
Unknown virus redirects internet explorer to random websites


  • This topic is locked
40 replies to this topic

#1 tom348

tom348

  • Members
  • 20 posts
  • OFFLINE
  • Local time:08:51 AM

Posted 06 May 2011 - 01:05 PM

Have tried scanning with Malwarebytes, Spybot, and AVAST in regular mode and safe mode and they did not find anything.

DDS Text Log

DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by rachel at 9:13:32.03 on Fri 05/06/2011
Internet Explorer: 7.0.6000.17037
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1015.426 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\helppane.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\rachel\Documents\Antivirus\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: Mininova-Vuze Toolbar: {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - c:\program files\mininova-vuze\tbMin0.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
TB: Mininova-Vuze Toolbar: {d51d388b-f5dc-471a-a1ce-5e2d671091c0} - c:\program files\mininova-vuze\tbMin0.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB6.6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.30618; .NET CLR 3.5.30729)" -"http://www.bbc.co.uk/education/mathsfile/shockwave/games/gridgame.html"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se ver.5\transfer utility\CameraMonitor.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://rosscafe-west.ros.com/dana-cached/sc/JuniperSetupClient.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
Hosts: 127.0.0.1 www.avg.com
Hosts: 127.0.0.1 www.eset.com
Hosts: 127.0.0.1 www.pandasecurity.com
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2007-6-1 252416]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]
S2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\norton pc checkup\norton pc checkup\engine\2.0.2.506\SymcPCCULaunchSvc.exe [2009-12-27 120248]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\norton pc checkup\norton pc checkup\engine\2.0.2.506\ccSvcHst.exe [2009-12-27 126392]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-4-25 1153368]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2007-6-18 19456]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-8-9 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]
S3 TDEIO;TDEIO;c:\windows\system32\sysprep\TdeIo.sys [2007-8-9 16512]
.
=============== Created Last 30 ================
.
2011-05-06 06:41:11 388096 ----a-r- c:\users\rachel\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-05-06 06:41:10 -------- d-----w- c:\program files\Trend Micro
2011-05-04 05:22:26 -------- d-----w- c:\program files\AVAST Software
2011-05-04 05:22:26 -------- d-----w- c:\progra~2\AVAST Software
2011-04-25 23:27:51 -------- d-----w- c:\users\rachel\appdata\roaming\Malwarebytes
2011-04-25 23:27:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-25 23:27:34 -------- d-----w- c:\progra~2\Malwarebytes
2011-04-25 23:27:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-25 23:27:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-25 21:54:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-25 21:54:09 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-04-09 16:55:15 -------- d-----w- c:\program files\iPod
2011-04-09 16:29:27 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-02-18 23:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
============= FINISH: 9:15:20.48 ===============
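The four `Hosts:` lines in the DDS report above are worth a closer look: mapping security vendor sites to the loopback address is a technique malware uses to keep a machine from reaching AV update and support sites. As an added example (not part of this thread or of DDS, aswMBR or any other tool mentioned here), this Python script parses either DDS `Hosts:` lines or a raw hosts file and flags entries that sinkhole a known security vendor domain; the vendor list and the sample lines are constructed for the example.

```python
import re
from ipaddress import ip_address

# Security vendor domains that are commonly null-routed by malware.
# Constructed list for this example; extend it for your own environment.
SECURITY_VENDOR_DOMAINS = {
    "avg.com", "eset.com", "pandasecurity.com", "spywareinfo.com",
    "malwarebytes.org", "kaspersky.com", "symantec.com", "bleepingcomputer.com",
}

# Sample "Pseudo HJT Report" lines, constructed after the DDS log in post #1.
# The last line is a legitimate intranet entry that must not be flagged.
SAMPLE_DDS = """\
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
Hosts: 127.0.0.1 www.avg.com
Hosts: 127.0.0.1 www.eset.com
Hosts: 127.0.0.1 www.pandasecurity.com
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 192.168.1.10 intranet.example.local
"""

# Matches "Hosts: <addr> <name>" (DDS style) as well as "<addr> <name>"
# (raw hosts file style). Non-hosts DDS lines still match but fail the
# address check below, so they are ignored.
HOSTS_LINE = re.compile(r"^\s*(?:Hosts:\s*)?(\S+)\s+(\S+)")


def is_sinkhole(addr):
    """True for addresses that make a name unreachable: loopback or 0.0.0.0/::."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False          # not an IP address at all, e.g. "uStart"
    return ip.is_loopback or ip.is_unspecified


def registrable_suffixes(hostname):
    """All parent domains of a host name, e.g. www.avg.com -> {www.avg.com, avg.com}."""
    labels = hostname.lower().rstrip(".").split(".")
    return {".".join(labels[i:]) for i in range(len(labels) - 1)}


def find_hosts_hijacks(text, vendors=SECURITY_VENDOR_DOMAINS):
    """Return (address, hostname) pairs that sinkhole a security vendor domain."""
    hits = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]      # raw hosts files allow trailing comments
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        addr, host = m.groups()
        if is_sinkhole(addr) and registrable_suffixes(host) & vendors:
            hits.append((addr, host))
    return hits


def scan_hosts_file(path):
    """Convenience wrapper for a real hosts file, e.g. C:\\Windows\\System32\\drivers\\etc\\hosts."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hosts_hijacks(fh.read())


if __name__ == "__main__":
    for addr, host in find_hosts_hijacks(SAMPLE_DDS):
        print(f"hosts-file hijack: {host} -> {addr}")
```

On the sample above the script reports the four vendor entries and leaves the intranet entry alone; a hosts file with only `localhost` lines produces no findings.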


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:51 PM

Posted 14 May 2011 - 08:38 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 tom348

tom348
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:08:51 AM

Posted 14 May 2011 - 11:40 PM

I am here - thanks for your help

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:51 PM

Posted 15 May 2011 - 08:00 AM

Let's start by seeing what it is that's doing the redirecting.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#5 tom348

tom348
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:08:51 AM

Posted 15 May 2011 - 11:05 PM

OK. I ran aswMBR and the results are as follows:

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-15 20:54:20
-----------------------------
20:54:20.554 OS Version: Windows 6.0.6000
20:54:20.554 Number of processors: 2 586 0xF0D
20:54:20.554 ComputerName: RACHELS-PC UserName: rachel
20:54:48.806 Initialize success
20:55:03.720 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
20:55:03.720 Disk 0 Vendor: TOSHIBA_ DL23 Size: 76319MB BusType: 3
20:55:03.735 Disk 0 MBR read successfully
20:55:03.751 Disk 0 MBR scan
20:55:03.751 Disk 0 unknown MBR code
20:55:03.766 Disk 0 scanning sectors +156299264
20:55:03.844 Disk 0 scanning C:\Windows\system32\drivers
20:55:23.906 Service scanning
20:55:26.870 Disk 0 trace - called modules:
20:55:26.979 ntkrnlpa.exe CLASSPNP.SYS disk.sys hal.dll acpi.sys iaStor.sys
20:55:26.979 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x83d66ad8]
20:55:26.995 3 ntkrnlpa.exe[81cb07e2] -> nt!IofCallDriver -> [0x8336c7a8]
20:55:26.995 5 acpi.sys[8046932a] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8336e030]
20:55:27.010 Scan finished successfully
20:57:26.208 Disk 0 MBR has been saved successfully to "C:\Users\rachel\Documents\Antivirus\MBR.dat"
20:57:26.224 The log file has been saved successfully to "C:\Users\rachel\Documents\Antivirus\aswMBR.txt"
20:58:41.480 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
20:58:41.511 The log file has been saved successfully to "E:\aswMBR.txt"

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:51 PM

Posted 16 May 2011 - 01:32 PM

That looks clean. Please run Combofix and see if we can find the culprit.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#7 tom348

tom348
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:08:51 AM

Posted 17 May 2011 - 12:53 PM

I was not able to see icons for the Antivirus and Anti-spyware in order to disable them, so I uninstalled them instead. I then downloaded ComboFix, renaming it to comfix, saved it to my desktop and ran it. It went through the 50 stages and then showed the following messages:

System file is infected!! Attempting to restore
"C:\Windows\explorer.exe"
Successfully restored:

Deleting Files:
C:\USERS\PUBLIC\SETUP_FLIPSHARE.exe
C:\USERS\ (I was unable to copy the rest of this string before the screen changed)

System file is infected!! Attempting to restore
"C:\Windows\System32\wininit.exe"
Successfully restored:

Rebooting

At this point, the computer hung on the "Logging Off" screen.
I shut it down manually and tried to reboot
During the reboot the following message was displayed

explorer.exe - Ordinal Not Found
The ordinal 874 could not be located in the dynamic link library SHELL32.dll

After this, the desktop would not come up. I got nothing but a blank screen. I was not able to get to the point where ComboFix creates a log, because the computer hung on the restart.

I used ctrl-alt-del to shut it down and rebooted in safe mode. I then did a system restore to a point before I ran ComboFix and got the computer to boot. I tried running ComboFix again and the same thing happened.

What should I do next?

tom348

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:51 PM

Posted 17 May 2011 - 06:03 PM

It looks like Combofix fixing the infected files is damaging the explorer.exe process causing the non-boot. System Restore is fine because you can now boot but those files are back. Let's try an alternative way of removing the threat before we attempt a manual removal and avoid Combofix.

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

m0le is a proud member of UNITE

#9 tom348

tom348
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:08:51 AM

Posted 17 May 2011 - 09:41 PM

I ran TDSSKiller and it said that no threats were found. Below is the report:

2011/05/17 19:36:04.0292 2500 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/17 19:36:04.0931 2500 ================================================================================
2011/05/17 19:36:04.0931 2500 SystemInfo:
2011/05/17 19:36:04.0931 2500
2011/05/17 19:36:04.0931 2500 OS Version: 6.0.6000 ServicePack: 0.0
2011/05/17 19:36:04.0931 2500 Product type: Workstation
2011/05/17 19:36:04.0931 2500 ComputerName: RACHELS-PC
2011/05/17 19:36:04.0931 2500 UserName: rachel
2011/05/17 19:36:04.0931 2500 Windows directory: C:\Windows
2011/05/17 19:36:04.0931 2500 System windows directory: C:\Windows
2011/05/17 19:36:04.0931 2500 Processor architecture: Intel x86
2011/05/17 19:36:04.0931 2500 Number of processors: 2
2011/05/17 19:36:04.0931 2500 Page size: 0x1000
2011/05/17 19:36:04.0931 2500 Boot type: Normal boot
2011/05/17 19:36:04.0931 2500 ================================================================================
2011/05/17 19:36:05.0446 2500 Initialize success
2011/05/17 19:36:07.0287 3664 ================================================================================
2011/05/17 19:36:07.0287 3664 Scan started
2011/05/17 19:36:07.0287 3664 Mode: Manual;
2011/05/17 19:36:07.0287 3664 ================================================================================
2011/05/17 19:36:23.0667 3664 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
2011/05/17 19:36:23.0776 3664 PSched (2c8bae55247c4e09352e870292e4d1ab) C:\Windows\system32\DRIVERS\pacer.sys
2011/05/17 19:36:23.0823 3664 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\Windows\system32\Drivers\PxHelp20.sys
2011/05/17 19:36:23.0979 3664 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
2011/05/17 19:36:24.0119 3664 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2011/05/17 19:36:24.0229 3664 QWAVEdrv (d2b3e2b7426dc23e185fbc73c8936c12) C:\Windows\system32\drivers\qwavedrv.sys
2011/05/17 19:36:24.0275 3664 RasAcd (bd7b30f55b3649506dd8b3d38f571d2a) C:\Windows\system32\DRIVERS\rasacd.sys
2011/05/17 19:36:24.0338 3664 Rasl2tp (88587dd843e2059848995b407b67f6cf) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/05/17 19:36:24.0509 3664 RasPppoe (ccf4e9c6cbbac81437f88cb2ae0b6c96) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/05/17 19:36:24.0603 3664 rdbss (54129c5d9581bbec8bd1ebd3ba813f47) C:\Windows\system32\DRIVERS\rdbss.sys
2011/05/17 19:36:24.0650 3664 RDPCDD (794585276b5d7fca9f3fc15543f9f0b9) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/05/17 19:36:24.0775 3664 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
2011/05/17 19:36:24.0868 3664 RDPENCDD (980b56e2e273e19d3a9d72d5c420f008) C:\Windows\system32\drivers\rdpencdd.sys
2011/05/17 19:36:24.0962 3664 RDPWD (8830e790a74a96605faba74f9665bb3c) C:\Windows\system32\drivers\RDPWD.sys
2011/05/17 19:36:25.0133 3664 rimmptsk (355aac141b214bef1dbc1483afd9bd50) C:\Windows\system32\DRIVERS\rimmptsk.sys
2011/05/17 19:36:25.0196 3664 rimsptsk (a4216c71dd4f60b26418ccfd99cd0815) C:\Windows\system32\DRIVERS\rimsptsk.sys
2011/05/17 19:36:25.0258 3664 rismxdp (2a2554cb24506e0a0508fc395c4a1b42) C:\Windows\system32\DRIVERS\rixdptsk.sys
2011/05/17 19:36:25.0430 3664 rspndr (97e939d2128fec5d5a3e6e79b290a2f4) C:\Windows\system32\DRIVERS\rspndr.sys
2011/05/17 19:36:25.0523 3664 RTL8023xp (5c5612756b380bcedbf566a780ff9afe) C:\Windows\system32\DRIVERS\Rtnicxp.sys
2011/05/17 19:36:25.0664 3664 RTL8187B (67e7822975985016fdce01635fbdbbf9) C:\Windows\system32\DRIVERS\RTL8187B.sys
2011/05/17 19:36:25.0773 3664 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2011/05/17 19:36:26.0007 3664 sdbus (7b3973cc28b8aa3e9e2e5d53e720e2c9) C:\Windows\system32\DRIVERS\sdbus.sys
2011/05/17 19:36:26.0069 3664 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/05/17 19:36:26.0147 3664 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2011/05/17 19:36:26.0210 3664 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2011/05/17 19:36:26.0272 3664 sermouse (450accd77ec5cea720c1cdb9e26b953b) C:\Windows\system32\drivers\sermouse.sys
2011/05/17 19:36:26.0475 3664 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
2011/05/17 19:36:26.0522 3664 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
2011/05/17 19:36:26.0569 3664 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
2011/05/17 19:36:26.0631 3664 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2011/05/17 19:36:26.0709 3664 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
2011/05/17 19:36:26.0849 3664 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
2011/05/17 19:36:26.0912 3664 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
2011/05/17 19:36:27.0021 3664 Smb (ac0d90738adb51a6fd12ff00874a2162) C:\Windows\system32\DRIVERS\smb.sys
2011/05/17 19:36:27.0099 3664 spldr (426f9b029aa9162ceccf65369457d046) C:\Windows\system32\drivers\spldr.sys
2011/05/17 19:36:27.0286 3664 srv (038579c35f7cad4a4bbf735dbf83277d) C:\Windows\system32\DRIVERS\srv.sys
2011/05/17 19:36:27.0364 3664 srv2 (6971a757af8cb5e2cbcbb76cc530db6c) C:\Windows\system32\DRIVERS\srv2.sys
2011/05/17 19:36:27.0442 3664 srvnet (9e1a4603b874eebce0298113951abefb) C:\Windows\system32\DRIVERS\srvnet.sys
2011/05/17 19:36:27.0567 3664 swenum (1379bdb336f8158c176a465e30759f57) C:\Windows\system32\DRIVERS\swenum.sys
2011/05/17 19:36:27.0676 3664 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2011/05/17 19:36:27.0723 3664 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2011/05/17 19:36:27.0785 3664 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2011/05/17 19:36:27.0926 3664 SynTP (baa29028e7db52837198465c5c53a2f0) C:\Windows\system32\DRIVERS\SynTP.sys
2011/05/17 19:36:28.0129 3664 Tcpip (4a82fa8f0df67aa354580c3faaf8bde3) C:\Windows\system32\drivers\tcpip.sys
2011/05/17 19:36:28.0253 3664 Tcpip6 (4a82fa8f0df67aa354580c3faaf8bde3) C:\Windows\system32\DRIVERS\tcpip.sys
2011/05/17 19:36:28.0316 3664 tcpipreg (5ce0c4a7b12d0067dad527d72b68c726) C:\Windows\system32\drivers\tcpipreg.sys
2011/05/17 19:36:28.0409 3664 tdcmdpst (1825bceb47bf41c5a9f0e44de82fc27a) C:\Windows\system32\DRIVERS\tdcmdpst.sys
2011/05/17 19:36:28.0503 3664 TDEIO (3b69c95d5902e72ff3a1fa51e755d99b) C:\WINDOWS\SYSTEM32\SYSPREP\tdeio.sys
2011/05/17 19:36:28.0659 3664 TDPIPE (964248aef49c31fa6a93201a73ffaf50) C:\Windows\system32\drivers\tdpipe.sys
2011/05/17 19:36:28.0706 3664 TDTCP (7d2c1ae1648a60fce4aa0f7982e419d3) C:\Windows\system32\drivers\tdtcp.sys
2011/05/17 19:36:28.0753 3664 tdx (ab4fde8af4a0270a46a001c08cbce1c2) C:\Windows\system32\DRIVERS\tdx.sys
2011/05/17 19:36:28.0815 3664 TermDD (2c549bd9dd091fbfaa0a2a48e82ec2fb) C:\Windows\system32\DRIVERS\termdd.sys
2011/05/17 19:36:29.0065 3664 tos_sps32 (1ea5f27c29405bf49799feca77186da9) C:\Windows\system32\DRIVERS\tos_sps32.sys
2011/05/17 19:36:29.0158 3664 tssecsrv (29f0eca726f0d51f7e048bdb0b372f29) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/05/17 19:36:29.0283 3664 tunmp (65e953bc0084d44498b51f59784d2a82) C:\Windows\system32\DRIVERS\tunmp.sys
2011/05/17 19:36:29.0408 3664 tunnel (4a39bda5e0fd30bdf4884f9d33ae6105) C:\Windows\system32\DRIVERS\tunnel.sys
2011/05/17 19:36:29.0470 3664 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
2011/05/17 19:36:29.0564 3664 udfs (6348da98707ceda8a0dfb05820e17732) C:\Windows\system32\DRIVERS\udfs.sys
2011/05/17 19:36:29.0689 3664 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
2011/05/17 19:36:29.0782 3664 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
2011/05/17 19:36:29.0860 3664 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2011/05/17 19:36:29.0969 3664 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2011/05/17 19:36:30.0063 3664 umbus (3fb78f1d1dd86d87bececd9dffa24dd9) C:\Windows\system32\DRIVERS\umbus.sys
2011/05/17 19:36:30.0172 3664 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\Windows\system32\Drivers\usbaapl.sys
2011/05/17 19:36:30.0281 3664 usbccgp (8bd3ae150d97ba4e633c6c5c51b41ae1) C:\Windows\system32\drivers\usbccgp.sys
2011/05/17 19:36:30.0375 3664 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2011/05/17 19:36:30.0453 3664 usbehci (0e3c51bafaa9e00a870ed20adfdc28e7) C:\Windows\system32\DRIVERS\usbehci.sys
2011/05/17 19:36:30.0609 3664 usbhub (ec74d1322d1fbff709bdcbe20c703e1b) C:\Windows\system32\DRIVERS\usbhub.sys
2011/05/17 19:36:30.0703 3664 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
2011/05/17 19:36:30.0749 3664 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\drivers\usbprint.sys
2011/05/17 19:36:30.0827 3664 USBSTOR (7887ce56934e7f104e98c975f47353c5) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/05/17 19:36:30.0921 3664 usbuhci (c6b35b6c43751867d95752f1c5c8a3f2) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/05/17 19:36:31.0061 3664 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/05/17 19:36:31.0124 3664 VgaSave (17a8f877314e4067f8c8172cc6d9101c) C:\Windows\System32\drivers\vga.sys
2011/05/17 19:36:31.0217 3664 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
2011/05/17 19:36:31.0280 3664 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
2011/05/17 19:36:31.0358 3664 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
2011/05/17 19:36:31.0420 3664 volmgr (103e84c95832d0ed93507997cc7b54e8) C:\Windows\system32\drivers\volmgr.sys
2011/05/17 19:36:31.0561 3664 volmgrx (294da8d3f965f6a8db934a83c7b461ff) C:\Windows\system32\drivers\volmgrx.sys
2011/05/17 19:36:31.0685 3664 volsnap (80dc0c9bcb579ed9815001a4d37cbfd5) C:\Windows\system32\drivers\volsnap.sys
2011/05/17 19:36:31.0748 3664 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
2011/05/17 19:36:31.0919 3664 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2011/05/17 19:36:32.0013 3664 Wanarp (6798c1209a53b5a0ded8d437c45145ff) C:\Windows\system32\DRIVERS\wanarp.sys
2011/05/17 19:36:32.0044 3664 Wanarpv6 (6798c1209a53b5a0ded8d437c45145ff) C:\Windows\system32\DRIVERS\wanarp.sys
2011/05/17 19:36:32.0122 3664 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
2011/05/17 19:36:32.0247 3664 Wdf01000 (7b5f66e4a2219c7d9daf9e738480e534) C:\Windows\system32\drivers\Wdf01000.sys
2011/05/17 19:36:32.0575 3664 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
2011/05/17 19:36:32.0809 3664 WpdUsb (2d27171b16a577ef14c1273668753485) C:\Windows\system32\DRIVERS\wpdusb.sys
2011/05/17 19:36:32.0855 3664 ws2ifsl (84620aecdcfd2a7a14e6263927d8c0ed) C:\Windows\system32\drivers\ws2ifsl.sys
2011/05/17 19:36:33.0043 3664 WUDFRd (a2aafcc8a204736296d937c7c545b53f) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/05/17 19:36:33.0448 3664 ================================================================================
2011/05/17 19:36:33.0448 3664 Scan finished
2011/05/17 19:36:33.0448 3664 ================================================================================

#10 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 18 May 2011 - 11:50 AM

Let's find copies of the infected files and then attempt to replace them.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    explorer.exe
    wininit.exe
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
m0le is a proud member of UNITE

#11 tom348
  • Topic Starter

  • Members
  • 20 posts

Posted 18 May 2011 - 08:33 PM

Following is the log from SystemLook

SystemLook 04.09.10 by jpshortstuff
Log created at 18:16 on 18/05/2011 by rachel
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe"
C:\Windows\explorer.exe --a---- 2923520 bytes [19:02 11/12/2008] [06:20 29/10/2008] 7C6605BB051B385CA3A3AA02902C83BA
C:\Windows\SoftwareDistribution\Download\a58fa8f1a78b89e6c2a670e288053b8b\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe --a---- 2927104 bytes [00:13 01/07/2008] [07:33 19/01/2008] FFA764631CB70A30065C12EF8E174F9F
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe --a---- 2923520 bytes [08:47 02/11/2006] [09:45 02/11/2006] FD8C53FB002217F6F888BCF6F5D7084D
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe --a---- 2923520 bytes [02:30 26/12/2007] [02:30 26/12/2007] 6D06CD98D954FE87FB2DB8108793B399
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe --a---- 2923520 bytes [19:02 11/12/2008] [06:20 29/10/2008] 37440D09DEAE0B672A04DCCF7ABF06BE
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe --a---- 2923520 bytes [02:30 26/12/2007] [02:30 26/12/2007] BD06F0BF753BC704B653C3A50F89D362
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe --a---- 2923520 bytes [19:02 11/12/2008] [02:15 28/10/2008] E7156B0B74762D9DE0E66BDCDE06E5FB
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe --a---- 2927104 bytes [19:02 11/12/2008] [06:29 29/10/2008] 4F554999D7D5F05DAAEBBA7B5BA1089D
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe --a---- 2927616 bytes [19:02 11/12/2008] [03:59 30/10/2008] 50BA5850147410CDE89C523AD3BC606E

Searching for "wininit.exe"
C:\Windows\SoftwareDistribution\Download\a58fa8f1a78b89e6c2a670e288053b8b\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe --a---- 96768 bytes [00:12 01/07/2008] [07:33 19/01/2008] 101BA3EA053480BB5D957EF37C06B5ED
C:\Windows\System32\wininit.exe --a---- 95744 bytes [08:44 02/11/2006] [09:45 02/11/2006] EF6B49C09CD11474D0EABEDB3B126019
C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe --a---- 95744 bytes [08:44 02/11/2006] [09:45 02/11/2006] D4385B03E8CCCEE6F0EE249F827C1F3E

-= EOF =-

#12 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 May 2011 - 05:12 PM

Okay, this is the manual fix. It is the most likely fix but it is quite complicated. Please come back to me if you are not sure or get stuck.

We are going to copy backup files to the root:
  • Click on the Start button, then click on Run...

  • In the empty "Open:" box provided, type cmd and press Enter. This will launch a Command Prompt window (looks like DOS).

  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe C:\ /y

  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.

  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
  • Do the same with the next file:

    copy C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe C:\ /y
  • Exit the Command Prompt window.

Now we need to boot into the Recovery Environment:

Reboot your computer.

Tap F8 on startup and select Repair your computer from the list of startup options.

If Repair your computer is not an option on the Advanced Startup menu, insert your Windows Vista DVD and restart the computer, then when prompted, select Repair your computer.

  • Select your keyboard layout
  • Enter your username and password (if you use one)
  • Then the System Recovery Options menu comes up
  • Select Command Prompt

It will open to an x:\sources> prompt

(this may vary depending on whether you boot from CD or an installed RE)


At the X:\sources prompt, type the following (pressing Enter after each line):

ren C:\Windows\System32\explorer.exe explorer.old
copy c:\explorer.exe C:\Windows\System32\explorer.exe

You should receive a message that "1 file" has been copied.

If you do not receive a message that 1 file has been copied, the file will need to be renamed back - type
ren c:\windows\explorer.old explorer.exe

This will rename the old file back; reboot the system normally and report this to me.


Now do the same with the other file.

ren C:\Windows\System32\wininit.exe wininit.old
copy c:\wininit.exe C:\Windows\System32\wininit.exe


Select Restart on the System Recovery Options menu

Boot normally.
m0le is a proud member of UNITE
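As an added example (not code from SystemLook, ComboFix or any post in this thread) that serves both the filefind log in #11 and the replacement steps in #12: it parses that log and flags each live file whose MD5 matches none of the winsxs copies, which is the pattern both explorer.exe and wininit.exe show above and the check worth making before any winsxs copy is written over the live one. The sample lines are a constructed subset of the log in #11; treating `\SoftwareDistribution\` as a reference copy is an assumption.

```python
"""Hash-compare a live system file against the copies Windows keeps in the
winsxs component store, using SystemLook ':filefind' output as input.
Added example for this thread; not code from SystemLook or any post here.
SAMPLE_LOG is a constructed subset of the log posted in #11."""
import re
from collections import defaultdict

# One filefind result line: path, 7-char attribute field, size, two
# timestamps (modified, created) and the MD5 of the file contents.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) (?P<attr>\S{7}) (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

SAMPLE_LOG = r"""Searching for "explorer.exe"
C:\Windows\explorer.exe --a---- 2923520 bytes [19:02 11/12/2008] [06:20 29/10/2008] 7C6605BB051B385CA3A3AA02902C83BA
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16386_none_4f7de5167cd15deb\explorer.exe --a---- 2923520 bytes [08:47 02/11/2006] [09:45 02/11/2006] FD8C53FB002217F6F888BCF6F5D7084D
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe --a---- 2923520 bytes [19:02 11/12/2008] [06:20 29/10/2008] 37440D09DEAE0B672A04DCCF7ABF06BE

Searching for "wininit.exe"
C:\Windows\System32\wininit.exe --a---- 95744 bytes [08:44 02/11/2006] [09:45 02/11/2006] EF6B49C09CD11474D0EABEDB3B126019
C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6000.16386_none_2ebbf6d3076595ce\wininit.exe --a---- 95744 bytes [08:44 02/11/2006] [09:45 02/11/2006] D4385B03E8CCCEE6F0EE249F827C1F3E
"""


def parse_filefind(text):
    """Group result lines under the file name each 'Searching for' block names."""
    results = defaultdict(list)
    current = None
    for line in text.splitlines():
        header = re.match(r'^Searching for "(.+)"$', line)
        if header:
            current = header.group(1).lower()
            continue
        entry = LINE_RE.match(line)
        if entry and current:
            results[current].append(entry.groupdict())
    return results


def is_store_copy(path):
    """winsxs (and, assumed here, the Windows Update download cache) hold
    reference copies; the file Windows actually loads lives elsewhere."""
    p = path.lower()
    return "\\winsxs\\" in p or "\\softwaredistribution\\" in p


def check_live_copies(text):
    """Return {live path: verdict}. A live file whose MD5 matches no store copy
    is suspect; one that also carries the size and timestamps of a store copy
    looks like a patched binary (metadata preserved, digest not)."""
    verdicts = {}
    for entries in parse_filefind(text).values():
        store = [e for e in entries if is_store_copy(e["path"])]
        store_md5 = {e["md5"].upper() for e in store}
        for live in (e for e in entries if not is_store_copy(e["path"])):
            if live["md5"].upper() in store_md5:
                verdicts[live["path"]] = "ok: matches a component-store copy"
                continue
            twins = [s for s in store if (s["size"], s["mtime"], s["ctime"])
                     == (live["size"], live["mtime"], live["ctime"])]
            if twins:
                verdicts[live["path"]] = ("hash mismatch despite identical size "
                                          "and timestamps to " + twins[0]["path"])
            else:
                verdicts[live["path"]] = "no component-store copy with this hash"
    return verdicts
```

The verdict is keyed by the path the log reports for the live file, which is where the rename and copy in the recovery prompt have to point.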

#13 tom348
  • Topic Starter

  • Members
  • 20 posts

Posted 19 May 2011 - 09:38 PM

OK - Here is what happened.

I ran the cmd command and copied the blue text in and got a message saying 1 file copied for both the explorer.exe and wininit.exe files.

I then rebooted into the recovery mode and tried to rename the explorer.exe file using the command you gave me. I got a message back saying "the system cannot find the file specified"

I then tried to copy the explorer.exe file using the command you gave me and got the same message.

I tried to rename the wininit.exe file using the command you gave me and it seemed to work OK. But then when I tried to copy the wininit.exe file, I got "the system cannot find the file specified" message again. So, I changed the wininit.old name back to wininit.exe.

I tried this several times to make sure I didn't spell a word wrong, but got the same result.

I then rebooted and tried to run the cmd command again, thinking that maybe I did something wrong the first time I did it. This time I got a message back saying "Access Denied"

I'm positive that I did everything exactly as you said and I proofread the commands several times before I entered them.


Sure is confusing ...

#14 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 20 May 2011 - 05:28 PM

That is confusing. Please rerun Combofix as before, and report its findings.
m0le is a proud member of UNITE

#15 tom348
  • Topic Starter

  • Members
  • 20 posts

Posted 21 May 2011 - 12:48 AM

I ran ComboFix and got the following messages:

System file is infected!! Attempting to restore
"C:\Windows\explorer.exe"

(After this, there was no message indicating that it had been successfully restored)

Deleting Files:
C:\USERS\PUBLIC\SETUP_FLIPSHARE.exe
C:\USERS\rachel\AppData\Roaming\Microsoft\Windows\Recent\ComfyCakes.pic

System file is infected!! Attempting to restore
"C:\Windows\System32\wininit.exe"
Successfully restored:

Rebooting

At this point, the computer again hung on the "Logging Off" screen.
I shut it down manually and tried to reboot
During the reboot the following message was displayed

explorer.exe - Ordinal Not Found
The ordinal 874 could not be located in the dynamic link library SHELL32.dll

I then got a message saying
Windows Explorer has stopped working
A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available.

After this, the desktop would not come up. I got nothing but a blank screen. I was not able to get to the point where ComboFix creates a log, because the computer hung on the restart.

I used ctrl-alt-del to shut it down and rebooted in safe mode. I then did a system restore to the restore point created by ComboFix.

I checked Internet Explorer after this to see if it is still being redirected and it is.
