Solved How to delete Shetwirl.E virus found in MBR?

July 24, 2011 at 12:29:06
Specs: Windows 7, AMD Phenom Tri-core 2.10GHz/4GB RAM
My antivirus (Microsoft Security Essentials) has been frequently alerting me that it has found a virus in my boot sector (it says it's in "boot:\Device\Harddisk1\DR1" and "boot:\Device\Harddisk1\DR1\(MBR)"). The virus is called Trojan:DOS/Shetwirl.E. It seems to attempt to delete it but alerts me about it yet again shortly after. I have also tried Malwarebytes and the Microsoft Malicious Software Removal Tool, but neither detects anything. As far as I can tell, the main (if not only) effects of this virus are that random pages I attempt to visit (such as from search results, bookmarks, etc.) load something broken with a strange URL or otherwise different from the site I expected (also commonly template-like, ad-filled pages), typically after I notice a blank page that says something like "redirecting you to search results..." while loading.

Also, I have a dual boot setup with Windows 7 (Ultimate SP1) as my main OS and also Windows XP (Pro SP2; both 32-bit). There is also a factory partition on the same physical drive as both OSes, and a second physical drive connected for storage purposes. I'd like to know about any specific removal tool that would (safely!) clean this sort of virus. I'd also like to know if this virus could possibly affect other storage devices connected to my PC and/or other systems I have linked with it via wifi.




✔ Best Answer
July 26, 2011 at 18:47:43
Good job, Doot Doot!!!!

How is it going now?
Are you still having redirections?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#1
July 24, 2011 at 13:57:48
Doot Doot,

The dual boot situation is a complication here.

Checking some more info before posting a recommendation.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#2
July 24, 2011 at 21:24:26
Doot Doot,

Infected MBRs can be tough, and the single most important thing to do is back up the existing MBR.

If something goes wrong with fixing the MBR, like the computer won't boot at all, at least the backed-up MBR can be put back in place to get the machine back up.


Please do the following:

Download aswMBR:
http://public.avast.com/~gmerek/asw...
Save it to your Desktop.

Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to ‘Run as Administrator‘)

Click ‘Scan’

Upon completion of the scan, click ‘Save log’
Save it to your Desktop

>>Please post that log in your reply for review.<<

Note - do NOT attempt to Fix anything!!

Another file is created by aswMBR, and it is located on the Desktop. It is named MBR.dat.

Please store the MBR.dat file, to a USB flash drive for safe keeping.
This is very important!!

Now, download DDS from one of these locations:
http://download.bleepingcomputer.co...
http://download.bleepingcomputer.co...


Save it to your Desktop

Disable any script blocker, and then double-click dds.scr to run the tool.

When done, DDS opens two (2) logs:
DDS.txt
Attach.txt
Save both reports to your Desktop.

Since these reports are quite large, please go to the Uploading website:
http://uploading.com/files/upload/

In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the DDS.txt, and click on 'Open'
You will see the following:
Your file has been uploaded successfully: (Name and size of the file)
Please copy the 'Download link'.

Do the same for the Attach.txt.

Please copy the 'Download link', for each report, and provide them in your reply.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.


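The advice in #2 is to save the MBR before anyone touches it, and aswMBR writes that copy as MBR.dat. Having a backup is only half the job: you also want to know the backup is a sane 512-byte sector and, later, whether the live MBR still matches it. The following is an added example (my own code, not from the thread, aswMBR or AVAST) that parses an MBR image, validates the 0x55AA boot signature and partition table, fingerprints the 440-byte boot code, and diffs two copies. The sample image it builds is constructed for the demo (three primary partitions to mirror the poster's recovery + Windows 7 + XP layout, with filler boot code, not real Windows 7 MBR code), and the tamper helper simply overwrites the first bytes of the boot code; it does not reproduce anything specific to Shetwirl.

```python
"""Check an MBR backup such as the MBR.dat that aswMBR saves to the Desktop.

Added example, not code from the thread or from AVAST. It treats the file as a
raw 512-byte sector: parses the partition table, validates the 0x55AA boot
signature, hashes the 440-byte boot code, and diffs two copies so a later read
of sector 0 can be compared against the saved backup.
"""
from __future__ import annotations

import hashlib
import struct
import sys
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_LEN = 440   # bytes 0..439: bootstrap code the BIOS jumps into
DISK_SIG_OFF = 440    # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446  # four 16-byte partition entries
BOOT_SIG_OFF = 510    # 0x55 0xAA marks a valid MBR
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


@dataclass(frozen=True)
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:  # exclusive
        return self.lba_start + self.sectors


def parse_partitions(mbr: bytes) -> list[Partition]:
    """Non-empty entries of the primary partition table."""
    parts = []
    for i in range(4):
        status, type_id, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if type_id == 0 and count == 0:
            continue  # unused slot
        parts.append(Partition(i, status == 0x80, type_id, lba, count))
    return parts


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot code, the region a bootkit has to rewrite."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def verify_mbr(mbr: bytes) -> list[str]:
    """Structural checks; an empty list means the sector looks sane."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected length {len(mbr)}, want {MBR_SIZE}"]
    issues = []
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        issues.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    if not parts:
        issues.append("empty partition table")
    if sum(p.bootable for p in parts) > 1:
        issues.append("more than one partition flagged active")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if b.lba_start < a.lba_end:
            issues.append(f"partitions {a.index} and {b.index} overlap")
    return issues


def compare_mbr(baseline: bytes, current: bytes) -> list[str]:
    """Which regions differ between the saved MBR and a fresh read of sector 0."""
    diffs = []
    if boot_code_hash(baseline) != boot_code_hash(current):
        diffs.append("boot code changed")
    if baseline[DISK_SIG_OFF:DISK_SIG_OFF + 4] != current[DISK_SIG_OFF:DISK_SIG_OFF + 4]:
        diffs.append("disk signature changed")
    if parse_partitions(baseline) != parse_partitions(current):
        diffs.append("partition table changed")
    return diffs


def with_partition(mbr: bytes, index: int, status: int, type_id: int, lba: int, count: int) -> bytes:
    """Return a copy of the image with one partition entry rewritten."""
    buf = bytearray(mbr)
    struct.pack_into(ENTRY_FMT, buf, PART_TABLE_OFF + 16 * index, status, type_id, lba, count)
    return bytes(buf)


def tamper_boot_code(mbr: bytes) -> bytes:
    """Demo only: overwrite the first 16 bytes of boot code, leaving the rest intact."""
    return b"\xeb" * 16 + mbr[16:]


def make_sample_mbr() -> bytes:
    """Constructed image for the demo (not a real dump): filler boot code and
    three primary partitions, the middle one active, in the spirit of the
    poster's factory + Windows 7 + Windows XP layout."""
    code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"
    table = (struct.pack(ENTRY_FMT, 0x00, 0x07, 2_048, 20_480_000)         # factory
             + struct.pack(ENTRY_FMT, 0x80, 0x07, 20_482_048, 400_000_000)  # Windows 7 (active)
             + struct.pack(ENTRY_FMT, 0x00, 0x07, 420_482_048, 800_000_000) # Windows XP
             + b"\x00" * 16)                                                # unused slot
    return code + disk_sig + table + b"\x55\xaa"


if __name__ == "__main__":
    # usage: mbr_check.py MBR.dat [current.bin]; with no arguments, run the demo.
    if len(sys.argv) >= 2:
        baseline = open(sys.argv[1], "rb").read()
        print("issues:", verify_mbr(baseline) or "none")
        if len(sys.argv) == 3:
            print("diff:", compare_mbr(baseline, open(sys.argv[2], "rb").read()) or "none")
    else:
        base = make_sample_mbr()
        for p in parse_partitions(base):
            print(p)
        print("issues:", verify_mbr(base), "tamper diff:", compare_mbr(base, tamper_boot_code(base)))
```

To get a "current" copy on Windows you read the first 512 bytes of \\.\PhysicalDrive0 from an elevated prompt; keep in mind that a kernel-level rootkit that filters disk I/O can hand user mode a clean-looking sector, so a read taken from a clean boot environment (or the MBR.dat written by a tool that talks to the disk stack directly) is the more trustworthy baseline. Also note which physical disk the backup came from: the log in #3 saves Disk 0's MBR, while the MSE alerts name Harddisk1.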

#3
July 25, 2011 at 05:42:34
Copied the MBR.dat to a flashdrive as instructed. The results of the logs were as follows:


aswMBR version 0.9.8.977 Copyright(c) 2011 AVAST Software
Run date: 2011-07-25 06:27:21
-----------------------------
06:27:21.292 OS Version: Windows 6.1.7601 Service Pack 1
06:27:21.293 Number of processors: 3 586 0x203
06:27:21.294 ComputerName: OWNER-PC UserName:
06:27:23.498 Initialize success
06:29:30.867 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000060
06:29:30.872 Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 8
06:29:30.882 Disk 1 \Device\Harddisk1\DR1 -> \Device\00000062
06:29:30.888 Disk 1 Vendor: WDC_WD10 01.0 Size: 953869MB BusType: 8
06:29:31.465 Disk 0 MBR read successfully
06:29:31.471 Disk 0 MBR scan
06:29:31.477 Disk 0 Windows 7 default MBR code
06:29:31.965 Disk 0 scanning sectors +1250258625
06:29:32.406 Disk 0 scanning C:\Windows\system32\drivers
06:31:25.735 Service scanning
06:31:26.267 Service MpKsl6732c894 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7D5E88DD-4E4F-4A02-8A58-B8BA5253EFFD}\MpKsl6732c894.sys **LOCKED** 32
06:31:26.277 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
06:31:27.009 Modules scanning
06:33:46.783 Disk 0 trace - called modules:
06:33:47.231 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll storport.sys nvstor32.sys
06:33:47.238 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x866413f0]
06:33:47.245 3 CLASSPNP.SYS[8c26559e] -> nt!IofCallDriver -> [0x85f4c2a0]
06:33:47.251 5 ACPI.sys[835a93d4] -> nt!IofCallDriver -> \Device\00000060[0x85fbbc00]
06:33:47.258 Scan finished successfully
06:34:49.352 Disk 0 MBR has been saved successfully to "C:\Users\Doot Doot\Desktop\MBR.dat"
06:34:49.444 The log file has been saved successfully to "C:\Users\Doot Doot\Desktop\aswMBR.txt"


http://uploading.com/files/6fa2e1dc...


http://uploading.com/files/b55d2858...


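Worth reading the aswMBR log above carefully before the next step: it enumerates two disks, but only "Disk 0 MBR read successfully", "Disk 0 Windows 7 default MBR code" and the MBR.dat save refer to Disk 0, while the Security Essentials alerts in the first post name \Device\Harddisk1\DR1, the second physical drive. The following is an added example (my own code, not from the thread, aswMBR, AVAST or Microsoft) that parses the log lines as they appear above and reports which AV-flagged device paths the run never actually read an MBR from, plus the **LOCKED** services it noted. The regular expressions assume only the line shapes visible in this log; the sample text is excerpted from the log above, and the alert strings are the two paths quoted in the first post.

```python
"""Triage an aswMBR log against the device paths an antivirus flagged.

Added example, not code from the thread or from AVAST/Microsoft. Parses the
line shapes seen in the posted log: disk enumeration, 'MBR read successfully',
the MBR code verdict, the MBR.dat save line and '**LOCKED**' service entries,
then checks whether each flagged device path was among the disks whose MBR
was actually read.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

DISK_RE = re.compile(r"^\S+ Disk (\d+)( \(boot\))? (\\Device\\Harddisk\d+\\DR\d+) -> \S+$")
MBR_READ_RE = re.compile(r"^\S+ Disk (\d+) MBR read successfully$")
MBR_CODE_RE = re.compile(r"^\S+ Disk (\d+) (.+ MBR code)$")
SAVED_RE = re.compile(r'^\S+ Disk (\d+) MBR has been saved successfully to "(.+)"$')
LOCKED_RE = re.compile(r"^\S+ Service (\S+) (.+?) \*\*LOCKED\*\* \d+$")


@dataclass
class AswMbrSummary:
    disks: dict[int, str] = field(default_factory=dict)      # disk number -> device path
    boot_disk: Optional[int] = None
    mbr_read: set[int] = field(default_factory=set)          # disks whose MBR was read
    mbr_verdict: dict[int, str] = field(default_factory=dict)
    saved: dict[int, str] = field(default_factory=dict)      # disk number -> backup file
    locked_services: list[str] = field(default_factory=list)


def parse_aswmbr_log(text: str) -> AswMbrSummary:
    s = AswMbrSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if m := DISK_RE.match(line):
            n = int(m.group(1))
            s.disks[n] = m.group(3)
            if m.group(2):
                s.boot_disk = n
        elif m := MBR_READ_RE.match(line):
            s.mbr_read.add(int(m.group(1)))
        elif m := MBR_CODE_RE.match(line):
            s.mbr_verdict[int(m.group(1))] = m.group(2)
        elif m := SAVED_RE.match(line):
            s.saved[int(m.group(1))] = m.group(2)
        elif m := LOCKED_RE.match(line):
            s.locked_services.append(m.group(1))
    return s


def normalize_alert_path(path: str) -> str:
    """Strip the 'boot:' prefix and '\\(MBR)' suffix MSE puts around the device path."""
    p = path.strip()
    if p.lower().startswith("boot:"):
        p = p[len("boot:"):]
    if p.endswith("\\(MBR)"):
        p = p[:-len("\\(MBR)")]
    return p


def disks_not_covered(summary: AswMbrSummary, alert_paths: list[str]) -> list[str]:
    """Flagged device paths whose MBR this aswMBR run never read."""
    covered = {summary.disks[n] for n in summary.mbr_read if n in summary.disks}
    return sorted({normalize_alert_path(p) for p in alert_paths} - covered)


# Excerpt of the log posted in #3 (timestamps and paths as printed there).
SAMPLE_LOG = r"""aswMBR version 0.9.8.977 Copyright(c) 2011 AVAST Software
Run date: 2011-07-25 06:27:21
-----------------------------
06:29:30.867 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000060
06:29:30.872 Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 8
06:29:30.882 Disk 1 \Device\Harddisk1\DR1 -> \Device\00000062
06:29:30.888 Disk 1 Vendor: WDC_WD10 01.0 Size: 953869MB BusType: 8
06:29:31.465 Disk 0 MBR read successfully
06:29:31.471 Disk 0 MBR scan
06:29:31.477 Disk 0 Windows 7 default MBR code
06:31:26.267 Service MpKsl6732c894 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7D5E88DD-4E4F-4A02-8A58-B8BA5253EFFD}\MpKsl6732c894.sys **LOCKED** 32
06:31:26.277 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
06:33:47.258 Scan finished successfully
06:34:49.352 Disk 0 MBR has been saved successfully to "C:\Users\Doot Doot\Desktop\MBR.dat"
"""

# The two locations Security Essentials reported in the first post.
MSE_ALERTS = [r"boot:\Device\Harddisk1\DR1", r"boot:\Device\Harddisk1\DR1\(MBR)"]

if __name__ == "__main__":
    summary = parse_aswmbr_log(SAMPLE_LOG)
    print("boot disk:", summary.boot_disk, "disks:", summary.disks)
    print("MBR read on:", sorted(summary.mbr_read), "verdicts:", summary.mbr_verdict)
    print("backups:", summary.saved, "locked:", summary.locked_services)
    print("flagged but not read:", disks_not_covered(summary, MSE_ALERTS))
```

On the posted log this reports \Device\Harddisk1\DR1 as flagged but never read, which is the point to settle before trusting "Windows 7 default MBR code" as an all-clear: that verdict only covers Disk 0, and a backup of Disk 0's MBR is no help if the sector that later needs restoring is on Disk 1. The locked MpKsl*/MpNWMon entries are Security Essentials' own drivers, so that part of the log is expected noise rather than a finding.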

#4
July 25, 2011 at 13:56:16
Thanks for the reports.

Taking a look at them and figuring out where we go from there.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#5
July 25, 2011 at 21:03:20
Doot Doot,

You have a rather unusual situation there, and it is difficult to interpret.

Q. Are you getting redirections in both Windows 7 and XP, or just in one of the dual boot OSs?

You may have run this tool before, however, need for you to do it again, as follows:

Download TDSSKiller
http://support.kaspersky.com/downlo...

Execute TDSSKiller.exe by double-clicking on it.

Click: ‘Start Scan’

If Malicious objects are found, DO NOT allow the tool to Cure.
Click the arrow next to 'Cure' and select Skip
We need to see the report first, as it may show false detections!!

Click Continue.

When the tool is done, a log is produced in the root of the system drive, which is typically C:\
For example, C:\TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt

Please post the log in your reply.


~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#6
July 26, 2011 at 09:52:54
I can't say that I've specifically noticed such redirects on Windows XP, but then again I don't use it that often anymore. Though I can say that the last time I did any sort of virus/malware scans on there, it came up clean (I only used Trend Micro HouseCall and Malwarebytes). I hadn't turned up any instances of infections until I installed Microsoft Security Essentials on Windows 7 a week or so ago (the OS I am using now, and the one I'm doing all these scans with). TDSSKiller just turned up a different name for the virus, though at the same location?

Edit: Looking over the log again, could it be detecting it as located on my second physical drive used for storage...? Only my drive with operating systems on it has three partitions; the second physical hard drive is just one big partition, no OS's.

2011/07/26 12:43:46.0252 4308 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/26 12:43:46.0613 4308 ================================================================================
2011/07/26 12:43:46.0614 4308 SystemInfo:
2011/07/26 12:43:46.0614 4308
2011/07/26 12:43:46.0614 4308 OS Version: 6.1.7601 ServicePack: 1.0
2011/07/26 12:43:46.0614 4308 Product type: Workstation
2011/07/26 12:43:46.0614 4308 ComputerName: OWNER-PC
2011/07/26 12:43:46.0614 4308 UserName: Doot Doot
2011/07/26 12:43:46.0614 4308 Windows directory: C:\Windows
2011/07/26 12:43:46.0614 4308 System windows directory: C:\Windows
2011/07/26 12:43:46.0615 4308 Processor architecture: Intel x86
2011/07/26 12:43:46.0615 4308 Number of processors: 3
2011/07/26 12:43:46.0615 4308 Page size: 0x1000
2011/07/26 12:43:46.0615 4308 Boot type: Normal boot
2011/07/26 12:43:46.0615 4308 ================================================================================
2011/07/26 12:43:48.0818 4308 Initialize success
2011/07/26 12:46:08.0007 3520 ================================================================================
2011/07/26 12:46:08.0007 3520 Scan started
2011/07/26 12:46:08.0007 3520 Mode: Manual;
2011/07/26 12:46:08.0007 3520 ================================================================================
2011/07/26 12:46:08.0437 3520 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\drivers\1394ohci.sys
2011/07/26 12:46:08.0476 3520 ACPI (cea80c80bed809aa0da6febc04733349) C:\Windows\system32\drivers\ACPI.sys
2011/07/26 12:46:08.0541 3520 AcpiPmi (1efbc664abff416d1d07db115dcb264f) C:\Windows\system32\drivers\acpipmi.sys
2011/07/26 12:46:08.0626 3520 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
2011/07/26 12:46:08.0649 3520 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
2011/07/26 12:46:08.0675 3520 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
2011/07/26 12:46:08.0745 3520 AFD (9ebbba55060f786f0fcaa3893bfa2806) C:\Windows\system32\drivers\afd.sys
2011/07/26 12:46:08.0779 3520 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\drivers\agp440.sys
2011/07/26 12:46:08.0814 3520 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
2011/07/26 12:46:08.0852 3520 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\drivers\aliide.sys
2011/07/26 12:46:08.0879 3520 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\drivers\amdagp.sys
2011/07/26 12:46:08.0901 3520 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\drivers\amdide.sys
2011/07/26 12:46:08.0924 3520 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
2011/07/26 12:46:08.0954 3520 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
2011/07/26 12:46:08.0976 3520 amdsata (e7f4d42d8076ec60e21715cd11743a0d) C:\Windows\system32\drivers\amdsata.sys
2011/07/26 12:46:09.0004 3520 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
2011/07/26 12:46:09.0025 3520 amdxata (146459d2b08bfdcbfa856d9947043c81) C:\Windows\system32\drivers\amdxata.sys
2011/07/26 12:46:09.0056 3520 AppID (aea177f783e20150ace5383ee368da19) C:\Windows\system32\drivers\appid.sys
2011/07/26 12:46:09.0109 3520 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
2011/07/26 12:46:09.0137 3520 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
2011/07/26 12:46:09.0216 3520 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/07/26 12:46:09.0249 3520 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\drivers\atapi.sys
2011/07/26 12:46:09.0302 3520 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
2011/07/26 12:46:09.0348 3520 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
2011/07/26 12:46:09.0386 3520 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
2011/07/26 12:46:09.0422 3520 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
2011/07/26 12:46:09.0463 3520 bowser (8f2da3028d5fcbd1a060a3de64cd6506) C:\Windows\system32\DRIVERS\bowser.sys
2011/07/26 12:46:09.0478 3520 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
2011/07/26 12:46:09.0496 3520 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
2011/07/26 12:46:09.0532 3520 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
2011/07/26 12:46:09.0553 3520 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
2011/07/26 12:46:09.0571 3520 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
2011/07/26 12:46:09.0590 3520 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
2011/07/26 12:46:09.0609 3520 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
2011/07/26 12:46:09.0655 3520 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
2011/07/26 12:46:09.0688 3520 cdrom (be167ed0fdb9c1fa1133953c18d5a6c9) C:\Windows\system32\drivers\cdrom.sys
2011/07/26 12:46:09.0716 3520 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
2011/07/26 12:46:09.0761 3520 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
2011/07/26 12:46:09.0802 3520 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/07/26 12:46:09.0836 3520 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\drivers\cmdide.sys
2011/07/26 12:46:09.0868 3520 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys
2011/07/26 12:46:09.0894 3520 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
2011/07/26 12:46:09.0933 3520 CompositeBus (cbe8c58a8579cfe5fccf809e6f114e89) C:\Windows\system32\drivers\CompositeBus.sys
2011/07/26 12:46:09.0971 3520 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
2011/07/26 12:46:10.0027 3520 CSC (3c2177a897b4ca2788c6fb0c3fd81d4b) C:\Windows\system32\drivers\csc.sys
2011/07/26 12:46:10.0115 3520 DfsC (f024449c97ec1e464aaffda18593db88) C:\Windows\system32\Drivers\dfsc.sys
2011/07/26 12:46:10.0140 3520 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
2011/07/26 12:46:10.0177 3520 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
2011/07/26 12:46:10.0240 3520 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
2011/07/26 12:46:10.0286 3520 dtsoftbus01 (555e54ac2f601a8821cef58961653991) C:\Windows\system32\DRIVERS\dtsoftbus01.sys
2011/07/26 12:46:10.0338 3520 DXGKrnl (23f5d28378a160352ba8f817bd8c71cb) C:\Windows\System32\drivers\dxgkrnl.sys
2011/07/26 12:46:10.0458 3520 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
2011/07/26 12:46:10.0589 3520 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
2011/07/26 12:46:10.0634 3520 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\drivers\errdev.sys
2011/07/26 12:46:10.0674 3520 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
2011/07/26 12:46:10.0701 3520 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
2011/07/26 12:46:10.0731 3520 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
2011/07/26 12:46:10.0777 3520 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
2011/07/26 12:46:10.0799 3520 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
2011/07/26 12:46:10.0824 3520 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/07/26 12:46:10.0855 3520 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
2011/07/26 12:46:10.0898 3520 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
2011/07/26 12:46:10.0920 3520 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
2011/07/26 12:46:10.0963 3520 fvevol (8a73e79089b282100b9393b644cb853b) C:\Windows\system32\DRIVERS\fvevol.sys
2011/07/26 12:46:11.0000 3520 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
2011/07/26 12:46:11.0048 3520 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
2011/07/26 12:46:11.0101 3520 HdAudAddService (a5ef29d5315111c80a5c1abad14c8972) C:\Windows\system32\drivers\HdAudio.sys
2011/07/26 12:46:11.0155 3520 HDAudBus (9036377b8a6c15dc2eec53e489d159b5) C:\Windows\system32\drivers\HDAudBus.sys
2011/07/26 12:46:11.0172 3520 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
2011/07/26 12:46:11.0197 3520 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
2011/07/26 12:46:11.0223 3520 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
2011/07/26 12:46:11.0250 3520 HidUsb (10c19f8290891af023eaec0832e1eb4d) C:\Windows\system32\drivers\hidusb.sys
2011/07/26 12:46:11.0294 3520 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\drivers\HpSAMD.sys
2011/07/26 12:46:11.0362 3520 HSF_DP (0f5ed510a6c361420bc319e0cf96c1dc) C:\Windows\system32\DRIVERS\HSX_DP.sys
2011/07/26 12:46:11.0421 3520 HSXHWBS2 (186c11d0ca0e53b1ee266633b9d8b393) C:\Windows\system32\DRIVERS\HSXHWBS2.sys
2011/07/26 12:46:11.0476 3520 HTTP (871917b07a141bff43d76d8844d48106) C:\Windows\system32\drivers\HTTP.sys
2011/07/26 12:46:11.0536 3520 hwpolicy (0c4e035c7f105f1299258c90886c64c5) C:\Windows\system32\drivers\hwpolicy.sys
2011/07/26 12:46:11.0576 3520 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\drivers\i8042prt.sys
2011/07/26 12:46:11.0605 3520 iaStorV (a3cae5d281db4cff7cff8233507ee5ad) C:\Windows\system32\drivers\iaStorV.sys
2011/07/26 12:46:11.0658 3520 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
2011/07/26 12:46:11.0704 3520 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\drivers\intelide.sys
2011/07/26 12:46:11.0728 3520 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
2011/07/26 12:46:11.0751 3520 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/07/26 12:46:11.0797 3520 IPMIDRV (4bd7134618c1d2a27466a099062547bf) C:\Windows\system32\drivers\IPMIDrv.sys
2011/07/26 12:46:11.0815 3520 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
2011/07/26 12:46:11.0862 3520 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
2011/07/26 12:46:11.0905 3520 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\drivers\isapnp.sys
2011/07/26 12:46:12.0041 3520 iScsiPrt (cb7a9abb12b8415bce5d74994c7ba3ae) C:\Windows\system32\drivers\msiscsi.sys
2011/07/26 12:46:12.0082 3520 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\drivers\kbdclass.sys
2011/07/26 12:46:12.0125 3520 kbdhid (9e3ced91863e6ee98c24794d05e27a71) C:\Windows\system32\drivers\kbdhid.sys
2011/07/26 12:46:12.0169 3520 KSecDD (412cea1aa78cc02a447f5c9e62b32ff1) C:\Windows\system32\Drivers\ksecdd.sys
2011/07/26 12:46:12.0192 3520 KSecPkg (26c046977e85b95036453d7b88ba1820) C:\Windows\system32\Drivers\ksecpkg.sys
2011/07/26 12:46:12.0251 3520 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/07/26 12:46:12.0309 3520 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
2011/07/26 12:46:12.0332 3520 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
2011/07/26 12:46:12.0355 3520 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
2011/07/26 12:46:12.0382 3520 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
2011/07/26 12:46:12.0407 3520 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
2011/07/26 12:46:12.0457 3520 ManyCam (c6d085c7045200143528136a43a65fde) C:\Windows\system32\DRIVERS\ManyCam.sys
2011/07/26 12:46:12.0503 3520 MBAMProtector (eca00eed9ab95489007b0ef84c7149de) C:\Windows\system32\drivers\mbam.sys
2011/07/26 12:46:12.0561 3520 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
2011/07/26 12:46:12.0584 3520 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
2011/07/26 12:46:12.0610 3520 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
2011/07/26 12:46:12.0654 3520 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
2011/07/26 12:46:12.0691 3520 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
2011/07/26 12:46:12.0740 3520 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\drivers\mouclass.sys
2011/07/26 12:46:12.0770 3520 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
2011/07/26 12:46:12.0805 3520 mountmgr (fc8771f45ecccfd89684e38842539b9b) C:\Windows\system32\drivers\mountmgr.sys
2011/07/26 12:46:12.0850 3520 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\Windows\system32\DRIVERS\MpFilter.sys
2011/07/26 12:46:12.0888 3520 mpio (2d699fb6e89ce0d8da14ecc03b3edfe0) C:\Windows\system32\drivers\mpio.sys
2011/07/26 12:46:12.0994 3520 MpKslb1912b78 (5f53edfead46fa7adb78eee9ecce8fdf) c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{9DAA3A9D-D15A-427B-8AA1-47FEE055C23E}\MpKslb1912b78.sys
2011/07/26 12:46:13.0032 3520 MpNWMon (f32e2d6a1640a469a9ed4f1929a4a861) C:\Windows\system32\DRIVERS\MpNWMon.sys
2011/07/26 12:46:13.0067 3520 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
2011/07/26 12:46:13.0112 3520 MRxDAV (ceb46ab7c01c9f825f8cc6babc18166a) C:\Windows\system32\drivers\mrxdav.sys
2011/07/26 12:46:13.0183 3520 mrxsmb (5d16c921e3671636c0eba3bbaac5fd25) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/07/26 12:46:13.0226 3520 mrxsmb10 (a70c828a93cce4c11617f6249f4d87fc) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/07/26 12:46:13.0250 3520 mrxsmb20 (b81f204d146000be76651a50670a5e9e) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/07/26 12:46:13.0284 3520 msahci (012c5f4e9349e711e11e0f19a8589f0a) C:\Windows\system32\drivers\msahci.sys
2011/07/26 12:46:13.0318 3520 msdsm (55055f8ad8be27a64c831322a780a228) C:\Windows\system32\drivers\msdsm.sys
2011/07/26 12:46:13.0361 3520 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
2011/07/26 12:46:13.0386 3520 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
2011/07/26 12:46:13.0426 3520 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\drivers\msisadrv.sys
2011/07/26 12:46:13.0463 3520 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
2011/07/26 12:46:13.0499 3520 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/07/26 12:46:13.0515 3520 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
2011/07/26 12:46:13.0546 3520 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
2011/07/26 12:46:13.0572 3520 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\drivers\mssmbios.sys
2011/07/26 12:46:13.0598 3520 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
2011/07/26 12:46:13.0615 3520 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
2011/07/26 12:46:13.0642 3520 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
2011/07/26 12:46:13.0685 3520 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
2011/07/26 12:46:13.0741 3520 NDIS (e7c54812a2aaf43316eb6930c1ffa108) C:\Windows\system32\drivers\ndis.sys
2011/07/26 12:46:13.0787 3520 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
2011/07/26 12:46:13.0819 3520 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/07/26 12:46:13.0859 3520 Ndisuio (d8a65dafb3eb41cbb622745676fcd072) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/07/26 12:46:13.0893 3520 NdisWan (38fbe267e7e6983311179230facb1017) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/07/26 12:46:13.0931 3520 NDProxy (a4bdc541e69674fbff1a8ff00be913f2) C:\Windows\system32\drivers\NDProxy.sys
2011/07/26 12:46:13.0957 3520 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
2011/07/26 12:46:13.0993 3520 NetBT (280122ddcf04b378edd1ad54d71c1e54) C:\Windows\system32\DRIVERS\netbt.sys
2011/07/26 12:46:14.0076 3520 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
2011/07/26 12:46:14.0113 3520 NisDrv (17e2c08c5ecfbe94a7c67b1c275ee9d9) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
2011/07/26 12:46:14.0150 3520 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
2011/07/26 12:46:14.0176 3520 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
2011/07/26 12:46:14.0231 3520 Ntfs (33c3093d09017cfe2e219f2472bff6eb) C:\Windows\system32\drivers\Ntfs.sys
2011/07/26 12:46:14.0286 3520 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
2011/07/26 12:46:14.0348 3520 NVENETFD (b5e37e31c053bc9950455a257526514b) C:\Windows\system32\DRIVERS\nvm62x32.sys
2011/07/26 12:46:14.0573 3520 nvlddmkm (b0881dda5a8160422561ffab7f0008b1) C:\Windows\system32\DRIVERS\nvlddmkm.sys
2011/07/26 12:46:14.0798 3520 NVNET (5bf9c11586f4764446407f509f1beca8) C:\Windows\system32\DRIVERS\nvmf6232.sys
2011/07/26 12:46:14.0856 3520 nvraid (af2eec9580c1d32fb7eaf105d9784061) C:\Windows\system32\drivers\nvraid.sys
2011/07/26 12:46:14.0883 3520 nvstor (9283c58ebaa2618f93482eb5dabcec82) C:\Windows\system32\drivers\nvstor.sys
2011/07/26 12:46:14.0922 3520 nvstor32 (f73533d47857d819e082e42ea1300e50) C:\Windows\system32\DRIVERS\nvstor32.sys
2011/07/26 12:46:14.0967 3520 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\drivers\nv_agp.sys
2011/07/26 12:46:15.0004 3520 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\drivers\ohci1394.sys
2011/07/26 12:46:15.0081 3520 ovt519 (4cdadec3dc1300ee1d313ea5494e6472) C:\Windows\system32\Drivers\ov519vid.sys
2011/07/26 12:46:15.0133 3520 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
2011/07/26 12:46:15.0171 3520 partmgr (bf8f6af06da75b336f07e23aef97d93b) C:\Windows\system32\drivers\partmgr.sys
2011/07/26 12:46:15.0193 3520 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
2011/07/26 12:46:15.0217 3520 pci (673e55c3498eb970088e812ea820aa8f) C:\Windows\system32\drivers\pci.sys
2011/07/26 12:46:15.0254 3520 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\drivers\pciide.sys
2011/07/26 12:46:15.0283 3520 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
2011/07/26 12:46:15.0310 3520 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
2011/07/26 12:46:15.0345 3520 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
2011/07/26 12:46:15.0461 3520 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
2011/07/26 12:46:15.0488 3520 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
2011/07/26 12:46:15.0529 3520 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
2011/07/26 12:46:15.0575 3520 PxHelp20 (b572ed0c3e6165643fa116af20425a54) C:\Windows\system32\DRIVERS\PxHelp20.sys
2011/07/26 12:46:15.0624 3520 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
2011/07/26 12:46:15.0697 3520 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
2011/07/26 12:46:15.0730 3520 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
2011/07/26 12:46:15.0756 3520 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
2011/07/26 12:46:15.0785 3520 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
2011/07/26 12:46:15.0817 3520 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/07/26 12:46:15.0854 3520 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/07/26 12:46:15.0881 3520 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
2011/07/26 12:46:15.0923 3520 rdbss (d528bc58a489409ba40334ebf96a311b) C:\Windows\system32\DRIVERS\rdbss.sys
2011/07/26 12:46:15.0951 3520 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
2011/07/26 12:46:15.0988 3520 RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/07/26 12:46:16.0032 3520 RDPDR (b973fcfc50dc1434e1970a146f7e3885) C:\Windows\system32\drivers\rdpdr.sys
2011/07/26 12:46:16.0075 3520 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
2011/07/26 12:46:16.0096 3520 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
2011/07/26 12:46:16.0137 3520 RdpVideoMiniport (68a0387f58e226deee23d9715955572a) C:\Windows\system32\drivers\rdpvideominiport.sys
2011/07/26 12:46:16.0172 3520 RDPWD (288b06960d78428ff89e811632684e20) C:\Windows\system32\drivers\RDPWD.sys
2011/07/26 12:46:16.0215 3520 rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\Windows\system32\drivers\rdyboost.sys
2011/07/26 12:46:16.0273 3520 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
2011/07/26 12:46:16.0315 3520 s3cap (7fa7f2e249a5dcbb7970630e15e1f482) C:\Windows\system32\drivers\vms3cap.sys
2011/07/26 12:46:16.0371 3520 sbp2port (05d860da1040f111503ac416ccef2bca) C:\Windows\system32\drivers\sbp2port.sys
2011/07/26 12:46:16.0400 3520 scfilter (0693b5ec673e34dc147e195779a4dcf6) C:\Windows\system32\DRIVERS\scfilter.sys
2011/07/26 12:46:16.0445 3520 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/07/26 12:46:19.0681 3520 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
2011/07/26 12:46:20.0191 3520 MBR (0x1B8) (d6244bbf65cbb08a2ca04b62edbed8cf) \Device\Harddisk1\DR1
2011/07/26 12:46:20.0202 3520 \Device\Harddisk1\DR1 - detected Trojan-Clicker.Win32.Wistler.a (0)
2011/07/26 12:46:20.0219 3520 Boot (0x1200) (bfc970e0ca4c9efe2997266c2ea7fe45) \Device\Harddisk0\DR0\Partition0
2011/07/26 12:46:20.0239 3520 Boot (0x1200) (fda9df8c78735ade7a2e43dbeac5599b) \Device\Harddisk0\DR0\Partition1
2011/07/26 12:46:20.0270 3520 Boot (0x1200) (46c1769436f18512a5d2d37ef8f444d2) \Device\Harddisk0\DR0\Partition2
2011/07/26 12:46:20.0308 3520 Boot (0x1200) (24659a7de5dfc19bf3a6a2c5c9ae8e9f) \Device\Harddisk0\DR0\Partition3
2011/07/26 12:46:20.0320 3520 Boot (0x1200) (d3c7005f83184d84c0551377e6baf2be) \Device\Harddisk1\DR1\Partition0
2011/07/26 12:46:20.0330 3520 ================================================================================
2011/07/26 12:46:20.0330 3520 Scan finished
2011/07/26 12:46:20.0330 3520 ================================================================================
2011/07/26 12:46:20.0349 6112 Detected object count: 1
2011/07/26 12:46:20.0349 6112 Actual detected object count: 1
2011/07/26 12:47:18.0441 6112 Trojan-Clicker.Win32.Wistler.a(\Device\Harddisk1\DR1) - User select action: Skip



#7
July 26, 2011 at 15:03:35
Doot Doot,

The diagnostics/tools run so far are showing a BootKit: Whistler
It is on Harddisk1, in Windows 7.

Needless to say, there are risks when dealing with these situations. In your case, the issue is compounded by the dual-boot. However, the BootKit has to be removed.

We are going to use ComboFix, since it can handle Whistler, and does a back-up of the MBR to a convenient location. If there are problems, then, we can reach the back-up MBR via the Recovery Environment.

Please do the following:

Please download ComboFix:
http://download.bleepingcomputer.co...

Save ComboFix.exe to your Desktop!!


Make sure you disable your AntiVirus and AntiSpyware applications (MSE, and Windows Defender), usually via a right-click on the System Tray icon. They may otherwise interfere with the running of CF.

Note: If you are having difficulty properly disabling your protective programs, please refer to the information available through this link: http://www.bleepingcomputer.com/for...

Now, right-click on ComboFix.exe and select: Run as Administrator
Follow the prompts.

If offered the option, >skip< the Recovery Console part since you are running Windows 7.

Click on Yes, to continue scanning for malware.

When finished, CF produces a report.

Since this report can also be quite large, please go to the Uploading website:
http://uploading.com/files/upload/

In: Select files to upload, click 'Browse', and 'Look in' the Desktop.
Select the RU report, and click on 'Open'
You will see the following:
Your file has been uploaded successfully: (Name and size of the file)

Please copy the 'Download link', and provide it in your reply.

Notes:

1. Do not mouse-click the ComboFix window while it is running. This action may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. CF disconnects your machine from the Internet. However, the connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#8
July 26, 2011 at 17:15:45
OK, I ran ComboFix; here is the log:

http://uploading.com/files/2cd471me...



#9
July 26, 2011 at 18:47:43
✔ Best Answer
Good job, Doot Doot!!!!

How is it going now?
Are you still having redirections?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#10
July 27, 2011 at 05:12:07
Haven't noticed, at least so far. ComboFix didn't seem to adversely affect my system either. MSE has not been alerting me anymore and scans from it are showing up clean now. Additionally, I ran TDSSKiller a last time just to see what it'd say and it's also not showing anything anymore. I think ComboFix did it?


#11
July 27, 2011 at 09:00:19
Glad the issue is taken care of.

Selecting to run CF was based on its use of an embedded mbr.exe that rewrites a standard Win7 MBR to the machine.

The boot order was not affected.

Thank you very much for your patience.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.


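The TDSSKiller log earlier in the thread prints one MD5 per disk labelled "MBR (0x1B8)", and #11 explains that the fix was to rewrite a standard Win7 MBR. As an added example that is not from the thread or from either tool, the Python below compares a backed-up MBR sector with the one now on disk, hashes only the bootstrap code region, and reports whether the code or the partition table changed; it assumes that 0x1B8 is the length of the hashed code region and uses a constructed sample sector rather than a real disk image.

```python
import hashlib
import struct

CODE_LEN = 0x1B8    # bootstrap code; assumed to be the region behind TDSSKiller's "MBR (0x1B8)" hash
PART_TABLE = 0x1BE  # four 16-byte partition entries
BOOT_SIG = 0x1FE    # must hold 0x55 0xAA

def make_mbr(code: bytes, partitions) -> bytes:
    """Build a constructed MBR sector (sample data, not a real disk image)."""
    sector = bytearray(512)
    sector[:len(code)] = code
    for i, (bootable, ptype, start_lba, count) in enumerate(partitions):
        off = PART_TABLE + 16 * i
        sector[off] = 0x80 if bootable else 0x00
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, start_lba, count)
    sector[BOOT_SIG:BOOT_SIG + 2] = b"\x55\xaa"
    return bytes(sector)

def mbr_code_md5(sector: bytes) -> str:
    """MD5 over the bootstrap code region only, so partition-table edits do not change it."""
    return hashlib.md5(sector[:CODE_LEN]).hexdigest()

def parse_partitions(sector: bytes):
    """Return (bootable, type, start_lba, sector_count) for each used partition entry."""
    parts = []
    for i in range(4):
        off = PART_TABLE + 16 * i
        ptype = sector[off + 4]
        if ptype:
            start_lba, count = struct.unpack_from("<II", sector, off + 8)
            parts.append((sector[off] == 0x80, ptype, start_lba, count))
    return parts

def compare_mbr(backup: bytes, current: bytes) -> dict:
    """Report what differs between a backed-up MBR and the one now on disk."""
    return {
        "valid_signature": current[BOOT_SIG:BOOT_SIG + 2] == b"\x55\xaa",
        "code_changed": backup[:CODE_LEN] != current[:CODE_LEN],
        "partition_table_changed": backup[PART_TABLE:BOOT_SIG] != current[PART_TABLE:BOOT_SIG],
        "backup_md5": mbr_code_md5(backup),
        "current_md5": mbr_code_md5(current),
    }

# Constructed sample: identical partition tables (the machine still boots), replaced code region.
PARTS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 1000000)]
CLEAN_MBR = make_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", PARTS)
HOOKED_MBR = make_mbr(b"\x90" * 64, PARTS)
# compare_mbr(CLEAN_MBR, HOOKED_MBR) -> code_changed True, partition_table_changed False
```

This is why a saved copy of the MBR matters: with the partition table untouched, only the code-region hash reveals the change, which is what the per-disk "MBR (0x1B8)" values in the log let you spot.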