TechSpot

Battling PC Performance and Stability Analysis Report Virus

By Eric72
Nov 2, 2011
  1. I contracted the PC Performance and Stability Analysis Report Virus yesterday. After extensive searching on the topic, I've read most of the applicable threads in this forum. I've begun the initial 5-step process and am currently running the Malwarebytes program, in "Safe Mode with Networking" (virus prevents any activity in Normal Mode).

    Please confirm that I should continue through the initial 5-step process. Should I revert to normal mode after running Malwarebytes?

    Thanks a lot for the help!
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot Eric. It would help to know what problems you're experiencing, such as missing programs, files, icons? 'Error' and/or malware alerts?
    ----------------------------------
    Please do the following to help you run other programs:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, using your up/down arrows to reach it and then press ENTER.

    This infection may change your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software, so we will first need to fix this. Launch Internet Explorer:
    • Access Internet Options through Tools> Connections tab
    • Click on the Lan Settings at the bottom
    • Proxy Server section> uncheck the box labeled 'Use a proxy server for your LAN.'
    • Then click on OK> and OK again to close Internet Options.
    ===============================
    This malware frequently comes with the TDSS rootkit, so do the following:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double-click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result. Save the log and include it in your next reply.
    • A reboot is required after disinfection.
    ====================================
    If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again.
    ====================================
    Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 3 different versions. If one of them won't run then download and try to run the other one. (Vista and Win7 users need to right click Rkill and choose Run as Administrator)

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • If the tool does not run from any of the links provided, please let me know.
    Do not reboot until instructed, as it will start the malware again.
    ==================================
    Now try the Malwarebytes scan, after it updates, but this time, on the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.

    When the scan has finished, a results message box will appear:
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    ========================================
    I'd also like you to run the DDS scan and leave the 2 logs.
    TDSSKiller
    RKill
    Malwarebytes Full Scan
    2 logs from DDS
     
  3. Eric72

    Eric72 TS Rookie Topic Starter Posts: 34

    Thanks a lot, Bobbye.

    My initial symptoms included multiple windows with warnings and error messages related to my OS, hard drive, memory, etc; no visible icons on the desktop; no visible programs nested within the Start button; black desktop background.

    Since my first post, I have attempted to execute the initial 5-step process in Safe Mode with Networking (unable in normal mode), with the following results:
    - Left my current antivirus program (Verizon Internet Security Suite) in place
    - Successfully installed and ran Malwarebytes
    - Successfully installed and ran GMER
    - Successfully installed DDS, but it is unable to finish its scan. I'm not aware of any script blocking I have in place but am unsure how to determine that or turn it off

    Following your additional instructions above:
    - I installed TDSSKiller, but it will not run - nothing seems to happen when I launch it
    - Successfully installed and ran Rkill (from Rkill.com link)
    - Reran Malwarebytes (full scan)

    Following this post, I will post the initial Malwarebytes log, the GMER log, and the second Malwarebytes log.

    Thanks for any additional guidance.
     
  4. Eric72

    Eric72 TS Rookie Topic Starter Posts: 34

    First Malwarebytes log:

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8068

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    11/2/2011 9:15:56 AM
    mbam-log-2011-11-02 (09-15-56).txt

    Scan type: Quick scan
    Objects scanned: 275140
    Time elapsed: 17 minute(s), 35 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 7
    Registry Values Infected: 5
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 6

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\main.BHO.1 (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\main.BHO (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gasfkyjyxdjbom (Rootkit.TDSS) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wLFPFmouqaYX.exe (Rogue.FakeAlert) -> Value: wLFPFmouqaYX.exe -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D} (Trojan.FakeAlert) -> Value: {E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D} -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D} (Trojan.FakeAlert) -> Value: {E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D} -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\main.BHO.1\CLSID\(default) (Adware.DeepDive) -> Value: (default) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\main.BHO\CLSID\(default) (Adware.DeepDive) -> Value: (default) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\all users\application data\wlfpfmouqayx.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\application data\1kalmig2kb7fzp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\downloads\europeanairwar-dm[1].exe (Adware.TryMedia) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\drivers\gasfkyynepsyav.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\gasfkykyxfeojt.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\gasfkyttmqsnto.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
     
  5. Eric72

    Eric72 TS Rookie Topic Starter Posts: 34

    GMER log:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-11-02 10:29:24
    Windows 5.1.2600 Service Pack 3
    Running: y3wluwmo.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pwtdapod.sys


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom@start 1
    Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom@type 1
    Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom@group file system
    Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom@imagepath \systemroot\system32\drivers\gasfkyynepsyav.sys
    Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\main (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\main@aid 10096
    Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\main@sid 0
    Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\main@cmddelay 14400
    Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\main\connections (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\main\delete (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\main\delete@C:\DOCUME~1\Gunnar\LOCALS~1\Temp\gasfkyipmpdwqjtn.tmp
    Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\main\delete@C:\DOCUME~1\Gunnar\LOCALS~1\Temp\gasfkytpfqxrgevp.tmp
    Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\main\injector (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\main\injector@* gasfkywsp8y.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\main\tasks (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkyynepsyav.sys
    Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\modules@gasfkycmd.dll \systemroot\system32\gasfkybafdkmrv.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\modules@gasfkylog.dat \systemroot\system32\gasfkyttmqsnto.dat
    Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\modules@gasfkywsp.dll \systemroot\system32\gasfkyrpuhatve.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\modules@gasfky.dat \systemroot\system32\gasfkykyxfeojt.dat
    Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\modules@gasfkywsp8y.dll \systemroot\system32\gasfkyxfvaiidf.dll

    ---- EOF - GMER 1.0.15 ----
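Cross-checking the two logs above, as an added example that is not part of the thread, of Malwarebytes or of GMER: the first Malwarebytes log reports removing the gasfkyjyxdjbom service key from CurrentControlSet and quarantining three TDSS files, while GMER still lists the same service under ControlSet003 (flagged "not active ControlSet"), and its modules list names three DLLs that appear nowhere in the Malwarebytes log. The script below parses excerpts copied from both logs and reports exactly that. It assumes %SystemRoot% is C:\WINDOWS (the TDSSKiller log later in the thread shows that) when matching GMER's \systemroot paths against Malwarebytes' absolute paths; the function and class names are this example's own.

```python
# Added triage example: cross-check a Malwarebytes 1.5x log against a GMER
# registry dump for TDSS persistence that survived the first cleanup. Not code
# from the thread, Malwarebytes or GMER. Log lines are excerpts copied from
# posts 4 and 5; names and the C:\WINDOWS SystemRoot assumption are this example's.
import re
from dataclasses import dataclass, field
from typing import Dict, List

MBAM_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gasfkyjyxdjbom (Rootkit.TDSS) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\all users\application data\wlfpfmouqayx.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\gasfkyynepsyav.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gasfkykyxfeojt.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gasfkyttmqsnto.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

GMER_LOG = r"""
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom@imagepath \systemroot\system32\drivers\gasfkyynepsyav.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\main\injector@* gasfkywsp8y.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkyynepsyav.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\modules@gasfkycmd.dll \systemroot\system32\gasfkybafdkmrv.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\modules@gasfkylog.dat \systemroot\system32\gasfkyttmqsnto.dat
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\modules@gasfkywsp.dll \systemroot\system32\gasfkyrpuhatve.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\modules@gasfky.dat \systemroot\system32\gasfkykyxfeojt.dat
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\modules@gasfkywsp8y.dll \systemroot\system32\gasfkyxfvaiidf.dll
"""

SECTION = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
MBAM_ITEM = re.compile(r"^(?P<path>.+?) \((?P<family>[\w.]+)\) -> (?P<action>.+?)\.?$")
SERVICE_KEY = re.compile(
    r"\\(?P<cset>ControlSet\d{3}|CurrentControlSet)\\Services\\(?P<service>[^\\]+)$", re.I)
GMER_REG = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cset>ControlSet\d{3}|CurrentControlSet)\\Services\\"
    r"(?P<service>[^\\@\s]+)(?P<subkey>(?:\\[^@\s]+)*)"
    r"(?:@(?P<value>\S+))?(?:\s+(?P<data>.*))?$")
FILE_REF = re.compile(r"^(?:\\systemroot|[a-z]:)\\", re.I)   # imagepath / module style data


@dataclass
class ServiceResidue:
    service: str
    control_sets: List[str] = field(default_factory=list)       # where GMER still sees the key
    removed_from: List[str] = field(default_factory=list)       # control sets MBAM removed it from
    quarantined_files: List[str] = field(default_factory=list)  # GMER-referenced, already in MBAM log
    unhandled_files: List[str] = field(default_factory=list)    # GMER-referenced, absent from MBAM log


def norm_path(p: str) -> str:
    # Lower-case and expand GMER's \systemroot prefix (assumed to be C:\WINDOWS here).
    p = p.strip().lower()
    return "c:\\windows" + p[len(r"\systemroot"):] if p.startswith(r"\systemroot") else p


def parse_mbam(text: str) -> List[dict]:
    # Each detection is tagged with the "... Infected:" section it was listed under.
    items, section = [], None
    for line in (l.strip() for l in text.splitlines()):
        head = SECTION.match(line)
        if head:
            section = head.group("section")
        elif (m := MBAM_ITEM.match(line)):
            items.append({"section": section, **m.groupdict()})
    return items


def parse_gmer(text: str) -> List[dict]:
    return [m.groupdict() for m in map(GMER_REG.match, (l.strip() for l in text.splitlines())) if m]


def cross_check(mbam_text: str, gmer_text: str) -> Dict[str, ServiceResidue]:
    mbam = parse_mbam(mbam_text)
    quarantined = {norm_path(i["path"]) for i in mbam if i["section"] == "Files"}
    removed: Dict[str, List[str]] = {}
    for i in mbam:
        k = SERVICE_KEY.search(i["path"]) if i["section"] == "Registry Keys" else None
        if k:
            removed.setdefault(k["service"].lower(), []).append(k["cset"])
    report: Dict[str, ServiceResidue] = {}
    for e in parse_gmer(gmer_text):
        svc = e["service"].lower()
        r = report.setdefault(svc, ServiceResidue(svc, removed_from=removed.get(svc, [])))
        if e["cset"] not in r.control_sets:
            r.control_sets.append(e["cset"])
        data = e["data"] or ""
        if FILE_REF.match(data):  # skip flags, "(not active ControlSet)" notes, injector globs
            p = norm_path(data)
            bucket = r.quarantined_files if p in quarantined else r.unhandled_files
            if p not in bucket:
                bucket.append(p)
    return report


if __name__ == "__main__":
    for r in cross_check(MBAM_LOG, GMER_LOG).values():
        print(f"{r.service}: MBAM removed key from {r.removed_from}; GMER still sees it in "
              f"{r.control_sets}; files not in MBAM log: {r.unhandled_files}")
```

A service key left behind in a non-active ControlSet is not loaded on a normal boot, but it survives a cleanup that only touches CurrentControlSet and is exactly what the later TDSSKiller and ComboFix passes in this thread are for; the three module DLLs GMER names but Malwarebytes never saw are the files to look for in those logs.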
     
  6. Eric72

    Eric72 TS Rookie Topic Starter Posts: 34

    Second Malwarebytes log:

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8068

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    11/3/2011 9:54:34 AM
    mbam-log-2011-11-03 (09-54-34).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 515610
    Time elapsed: 1 hour(s), 20 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1280\A0131280.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1280\A0131281.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1280\A0131282.exe (Adware.TryMedia) -> Quarantined and deleted successfully.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, no new entries in Eset. System Volume is where restore points are kept. These are not active in the system and will be removed at the end of cleaning.
    =======================
    If you are still 'missing' icons, programs, desktop, etc., run the following. Note: this does not remove the malware, only the attributes that make icons, etc. appear missing.
    Download Unhide.exe and save to the desktop.
    • Double-click on Unhide.exe icon to run the program.
    • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
    =======================================
    What happens when you boot into Normal Mode?
    =====================================
    Let's go through the following> if you can do this in Normal Mode, please do so:
    Follow this order
    Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 3 different versions. If one of them won't run then download and try to run the other one. (Vista and Win7 users need to right click Rkill and choose Run as Administrator)

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following>>>>.

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan.
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
    ===============================
    Run the TDSSKiller
    Run DDS
    =================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware.
    • If Combofix asks you to update the program, allow it.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ========================================
    Are you getting a message about a proxy? If yes, do the following:
    Reset your browser proxies
    • For Firefox:
      o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
      o Click on the "Network" tab, and then on the "Settings" button.
      o Please make sure that the "No Proxy" option is selected.
    • For Internet Explorer:
      o Open Internet Explorer.
      o Click on "Tools" and then select "Internet Options".
      o Click on the "Connections" tab and click the "Lan Settings" button at the bottom.
      o Uncheck "Use a Proxy server for your LAN".
      o Click Ok to close the Local Area Network (LAN) Settings window.
      o Click Ok to close the Internet Options window.
    ========================================
    Anytime you can't run a scan, if you get any message, you need to let me know what it is.
    Logs for next reply:
    RKill
    TDSS Killer
    DDS> 2 logs
    Combofix
     
  8. Eric72

    Eric72 TS Rookie Topic Starter Posts: 34

    When previously launching normal mode, I received an error message stating: "Error loading CTMBHA.DLL Invalid Access to Memory Location". I also had no visible icons in normal mode. Now that I've run Unhide.exe, icons are again visible. I also no longer see the memory access error.

    I've completed the following steps:
    - Successfully ran Unhide.exe
    - Successfully ran Rkill (log to follow)
    - Unable to download exeHelper, as if the link did not work
    - Successfully ran TDSSKiller (log to follow)
    - Launched DDS, but it again hangs up without completing (no error - just freezes up the computer; I did a hard reset after about 30-40 min)
    - Successfully downloaded Combofix, but it also hangs up during execution. I gave it an hour on the first run and about 45 min on the second try. Both iterations required a hard reset.
    - Noted no browser proxies in place

    Thanks again
     
  9. Eric72

    Eric72 TS Rookie Topic Starter Posts: 34

    Rkill log:

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 11/07/2011 at 16:48:47.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:



    Rkill completed on 11/07/2011 at 16:48:54.
     
  10. Eric72

    Eric72 TS Rookie Topic Starter Posts: 34

    TDSSKiller log:

    17:02:54.0062 0888 TDSS rootkit removing tool 2.6.16.0 Nov 7 2011 16:26:51
    17:02:54.0781 0888 ============================================================
    17:02:54.0796 0888 Current date / time: 2011/11/07 17:02:54.0781
    17:02:54.0796 0888 SystemInfo:
    17:02:54.0796 0888
    17:02:54.0796 0888 OS Version: 5.1.2600 ServicePack: 3.0
    17:02:54.0796 0888 Product type: Workstation
    17:02:54.0796 0888 ComputerName: OFFICE
    17:02:54.0812 0888 UserName: Erik
    17:02:54.0812 0888 Windows directory: C:\WINDOWS
    17:02:54.0812 0888 System windows directory: C:\WINDOWS
    17:02:54.0812 0888 Processor architecture: Intel x86
    17:02:54.0812 0888 Number of processors: 2
    17:02:54.0812 0888 Page size: 0x1000
    17:02:54.0812 0888 Boot type: Normal boot
    17:02:54.0812 0888 ============================================================
    17:02:55.0734 0888 Initialize success
    17:03:45.0171 1652 ============================================================
    17:03:45.0171 1652 Scan started
    17:03:45.0171 1652 Mode: Manual;
    17:03:45.0171 1652 ============================================================
    17:03:45.0718 1652 Abiosdsk - ok
    17:03:45.0781 1652 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
    17:03:45.0890 1652 abp480n5 - ok
    17:03:46.0203 1652 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    17:03:46.0234 1652 ACPI - ok
    17:03:46.0390 1652 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    17:03:46.0390 1652 ACPIEC - ok
    17:03:46.0546 1652 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
    17:03:46.0656 1652 adpu160m - ok
    17:03:46.0796 1652 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    17:03:46.0812 1652 aec - ok
    17:03:46.0890 1652 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys
    17:03:47.0015 1652 AegisP - ok
    17:03:47.0156 1652 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    17:03:47.0171 1652 AFD - ok
    17:03:47.0234 1652 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
    17:03:47.0234 1652 agp440 - ok
    17:03:47.0265 1652 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
    17:03:47.0281 1652 agpCPQ - ok
    17:03:47.0312 1652 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
    17:03:47.0421 1652 Aha154x - ok
    17:03:47.0500 1652 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
    17:03:47.0609 1652 aic78u2 - ok
    17:03:47.0625 1652 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
    17:03:47.0734 1652 aic78xx - ok
    17:03:47.0765 1652 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
    17:03:47.0875 1652 AliIde - ok
    17:03:47.0906 1652 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
    17:03:47.0921 1652 alim1541 - ok
    17:03:47.0937 1652 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
    17:03:47.0937 1652 amdagp - ok
    17:03:47.0968 1652 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
    17:03:48.0031 1652 amsint - ok
    17:03:48.0062 1652 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
    17:03:48.0125 1652 asc - ok
    17:03:48.0140 1652 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
    17:03:48.0218 1652 asc3350p - ok
    17:03:48.0234 1652 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
    17:03:48.0312 1652 asc3550 - ok
    17:03:48.0343 1652 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    17:03:48.0343 1652 AsyncMac - ok
    17:03:48.0375 1652 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    17:03:48.0375 1652 atapi - ok
    17:03:48.0390 1652 Atdisk - ok
    17:03:48.0437 1652 ati2mtag (03621f7f968ff63713943405deb777f9) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
    17:03:48.0609 1652 ati2mtag - ok
    17:03:48.0656 1652 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    17:03:48.0671 1652 Atmarpc - ok
    17:03:48.0703 1652 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    17:03:48.0718 1652 audstub - ok
    17:03:48.0750 1652 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    17:03:48.0765 1652 Beep - ok
    17:03:48.0796 1652 bvrp_pci - ok
    17:03:48.0828 1652 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
    17:03:48.0828 1652 cbidf - ok
    17:03:48.0859 1652 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    17:03:48.0859 1652 cbidf2k - ok
    17:03:48.0906 1652 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    17:03:48.0906 1652 CCDECODE - ok
    17:03:48.0937 1652 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
    17:03:49.0000 1652 cd20xrnt - ok
    17:03:49.0015 1652 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    17:03:49.0031 1652 Cdaudio - ok
    17:03:49.0062 1652 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    17:03:49.0078 1652 Cdfs - ok
    17:03:49.0093 1652 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    17:03:49.0093 1652 Cdrom - ok
    17:03:49.0140 1652 cfwids (142e4e00ad91600a2d20692ed52fafc8) C:\WINDOWS\system32\drivers\cfwids.sys
    17:03:49.0218 1652 cfwids - ok
    17:03:49.0218 1652 Changer - ok
    17:03:49.0250 1652 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
    17:03:49.0265 1652 CmdIde - ok
    17:03:49.0281 1652 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
    17:03:49.0296 1652 Cpqarray - ok
    17:03:49.0343 1652 ctsfm2k (8db84de3aab34a8b4c2f644eff41cd76) C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys
    17:03:49.0421 1652 ctsfm2k - ok
    17:03:49.0437 1652 CTUSFSYN (4ee8822adb764edd28ce44e808097995) C:\WINDOWS\system32\drivers\ctusfsyn.sys
    17:03:49.0515 1652 CTUSFSYN - ok
    17:03:49.0546 1652 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
    17:03:49.0562 1652 dac2w2k - ok
    17:03:49.0578 1652 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
    17:03:49.0640 1652 dac960nt - ok
    17:03:49.0687 1652 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    17:03:49.0703 1652 Disk - ok
    17:03:49.0765 1652 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    17:03:49.0812 1652 dmboot - ok
    17:03:49.0812 1652 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    17:03:49.0828 1652 dmio - ok
    17:03:49.0843 1652 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    17:03:49.0843 1652 dmload - ok
    17:03:49.0875 1652 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    17:03:49.0875 1652 DMusic - ok
    17:03:49.0921 1652 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
    17:03:49.0937 1652 dpti2o - ok
    17:03:49.0953 1652 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    17:03:49.0953 1652 drmkaud - ok
    17:04:05.0750 1652 MBR (0x1B8) (5cb90281d1a59b251f6603134774eec3) \Device\Harddisk0\DR0
    17:04:05.0781 1652 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
    17:04:05.0781 1652 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
    17:04:05.0796 1652 Boot (0x1200) (1cb2e22ca6693b69d4566505529aa405) \Device\Harddisk0\DR0\Partition0
    17:04:05.0796 1652 \Device\Harddisk0\DR0\Partition0 - ok
    17:04:05.0796 1652 ============================================================
    17:04:05.0796 1652 Scan finished
    17:04:05.0796 1652 ============================================================
    17:04:05.0828 3312 Detected object count: 1
    17:04:05.0828 3312 Actual detected object count: 1
    17:05:16.0484 3312 \Device\Harddisk0\DR0 - copied to quarantine
    17:05:16.0562 3312 \Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
    17:05:16.0593 3312 \Device\Harddisk0\DR0\TDLFS\vbr - copied to quarantine
    17:05:16.0609 3312 \Device\Harddisk0\DR0\TDLFS\bid - copied to quarantine
    17:05:16.0625 3312 \Device\Harddisk0\DR0\TDLFS\affid - copied to quarantine
    17:05:16.0625 3312 \Device\Harddisk0\DR0\TDLFS\boot - copied to quarantine
    17:05:16.0640 3312 \Device\Harddisk0\DR0\TDLFS\cmd32 - copied to quarantine
    17:05:16.0703 3312 \Device\Harddisk0\DR0\TDLFS\cmd64 - copied to quarantine
    17:05:16.0781 3312 \Device\Harddisk0\DR0\TDLFS\dbg32 - copied to quarantine
    17:05:16.0828 3312 \Device\Harddisk0\DR0\TDLFS\dbg64 - copied to quarantine
    17:05:16.0890 3312 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
    17:05:17.0875 3312 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
    17:05:17.0953 3312 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
    17:05:18.0234 3312 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
    17:05:18.0312 3312 \Device\Harddisk0\DR0\TDLFS\subid - copied to quarantine
    17:05:18.0328 3312 \Device\Harddisk0\DR0\TDLFS\info - copied to quarantine
    17:05:18.0359 3312 \Device\Harddisk0\DR0\TDLFS\main - copied to quarantine
    17:05:18.0375 3312 \Device\Harddisk0\DR0\TDLFS\mainfb.script - copied to quarantine
    17:05:18.0468 3312 \Device\Harddisk0\DR0\TDLFS\com32 - copied to quarantine
    17:05:18.0562 3312 \Device\Harddisk0\DR0\TDLFS\bbr232 - copied to quarantine
    17:05:18.0640 3312 \Device\Harddisk0\DR0\TDLFS\serf_conf - copied to quarantine
    17:05:18.0750 3312 \Device\Harddisk0\DR0\TDLFS\bbr_conf - copied to quarantine
    17:05:18.0812 3312 \Device\Harddisk0\DR0\TDLFS\serf332 - copied to quarantine
    17:05:18.0968 3312 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Quarantine
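A small triage parser for TDSSKiller logs in the shape of the one posted above, added here as an example; it is not code from the thread or from TDSSKiller itself. The sample log embedded in it is constructed, with placeholder MD5 values, and the parser pulls out the detections, the user action and the quarantined files a responder wants to confirm before moving on.

```python
"""Triage of a TDSSKiller log in the shape posted above (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Every line starts with "HH:MM:SS.ffff <thread id> "; the rest varies.
PREFIX = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+(?P<rest>.*)$")
# "<object> ( <threat> ) - infected"  or  "<object> ( <threat> ) - User select action: <x>"
RE_VERDICT = re.compile(r"^(?P<obj>.+?) \( (?P<threat>[^)]+) \) - "
                        r"(?P<action>infected|User select action: .+)$")
# "<object> - detected <threat> (<code>)"
RE_DETECTED = re.compile(r"^(?P<obj>.+?) - detected (?P<threat>.+?) \((?P<code>\d+)\)$")
# "<object> - ok"  or  "<object> - copied to quarantine"
RE_STATUS = re.compile(r"^(?P<obj>.+?) - (?P<status>ok|copied to quarantine)$")
# "<name> (<md5>) <path>": the object about to be examined
RE_OBJECT = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
RE_COUNT = re.compile(r"^(?P<actual>Actual )?[Dd]etected object count: (?P<n>\d+)$")

@dataclass
class ScanSummary:
    objects: dict = field(default_factory=dict)       # name -> (md5, path)
    ok: int = 0                                       # objects reported "- ok"
    infected: dict = field(default_factory=dict)      # object -> threat name
    detected: list = field(default_factory=list)      # (object, threat, code)
    quarantined: list = field(default_factory=list)   # objects copied out
    user_actions: dict = field(default_factory=dict)  # object -> (threat, action)
    reported_count: Optional[int] = None
    actual_count: Optional[int] = None

def parse_log(text: str) -> ScanSummary:
    """Walk the log once and bucket each recognised line shape."""
    s = ScanSummary()
    for raw in text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue  # blank lines or text that is not a log record
        rest = m.group("rest")
        if v := RE_VERDICT.match(rest):
            if v["action"] == "infected":
                s.infected[v["obj"]] = v["threat"]
            else:
                action = v["action"].removeprefix("User select action: ")
                s.user_actions[v["obj"]] = (v["threat"], action)
        elif d := RE_DETECTED.match(rest):
            s.detected.append((d["obj"], d["threat"], int(d["code"])))
        elif st := RE_STATUS.match(rest):
            if st["status"] == "ok":
                s.ok += 1
            else:
                s.quarantined.append(st["obj"])
        elif o := RE_OBJECT.match(rest):
            s.objects[o["name"]] = (o["md5"], o["path"])
        elif c := RE_COUNT.match(rest):
            if c["actual"]:
                s.actual_count = int(c["n"])
            else:
                s.reported_count = int(c["n"])
    return s

def hidden_fs_entries(s: ScanSummary) -> list:
    """Quarantined paths under TDLFS, the bootkit's hidden volume on the disk."""
    return [q for q in s.quarantined if "\\TDLFS\\" in q]

def issues(s: ScanSummary) -> list:
    """Inconsistencies a responder should not skim past."""
    out = []
    if s.reported_count is not None and s.reported_count != len(s.detected):
        out.append(f"log reports {s.reported_count} detections, found {len(s.detected)}")
    for obj, threat, _ in s.detected:
        if obj not in s.user_actions:
            out.append(f"{obj}: {threat} detected but no action recorded")
        elif obj not in s.quarantined:
            out.append(f"{obj}: action taken but no quarantine copy logged")
    return out

# Constructed sample in the log's format; the MD5 values are placeholders.
SAMPLE_LOG = r"""
17:03:50.0562 1652 Fastfat (00000000000000000000000000000001) C:\WINDOWS\system32\drivers\Fastfat.sys
17:03:50.0578 1652 Fastfat - ok
17:03:52.0750 1652 lbrtfdc - ok
17:04:05.0750 1652 MBR (0x1B8) (00000000000000000000000000000002) \Device\Harddisk0\DR0
17:04:05.0781 1652 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
17:04:05.0781 1652 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
17:04:05.0796 1652 Boot (0x1200) (00000000000000000000000000000003) \Device\Harddisk0\DR0\Partition0
17:04:05.0796 1652 \Device\Harddisk0\DR0\Partition0 - ok
17:04:05.0796 1652 Scan finished
17:04:05.0828 3312 Detected object count: 1
17:04:05.0828 3312 Actual detected object count: 1
17:05:16.0484 3312 \Device\Harddisk0\DR0 - copied to quarantine
17:05:16.0562 3312 \Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
17:05:18.0968 3312 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Quarantine
"""

if __name__ == "__main__":
    summary = parse_log(SAMPLE_LOG)
    for obj, threat, _ in summary.detected:
        print(f"{threat} at {obj}; user action: {summary.user_actions.get(obj)}")
    print("hidden-volume files copied out:", hidden_fs_entries(summary))
    print("issues:", issues(summary) or "none")
```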
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    ctmbha.dll is a Creative Filter AudioControlMB Module, related to the Creative Audigy line of sound cards. Manufacturer: Creative Technology Ltd. With that type of message on startup, the process needing this can be removed from the Startup menu.
    =====================================
    It's important that you follow below in order given:

    NOTE: If, for some reason, Combofix refuses to run, try one of the following:
    1. Run Combofix from Safe Mode.
    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to friday.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    -------------------------------------
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 3 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, then try to immediately run the following:

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan.
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).

    Rkill instructions
    Once you've gotten one of them to run
    • immediately double click on friday.exe to run
    • If normal mode still doesn't work, run BOTH tools from safe mode.

    If you have done #2, please post BOTH logs, rKill and Combofix.
    ===================================
    You should be able to run DDS now.
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the download image to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the ESET Smart Installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

    We're going to have to look into your security and try to prevent the assortment of malware! I'll have you do a Bootkit scan after these.
     
  12. Eric72

    Eric72 TS Rookie Topic Starter Posts: 34

    I'm still having some trouble running Combofix, despite several different attempts. In each case, I let it run for about an hour - one case for over two to ensure that I wasn't killing it too early. It consistently hangs up after the prompt saying that it should only take 10-20 minutes. In each case, I notice that the clock in the lower right of the screen freezes at the time of hang-up, up to five minutes after I've launched it.

    Also, Rkill did not produce a log every time I ran it, although I did always see the black DOS window flash briefly - did it still run properly in those cases?

    Here are the additional steps I've taken...

    In Normal Mode:
    - Ran Rkill, no log
    - Ran Exehelper
    - Ran Combofix but it hung up

    Rebooted into Safe Mode:
    - Ran Rkill.com, no log
    - Ran Rkill.scr, no log
    - Ran Rkill.exe, log produced
    - Ran Exehelper
    - Ran Combofix - it hung up

    Rebooted in Safe Mode:
    - Ran Rkill, no log
    - Ran Exehelper
    - Ran Combofix as "Friday.exe" according to the instructions, but it still got hung up

    Rebooted in Safe Mode:
    - Ran Rkill, no log
    - Ran Exehelper
    - Ran DDS - it locked up

    Rebooted in Safe Mode:
    - Ran Rkill, no log
    - Ran Exehelper
    - Ran ESET, log produced

    Following this post, I'll post the single Rkill log, the Exehelper log, and the ESET log

    Again, I appreciate the help!
     
  13. Eric72

    Eric72 TS Rookie Topic Starter Posts: 34

    Rkill log:

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 11/09/2011 at 12:41:00.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:

    C:\Documents and Settings\Administrator\Desktop\rkill.scr
    C:\Documents and Settings\Administrator\Desktop\rkill.exe


    Rkill completed on 11/09/2011 at 12:42:15.
     
  14. Eric72

    Eric72 TS Rookie Topic Starter Posts: 34

    Exehelper log:

    exeHelper by Raktor
    Build 20100414
    Run at 11:19:24 on 11/09/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    exeHelper by Raktor
    Build 20100414
    Run at 12:43:42 on 11/09/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    exeHelper by Raktor
    Build 20100414
    Run at 14:25:42 on 11/09/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    exeHelper by Raktor
    Build 20100414
    Run at 14:40:12 on 11/09/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--
     
  15. Eric72

    Eric72 TS Rookie Topic Starter Posts: 34

    ESET log:

    C:\Program Files\FoxTabAudioConverter\AudioConverter.exe a variant of Win32/InstallCore.A application
    C:\TDSSKiller_Quarantine\07.11.2011_17.02.54\mbr0000\tdlfs0000\tsk0005.dta a variant of Win32/Kryptik.UWS trojan
    C:\TDSSKiller_Quarantine\07.11.2011_17.02.54\mbr0000\tdlfs0000\tsk0006.dta Win64/Olmasco.V trojan
    C:\TDSSKiller_Quarantine\07.11.2011_17.02.54\mbr0000\tdlfs0000\tsk0007.dta a variant of Win32/Olmasco.O trojan
    C:\TDSSKiller_Quarantine\07.11.2011_17.02.54\mbr0000\tdlfs0000\tsk0009.dta Win64/Olmasco.V trojan
    C:\TDSSKiller_Quarantine\07.11.2011_17.02.54\mbr0000\tdlfs0000\tsk0010.dta Win32/Olmasco.U trojan
    C:\TDSSKiller_Quarantine\07.11.2011_17.02.54\mbr0000\tdlfs0000\tsk0015.dta a variant of Win32/Kryptik.UWS trojan
    C:\TDSSKiller_Quarantine\07.11.2011_17.02.54\mbr0000\tdlfs0000\tsk0016.dta a variant of Win32/Kryptik.UWS trojan
    Operating memory a variant of Win32/Olmasco.Q trojan
     
  16. Eric72

    Eric72 TS Rookie Topic Starter Posts: 34

    Bobbye - Any guidance on next steps?

    Just wanted to keep the thread active, in case the 5-day rule would shut it down tomorrow.

    Thanks,
    Eric
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'm so sorry Eric- I wouldn't close the thread when it's my fault! I broke my left hand last week (I'm left handed) and couldn't type for a few days. Am now trying to catch up but still have to limit time on keyboard.
    ========================================
    Run the following in Normal Mode, then leave the log:
    Bootkit Remover:

    Download bootkitremover.rar and save to your desktop.
    1. Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. (Use 7-Zip if you don't have an extraction program.)
    2. Double-click on the remover.exe file to run the program.
      (Vista/7 users, right click on remover.exe and click Run As Administrator.)
    3. You will see a black screen with data
    4. Right click on the screen and click Select All.
    5. Press CTRL+C
    6. Open a Notepad and press CTRL+V
    7. Paste the output in your next reply.
    =====================================
    The sequence of programs I gave you was not done correctly and was ineffective. Let's see what this shows, and I'll then decide how to proceed.

    In the meantime, please do not run any other cleaning or 'helper' scans.
     
  18. Eric72

    Eric72 TS Rookie Topic Starter Posts: 34

    Gosh, sorry to hear about your hand, Bobbye - I hope it heals quickly!

    The provided link to bootkitremover.rar does not appear valid - I get a "file not found" error. I did find a bootkit_remover.zip program on the esagelab.com website, however - should I download and run that?

    Thanks,
    Eric
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thanks for letting me know about the URL. The zip one looks okay, so go ahead and download, save, extract and run:
    http://www.esagelab.com/files/bootkit_remover.zip

    Let me know if there is any problem with the zip version.

    Hand slowly getting better- still limited on keyboard.
     
  20. Eric72

    Eric72 TS Rookie Topic Starter Posts: 34

    OK - here's the log:

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Good job! We found it!
    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:

    Code:

    @ECHO OFF
    START remover.exe fix \\.\PhysicalDrive0
    EXIT

    • Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
    • In the FILE NAME box type fix.bat.
    • Save fix.bat to your Desktop.
    • Double click on fix.bat to run.
      You may see a black box appear; this is normal.
    • When done, run remover.exe again and post its output.


    Did the zip download run smoothly?
     
  22. Eric72

    Eric72 TS Rookie Topic Starter Posts: 34

    Sounds like good news!

    I followed your instructions, but when I double-click fix.bat, "remover.exe" cannot be found.

    I think the issue may be this: when I downloaded bootkit_remover.zip and extracted, the only executable file is called boot_cleaner. That's the file I ran to get the last log. Is that the file we should be executing with the code you provided? I know their output log specified "remover.exe", but perhaps that is simply incorrect. What do you think?

    The zip file did download and run just fine.
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I just downloaded the bootkit zip. When you look at the download, you see 3 files. But you have to go through the zip wizard to make them active.

    Just click on 'extract all files'> follow the 'wizard'> then double click on the bootkit remover.exe to run. If you did not do this when you first downloaded it, then it's not actually usable.

    Download again if needed, walk with the wizard, run the program and use the same code I left for you. Let me know if there is a problem
     
  24. Eric72

    Eric72 TS Rookie Topic Starter Posts: 34

    The steps you list above are the same ones I followed when downloading the bootkit_remover.zip file. Of the 3 files extracted, only one is an executable file, named boot_cleaner.exe. Since there is no file named "remover.exe" the code you provided is returning an error. I went ahead and modified the code by replacing "remover.exe" with "boot_cleaner.exe", and the program produced the following log:

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00
    Restoring boot code at \\.\PhysicalDrive0...
    OK

    Done;
    Press any key to quit...


    The program highly recommended a reboot after executing, which I allowed it to do. After the reboot, I ran boot_cleaner again, and it produced the following log:

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Eric, I managed to chase around for info on the bootkit scan. It appears that the rar version may have also included the remover.exe file when unzipped. But the URL you found does not include the file. I tried the downloads and it now includes 2 separate downloads> one for the scan itself and another with the remover.exe.

    I'm not comfortable using the zip scan, then using the second download. Although running the 2 does what we want, I am not clear on why all URL references to this program are still showing the original URL which is a 404.

    I'd like you to try the following instead:

    Please download MBRCheck and save to your desktop
    • Double click on MBRCheck.exe to run.
    • It will show a Black screen with some information that will contain
      [o] Found non-standard or infected MBR.
      (you should see information about Physical Drive0 controlled by a rootkit as before)
    • Do you want to fix the MBR code? Type 'YES' > then Enter to continue.
    • Select 2: > (Restore the MBR of a physical disk with a standard boot code.)
    • Enter 0 for the physical disk number to fix> then Enter.
    • For available MBR codes choose 1 for Windows XP> then enter
    • The program will prompt for confirmation. Type 'YES'> then Enter
    • Left click on the title bar (where program name and path is written).
    • Click on Edit -> Select All> Enter> Copy
    • Paste that text into Notepad, save it to your desktop as "MBRCheck results.txt"
    • Important! Restart your PC for the fix to take effect.
    • Post the contents of the MBRCheck results log in your next reply.
    ======================================
    If you have any problem or if the information you get does not match 'Physical Drive0 controlled by a rootkit', stop and let me know.
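The Bootkit Remover and MBRCheck steps in this thread both come down to one question: does the boot code in the master boot record still match a known-good copy, and does the partition table still point at the real system volume? The following is an added example, not code from the thread, from Esage Lab or from the MBRCheck author, showing that check in Python. It parses a 512-byte MBR image, validates the 0x55AA signature, decodes the partition entries, hashes the 440-byte boot-code region and compares it against a baseline, and checks that the "System volume ... at offset 0x00000000`036e8e00" mapping from the log above lands on a partition start. The MBR bytes, the partition layout and the baseline hash are all constructed here for the demonstration; a real baseline would be a vetted hash of the standard Windows XP boot code, and the image would be read from the physical drive rather than built in memory.

```python
"""Added example: a minimal MBR integrity check of the kind the tools in this
thread perform. Everything below (boot code, partition layout, baseline hash)
is constructed for illustration; it is not a real Windows XP MBR."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439 hold the boot code in a classic MBR
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
SIGNATURE = b"\x55\xAA"  # bytes 510..511, the MBR boot signature
PART_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, start LBA, sector count

# Constructed stand-in for clean boot code (a few plausible opcodes, then NOPs).
CLEAN_BOOT_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 8)
# Constructed stand-in for boot code that a bootkit has replaced: same size, different bytes.
TAMPERED_BOOT_CODE = b"\x00" * 16 + CLEAN_BOOT_CODE[16:]

# Volume offset taken from the Bootkit Remover log in this thread: 0x036e8e00 bytes.
VOLUME_OFFSET = 0x036E8E00
# Constructed partition table: one bootable NTFS (type 0x07) partition that starts
# where the log says the system volume starts. Sector count is a made-up value.
PARTITIONS = [(0x80, 0x07, VOLUME_OFFSET // SECTOR, 312_000_000)]


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR image from boot code and (status, type, start_lba, sectors) tuples."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (status, ptype, start_lba, sectors) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        # CHS fields are left zero; the LBA fields are what tooling relies on.
        mbr[off:off + 16] = struct.pack(PART_FMT, status, b"\0\0\0", ptype, b"\0\0\0", start_lba, sectors)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


def parse_partitions(mbr: bytes):
    """Decode the non-empty partition entries of an MBR image."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, start_lba, sectors = struct.unpack(PART_FMT, mbr[off:off + 16])
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "start_lba": start_lba, "sectors": sectors})
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only (the partition table legitimately varies per machine)."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str, volume_offset: int) -> dict:
    """Return findings: signature present, boot code matches baseline, and whether the
    reported system-volume byte offset lands on a partition start in the table."""
    findings = {"signature_ok": len(mbr) == SECTOR and mbr[510:512] == SIGNATURE}
    findings["boot_code_ok"] = boot_code_hash(mbr) == baseline_hash
    parts = parse_partitions(mbr)
    findings["partitions"] = parts
    lba = volume_offset // SECTOR
    findings["volume_lba"] = lba
    findings["volume_maps_to_partition"] = any(p["start_lba"] == lba for p in parts)
    return findings


# Constructed baseline: the hash of our own clean image. A real deployment would
# ship vetted hashes of known standard boot codes, as MBRCheck does.
BASELINE_HASH = boot_code_hash(build_mbr(CLEAN_BOOT_CODE, PARTITIONS))


def demo():
    clean = check_mbr(build_mbr(CLEAN_BOOT_CODE, PARTITIONS), BASELINE_HASH, VOLUME_OFFSET)
    tampered = check_mbr(build_mbr(TAMPERED_BOOT_CODE, PARTITIONS), BASELINE_HASH, VOLUME_OFFSET)
    return clean, tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered"), demo()):
        verdict = "boot code matches baseline" if result["boot_code_ok"] else "boot code does NOT match baseline"
        print(f"{label}: signature_ok={result['signature_ok']}, {verdict}, "
              f"volume LBA {result['volume_lba']} on partition start={result['volume_maps_to_partition']}")
```

The point of hashing only the first 440 bytes is that the partition table and disk signature differ from machine to machine, while the boot code shipped by a given Windows version is fixed; that is why a tool can say "non-standard or infected MBR" from a hash comparison alone. Note that a bootkit which filters disk reads, as the "hidden by a rootkit" wording in the log suggests, can return the clean sector to any user-mode reader, so a check like this is trustworthy only when run from outside the infected OS (boot media) or through a driver that bypasses the filtering, which is what the remover tools in this thread attempt.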
     
