0.15 ----


5. I ran DDS straight after GMER and here are the logs, DDS and Attach:

DDS log:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Antonio at 22:55:44.54 on 05/02/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.736.366 [GMT 13:00]

AV: AntiVir Desktop *Enabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Antonio\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

============= SERVICES / DRIVERS ===============

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-2-5 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-2-5 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-2-5 61960]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]

=============== Created Last 30 ================

2011-02-05 21:11:49 -------- d-----w- c:\windows\Panther
2011-02-05 09:28:26 -------- d-----w- c:\windows\system32\New folder
2011-02-05 08:26:20 -------- d-----w- c:\users\antonio\appdata\roaming\Malwarebytes
2011-02-05 08:26:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-05 08:26:14 -------- d-----w- c:\progra~2\Malwarebytes
2011-02-05 08:26:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-05 08:26:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-05 08:16:31 -------- d-----w- c:\users\antonio\appdata\local\ElevatedDiagnostics
2011-02-05 07:21:42 -------- d-----w- c:\users\antonio\appdata\roaming\Avira
2011-02-05 07:19:14 -------- d-----w- c:\windows\system32\wbem\Performance
2011-02-05 07:18:46 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-02-05 07:18:45 -------- d-----w- c:\program files\Avira
2011-02-05 07:18:45 -------- d-----w- c:\progra~2\Avira
2011-02-05 07:17:23 -------- d-sh--w- c:\windows\Installer

==================== Find3M ====================


============= FINISH: 22:56:28.40 ===============


Attach log:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 05/02/2011 13:24:07
System Uptime: 05/02/2011 22:35:42 (0 hours ago)

Motherboard: NEC COMPUTERS INTERNATIONAL | | Rhea B
Processor: Intel(R) Celeron(R) M processor 1.30GHz | mPGA478 | 1294/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 46 GiB total, 39.581 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description: Video Controller
Device ID: PCI\VEN_8086&DEV_3582&SUBSYS_D0041631&REV_02\3&18D45AA6&0&11
Manufacturer:
Name: Video Controller
PNP Device ID: PCI\VEN_8086&DEV_3582&SUBSYS_D0041631&REV_02\3&18D45AA6&0&11
Service:

Class GUID:
Description:
Device ID: ACPI\MTC0003\4&69EE968&0
Manufacturer:
Name:
PNP Device ID: ACPI\MTC0003\4&69EE968&0
Service:

Class GUID:
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24C5&SUBSYS_D0041631&REV_03\3&18D45AA6&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24C5&SUBSYS_D0041631&REV_03\3&18D45AA6&0&FD
Service:

Class GUID:
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_24C6&SUBSYS_D0041631&REV_03\3&18D45AA6&0&FE
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_24C6&SUBSYS_D0041631&REV_03\3&18D45AA6&0&FE
Service:

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Avira AntiVir Personal - Free Antivirus
Malwarebytes' Anti-Malware
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

==== Event Viewer Messages From Past Week ========

05/02/2011 22:35:46, Error: Microsoft-Windows-Kernel-Processor-Power [6] - Some processor performance power management features have been disabled due to a known firmware problem. Check with the computer manufacturer for updated firmware.

==== End Of File ===========================



I hope you can help me fix the laptop..

btw I forgot to mention earlier that when I start the laptop up it sometimes produces these really high-pitched sounds and freezes for a bit, and then I have to restart it; but then sometimes it only does it for a second and then continues normally.

also the keyboard during start-up rarely gives any sign of life, but then when it gets to the desktop it sometimes works fine and sometimes it goes all crazy and inverts everything, and the only letters it can type are Á É Í Ó.

thanks in advance for any other help :)
 
A few questions come to mind:
1. Do you have another language other than English on the system?
2. I have some concern about all the reformats/reinstalls you've done and the fact that you wanted to access the BIOS> what did you want to do in the BIOS?
3. Are you using the touchpad or a USB mouse for the laptop?
4. Your description of what the keyboard is doing-or isn't doing is system related. Have you ever gone into the Control Panel > typed keyboard in the search and double click the keyboard icon when it displays and checked the settings?
Windows 7 has some keyboard tweaks such as changing how fast the keys repeat when you hold them down. And if the keyboard has extra buttons along the top, you will need to install the keyboard's software to make them work.
=====================================
As for the screaming startup, never a good sign! I'd like you to run the following 2 scans, without doing anything else to the system.

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
===============================================
Download Combofix to your desktop from one of these locations:
Link 1
Link 2
http://www.forospyware.com/sUBs/ComboFix.exe
  • Double click combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Query - Recovery Console:
    WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking what to do next.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes it will open a text window. Please paste that log in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
No, I don't have another language installed. When I was installing Windows 7 the keyboard language I chose was English, and I haven't installed any other language after that.

As for the BIOS, I didn't do anything to it, nor did I enter it. I was just stating the fact that during start-up the keyboard blocks and I can't enter the BIOS, boot from network or select anything after that, i.e. resume Windows etc.

I use a touchpad and the keyboard doesn't have any extra buttons.

The "screaming startup" only happens maybe 2/10 times.

I ran the Eset NOD32 Online AntiVirus scan and the first time it got to 99% and then the computer went mental and shut down. The second time I tried it froze, and the third time it managed to do the scan, but I had to constantly close folders and folder properties windows and stop it from shutting down; during the scan it created about 12 'New Folders'. However, the scan didn't find any infected items, and when I tried to find the log report I wasn't sure if this was the right one, but nevertheless here is the log I found:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251

I then ran Combofix and here is the log:

ComboFix 11-02-05.01 - Antonio 07/02/2011 3:01.1.1 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.736.335 [GMT 13:00]
Running from: c:\users\Antonio\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy5_!Windows!System32!drivers!atapi.sys

.
((((((((((((((((((((((((( Files Created from 2011-01-06 to 2011-02-06 )))))))))))))))))))))))))))))))
.

2011-02-06 14:25 . 2011-02-06 14:25 -------- d-----w- c:\windows\system32\Wat
2011-02-06 14:15 . 2011-02-06 14:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-06 14:05 . 2010-02-11 07:10 293376 ----a-w- c:\windows\system32\browserchoice.exe
2011-02-06 14:03 . 2010-03-04 03:57 190976 ----a-w- c:\windows\system32\drivers\ks.sys
2011-02-06 13:15 . 2010-08-21 05:36 224256 ----a-w- c:\windows\system32\schannel.dll
2011-02-06 13:13 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2011-02-06 13:13 . 2010-08-21 05:33 530432 ----a-w- c:\windows\system32\comctl32.dll
2011-02-06 13:13 . 2010-08-31 04:32 954752 ----a-w- c:\windows\system32\mfc40.dll
2011-02-06 13:13 . 2010-08-31 04:32 954288 ----a-w- c:\windows\system32\mfc40u.dll
2011-02-06 13:13 . 2010-09-01 04:26 164864 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2011-02-06 13:13 . 2010-09-01 04:23 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2011-02-06 13:11 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2011-02-06 13:08 . 2011-02-02 04:10 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A1817E31-0F49-40E3-9C03-C609D2981685}\mpengine.dll
2011-02-06 13:08 . 2011-02-02 04:11 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-06 12:58 . 2010-10-19 08:10 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-02-06 12:58 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-06 12:58 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-06 12:58 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-06 12:56 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2011-02-06 12:56 . 2010-10-20 03:00 2327552 ----a-w- c:\windows\system32\win32k.sys
2011-02-06 12:36 . 2011-02-06 12:36 -------- d-----w- c:\program files\ESET
2011-02-05 23:40 . 2011-02-05 23:40 -------- d-----w- c:\program files\Belkin
2011-02-05 23:23 . 2011-02-05 23:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2011-02-05 23:21 . 2011-02-05 23:33 -------- d-----w- c:\program files\Common Files\InstallShield
2011-02-05 21:11 . 2011-02-05 00:24 -------- d-----w- c:\windows\Panther
2011-02-05 09:28 . 2011-02-05 09:28 -------- d-----w- c:\windows\system32\New folder
2011-02-05 08:26 . 2010-12-20 05:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-05 08:26 . 2011-02-05 08:26 -------- d-----w- c:\programdata\Malwarebytes
2011-02-05 08:26 . 2011-02-05 08:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-05 08:26 . 2010-12-20 05:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-05 07:19 . 2011-02-06 13:57 -------- d-----w- c:\windows\system32\wbem\Performance
2011-02-05 07:18 . 2011-01-10 01:23 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-02-05 07:18 . 2011-01-10 01:23 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-02-05 07:18 . 2011-02-05 07:18 -------- d-----w- c:\programdata\Avira
2011-02-05 07:18 . 2011-02-05 07:18 -------- d-----w- c:\program files\Avira
2011-02-05 07:17 . 2011-02-05 23:40 -------- d-sh--w- c:\windows\Installer
2011-02-05 00:24 . 2011-02-05 00:24 -------- d-----w- c:\users\Antonio
2011-02-05 00:24 . 2011-02-05 00:24 -------- d-----w- C:\Recovery

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BrowserChoice"="c:\windows\System32\browserchoice.exe" [2010-02-11 293376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-02-06 1343400]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-01-10 135336]
S3 kbd;Keyboard;c:\windows\system32\DRIVERS\kbd.sys [2005-09-29 21504]

.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\System32\mshta.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\vssvc.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\windows\system32\DrvInst.exe
.
**************************************************************************
.
Completion time: 2011-02-07 03:36:58 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-06 14:36

Pre-Run: 40,792,735,744 bytes free
Post-Run: 40,068,767,744 bytes free

- - End Of File - - 9D58F6ABD7F6A24A1BE88B0F53A37EC6



What do I need to do now, or is the problem sorted? Thanks for all the help so far :)
 
Didn't get email feedback of reply- sorry.

Due to the finding and replacing of the infected atapi file, we need to look for a rootkit:
  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double click on TDSSKiller.exe. to run the scan
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result. Please paste the log into next reply.
  • A reboot is required after disinfection.

There are several files, folders and directories in the Combofix log which I need to set up to view the contents.

Please do a search on the system for C:\Program Files\EsetOnlineScanner\log.txt. If found, please post the full log.
 
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :dir
    c:\windows\system32\New folder
    c:\windows\Panther
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
========================================
What did you put in this directory?> 2011-02-05 00:24 -------- d-----w- c:\users\Antonio
I don't want to open it like the 2 above and have hundreds of files and folders listed!
======================================
during start up the keyboard blocks
Since you mention the keyboard specifically and I don't know whether it's not working because it's USB, or malware, I wanted to bring this to your attention: The keyboard driver below is dated 2005. It's possible it may need a driver update:
S3 kbd;Keyboard;c:\windows\system32\DRIVERS\kbd.sys [2005-09-29 21504]
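As an added example (not the helper's instructions or any of the tools' own code), a PowerShell check a responder could run after ComboFix reported replacing atapi.sys, and before trusting the 2005-dated kbd.sys: it reports each driver's Authenticode status, signer, version, date and MD5 (TDSSKiller prints an MD5 per driver, so the values can be compared). The file names come from the logs above; the verdict wording and the sfc fallback are my additions.

```powershell
# Added example, not part of the thread. Run from an elevated PowerShell prompt
# on the affected PC. The driver list is taken from the posted ComboFix/DDS logs.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$drivers   = @('atapi.sys', 'kbd.sys', 'avgntflt.sys')

function Get-Md5Hex {
    # MD5 only because TDSSKiller prints an MD5 per driver, so the
    # values can be compared line for line with its log.
    param([string]$Path)
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $md5.ComputeHash($stream) }
    finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-DriverFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ File = $Path; Verdict = 'MISSING' }
    }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    # HashMismatch means the file changed after it was signed, which is what an
    # infected atapi.sys looks like. NotSigned needs care: in-box Windows 7
    # drivers are signed through catalog files, and older PowerShell builds
    # report those as NotSigned, so confirm with:  sfc /verifyfile=<path>
    $verdict = switch ($sig.Status) {
        'Valid'        { 'signature OK' }
        'HashMismatch' { 'ALTERED AFTER SIGNING - treat as infected' }
        'NotSigned'    { 'no embedded signature - verify with sfc /verifyfile' }
        default        { "check manually: $($sig.Status)" }
    }
    $signer = '(none)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    New-Object PSObject -Property @{
        File     = $item.Name
        Verdict  = $verdict
        Signer   = $signer
        Version  = $item.VersionInfo.FileVersion
        Modified = $item.LastWriteTime.ToString('yyyy-MM-dd')
        MD5      = Get-Md5Hex -Path $Path
    }
}

$drivers |
    ForEach-Object { Test-DriverFile -Path (Join-Path $driverDir $_) } |
    Format-List File, Verdict, Signer, Version, Modified, MD5
```

A non-Microsoft signer or anything other than a valid signature on atapi.sys is the kind of finding that justifies the rootkit scan the helper asks for above.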
 
I ran TDSSKiller but it didn't find any threats, and there is no quarantine log either, just a normal log:


2011/02/13 01:02:18.0688 3880 TDSS rootkit removing tool 2.4.17.0 Feb 10 2011 11:07:20
2011/02/13 01:02:19.0199 3880 ================================================================================
2011/02/13 01:02:19.0199 3880 SystemInfo:
2011/02/13 01:02:19.0199 3880
2011/02/13 01:02:19.0199 3880 OS Version: 6.1.7600 ServicePack: 0.0
2011/02/13 01:02:19.0199 3880 Product type: Workstation
2011/02/13 01:02:19.0199 3880 ComputerName: ANTONIO-PC
2011/02/13 01:02:19.0199 3880 UserName: Antonio
2011/02/13 01:02:19.0199 3880 Windows directory: C:\Windows
2011/02/13 01:02:19.0199 3880 System windows directory: C:\Windows
2011/02/13 01:02:19.0199 3880 Processor architecture: Intel x86
2011/02/13 01:02:19.0199 3880 Number of processors: 1
2011/02/13 01:02:19.0199 3880 Page size: 0x1000
2011/02/13 01:02:19.0199 3880 Boot type: Normal boot
2011/02/13 01:02:19.0199 3880 ================================================================================
2011/02/13 01:02:21.0292 3880 Initialize success
2011/02/13 01:02:38.0817 3552 ================================================================================
2011/02/13 01:02:38.0817 3552 Scan started
2011/02/13 01:02:38.0817 3552 Mode: Manual;
2011/02/13 01:02:38.0817 3552 ================================================================================
2011/02/13 01:04:44.0999 3552 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
2011/02/13 01:04:47.0943 3552 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/02/13 01:04:50.0717 3552 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\DRIVERS\cmdide.sys
2011/02/13 01:04:53.0251 3552 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys
2011/02/13 01:04:55.0687 3552 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
2011/02/13 01:04:57.0850 3552 CompositeBus (f1724ba27e97d627f808fb0ba77a28a6) C:\Windows\system32\DRIVERS\CompositeBus.sys
2011/02/13 01:05:00.0154 3552 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
2011/02/13 01:05:02.0888 3552 CSC (27c9490bdd0ae48911ab8cf1932591ed) C:\Windows\system32\drivers\csc.sys
2011/02/13 01:05:05.0989 3552 DfsC (8e09e52ee2e3ceb199ef3dd99cf9e3fb) C:\Windows\system32\Drivers\dfsc.sys
2011/02/13 01:05:08.0115 3552 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
2011/02/13 01:05:10.0949 3552 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
2011/02/13 01:05:13.0293 3552 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
2011/02/13 01:05:15.0496 3552 DXGKrnl (8b6c3464d7fac176500061dbfff42ad4) C:\Windows\System32\drivers\dxgkrnl.sys
2011/02/13 01:05:20.0072 3552 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
2011/02/13 01:05:23.0337 3552 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
2011/02/13 01:05:25.0951 3552 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\DRIVERS\errdev.sys
2011/02/13 01:05:28.0494 3552 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
2011/02/13 01:05:31.0118 3552 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
2011/02/13 01:05:33.0361 3552 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
2011/02/13 01:05:35.0565 3552 FETNDIS (f5cb6cb6d12f495516be27cffccde4bf) C:\Windows\system32\DRIVERS\fetnd6.sys
2011/02/13 01:05:38.0100 3552 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
2011/02/13 01:05:40.0003 3552 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
2011/02/13 01:05:42.0066 3552 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/02/13 01:05:44.0199 3552 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
2011/02/13 01:05:46.0331 3552 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
2011/02/13 01:05:49.0215 3552 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
2011/02/13 01:05:52.0888 3552 fvevol (dafbd9fe39197495aed6d51f3b85b5d2) C:\Windows\system32\DRIVERS\fvevol.sys
2011/02/13 01:05:55.0522 3552 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
2011/02/13 01:05:58.0215 3552 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
2011/02/13 01:06:00.0489 3552 HDAudBus (717a2207fd6f13ad3e664c7d5a43c7bf) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/02/13 01:06:02.0832 3552 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
2011/02/13 01:06:06.0768 3552 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
2011/02/13 01:06:09.0942 3552 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
2011/02/13 01:06:14.0449 3552 HidUsb (25072fb35ac90b25f9e4e3bacf774102) C:\Windows\system32\DRIVERS\hidusb.sys
2011/02/13 01:06:17.0133 3552 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\DRIVERS\HpSAMD.sys
2011/02/13 01:06:19.0426 3552 HTTP (c531c7fd9e8b62021112787c4e2c5a5a) C:\Windows\system32\drivers\HTTP.sys
2011/02/13 01:06:21.0619 3552 hwpolicy (8305f33cde89ad6c7a0763ed0b5a8d42) C:\Windows\system32\drivers\hwpolicy.sys
2011/02/13 01:06:23.0652 3552 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/02/13 01:06:26.0236 3552 iaStorV (934af4d7c5f457b9f0743f4299b77b67) C:\Windows\system32\DRIVERS\iaStorV.sys
2011/02/13 01:06:28.0088 3552 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
2011/02/13 01:06:29.0791 3552 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\DRIVERS\intelide.sys
2011/02/13 01:06:31.0603 3552 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
2011/02/13 01:06:33.0626 3552 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/02/13 01:06:36.0350 3552 IPMIDRV (e4454b6c37d7ffd5649611f6496308a7) C:\Windows\system32\DRIVERS\IPMIDrv.sys
2011/02/13 01:06:38.0874 3552 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
2011/02/13 01:06:41.0498 3552 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
2011/02/13 01:06:44.0141 3552 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\DRIVERS\isapnp.sys
2011/02/13 01:06:47.0156 3552 iScsiPrt (ed46c223ae46c6866ab77cdc41c404b7) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/02/13 01:06:50.0501 3552 kbd (25e069d51596b9c77ea8e0bf51cf0f59) C:\Windows\system32\DRIVERS\kbd.sys
2011/02/13 01:06:53.0485 3552 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/02/13 01:06:56.0569 3552 kbdhid (3d9f0ebf350edcfd6498057301455964) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/02/13 01:06:59.0403 3552 KSecDD (e36a061ec11b373826905b21be10948f) C:\Windows\system32\Drivers\ksecdd.sys
2011/02/13 01:07:02.0969 3552 KSecPkg (365c6154bbbc5377173f1ca7bfb6cc59) C:\Windows\system32\Drivers\ksecpkg.sys
2011/02/13 01:07:07.0645 3552 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/02/13 01:07:10.0039 3552 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
2011/02/13 01:07:12.0542 3552 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
2011/02/13 01:07:14.0675 3552 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
2011/02/13 01:07:17.0149 3552 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
2011/02/13 01:07:20.0674 3552 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
2011/02/13 01:07:23.0178 3552 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
2011/02/13 01:07:25.0451 3552 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
2011/02/13 01:07:27.0554 3552 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
2011/02/13 01:07:29.0537 3552 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
2011/02/13 01:07:31.0760 3552 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
2011/02/13 01:07:33.0693 3552 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
2011/02/13 01:07:35.0896 3552 mountmgr (921c18727c5920d6c0300736646931c2) C:\Windows\system32\drivers\mountmgr.sys
2011/02/13 01:07:37.0678 3552 mpio (2af5997438c55fb79d33d015c30e1974) C:\Windows\system32\DRIVERS\mpio.sys
2011/02/13 01:07:39.0671 3552 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
2011/02/13 01:07:41.0734 3552 MRxDAV (b1be47008d20e43da3adc37c24cdb89d) C:\Windows\system32\drivers\mrxdav.sys
2011/02/13 01:07:43.0877 3552 mrxsmb (f1b6aa08497ea86ca6ef6f7a08b0bfb8) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/02/13 01:07:45.0980 3552 mrxsmb10 (5613358b4050f46f5a9832da8050d6e4) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/02/13 01:07:47.0543 3552 mrxsmb20 (25c9792778d80feb4c8201e62281bfdf) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/02/13 01:07:49.0195 3552 msahci (4326d168944123f38dd3b2d9c37a0b12) C:\Windows\system32\DRIVERS\msahci.sys
2011/02/13 01:07:51.0188 3552 msdsm (455029c7174a2dbb03dba8a0d8bddd9a) C:\Windows\system32\DRIVERS\msdsm.sys
2011/02/13 01:07:52.0940 3552 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
2011/02/13 01:07:54.0983 3552 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
2011/02/13 01:07:56.0836 3552 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\DRIVERS\msisadrv.sys
2011/02/13 01:07:58.0629 3552 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
2011/02/13 01:08:00.0341 3552 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/02/13 01:08:02.0063 3552 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
2011/02/13 01:08:03.0986 3552 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
2011/02/13 01:08:05.0789 3552 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/02/13 01:08:07.0481 3552 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
2011/02/13 01:08:09.0344 3552 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
2011/02/13 01:08:10.0966 3552 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
2011/02/13 01:08:12.0569 3552 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
2011/02/13 01:08:14.0712 3552 NDIS (23759d175a0a9baaf04d05047bc135a8) C:\Windows\system32\drivers\ndis.sys
2011/02/13 01:08:16.0334 3552 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
2011/02/13 01:08:18.0016 3552 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/02/13 01:08:19.0839 3552 Ndisuio (b30ae7f2b6d7e343b0df32e6c08fce75) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/02/13 01:08:21.0612 3552 NdisWan (267c415eadcbe53c9ca873dee39cf3a4) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/02/13 01:08:23.0635 3552 NDProxy (af7e7c63dcef3f8772726f86039d6eb4) C:\Windows\system32\drivers\NDProxy.sys
2011/02/13 01:08:25.0507 3552 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
2011/02/13 01:08:27.0039 3552 NetBT (dd52a733bf4ca5af84562a5e2f963b91) C:\Windows\system32\DRIVERS\netbt.sys
2011/02/13 01:08:28.0732 3552 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
2011/02/13 01:08:30.0394 3552 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
2011/02/13 01:08:32.0077 3552 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
2011/02/13 01:08:33.0919 3552 Ntfs (3795dcd21f740ee799fb7223234215af) C:\Windows\system32\drivers\Ntfs.sys
2011/02/13 01:08:35.0972 3552 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
2011/02/13 01:08:38.0546 3552 nvraid (3f3d04b1d08d43c16ea7963954ec768d) C:\Windows\system32\DRIVERS\nvraid.sys
2011/02/13 01:08:40.0128 3552 nvstor (c99f251a5de63c6f129cf71933aced0f) C:\Windows\system32\DRIVERS\nvstor.sys
2011/02/13 01:08:41.0871 3552 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\DRIVERS\nv_agp.sys
2011/02/13 01:08:43.0613 3552 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\DRIVERS\ohci1394.sys
2011/02/13 01:08:45.0416 3552 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
2011/02/13 01:08:47.0319 3552 partmgr (ff4218952b51de44fe910953a3e686b9) C:\Windows\system32\drivers\partmgr.sys
2011/02/13 01:08:49.0071 3552 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
2011/02/13 01:08:50.0924 3552 pci (c858cb77c577780ecc456a892e7e7d0f) C:\Windows\system32\DRIVERS\pci.sys
2011/02/13 01:08:52.0616 3552 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\DRIVERS\pciide.sys
2011/02/13 01:08:54.0249 3552 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
2011/02/13 01:08:56.0141 3552 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
2011/02/13 01:08:58.0074 3552 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
2011/02/13 01:09:00.0237 3552 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
2011/02/13 01:09:02.0671 3552 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
2011/02/13 01:09:04.0443 3552 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
2011/02/13 01:09:06.0446 3552 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
2011/02/13 01:09:08.0519 3552 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
2011/02/13 01:09:10.0532 3552 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
2011/02/13 01:09:12.0455 3552 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
2011/02/13 01:09:14.0067 3552 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
2011/02/13 01:09:15.0689 3552 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/02/13 01:09:17.0482 3552 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/02/13 01:09:19.0134 3552 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
2011/02/13 01:09:20.0967 3552 rdbss (835d7e81bf517a3b72384bdcc85e1ce6) C:\Windows\system32\DRIVERS\rdbss.sys
2011/02/13 01:09:22.0930 3552 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
2011/02/13 01:09:24.0622 3552 RDPCDD (1e016846895b15a99f9a176a05029075) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/02/13 01:09:26.0325 3552 RDPDR (c5ff95883ffef704d50c40d21cfb3ab5) C:\Windows\system32\drivers\rdpdr.sys
2011/02/13 01:09:27.0967 3552 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
2011/02/13 01:09:29.0589 3552 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
2011/02/13 01:09:31.0272 3552 RDPWD (801371ba9782282892d00aadb08ee367) C:\Windows\system32\drivers\RDPWD.sys
2011/02/13 01:09:33.0094 3552 rdyboost (4ea225bf1cf05e158853f30a99ca29a7) C:\Windows\system32\drivers\rdyboost.sys
2011/02/13 01:09:34.0847 3552 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
2011/02/13 01:09:36.0900 3552 rt2500usb (0f82a97056ea208183c0085589f83050) C:\Windows\system32\DRIVERS\rt2500usb.sys
2011/02/13 01:09:38.0622 3552 s3cap (5423d8437051e89dd34749f242c98648) C:\Windows\system32\DRIVERS\vms3cap.sys
2011/02/13 01:09:40.0285 3552 sbp2port (34ee0c44b724e3e4ce2eff29126de5b5) C:\Windows\system32\DRIVERS\sbp2port.sys
2011/02/13 01:09:43.0189 3552 scfilter (a95c54b2ac3cc9c73fcdf9e51a1d6b51) C:\Windows\system32\DRIVERS\scfilter.sys
2011/02/13 01:09:44.0901 3552 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/02/13 01:09:46.0414 3552 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
2011/02/13 01:09:47.0665 3552 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys
2011/02/13 01:09:48.0687 3552 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
2011/02/13 01:09:52.0332 3552 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\DRIVERS\sffdisk.sys
2011/02/13 01:09:53.0694 3552 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\DRIVERS\sffp_mmc.sys
2011/02/13 01:09:54.0966 3552 sffp_sd (4f1e5b0fe7c8050668dbfade8999aefb) C:\Windows\system32\DRIVERS\sffp_sd.sys
2011/02/13 01:09:55.0897 3552 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
2011/02/13 01:09:58.0200 3552 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\DRIVERS\sisagp.sys
2011/02/13 01:09:59.0723 3552 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
2011/02/13 01:10:02.0246 3552 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
2011/02/13 01:10:03.0448 3552 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
2011/02/13 01:10:04.0790 3552 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
2011/02/13 01:10:06.0352 3552 srv (2dbedfb1853f06110ec2aa7f3213c89f) C:\Windows\system32\DRIVERS\srv.sys
2011/02/13 01:10:10.0318 3552 srv2 (db37131d1027c50ea7ee21c8bb4536aa) C:\Windows\system32\DRIVERS\srv2.sys
2011/02/13 01:10:12.0892 3552 srvnet (f5980b74124db9233b33f86fc5ebbb4f) C:\Windows\system32\DRIVERS\srvnet.sys
2011/02/13 01:10:15.0395 3552 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\Windows\system32\DRIVERS\ssmdrv.sys
2011/02/13 01:10:17.0178 3552 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
2011/02/13 01:10:19.0281 3552 storflt (957e346ca948668f2496a6ccf6ff82cc) C:\Windows\system32\DRIVERS\vmstorfl.sys
2011/02/13 01:10:20.0793 3552 storvsc (d5751969dc3e4b88bf482ac8ec9fe019) C:\Windows\system32\DRIVERS\storvsc.sys
2011/02/13 01:10:22.0826 3552 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\DRIVERS\swenum.sys
2011/02/13 01:10:25.0360 3552 Tcpip (bb7f39c31c4a4417fd318e7cd184e225) C:\Windows\system32\drivers\tcpip.sys
2011/02/13 01:10:28.0564 3552 TCPIP6 (bb7f39c31c4a4417fd318e7cd184e225) C:\Windows\system32\DRIVERS\tcpip.sys
2011/02/13 01:10:30.0837 3552 tcpipreg (e64444523add154f86567c469bc0b17f) C:\Windows\system32\drivers\tcpipreg.sys
2011/02/13 01:10:32.0930 3552 TDPIPE (1875c1490d99e70e449e3afae9fcbadf) C:\Windows\system32\drivers\tdpipe.sys
2011/02/13 01:10:34.0713 3552 TDTCP (7551e91ea999ee9a8e9c331d5a9c31f3) C:\Windows\system32\drivers\tdtcp.sys
2011/02/13 01:10:36.0225 3552 tdx (cb39e896a2a83702d1737bfd402b3542) C:\Windows\system32\DRIVERS\tdx.sys
2011/02/13 01:10:38.0028 3552 TermDD (c36f41ee20e6999dbf4b0425963268a5) C:\Windows\system32\DRIVERS\termdd.sys
2011/02/13 01:10:40.0171 3552 tssecsrv (98ae6fa07d12cb4ec5cf4a9bfa5f4242) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/02/13 01:10:41.0823 3552 tunnel (3e461d890a97f9d4c168f5fda36e1d00) C:\Windows\system32\DRIVERS\tunnel.sys
2011/02/13 01:10:43.0526 3552 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
2011/02/13 01:10:45.0208 3552 udfs (09cc3e16f8e5ee7168e01cf8fcbe061a) C:\Windows\system32\DRIVERS\udfs.sys
2011/02/13 01:10:47.0081 3552 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\DRIVERS\uliagpkx.sys
2011/02/13 01:10:48.0543 3552 umbus (049b3a50b3d646baeeee9eec9b0668dc) C:\Windows\system32\DRIVERS\umbus.sys
2011/02/13 01:10:50.0235 3552 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
2011/02/13 01:10:52.0008 3552 usbccgp (8455c4ed038efd09e99327f9d2d48ffa) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/02/13 01:10:53.0740 3552 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\DRIVERS\usbcir.sys
2011/02/13 01:10:55.0513 3552 usbehci (1c333bfd60f2fed2c7ad5daf533cb742) C:\Windows\system32\DRIVERS\usbehci.sys
2011/02/13 01:10:57.0726 3552 usbhub (ee6ef93ccfa94fae8c6ab298273d8ae2) C:\Windows\system32\DRIVERS\usbhub.sys
2011/02/13 01:10:59.0849 3552 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\Windows\system32\DRIVERS\usbohci.sys
2011/02/13 01:11:01.0411 3552 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
2011/02/13 01:11:03.0134 3552 USBSTOR (d8889d56e0d27e57ed4591837fe71d27) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/02/13 01:11:04.0696 3552 usbuhci (78780c3ebce17405b1ccd07a3a8a7d72) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/02/13 01:11:06.0489 3552 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\DRIVERS\vdrvroot.sys
2011/02/13 01:11:08.0151 3552 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/02/13 01:11:09.0793 3552 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
2011/02/13 01:11:11.0486 3552 vhdmp (3be6e1f3a4f1afec8cee0d7883f93583) C:\Windows\system32\DRIVERS\vhdmp.sys
2011/02/13 01:11:13.0128 3552 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\DRIVERS\viaagp.sys
2011/02/13 01:11:14.0841 3552 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
2011/02/13 01:11:16.0463 3552 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\DRIVERS\viaide.sys
2011/02/13 01:11:18.0326 3552 vmbus (379b349f65f453d2a6e75ea6b7448e49) C:\Windows\system32\DRIVERS\vmbus.sys
2011/02/13 01:11:20.0098 3552 VMBusHID (ec2bbab4b84d0738c6c83d2234dc36fe) C:\Windows\system32\DRIVERS\VMBusHID.sys
2011/02/13 01:11:21.0751 3552 volmgr (384e5a2aa49934295171e499f86ba6f3) C:\Windows\system32\DRIVERS\volmgr.sys
2011/02/13 01:11:23.0463 3552 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
2011/02/13 01:11:25.0206 3552 volsnap (58df9d2481a56edde167e51b334d44fd) C:\Windows\system32\DRIVERS\volsnap.sys
2011/02/13 01:11:26.0988 3552 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
2011/02/13 01:11:28.0681 3552 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\System32\drivers\vwifibus.sys
2011/02/13 01:11:30.0373 3552 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
2011/02/13 01:11:32.0055 3552 WANARP (692a712062146e96d28ba0b7d75de31b) C:\Windows\system32\DRIVERS\wanarp.sys
2011/02/13 01:11:32.0286 3552 Wanarpv6 (692a712062146e96d28ba0b7d75de31b) C:\Windows\system32\DRIVERS\wanarp.sys
2011/02/13 01:11:34.0018 3552 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
2011/02/13 01:11:35.0871 3552 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
2011/02/13 01:11:38.0292 3552 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
2011/02/13 01:11:39.0971 3552 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
2011/02/13 01:11:41.0814 3552 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2011/02/13 01:11:43.0597 3552 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/02/13 01:11:45.0339 3552 WudfPf (6f9b6c0c93232cff47d0f72d6db1d21e) C:\Windows\system32\drivers\WudfPf.sys
2011/02/13 01:11:47.0092 3552 WUDFRd (f91ff1e51fca30b3c3981db7d5924252) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/02/13 01:11:47.0502 3552 ================================================================================
2011/02/13 01:11:47.0502 3552 Scan finished
2011/02/13 01:11:47.0502 3552 ================================================================================


I did a search for the EsetOnlineScanner\log.txt again and the same log came up as the one I already posted.

I then ran SystemLook for:
:dir
c:\windows\system32\New folder
c:\windows\Panther

here is the log:

SystemLook 04.09.10 by jpshortstuff
Log created at 04:29 on 13/02/2011 by Antonio
Administrator - Elevation successful

========== dir ==========

c:\windows\system32\New folder - Parameters: "(none)"

---Files---
None found.

---Folders---
None found.

c:\windows\Panther - Parameters: "(none)"

---Files---
cbs.log --a---- 38040 bytes [21:11 05/02/2011] [21:11 05/02/2011]
Contents0.dir --a---- 68 bytes [21:11 05/02/2011] [21:11 05/02/2011]
Contents1.dir --a---- 68 bytes [13:17 05/02/2011] [13:17 05/02/2011]
DDACLSys.log --a---- 920 bytes [13:16 05/02/2011] [13:16 05/02/2011]
diagerr.xml --a---- 5718 bytes [21:11 05/02/2011] [13:17 05/02/2011]
diagwrn.xml --a---- 16762 bytes [21:11 05/02/2011] [13:17 05/02/2011]
MainQueueOnline0.que --a---- 28770 bytes [21:11 05/02/2011] [21:11 05/02/2011]
MainQueueOnline1.que --a---- 27468 bytes [13:17 05/02/2011] [13:17 05/02/2011]
setup.etl --a---- 335872 bytes [13:12 05/02/2011] [00:24 05/02/2011]
setupact.log --a---- 801298 bytes [21:11 05/02/2011] [13:17 05/02/2011]
setuperr.log --a---- 0 bytes [21:11 05/02/2011] [20:57 05/02/2011]
setupinfo --a---- 188672 bytes [21:11 05/02/2011] [13:14 05/02/2011]

---Folders---
setup.exe d------ [21:11 05/02/2011]
UnattendGC d------ [13:13 05/02/2011]

-= EOF =-


================================================================
As for the directory c:\users\Antonio, I didn't put anything in it; there is nothing on the computer apart from the stuff you told me to download.
So I ran SystemLook for:
:dir
c:\users\Antonio

here is the log:

SystemLook 04.09.10 by jpshortstuff
Log created at 04:31 on 13/02/2011 by Antonio
Administrator - Elevation successful

========== dir ==========

c:\users\Antonio - Parameters: "(none)"

---Files---
NTUSER.DAT --ahs-- 786432 bytes [00:24 05/02/2011] [15:30 12/02/2011]
ntuser.dat.LOG1 --ahs-- 262144 bytes [00:24 05/02/2011] [15:30 12/02/2011]
ntuser.dat.LOG2 --ahs-- 0 bytes [00:24 05/02/2011] [00:24 05/02/2011]
NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf --ahs-- 65536 bytes [00:24 05/02/2011] [00:27 05/02/2011]
NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms --ahs-- 524288 bytes [00:24 05/02/2011] [00:27 05/02/2011]
NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms --ahs-- 524288 bytes [00:24 05/02/2011] [00:27 05/02/2011]
ntuser.ini ---hs-- 20 bytes [00:24 05/02/2011] [00:24 05/02/2011]

---Folders---
AppData d--h--- [00:24 05/02/2011]
Application Data d--hs-- [00:24 05/02/2011]
Contacts dr----- [00:24 05/02/2011]
Cookies d--hs-- [00:24 05/02/2011]
Desktop dr----- [00:24 05/02/2011]
Documents dr----- [00:24 05/02/2011]
Downloads dr----- [00:24 05/02/2011]
Favorites dr----- [00:24 05/02/2011]
Links dr----- [00:24 05/02/2011]
Local Settings d--hs-- [00:24 05/02/2011]
Music dr----- [00:24 05/02/2011]
My Documents d--hs-- [00:24 05/02/2011]
NetHood d--hs-- [00:24 05/02/2011]
Pictures dr----- [00:24 05/02/2011]
PrintHood d--hs-- [00:24 05/02/2011]
Recent d--hs-- [00:24 05/02/2011]
Saved Games dr----- [00:24 05/02/2011]
Searches dr----- [00:24 05/02/2011]
SendTo d--hs-- [00:24 05/02/2011]
Start Menu d--hs-- [00:24 05/02/2011]
Templates d--hs-- [00:24 05/02/2011]
Videos dr----- [00:24 05/02/2011]

-= EOF =-


===============================================================

What should I do now? The computer still acts on its own and opens up folders, their properties and flicks through the start menu and eventually shuts itself down.
 
Please don't run scans that I don't direct you to do.
What did you put in this directory?> 2011-02-05 00:24 -------- d-----w- c:\users\Antonio
I don't want to open it like the 2 above and have hundreds of files and folders listed!

I did get notice of reply and the PM. I will be back later this afternoon to finish up.
 
The computer still acts on its own and opens up folders, their properties and flicks through the start menu and eventually shuts itself down.

Can you please tell me why you think there is a virus infection? Was there one before you reformatted? What was it?
 
This was happening before I reformatted, and I don't know what virus it was because whenever I tried to do a scan, the computer would go haywire and close the antivirus program, flicker through everything and then eventually shut itself down. That's why I reformatted; I thought it would disappear after that, but it's still there.
The laptop has never acted like this before and then out of the blue it goes mental, so if it isn't a virus, what is it? :S

Also, sorry about running that scan, I just thought it might help somehow. Sorry, and thanks again for helping me.
 
Please understand that you're there and I'm here> all I have to go on is what you tell me. The following 'descriptions' really don't tell me much:
  • the computer would go haywire > Please explain 'haywire.'
  • close the antivirus program > What happens when the AV program 'closes'. Do you get a message that it's not running? What is the message?
  • flicker through everything > What does it 'flicker' through?
  • out of the blue it goes mental ??????

so if it isn't a virus, what is it? :S
Most users don't know how to troubleshoot, so when something goes wrong or doesn't work right on their computer, they figure it has to be a 'virus.' With your descriptions (what I think they mean), it's entirely possible that the hard drive is failing. The following should have been your first clues that the problems could be hardware, not software.
I formated both and deleted both so he now has one partition and the installed windows.. I took a long time and afterwards the same things start to happen.. so I did it again and there were two partitions again, so i reformatted and deleted both and reinstalled windows but the same thing.(I've done this about 4 times now)
really high pitch sounds and freezes for a bit and then I have to restart it but then sometimes it only does it for a second and then continues normally.
==============================================
I also noticed 2 of these entries:
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe


conhost.exe> Console Windows Host: conhost.exe may appear as a process when a video in SMPlayer is played. The process is killed immediately if the video player window is closed.

Conhost.exe will also appear as a process in the task manager if a command line prompt is opened in Windows 7. The process is always started if a command line window (hidden or visible) is launched in Windows 7. So this would point to the fact that there are 2 command lines running.
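The point above, that each conhost.exe belongs to one console window (hidden or visible), can be checked directly instead of guessed at from a process list. The PowerShell below is an added example, not something posted in this thread; it assumes PowerShell 3.0 or later (on Windows 7 that means WMF 3.0 installed), an elevated prompt so other users' command lines are readable, a hypothetical function name Get-ConhostOwners, and a 2-second pairing window chosen here as a heuristic.

```powershell
# Added triage example (not from the thread): for every conhost.exe, find the console
# program it is hosting, so that "two conhost.exe entries" can be explained.
# Assumes PowerShell 3.0+ and an elevated prompt. Get-ConhostOwners is a name chosen
# for this example.
function Get-ConhostOwners {
    param(
        # Windows 7 fallback: how close in start time a candidate owner must be.
        [double] $MaxSecondsApart = 2.0   # heuristic value chosen for this example
    )
    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($ch in ($all | Where-Object { $_.Name -ieq 'conhost.exe' })) {
        $parent = $byPid[[int]$ch.ParentProcessId]
        $owner  = $null
        $how    = 'unresolved'

        if ($parent -and $parent.Name -ine 'csrss.exe') {
            # Windows 8 and later: the console application launches conhost.exe itself,
            # so the parent is the program whose window this console host draws.
            $owner = $parent
            $how   = 'parent process'
        }
        else {
            # Windows 7: csrss.exe launches conhost.exe on behalf of the console
            # application, so the parent says nothing about the owner. Fall back to the
            # process in the same logon session that started closest in time to this
            # conhost.exe. A match is a lead to follow up, not proof.
            $owner = $all | Where-Object {
                $_.ProcessId -ne $ch.ProcessId -and
                $_.SessionId -eq $ch.SessionId -and
                $_.Name -notin @('conhost.exe', 'csrss.exe') -and
                $_.CreationDate -and $ch.CreationDate -and
                [math]::Abs(($_.CreationDate - $ch.CreationDate).TotalSeconds) -le $MaxSecondsApart
            } | Sort-Object { [math]::Abs(($_.CreationDate - $ch.CreationDate).TotalSeconds) } |
                Select-Object -First 1
            if ($owner) { $how = 'start-time match' }
        }

        # Flatten the optional owner fields before building the report row.
        $ownerPid  = $null; $ownerName = '<unknown>'; $ownerPath = $null; $ownerCmd = $null
        if ($owner) {
            $ownerPid  = $owner.ProcessId
            $ownerName = $owner.Name
            $ownerPath = $owner.ExecutablePath
            $ownerCmd  = $owner.CommandLine
        }

        [pscustomobject]@{
            ConhostPid   = $ch.ProcessId
            ConhostStart = $ch.CreationDate
            Session      = $ch.SessionId
            ResolvedBy   = $how
            OwnerPid     = $ownerPid
            OwnerName    = $ownerName
            OwnerPath    = $ownerPath
            OwnerCmdLine = $ownerCmd
        }
    }
}

# Any owner that is not a console you opened yourself (cmd.exe, powershell.exe, or a
# scanner's command-line component) should be explained before it is dismissed.
Get-ConhostOwners | Format-List
```

Run it while the two conhost.exe entries are present; an owner with no visible window, or one whose path is outside the usual program locations, is the process to ask about next.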
 
sorry for such a late reply..
I'll try and explain what the laptop did before I reformatted and how it's currently acting.
Before the reformat, my boyfriend told me that he was getting some weird pop-up websites, but I can't remember what they were of. I also remember that there were a couple of pornographic video clips scattered in the 'my documents' area, which I deleted but they returned. When I tried to do a normal scan, first using Microsoft Security Essentials, the laptop started to act on its own and would literally flick through all the menus/tabs, and after about 30 seconds into the scan it would close the program/scan. After that it would open the start menu and flicker through all the programs and then it would eventually shut itself down. The same would happen when I used Malwarebytes' Anti-Malware and AVG; however, I do remember AVG finding some sort of Trojan/worm and removing it, but I don't remember what it was called nor whether it made any difference, because the laptop was still acting on its own account.
It would open Windows Media Center quite a lot of the time, and when I would go online it would also flicker through all the tabs and make new bookmarks and duplicate the website already opened (in this case 'google'). On the desktop it would make New Folders by itself, but they never contained anything. Overall, before reformatting it was quite a stubborn 'virus' and it was really hard to keep a scan running and prevent it closing prematurely, as well as stopping it from shutting down.

After I reformatted the first couple of times it was acting the same, but other times it was normal, like nothing ever happened, but that would last for maybe half an hour and then it would start acting on its own again. However, compared to before, it's now a little easier to battle it and prevent it from shutting down; that's how I was able to do a scan. The laptop still acts by itself but it's not as 'violent' as before. So what it usually does now (when I don't try and prevent it) is open the start menu and flick/highlight programs (basically it looks like someone opens the start menu, holds the up/down arrow and just flicks through everything), but it doesn't open anything, it just clicks on shut down and shuts down by itself. Also it would click on those quick buttons/'pinned' programs on the taskbar, in this case Windows Media Center, and it would just open it and that's about it. On the desktop it still makes new folders containing nothing; when on the internet it still makes new bookmarks and duplicates websites already opened. It also somehow 'blocks' the keyboard, but that doesn't happen so often anymore; when it does, it inverts functions and whatever letter you press, the only letters that come out are "Á, É, Í, and Ó".

As for the partitions, he always had two; the second one had a small amount of memory. The reason I 'deleted' it and reformatted it was because he wanted me to.

I don't really know what else to tell you.. I hope that my description will be of some help.

And thank you again for re-activating this thread. :)
 
Everything is way out of date now. And I am still having a problem understanding the descriptions of the problems. I'm getting this:
1. it will open the start menu and flick/highlight programs
2. it just clicks on shut down and shuts down by itself.
I don't know that this is malware related, but we'll see if the scans turn up anything:
========================================
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
  10. Click anywhere in the post where you want the logs to go, then press Ctrl+V. The log will be pasted from the clipboard into the post.
  11. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the clipboard, you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
===================================
Download Combofix to your desktop from one of these locations:
Link 1
Link 2
http://www.forospyware.com/sUBs/ComboFix.exe
  • Double click combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Query- Recovery Console image
    [Image: ComboFix Recovery Console prompt, reading "WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!"]
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    [Image: ComboFix "what next" prompt]
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes it will open a text window. Please paste that log in your next reply.
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
I've tried to run the scans but it's no use.. every time I try to do either of the scans the laptop decides to act by itself, e.g. when I left click on something it opens up properties, new folders and their properties.. highlights half the desktop or opens the website 10 times etc.

To be quite honest with you, I'm getting really fed up trying to fix this laptop. I mean, I dunno.. as for the scans being out of date, well they are, but the last time the laptop was running was when you told me to run TDSSKiller; it has not been in use since then.. well, it has now, because I tried to run those two scans again all day yesterday..

I don't know what to do; I've tried over 20 times now to run either of the scans and it's just not happening. If you have another suggestion, great; if not, I think I'll just leave it be until I actually get some money and then I'll try and give it to someone who might know how to fix it.

Either way thanks a lot for trying to help me out, I really appreciate it :)
 
The laptop has never acted like this before and then out of the blue it goes mental, so if it isn't a virus, what is it? :S

I think you need to consider a hard drive failure. I don't know why the system seems to be acting on its own. You can try another reformat/reinstall, but if it's the hard drive, you are going to end up right back where you are now.

I'm sorry I can't be of more help, but here I can only go by what I see and your description. If you have some pennies saved up, you might reconsider taking it to the shop for hands-on help. I don't think the problems are coming from any software, especially since you didn't see improvement after a reformat; that points to a hardware problem.

I'm not sure what you actually managed to download, but do the following to clean up the tools we used:

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.

    Creating a Restore Point in Windows 7:
    • Click on Start> right click on Computer> Properties
    • Select System Protection
    • Click on the Create button (near bottom)
    • Type a name for the Restore Point
    • Click on Create again to save the restore point.

    Deleting all but the most recent System Protection point in Windows 7
    1. Click Start> Computer> right click the C Drive and choose Properties> enter.
    2. Click Disk Cleanup from there.
      [Image: Disk Cleanup]
    3. Click Clean up system files
      This restarts Disk Cleanup to run in elevated mode.
    4. Click the More Options tab
      [Image: Disk Cleanup, More Options tab]
    5. Click the Clean up under System Restore and Shadow Copies.
    6. Click OK.
    7. You will get a confirmation screen> Just click Delete.
    8. Click OK on the Disk Cleanup Screen.
    9. Click Delete Files on the Confirmation screen.
    [Image: Disk Cleanup confirmation]

    It will run the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
    Images courtesy lytebyte.

    Empty the Recycle Bin
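Added example, not from the thread or any tool it names, for the hard-drive-failure hypothesis raised above: before paying for a shop visit, the drive's own SMART failure flag and the storage errors Windows has already logged can be read from an elevated PowerShell prompt. It assumes Windows 7 with PowerShell 2.0 or later; SMART data is only visible through WMI when the disk driver and firmware pass it through, which most laptops but not all do, and the script says so when it is absent.

```powershell
# Added example (not from the thread): software-only checks for a failing
# drive. Assumes Windows 7, PowerShell 2.0+, elevated prompt.
function Get-DriveHealthReport {
    $report = @()

    # 1. What the drive reports about itself through the disk driver.
    foreach ($d in Get-WmiObject Win32_DiskDrive) {
        $serial = ("$($d.SerialNumber)").Trim()
        $report += "Disk {0}: {1} (SN {2}) status={3} size={4:N0} GB" -f `
            $d.Index, $d.Model, $serial, $d.Status, ($d.Size / 1GB)
    }

    # 2. SMART failure prediction: the vendor sets PredictFailure once
    #    reallocated sectors, spin-up retries etc. pass their thresholds.
    $smart = Get-WmiObject -Namespace root\wmi -Class MSStorageDriver_FailurePredictStatus -ErrorAction SilentlyContinue
    if ($smart) {
        foreach ($s in $smart) {
            $report += "SMART {0}: PredictFailure={1} Reason={2}" -f $s.InstanceName, $s.PredictFailure, $s.Reason
        }
    } else {
        $report += "SMART: not exposed through WMI on this machine (use the BIOS or the vendor's disk tool instead)"
    }

    # 3. Storage-stack errors already in the System log. Bad blocks appear as
    #    source 'disk' event 7 or 51, controller timeouts as 'atapi' event 11,
    #    and file system corruption as 'Ntfs' event 55.
    $errors = Get-EventLog -LogName System -EntryType Error,Warning -Source disk,atapi,Ntfs -Newest 50 -ErrorAction SilentlyContinue
    if ($errors) {
        foreach ($g in ($errors | Group-Object Source,EventID)) {
            $latest = ($g.Group | Select-Object -First 1).TimeGenerated
            $report += "EventLog {0}: {1} entries (latest {2})" -f $g.Name, $g.Count, $latest
        }
    } else {
        $report += "EventLog: no disk/atapi/Ntfs errors or warnings found"
    }
    return $report
}

Get-DriveHealthReport
```

A PredictFailure of True, a Win32_DiskDrive Status other than "OK", or a run of 'disk' event 7/51 entries is enough to stop reinstalling and replace the drive; a clean report does not rule the drive out, since the keyboard and pointer symptoms described above could also come from the input hardware rather than the disk.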
 