Inactive Three Trojans stuck in System Registry

waveofbabies

I have a combination of viruses that redirects my web browser to some nonsense news site along with causing general annoyances with anything internet related, including crashing programs and lagging them up. AVG is the only program I have installed that detects them. Malwarebytes does not, so the log makes it seem as though there are no more infections. According to AVG, the infections are Trojan Horse Crypt.ANVH (this also seemed to mess with GMER and DDS, which is why I did not post a log from these programs), Trojan BackDoor.Generic14.BQGX, and finally Trojan Agent 3.WJV. Can you guys help me out and save me a format? Thanks.
 
Welcome aboard


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

===========================================================

this also seemed to mess with GMER and DDS
Explain please.
 
Hey Broni. Thanks for the welcome. Come to think of it, I think AVG might be causing the problem here. What I mean is, when I try to run either GMER or DDS, a warning pops up indicating that AVG has detected Trojan Horse Crypt, and following that the program stops working.
 
GMER and DDS both crash midway through a scan. GMER actually gave me a blue screen on one attempt. I tried them both in safe mode with the same result. Also, when I go to the control panel while in safe mode, I cannot access Windows Firewall. It says that an unexpected problem is preventing display of Windows Firewall settings. Firefox continues to be redirected while browsing.
 
Did you uninstall AVG?

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

===========================================================

Download Bootkit Remover to your Desktop.

  • Unzip downloaded file to your Desktop.
  • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.

============================================================

Please download and run ListParts by Farbar (for 32-bit system)

Please download and run ListParts64 by Farbar (for 64-bit system)

Click on Scan button.

Scan result will open in Notepad.
Post it in your next reply.
 
Here is the log from aswMBR ... looks disconcerting (there was a lot of red)

aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-12 15:21:24
-----------------------------
15:21:24.343 OS Version: Windows 6.0.6002 Service Pack 2
15:21:24.343 Number of processors: 2 586 0xF0B
15:21:24.345 ComputerName: STEPHEN-PC UserName:
15:21:33.567 Initialize success
15:23:25.501 AVAST engine defs: 12011200
15:23:41.477 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000032
15:23:41.480 Disk 0 Vendor: WDC_WD32 12.0 Size: 305245MB BusType: 6
15:23:41.482 Device \Device\00000041 -> \??\SCSI#Disk&Ven_WDC_WD32&Prod_00AAJS-00VWA#4&12a0b57c&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
15:23:41.486 Disk 0 MBR read error 0
15:23:41.489 Disk 0 MBR scan
15:23:41.493 Disk 0 unknown MBR code
15:23:41.497 MBR BIOS signature not found 0
15:23:41.500 Disk 0 scanning sectors +625139712
15:23:41.535 Disk 0 scanning C:\Windows\system32\drivers
15:23:41.970 File: C:\Windows\system32\drivers\afd.sys **INFECTED** Win32:Aluroot-B [Rtk]
15:23:47.117 File: C:\Windows\system32\drivers\netbt.sys **INFECTED** Win32:Zeroot [Rtk]
15:23:53.279 File: C:\Windows\system32\drivers\Wdf01000.sys **INFECTED** Win32:RLoader-B
15:23:53.557 Disk 0 trace - called modules:
15:23:53.574 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x87f39ff0]<<
15:23:53.582 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8634c8e0]
15:23:53.591 3 CLASSPNP.SYS[8279f8b3] -> nt!IofCallDriver -> [0x87da32e8]
15:23:53.599 \Driver\00001060[0x87da9478] -> IRP_MJ_CREATE -> 0x87f39ff0
15:23:58.627 AVAST engine scan C:\Windows
15:24:01.441 AVAST engine scan C:\Windows\system32
15:35:01.341 AVAST engine scan C:\Windows\system32\drivers
15:35:02.345 File: C:\Windows\system32\drivers\afd.sys **INFECTED** Win32:Aluroot-B [Rtk]
15:35:12.982 File: C:\Windows\system32\drivers\netbt.sys **INFECTED** Win32:Zeroot [Rtk]
15:35:20.792 File: C:\Windows\system32\drivers\Wdf01000.sys **INFECTED** Win32:RLoader-B
15:35:24.407 AVAST engine scan C:\Users\Administrator
15:37:38.530 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache2441297853792215642.tmp **INFECTED** Win32:Kryptik-DJD [Trj]
15:37:38.685 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache2546951413663940763.tmp **INFECTED** Win32:MalOb-GF [Cryp]
15:37:38.736 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache2740558627932482271.tmp **INFECTED** Win32:Kryptik-DJD [Trj]
15:37:38.935 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache4416902755111729394.tmp **INFECTED** Win32:Kryptik-DKN [Trj]
15:37:39.177 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache5554113741605944304.tmp **INFECTED** Win32:MalOb-GS [Cryp]
15:37:39.449 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache6855520816091083099.tmp **INFECTED** Win32:MalOb-GS [Cryp]
15:37:39.552 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache7262576682993569311.tmp **INFECTED** Win32:Kryptik-DJD [Trj]
15:37:39.661 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache7309834498984758723.tmp **INFECTED** Win32:MalOb-GF [Cryp]
15:37:39.753 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache7645806635774182343.tmp **INFECTED** Win32:Renosa-J [Wrm]
15:37:39.849 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache8500703002762741723.tmp **INFECTED** Win32:Kryptik-DJD [Trj]
15:43:42.294 Disk 0 MBR has been saved successfully to "C:\Users\Administrator\Documents\MBR.dat"
15:43:42.376 The log file has been saved successfully to "C:\Users\Administrator\Documents\aswMBR.txt"

For Bootkit Remover, I received the following error:

ATA_PASS_THROUGH_DIRECT is not supported by your disc controller
SCSI_PASS_THROUGH_DIRECT will be use for disc I/O

This is the log that appeared.

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6002), 32-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00100000
ATA_Read(): DeviceIoControl() ERROR 1
Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...

and FixedParts displayed this

ListParts by Farbar
Ran by Administrator on 12-01-2012 at 15:56:18
Windows Vista (X86)
Running From: C:\Users\Administrator\Downloads
************************************************************

========================= Memory info ======================

Percentage of memory in use: 73%
Total physical RAM: 3070.45 MB
Available physical RAM: 822.81 MB
Total Pagefile: 6365.94 MB
Available Pagefile: 3737.42 MB
Total Virtual: 2047.88 MB
Available Virtual: 1965.83 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:298.09 GB) (Free:38.58 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]

There are no fixed disks to show.



****** End Of Log ******

And yes, AVG was uninstalled last night before using GMER and DDS.
 
Please download Farbar Service Scanner and run it on the computer with the issue.


  • Please run Farbar Service Scanner.
    Type the following in the edit box after "Search:".

    Wdf01000.sys;netbt.sys;afd.sys

    Click Search Files button and post the log (FSS.txt) it makes to your reply.
 
During the scan I received a message saying "Host Process for Windows Service has stopped working".

The log is as follows

Farbar Service Scanner
Ran by Administrator (administrator) on 12-01-2012 at 16:20:04
Windows Vista (TM) Home Premium Service Pack 2 (X86)

************************************************
================== Search: "Wdf01000.sys;netbt.sys;afd.sys
" ===================

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys
[2011-06-27 19:56] - [2011-04-21 08:28] - 0273920 ____A (Microsoft Corporation) 70EE0FC7A0F384DBD929A01384AEEB4B

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_d9d3bb9e5b8eea9c\afd.sys
[2011-01-02 23:10] - [2009-04-10 23:47] - 0273920 ____A (Microsoft Corporation) A201207363AA900ABF1A388468688570

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.22905_none_d876efff77862705\afd.sys
[2011-06-27 19:56] - [2011-04-21 08:12] - 0273920 ____A (Microsoft Corporation) C8AF25017CECB75906A571AC70D2D306

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_d7d0e0cc5e7d461c\afd.sys
[2011-06-27 19:56] - [2011-04-21 08:16] - 0273408 ____A (Microsoft Corporation) 48EB99503533C27AC6135648E5474457

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_d7e842925e6d1f50\afd.sys
[2011-01-01 07:31] - [2008-01-19 00:57] - 0273920 ____A (Microsoft Corporation) 763E172A55177E478CB419F88FD0BA03

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6000.16386_none_d5b1809661820e7c\afd.sys
[2006-11-02 03:58] - [2006-11-02 03:58] - 0270336 ____A (Microsoft Corporation) 5D24CAF8EFD924A875698FF28384DB8B

C:\Windows\winsxs\x86_microsoft-windows-wdf-kernellibrary_31bf3856ad364e35_6.0.6000.20734_none_74da07c339f7e0f2\Wdf01000.sys
[2010-12-31 09:59] - [2010-12-31 09:59] - 0495160 ____A (Microsoft Corporation) 42709BDB3FEB92FD7254A4005E1FFCAE

C:\Windows\winsxs\x86_microsoft-windows-wdf-kernellibrary_31bf3856ad364e35_6.0.6000.16609_none_7475dc2e20bd6c08\Wdf01000.sys
[2010-12-31 09:59] - [2010-12-31 09:59] - 0495160 ____A (Microsoft Corporation) 7B5F66E4A2219C7D9DAF9E738480E534

C:\Windows\winsxs\x86_microsoft-windows-wdf-kernellibrary_31bf3856ad364e35_6.0.6000.16386_none_741c563e21010816\Wdf01000.sys
[2006-11-02 03:54] - [2006-11-02 04:51] - 0492648 ____A (Microsoft Corporation) 5DFDBD5EF13E4D95BE6FC108E2ED4A67

C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys
[2011-01-01 07:30] - [2008-01-19 00:55] - 0184320 ____A (Microsoft Corporation) 7C5FEE5B1C5728507CD96FB4A13E7A02

C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6000.16386_none_5e2e0665fa591691\netbt.sys
[2006-11-02 03:57] - [2006-11-02 03:57] - 0184320 ____A (Microsoft Corporation) E3A168912E7EEFC3BD3B814720D68B41

C:\Windows\System32\drivers\afd.sys
[2011-06-27 19:56] - [2011-04-21 08:58] - 0273408 ____A () 5385F6AD16BA53D984CF89AA0D796D97

C:\Windows\System32\drivers\netbt.sys
[2011-01-02 23:10] - [2009-04-10 23:45] - 0185856 ____A () 2EAEF370056496A971C1B043D37C970C

C:\Windows\System32\drivers\Wdf01000.sys
[2011-01-01 07:31] - [2008-01-19 02:43] - 0503864 ____A (Microsoft Corporation) A1BD4AD37B361199DC326CCCC9C179DE

====== End Of Search ======
 
Very well.

Download BlitzBlank and save it to your desktop.
Double click on Blitzblank.exe

  • Click OK at the warning.
  • Click the Script tab and copy/paste the following text there:
Code:
CopyFile:
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6000.16386_none_5e2e0665fa591691\netbt.sys C:\Windows\System32\drivers\netbt.sys
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6000.16386_none_d5b1809661820e7c\afd.sys C:\Windows\System32\drivers\afd.sys
  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post the report created by Blitzblank.
    You can find it in the root of the drive, normally C:\

Post new FSS log (same code).
 
BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
CopyFileOnReboot: sourceFile = "\??\c:\windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6000.16386_none_5e2e0665fa591691\netbt.sys", destinationFile = "\??\c:\windows\system32\drivers\netbt.sys"GetDataFromFile: ZwOpenFile failed: status = c0000022
CopyFileOnReboot: sourceFile = "\??\c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6000.16386_none_d5b1809661820e7c\afd.sys", destinationFile = "\??\c:\windows\system32\drivers\afd.sys"GetDataFromFile: ZwOpenFile failed: status = c0000022

Farbar Service Scanner
Ran by Administrator (administrator) on 12-01-2012 at 17:23:16
Windows Vista (TM) Home Premium Service Pack 2 (X86)

************************************************
================== Search: "Wdf01000.sys;netbt.sys;afd.sys" ===================

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_da4bc33774b91967\afd.sys
[2011-06-27 19:56] - [2011-04-21 08:28] - 0273920 ____A (Microsoft Corporation) 70EE0FC7A0F384DBD929A01384AEEB4B

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_d9d3bb9e5b8eea9c\afd.sys
[2011-01-02 23:10] - [2009-04-10 23:47] - 0273920 ____A (Microsoft Corporation) A201207363AA900ABF1A388468688570

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.22905_none_d876efff77862705\afd.sys
[2011-06-27 19:56] - [2011-04-21 08:12] - 0273920 ____A (Microsoft Corporation) C8AF25017CECB75906A571AC70D2D306

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_d7d0e0cc5e7d461c\afd.sys
[2011-06-27 19:56] - [2011-04-21 08:16] - 0273408 ____A (Microsoft Corporation) 48EB99503533C27AC6135648E5474457

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_d7e842925e6d1f50\afd.sys
[2011-01-01 07:31] - [2008-01-19 00:57] - 0273920 ____A (Microsoft Corporation) 763E172A55177E478CB419F88FD0BA03

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6000.16386_none_d5b1809661820e7c\afd.sys
[2006-11-02 03:58] - [2006-11-02 03:58] - 0270336 ____A (Microsoft Corporation) 5D24CAF8EFD924A875698FF28384DB8B

C:\Windows\winsxs\x86_microsoft-windows-wdf-kernellibrary_31bf3856ad364e35_6.0.6000.20734_none_74da07c339f7e0f2\Wdf01000.sys
[2010-12-31 09:59] - [2010-12-31 09:59] - 0495160 ____A (Microsoft Corporation) 42709BDB3FEB92FD7254A4005E1FFCAE

C:\Windows\winsxs\x86_microsoft-windows-wdf-kernellibrary_31bf3856ad364e35_6.0.6000.16609_none_7475dc2e20bd6c08\Wdf01000.sys
[2010-12-31 09:59] - [2010-12-31 09:59] - 0495160 ____A (Microsoft Corporation) 7B5F66E4A2219C7D9DAF9E738480E534

C:\Windows\winsxs\x86_microsoft-windows-wdf-kernellibrary_31bf3856ad364e35_6.0.6000.16386_none_741c563e21010816\Wdf01000.sys
[2006-11-02 03:54] - [2006-11-02 04:51] - 0492648 ____A (Microsoft Corporation) 5DFDBD5EF13E4D95BE6FC108E2ED4A67

C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6001.18000_none_6064c861f7442765\netbt.sys
[2011-01-01 07:30] - [2008-01-19 00:55] - 0184320 ____A (Microsoft Corporation) 7C5FEE5B1C5728507CD96FB4A13E7A02

C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6000.16386_none_5e2e0665fa591691\netbt.sys
[2006-11-02 03:57] - [2006-11-02 03:57] - 0184320 ____A (Microsoft Corporation) E3A168912E7EEFC3BD3B814720D68B41

C:\Windows\System32\drivers\afd.sys
[2011-06-27 19:56] - [2012-01-12 17:18] - 0000000 ____A ()

C:\Windows\System32\drivers\netbt.sys
[2011-01-02 23:10] - [2012-01-12 17:18] - 0000000 ____A ()

C:\Windows\System32\drivers\Wdf01000.sys
[2011-01-01 07:31] - [2008-01-19 02:43] - 0503864 ____A (Microsoft Corporation) A1BD4AD37B361199DC326CCCC9C179DE

====== End Of Search ======
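An added example, not code from the thread or from Farbar's tool, that parses the two FSS search logs above and applies the comparison the helper made by eye: each live driver in System32\drivers is checked against its winsxs copies for a blank company field, a zero size (as left behind by the failed BlitzBlank copy) and an MD5 that matches no component-store copy. The winsxs folder names and MD5 values in the embedded sample are constructed placeholders, not values from this thread.

```python
"""Triage a Farbar Service Scanner (FSS) "Search Files" log.

FSS prints each copy of a searched file as a path line followed by
"[created] - [modified] - size attrs (company) MD5". Windows keeps pristine
driver copies under C:\\Windows\\winsxs, so a live System32\\drivers file with
a blank company field, a zero size, or an MD5 matching no winsxs copy is the
kind of entry the helper in this thread picked out for replacement.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\)"
    r"(?: (?P<md5>[0-9A-Fa-f]{32}))?\s*$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.(sys|dll|exe)$", re.IGNORECASE)


@dataclass
class FileEntry:
    path: str
    size: int
    company: str
    md5: str | None  # FSS prints no hash for an empty or unreadable file

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_fss_search(text: str) -> list[FileEntry]:
    """Pair every path line with the detail line directly below it."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    entries = []
    for path, detail in zip(lines, lines[1:]):
        m = DETAIL_RE.match(detail) if PATH_RE.match(path) else None
        if m:
            md5 = m["md5"].upper() if m["md5"] else None
            entries.append(FileEntry(path, int(m["size"]), m["company"], md5))
    return entries


@dataclass
class Finding:
    active: FileEntry
    issues: list[str] = field(default_factory=list)
    restore_candidates: list[FileEntry] = field(default_factory=list)


def triage(entries: list[FileEntry]) -> dict[str, Finding]:
    """Compare each live System32\\drivers file against its winsxs copies."""
    findings: dict[str, Finding] = {}
    for active in entries:
        if "\\system32\\drivers\\" not in active.path.lower():
            continue
        refs = [e for e in entries
                if "\\winsxs\\" in e.path.lower() and e.name == active.name]
        issues = []
        if active.size == 0:
            issues.append("zero-byte file: a pending replacement did not complete")
        if not active.company:
            issues.append("no embedded company info (expected 'Microsoft Corporation')")
        # A mismatch alone is weak evidence: a serviced driver can be newer than
        # every copy FSS listed, so weigh it together with the company field.
        if refs and active.md5 not in {r.md5 for r in refs}:
            issues.append("MD5 matches none of the component-store copies")
        findings[active.name] = Finding(active, issues, refs)
    return findings


# Constructed sample in the FSS layout; winsxs folder names and hashes are placeholders.
SAMPLE_FSS = r"""
C:\Windows\winsxs\x86_winsock-core_EXAMPLE_6.0.6000.16386\afd.sys
[2006-11-02 03:58] - [2006-11-02 03:58] - 0270336 ____A (Microsoft Corporation) 11111111111111111111111111111111

C:\Windows\winsxs\x86_netbt_EXAMPLE_6.0.6000.16386\netbt.sys
[2006-11-02 03:57] - [2006-11-02 03:57] - 0184320 ____A (Microsoft Corporation) 22222222222222222222222222222222

C:\Windows\winsxs\x86_wdf-kernellibrary_EXAMPLE_6.0.6000.16386\Wdf01000.sys
[2006-11-02 03:54] - [2006-11-02 04:51] - 0492648 ____A (Microsoft Corporation) 33333333333333333333333333333333

C:\Windows\System32\drivers\afd.sys
[2011-06-27 19:56] - [2011-04-21 08:58] - 0273408 ____A () 99999999999999999999999999999999

C:\Windows\System32\drivers\netbt.sys
[2011-01-02 23:10] - [2012-01-12 17:18] - 0000000 ____A ()

C:\Windows\System32\drivers\Wdf01000.sys
[2011-01-01 07:31] - [2008-01-19 02:43] - 0492648 ____A (Microsoft Corporation) 33333333333333333333333333333333
"""

if __name__ == "__main__":
    for name, f in triage(parse_fss_search(SAMPLE_FSS)).items():
        print(f"{name}: {'; '.join(f.issues) or 'consistent with component store'}")
        for ref in f.restore_candidates:
            print(f"    restore candidate: {ref.path}")
```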
 
Download TDSSKiller and save it to your desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
 
I ran TDSSKiller and rebooted. Upon reboot, I did not have internet access and after maybe two minutes, I received a blue screen. The computer rebooted on its own and the same thing occurred, ending with a blue screen and a restart. This occurred a third time before I rebooted in safe mode w/ networking, but I still do not have internet access. I am now on a laptop posting this. I had to use a flash drive to get the log.

17:55:49.0228 6784 TDSS rootkit removing tool 2.7.0.0 Jan 10 2012 09:14:26
17:55:49.0478 6784 ============================================================
17:55:49.0478 6784 Current date / time: 2012/01/12 17:55:49.0478
17:55:49.0478 6784 SystemInfo:
17:55:49.0478 6784
17:55:49.0478 6784 OS Version: 6.0.6002 ServicePack: 2.0
17:55:49.0478 6784 Product type: Workstation
17:55:49.0478 6784 ComputerName: STEPHEN-PC
17:55:49.0478 6784 UserName: Administrator
17:55:49.0478 6784 Windows directory: C:\Windows
17:55:49.0478 6784 System windows directory: C:\Windows
17:55:49.0478 6784 Processor architecture: Intel x86
17:55:49.0478 6784 Number of processors: 2
17:55:49.0478 6784 Page size: 0x1000
17:55:49.0478 6784 Boot type: Normal boot
17:55:49.0478 6784 ============================================================
17:55:49.0790 6784 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000, SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K', Flags 0x00000050
17:55:49.0806 6784 Initialize success
17:55:55.0968 5664 ============================================================
17:55:55.0968 5664 Scan started
17:55:55.0968 5664 Mode: Manual;
17:55:55.0968 5664 ============================================================
17:55:59.0134 5664 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
17:55:59.0134 5664 ACPI - ok
17:55:59.0228 5664 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
17:55:59.0244 5664 adp94xx - ok
17:55:59.0337 5664 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
17:55:59.0337 5664 adpahci - ok
17:55:59.0400 5664 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
17:55:59.0400 5664 adpu160m - ok
17:55:59.0478 5664 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
17:55:59.0478 5664 adpu320 - ok
17:55:59.0556 5664 AFD - ok
17:55:59.0680 5664 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
17:55:59.0680 5664 agp440 - ok
17:55:59.0774 5664 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
17:55:59.0774 5664 aic78xx - ok
17:55:59.0836 5664 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
17:55:59.0836 5664 aliide - ok
17:55:59.0930 5664 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
17:55:59.0930 5664 amdagp - ok
17:56:00.0039 5664 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
17:56:00.0055 5664 amdide - ok
17:56:00.0133 5664 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
17:56:00.0133 5664 AmdK7 - ok
17:56:00.0304 5664 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
17:56:00.0304 5664 AmdK8 - ok
17:56:00.0382 5664 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
17:56:00.0382 5664 arc - ok
17:56:00.0476 5664 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
17:56:00.0476 5664 arcsas - ok
17:56:00.0585 5664 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
17:56:00.0585 5664 AsyncMac - ok
17:56:00.0741 5664 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
17:56:00.0741 5664 atapi - ok
17:56:00.0866 5664 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
17:56:00.0866 5664 Beep - ok
17:56:00.0913 5664 blbdrive - ok
17:56:01.0006 5664 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
17:56:01.0006 5664 bowser - ok
17:56:01.0100 5664 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
17:56:01.0100 5664 BrFiltLo - ok
17:56:01.0178 5664 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
17:56:01.0178 5664 BrFiltUp - ok
17:56:01.0318 5664 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
17:56:01.0318 5664 Brserid - ok
17:56:01.0365 5664 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
17:56:01.0365 5664 BrSerWdm - ok
17:56:01.0428 5664 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
17:56:01.0428 5664 BrUsbMdm - ok
17:56:01.0474 5664 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
17:56:01.0474 5664 BrUsbSer - ok
17:56:01.0568 5664 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
17:56:01.0568 5664 BTHMODEM - ok
17:56:01.0662 5664 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
17:56:01.0662 5664 cdfs - ok
17:56:01.0771 5664 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
17:56:01.0771 5664 cdrom - ok
17:56:01.0818 5664 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
17:56:01.0833 5664 circlass - ok
17:56:01.0896 5664 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
17:56:01.0896 5664 CLFS - ok
17:56:01.0989 5664 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
17:56:01.0989 5664 cmdide - ok
17:56:02.0083 5664 Compbatt (82b8c91d327cfecf76cb58716f7d4997) C:\Windows\system32\drivers\compbatt.sys
17:56:02.0083 5664 Compbatt - ok
17:56:02.0145 5664 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
17:56:02.0145 5664 crcdisk - ok
17:56:02.0223 5664 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
17:56:02.0223 5664 Crusoe - ok
17:56:02.0332 5664 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
17:56:02.0332 5664 DfsC - ok
17:56:02.0426 5664 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
17:56:02.0426 5664 disk - ok
17:56:02.0504 5664 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
17:56:02.0504 5664 drmkaud - ok
17:56:02.0582 5664 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
17:56:02.0598 5664 DXGKrnl - ok
17:56:02.0676 5664 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
17:56:02.0676 5664 E1G60 - ok
17:56:02.0754 5664 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
17:56:02.0754 5664 Ecache - ok
17:56:02.0847 5664 ElbyCDIO (d71233d7ccc2e64f8715a20428d5a33b) C:\Windows\system32\Drivers\ElbyCDIO.sys
17:56:02.0847 5664 ElbyCDIO - ok
17:56:02.0956 5664 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
17:56:02.0956 5664 elxstor - ok
17:56:03.0050 5664 ESEADriver2 (c8cb19c6b4dd77c54ed77e4b2ec03790) C:\Users\ADMINI~1\AppData\Local\Temp\ESEADriver2.sys
17:56:03.0050 5664 ESEADriver2 - ok
17:56:03.0159 5664 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
17:56:03.0159 5664 exfat - ok
17:56:03.0268 5664 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
17:56:03.0268 5664 fastfat - ok
17:56:03.0362 5664 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
17:56:03.0362 5664 fdc - ok
17:56:03.0456 5664 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
17:56:03.0456 5664 FileInfo - ok
17:56:03.0534 5664 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
17:56:03.0534 5664 Filetrace - ok
17:56:03.0736 5664 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
17:56:03.0736 5664 flpydisk - ok
17:56:03.0799 5664 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
17:56:03.0799 5664 FltMgr - ok
17:56:03.0877 5664 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
17:56:03.0892 5664 Fs_Rec - ok
17:56:03.0955 5664 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
17:56:03.0955 5664 gagp30kx - ok
17:56:04.0048 5664 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
17:56:04.0064 5664 GEARAspiWDM - ok
17:56:04.0158 5664 HdAudAddService (3f90e001369a07243763bd5a523d8722) C:\Windows\system32\drivers\HdAudio.sys
17:56:04.0158 5664 HdAudAddService - ok
17:56:04.0251 5664 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
17:56:04.0251 5664 HDAudBus - ok
17:56:04.0329 5664 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
17:56:04.0329 5664 HidBth - ok
17:56:04.0407 5664 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
17:56:04.0407 5664 HidIr - ok
17:56:04.0485 5664 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
17:56:04.0485 5664 HidUsb - ok
17:56:04.0563 5664 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
17:56:04.0563 5664 HpCISSs - ok
17:56:04.0688 5664 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
17:56:04.0688 5664 HTTP - ok
17:56:04.0766 5664 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
17:56:04.0766 5664 i2omp - ok
17:56:04.0875 5664 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
17:56:04.0891 5664 i8042prt - ok
17:56:04.0969 5664 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
17:56:04.0969 5664 iaStorV - ok
17:56:05.0062 5664 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
17:56:05.0062 5664 iirsp - ok
17:56:05.0172 5664 intelide (97469037714070e45194ed318d636401) C:\Windows\system32\drivers\intelide.sys
17:56:05.0187 5664 intelide - ok
17:56:05.0390 5664 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
17:56:05.0390 5664 intelppm - ok
17:56:05.0468 5664 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
17:56:05.0468 5664 IpFilterDriver - ok
17:56:05.0562 5664 IpInIp - ok
17:56:05.0640 5664 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
17:56:05.0640 5664 IPMIDRV - ok
17:56:05.0718 5664 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
17:56:05.0718 5664 IPNAT - ok
17:56:05.0811 5664 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
17:56:05.0811 5664 IRENUM - ok
17:56:05.0874 5664 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
17:56:05.0874 5664 isapnp - ok
17:56:05.0967 5664 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
17:56:05.0967 5664 iScsiPrt - ok
17:56:06.0030 5664 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
17:56:06.0030 5664 iteatapi - ok
17:56:06.0108 5664 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
17:56:06.0108 5664 iteraid - ok
17:56:06.0357 5664 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
17:56:06.0388 5664 kbdclass - ok
17:56:06.0576 5664 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
17:56:06.0576 5664 kbdhid - ok
17:56:06.0716 5664 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
17:56:06.0716 5664 KSecDD - ok
17:56:06.0794 5664 L8042Kbd (0c6e346cde730cf1356dd69ad6e9bc42) C:\Windows\system32\DRIVERS\L8042Kbd.sys
17:56:06.0794 5664 L8042Kbd - ok
17:56:06.0888 5664 L8042mou (8a5993705add14352c9a279fa8338334) C:\Windows\system32\DRIVERS\L8042mou.Sys
17:56:06.0888 5664 L8042mou - ok
17:56:06.0981 5664 LHidFilt (7f9c7b28cf1c859e1c42619eea946dc8) C:\Windows\system32\DRIVERS\LHidFilt.Sys
17:56:06.0981 5664 LHidFilt - ok
17:56:07.0059 5664 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
17:56:07.0059 5664 lltdio - ok
17:56:07.0184 5664 LMouFilt (ab33792a87285344f43b5ce23421bab0) C:\Windows\system32\DRIVERS\LMouFilt.Sys
17:56:07.0184 5664 LMouFilt - ok
17:56:07.0309 5664 LMouKE (9837e55673818ecd8febb47f7f77521a) C:\Windows\system32\DRIVERS\LMouKE.Sys
17:56:07.0324 5664 LMouKE - ok
17:56:07.0543 5664 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
17:56:07.0605 5664 LSI_FC - ok
17:56:07.0699 5664 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
17:56:07.0699 5664 LSI_SAS - ok
17:56:07.0839 5664 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
17:56:07.0839 5664 LSI_SCSI - ok
17:56:07.0933 5664 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
17:56:07.0933 5664 luafv - ok
17:56:08.0011 5664 LUsbFilt (77030525cd86a93f1af34fa9b96d33ce) C:\Windows\system32\Drivers\LUsbFilt.Sys
17:56:08.0011 5664 LUsbFilt - ok
17:56:08.0089 5664 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\Windows\system32\drivers\mbam.sys
17:56:08.0089 5664 MBAMProtector - ok
17:56:08.0229 5664 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
17:56:08.0229 5664 megasas - ok
17:56:08.0510 5664 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
17:56:08.0510 5664 Modem - ok
17:56:08.0604 5664 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
17:56:08.0604 5664 monitor - ok
17:56:08.0697 5664 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
17:56:08.0697 5664 mouclass - ok
17:56:08.0775 5664 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
17:56:08.0775 5664 mouhid - ok
17:56:08.0869 5664 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
17:56:08.0869 5664 MountMgr - ok
17:56:08.0947 5664 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
17:56:08.0962 5664 mpio - ok
17:56:09.0150 5664 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
17:56:09.0150 5664 mpsdrv - ok
17:56:09.0274 5664 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
17:56:09.0274 5664 Mraid35x - ok
17:56:09.0493 5664 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
17:56:09.0524 5664 MRxDAV - ok
17:56:09.0742 5664 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
17:56:09.0742 5664 mrxsmb - ok
17:56:09.0836 5664 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
17:56:09.0836 5664 mrxsmb10 - ok
17:56:10.0023 5664 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
17:56:10.0023 5664 mrxsmb20 - ok
17:56:10.0086 5664 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
17:56:10.0101 5664 msahci - ok
17:56:10.0210 5664 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
17:56:10.0242 5664 msdsm - ok
17:56:10.0507 5664 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
17:56:10.0507 5664 Msfs - ok
17:56:10.0756 5664 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
17:56:10.0756 5664 msisadrv - ok
17:56:10.0959 5664 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
17:56:10.0959 5664 MSKSSRV - ok
17:56:11.0053 5664 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
17:56:11.0053 5664 MSPCLOCK - ok
17:56:11.0271 5664 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
17:56:11.0271 5664 MSPQM - ok
17:56:11.0552 5664 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
17:56:11.0661 5664 MsRPC - ok
17:56:11.0848 5664 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
17:56:11.0848 5664 mssmbios - ok
17:56:12.0067 5664 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
17:56:12.0067 5664 MSTEE - ok
17:56:12.0301 5664 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
17:56:12.0301 5664 Mup - ok
17:56:12.0660 5664 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
17:56:12.0738 5664 NativeWifiP - ok
17:56:13.0206 5664 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
17:56:13.0237 5664 NDIS - ok
17:56:13.0346 5664 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
17:56:13.0346 5664 NdisTapi - ok
17:56:13.0752 5664 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
17:56:13.0783 5664 Ndisuio - ok
17:56:14.0158 5664 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
17:56:14.0205 5664 NdisWan - ok
17:56:14.0611 5664 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
17:56:14.0611 5664 NDProxy - ok
17:56:15.0172 5664 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
17:56:15.0204 5664 NetBIOS - ok
17:56:15.0579 5664 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
17:56:15.0626 5664 nfrd960 - ok
17:56:15.0813 5664 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
17:56:15.0813 5664 Npfs - ok
17:56:15.0938 5664 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
17:56:15.0953 5664 nsiproxy - ok
17:56:16.0062 5664 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
17:56:16.0109 5664 Ntfs - ok
17:56:16.0172 5664 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
17:56:16.0172 5664 ntrigdigi - ok
17:56:16.0250 5664 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
17:56:16.0250 5664 Null - ok
17:56:16.0406 5664 NVENETFD (d958a2b5f6ad5c3b8ccdc4d7da62466c) C:\Windows\system32\DRIVERS\nvmfdx32.sys
17:56:16.0437 5664 NVENETFD - ok
17:56:16.0764 5664 nvlddmkm (66b4bf606fcc7f0622d4a21bb1461089) C:\Windows\system32\DRIVERS\nvlddmkm.sys
17:56:16.0983 5664 nvlddmkm - ok
17:56:17.0076 5664 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
17:56:17.0076 5664 nvraid - ok
17:56:17.0139 5664 nvstor (4a5fcab82d9bf6af8a023a66802fe9e9) C:\Windows\system32\drivers\nvstor.sys
17:56:17.0139 5664 nvstor - ok
17:56:17.0201 5664 nvstor32 (dc5f166422beebf195e3e4bb8ab4ee22) C:\Windows\system32\DRIVERS\nvstor32.sys
17:56:17.0201 5664 nvstor32 - ok
17:56:17.0295 5664 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
17:56:17.0295 5664 nv_agp - ok
17:56:17.0357 5664 NwlnkFlt - ok
17:56:17.0482 5664 NwlnkFwd - ok
17:56:17.0950 5664 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
17:56:17.0950 5664 ohci1394 - ok
17:56:18.0215 5664 Parport (8a79fdf04a73428597e2caf9d0d67850) C:\Windows\system32\DRIVERS\parport.sys
17:56:18.0215 5664 Parport - ok
17:56:18.0309 5664 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
17:56:18.0309 5664 partmgr - ok
17:56:18.0605 5664 Parvdm (6c580025c81caf3ae9e3617c22cad00e) C:\Windows\system32\DRIVERS\parvdm.sys
17:56:18.0636 5664 Parvdm - ok
17:56:19.0073 5664 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
17:56:19.0198 5664 pci - ok
17:56:19.0900 5664 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
17:56:19.0900 5664 pciide - ok
17:56:20.0259 5664 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
17:56:20.0259 5664 pcmcia - ok
17:56:20.0446 5664 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
17:56:20.0945 5664 PEAUTH - ok
17:56:21.0304 5664 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
17:56:21.0304 5664 PptpMiniport - ok
17:56:21.0616 5664 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
17:56:21.0663 5664 Processor - ok
17:56:22.0068 5664 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
17:56:22.0068 5664 PSched - ok
17:56:22.0271 5664 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
17:56:22.0302 5664 ql2300 - ok
17:56:22.0396 5664 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
17:56:22.0396 5664 ql40xx - ok
17:56:22.0490 5664 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
17:56:22.0568 5664 QWAVEdrv - ok
17:56:23.0129 5664 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
17:56:23.0129 5664 RasAcd - ok
17:56:23.0223 5664 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
17:56:23.0223 5664 Rasl2tp - ok
17:56:23.0301 5664 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
17:56:23.0301 5664 RasPppoe - ok
17:56:23.0379 5664 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
17:56:23.0379 5664 RasSstp - ok
17:56:23.0457 5664 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
17:56:23.0472 5664 rdbss - ok
17:56:23.0972 5664 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
17:56:23.0972 5664 RDPCDD - ok
17:56:24.0299 5664 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
17:56:24.0299 5664 rdpdr - ok
17:56:24.0393 5664 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
17:56:24.0393 5664 RDPENCDD - ok
17:56:24.0580 5664 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
17:56:24.0642 5664 RDPWD - ok
17:56:25.0142 5664 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
17:56:25.0173 5664 rspndr - ok
17:56:25.0485 5664 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
17:56:25.0532 5664 sbp2port - ok
17:56:26.0078 5664 SCDEmu (20b2751cd4c8f3fd989739ca661b9f30) C:\Windows\system32\drivers\SCDEmu.sys
17:56:26.0078 5664 SCDEmu - ok
17:56:26.0343 5664 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
17:56:26.0343 5664 secdrv - ok
17:56:26.0670 5664 Serenum (ce9ec966638ef0b10b864ddedf62a099) C:\Windows\system32\DRIVERS\serenum.sys
17:56:26.0717 5664 Serenum - ok
17:56:27.0138 5664 Serial (6d663022db3e7058907784ae14b69898) C:\Windows\system32\DRIVERS\serial.sys
17:56:27.0138 5664 Serial - ok
17:56:27.0279 5664 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
17:56:27.0279 5664 sermouse - ok
17:56:27.0450 5664 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
17:56:27.0450 5664 sffdisk - ok
17:56:27.0700 5664 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
17:56:27.0731 5664 sffp_mmc - ok
17:56:28.0324 5664 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
17:56:28.0371 5664 sffp_sd - ok
17:56:28.0464 5664 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
17:56:28.0464 5664 sfloppy - ok
17:56:28.0542 5664 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
17:56:28.0542 5664 sisagp - ok
17:56:28.0776 5664 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
17:56:28.0776 5664 SiSRaid2 - ok
17:56:29.0541 5664 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
17:56:29.0541 5664 SiSRaid4 - ok
17:56:29.0962 5664 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
17:56:29.0993 5664 Smb - ok
17:56:30.0399 5664 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
17:56:30.0430 5664 spldr - ok
17:56:31.0085 5664 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
17:56:31.0382 5664 srv - ok
17:56:31.0647 5664 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
17:56:31.0647 5664 srv2 - ok
17:56:32.0115 5664 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
17:56:32.0146 5664 srvnet - ok
17:56:32.0390 5664 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
17:56:32.0390 5664 swenum - ok
17:56:32.0499 5664 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
17:56:32.0499 5664 Symc8xx - ok
17:56:32.0811 5664 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
17:56:32.0811 5664 Sym_hi - ok
17:56:32.0905 5664 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
17:56:32.0905 5664 Sym_u3 - ok
17:56:33.0045 5664 Tcpip (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\drivers\tcpip.sys
17:56:33.0092 5664 Tcpip - ok
17:56:33.0201 5664 Tcpip6 (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\DRIVERS\tcpip.sys
17:56:33.0201 5664 Tcpip6 - ok
17:56:33.0310 5664 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
17:56:33.0310 5664 tcpipreg - ok
17:56:33.0388 5664 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
17:56:33.0388 5664 TDPIPE - ok
17:56:33.0482 5664 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
17:56:33.0482 5664 TDTCP - ok
17:56:33.0638 5664 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
17:56:33.0669 5664 tdx - ok
17:56:34.0278 5664 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
17:56:34.0278 5664 TermDD - ok
17:56:34.0574 5664 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
17:56:34.0574 5664 tssecsrv - ok
17:56:35.0136 5664 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
17:56:35.0136 5664 tunmp - ok
17:56:35.0276 5664 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
17:56:35.0276 5664 tunnel - ok
17:56:35.0432 5664 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
17:56:35.0432 5664 uagp35 - ok
17:56:35.0604 5664 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
17:56:35.0619 5664 udfs - ok
17:56:35.0962 5664 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
17:56:36.0009 5664 uliagpkx - ok
17:56:36.0243 5664 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
17:56:36.0259 5664 uliahci - ok
17:56:36.0337 5664 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
17:56:36.0337 5664 UlSata - ok
17:56:36.0415 5664 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
17:56:36.0430 5664 ulsata2 - ok
17:56:36.0508 5664 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
17:56:36.0508 5664 umbus - ok
17:56:36.0649 5664 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\Windows\system32\Drivers\usbaapl.sys
17:56:36.0680 5664 USBAAPL - ok
17:56:37.0179 5664 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
17:56:37.0257 5664 usbccgp - ok
17:56:37.0694 5664 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
17:56:37.0741 5664 usbcir - ok
17:56:38.0100 5664 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
17:56:38.0131 5664 usbehci - ok
17:56:38.0630 5664 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
17:56:38.0755 5664 usbhub - ok
17:56:39.0270 5664 usbohci (ce697fee0d479290d89bec80dfe793b7) C:\Windows\system32\DRIVERS\usbohci.sys
17:56:39.0270 5664 usbohci - ok
17:56:39.0566 5664 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\drivers\usbprint.sys
17:56:39.0566 5664 usbprint - ok
17:56:39.0816 5664 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
17:56:39.0862 5664 USBSTOR - ok
17:56:40.0346 5664 usbuhci (325dbbacb8a36af9988ccf40eac228cc) C:\Windows\system32\DRIVERS\usbuhci.sys
17:56:40.0393 5664 usbuhci - ok
17:56:40.0783 5664 VClone (fce98c43b5c5db8e0da8ea0e2b45e044) C:\Windows\system32\DRIVERS\VClone.sys
17:56:40.0783 5664 VClone - ok
17:56:41.0220 5664 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
17:56:41.0251 5664 vga - ok
17:56:41.0656 5664 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
17:56:41.0656 5664 VgaSave - ok
17:56:41.0953 5664 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
17:56:41.0968 5664 viaagp - ok
17:56:42.0327 5664 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
17:56:42.0374 5664 ViaC7 - ok
17:56:42.0858 5664 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
17:56:42.0858 5664 viaide - ok
17:56:43.0372 5664 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
17:56:43.0388 5664 volmgr - ok
17:56:44.0012 5664 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
17:56:44.0240 5664 volmgrx - ok
17:56:44.0770 5664 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
17:56:44.0895 5664 volsnap - ok
17:56:45.0316 5664 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
17:56:45.0347 5664 vsmraid - ok
17:56:45.0815 5664 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
17:56:45.0847 5664 WacomPen - ok
17:56:46.0096 5664 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
17:56:46.0112 5664 Wanarp - ok
17:56:46.0221 5664 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
17:56:46.0221 5664 Wanarpv6 - ok
17:56:46.0736 5664 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
17:56:46.0736 5664 Wd - ok
17:56:47.0219 5664 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
17:56:47.0219 5664 WmiAcpi - ok
17:56:47.0516 5664 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
17:56:47.0531 5664 WpdUsb - ok
17:56:48.0077 5664 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
17:56:48.0109 5664 ws2ifsl - ok
17:56:48.0608 5664 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
17:56:48.0608 5664 WUDFRd - ok
17:56:48.0701 5664 MBR (0x1B8) (4bf077b4df3f4f5483a79d4ce511c7f3) \Device\Harddisk0\DR0
17:56:48.0764 5664 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
17:56:48.0764 5664 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
17:56:48.0779 5664 Boot (0x1200) (0709c36d0aadcf113d5f0c112d0f1566) \Device\Harddisk0\DR0\Partition0
17:56:48.0779 5664 \Device\Harddisk0\DR0\Partition0 - ok
17:56:48.0779 5664 ============================================================
17:56:48.0779 5664 Scan finished
17:56:48.0779 5664 ============================================================
17:56:48.0795 4824 Detected object count: 1
17:56:48.0795 4824 Actual detected object count: 1
17:57:05.0022 4824 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
17:57:05.0022 4824 \Device\Harddisk0\DR0 - ok
17:57:05.0022 4824 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
17:57:11.0233 18176 Deinitialize success
 
That's actually good news because TDSSKiller killed a rootkit.

Re-run aswMBR, post new log.

Also....

Re-run Farbar Service Scanner but this time....
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
 
Farbar Service Scanner
Ran by Administrator (administrator) on 12-01-2012 at 19:23:11
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Nerwork
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.
Checking LEGACY_bfe: Attention! Unable to open LEGACY_bfe\0000 registry key. The key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.
Checking LEGACY_SDRSVC: Attention! Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
===========
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
Checking LEGACY_BITS: Attention! Unable to open LEGACY_BITS\0000 registry key. The key does not exist.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem service is OK.
The ServiceDll of EventSystem service is OK.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2011-06-27 19:56] - [2012-01-12 17:18] - 0000000 ____A ()

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll
[2011-01-02 23:10] - [2009-04-11 01:28] - 0061440 ____A (Microsoft Corporation) 1CA6C40261DDC0425987980D0CD2AAAB

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll
[2011-01-02 23:10] - [2009-04-11 01:28] - 0758784 ____A (Microsoft Corporation) 93952506C6D67330367F7E7934B6A02F

C:\Windows\system32\es.dll
[2011-01-02 23:10] - [2009-04-11 01:28] - 0268800 ____A (Microsoft Corporation) 67058C46504BC12D821F38CF99B7B28F

C:\Windows\system32\cryptsvc.dll
[2011-01-02 23:10] - [2009-04-11 01:28] - 0129024 ____A (Microsoft Corporation) FB27772BEAF8E1D28CCD825C09DA939B

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-12 19:15:06
-----------------------------
19:15:06.141 OS Version: Windows 6.0.6002 Service Pack 2
19:15:06.141 Number of processors: 2 586 0xF0B
19:15:06.141 ComputerName: STEPHEN-PC UserName:
19:15:07.030 Initialize success
19:15:12.272 AVAST engine defs: 12011200
19:15:14.861 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000041
19:15:14.877 Disk 0 Vendor: WDC_WD32 12.0 Size: 305245MB BusType: 6
19:15:14.893 Disk 0 MBR read successfully
19:15:14.893 Disk 0 MBR scan
19:15:14.893 Disk 0 Windows VISTA default MBR code
19:15:14.908 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 305243 MB offset 2048
19:15:14.908 Disk 0 scanning sectors +625139712
19:15:14.971 Disk 0 scanning C:\Windows\system32\drivers
19:15:22.162 File: C:\Windows\system32\drivers\Wdf01000.sys **INFECTED** Win32:RLoader-B
19:15:22.365 Disk 0 trace - called modules:
19:15:22.381 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
19:15:22.381 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85caeac8]
19:15:22.396 3 CLASSPNP.SYS[8a3ac8b3] -> nt!IofCallDriver -> [0x8531ee00]
19:15:22.396 5 acpi.sys[807bc6bc] -> nt!IofCallDriver -> \Device\00000041[0x8530fa08]
19:15:23.535 AVAST engine scan C:\Windows
19:15:26.125 AVAST engine scan C:\Windows\system32
19:17:17.836 AVAST engine scan C:\Windows\system32\drivers
19:17:25.059 File: C:\Windows\system32\drivers\Wdf01000.sys **INFECTED** Win32:RLoader-B
19:17:26.198 AVAST engine scan C:\Users\Administrator
19:18:15.369 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache2441297853792215642.tmp **INFECTED** Win32:Kryptik-DJD [Trj]
19:18:15.416 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache2546951413663940763.tmp **INFECTED** Win32:MalOb-GF [Cryp]
19:18:15.463 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache2740558627932482271.tmp **INFECTED** Win32:Kryptik-DJD [Trj]
19:18:15.603 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache4416902755111729394.tmp **INFECTED** Win32:Kryptik-DKN [Trj]
19:18:15.790 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache5554113741605944304.tmp **INFECTED** Win32:MalOb-GS [Cryp]
19:18:16.071 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache6855520816091083099.tmp **INFECTED** Win32:MalOb-GS [Cryp]
19:18:16.165 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache7262576682993569311.tmp **INFECTED** Win32:Kryptik-DJD [Trj]
19:18:16.243 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache7309834498984758723.tmp **INFECTED** Win32:MalOb-GF [Cryp]
19:18:16.305 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache7645806635774182343.tmp **INFECTED** Win32:Renosa-J [Wrm]
19:18:16.383 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache8500703002762741723.tmp **INFECTED** Win32:Kryptik-DJD [Trj]
19:21:15.065 Disk 0 MBR has been saved successfully to "C:\Users\Administrator\Desktop\MBR.dat"
19:21:15.065 The log file has been saved successfully to "C:\Users\Administrator\Desktop\aswMBR.txt"
 
aswMBR log looks much better :)

Re-run Blitzblank my post #10 with this code:

Code:
CopyFile:
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6000.16386_none_d5b1809661820e7c\afd.sys C:\Windows\System32\drivers\afd.sys

Post its log.
 
For some reason, I am no longer able to open the flash drive on the PC with the viruses, but I was still able to send files to it, thankfully. Upon reboot after running BlitzBlank, there was the blue screen again. Rebooted into safe mode with networking. Here is the log.


BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
CopyFileOnReboot: sourceFile = "\??\c:\windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6000.16386_none_5e2e0665fa591691\netbt.sys", destinationFile = "\??\c:\windows\system32\drivers\netbt.sys"GetDataFromFile: ZwOpenFile failed: status = c0000022
CopyFileOnReboot: sourceFile = "\??\c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6000.16386_none_d5b1809661820e7c\afd.sys", destinationFile = "\??\c:\windows\system32\drivers\afd.sys"GetDataFromFile: ZwOpenFile failed: status = c0000022


BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
CopyFileOnReboot: sourceFile = "\??\c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6000.16386_none_d5b1809661820e7c\afd.sys", destinationFile = "\??\c:\windows\system32\drivers\afd.sys"GetDataFromFile: ZwOpenFile failed: status = c0000022
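As an added example (not code from this thread, nor part of TDSSKiller, aswMBR, Farbar Service Scanner or BlitzBlank), the following Python script does the triage a helper otherwise performs by eye over the TDSSKiller, FSS, aswMBR and BlitzBlank logs posted above: it lists the objects TDSSKiller flagged, separates aswMBR hits on system drivers from hits on Java cache files in Temp, extracts the services whose registry keys FSS could not open, flags File Check entries FSS did not certify as legit (the zero-length afd.sys, for instance), and names the NTSTATUS behind BlitzBlank's failed copy. The sample input is excerpted from the logs in this thread; the function names, the location classification and the NTSTATUS lookup table are this example's own assumptions.

```python
import re

# Added example: log triage for the four tools used in this thread. It is not part
# of TDSSKiller, aswMBR, Farbar Service Scanner or BlitzBlank. The sample input is
# excerpted from the logs posted in the thread; the classification rules and the
# NTSTATUS table are this example's own assumptions.

TDSSKILLER_LOG = r"""
17:56:48.0701 5664 MBR (0x1B8) (4bf077b4df3f4f5483a79d4ce511c7f3) \Device\Harddisk0\DR0
17:56:48.0764 5664 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
17:56:48.0764 5664 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
17:56:48.0779 5664 \Device\Harddisk0\DR0\Partition0 - ok
17:57:05.0022 4824 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
"""

ASWMBR_LOG = r"""
19:15:14.893 Disk 0 MBR read successfully
19:15:22.162 File: C:\Windows\system32\drivers\Wdf01000.sys **INFECTED** Win32:RLoader-B
19:18:15.369 File: C:\Users\Administrator\AppData\Local\Temp\jar_cache2441297853792215642.tmp **INFECTED** Win32:Kryptik-DJD [Trj]
"""

FSS_LOG = r"""
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.
bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2011-06-27 19:56] - [2012-01-12 17:18] - 0000000 ____A ()
C:\Windows\system32\wscsvc.dll
[2011-01-02 23:10] - [2009-04-11 01:28] - 0061440 ____A (Microsoft Corporation) 1CA6C40261DDC0425987980D0CD2AAAB
"""

BLITZBLANK_LOG = r"""
CopyFileOnReboot: sourceFile = "\??\c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6000.16386_none_d5b1809661820e7c\afd.sys", destinationFile = "\??\c:\windows\system32\drivers\afd.sys"GetDataFromFile: ZwOpenFile failed: status = c0000022
"""

# NTSTATUS values this example knows how to name (assumption: only the one seen here).
NTSTATUS_NAMES = {"c0000022": "STATUS_ACCESS_DENIED"}

TDSS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+(\S+)\s+\(\s*(\S+)\s*\)\s+-\s+(infected|will be cured on reboot)\s*$")
ASWMBR_RE = re.compile(r"^\S+\s+File:\s+(.+?)\s+\*\*INFECTED\*\*\s+(.+?)\s*$")
FSS_KEY_RE = re.compile(r"Attention! Unable to open (\S+) registry key")
FSS_PATH_RE = re.compile(r"^[A-Za-z]:\\")
FSS_DETAIL_RE = re.compile(r"^\[[^\]]*\] - \[[^\]]*\] - (\d+) \S+ \(([^)]*)\)(?: ([0-9A-Fa-f]{32}))?\s*$")
BLITZ_RE = re.compile(r'destinationFile = "([^"]+)".*?ZwOpenFile failed: status = ([0-9a-fA-F]{8})')


def tdsskiller_findings(text):
    """Objects TDSSKiller flagged, as (object, detection name, status) tuples."""
    return [m.groups() for m in map(TDSS_RE.match, text.splitlines()) if m]


def aswmbr_findings(text):
    """Files aswMBR flagged, as (path, detection, location class) tuples."""
    # A hit on a file under system32/drivers means a system driver must be restored
    # from a known-good copy; a hit in the Java cache under Temp is a dropper artefact.
    out = []
    for m in filter(None, map(ASWMBR_RE.match, text.splitlines())):
        path, detection = m.groups()
        p = path.lower()
        if "\\appdata\\local\\temp\\" in p:
            where = "temp file"
        elif "\\system32\\drivers\\" in p:
            where = "system driver"
        else:
            where = "other"
        out.append((path, detection, where))
    return out


def fss_missing_service_keys(text):
    """Services whose registry key FSS could not open (deleted, not merely stopped)."""
    # LEGACY_* keys are the PnP enum mirror of the service key; skip them here.
    names = {m.group(1) for m in FSS_KEY_RE.finditer(text)}
    return sorted((n for n in names if not n.startswith("LEGACY_")), key=str.lower)


def fss_suspicious_files(text):
    """File Check entries FSS did not certify as 'MD5 is legit', each with a reason."""
    lines = text.splitlines()
    out = []
    for i, line in enumerate(lines):
        if not FSS_PATH_RE.match(line) or "=> MD5 is legit" in line:
            continue
        detail = FSS_DETAIL_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if detail is None:
            out.append((line.strip(), "no detail line; inspect manually"))
            continue
        size, company, md5 = detail.groups()
        if int(size) == 0 or not company:
            out.append((line.strip(), "zero-length or no version info: likely overwritten, restore from a known-good copy"))
        else:
            out.append((line.strip(), f"MD5 {md5 or 'unknown'} not confirmed by FSS; verify against a trusted reference"))
    return out


def blitzblank_failures(text):
    """Copy-on-reboot operations that failed, as (destination, status, status name)."""
    return [(dst, code.lower(), NTSTATUS_NAMES.get(code.lower(), "unknown NTSTATUS"))
            for dst, code in BLITZ_RE.findall(text)]


def triage():
    """Run all four parsers over the embedded sample logs."""
    return {
        "tdsskiller": tdsskiller_findings(TDSSKILLER_LOG),
        "aswmbr": aswmbr_findings(ASWMBR_LOG),
        "fss_missing_service_keys": fss_missing_service_keys(FSS_LOG),
        "fss_suspicious_files": fss_suspicious_files(FSS_LOG),
        "blitzblank_failures": blitzblank_failures(BLITZBLANK_LOG),
    }


if __name__ == "__main__":
    for section, findings in triage().items():
        print(f"== {section} ==")
        for item in findings:
            print("  ", item)
```

Run as a script it prints one section per tool. The point of the FSS checks is the distinction the thread turns on: a service that is "not running" with an OK start type and ImagePath was merely stopped, while MpsSvc, bfe and wscsvc have no service key at all and have to be recreated, and an afd.sys reported at 0 bytes with no version information has been overwritten and explains why BlitzBlank was asked to copy it back from winsxs; the c0000022 status on that copy decodes to STATUS_ACCESS_DENIED, which tells the reader the replacement was blocked rather than attempted on a wrong path.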
 
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.

**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shut down your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Here is the log from Rkill

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/13/2012 at 15:36:25.
Operating System: Windows Vista (TM) Home Premium


Processes terminated by Rkill or while it was running:



Rkill completed on 01/13/2012 at 15:36:27.

Combofix seemed to be working. Then a window popped up indicating that I had some sort of severe infection. I clicked ok and the blue window is still open. I'm not sure if it is still working or not.
 