resident shield alert & D: drive issues


So after being out of town for a week I returned home last night and saw Windows wanted to install some updates, so I hit that sleep button that installs the updates and let the updates do their work. When I turned my computer back on, a Windows Vista Repair virus quickly made a mess of things and I had to shut down. After a bit of rooting around the internet late at night I downloaded StopZilla and used it to remove the virus (didn't realize until after 1-2 hours of it searching through my computer that I had to pay for it; I was frustrated).

I thought everything was fixed after this, but there are still a number of problems with my computer and I would appreciate any help y'all can offer.

The Windows Vista Repair virus made everything on my desktop disappear, and not everything has returned with the virus removed. A number of files and programs seem to be gone from my computer now (mostly games, like Starcraft II or Fallout NV) and a number of my pictures have been turned into hidden files (which I found instructions on how to un-hide, but they still appear ghost-like in their folders).

Also, I can't launch anything from my D drive. When I put a disk in and try to launch it I get an error "Windows cannot access the specified device, path, or file. you may not have the appropriate permission to access this item." and then I get a Resident Shield alert saying it detected a threat called "D:\installer.exe", which it says is a trojan horse (I close this popup without clicking it, as I think it's another virus like the Windows Vista Repair one that wrecked me last night).

(On a side note, I always closed Windows Vista Repair without clicking on it when it would try to pop up while searching the internet over the past months as well. Not sure how it got in...)

Additionally, my computer's no longer keeping tabs on recent documents or programs when I click on the Windows symbol in the bottom left corner. While going through the "I'm infected" instructions, I wasn't able to make the DeFogger or the DDS work. (Not sure why the DeFogger didn't work; it just seemed to stop what it was doing in the middle of doing it. When I tried to use DDS I got blocked for not having "administrative access" and it wanted me to provide some kind of login name and password to use, which I didn't have.)

I've run a second StopZilla scan, which says I'm clean, Malwarebytes said I'm clean, Ad-Aware's scan is still ongoing, but something is clearly still wrong.

Any help would be GREATLY appreciated.

Here's the requested scan logs:

MALWAREBYTES LOG:

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 7004

Windows 6.0.6002 Service Pack 2

Internet Explorer 9.0.8112.16421

7/2/2011 1:18:52 PM

mbam-log-2011-07-02 (13-18-51).txt

Scan type: Quick scan

Objects scanned: 163304

Time elapsed: 22 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

no DDS logs because the program wouldn't run.

My ark.txt doesn't have the option to compress like shown in the picture, but you're not missing out on much there because it came up with nothing when it finished. (the log is a blank, empty document.)

Thanks again for the help, folks. :)


Logs will be closed if you haven't replied within 3 days

Please do not attach the scan results from ComboFix. Use copy/paste.

DO NOT use any TOOLS such as ComboFix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (right-click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

XP Users

Double-click My Computer.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Uncheck "Hide file extensions for known file types."

Under the "Hidden files" folder, select "Show hidden files and folders."

Uncheck "Hide protected operating system files."

Click Apply, and then click OK.

Vista Users

To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.

Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.

When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:

Double-click on the Folder Options icon.

Click on the View tab.

If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.

Click on Show Hidden Files or Folders.

Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

Remove the checkmark from the checkbox labeled Hide extensions for known file types.

Remove the checkmark from the checkbox labeled Hide protected operating system files.

Please do not delete anything unless instructed to.

Next:

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Protective Programs
  • Double-click on ComboFix.exe & follow the prompts.
    Notes: ComboFix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


My computer won't let me run combofix.exe.

The first time I ran it, it stopped in the middle of its first scan (the loading bar it shows when you first open it, at least) and closed.

The second time I ran it, it stopped near the end of its first scan and then a popup told me I didn't have the administrative power to run it (I'm the only person using this computer...)

The third time I ran it I got a new popup at roughly the same place as before, this time titled "Error - Win32 only" and reading "Incompatible OS. ComboFix only works for workstations with Windows 200 and XP." (It says this 8 times in 8 different languages.)

The fourth time, I tried using combofix.exe from the second download link. This time the popup that stopped it in its tracks was titled "Error" and read "!! ALERT !! It is NOT SAFE to continue! The conents of the ComboFix package has been compromised. Please download a fresh copy from: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: You may be infected with a file patching virus 'Virut'"

So... What now?


Please download Dr.Web CureIt . Save it to your desktop:

  • Double-click the drweb-cureit.exe file and click Scan to run an express scan. Click OK in the pop-up window to allow the scan.
  • This will scan the files currently running in memory and if something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Note: this report may need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Please post the Dr.Web.txt report in your next reply.
  • Close Dr.Web CureIt.
    Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

NOTE. During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.


Well, the express scan found nothing. I then did the complete scan and it took 11 hours. When I got home from work and saw that the complete scan, too, came up negative, I accidentally closed it before remembering to save the log. :(

Should I run it again in the morning and give you the log tomorrow evening? Or shall we move on to the next test.

On another note, since my first post on here, but before your response, new viruses continue to pop up on my computer just about every time I turn it on. (StopZilla always detects them and then says it's removed them. They're always variants of that fake security software virus.) So I feel like something has to be hiding here beyond our detection...


Next:

Note: if the Cure option is not there, please select 'Skip'.

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please post the contents of that TDSSKiller log.

Also please describe how your computer behaves at the moment.


About to begin the process you just laid out for me. First I'll let you know how the computer is behaving beforehand. When I turned it on today the StopZilla antivirus popped up immediately saying it had found "Google redirector X2, System tool 2011 X3, Gen Malware Detection.00, and System Policies.Disable Registry tools X2" (X being how many entries of each virus were found.)

Then, out of curiosity, I looked over the stopzilla log to see how many viruses have been removed since I installed it 6 days ago, and the number is 136. Computer seems to be acting fine at the moment though. I'll begin the above instructions now. Thanks!


Also, I just noticed a number of new files have appeared on my computer to which access is denied.

Under Desktop>User>, folders labeled:

Application Data
Cookies
Local Settings
My Documents
NetHood
PrintHood
Recent
SentTo
Start Menu
Templates

have all appeared. They all have a little box holding a blue arrow in the corner of their icon. And to all of them, access is denied. These were not present when I turned my computer off last night.

And now I'll begin your step from above.


Nothing found and no reboot required. Here's the report:

2011/07/07 10:39:52.0439 1888 TDSS rootkit removing tool 2.5.9.0 Jul 1 2011 18:45:21

2011/07/07 10:39:53.0197 1888 ================================================================================

2011/07/07 10:39:53.0197 1888 SystemInfo:

2011/07/07 10:39:53.0197 1888

2011/07/07 10:39:53.0197 1888 OS Version: 6.0.6002 ServicePack: 2.0

2011/07/07 10:39:53.0197 1888 Product type: Workstation

2011/07/07 10:39:53.0197 1888 ComputerName: KENNYRYAN-PC

2011/07/07 10:39:53.0197 1888 UserName: kenny ryan

2011/07/07 10:39:53.0197 1888 Windows directory: C:\Windows

2011/07/07 10:39:53.0197 1888 System windows directory: C:\Windows

2011/07/07 10:39:53.0197 1888 Running under WOW64

2011/07/07 10:39:53.0197 1888 Processor architecture: Intel x64

2011/07/07 10:39:53.0197 1888 Number of processors: 2

2011/07/07 10:39:53.0197 1888 Page size: 0x1000

2011/07/07 10:39:53.0197 1888 Boot type: Normal boot

2011/07/07 10:39:53.0197 1888 ================================================================================

2011/07/07 10:39:54.0098 1888 Initialize success

2011/07/07 10:40:08.0514 5564 ================================================================================

2011/07/07 10:40:08.0514 5564 Scan started

2011/07/07 10:40:08.0514 5564 Mode: Manual;

2011/07/07 10:40:08.0514 5564 ================================================================================


2011/07/07 10:40:16.0323 5564 sfloppy (6b7838c94135768bd455cbdc23e39e5f) C:\Windows\system32\drivers\sfloppy.sys

2011/07/07 10:40:16.0347 5564 SiSRaid2 (08dda16573fa44f8b13afe74597ad2e5) C:\Windows\system32\drivers\sisraid2.sys

2011/07/07 10:40:16.0368 5564 SiSRaid4 (c52259e9daaf3890d572d87ffee0979e) C:\Windows\system32\drivers\sisraid4.sys

2011/07/07 10:40:16.0402 5564 Smb (290b6f6a0ec4fcdfc90f5cb6d7020473) C:\Windows\system32\DRIVERS\smb.sys

2011/07/07 10:40:16.0431 5564 spldr (386c3c63f00a7040c7ec5e384217e89d) C:\Windows\system32\drivers\spldr.sys

2011/07/07 10:40:16.0467 5564 srv (880a57fccb571ebd063d4dd50e93e46d) C:\Windows\system32\DRIVERS\srv.sys

2011/07/07 10:40:16.0526 5564 srv2 (a1ad14a6d7a37891fffeca35ebbb0730) C:\Windows\system32\DRIVERS\srv2.sys

2011/07/07 10:40:16.0553 5564 srvnet (4bed62f4fa4d8300973f1151f4c4d8a7) C:\Windows\system32\DRIVERS\srvnet.sys

2011/07/07 10:40:16.0605 5564 swenum (8a851ca908b8b974f89c50d2e18d4f0c) C:\Windows\system32\DRIVERS\swenum.sys

2011/07/07 10:40:16.0627 5564 Symc8xx (2f26a2c6fc96b29beff5d8ed74e6625b) C:\Windows\system32\drivers\symc8xx.sys

2011/07/07 10:40:16.0648 5564 Sym_hi (a909667976d3bccd1df813fed517d837) C:\Windows\system32\drivers\sym_hi.sys

2011/07/07 10:40:16.0673 5564 Sym_u3 (36887b56ec2d98b9c362f6ae4de5b7b0) C:\Windows\system32\drivers\sym_u3.sys

2011/07/07 10:40:16.0736 5564 Tcpip (973658a2ea9c06b2976884b9046dfc6c) C:\Windows\system32\drivers\tcpip.sys

2011/07/07 10:40:16.0786 5564 Tcpip6 (973658a2ea9c06b2976884b9046dfc6c) C:\Windows\system32\DRIVERS\tcpip.sys

2011/07/07 10:40:16.0820 5564 tcpipreg (c7e72a4071ee0200e3c075dacfb2b334) C:\Windows\system32\drivers\tcpipreg.sys

2011/07/07 10:40:16.0842 5564 TDPIPE (1d8bf4aaa5fb7a2761475781dc1195bc) C:\Windows\system32\drivers\tdpipe.sys

2011/07/07 10:40:16.0871 5564 TDTCP (7f7e00cdf609df657f4cda02dd1c9bb1) C:\Windows\system32\drivers\tdtcp.sys

2011/07/07 10:40:16.0905 5564 tdx (458919c8c42e398dc4802178d5ffee27) C:\Windows\system32\DRIVERS\tdx.sys

2011/07/07 10:40:16.0925 5564 TermDD (8c19678d22649ec002ef2282eae92f98) C:\Windows\system32\DRIVERS\termdd.sys

2011/07/07 10:40:16.0968 5564 tssecsrv (9e5409cd17c8bef193aad498f3bc2cb8) C:\Windows\system32\DRIVERS\tssecsrv.sys

2011/07/07 10:40:17.0007 5564 tunmp (89ec74a9e602d16a75a4170511029b3c) C:\Windows\system32\DRIVERS\tunmp.sys

2011/07/07 10:40:17.0060 5564 tunnel (30a9b3f45ad081bffc3bcaa9c812b609) C:\Windows\system32\DRIVERS\tunnel.sys

2011/07/07 10:40:17.0108 5564 uagp35 (e4722dfbd6232acf17543ef2c2dce8d2) C:\Windows\system32\drivers\uagp35.sys

2011/07/07 10:40:17.0146 5564 udfs (faf2640a2a76ed03d449e443194c4c34) C:\Windows\system32\DRIVERS\udfs.sys

2011/07/07 10:40:17.0182 5564 uliagpkx (5663d7696abbe71f8c9d915c5374118a) C:\Windows\system32\drivers\uliagpkx.sys

2011/07/07 10:40:17.0211 5564 uliahci (6030b68e86a30d1b315b51c4d7778b16) C:\Windows\system32\drivers\uliahci.sys

2011/07/07 10:40:17.0234 5564 UlSata (31707f09846056651ea2c37858f5ddb0) C:\Windows\system32\drivers\ulsata.sys

2011/07/07 10:40:17.0258 5564 ulsata2 (85e5e43ed5b48c8376281bab519271b7) C:\Windows\system32\drivers\ulsata2.sys

2011/07/07 10:40:17.0300 5564 umbus (46e9a994c4fed537dd951f60b86ad3f4) C:\Windows\system32\DRIVERS\umbus.sys

2011/07/07 10:40:17.0345 5564 usbccgp (07e3498fc60834219d2356293da0fecc) C:\Windows\system32\DRIVERS\usbccgp.sys

2011/07/07 10:40:17.0355 5564 usbcir (9247f7e0b65852c1f6631480984d6ed2) C:\Windows\system32\drivers\usbcir.sys

2011/07/07 10:40:17.0383 5564 usbehci (827e44de934a736ea31e91d353eb126f) C:\Windows\system32\DRIVERS\usbehci.sys

2011/07/07 10:40:17.0403 5564 usbhub (bb35cd80a2ececfadc73569b3d70c7d1) C:\Windows\system32\DRIVERS\usbhub.sys

2011/07/07 10:40:17.0414 5564 usbohci (eba14ef0c07cec233f1529c698d0d154) C:\Windows\system32\drivers\usbohci.sys

2011/07/07 10:40:17.0437 5564 usbprint (acfee697af477021bb3ec78c5431fed2) C:\Windows\system32\drivers\usbprint.sys

2011/07/07 10:40:17.0458 5564 USBSTOR (b854c1558fca0c269a38663e8b59b581) C:\Windows\system32\DRIVERS\USBSTOR.SYS

2011/07/07 10:40:17.0490 5564 usbuhci (b2872cbf9f47316abd0e0c74a1aba507) C:\Windows\system32\DRIVERS\usbuhci.sys

2011/07/07 10:40:17.0528 5564 vga (916b94bcf1e09873fff2d5fb11767bbc) C:\Windows\system32\DRIVERS\vgapnp.sys

2011/07/07 10:40:17.0558 5564 VgaSave (b83ab16b51feda65dd81b8c59d114d63) C:\Windows\System32\drivers\vga.sys

2011/07/07 10:40:17.0567 5564 viaide (8294b6c3fdb6c33f24e150de647ecdaa) C:\Windows\system32\drivers\viaide.sys

2011/07/07 10:40:17.0598 5564 volmgr (2b7e885ed951519a12c450d24535dfca) C:\Windows\system32\drivers\volmgr.sys

2011/07/07 10:40:17.0625 5564 volmgrx (cec5ac15277d75d9e5dec2e1c6eaf877) C:\Windows\system32\drivers\volmgrx.sys

2011/07/07 10:40:17.0681 5564 volsnap (5280aada24ab36b01a84a6424c475c8d) C:\Windows\system32\drivers\volsnap.sys

2011/07/07 10:40:17.0708 5564 vsmraid (410ae2c141142c58bc617fc2c677f8b0) C:\Windows\system32\drivers\vsmraid.sys

2011/07/07 10:40:17.0748 5564 WacomPen (fef8fe5923fead2cee4dfabfce3393a7) C:\Windows\system32\drivers\wacompen.sys

2011/07/07 10:40:17.0784 5564 Wanarp (b8e7049622300d20ba6d8be0c47c0cfd) C:\Windows\system32\DRIVERS\wanarp.sys

2011/07/07 10:40:17.0798 5564 Wanarpv6 (b8e7049622300d20ba6d8be0c47c0cfd) C:\Windows\system32\DRIVERS\wanarp.sys

2011/07/07 10:40:17.0824 5564 Wd (59b501b0a04c9672142b7ffa2bdbf663) C:\Windows\system32\drivers\wd.sys

2011/07/07 10:40:17.0867 5564 WDC_SAM (a3d04ebf5227886029b4532f20d026f7) C:\Windows\system32\DRIVERS\wdcsam64.sys

2011/07/07 10:40:17.0914 5564 Wdf01000 (d02e7e4567da1e7582fbf6a91144b0df) C:\Windows\system32\drivers\Wdf01000.sys

2011/07/07 10:40:18.0018 5564 WmiAcpi (ae34218455d5dc12d1e45de85f160346) C:\Windows\system32\drivers\wmiacpi.sys

2011/07/07 10:40:18.0083 5564 WpdUsb (5e2401b3fc1089c90e081291357371a9) C:\Windows\system32\DRIVERS\wpdusb.sys

2011/07/07 10:40:18.0108 5564 ws2ifsl (8a900348370e359b6bff6a550e4649e1) C:\Windows\system32\drivers\ws2ifsl.sys

2011/07/07 10:40:18.0157 5564 WUDFRd (501a65252617b495c0f1832f908d54d8) C:\Windows\system32\DRIVERS\WUDFRd.sys

2011/07/07 10:40:18.0187 5564 yukonx64 (07f7285220307aafb755d890295f0f9a) C:\Windows\system32\DRIVERS\yk60x64.sys

2011/07/07 10:40:18.0204 5564 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0

2011/07/07 10:40:18.0215 5564 Boot (0x1200) (446707ef9eed4afbd78c18acbd759077) \Device\Harddisk0\DR0\Partition0

2011/07/07 10:40:18.0220 5564 ================================================================================

2011/07/07 10:40:18.0221 5564 Scan finished

2011/07/07 10:40:18.0221 5564 ================================================================================

2011/07/07 10:40:18.0227 5912 Detected object count: 0

2011/07/07 10:40:18.0227 5912 Actual detected object count: 0

Also, Firefox is no longer saving my tabs when I close it, and YouTube videos no longer have sound.

Other than that, I'm not really trying to do much with this computer right now so I'm not noticing any other symptoms.


http://www.bleepingcomputer.com/forums/topic355166.html

Virut or Ramnit

.exe/.com/.scr/.htm/.html/.xml/.zip/.rar files

Virut

If you are infected with a polymorphic file infector:

This infection can and will infect all the machine's executable files: .exe, .scr, .rar, .zip, .htm, .html.

You should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking, then I recommend you take the following steps immediately:

• Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, PayPal, eBay, etc. You should also change the passwords for any other site you use.
• Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen, and ask what steps to take with regard to your account.
• Consider what other private information could possibly have been taken from your computer and take appropriate steps.

The best thing you can do is to back up, preferably to CD, all your important data: documents, pictures, movies, and songs.

DO NOT back up any applications or installers, and DO NOT back up any files with the following extensions:

• .exe
• .scr
• .htm
• .html
• .xml
• .zip
• .rar

Please see this information by miekiemoes:

http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

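As an added example (not code from the thread or from the linked article), the following Python script performs the backup the post above describes: it copies a user's data folder to a backup location, skips every file whose final extension is on the do-not-backup list (the .com entry is taken from the post's header line), and writes a SHA-256 manifest of what it copied so the backup can be verified later. The Documents/Backup paths, the MANIFEST.sha256 file name and the sample file tree are constructed for the demonstration.

```python
"""Back up user data while skipping the file types a polymorphic file
infector (Virut/Ramnit) spreads through, as advised in the post above.

Added example, not code from the thread or from the linked article.
Paths, file names and file contents below are constructed for the demo.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# The do-not-backup list from the post (.com taken from the post's header line).
INFECTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".htm", ".html",
                         ".xml", ".zip", ".rar"}


def classify(path) -> str:
    """Return 'skip' for a file the infector can carry, 'copy' otherwise.

    Only the final suffix is checked, case-insensitively: a double extension
    such as holiday.jpg.exe is still an executable and is skipped.
    """
    return "skip" if Path(path).suffix.lower() in INFECTABLE_EXTENSIONS else "copy"


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks so large media files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_tree(src: Path, dst: Path) -> dict:
    """Copy data files from src to dst (relative layout kept), skipping infectable types.

    Returns {"copied": [...], "skipped": [...], "sha256": {rel: digest}} with
    relative POSIX-style paths, and writes dst/MANIFEST.sha256 (one
    "<digest>  <path>" line per file, the format `sha256sum -c` reads).
    """
    report = {"copied": [], "skipped": [], "sha256": {}}
    for root, _dirs, files in os.walk(src):
        for name in files:
            p = Path(root) / name
            rel = p.relative_to(src).as_posix()
            if classify(p) == "skip":
                report["skipped"].append(rel)
                continue
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)          # copy2 keeps the file timestamps
            report["copied"].append(rel)
            report["sha256"][rel] = sha256_of(target)
    manifest = dst / "MANIFEST.sha256"       # constructed file name
    manifest.parent.mkdir(parents=True, exist_ok=True)
    with open(manifest, "w") as f:
        for rel in sorted(report["sha256"]):
            f.write(f"{report['sha256'][rel]}  {rel}\n")
    return report


def demo() -> dict:
    """Build a constructed sample tree in a temp dir, back it up, return the report."""
    base = Path(tempfile.mkdtemp(prefix="virut_backup_demo_"))
    src, dst = base / "Documents", base / "Backup"
    sample = {                                   # constructed contents, not real files
        "Pictures/holiday.jpg": b"\xff\xd8\xff\xe0 constructed jpeg",
        "Pictures/holiday.jpg.exe": b"MZ constructed double-extension sample",
        "Music/song.mp3": b"ID3 constructed",
        "notes.txt": b"constructed text",
        "report.html": b"<html>constructed</html>",
        "archive.zip": b"PK constructed",
    }
    for rel, data in sample.items():
        p = src / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    try:
        return backup_tree(src, dst)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    r = demo()
    print("copied :", sorted(r["copied"]))
    print("skipped:", sorted(r["skipped"]))
```

Skipped files are only reported, never deleted; the manifest lets the user confirm later that the restored copies match what was backed up.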

Thank you very much for the info. I haven't used any sensitive passwords on this computer (banking etc.) since before the virus, so those should still be safe, right? Or, if I've done some online banking a month ago, should I still be worried about those passwords?

Thanks for all the help!


If CF still doesn't run, try this:

Download Combofix from any of the links below but rename it to Iexplorer.com before saving it to your desktop.

Download the tools needed to a flash drive or other USB device, and transfer them to the infected computer.

* IMPORTANT !!! Save Iexplorer.com to your Desktop

Link 1

Link 2 <-- Right-click and use Save As if using this link.

Double click on the Iexplorer.com ComboFix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

Note:

If ComboFix (Iexplorer.com) won't run from the desktop, try running it from the USB device.


I followed your instructions and ran Iexplorer.com ComboFix but it still wouldn't work. The initial scan/load thing reached the 70% mark then closed, though this time my pop-up reason for why it closed was at least consistent. Trying it twice from my desktop and once from the flash drive, I was stopped each time with an error that read:

"ComboFix cannot run when AVG is installed.

This is due to AVG's targeting of ComboFix's files/processes.

It would be dangerous to continue.

Please uninstall AVG or use another tool."

As per your instructions from earlier, I'd turned off AVG and my other antivirus programs prior to launching Combofix. I checked Task Manager and didn't see AVG running anywhere, though it is on my computer.


The first time I ran ComboFix I got the following errors in 3 consecutive popups when my scan/load bar was 90% complete.

"Windows cannot find 'NIRCMD'. Make sure you typed the name correctly, and then try again."

"Windows cannot find 'HIDEC'. Make sure you typed the name correctly, and then try again."

"Windows cannot find 'NIRCMD'. Make sure you typed the name correctly, and then try again."

The second time I ran it I got the below popup at the 90% load/scan point.

"ComboFix has detected the following real time scanner(s) to be active:

Antispyware: STOPzilla Anti-Spyware

Antivirus and intrusion prevention programs are known to interfere with ComboFix's running. This may lead to unpredictable results or possible machine damage.

Please disable these scanners before clicking 'OK'."

(I'd turned STOPzilla off via the tray in the bottom right before running the scan.)

It then said it would run ComboFix anyway but could potentially damage my machine, so I stopped it. Do I need to uninstall STOPzilla before attempting ComboFix again, or should I be OK?


After the reset and as the log was being prepared I got the 'NIRCMD' popups again. Other than that, things seemed to work without a hitch.

Here's the ComboFix log:

ComboFix 11-07-07.04 - kenny ryan 07/07/2011 15:53:17.1.2 - x64

Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.4094.2164 [GMT -5:00]

Running from: c:\users\kenny ryan\Desktop\Iexplorer.com

SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}

SP: STOPzilla Anti-Spyware *Enabled/Updated* {B2E69928-50DC-94CA-6A80-AAB054008761}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10a.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]

@Denied: (A 2) (Everyone)

@="IFlashBroker2"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]

@Denied: (A 2) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]

@="Shockwave Flash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]

@Denied: (A 2) (Everyone)

@=""

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]

@="FlashBroker"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]

"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Kodak\KODAK Share Button App\Listener.exe

c:\program files (x86)\Lavasoft\Ad-Aware\AAWTray.exe

c:\program files\Logitech\SetPoint\x86\SetPoint32.exe

.

**************************************************************************

.

Completion time: 2011-07-07 16:10:22 - machine was rebooted

ComboFix-quarantined-files.txt 2011-07-07 21:10

.

Pre-Run: 83,746,983,936 bytes free

Post-Run: 83,906,883,584 bytes free

.

- - End Of File - - 85C07DF0D91FAA253F3A4AFC8C17133D

Also, I noticed there is now a Windows Security Alerts icon on the bottom-right toolbar, and an icon labeled "The Internet" with an IE-looking tooltip has appeared on my desktop.

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run, type Notepad, and click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

Folder::
C:\Iexplorer4389I
C:\Iexplorer4696I

Save this file to your desktop; save it as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... and change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save...

Drag CFScript.txt into ComboFix.exe

Then post the resulting log using Copy / Paste.

Also please describe how your computer behaves at the moment.
