TechSpot

Whistler.a bootkit -- am I now clean?

By Seb7
Mar 13, 2012
  1. OS: Vista Business 32-bit SP2
    H/W: Dell Optiplex 755
    RAM: 4G

    Symptoms:
    =========
    None now. Previously, when connected to the network, AVG Network scanner Service would take a lot of CPU cycles (but not 50 or 100%). This would start a few seconds after being connected to the network (and thus the Internet) and stop when the NIC was disabled or unplugged. The (dual-core) system became so sluggish that the mouse cursor would stop responding for minutes at a time, sometimes the screen would go black for a few seconds and Windows would then display a balloon notification saying 'Display driver amdkmdap stopped responding and has successfully recovered.' I would guess there to be a high priority (possibly invisible) process using most of the CPU as Task Manger and System Explorer would not show any process using all the CPU cycles. Prior to these systems, the System would blue screen a minute or so after booting up, whether or not the machines was logged on.

    History
    =====
    On 06-Mar-12, an up-to-date (in terms of definititions - obviously it is deprecated) AVG 9 detected Win32/Cryptor located in an EXE file %TEMP% where the process was javaw.exe. 1 second later, same virus, same file but the process was regsvr32.exe. 13 seconds later, the same virus in a different exe in C:\Windows\Temp (which is not an environment variable). Then the machine blue-screened. So:
    Code:
    "Virus found Win32/Cryptor";"c:\Users\%USERNAME%.%USERDOMAIN%\AppData\Local\Temp\0.5944445455683106g8j8.exe";"Infected";"06/03/2012, 11:42:45";"file";"C:\Program Files\Java\jre6\bin\javaw.exe"
    "Virus found Win32/Cryptor";"c:\Users\%USERNAME%.%USERDOMAIN%\AppData\Local\Temp\0.5944445455683106g8j8.exe";"Infected";"06/03/2012, 11:42:46";"file";"C:\Windows\system32\regsvr32.exe"
    "Virus found Win32/Cryptor";"c:\Windows\Temp\_ex-68.exe";"Infected";"06/03/2012, 11:42:59";"file";"C:\Users\JAMES~1.SYN\AppData\Local\Temp\0.2252302422435205g8j8.exe"
    The previous system shutdown at 11:43:08 on 06/03/2012 was unexpected.
    The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000050 (0xfffffffe, 0x00000001, 0x89d5c7ff, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP.
    
    A few more blue screens followed and then I was told about the situation by the user. I immediately unplugged the machine from the network and determined that the machine would blue screen a few minutes after booting without logging it on. I asked my colleague what happened and he said that AVG had briefly popped up some virus alerts about a Cryptor virus and then the machine had blue screened. So I rebooted it in Safe Mode without problems at 12:24 and starting investigating. I ran a command-line AVG scan and it found the above two infected files and moved them to Virus Vault (Quarantine). While it was scanning I looked around myself found several files in %TEMP% and C:\Windows\Temp created at 11:42 and so after the scan had finished I renamed all of them prefixing their filenames with "Suspect ". I also looked in Task Manager and searched the registry. I found a registry entry pointing at
    \??\%TEMP%\5689.sys
    in:
    HKLM\System\ControlSet???(various)\Services\5689. This made me sure that at least one of these files was a virus that AVG9 was not picking up. As I had renamed it, I knew it would not start, so I didn't touch the registry. I rebooted in Normal Mode, and the machine no longer blue screened. As expected:
    The 5689 service failed to start due to the following error:
    The system cannot find the file specified.
    As I wanted Internet access to update virus definititions, etc., I put the computer an an isolated VLAN where it's Internet access was going through a firewall with only output access allowed to selected DNS servers, port 80 and 443. The firewall was running Snort with all categories enabled. I also changed its DNS servers to the openDNS ones (via DHCP).
    The next day I uploaded the 5689.sys file to VirusTotal but only 2 scanners detected it (Dr. Web and Sophos) with generic type names. It is now detected by 13 but still not AVG:
    https://www.virustotal.com/file/09f1512461887659ce803d17772075261bb5f6536f08a8d7afe6eef543e0829c/analysis/1331573345/
    I also uploaded the other files and some were detected by a few scanners, increasing in number over the past week. Most relevant is probably E.class, detected by some as Exploit.Java.CVE-2011-3544.P (AVG did not detect it). This is obviously how the machine got the Cryptor virus and disabled UAC).
    But I also saw this later in the AVG Resident Shield logs:
    Code:
    "Trojan horse Agent3.WJV";"c:\Windows\System32\drivers\Wdf01000.sys";"Object is white-listed (critical/system file that should not be removed)";"06/03/2012, 15:58:15";"file";"System"
    I ran a manual scan and it no longer found any problem with Wdf01000.sys.
    I uploaded the file to VirusTotal but it was not detected as suspicious. I tried SFC /SCANNOW and it did not find any problems except tcpmon.ini being corrupt. (IIRC) I took the hashes of the file and googled them and people thought it was OK. I googled the tcpmon.ini issue and someone said it was OK and that SFC /SCANNOW had problems with it. Ref I installed System Explorer and did a Security Scan and nearly all the process came back OK, and I looked into the others and they all had a right to be there. As Sophos was one of the only scanners that seemed to detecting some of the suspected files I submitted to VirusTotal I installed their free manual scanning tool. It picked up 3 of the files I had already renamed, but not the Wdf01000.sys file. So I began to think I was clean. But I noticed that I was getting alerts from Snort saying things like executable code had been downloaded as well as other ones. I ran Wireshark on the PC and saw it was downloading lots of updates from various legitimate update software. But I also noticed that from time to time AVG would tell me that there were tracking cookies used by iexplore.exe. As I was using Firefox and Internet Explorer did not seem to be running, this was weird. I installed ThreatFire and it almost immediately told me there was a hidden iexplore.exe process running and did I want it to continue. I had seen that some service on the computer was doing GETs on IP address within the network that the machine had been on before I isolated it, so I assumed that that service may be using iexplore.exe to perform those GETs for the reporting that it does. Legitimate. However, I stopped that service and the AVG warnings continued. So I told Threatfire to block hidden iexplore.exe processes and it all quietened down.

    I noticed that if I connected to the machine via Remote Desktop, it was barely usable (CPU loaded so much) so I reverted to the local console. It seemed it may be connected to a cheduled Task that runs when someone connects to the machine. *(The machine no longer has this unresponsiveness problem today.)

    At some point, I rebooted the machine as I thought it was clean. I also updated Java, installed a Windows Update and installed the NoScript add-on for Firefox (enabling scripts globally but disabling plug-ins).

    At some point, it became apparent that whenever the machine was connected the network it became unresponsive, lots of CPU cycles would be taken by AVG Network Scanner, possibly even more by something hidden, and the hidden iexplore.exe was still starting up if I removed the allow from ThreatFire. Wireshark would just show what looked to be normal stuff, but analysis today of all websites visited on Friday showed 1 suspicious one (with the current Firefox User-Agent). I visited the URL myself on my PC and Firefox+NoScript tried to download the photos.jsp file that contained obfuscated HTML. Rather not the HTML was obfuscated, but what would be visibly displayed in a browser was unintelligable to me. I assumed it was very suspicious and so I googled the domain name. McAfee SiteAdvisor said it was risky I googled "solutionadnet.com photos.jsp" (without quotes) and found a page asking the op to download and run TDSSKiller. As this was made by Kaspersky and came with instructions from them, I decided that running it myself was not too risky. I downloaded it to my PC, immunized a USB stick, copied it onto the USB stick, ran it on the infected PC and it detected and fixed after a reboot:
    Wdf01000 ( Virus.Win32.Rloader.a ) - infected
    \Device\Harddisk0\DR0 ( Rootkit.Boot.Wistler.a ) - infected

    I will post the full log below.

    After the reboot, I wanted to see if the suspicious behaviour had gone so I removed the Threatfire rules on iexplore.exe and reconnected to the network. It no longer went unresponsive. iexplore.exe no longer starts up. I can now connect via Remote Desktop without unresponsivel behaviour. So is the machine clean?

    Looking back now, I can see something suspicious that may need looking at:
    When I booted into Safe Mode, this was one of the System errors in the EventLog:
    Source: sptd
    Driver detected an internal error in its data structures for .
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I must let you know that if you want such detailed help, you will need to have either the office IT if this is for work, or a tech that you pay at a shop.

    Help on free internet computer boards is all done by volunteers. We are so busy in the forum and while all of your documentation is probably very good, it is way more detailed than we can deal with. It's not your history that we need, but rather what is the status of the system now. For that>>

    Please follow these steps: Preliminary Virus and Malware Removal.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply .
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    We will go from what I see in the current logs. Please don't do anymore yourself while I am helping you.
    ====================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process..
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.
     
  3. Seb7

    Seb7 TS Rookie Topic Starter

    OK, I didn't have room to post my logs before. Here they are:

    This sptd is also listed in TDSSKiller:

    13:49:02.0447 2656 TDSS rootkit removing tool 2.7.20.0 Mar 9 2012 17:10:43
    13:49:02.0493 2656 ============================================================
    13:49:02.0493 2656 Current date / time: 2012/03/12 13:49:02.0493
    13:49:02.0493 2656 SystemInfo:
    13:49:02.0493 2656
    13:49:02.0493 2656 OS Version: 6.0.6002 ServicePack: 2.0
    13:49:02.0493 2656 Product type: Workstation
    13:49:02.0493 2656 ComputerName: JAMES-PC
    13:49:02.0494 2656 UserName: James
    13:49:02.0494 2656 Windows directory: C:\Windows
    13:49:02.0494 2656 System windows directory: C:\Windows
    13:49:02.0494 2656 Processor architecture: Intel x86
    13:49:02.0494 2656 Number of processors: 2
    13:49:02.0494 2656 Page size: 0x1000
    13:49:02.0494 2656 Boot type: Normal boot
    13:49:02.0494 2656 ============================================================
    13:49:03.0433 2656 Drive \Device\Harddisk0\DR0 - Size: 0x3A35294400 (232.83 Gb), SectorSize: 0x200, Cylinders: 0x76BA, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
    13:49:03.0497 2656 Drive \Device\Harddisk5\DR6 - Size: 0x7A80000 (0.12 Gb), SectorSize: 0x200, Cylinders: 0xF, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
    13:49:03.0498 2656 \Device\Harddisk0\DR0:
    13:49:03.0498 2656 MBR used
    13:49:03.0498 2656 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x2F800, BlocksNum 0x1400000
    13:49:03.0498 2656 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x142F800, BlocksNum 0x1BD79000
    13:49:03.0498 2656 \Device\Harddisk5\DR6:
    13:49:03.0499 2656 MBR used
    13:49:03.0499 2656 \Device\Harddisk5\DR6\Partition0: MBR, Type 0xB, StartLBA 0x20, BlocksNum 0x3AD2F
    13:49:03.0555 2656 Initialize success
    13:49:03.0555 2656 ============================================================
    13:49:10.0151 5348 ============================================================
    13:49:10.0151 5348 Scan started
    13:49:10.0151 5348 Mode: Manual; SigCheck; TDLFS;
    13:49:10.0151 5348 ============================================================
    13:49:11.0483 5348 5689 - ok
    13:49:11.0646 5348 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
    13:49:11.0816 5348 ACPI - ok
    13:49:12.0093 5348 ADIHdAudAddService (3db3fb83217627d9a0cb8bae6cc5b491) C:\Windows\system32\drivers\ADIHdAud.sys
    13:49:12.0150 5348 ADIHdAudAddService - ok
    13:49:12.0278 5348 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
    13:49:12.0298 5348 adp94xx - ok
    13:49:12.0420 5348 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
    13:49:12.0437 5348 adpahci - ok
    13:49:12.0556 5348 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
    13:49:12.0573 5348 adpu160m - ok
    13:49:12.0650 5348 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
    13:49:12.0667 5348 adpu320 - ok
    13:49:12.0816 5348 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
    13:49:12.0904 5348 AFD - ok
    13:49:13.0137 5348 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
    13:49:13.0154 5348 agp440 - ok
    13:49:13.0202 5348 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
    13:49:13.0222 5348 aic78xx - ok
    13:49:13.0254 5348 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
    13:49:13.0271 5348 aliide - ok
    13:49:13.0357 5348 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
    13:49:13.0397 5348 amdagp - ok
    13:49:13.0452 5348 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
    13:49:13.0469 5348 amdide - ok
    13:49:13.0548 5348 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
    13:49:13.0613 5348 AmdK7 - ok
    13:49:13.0674 5348 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
    13:49:13.0719 5348 AmdK8 - ok
    13:49:14.0562 5348 amdkmdag (da3cf5b94ad09290896e2b73df6d4173) C:\Windows\system32\DRIVERS\atikmdag.sys
    13:49:14.0962 5348 amdkmdag - ok
    13:49:15.0050 5348 amdkmdap (46a3f55772fd2d1526994693ae352579) C:\Windows\system32\DRIVERS\atikmpag.sys
    13:49:15.0081 5348 amdkmdap - ok
    13:49:15.0259 5348 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
    13:49:15.0275 5348 arc - ok
    13:49:15.0473 5348 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
    13:49:15.0491 5348 arcsas - ok
    13:49:15.0571 5348 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
    13:49:15.0635 5348 AsyncMac - ok
    13:49:15.0712 5348 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
    13:49:15.0731 5348 atapi - ok
    13:49:15.0846 5348 AtiHDAudioService (8579387516ec86d76404ddffc22214c4) C:\Windows\system32\drivers\AtihdLH3.sys
    13:49:15.0958 5348 AtiHDAudioService - ok
    13:49:16.0044 5348 AtiHdmiService (d7672d90ef03d0e2efdb02df5045a359) C:\Windows\system32\drivers\AtiHdmi.sys
    13:49:16.0057 5348 AtiHdmiService - ok
    13:49:16.0403 5348 atikmdag (da3cf5b94ad09290896e2b73df6d4173) C:\Windows\system32\DRIVERS\atikmdag.sys
    13:49:16.0603 5348 atikmdag - ok
    13:49:16.0877 5348 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\Windows\System32\Drivers\avgldx86.sys
    13:49:16.0895 5348 AvgLdx86 - ok
    13:49:16.0985 5348 AvgMfx86 (80ff2b1b7eeda966394f0baa895bbf4b) C:\Windows\System32\Drivers\avgmfx86.sys
    13:49:16.0999 5348 AvgMfx86 - ok
    13:49:17.0155 5348 AvgTdiX (9a7a93388f503a34e7339ae7f9997449) C:\Windows\System32\Drivers\avgtdix.sys
    13:49:17.0170 5348 AvgTdiX - ok
    13:49:17.0451 5348 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
    13:49:17.0506 5348 Beep - ok
    13:49:17.0623 5348 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
    13:49:17.0661 5348 blbdrive - ok
    13:49:17.0849 5348 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
    13:49:17.0911 5348 bowser - ok
    13:49:18.0308 5348 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
    13:49:18.0380 5348 BrFiltLo - ok
    13:49:18.0510 5348 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
    13:49:18.0563 5348 BrFiltUp - ok
    13:49:18.0705 5348 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
    13:49:18.0950 5348 Brserid - ok
    13:49:19.0309 5348 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
    13:49:19.0379 5348 BrSerWdm - ok
    13:49:19.0479 5348 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
    13:49:19.0534 5348 BrUsbMdm - ok
    13:49:19.0576 5348 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
    13:49:19.0640 5348 BrUsbSer - ok
    13:49:19.0855 5348 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
    13:49:19.0907 5348 BTHMODEM - ok
    13:49:20.0133 5348 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
    13:49:20.0168 5348 cdfs - ok
    13:49:20.0422 5348 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
    13:49:20.0465 5348 cdrom - ok
    13:49:20.0557 5348 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
    13:49:20.0602 5348 circlass - ok
    13:49:20.0667 5348 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
    13:49:20.0694 5348 CLFS - ok
    13:49:20.0835 5348 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
    13:49:20.0846 5348 cmdide - ok
    13:49:21.0493 5348 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\drivers\compbatt.sys
    13:49:21.0506 5348 Compbatt - ok
    13:49:21.0847 5348 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
    13:49:21.0861 5348 crcdisk - ok
    13:49:21.0877 5348 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
    13:49:21.0924 5348 Crusoe - ok
    13:49:22.0781 5348 CSC (9bdb2e89be8d0ef37b1f25c3d3fc192c) C:\Windows\system32\drivers\csc.sys
    13:49:22.0908 5348 CSC - ok
    13:49:23.0291 5348 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
    13:49:23.0401 5348 DfsC - ok
    13:49:23.0645 5348 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
    13:49:23.0664 5348 disk - ok
    13:49:23.0795 5348 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
    13:49:23.0831 5348 drmkaud - ok
    13:49:24.0262 5348 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
    13:49:24.0291 5348 DSproct ( UnsignedFile.Multi.Generic ) - warning
    13:49:24.0291 5348 DSproct - detected UnsignedFile.Multi.Generic (1)
    13:49:24.0409 5348 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\Windows\system32\DRIVERS\dsunidrv.sys
    13:49:24.0473 5348 dsunidrv - ok
    13:49:24.0577 5348 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
    13:49:24.0649 5348 DXGKrnl - ok
    13:49:24.0806 5348 e1express (04944f4fc4f0477185f5d26ae0ddb90e) C:\Windows\system32\DRIVERS\e1e6032.sys
    13:49:24.0820 5348 e1express - ok
    13:49:24.0861 5348 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
    13:49:24.0886 5348 E1G60 - ok
    13:49:25.0045 5348 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
    13:49:25.0061 5348 Ecache - ok
    13:49:25.0130 5348 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
    13:49:25.0174 5348 elxstor - ok
    13:49:25.0241 5348 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
    13:49:25.0287 5348 ErrDev - ok
    13:49:25.0318 5348 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
    13:49:25.0373 5348 exfat - ok
    13:49:25.0464 5348 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
    13:49:25.0518 5348 fastfat - ok
    13:49:25.0560 5348 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
    13:49:25.0612 5348 fdc - ok
    13:49:25.0787 5348 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
    13:49:25.0804 5348 FileInfo - ok
    13:49:25.0830 5348 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
    13:49:25.0888 5348 Filetrace - ok
    13:49:25.0945 5348 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
    13:49:26.0070 5348 flpydisk - ok
    13:49:26.0144 5348 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
    13:49:26.0165 5348 FltMgr - ok
    13:49:26.0267 5348 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
    13:49:26.0313 5348 Fs_Rec - ok
    13:49:26.0375 5348 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
    13:49:26.0392 5348 gagp30kx - ok
    13:49:26.0516 5348 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
    13:49:26.0531 5348 GEARAspiWDM - ok
    13:49:26.0601 5348 GemCCID (86d3d834d35ebe920d85ffedcef79faf) C:\Windows\system32\Drivers\GemCCID.sys
    13:49:26.0683 5348 GemCCID - ok
    13:49:26.0854 5348 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
    13:49:26.0947 5348 HdAudAddService - ok
    13:49:26.0980 5348 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
    13:49:27.0041 5348 HDAudBus - ok
    13:49:27.0121 5348 HECI (c865d1f6d03595df213dc3c67e4e4c58) C:\Windows\system32\DRIVERS\HECI.sys
    13:49:27.0176 5348 HECI - ok
    13:49:27.0307 5348 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
    13:49:27.0370 5348 HidBth - ok
    13:49:27.0407 5348 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
    13:49:27.0466 5348 HidIr - ok
    13:49:27.0537 5348 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
    13:49:27.0583 5348 HidUsb - ok
    13:49:27.0628 5348 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
    13:49:27.0672 5348 HpCISSs - ok
    13:49:27.0838 5348 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
    13:49:27.0924 5348 HTTP - ok
    13:49:28.0075 5348 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
    13:49:28.0092 5348 i2omp - ok
    13:49:28.0150 5348 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
    13:49:28.0214 5348 i8042prt - ok
    13:49:28.0324 5348 iaStor (e5a0034847537eaee3c00349d5c34c5f) C:\Windows\system32\drivers\iastor.sys
    13:49:28.0346 5348 iaStor - ok
    13:49:28.0377 5348 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
    13:49:28.0398 5348 iaStorV - ok
    13:49:28.0544 5348 igfx (a03b37dbc601c35de9591b6aa1a20c22) C:\Windows\system32\DRIVERS\igdkmd32.sys
    13:49:28.0697 5348 igfx - ok
    13:49:28.0809 5348 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
    13:49:28.0826 5348 iirsp - ok
    13:49:28.0868 5348 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
    13:49:28.0884 5348 intelide - ok
    13:49:28.0953 5348 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
    13:49:29.0004 5348 intelppm - ok
    13:49:29.0087 5348 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
    13:49:29.0144 5348 IpFilterDriver - ok
    13:49:29.0220 5348 IpInIp - ok
    13:49:29.0275 5348 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
    13:49:29.0330 5348 IPMIDRV - ok
    13:49:29.0527 5348 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
    13:49:29.0587 5348 IPNAT - ok
    13:49:29.0774 5348 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
    13:49:29.0826 5348 IRENUM - ok
    13:49:29.0896 5348 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
    13:49:29.0914 5348 isapnp - ok
    13:49:29.0958 5348 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
    13:49:29.0979 5348 iScsiPrt - ok
    13:49:30.0024 5348 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
    13:49:30.0035 5348 iteatapi - ok
    13:49:30.0077 5348 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
    13:49:30.0088 5348 iteraid - ok
    13:49:30.0153 5348 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
    13:49:30.0164 5348 kbdclass - ok
    13:49:30.0223 5348 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
    13:49:30.0254 5348 kbdhid - ok
    13:49:30.0293 5348 KSecDD (2b2f1638466e8cb091400c9019cc730e) C:\Windows\system32\Drivers\ksecdd.sys
    13:49:30.0323 5348 KSecDD - ok
    13:49:30.0440 5348 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
    13:49:30.0516 5348 lltdio - ok
    13:49:30.0544 5348 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
    13:49:30.0558 5348 LSI_FC - ok
    13:49:30.0603 5348 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
    13:49:30.0617 5348 LSI_SAS - ok
    13:49:30.0722 5348 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
    13:49:30.0738 5348 LSI_SCSI - ok
    13:49:30.0858 5348 LTXMD_VAC (6e4880018d99b7f041a8d0b3f7f43b72) C:\Windows\system32\drivers\lmvac.sys
    13:49:30.0948 5348 LTXMD_VAC - ok
    13:49:31.0009 5348 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
    13:49:31.0053 5348 luafv - ok
    13:49:31.0158 5348 lvpopflt (9fb982de1c8dd769f8ed681dd878b12f) C:\Windows\system32\DRIVERS\lvpopflt.sys
    13:49:31.0176 5348 lvpopflt - ok
    13:49:31.0227 5348 LVPr2Mon (8be71d7edb8c7494913722059f760dd0) C:\Windows\system32\Drivers\LVPr2Mon.sys
    13:49:31.0245 5348 LVPr2Mon - ok
    13:49:31.0294 5348 LVRS (37072ec9299e825f4335cc554b6fac6a) C:\Windows\system32\DRIVERS\lvrs.sys
    13:49:31.0315 5348 LVRS - ok
    13:49:31.0679 5348 LVUVC (44876e70e07e9a653bbe423dbfa35a1a) C:\Windows\system32\DRIVERS\lvuvc.sys
    13:49:31.0932 5348 LVUVC - ok
    13:49:32.0036 5348 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
    13:49:32.0053 5348 megasas - ok
    13:49:32.0105 5348 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
    13:49:32.0129 5348 MegaSR - ok
    13:49:32.0208 5348 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
    13:49:32.0252 5348 Modem - ok
    13:49:32.0275 5348 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
    13:49:32.0316 5348 monitor - ok
    13:49:32.0387 5348 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
    13:49:32.0417 5348 mouclass - ok
    13:49:32.0473 5348 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
    13:49:32.0532 5348 mouhid - ok
    13:49:32.0609 5348 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
    13:49:32.0627 5348 MountMgr - ok
    13:49:32.0645 5348 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
    13:49:32.0671 5348 mpio - ok
    13:49:32.0689 5348 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
    13:49:32.0718 5348 mpsdrv - ok
    13:49:32.0820 5348 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
    13:49:32.0832 5348 Mraid35x - ok
    13:49:32.0859 5348 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
    13:49:32.0898 5348 MRxDAV - ok
    13:49:32.0974 5348 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
    13:49:33.0025 5348 mrxsmb - ok
    13:49:33.0071 5348 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
    13:49:33.0087 5348 mrxsmb10 - ok
    13:49:33.0153 5348 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
    13:49:33.0178 5348 mrxsmb20 - ok
    13:49:33.0199 5348 msahci (f70590424eefbf5c27a40c67afdb8383) C:\Windows\system32\drivers\msahci.sys
    13:49:33.0210 5348 msahci - ok
    13:49:33.0225 5348 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
    13:49:33.0237 5348 msdsm - ok
    13:49:33.0321 5348 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
    13:49:33.0355 5348 Msfs - ok
    13:49:33.0578 5348 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
    13:49:33.0592 5348 msisadrv - ok
    13:49:33.0666 5348 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
    13:49:33.0705 5348 MSKSSRV - ok
    13:49:33.0760 5348 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
    13:49:33.0799 5348 MSPCLOCK - ok
    13:49:33.0846 5348 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
    13:49:33.0876 5348 MSPQM - ok
    13:49:33.0899 5348 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
    13:49:33.0917 5348 MsRPC - ok
    13:49:33.0959 5348 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
    13:49:33.0973 5348 mssmbios - ok
    13:49:34.0058 5348 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
    13:49:34.0102 5348 MSTEE - ok
    13:49:34.0142 5348 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
    13:49:34.0161 5348 Mup - ok
    13:49:34.0243 5348 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
    13:49:34.0268 5348 NativeWifiP - ok
    13:49:34.0343 5348 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
    13:49:34.0373 5348 NDIS - ok
    13:49:34.0476 5348 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
    13:49:34.0545 5348 NdisTapi - ok
    13:49:34.0676 5348 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
    13:49:34.0729 5348 Ndisuio - ok
    13:49:34.0769 5348 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
    13:49:34.0820 5348 NdisWan - ok
    13:49:34.0899 5348 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
    13:49:34.0931 5348 NDProxy - ok
    13:49:34.0955 5348 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
    13:49:35.0013 5348 NetBIOS - ok
    13:49:35.0095 5348 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
    13:49:35.0150 5348 netbt - ok
    13:49:35.0211 5348 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
    13:49:35.0228 5348 nfrd960 - ok
    13:49:35.0308 5348 NPF (b48dc6abcd3aeff8618350ccbdc6b09a) C:\Windows\system32\drivers\npf.sys
    13:49:35.0325 5348 NPF - ok
    13:49:35.0351 5348 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
    13:49:35.0388 5348 Npfs - ok
    13:49:35.0433 5348 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
    13:49:35.0476 5348 nsiproxy - ok
    13:49:35.0662 5348 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
    13:49:35.0722 5348 Ntfs - ok
    13:49:35.0803 5348 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
    13:49:35.0916 5348 ntrigdigi - ok
    13:49:35.0925 5348 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
    13:49:35.0988 5348 Null - ok
    13:49:36.0030 5348 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
    13:49:36.0048 5348 nvraid - ok
    13:49:36.0094 5348 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
    13:49:36.0111 5348 nvstor - ok
    13:49:36.0130 5348 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
    13:49:36.0148 5348 nv_agp - ok
    13:49:36.0187 5348 NwlnkFlt - ok
    13:49:36.0198 5348 NwlnkFwd - ok
    13:49:36.0255 5348 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
    13:49:36.0305 5348 ohci1394 - ok
    13:49:36.0395 5348 Parport (8a79fdf04a73428597e2caf9d0d67850) C:\Windows\system32\DRIVERS\parport.sys
    13:49:36.0429 5348 Parport - ok
    13:49:36.0476 5348 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
    13:49:36.0489 5348 partmgr - ok
    13:49:36.0604 5348 Parvdm (6c580025c81caf3ae9e3617c22cad00e) C:\Windows\system32\DRIVERS\parvdm.sys
    13:49:36.0644 5348 Parvdm - ok
    13:49:36.0703 5348 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
    13:49:36.0719 5348 pci - ok
    13:49:36.0809 5348 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
    13:49:36.0823 5348 pciide - ok
    13:49:36.0863 5348 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
    13:49:36.0878 5348 pcmcia - ok
    13:49:36.0948 5348 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
    13:49:37.0027 5348 PEAUTH - ok
    13:49:37.0111 5348 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
    13:49:37.0148 5348 PptpMiniport - ok
    13:49:37.0183 5348 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
    13:49:37.0225 5348 Processor - ok
    13:49:37.0308 5348 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
    13:49:37.0346 5348 PSched - ok
    13:49:37.0435 5348 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\Windows\system32\Drivers\PxHelp20.sys
    13:49:37.0452 5348 PxHelp20 - ok
    13:49:37.0544 5348 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
    13:49:37.0666 5348 ql2300 - ok
    13:49:37.0751 5348 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
    13:49:37.0770 5348 ql40xx - ok
    13:49:37.0834 5348 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
    13:49:37.0885 5348 QWAVEdrv - ok
    13:49:38.0077 5348 R300 (da3cf5b94ad09290896e2b73df6d4173) C:\Windows\system32\DRIVERS\atikmdag.sys
    13:49:38.0388 5348 R300 - ok
    13:49:38.0561 5348 RapportCerberus_34302 (6b6f0a77365667912360ff1d5e984f25) C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys
    13:49:38.0583 5348 RapportCerberus_34302 - ok
    13:49:38.0620 5348 RapportEI (34992b59780a8a227a9eb54c97dc4608) C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
    13:49:38.0638 5348 RapportEI - ok
    13:49:38.0818 5348 RapportIaso (dd3e4610de9252a957c5bd19bdf47ac4) c:\programdata\trusteer\rapport\store\exts\rapportms\28896\rapportiaso.sys
    13:49:38.0836 5348 RapportIaso - ok
    13:49:38.0949 5348 RapportKELL (a231b5552148ade82ed3dfba25919b75) C:\Windows\system32\Drivers\RapportKELL.sys
    13:49:38.0967 5348 RapportKELL - ok
    13:49:39.0086 5348 RapportPG (060f8e34707d68178a564935ce4546eb) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
    13:49:39.0106 5348 RapportPG - ok
    13:49:39.0166 5348 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
    13:49:39.0214 5348 RasAcd - ok
    13:49:39.0301 5348 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
    13:49:39.0342 5348 Rasl2tp - ok
    13:49:39.0387 5348 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
    13:49:39.0421 5348 RasPppoe - ok
    13:49:39.0496 5348 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
    13:49:39.0511 5348 RasSstp - ok
    13:49:39.0541 5348 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
    13:49:39.0570 5348 rdbss - ok
    13:49:39.0608 5348 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
    13:49:39.0635 5348 RDPCDD - ok
    13:49:39.0730 5348 rdpdr (943b18305eae3935598a9b4a3d560b4c) C:\Windows\system32\DRIVERS\rdpdr.sys
    13:49:39.0764 5348 rdpdr - ok
    13:49:39.0772 5348 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
    13:49:39.0800 5348 RDPENCDD - ok
    13:49:39.0831 5348 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
    13:49:39.0872 5348 RDPWD - ok
    13:49:39.0970 5348 RimUsb (92d33f76769a028ddc54a863eb7de4a2) C:\Windows\system32\Drivers\RimUsb.sys
    13:49:40.0009 5348 RimUsb - ok
    13:49:40.0073 5348 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\Windows\system32\DRIVERS\RimSerial.sys
    13:49:40.0118 5348 RimVSerPort - ok
    13:49:40.0171 5348 ROOTMODEM (75e8a6bfa7374aba833ae92bf41ae4e6) C:\Windows\system32\Drivers\RootMdm.sys
    13:49:40.0210 5348 ROOTMODEM - ok
    13:49:40.0262 5348 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
    13:49:40.0295 5348 rspndr - ok
    13:49:40.0391 5348 SAVOnAccess (127e21305c1880b550bea4b0adfd9d94) C:\Windows\system32\DRIVERS\savonaccess.sys
    13:49:40.0425 5348 SAVOnAccess ( UnsignedFile.Multi.Generic ) - warning
    13:49:40.0426 5348 SAVOnAccess - detected UnsignedFile.Multi.Generic (1)
    13:49:40.0544 5348 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
    13:49:40.0561 5348 sbp2port - ok
    13:49:40.0625 5348 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
    13:49:40.0696 5348 secdrv - ok
    13:49:40.0769 5348 Serenum (ce9ec966638ef0b10b864ddedf62a099) C:\Windows\system32\DRIVERS\serenum.sys
    13:49:40.0812 5348 Serenum - ok
    13:49:40.0850 5348 Serial (6d663022db3e7058907784ae14b69898) C:\Windows\system32\DRIVERS\serial.sys
    13:49:40.0886 5348 Serial - ok
    13:49:40.0932 5348 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
    13:49:40.0978 5348 sermouse - ok
    13:49:41.0022 5348 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
    13:49:41.0061 5348 sffdisk - ok
    13:49:41.0112 5348 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
    13:49:41.0177 5348 sffp_mmc - ok
    13:49:41.0211 5348 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
    13:49:41.0256 5348 sffp_sd - ok
    13:49:41.0422 5348 sfloppy (c33bfbd6e9e41fcd9ffef9729e9faed6) C:\Windows\system32\DRIVERS\sfloppy.sys
    13:49:41.0472 5348 sfloppy - ok
    13:49:41.0538 5348 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
    13:49:41.0554 5348 sisagp - ok
    13:49:41.0642 5348 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
    13:49:41.0658 5348 SiSRaid2 - ok
    13:49:41.0671 5348 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
    13:49:41.0689 5348 SiSRaid4 - ok
    13:49:41.0723 5348 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
    13:49:41.0760 5348 Smb - ok
    13:49:41.0816 5348 SophosBootDriver (6de03cbac3139d2fd8fba4aab4ac5bd0) C:\Windows\system32\DRIVERS\SophosBootDriver.sys
    13:49:41.0826 5348 SophosBootDriver ( UnsignedFile.Multi.Generic ) - warning
    13:49:41.0826 5348 SophosBootDriver - detected UnsignedFile.Multi.Generic (1)
    13:49:41.0879 5348 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
    13:49:41.0895 5348 spldr - ok
    13:49:42.0001 5348 sptd (cdddec541bc3c96f91ecb48759673505) C:\Windows\system32\Drivers\sptd.sys
    13:49:42.0002 5348 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
    13:49:42.0004 5348 sptd ( LockedFile.Multi.Generic ) - warning
    13:49:42.0004 5348 sptd - detected LockedFile.Multi.Generic (1)
    13:49:42.0073 5348 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
    13:49:42.0124 5348 srv - ok
    13:49:42.0183 5348 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
    13:49:42.0230 5348 srv2 - ok
    13:49:42.0290 5348 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
    13:49:42.0320 5348 srvnet - ok
    13:49:42.0464 5348 StillCam (ef70b3d22b4bffda6ea851ecb063efaa) C:\Windows\system32\DRIVERS\serscan.sys
    13:49:42.0514 5348 StillCam - ok
    13:49:42.0609 5348 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
    13:49:42.0619 5348 swenum - ok
    13:49:42.0664 5348 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
    13:49:42.0675 5348 Symc8xx - ok
    13:49:42.0696 5348 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
    13:49:42.0707 5348 Sym_hi - ok
    13:49:42.0792 5348 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
    13:49:42.0803 5348 Sym_u3 - ok
    13:49:42.0897 5348 Tcpip (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\drivers\tcpip.sys
    13:49:42.0927 5348 Tcpip - ok
    13:49:42.0997 5348 Tcpip6 (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\DRIVERS\tcpip.sys
    13:49:43.0030 5348 Tcpip6 - ok
    13:49:43.0062 5348 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
    13:49:43.0100 5348 tcpipreg - ok
    13:49:43.0157 5348 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
    13:49:43.0197 5348 TDPIPE - ok
    13:49:43.0245 5348 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
    13:49:43.0276 5348 TDTCP - ok
    13:49:43.0330 5348 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
    13:49:43.0367 5348 tdx - ok
    13:49:43.0477 5348 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
    13:49:43.0497 5348 TermDD - ok
    13:49:43.0541 5348 TfFsMon (a56ec942ecabfb7849bfa76060f929fb) C:\Windows\system32\drivers\TfFsMon.sys
    13:49:43.0555 5348 TfFsMon - ok
    13:49:43.0591 5348 TfNetMon (917ef522563f6047685486efa486fb3c) C:\Windows\system32\drivers\TfNetMon.sys
    13:49:43.0608 5348 TfNetMon - ok
    13:49:43.0638 5348 TfSysMon (57edbb5fe7ff09bb21121d13bb950ba5) C:\Windows\system32\drivers\TfSysMon.sys
    13:49:43.0653 5348 TfSysMon - ok
    13:49:43.0746 5348 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
    13:49:43.0795 5348 tssecsrv - ok
    13:49:43.0817 5348 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
    13:49:43.0869 5348 tunmp - ok
    13:49:43.0958 5348 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
    13:49:43.0990 5348 tunnel - ok
    13:49:44.0014 5348 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
    13:49:44.0031 5348 uagp35 - ok
    13:49:44.0114 5348 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
    13:49:44.0146 5348 udfs - ok
    13:49:44.0175 5348 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
    13:49:44.0192 5348 uliagpkx - ok
    13:49:44.0217 5348 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
    13:49:44.0237 5348 uliahci - ok
    13:49:44.0309 5348 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
    13:49:44.0327 5348 UlSata - ok
    13:49:44.0347 5348 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
    13:49:44.0365 5348 ulsata2 - ok
    13:49:44.0402 5348 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
    13:49:44.0498 5348 umbus - ok
    13:49:44.0610 5348 usbaudio (32db9517628ff0d070682aab61e688f0) C:\Windows\system32\drivers\usbaudio.sys
    13:49:44.0657 5348 usbaudio - ok
    13:49:44.0692 5348 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
    13:49:44.0722 5348 usbccgp - ok
    13:49:44.0810 5348 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
    13:49:44.0901 5348 usbcir - ok
    13:49:44.0986 5348 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
    13:49:45.0047 5348 usbehci - ok
    13:49:45.0090 5348 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
    13:49:45.0148 5348 usbhub - ok
    13:49:45.0223 5348 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
    13:49:45.0295 5348 usbohci - ok
    13:49:45.0334 5348 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
    13:49:45.0380 5348 usbprint - ok
    13:49:45.0465 5348 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
    13:49:45.0509 5348 USBSTOR - ok
    13:49:45.0552 5348 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
    13:49:45.0579 5348 usbuhci - ok
    13:49:45.0638 5348 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
    13:49:45.0662 5348 usbvideo - ok
    13:49:45.0723 5348 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
    13:49:45.0746 5348 vga - ok
    13:49:45.0771 5348 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
    13:49:45.0802 5348 VgaSave - ok
    13:49:45.0819 5348 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
    13:49:45.0830 5348 viaagp - ok
    13:49:45.0849 5348 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
    13:49:45.0872 5348 ViaC7 - ok
    13:49:45.0932 5348 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
    13:49:45.0971 5348 viaide - ok
    13:49:46.0010 5348 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
    13:49:46.0023 5348 volmgr - ok
    13:49:46.0063 5348 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
    13:49:46.0081 5348 volmgrx - ok
    13:49:46.0148 5348 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
    13:49:46.0164 5348 volsnap - ok
    13:49:46.0220 5348 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
    13:49:46.0236 5348 vsmraid - ok
    13:49:46.0263 5348 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
    13:49:46.0322 5348 WacomPen - ok
    13:49:46.0357 5348 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
    13:49:46.0384 5348 Wanarp - ok
    13:49:46.0409 5348 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
    13:49:46.0437 5348 Wanarpv6 - ok
    13:49:46.0491 5348 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
    13:49:46.0505 5348 Wd - ok
    13:49:46.0545 5348 Wdf01000 (73c5809c82828e34232f9811cb51490e) C:\Windows\system32\drivers\Wdf01000.sys
    13:49:46.0551 5348 Suspicious file (Forged): C:\Windows\system32\drivers\Wdf01000.sys. Real md5: 73c5809c82828e34232f9811cb51490e, Fake md5: 9950e3d0f08141c7e89e64456ae7dc73
    13:49:46.0553 5348 Wdf01000 ( Virus.Win32.Rloader.a ) - infected
    13:49:46.0553 5348 Wdf01000 - detected Virus.Win32.Rloader.a (0)
    13:49:46.0711 5348 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\drivers\wmiacpi.sys
    13:49:46.0741 5348 WmiAcpi - ok
    13:49:46.0779 5348 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
    13:49:46.0824 5348 ws2ifsl - ok
    13:49:46.0929 5348 WSDPrintDevice (4422ac5ed8d4c2f0db63e71d4c069dd7) C:\Windows\system32\DRIVERS\WSDPrint.sys
    13:49:46.0965 5348 WSDPrintDevice - ok
    13:49:47.0023 5348 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
    13:49:47.0073 5348 WUDFRd - ok
    13:49:47.0100 5348 MBR (0x1B8) (3dfbd33517922022aab2367021b4bbec) \Device\Harddisk0\DR0
    13:49:47.0127 5348 \Device\Harddisk0\DR0 ( Rootkit.Boot.Wistler.a ) - infected
    13:49:47.0127 5348 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Wistler.a (0)
    13:49:47.0178 5348 MBR (0x1B8) (973e9ba32fdbb305c552ed3e1ebf0686) \Device\Harddisk5\DR6
    13:49:47.0271 5348 \Device\Harddisk5\DR6 - ok
    13:49:47.0305 5348 Boot (0x1200) (47b7c63b1ff6106e81d91108af21ffb5) \Device\Harddisk0\DR0\Partition0
    13:49:47.0306 5348 \Device\Harddisk0\DR0\Partition0 - ok
    13:49:47.0322 5348 Boot (0x1200) (2550465ec1fd92fcd2071b2e5e16973e) \Device\Harddisk0\DR0\Partition1
    13:49:47.0323 5348 \Device\Harddisk0\DR0\Partition1 - ok
    13:49:47.0328 5348 Boot (0x1200) (0699ecf2d19793bd3c482ffc9ff40d56) \Device\Harddisk5\DR6\Partition0
    13:49:47.0329 5348 \Device\Harddisk5\DR6\Partition0 - ok
    13:49:47.0331 5348 ============================================================
    13:49:47.0331 5348 Scan finished
    13:49:47.0331 5348 ============================================================
    13:49:47.0344 2568 Detected object count: 6
    13:49:47.0344 2568 Actual detected object count: 6
    13:55:49.0632 2568 DSproct ( UnsignedFile.Multi.Generic ) - skipped by user
    13:55:49.0632 2568 DSproct ( UnsignedFile.Multi.Generic ) - User select action: Skip
    13:55:49.0634 2568 SAVOnAccess ( UnsignedFile.Multi.Generic ) - skipped by user
    13:55:49.0634 2568 SAVOnAccess ( UnsignedFile.Multi.Generic ) - User select action: Skip
    13:55:49.0635 2568 SophosBootDriver ( UnsignedFile.Multi.Generic ) - skipped by user
    13:55:49.0636 2568 SophosBootDriver ( UnsignedFile.Multi.Generic ) - User select action: Skip
    13:55:49.0637 2568 sptd ( LockedFile.Multi.Generic ) - skipped by user
    13:55:49.0637 2568 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
    13:55:49.0861 2568 C:\Windows\system32\drivers\Wdf01000.sys - copied to quarantine
    13:55:56.0307 2568 Backup copy not found, trying to cure infected file..
    13:55:56.0311 2568 Cure success, using it..
    13:55:56.0324 2568 C:\Windows\system32\drivers\Wdf01000.sys - will be cured on reboot
    13:55:56.0324 2568 Wdf01000 ( Virus.Win32.Rloader.a ) - User select action: Cure
    13:55:56.0506 2568 \Device\Harddisk0\DR0\# - copied to quarantine
    13:55:56.0506 2568 \Device\Harddisk0\DR0 - copied to quarantine
    13:55:56.0512 2568 \Device\Harddisk0\DR0 ( Rootkit.Boot.Wistler.a ) - will be cured on reboot
    13:55:56.0512 2568 \Device\Harddisk0\DR0 - ok
    13:55:56.0512 2568 \Device\Harddisk0\DR0 ( Rootkit.Boot.Wistler.a ) - User select action: Cure
    13:59:40.0563 4684 Deinitialize success
     
  4. Seb7

    Seb7 TS Rookie Topic Starter

    After the reboot I ran it again:

    14:09:00.0660 4440 TDSS rootkit removing tool 2.7.20.0 Mar 9 2012 17:10:43
    14:09:00.0685 4440 ============================================================
    14:09:00.0685 4440 Current date / time: 2012/03/12 14:09:00.0685
    14:09:00.0685 4440 SystemInfo:
    14:09:00.0685 4440
    14:09:00.0685 4440 OS Version: 6.0.6002 ServicePack: 2.0
    14:09:00.0685 4440 Product type: Workstation
    14:09:00.0685 4440 ComputerName: JAMES-PC
    14:09:00.0685 4440 UserName: James
    14:09:00.0685 4440 Windows directory: C:\Windows
    14:09:00.0685 4440 System windows directory: C:\Windows
    14:09:00.0685 4440 Processor architecture: Intel x86
    14:09:00.0685 4440 Number of processors: 2
    14:09:00.0685 4440 Page size: 0x1000
    14:09:00.0685 4440 Boot type: Normal boot
    14:09:00.0685 4440 ============================================================
    14:09:01.0243 4440 Drive \Device\Harddisk0\DR0 - Size: 0x3A35294400 (232.83 Gb), SectorSize: 0x200, Cylinders: 0x76BA, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
    14:09:01.0248 4440 Drive \Device\Harddisk1\DR1 - Size: 0x7A80000 (0.12 Gb), SectorSize: 0x200, Cylinders: 0xF, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
    14:09:01.0292 4440 \Device\Harddisk0\DR0:
    14:09:01.0292 4440 MBR used
    14:09:01.0292 4440 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x2F800, BlocksNum 0x1400000
    14:09:01.0292 4440 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x142F800, BlocksNum 0x1BD79000
    14:09:01.0292 4440 \Device\Harddisk1\DR1:
    14:09:01.0293 4440 MBR used
    14:09:01.0293 4440 \Device\Harddisk1\DR1\Partition0: MBR, Type 0xB, StartLBA 0x20, BlocksNum 0x3AD2F
    14:09:01.0415 4440 Initialize success
    14:09:01.0415 4440 ============================================================
    14:09:09.0224 5844 ============================================================
    14:09:09.0224 5844 Scan started
    14:09:09.0224 5844 Mode: Manual; SigCheck; TDLFS;
    14:09:09.0224 5844 ============================================================
    14:09:10.0178 5844 5689 - ok
    14:09:10.0322 5844 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
    14:09:10.0447 5844 ACPI - ok
    14:09:10.0653 5844 ADIHdAudAddService (3db3fb83217627d9a0cb8bae6cc5b491) C:\Windows\system32\drivers\ADIHdAud.sys
    14:09:10.0722 5844 ADIHdAudAddService - ok
    14:09:10.0936 5844 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
    14:09:10.0961 5844 adp94xx - ok
    14:09:11.0147 5844 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
    14:09:11.0164 5844 adpahci - ok
    14:09:11.0191 5844 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
    14:09:11.0206 5844 adpu160m - ok
    14:09:11.0494 5844 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
    14:09:11.0511 5844 adpu320 - ok
    14:09:11.0694 5844 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
    14:09:11.0721 5844 AFD - ok
    14:09:11.0922 5844 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
    14:09:11.0938 5844 agp440 - ok
    14:09:12.0012 5844 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
    14:09:12.0030 5844 aic78xx - ok
    14:09:12.0248 5844 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
    14:09:12.0262 5844 aliide - ok
    14:09:12.0467 5844 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
    14:09:12.0490 5844 amdagp - ok
    14:09:12.0695 5844 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
    14:09:12.0710 5844 amdide - ok
    14:09:12.0916 5844 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
    14:09:12.0952 5844 AmdK7 - ok
    14:09:13.0133 5844 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
    14:09:13.0182 5844 AmdK8 - ok
    14:09:13.0558 5844 amdkmdag (da3cf5b94ad09290896e2b73df6d4173) C:\Windows\system32\DRIVERS\atikmdag.sys
    14:09:13.0811 5844 amdkmdag - ok
    14:09:13.0952 5844 amdkmdap (46a3f55772fd2d1526994693ae352579) C:\Windows\system32\DRIVERS\atikmpag.sys
    14:09:13.0999 5844 amdkmdap - ok
    14:09:14.0227 5844 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
    14:09:14.0244 5844 arc - ok
    14:09:14.0475 5844 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
    14:09:14.0492 5844 arcsas - ok
    14:09:14.0656 5844 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
    14:09:14.0691 5844 AsyncMac - ok
    14:09:14.0906 5844 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
    14:09:14.0923 5844 atapi - ok
    14:09:15.0106 5844 AtiHDAudioService (8579387516ec86d76404ddffc22214c4) C:\Windows\system32\drivers\AtihdLH3.sys
    14:09:15.0151 5844 AtiHDAudioService - ok
    14:09:15.0268 5844 AtiHdmiService (d7672d90ef03d0e2efdb02df5045a359) C:\Windows\system32\drivers\AtiHdmi.sys
    14:09:15.0285 5844 AtiHdmiService - ok
    14:09:16.0241 5844 atikmdag (da3cf5b94ad09290896e2b73df6d4173) C:\Windows\system32\DRIVERS\atikmdag.sys
    14:09:16.0572 5844 atikmdag - ok
    14:09:16.0762 5844 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\Windows\System32\Drivers\avgldx86.sys
    14:09:16.0783 5844 AvgLdx86 - ok
    14:09:16.0845 5844 AvgMfx86 (80ff2b1b7eeda966394f0baa895bbf4b) C:\Windows\System32\Drivers\avgmfx86.sys
    14:09:16.0857 5844 AvgMfx86 - ok
    14:09:16.0940 5844 AvgTdiX (9a7a93388f503a34e7339ae7f9997449) C:\Windows\System32\Drivers\avgtdix.sys
    14:09:16.0952 5844 AvgTdiX - ok
    14:09:17.0019 5844 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
    14:09:17.0042 5844 Beep - ok
    14:09:17.0118 5844 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
    14:09:17.0146 5844 blbdrive - ok
    14:09:17.0317 5844 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
    14:09:17.0354 5844 bowser - ok
    14:09:17.0468 5844 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
    14:09:17.0490 5844 BrFiltLo - ok
    14:09:17.0811 5844 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
    14:09:17.0840 5844 BrFiltUp - ok
    14:09:17.0957 5844 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
    14:09:18.0035 5844 Brserid - ok
    14:09:18.0160 5844 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
    14:09:18.0218 5844 BrSerWdm - ok
    14:09:18.0347 5844 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
    14:09:18.0409 5844 BrUsbMdm - ok
    14:09:18.0561 5844 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
    14:09:18.0619 5844 BrUsbSer - ok
    14:09:18.0732 5844 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
    14:09:18.0793 5844 BTHMODEM - ok
    14:09:18.0893 5844 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
    14:09:18.0916 5844 cdfs - ok
    14:09:18.0965 5844 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
    14:09:18.0986 5844 cdrom - ok
    14:09:19.0192 5844 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
    14:09:19.0217 5844 circlass - ok
    14:09:19.0286 5844 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
    14:09:19.0309 5844 CLFS - ok
    14:09:19.0403 5844 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
    14:09:19.0415 5844 cmdide - ok
    14:09:19.0451 5844 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\drivers\compbatt.sys
    14:09:19.0463 5844 Compbatt - ok
    14:09:19.0490 5844 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
    14:09:19.0503 5844 crcdisk - ok
    14:09:19.0529 5844 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
    14:09:19.0560 5844 Crusoe - ok
    14:09:19.0650 5844 CSC (9bdb2e89be8d0ef37b1f25c3d3fc192c) C:\Windows\system32\drivers\csc.sys
    14:09:19.0698 5844 CSC - ok
    14:09:19.0786 5844 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
    14:09:19.0834 5844 DfsC - ok
    14:09:20.0304 5844 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
    14:09:20.0325 5844 disk - ok
    14:09:20.0456 5844 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
    14:09:20.0480 5844 drmkaud - ok
    14:09:20.0598 5844 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
    14:09:20.0602 5844 DSproct ( UnsignedFile.Multi.Generic ) - warning
    14:09:20.0602 5844 DSproct - detected UnsignedFile.Multi.Generic (1)
    14:09:20.0728 5844 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\Windows\system32\DRIVERS\dsunidrv.sys
    14:09:20.0761 5844 dsunidrv - ok
    14:09:20.0866 5844 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
    14:09:20.0899 5844 DXGKrnl - ok
    14:09:21.0125 5844 e1express (04944f4fc4f0477185f5d26ae0ddb90e) C:\Windows\system32\DRIVERS\e1e6032.sys
    14:09:21.0196 5844 e1express - ok
    14:09:21.0363 5844 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
    14:09:21.0394 5844 E1G60 - ok
    14:09:21.0464 5844 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
    14:09:21.0484 5844 Ecache - ok
    14:09:21.0583 5844 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
    14:09:21.0634 5844 elxstor - ok
    14:09:21.0677 5844 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
    14:09:21.0711 5844 ErrDev - ok
    14:09:21.0915 5844 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
    14:09:21.0941 5844 exfat - ok
    14:09:22.0100 5844 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
    14:09:22.0130 5844 fastfat - ok
    14:09:22.0437 5844 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
    14:09:22.0472 5844 fdc - ok
    14:09:22.0614 5844 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
    14:09:22.0630 5844 FileInfo - ok
    14:09:22.0899 5844 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
    14:09:22.0936 5844 Filetrace - ok
    14:09:23.0072 5844 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
    14:09:23.0095 5844 flpydisk - ok
    14:09:23.0464 5844 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
    14:09:23.0479 5844 FltMgr - ok
    14:09:23.0602 5844 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
    14:09:23.0624 5844 Fs_Rec - ok
    14:09:23.0694 5844 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
    14:09:23.0706 5844 gagp30kx - ok
    14:09:23.0802 5844 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
    14:09:23.0813 5844 GEARAspiWDM - ok
    14:09:23.0876 5844 GemCCID (86d3d834d35ebe920d85ffedcef79faf) C:\Windows\system32\Drivers\GemCCID.sys
    14:09:23.0893 5844 GemCCID - ok
    14:09:24.0148 5844 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
    14:09:24.0210 5844 HdAudAddService - ok
    14:09:24.0300 5844 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
    14:09:24.0383 5844 HDAudBus - ok
    14:09:24.0682 5844 HECI (c865d1f6d03595df213dc3c67e4e4c58) C:\Windows\system32\DRIVERS\HECI.sys
    14:09:24.0716 5844 HECI - ok
    14:09:24.0901 5844 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
    14:09:24.0966 5844 HidBth - ok
    14:09:25.0159 5844 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
    14:09:25.0234 5844 HidIr - ok
    14:09:25.0439 5844 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
    14:09:25.0468 5844 HidUsb - ok
    14:09:25.0613 5844 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
    14:09:25.0629 5844 HpCISSs - ok
    14:09:25.0789 5844 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
    14:09:25.0849 5844 HTTP - ok
    14:09:26.0060 5844 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
    14:09:26.0076 5844 i2omp - ok
    14:09:26.0168 5844 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
    14:09:26.0198 5844 i8042prt - ok
    14:09:26.0309 5844 iaStor (e5a0034847537eaee3c00349d5c34c5f) C:\Windows\system32\drivers\iastor.sys
    14:09:26.0329 5844 iaStor - ok
    14:09:26.0387 5844 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
    14:09:26.0405 5844 iaStorV - ok
    14:09:26.0729 5844 igfx (a03b37dbc601c35de9591b6aa1a20c22) C:\Windows\system32\DRIVERS\igdkmd32.sys
    14:09:26.0781 5844 igfx - ok
    14:09:26.0944 5844 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
    14:09:26.0960 5844 iirsp - ok
    14:09:27.0095 5844 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
    14:09:27.0110 5844 intelide - ok
    14:09:27.0196 5844 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
    14:09:27.0230 5844 intelppm - ok
    14:09:27.0356 5844 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
    14:09:27.0391 5844 IpFilterDriver - ok
    14:09:27.0584 5844 IpInIp - ok
    14:09:27.0785 5844 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
    14:09:27.0835 5844 IPMIDRV - ok
    14:09:28.0004 5844 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
    14:09:28.0048 5844 IPNAT - ok
    14:09:28.0193 5844 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
    14:09:28.0227 5844 IRENUM - ok
    14:09:28.0531 5844 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
    14:09:28.0551 5844 isapnp - ok
    14:09:28.0634 5844 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
    14:09:28.0654 5844 iScsiPrt - ok
    14:09:28.0726 5844 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
    14:09:28.0747 5844 iteatapi - ok
    14:09:28.0903 5844 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
    14:09:28.0925 5844 iteraid - ok
    14:09:29.0054 5844 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
    14:09:29.0070 5844 kbdclass - ok
    14:09:29.0183 5844 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
    14:09:29.0210 5844 kbdhid - ok
    14:09:29.0412 5844 KSecDD (2b2f1638466e8cb091400c9019cc730e) C:\Windows\system32\Drivers\ksecdd.sys
    14:09:29.0448 5844 KSecDD - ok
    14:09:29.0650 5844 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
    14:09:29.0685 5844 lltdio - ok
    14:09:29.0913 5844 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
    14:09:29.0931 5844 LSI_FC - ok
    14:09:30.0163 5844 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
    14:09:30.0180 5844 LSI_SAS - ok
    14:09:30.0290 5844 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
    14:09:30.0310 5844 LSI_SCSI - ok
    14:09:30.0401 5844 LTXMD_VAC (6e4880018d99b7f041a8d0b3f7f43b72) C:\Windows\system32\drivers\lmvac.sys
    14:09:30.0465 5844 LTXMD_VAC - ok
    14:09:30.0652 5844 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
    14:09:30.0687 5844 luafv - ok
    14:09:30.0826 5844 lvpopflt (9fb982de1c8dd769f8ed681dd878b12f) C:\Windows\system32\DRIVERS\lvpopflt.sys
    14:09:30.0852 5844 lvpopflt - ok
    14:09:30.0879 5844 LVPr2Mon (8be71d7edb8c7494913722059f760dd0) C:\Windows\system32\Drivers\LVPr2Mon.sys
    14:09:30.0893 5844 LVPr2Mon - ok
    14:09:31.0150 5844 LVRS (37072ec9299e825f4335cc554b6fac6a) C:\Windows\system32\DRIVERS\lvrs.sys
    14:09:31.0169 5844 LVRS - ok
    14:09:32.0063 5844 LVUVC (44876e70e07e9a653bbe423dbfa35a1a) C:\Windows\system32\DRIVERS\lvuvc.sys
    14:09:32.0506 5844 LVUVC - ok
    14:09:32.0696 5844 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
    14:09:32.0711 5844 megasas - ok
    14:09:32.0955 5844 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
    14:09:32.0977 5844 MegaSR - ok
    14:09:33.0159 5844 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
    14:09:33.0186 5844 Modem - ok
    14:09:33.0351 5844 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
    14:09:33.0380 5844 monitor - ok
    14:09:33.0563 5844 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
    14:09:33.0578 5844 mouclass - ok
    14:09:33.0682 5844 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
    14:09:33.0717 5844 mouhid - ok
    14:09:33.0894 5844 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
    14:09:33.0910 5844 MountMgr - ok
    14:09:34.0013 5844 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
    14:09:34.0031 5844 mpio - ok
    14:09:34.0090 5844 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
    14:09:34.0118 5844 mpsdrv - ok
    14:09:34.0271 5844 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
    14:09:34.0288 5844 Mraid35x - ok
    14:09:34.0460 5844 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
    14:09:34.0482 5844 MRxDAV - ok
    14:09:34.0642 5844 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
    14:09:34.0688 5844 mrxsmb - ok
    14:09:34.0855 5844 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
    14:09:34.0887 5844 mrxsmb10 - ok
    14:09:35.0063 5844 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
    14:09:35.0085 5844 mrxsmb20 - ok
    14:09:35.0175 5844 msahci (f70590424eefbf5c27a40c67afdb8383) C:\Windows\system32\drivers\msahci.sys
    14:09:35.0190 5844 msahci - ok
    14:09:35.0252 5844 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
    14:09:35.0268 5844 msdsm - ok
    14:09:35.0497 5844 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
    14:09:35.0532 5844 Msfs - ok
    14:09:35.0662 5844 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
    14:09:35.0677 5844 msisadrv - ok
    14:09:35.0792 5844 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
    14:09:35.0827 5844 MSKSSRV - ok
    14:09:35.0961 5844 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
    14:09:35.0996 5844 MSPCLOCK - ok
    14:09:36.0155 5844 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
    14:09:36.0204 5844 MSPQM - ok
    14:09:36.0306 5844 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
    14:09:36.0325 5844 MsRPC - ok
    14:09:36.0376 5844 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
    14:09:36.0391 5844 mssmbios - ok
    14:09:36.0501 5844 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
    14:09:36.0523 5844 MSTEE - ok
    14:09:36.0626 5844 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
    14:09:36.0638 5844 Mup - ok
    14:09:36.0752 5844 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
    14:09:36.0768 5844 NativeWifiP - ok
    14:09:36.0885 5844 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
    14:09:36.0914 5844 NDIS - ok
    14:09:37.0169 5844 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
    14:09:37.0195 5844 NdisTapi - ok
    14:09:37.0351 5844 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
    14:09:37.0381 5844 Ndisuio - ok
    14:09:37.0536 5844 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
    14:09:37.0567 5844 NdisWan - ok
    14:09:37.0767 5844 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
    14:09:37.0797 5844 NDProxy - ok
    14:09:37.0928 5844 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
    14:09:37.0965 5844 NetBIOS - ok
    14:09:38.0171 5844 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
    14:09:38.0202 5844 netbt - ok
    14:09:38.0545 5844 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
    14:09:38.0560 5844 nfrd960 - ok
    14:09:38.0700 5844 NPF (b48dc6abcd3aeff8618350ccbdc6b09a) C:\Windows\system32\drivers\npf.sys
    14:09:38.0715 5844 NPF - ok
    14:09:38.0885 5844 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
    14:09:38.0914 5844 Npfs - ok
    14:09:39.0017 5844 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
    14:09:39.0052 5844 nsiproxy - ok
    14:09:39.0163 5844 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
    14:09:39.0219 5844 Ntfs - ok
    14:09:39.0362 5844 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
    14:09:39.0422 5844 ntrigdigi - ok
    14:09:39.0589 5844 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
    14:09:39.0626 5844 Null - ok
    14:09:39.0748 5844 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
    14:09:39.0764 5844 nvraid - ok
    14:09:39.0961 5844 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
    14:09:39.0977 5844 nvstor - ok
    14:09:40.0147 5844 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
    14:09:40.0164 5844 nv_agp - ok
    14:09:40.0331 5844 NwlnkFlt - ok
    14:09:40.0427 5844 NwlnkFwd - ok
    14:09:40.0514 5844 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
    14:09:40.0573 5844 ohci1394 - ok
    14:09:40.0879 5844 Parport (8a79fdf04a73428597e2caf9d0d67850) C:\Windows\system32\DRIVERS\parport.sys
    14:09:40.0917 5844 Parport - ok
    14:09:41.0202 5844 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
    14:09:41.0219 5844 partmgr - ok
    14:09:41.0537 5844 Parvdm (6c580025c81caf3ae9e3617c22cad00e) C:\Windows\system32\DRIVERS\parvdm.sys
    14:09:41.0571 5844 Parvdm - ok
    14:09:41.0725 5844 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
    14:09:41.0744 5844 pci - ok
    14:09:41.0984 5844 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
    14:09:42.0002 5844 pciide - ok
    14:09:42.0261 5844 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
    14:09:42.0279 5844 pcmcia - ok
    14:09:42.0499 5844 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
    14:09:42.0664 5844 PEAUTH - ok
    14:09:42.0836 5844 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
    14:09:42.0877 5844 PptpMiniport - ok
    14:09:43.0117 5844 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
    14:09:43.0155 5844 Processor - ok
    14:09:43.0458 5844 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
    14:09:43.0488 5844 PSched - ok
    14:09:43.0762 5844 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\Windows\system32\Drivers\PxHelp20.sys
    14:09:43.0778 5844 PxHelp20 - ok
    14:09:44.0062 5844 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
    14:09:44.0140 5844 ql2300 - ok
    14:09:44.0601 5844 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
    14:09:44.0617 5844 ql40xx - ok
    14:09:44.0784 5844 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
    14:09:44.0805 5844 QWAVEdrv - ok
    14:09:45.0543 5844 R300 (da3cf5b94ad09290896e2b73df6d4173) C:\Windows\system32\DRIVERS\atikmdag.sys
    14:09:45.0804 5844 R300 - ok
    14:09:46.0145 5844 RapportCerberus_34302 (6b6f0a77365667912360ff1d5e984f25) C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys
    14:09:46.0165 5844 RapportCerberus_34302 - ok
    14:09:46.0378 5844 RapportEI (34992b59780a8a227a9eb54c97dc4608) C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
    14:09:46.0394 5844 RapportEI - ok
    14:09:46.0568 5844 RapportIaso (dd3e4610de9252a957c5bd19bdf47ac4) c:\programdata\trusteer\rapport\store\exts\rapportms\28896\rapportiaso.sys
    14:09:46.0585 5844 RapportIaso - ok
    14:09:46.0766 5844 RapportKELL (a231b5552148ade82ed3dfba25919b75) C:\Windows\system32\Drivers\RapportKELL.sys
    14:09:46.0783 5844 RapportKELL - ok
    14:09:46.0936 5844 RapportPG (060f8e34707d68178a564935ce4546eb) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
    14:09:46.0953 5844 RapportPG - ok
    14:09:47.0147 5844 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
    14:09:47.0181 5844 RasAcd - ok
    14:09:47.0526 5844 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
    14:09:47.0562 5844 Rasl2tp - ok
    14:09:47.0728 5844 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
    14:09:47.0757 5844 RasPppoe - ok
    14:09:47.0845 5844 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
    14:09:47.0867 5844 RasSstp - ok
    14:09:47.0925 5844 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
    14:09:47.0956 5844 rdbss - ok
    14:09:48.0105 5844 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
    14:09:48.0147 5844 RDPCDD - ok
    14:09:48.0214 5844 rdpdr (943b18305eae3935598a9b4a3d560b4c) C:\Windows\system32\DRIVERS\rdpdr.sys
    14:09:48.0246 5844 rdpdr - ok
    14:09:48.0464 5844 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
    14:09:48.0518 5844 RDPENCDD - ok
    14:09:48.0614 5844 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
    14:09:48.0644 5844 RDPWD - ok
    14:09:48.0761 5844 RimUsb (92d33f76769a028ddc54a863eb7de4a2) C:\Windows\system32\Drivers\RimUsb.sys
    14:09:48.0779 5844 RimUsb - ok
    14:09:48.0981 5844 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\Windows\system32\DRIVERS\RimSerial.sys
    14:09:49.0026 5844 RimVSerPort - ok
    14:09:49.0171 5844 ROOTMODEM (75e8a6bfa7374aba833ae92bf41ae4e6) C:\Windows\system32\Drivers\RootMdm.sys
    14:09:49.0205 5844 ROOTMODEM - ok
    14:09:49.0354 5844 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
    14:09:49.0449 5844 rspndr - ok
    14:09:49.0549 5844 SAVOnAccess (127e21305c1880b550bea4b0adfd9d94) C:\Windows\system32\DRIVERS\savonaccess.sys
    14:09:49.0562 5844 SAVOnAccess ( UnsignedFile.Multi.Generic ) - warning
    14:09:49.0562 5844 SAVOnAccess - detected UnsignedFile.Multi.Generic (1)
    14:09:49.0718 5844 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
    14:09:49.0735 5844 sbp2port - ok
    14:09:49.0949 5844 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
    14:09:50.0006 5844 secdrv - ok
    14:09:50.0211 5844 Serenum (ce9ec966638ef0b10b864ddedf62a099) C:\Windows\system32\DRIVERS\serenum.sys
    14:09:50.0245 5844 Serenum - ok
    14:09:50.0491 5844 Serial (6d663022db3e7058907784ae14b69898) C:\Windows\system32\DRIVERS\serial.sys
    14:09:50.0542 5844 Serial - ok
    14:09:50.0623 5844 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
    14:09:50.0658 5844 sermouse - ok
    14:09:50.0755 5844 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
    14:09:50.0784 5844 sffdisk - ok
    14:09:50.0878 5844 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
    14:09:50.0913 5844 sffp_mmc - ok
    14:09:51.0127 5844 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
    14:09:51.0163 5844 sffp_sd - ok
    14:09:51.0364 5844 sfloppy (c33bfbd6e9e41fcd9ffef9729e9faed6) C:\Windows\system32\DRIVERS\sfloppy.sys
    14:09:51.0398 5844 sfloppy - ok
    14:09:51.0504 5844 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
    14:09:51.0520 5844 sisagp - ok
    14:09:51.0650 5844 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
    14:09:51.0665 5844 SiSRaid2 - ok
    14:09:51.0779 5844 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
    14:09:51.0798 5844 SiSRaid4 - ok
    14:09:52.0014 5844 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
    14:09:52.0045 5844 Smb - ok
    14:09:52.0307 5844 SophosBootDriver (6de03cbac3139d2fd8fba4aab4ac5bd0) C:\Windows\system32\DRIVERS\SophosBootDriver.sys
    14:09:52.0319 5844 SophosBootDriver ( UnsignedFile.Multi.Generic ) - warning
    14:09:52.0319 5844 SophosBootDriver - detected UnsignedFile.Multi.Generic (1)
    14:09:52.0603 5844 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
    14:09:52.0618 5844 spldr - ok
    14:09:52.0869 5844 sptd (cdddec541bc3c96f91ecb48759673505) C:\Windows\system32\Drivers\sptd.sys
    14:09:52.0871 5844 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
    14:09:52.0872 5844 sptd ( LockedFile.Multi.Generic ) - warning
    14:09:52.0872 5844 sptd - detected LockedFile.Multi.Generic (1)
    14:09:53.0039 5844 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
    14:09:53.0088 5844 srv - ok
    14:09:53.0191 5844 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
    14:09:53.0236 5844 srv2 - ok
    14:09:53.0347 5844 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
    14:09:53.0369 5844 srvnet - ok
    14:09:53.0555 5844 StillCam (ef70b3d22b4bffda6ea851ecb063efaa) C:\Windows\system32\DRIVERS\serscan.sys
    14:09:53.0586 5844 StillCam - ok
    14:09:53.0800 5844 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
    14:09:53.0814 5844 swenum - ok
    14:09:54.0339 5844 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
    14:09:54.0354 5844 Symc8xx - ok
    14:09:54.0404 5844 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
    14:09:54.0419 5844 Sym_hi - ok
    14:09:54.0683 5844 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
    14:09:54.0698 5844 Sym_u3 - ok
    14:09:55.0180 5844 Tcpip (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\drivers\tcpip.sys
    14:09:55.0470 5844 Tcpip - ok
    14:09:55.0897 5844 Tcpip6 (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\DRIVERS\tcpip.sys
    14:09:55.0934 5844 Tcpip6 - ok
    14:09:56.0236 5844 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
    14:09:56.0259 5844 tcpipreg - ok
    14:09:56.0364 5844 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
    14:09:56.0387 5844 TDPIPE - ok
    14:09:56.0486 5844 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
    14:09:56.0512 5844 TDTCP - ok
    14:09:56.0820 5844 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
    14:09:56.0841 5844 tdx - ok
    14:09:57.0384 5844 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
    14:09:57.0399 5844 TermDD - ok
    14:09:57.0906 5844 TfFsMon (a56ec942ecabfb7849bfa76060f929fb) C:\Windows\system32\drivers\TfFsMon.sys
    14:09:57.0920 5844 TfFsMon - ok
    14:09:58.0057 5844 TfNetMon (917ef522563f6047685486efa486fb3c) C:\Windows\system32\drivers\TfNetMon.sys
    14:09:58.0068 5844 TfNetMon - ok
    14:09:58.0378 5844 TfSysMon (57edbb5fe7ff09bb21121d13bb950ba5) C:\Windows\system32\drivers\TfSysMon.sys
    14:09:58.0391 5844 TfSysMon - ok
    14:09:58.0862 5844 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
    14:09:58.0895 5844 tssecsrv - ok
    14:09:58.0998 5844 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
    14:09:59.0057 5844 tunmp - ok
    14:09:59.0473 5844 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
    14:09:59.0492 5844 tunnel - ok
    14:09:59.0979 5844 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
    14:09:59.0994 5844 uagp35 - ok
    14:10:00.0170 5844 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
    14:10:00.0201 5844 udfs - ok
    14:10:00.0423 5844 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
    14:10:00.0439 5844 uliagpkx - ok
    14:10:01.0021 5844 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
    14:10:01.0040 5844 uliahci - ok
    14:10:01.0341 5844 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
    14:10:01.0357 5844 UlSata - ok
    14:10:01.0703 5844 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
    14:10:01.0720 5844 ulsata2 - ok
    14:10:02.0241 5844 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
    14:10:02.0276 5844 umbus - ok
    14:10:02.0649 5844 usbaudio (32db9517628ff0d070682aab61e688f0) C:\Windows\system32\drivers\usbaudio.sys
    14:10:02.0678 5844 usbaudio - ok
    14:10:02.0956 5844 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
    14:10:02.0985 5844 usbccgp - ok
    14:10:03.0083 5844 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
    14:10:03.0144 5844 usbcir - ok
    14:10:03.0342 5844 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
    14:10:03.0376 5844 usbehci - ok
    14:10:03.0513 5844 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
    14:10:03.0544 5844 usbhub - ok
    14:10:03.0788 5844 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
    14:10:03.0848 5844 usbohci - ok
    14:10:04.0023 5844 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
    14:10:04.0059 5844 usbprint - ok
    14:10:04.0450 5844 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
    14:10:04.0529 5844 USBSTOR - ok
    14:10:04.0733 5844 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
    14:10:04.0763 5844 usbuhci - ok
    14:10:04.0969 5844 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
    14:10:05.0007 5844 usbvideo - ok
    14:10:05.0129 5844 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
    14:10:05.0184 5844 vga - ok
    14:10:05.0210 5844 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
    14:10:05.0244 5844 VgaSave - ok
    14:10:05.0408 5844 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
    14:10:05.0425 5844 viaagp - ok
    14:10:05.0663 5844 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
    14:10:05.0714 5844 ViaC7 - ok
    14:10:05.0955 5844 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
    14:10:05.0992 5844 viaide - ok
    14:10:06.0139 5844 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
    14:10:06.0155 5844 volmgr - ok
    14:10:06.0203 5844 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
    14:10:06.0224 5844 volmgrx - ok
    14:10:06.0670 5844 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
    14:10:06.0691 5844 volsnap - ok
    14:10:07.0151 5844 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
    14:10:07.0168 5844 vsmraid - ok
    14:10:07.0260 5844 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
    14:10:07.0318 5844 WacomPen - ok
    14:10:07.0471 5844 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
    14:10:07.0501 5844 Wanarp - ok
    14:10:07.0529 5844 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
    14:10:07.0557 5844 Wanarpv6 - ok
    14:10:07.0697 5844 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
    14:10:07.0713 5844 Wd - ok
    14:10:07.0970 5844 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
    14:10:08.0009 5844 Wdf01000 - ok
    14:10:08.0350 5844 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\drivers\wmiacpi.sys
    14:10:08.0379 5844 WmiAcpi - ok
    14:10:08.0526 5844 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
    14:10:08.0561 5844 ws2ifsl - ok
    14:10:08.0685 5844 WSDPrintDevice (4422ac5ed8d4c2f0db63e71d4c069dd7) C:\Windows\system32\DRIVERS\WSDPrint.sys
    14:10:08.0714 5844 WSDPrintDevice - ok
    14:10:08.0846 5844 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
    14:10:08.0880 5844 WUDFRd - ok
    14:10:08.0913 5844 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
    14:10:09.0445 5844 \Device\Harddisk0\DR0 - ok
    14:10:09.0454 5844 MBR (0x1B8) (973e9ba32fdbb305c552ed3e1ebf0686) \Device\Harddisk1\DR1
    14:10:09.0546 5844 \Device\Harddisk1\DR1 - ok
    14:10:09.0568 5844 Boot (0x1200) (47b7c63b1ff6106e81d91108af21ffb5) \Device\Harddisk0\DR0\Partition0
    14:10:09.0597 5844 \Device\Harddisk0\DR0\Partition0 - ok
    14:10:09.0611 5844 Boot (0x1200) (2550465ec1fd92fcd2071b2e5e16973e) \Device\Harddisk0\DR0\Partition1
    14:10:09.0633 5844 \Device\Harddisk0\DR0\Partition1 - ok
    14:10:09.0638 5844 Boot (0x1200) (0699ecf2d19793bd3c482ffc9ff40d56) \Device\Harddisk1\DR1\Partition0
    14:10:09.0639 5844 \Device\Harddisk1\DR1\Partition0 - ok
    14:10:09.0640 5844 ============================================================
    14:10:09.0640 5844 Scan finished
    14:10:09.0640 5844 ============================================================
    14:10:09.0695 5676 Detected object count: 4
    14:10:09.0695 5676 Actual detected object count: 4
    14:17:30.0186 5676 DSproct ( UnsignedFile.Multi.Generic ) - skipped by user
    14:17:30.0186 5676 DSproct ( UnsignedFile.Multi.Generic ) - User select action: Skip
    14:17:30.0188 5676 SAVOnAccess ( UnsignedFile.Multi.Generic ) - skipped by user
    14:17:30.0188 5676 SAVOnAccess ( UnsignedFile.Multi.Generic ) - User select action: Skip
    14:17:30.0190 5676 SophosBootDriver ( UnsignedFile.Multi.Generic ) - skipped by user
    14:17:30.0190 5676 SophosBootDriver ( UnsignedFile.Multi.Generic ) - User select action: Skip
    14:17:30.0192 5676 sptd ( LockedFile.Multi.Generic ) - skipped by user
    14:17:30.0192 5676 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
    14:17:40.0604 6120 Deinitialize success

    What I'm not sure about is if sptd is installed as part of Sage Line 50. I can't find anything to suggest that it is. And I can't see any software installed like Daemon Tools or Alcohol that bundles it. Anyway, on to the other logs...
     
  5. Seb7

    Seb7 TS Rookie Topic Starter

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.13.02

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 8.0.6001.19190
    James :: JAMES-PC [administrator]

    13/03/2012 11:38:42
    mbam-log-2012-03-13 (11-38-42).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 221611
    Time elapsed: 8 minute(s), 2 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
    [/CODE]
    Code:
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-03-13 11:57:27
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.GM2O
    Running: mq075dc5.exe; Driver: C:\Users\JAMES~1.SYN\AppData\Local\Temp\fgloypow.sys
    
    
    ---- Devices - GMER 1.0.15 ----
    
    Device          \Driver\iaStor \Device\Ide\iaStor0             [8D8E0580] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device          \Driver\atapi \Device\Ide\IdePort0             882F11F8
    Device          \Driver\atapi \Device\Ide\IdePort1             882F11F8
    Device          \Driver\iaStor \Device\Ide\IAAStorageDevice-0  [8D8E0580] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device          \Driver\iaStor \Device\Ide\IAAStorageDevice-1  [8D8E0580] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device          \FileSystem\Ntfs \Ntfs                         882F21F8
    
    AttachedDevice  \FileSystem\Ntfs \Ntfs                         TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
    
    Device          \FileSystem\fastfat \Fat                       8A947500
    
    AttachedDevice  \FileSystem\fastfat \Fat                       fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice  \Driver\tdx \Device\Ip                         avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice  \Driver\tdx \Device\Tcp                        avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice  \Driver\tdx \Device\Udp                        avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice  \Driver\tdx \Device\RawIp                      avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    
    ---- EOF - GMER 1.0.15 ----
    
    
    DDS (Ver_2011-08-26.01) - NTFSx86 
    Internet Explorer: 8.0.6001.19190  BrowserJavaVersion: 1.6.0_31
    Run by James at 11:58:09 on 2012-03-13
    Microsoft® Windows Vista™ Business   6.0.6002.2.1252.44.1033.18.3325.1642 [GMT 0:00]
    .
    AV: AVG Anti-Virus Free *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Windows\system32\lsm.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\DYMO\DYMO Label Software\DymoPnpService.exe
    C:\Program Files\Gemalto\Classic Client\BIN\GslShmSrvc.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
    C:\Program Files\ThreatFire\TFService.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\Windows\System32\ico.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\AVG\AVG9\avgtray.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Gemalto\Classic Client\BIN\RegTool.exe
    C:\Program Files\ScanSoft\OmniPage15.0\OpWare15.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\ThreatFire\TFTray.exe
    C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
    C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.syntec.co.uk/stats/userLogin.asp?&reCook=t
    uWindow Title = Internet Explorer provided by Dell
    uDefault_Page_URL = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
    mDefault_Page_URL = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    EB: Syntec Agent Bar: {46eeac90-055e-1b18-4d54-57696c4a6f6e} - Shdocvw.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
    uRun: [DymoQuickPrint] "c:\program files\dymo\dymo label software\DymoQuickPrint.exe" /startup
    uRun: [OpAgent] "c:\program files\scansoft\omnipage15.0\OpAgent.exe" /agent
    uRun: [SystemExplorerAutoStart] "c:\program files\system explorer\SystemExplorer.exe" /TRAY
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [PMX Daemon] ICO.EXE
    mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [KeePass 2 PreLoad] "c:\program files\keepass password safe 2\KeePass.exe" --preload
    mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [DLSService] "c:\program files\dymo\dymo label software\DLSService.exe"
    mRun: [RegTool] c:\program files\gemalto\classic client\bin\RegTool.exe
    mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
    mRun: [Opware15] "c:\program files\scansoft\omnipage15.0\Opware15.exe"
    mRun: [OpScheduler] "c:\program files\scansoft\omnipage15.0\OpScheduler.exe"
    mRun: [PDF3 Registry Controller] "c:\program files\scansoft\omnipage15.0\pdfconverter3\\RegistryController.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
    mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
    StartupFolder: c:\users\james~1.syn\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\james.syntec_dom1\appdata\roaming\dropbox\bin\Dropbox.exe
    StartupFolder: c:\users\james~1.syn\appdata\roaming\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\ereg\eReg.exe
    StartupFolder: c:\users\james~1.syn\appdata\roaming\micros~1\windows\startm~1\programs\startup\passwo~1.lnk - c:\program files\password safe\pwsafe.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hwg-pd~1.lnk - c:\program files\hw group\hwg-pdms\HWg-PDMS_tools.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
    IE: Open with Scansoft PDF Converter 3.0 - c:\program files\scansoft\omnipage15.0\pdfconverter3\IEShellExt.dll /100
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
    Trusted Zone: bacs.co.uk\paymentservices
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 208.67.222.222 208.67.220.220
    TCP: Interfaces\{F895C86E-833A-4E7A-BE37-94E4F10C03C4} : DhcpNameServer = 208.67.222.222 208.67.220.220
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: avgrsstx.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\james.syntec_dom1\appdata\roaming\mozilla\firefox\profiles\34edju4i.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.syntec.co.uk/stats/userLogin.asp?&reCook=t
    FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
    FF - component: c:\users\james.syntec_dom1\appdata\roaming\mozilla\firefox\profiles\34edju4i.default\extensions\{548f6736-8fe4-4680-82f2-170d6c07e1d2}\components\FFExternalAlert.dll
    FF - component: c:\users\james.syntec_dom1\appdata\roaming\mozilla\firefox\profiles\34edju4i.default\extensions\{548f6736-8fe4-4680-82f2-170d6c07e1d2}\components\RadioWMPCore.dll
    FF - component: c:\users\james.syntec_dom1\appdata\roaming\mozilla\firefox\profiles\34edju4i.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}\components\XPATLCOM.dll
    FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\dymo\dymo label software\framework\npDYMOLabelFramework.dll
    FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npClassicESigner.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\nos\bin\np_gp.dll
    FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\users\james.syntec_dom1\appdata\roaming\mozilla\firefox\profiles\34edju4i.default\extensions\support@ancestry.com\plugins\npImgCtl.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    ============= SERVICES / DRIVERS ===============
    .
    R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2012-1-25 56208]
    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2012-3-8 51984]
    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2012-3-8 69392]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-4 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-4 29712]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-4 243152]
    R1 RapportCerberus_34302;RapportCerberus_34302;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\34302\RapportCerberus32_34302.sys [2011-12-15 228208]
    R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2012-1-25 71440]
    R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2012-1-25 164112]
    R1 SAVOnAccess;SAVOnAccess;c:\windows\system32\drivers\savonaccess.sys [2012-3-7 85312]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-8-26 176128]
    R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-1-23 133968]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-17 308136]
    R2 DymoPnpService;DYMO PnP Service;c:\program files\dymo\dymo label software\DymoPnpService.exe [2011-1-28 32336]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
    R2 GslShmSrvc;GSL Share Memory;c:\program files\gemalto\classic client\bin\GslShmSrvc.exe [2010-7-6 84992]
    R2 msftesql$WASPDBEXPRESS;SQL Server FullText Search (WASPDBEXPRESS);c:\program files\microsoft sql server\mssql.1\mssql\binn\msftesql.exe [2010-3-26 91992]
    R2 MSSQL$WASPDBEXPRESS;SQL Server (WASPDBEXPRESS);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
    R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2012-1-25 931640]
    R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2008-12-9 69632]
    R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-12-9 98304]
    R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2008-6-26 172032]
    R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-8-24 2358656]
    R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
    R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-8-26 6380032]
    R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-8-26 221696]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdLH3.sys [2011-1-17 99344]
    R3 LTXMD_VAC;Litex Media Virtual Audio Cable (WDM);c:\windows\system32\drivers\lmvac.sys [2010-8-12 18944]
    R3 RapportIaso;RapportIaso;c:\programdata\trusteer\rapport\store\exts\rapportms\28896\RapportIaso.sys [2011-8-7 21520]
    R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2012-3-8 33552]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 GemCCID;GemCCID;c:\windows\system32\drivers\GemCCID.sys [2009-8-10 89600]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-3-21 136176]
    S3 SystemExplorerHelpService;System Explorer Service;c:\program files\system explorer\service\SystemExplorerService.exe [2012-3-9 536208]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-21 16896]
    S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-21 136176]
    S4 HWg_PDMS_Service;HWg-PDMS Service;c:\program files\hw group\hwg-pdms\HWg-PDMS_srv.exe [2011-5-9 1178472]
    S4 HWg_PDMS_WEB_Service;HWg-PDMS WEBserver;c:\program files\hw group\hwg-pdms\HWg-PDMS_web.exe [2011-6-13 745832]
    S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2012-3-7 20288]
    .
    =============== Created Last 30 ================
    .
    2012-03-13 11:37:13	--------	d-----w-	c:\users\james.syntec_dom1\appdata\roaming\Malwarebytes
    2012-03-13 11:37:03	20464	----a-w-	c:\windows\system32\drivers\mbam.sys
    2012-03-13 11:37:03	--------	d-----w-	c:\programdata\Malwarebytes
    2012-03-13 11:37:03	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
    2012-03-12 13:55:49	--------	d-----w-	C:\TDSSKiller_Quarantine
    2012-03-09 14:25:38	--------	d-----w-	c:\program files\Macrovision Corporation
    2012-03-09 12:42:20	--------	d-----w-	c:\programdata\SystemExplorer
    2012-03-09 12:42:16	--------	d-----w-	c:\program files\System Explorer
    2012-03-08 12:54:15	69392	----a-w-	c:\windows\system32\drivers\TfSysMon.sys
    2012-03-08 12:54:15	51984	----a-w-	c:\windows\system32\drivers\TfFsMon.sys
    2012-03-08 12:54:15	33552	----a-w-	c:\windows\system32\drivers\TfNetMon.sys
    2012-03-08 12:54:14	--------	d-----w-	c:\programdata\PC Tools
    2012-03-08 12:54:14	--------	d-----w-	c:\program files\ThreatFire
    2012-03-07 18:43:09	--------	d-----w-	c:\users\james.syntec_dom1\appdata\local\Sophos
    2012-03-07 18:37:04	130088	---ha-w-	c:\windows\system32\6c3e6b0a.stf
    2012-03-07 18:37:04	130088	---ha-w-	c:\windows\system32\044f1164.stf
    2012-03-07 18:37:04	130088	----a-w-	c:\windows\system32\sdccoinstaller.dll
    2012-03-07 18:35:58	--------	d-----w-	c:\program files\common files\Cisco Systems
    2012-03-07 18:35:36	23552	----a-w-	c:\windows\system32\SophosBootTasks.exe
    2012-03-07 18:35:22	--------	d-----w-	c:\programdata\Sophos
    2012-03-07 18:35:22	--------	d-----w-	c:\program files\Sophos
    2012-03-07 18:33:17	85312	----a-w-	c:\windows\system32\drivers\savonaccess.sys
    2012-03-07 18:33:17	20288	----a-w-	c:\windows\system32\drivers\SophosBootDriver.sys
    2012-03-07 18:33:13	--------	d-----w-	C:\stdtsa
    2012-02-17 03:07:45	--------	d-----w-	C:\d00dc5d831cca01b31
    2012-02-14 19:36:50	--------	d-sh--w-	c:\windows\system32\%APPDATA%
    .
    ==================== Find3M  ====================
    .
    2012-03-12 14:02:30	445008	----a-w-	c:\windows\system32\drivers\Wdf01000.sys
    2012-03-08 11:26:29	472808	----a-w-	c:\windows\system32\deployJava1.dll
    2012-01-25 10:16:44	56208	----a-w-	c:\windows\system32\drivers\RapportKELL.sys
    2012-01-12 19:52:56	2044416	----a-w-	c:\windows\system32\win32k.sys
    2011-12-15 06:22:01	916992	----a-w-	c:\windows\system32\wininet.dll
    2011-12-15 06:18:03	43520	----a-w-	c:\windows\system32\licmgr10.dll
    2011-12-15 06:17:51	1469440	----a-w-	c:\windows\system32\inetcpl.cpl
    2011-12-15 06:17:35	71680	----a-w-	c:\windows\system32\iesetup.dll
    2011-12-15 06:17:35	109056	----a-w-	c:\windows\system32\iesysprep.dll
    2011-12-15 05:21:27	385024	----a-w-	c:\windows\system32\html.iec
    2011-12-15 04:45:13	133632	----a-w-	c:\windows\system32\ieUnatt.exe
    2011-12-15 04:43:48	1638912	----a-w-	c:\windows\system32\mshtml.tlb
    2011-12-14 16:17:47	680448	----a-w-	c:\windows\system32\msvcrt.dll
    .
    ============= FINISH: 11:58:48.93 ===============
    
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Business 
    Boot Device: \Device\HarddiskVolume3
    Install Date: 22/10/2008 14:10:56
    System Uptime: 12/03/2012 14:02:19 (21 hours ago)
    .
    Motherboard: Dell Inc. |  | 0GM819
    Processor: Intel(R) Core(TM)2 Duo CPU     E7200  @ 2.53GHz | CPU | 1867/1066mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 223 GiB total, 87.892 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 5.685 GiB free.
    E: is CDROM ()
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1096: 01/03/2012 00:00:01 - Scheduled Checkpoint
    RP1097: 02/03/2012 00:26:56 - Scheduled Checkpoint
    RP1098: 03/03/2012 00:00:01 - Scheduled Checkpoint
    RP1099: 04/03/2012 00:00:01 - Scheduled Checkpoint
    RP1100: 05/03/2012 00:00:03 - Scheduled Checkpoint
    RP1101: 05/03/2012 23:54:22 - Scheduled Checkpoint
    RP1102: 06/03/2012 22:25:37 - Scheduled Checkpoint
    RP1103: 07/03/2012 18:34:50 - Installed Sophos Anti-Virus
    RP1104: 07/03/2012 18:38:35 - Installed Sophos AutoUpdate
    RP1105: 08/03/2012 03:00:12 - Windows Update
    RP1106: 08/03/2012 11:24:55 - Installed Java(TM) 6 Update 31
    RP1107: 08/03/2012 13:15:40 - Windows Update
    RP1108: 10/03/2012 00:15:08 - Scheduled Checkpoint
    RP1109: 10/03/2012 03:00:12 - Windows Update
    RP1110: 11/03/2012 - Scheduled Checkpoint
    RP1111: 12/03/2012 - Scheduled Checkpoint
    RP1112: 12/03/2012 23:41:31 - Scheduled Checkpoint
    .
    ==== Installed Programs ======================
    .
    ABC Amber BlackBerry Converter
    Acrobat.com
    Active@ ISO Burner
    ACTWinSmart v1.1
    Adobe AIR
    Adobe Download Manager
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader X (10.0.1)
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI AVIVO Codecs
    ATI Catalyst Install Manager
    Audacity 1.2.6
    AVG Free 9.0
    BlackBerry Desktop Software 6.0.1
    Bonjour
    CameraHelperMsi
    Canon MF Toolbox 4.9.1.1.mf12
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization All
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    Classic Client 6.0 SP1 Patch1
    Color Network ScanGear Ver.2.71
    Compatibility Pack for the 2007 Office system
    Crystal Reports Basic Runtime for Visual Studio 2008
    Dell ETS Factory Installation
    Dell Getting Started Guide
    DellSupport
    Dropbox
    DYMO Label v.8
    EDocs
    erLT
    eSigner 4.1 Is
    Express Burn Disc Burning Software
    Google Chrome
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HWg-PDMS 1.6.0
    HWg STE Tools 1.0.2
    HydraVision
    Intel(R) Matrix Storage Manager
    Intel(R) PRO Alerting Agent
    Intel(R) PRO Network Connections 12.1.12.4
    InventoryControl
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 31
    KeePass Password Safe 2.13
    Labeler
    Logitech Vid HD
    Logitech Webcam Software
    Logitech Webcam Software Driver Package
    LWS Facebook
    LWS Gallery
    LWS Help_main
    LWS Launcher
    LWS Motion Detection
    LWS Pictures And Video
    LWS Video Mask Maker
    LWS VideoEffects
    LWS Webcam Software
    LWS WLM Plugin
    LWS YouTube Plugin
    Malwarebytes Anti-Malware version 1.60.1.1000
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office File Validation Add-In
    Microsoft Office Professional Edition 2003
    Microsoft SQL Server 2000
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 (WASPDBEXPRESS)
    Microsoft SQL Server 2005 Tools
    Microsoft SQL Server Management Studio Express
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
    MixPad Audio Mixer
    MobileAsset
    Mouse Suite for Desktop Computers
    Mozilla Firefox 10.0.2 (x86 en-GB)
    MSVCRT
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MySQL Tools for 5.0
    NCH Tone Generator
    Netiom Interface
    Opengear SDTConnector
    Password Safe
    PayAway-IP
    PowerDVD
    Protected Music Converter 1.4.2
    PuTTY version 0.60
    QuickTime
    Quintum Tenor Configuration Manager
    Rapport
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    RealUpgrade 1.1
    Roxio Activation Module
    Roxio Creator Audio
    Roxio Creator BDAV Plugin
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio Update Manager
    Sage Line 50 7.01
    ScanSoft OmniPage 15.0
    ScanSoft PDF Converter 3.0
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Skype™ 4.2
    Sonic CinePlayer Decoder Pack
    Sophos Anti-Virus
    Sophos AutoUpdate
    Spelling Dictionaries Support For Adobe Reader 9
    Storage System Console
    Switch Sound File Converter
    System Explorer 3.8.5
    TeamViewer 6
    Telesoft Design Ltd Element Manager
    TextPad 5
    ThreatFire
    TortoiseSVN 1.5.10.16879 (32 bit)
    UDP Config 4.9.1
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    VNC Free Edition 4.1.3
    WavePad Sound Editor
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    WinPcap 4.1.2
    WinSCP 4.1.9
    Wireshark 1.4.4
    .
    ==== Event Viewer Messages From Past Week ========
    .
    13/03/2012 09:18:54, Error: NETLOGON [5719]  - This computer was not able to set up a secure session with a domain controller in domain SYNTEC_DOM1 due to the following:  There are currently no logon servers available to service the logon request.  This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.   ADDITIONAL INFO  If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
    13/03/2012 02:07:43, Error: Microsoft-Windows-TerminalServices-RemoteConnectionManager [1067]  - The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted. .
    12/03/2012 14:10:40, Error: Microsoft-Windows-DistributedCOM [10000]  - Unable to start a DCOM Server: {4F5E3A76-F453-4882-AB42-7224F3310DE7}. The error: "0" Happened while starting this command: C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe -Embedding
    12/03/2012 14:04:23, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    12/03/2012 14:03:33, Error: Service Control Manager [7000]  - The 5689 service failed to start due to the following error:  The system cannot find the file specified.
    10/03/2012 07:28:13, Error: EventLog [6008]  - The previous system shutdown at 07:25:41 on 10/03/2012 was unexpected.
    09/03/2012 20:24:43, Error: Service Control Manager [7034]  - The Sophos AutoUpdate Service service terminated unexpectedly.  It has done this 1 time(s).
    09/03/2012 19:46:14, Error: EventLog [6008]  - The previous system shutdown at 19:43:42 on 09/03/2012 was unexpected.
    09/03/2012 16:11:43, Error: Microsoft-Windows-DistributedCOM [10000]  - Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}. The error: "0" Happened while starting this command: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    09/03/2012 16:01:01, Error: EventLog [6008]  - The previous system shutdown at 15:59:04 on 09/03/2012 was unexpected.
    08/03/2012 13:27:11, Error: PlugPlayManager [12]  - The device 'RapportIaso' (Root\LEGACY_RAPPORTIASO\0000) disappeared from the system without first being prepared for removal.
    08/03/2012 12:55:42, Error: Service Control Manager [7030]  - The ThreatFire service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
    07/03/2012 18:39:27, Error: Service Control Manager [7030]  - The Sophos AutoUpdate Service service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
    07/03/2012 13:51:47, Error: TermDD [56]  - The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.
    06/03/2012 17:49:56, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the UmRdpService service.
    06/03/2012 16:58:17, Error: Microsoft-Windows-Dhcp-Client [1002]  - The IP address lease 129.178.88.142 for the Network Card with network address 00219B4CCD5B has been denied by the DHCP server 192.168.254.2 (The DHCP Server sent a DHCPNACK message).
    06/03/2012 15:30:08, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
    06/03/2012 12:29:57, Error: Service Control Manager [7001]  - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:  The dependency service or group failed to start.
    06/03/2012 12:29:56, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    06/03/2012 12:29:21, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    06/03/2012 12:29:21, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    06/03/2012 12:29:19, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    06/03/2012 12:29:11, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    06/03/2012 12:26:30, Error: Service Control Manager [7001]  - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error:  The dependency service or group failed to start.
    06/03/2012 12:25:33, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD AvgLdx86 AvgMfx86 AvgTdiX CSC DfsC NetBIOS netbt nsiproxy PSched RapportKELL RasAcd rdbss Smb spldr sptd tdx Wanarpv6
    06/03/2012 12:25:33, Error: Service Control Manager [7001]  - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
    06/03/2012 12:25:33, Error: Service Control Manager [7001]  - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error:  A device attached to the system is not functioning.
    06/03/2012 12:25:33, Error: Service Control Manager [7001]  - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error:  The dependency service or group failed to start.
    06/03/2012 12:25:33, Error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
    06/03/2012 12:25:33, Error: Service Control Manager [7001]  - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error:  A device attached to the system is not functioning.
    06/03/2012 12:25:33, Error: Service Control Manager [7001]  - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
    06/03/2012 12:25:33, Error: Service Control Manager [7001]  - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
    06/03/2012 12:25:33, Error: Service Control Manager [7001]  - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error:  A device attached to the system is not functioning.
    06/03/2012 12:25:33, Error: Service Control Manager [7001]  - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
    06/03/2012 12:25:33, Error: Service Control Manager [7001]  - The Netlogon service depends on the Workstation service which failed to start because of the following error:  The dependency service or group failed to start.
    06/03/2012 12:25:33, Error: Service Control Manager [7001]  - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
    06/03/2012 12:25:33, Error: Service Control Manager [7001]  - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
    06/03/2012 12:25:33, Error: Service Control Manager [7001]  - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
    06/03/2012 12:25:33, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The dependency service or group failed to start.
    06/03/2012 12:24:30, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048]  - Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode .
    06/03/2012 12:24:30, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
    06/03/2012 12:24:29, Error: EventLog [6008]  - The previous system shutdown at 12:22:50 on 06/03/2012 was unexpected.
    06/03/2012 12:23:39, Error: sptd [4]  - Driver detected an internal error in its data structures for .
    06/03/2012 12:22:07, Error: EventLog [6008]  - The previous system shutdown at 11:53:14 on 06/03/2012 was unexpected.
    06/03/2012 11:52:32, Error: EventLog [6008]  - The previous system shutdown at 11:49:11 on 06/03/2012 was unexpected.
    06/03/2012 11:48:32, Error: EventLog [6008]  - The previous system shutdown at 11:46:25 on 06/03/2012 was unexpected.
    06/03/2012 11:45:46, Error: EventLog [6008]  - The previous system shutdown at 11:43:08 on 06/03/2012 was unexpected.
    06/03/2012 07:50:19, Error: EventLog [6008]  - The previous system shutdown at 07:49:05 on 06/03/2012 was unexpected.
    .
    ==== End Of File ===========================
    
    Also, I have pcap files if needed.
    
    So is the PC clean?  Do I need to worry about SPTD?
    
    Many thanks!
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please don't use code boxes or quote boxes for the logs. They may look nice, but it takes up a considerably large amount of the 'real estate.'

    From the preliminary thread I referred you to:
    =============================================
    The TDSSKiller scan is not in my directions- why did you run it? And having run it anyway, why did you decide to skip removal of entries? It is important that you only run what I instruct you to.
    Malware cleaning is an orderly process and it's important that you use my instructions only while I'm helping you.
    =====================================
    I'd like you to run Combofix- but it won't run with AVG. You will need to temporarily uninstall AVG as follows:

    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
      [​IMG]
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:
    Microsoft Security Essentials
    Comodo AV
    Avast Free Version
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Before you run the Combofix scan, please disable any security software you have running.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe [​IMG]& follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.[/b]
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.[/b]
      • Note: No query will be made if the Recovery Console is already on the system.
    • .Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • .Close any open browsers.
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.
    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
      [​IMG]
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives/
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
     
  7. Seb7

    Seb7 TS Rookie Topic Starter

    Hi Bobbye,

    Sorry about the code boxes. I thought they would reduce the amount of screen real estate used and therefore make the thread easier to navigate.

    I read the preliminary thread some time before my post so I probably forgot about the not using code boxes when I came to write my post.

    I used TDSSKiller before I found this forum. I just took the default actions as I felt this was safest. The default actions were to skip these objects. Remember, this PC was unusable while connected to the Internet before I ran TDSSKiller.

    I uninstalled AVG using AppRemover (having backup the programdata and virus vault so I can restore the history if needed).
    I installed Microsoft Security Essentials.
    I ran a newly downloaded copy of ComboFix.

    ComboFix 12-03-13.01 - James 13/03/2012 18:58:26.1.2 - x86
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.44.1033.18.3325.1635 [GMT 0:00]
    Running from: c:\users\James.SYNTEC_DOM1\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\install.exe
    c:\windows\system32\~GLH0024.TMP
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-13 to 2012-03-13 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-13 19:13 . 2012-03-13 19:13 -------- d-----w- c:\users\JAMES~1~SYN\AppData\Local\temp
    2012-03-13 19:13 . 2012-03-13 19:13 -------- d-----w- c:\users\James\AppData\Local\temp
    2012-03-13 19:13 . 2012-03-13 19:13 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-03-13 18:43 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-03-13 18:40 . 2012-03-13 18:40 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4ED5EEC7-2861-4FEA-86C4-BB6E9C7848BA}\offreg.dll
    2012-03-13 18:40 . 2012-03-13 18:40 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4ED5EEC7-2861-4FEA-86C4-BB6E9C7848BA}\MpKsl684936a2.sys
    2012-03-13 18:33 . 2012-02-09 13:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{499C004E-5986-4D55-8194-C8A62B2EEF80}\gapaengine.dll
    2012-03-13 18:33 . 2012-03-01 14:34 6552120 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4ED5EEC7-2861-4FEA-86C4-BB6E9C7848BA}\mpengine.dll
    2012-03-13 17:18 . 2012-03-13 17:18 -------- d-----w- c:\program files\Microsoft Security Client
    2012-03-13 17:17 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
    2012-03-13 16:49 . 2012-03-13 16:49 -------- d-----w- C:\$AVG - Copy
    2012-03-13 16:48 . 2012-03-13 16:48 -------- d-----w- c:\programdata\avg9 - Copy
    2012-03-13 11:37 . 2012-03-13 11:37 -------- d-----w- c:\users\James.SYNTEC_DOM1\AppData\Roaming\Malwarebytes
    2012-03-13 11:37 . 2012-03-13 11:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-03-13 11:37 . 2012-03-13 11:37 -------- d-----w- c:\programdata\Malwarebytes
    2012-03-13 11:37 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-12 13:55 . 2012-03-12 13:55 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-03-11 13:48 . 2012-03-11 13:48 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2012-03-09 14:25 . 2012-03-09 14:25 -------- d-----w- c:\program files\Macrovision Corporation
    2012-03-09 12:42 . 2012-03-09 12:45 -------- d-----w- c:\programdata\SystemExplorer
    2012-03-09 12:42 . 2012-03-09 12:42 -------- d-----w- c:\program files\System Explorer
    2012-03-08 12:54 . 2011-02-22 13:57 69392 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
    2012-03-08 12:54 . 2011-02-22 13:57 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
    2012-03-08 12:54 . 2011-02-22 13:57 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
    2012-03-08 12:54 . 2012-03-08 12:54 -------- d-----w- c:\program files\ThreatFire
    2012-03-08 12:54 . 2012-03-08 12:54 -------- d-----w- c:\programdata\PC Tools
    2012-03-08 11:27 . 2012-03-08 11:27 -------- d-----w- c:\program files\Common Files\Java
    2012-03-07 18:43 . 2012-03-07 18:43 -------- d-----w- c:\users\James.SYNTEC_DOM1\AppData\Local\Sophos
    2012-03-07 18:37 . 2008-12-10 09:21 130088 ---ha-w- c:\windows\system32\54e12fbe.stf
    2012-03-07 18:37 . 2008-12-10 09:21 130088 ----a-w- c:\windows\system32\sdccoinstaller.dll
    2012-03-07 18:35 . 2012-03-07 18:35 -------- d-----w- c:\program files\Common Files\Cisco Systems
    2012-03-07 18:35 . 2008-12-09 17:10 23552 ----a-w- c:\windows\system32\SophosBootTasks.exe
    2012-03-07 18:35 . 2012-03-07 18:39 -------- d-----w- c:\program files\Sophos
    2012-03-07 18:35 . 2012-03-07 18:39 -------- d-----w- c:\programdata\Sophos
    2012-03-07 18:33 . 2008-07-18 11:50 85312 ----a-w- c:\windows\system32\drivers\savonaccess.sys
    2012-03-07 18:33 . 2008-05-23 08:39 20288 ----a-w- c:\windows\system32\drivers\SophosBootDriver.sys
    2012-03-07 18:33 . 2012-03-07 18:33 -------- d-----w- C:\stdtsa
    2012-02-23 17:35 . 2012-02-23 18:51 -------- d-----w- c:\users\James.SYNTEC_DOM1\AppData\Roaming\Download Manager
    2012-02-17 03:07 . 2012-02-17 03:10 -------- d-----w- C:\d00dc5d831cca01b31
    2012-02-14 19:36 . 2012-02-14 19:36 -------- d-sh--w- c:\windows\system32\%APPDATA%
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-03-12 14:02 . 2011-02-07 16:56 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
    2012-03-08 11:26 . 2011-01-17 12:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-02-17 17:31 . 2011-09-20 18:22 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
    @="{C5994560-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 16:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
    @="{C5994561-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 16:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
    @="{C5994562-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 16:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
    @="{C5994563-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 16:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
    @="{C5994564-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 16:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
    @="{C5994565-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 16:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
    @="{C5994566-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 16:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
    @="{C5994567-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 16:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
    @="{C5994568-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
    2008-01-16 16:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-10-31 21:02 94208 ----a-w- c:\users\James.SYNTEC_DOM1\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-10-31 21:02 94208 ----a-w- c:\users\James.SYNTEC_DOM1\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-10-31 21:02 94208 ----a-w- c:\users\James.SYNTEC_DOM1\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
    "DymoQuickPrint"="c:\program files\DYMO\DYMO Label Software\DymoQuickPrint.exe" [2011-01-28 1825360]
    "OpAgent"="c:\program files\ScanSoft\OmniPage15.0\OpAgent.exe" [2005-08-11 155648]
    "SystemExplorerAutoStart"="c:\program files\System Explorer\SystemExplorer.exe" [2012-02-21 2630800]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-15 142104]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-15 154392]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-15 138008]
    "PMX Daemon"="ICO.EXE" [2006-11-08 49152]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
    "KeePass 2 PreLoad"="c:\program files\KeePass Password Safe 2\KeePass.exe" [2010-09-05 1655296]
    "LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-07 165208]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-08-25 98304]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-25 1282048]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "RegTool"="c:\program files\Gemalto\Classic Client\BIN\RegTool.exe" [2010-09-27 897536]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
    "Opware15"="c:\program files\ScanSoft\OmniPage15.0\Opware15.exe" [2005-08-11 69632]
    "PDF3 Registry Controller"="c:\program files\ScanSoft\OmniPage15.0\PDFConverter3\\RegistryController.exe" [2005-04-26 106496]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2011-02-22 378128]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]
    .
    c:\users\James.SYNTEC_DOM1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\James.SYNTEC_DOM1\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
    Logitech . Product Registration.lnk - c:\program files\Logitech\Ereg\eReg.exe [2009-11-16 517384]
    Password Safe.lnk - c:\program files\Password Safe\pwsafe.exe [2010-7-26 2568192]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2007-6-21 245760]
    HWg-PDMS Systray.lnk - c:\program files\HW group\HWg-PDMS\HWg-PDMS_tools.exe [2011-5-9 1389416]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
    @="service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    R2 5689;5689;c:\users\JAMES~1.SYN\AppData\Local\Temp\5689.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MPKSL684936A2
    *NewlyCreated* - MPNWMON
    *NewlyCreated* - NISDRV
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-21 20:32]
    .
    2012-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-03-21 20:32]
    .
    2012-03-13 c:\windows\Tasks\User_Feed_Synchronization-{0977CED3-F5E0-4B1C-8756-11FCD3F890CB}.job
    - c:\windows\system32\msfeedssync.exe [2012-02-16 04:44]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.syntec.co.uk/stats/userLogin.asp?&reCook=t
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    IE: Open with Scansoft PDF Converter 3.0 - c:\program files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100
    Trusted Zone: bacs.co.uk\paymentservices
    TCP: DhcpNameServer = 208.67.222.222 208.67.220.220
    FF - ProfilePath - c:\users\James.SYNTEC_DOM1\AppData\Roaming\Mozilla\Firefox\Profiles\34edju4i.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.syntec.co.uk/stats/userLogin.asp?&reCook=t
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-DLSService - c:\program files\DYMO\DYMO Label Software\DLSService.exe
    HKLM-Run-OpScheduler - c:\program files\ScanSoft\OmniPage15.0\OpScheduler.exe
    SafeBoot-84879748.sys
    SafeBoot-mcmscsvc
    SafeBoot-MCODS
    AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper_3004.dll
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-03-13 19:13
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msftesql$WASPDBEXPRESS]
    "ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:WASPDBEXPRESS"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ThreatFire]
    "AlternateImagePath"=""
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e1,e0,7e,ed,65,74,9b,4f,a9,64,9f,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e1,e0,7e,ed,65,74,9b,4f,a9,64,9f,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(3628)
    c:\program files\ThreatFire\TfWah.dll
    .
    - - - - - - - > 'lsass.exe'(772)
    c:\program files\ThreatFire\TFWAH.dll
    .
    - - - - - - - > 'Explorer.exe'(464)
    c:\program files\ThreatFire\TfWah.dll
    c:\program files\ScanSoft\OmniPage15.0\OpHook15.dll
    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    c:\program files\TortoiseSVN\bin\TortoiseStub.dll
    c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
    c:\program files\TortoiseSVN\bin\libdb44.dll
    c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
    c:\users\James.SYNTEC_DOM1\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    c:\windows\System32\cscui.dll
    c:\windows\System32\npmproxy.dll
    c:\windows\System32\srchadmin.dll
    .
    Completion time: 2012-03-13 19:21:53
    ComboFix-quarantined-files.txt 2012-03-13 19:21
    .
    Pre-Run: 95,586,664,448 bytes free
    Post-Run: 95,021,539,328 bytes free
    .
    - - End Of File - - F9E5C7841D0DA77FC951FCC816C824AB



    A few notes on the ComboFix log that might be relevant:
    c:\windows\system32\drivers\Wdf01000.sys was the file that TDSSKiller 'cured' in 12.03.2012_13.49.02 log.
    c:\users\JAMES~1.SYN\AppData\Local\Temp\5689.sys is the file that I renamed to "Suspect 5689.sys" while in Safe Mode originally (along with some other files). I left the registry entry intact.

    I ran the Eset Smart Installer as described. The log:

    C:\Users\James.SYNTEC_DOM1\Downloads\Cannon drivers\scan\MF tool box\MF drivers\omnipage\installer_omnipage_professional.exe Win32/Toggle application
    C:\winnt\system32\repl\import\scripts.V2\Downloads\Cannon drivers\scan\MF tool box\MF drivers\omnipage\installer_omnipage_professional.exe Win32/Toggle application

    While checking this machine last Wednesday I realized that this user had a roaming profile set to:
    C:\winnt\system32\repl\import\scripts
    I immediately removed this configuration as it looked like an error, but this PC has been isolated so has not picked up the new config. This means that there is currently a partial backup of the main user profile for this PC from the last logoff time. %TEMP% (or indeed %LOCALAPPDATA%) is not one of the folders replicated.

    Also, while ESET was scanning, MSE popped up an alert saying that C:\TDSSKiller_Quarantine\12.03.2012_13.49.02\rtkt0000\svc0000\tsk0000.dta contained Trojan:WinNT/Simda.gen!A and a link to http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Trojan%3aWinNT%2fSimda.gen!A&threatid=2147650329
    I chose to Allow this so that ESET could scan it, but I guess that ESET may have skipped past this file in the meantime.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    It's important that you stop making decisions about what you think is right while I am helping you. Please do only what I instruct you to do. One inherent problem of running malware scans on your own is that you may not know what to do with the results. So Please run the following again:
    • Download the file TDSSKiller.zip and save to the desktop.
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe. to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
      [*] Select the action Quarantine to quarantine detected objects.

      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result. Please save the log and include it in your next reply.
    • A reboot is required after disinfection.
    ===========================================
    You have virtually smothered the system in antivirus programs: This can cause a conflict that leaves the system more vulnerable, not less. It can also noticeably slow the system down.
    AVG Free 9.0
    Microsoft Security Essentials
    Sophos Anti-Virus
    ThreatFire

    ---------------------
    - - - - - - - > 'winlogon.exe'(3628)
    c:\program files\ThreatFire\TfWah.dll
    .
    - - - - - - - > 'lsass.exe'(772)
    c:\program files\ThreatFire\TFWAH.dll
    .
    - - - - - - - > 'Explorer.exe'(464)
    c:\program files\ThreatFire\TfWah.dll
    ------------------------------
    It appears that AVG Free 9.0 was the original AV.
    You uninstalled AVG and installed MSE>> 2012-03-13

    You have ThreatFire installed and running.> 2012-03-08 12:54 and TF shows an original date of "ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2011-02-22 378128]
    You have Sophos installed and running.>> 2012-03-07 18:39

    At this point, you have MSE, Sophos and Threat Fire loading and running.
    When I had you remove AVG and gave you a choice of 3 AV programs to use while AVG was uninstalled, you should not have gone ahead and installed MSE since you still had 2 other AV programs running.

    And you have Threat Fire set to run under the following processes:
    - - - - - - - > 'winlogon.exe'(3628)
    c:\program files\ThreatFire\TfWah.dll
    .
    - - - - - - - > 'lsass.exe'(772)
    c:\program files\ThreatFire\TFWAH.dll
    .
    - - - - - - - > 'Explorer.exe'(464)
    c:\program files\ThreatFire\TfWah.dll

    Please decide which AV you are going to keep and remove the others. If you plan to put AVG back on the system when we have finished, keep either MSE or Sophos or Threat File on the system and remove the others. If you put AVG back on the system later, whatever you have kept as the temporary AV will need to be uninstalled.

    Reboot when finished.
    =========================================
    You also have RegTool [2010-09-27 897536] running from the registry. Please take this program off of the Startup Menu- even better, uninstall it. We do not recommend registry cleaner to anyone. The risk surpasses any small benefit to might get.I think this is part of Advanced System Tool.

    Note: I will remove the registry entry.
    =============================================
    Do not do anything else! Stay out of the registry. Don't take it upon yourself to delete any files other than ones I have specified or ones that are handled in the scans.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    For the Eset entries:

    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files
      :Processes 
      C:\Users\James.SYNTEC_DOM1\Downloads\Cannon drivers\scan\MF tool box\MF drivers\omnipage\installer_omnipage_professional.exe 
      C:\winnt\system32\repl\import\scripts.V2\Downloads\Cannon drivers\scan\MF tool box\MF drivers\omnipage\installer_omnipage_professional.exe 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
     
  10. Seb7

    Seb7 TS Rookie Topic Starter

    Hi, I redownloaded TDSSKiller and ran it as per your instructions:

    18:41:32.0365 4028 TDSS rootkit removing tool 2.7.20.0 Mar 9 2012 17:10:43
    18:41:34.0370 4028 ============================================================
    18:41:34.0370 4028 Current date / time: 2012/03/15 18:41:34.0370
    18:41:34.0370 4028 SystemInfo:
    18:41:34.0370 4028
    18:41:34.0370 4028 OS Version: 6.0.6002 ServicePack: 2.0
    18:41:34.0370 4028 Product type: Workstation
    18:41:34.0370 4028 ComputerName: JAMES-PC
    18:41:34.0370 4028 UserName: James
    18:41:34.0370 4028 Windows directory: C:\Windows
    18:41:34.0370 4028 System windows directory: C:\Windows
    18:41:34.0371 4028 Processor architecture: Intel x86
    18:41:34.0371 4028 Number of processors: 2
    18:41:34.0371 4028 Page size: 0x1000
    18:41:34.0371 4028 Boot type: Normal boot
    18:41:34.0371 4028 ============================================================
    18:41:59.0366 4028 Drive \Device\Harddisk0\DR0 - Size: 0x3A35294400 (232.83 Gb), SectorSize: 0x200, Cylinders: 0x76BA, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
    18:41:59.0397 4028 Drive \Device\Harddisk1\DR1 - Size: 0x7A80000 (0.12 Gb), SectorSize: 0x200, Cylinders: 0xF, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
    18:41:59.0476 4028 \Device\Harddisk0\DR0:
    18:41:59.0476 4028 MBR used
    18:41:59.0476 4028 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x2F800, BlocksNum 0x1400000
    18:41:59.0476 4028 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x142F800, BlocksNum 0x1BD79000
    18:41:59.0476 4028 \Device\Harddisk1\DR1:
    18:41:59.0477 4028 MBR used
    18:41:59.0477 4028 \Device\Harddisk1\DR1\Partition0: MBR, Type 0xB, StartLBA 0x20, BlocksNum 0x3AD2F
    18:41:59.0564 4028 Initialize success
    18:41:59.0564 4028 ============================================================
    18:42:18.0577 3808 ============================================================
    18:42:18.0577 3808 Scan started
    18:42:18.0577 3808 Mode: Manual;
    18:42:18.0577 3808 ============================================================
    18:42:19.0187 3808 5689 - ok
    18:42:19.0411 3808 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
    18:42:19.0434 3808 ACPI - ok
    18:42:19.0525 3808 ADIHdAudAddService (3db3fb83217627d9a0cb8bae6cc5b491) C:\Windows\system32\drivers\ADIHdAud.sys
    18:42:19.0531 3808 ADIHdAudAddService - ok
    18:42:19.0610 3808 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
    18:42:19.0617 3808 adp94xx - ok
    18:42:19.0669 3808 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
    18:42:19.0674 3808 adpahci - ok
    18:42:19.0704 3808 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
    18:42:19.0707 3808 adpu160m - ok
    18:42:19.0757 3808 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
    18:42:19.0760 3808 adpu320 - ok
    18:42:19.0976 3808 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
    18:42:19.0981 3808 AFD - ok
    18:42:20.0077 3808 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
    18:42:20.0079 3808 agp440 - ok
    18:42:20.0134 3808 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
    18:42:20.0136 3808 aic78xx - ok
    18:42:20.0186 3808 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
    18:42:20.0187 3808 aliide - ok
    18:42:20.0255 3808 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
    18:42:20.0257 3808 amdagp - ok
    18:42:20.0300 3808 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
    18:42:20.0302 3808 amdide - ok
    18:42:20.0321 3808 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
    18:42:20.0322 3808 AmdK7 - ok
    18:42:20.0347 3808 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
    18:42:20.0348 3808 AmdK8 - ok
    18:42:20.0571 3808 amdkmdag (da3cf5b94ad09290896e2b73df6d4173) C:\Windows\system32\DRIVERS\atikmdag.sys
    18:42:20.0706 3808 amdkmdag - ok
    18:42:20.0824 3808 amdkmdap (46a3f55772fd2d1526994693ae352579) C:\Windows\system32\DRIVERS\atikmpag.sys
    18:42:20.0828 3808 amdkmdap - ok
    18:42:20.0982 3808 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
    18:42:20.0984 3808 arc - ok
    18:42:21.0039 3808 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
    18:42:21.0041 3808 arcsas - ok
    18:42:21.0145 3808 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
    18:42:21.0174 3808 AsyncMac - ok
    18:42:21.0236 3808 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
    18:42:21.0237 3808 atapi - ok
    18:42:21.0595 3808 AtiHDAudioService (8579387516ec86d76404ddffc22214c4) C:\Windows\system32\drivers\AtihdLH3.sys
    18:42:21.0620 3808 AtiHDAudioService - ok
    18:42:21.0690 3808 AtiHdmiService (d7672d90ef03d0e2efdb02df5045a359) C:\Windows\system32\drivers\AtiHdmi.sys
    18:42:21.0692 3808 AtiHdmiService - ok
    18:42:22.0980 3808 atikmdag (da3cf5b94ad09290896e2b73df6d4173) C:\Windows\system32\DRIVERS\atikmdag.sys
    18:42:23.0027 3808 atikmdag - ok
    18:42:23.0132 3808 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
    18:42:23.0134 3808 Beep - ok
    18:42:23.0164 3808 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
    18:42:23.0165 3808 blbdrive - ok
    18:42:23.0247 3808 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
    18:42:23.0249 3808 bowser - ok
    18:42:23.0315 3808 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
    18:42:23.0316 3808 BrFiltLo - ok
    18:42:23.0333 3808 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
    18:42:23.0334 3808 BrFiltUp - ok
    18:42:23.0396 3808 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
    18:42:23.0398 3808 Brserid - ok
    18:42:23.0449 3808 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
    18:42:23.0451 3808 BrSerWdm - ok
    18:42:23.0469 3808 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
    18:42:23.0470 3808 BrUsbMdm - ok
    18:42:23.0483 3808 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
    18:42:23.0484 3808 BrUsbSer - ok
    18:42:23.0579 3808 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
    18:42:23.0580 3808 BTHMODEM - ok
    18:42:23.0661 3808 catchme - ok
    18:42:23.0757 3808 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
    18:42:23.0759 3808 cdfs - ok
    18:42:23.0813 3808 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
    18:42:23.0815 3808 cdrom - ok
    18:42:23.0839 3808 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
    18:42:23.0841 3808 circlass - ok
    18:42:23.0925 3808 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
    18:42:23.0929 3808 CLFS - ok
    18:42:24.0026 3808 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
    18:42:24.0027 3808 cmdide - ok
    18:42:24.0056 3808 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\drivers\compbatt.sys
    18:42:24.0057 3808 Compbatt - ok
    18:42:24.0104 3808 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
    18:42:24.0105 3808 crcdisk - ok
    18:42:24.0142 3808 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
    18:42:24.0144 3808 Crusoe - ok
    18:42:24.0306 3808 CSC (9bdb2e89be8d0ef37b1f25c3d3fc192c) C:\Windows\system32\drivers\csc.sys
    18:42:24.0311 3808 CSC - ok
    18:42:24.0366 3808 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
    18:42:24.0368 3808 DfsC - ok
    18:42:24.0493 3808 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
    18:42:24.0495 3808 disk - ok
    18:42:24.0670 3808 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
    18:42:24.0671 3808 drmkaud - ok
    18:42:24.0770 3808 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
    18:42:24.0771 3808 DSproct - ok
    18:42:24.0883 3808 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\Windows\system32\DRIVERS\dsunidrv.sys
    18:42:24.0884 3808 dsunidrv - ok
    18:42:24.0925 3808 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
    18:42:24.0933 3808 DXGKrnl - ok
    18:42:25.0056 3808 e1express (04944f4fc4f0477185f5d26ae0ddb90e) C:\Windows\system32\DRIVERS\e1e6032.sys
    18:42:25.0060 3808 e1express - ok
    18:42:25.0127 3808 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
    18:42:25.0130 3808 E1G60 - ok
    18:42:25.0236 3808 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
    18:42:25.0240 3808 Ecache - ok
    18:42:25.0305 3808 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
    18:42:25.0311 3808 elxstor - ok
    18:42:25.0391 3808 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
    18:42:25.0392 3808 ErrDev - ok
    18:42:25.0468 3808 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
    18:42:25.0471 3808 exfat - ok
    18:42:25.0489 3808 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
    18:42:25.0492 3808 fastfat - ok
    18:42:25.0543 3808 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
    18:42:25.0544 3808 fdc - ok
    18:42:25.0604 3808 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
    18:42:25.0605 3808 FileInfo - ok
    18:42:25.0621 3808 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
    18:42:25.0623 3808 Filetrace - ok
    18:42:25.0670 3808 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
    18:42:25.0671 3808 flpydisk - ok
    18:42:25.0777 3808 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
    18:42:25.0780 3808 FltMgr - ok
    18:42:26.0141 3808 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
    18:42:26.0168 3808 Fs_Rec - ok
    18:42:26.0225 3808 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
    18:42:26.0226 3808 gagp30kx - ok
    18:42:26.0316 3808 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
    18:42:26.0343 3808 GEARAspiWDM - ok
    18:42:26.0407 3808 GemCCID (86d3d834d35ebe920d85ffedcef79faf) C:\Windows\system32\Drivers\GemCCID.sys
    18:42:26.0409 3808 GemCCID - ok
    18:42:26.0812 3808 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
    18:42:26.0836 3808 HdAudAddService - ok
    18:42:27.0429 3808 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
    18:42:27.0437 3808 HDAudBus - ok
    18:42:27.0512 3808 HECI (c865d1f6d03595df213dc3c67e4e4c58) C:\Windows\system32\DRIVERS\HECI.sys
    18:42:27.0514 3808 HECI - ok
    18:42:27.0540 3808 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
    18:42:27.0541 3808 HidBth - ok
    18:42:27.0598 3808 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
    18:42:27.0600 3808 HidIr - ok
    18:42:27.0670 3808 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
    18:42:27.0671 3808 HidUsb - ok
    18:42:27.0728 3808 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
    18:42:27.0729 3808 HpCISSs - ok
    18:42:27.0761 3808 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
    18:42:27.0768 3808 HTTP - ok
    18:42:27.0891 3808 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
    18:42:27.0893 3808 i2omp - ok
    18:42:27.0941 3808 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
    18:42:27.0943 3808 i8042prt - ok
    18:42:28.0049 3808 iaStor (e5a0034847537eaee3c00349d5c34c5f) C:\Windows\system32\drivers\iastor.sys
    18:42:28.0051 3808 iaStor - ok
    18:42:28.0076 3808 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
    18:42:28.0081 3808 iaStorV - ok
    18:42:28.0210 3808 igfx (a03b37dbc601c35de9591b6aa1a20c22) C:\Windows\system32\DRIVERS\igdkmd32.sys
    18:42:28.0233 3808 igfx - ok
    18:42:28.0309 3808 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
    18:42:28.0310 3808 iirsp - ok
    18:42:28.0359 3808 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
    18:42:28.0361 3808 intelide - ok
    18:42:28.0461 3808 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
    18:42:28.0462 3808 intelppm - ok
    18:42:28.0504 3808 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
    18:42:28.0505 3808 IpFilterDriver - ok
    18:42:28.0546 3808 IpInIp - ok
    18:42:28.0566 3808 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
    18:42:28.0568 3808 IPMIDRV - ok
    18:42:28.0610 3808 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
    18:42:28.0612 3808 IPNAT - ok
    18:42:28.0724 3808 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
    18:42:28.0725 3808 IRENUM - ok
    18:42:28.0746 3808 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
    18:42:28.0747 3808 isapnp - ok
    18:42:28.0782 3808 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
    18:42:28.0786 3808 iScsiPrt - ok
    18:42:28.0857 3808 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
    18:42:28.0859 3808 iteatapi - ok
    18:42:28.0901 3808 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
    18:42:28.0903 3808 iteraid - ok
    18:42:28.0927 3808 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
    18:42:28.0929 3808 kbdclass - ok
    18:42:28.0998 3808 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
    18:42:28.0999 3808 kbdhid - ok
    18:42:29.0035 3808 KSecDD (2b2f1638466e8cb091400c9019cc730e) C:\Windows\system32\Drivers\ksecdd.sys
    18:42:29.0043 3808 KSecDD - ok
    18:42:29.0140 3808 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
    18:42:29.0162 3808 lltdio - ok
    18:42:29.0327 3808 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
    18:42:29.0355 3808 LSI_FC - ok
    18:42:29.0411 3808 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
    18:42:29.0414 3808 LSI_SAS - ok
    18:42:29.0480 3808 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
    18:42:29.0482 3808 LSI_SCSI - ok
    18:42:29.0574 3808 LTXMD_VAC (6e4880018d99b7f041a8d0b3f7f43b72) C:\Windows\system32\drivers\lmvac.sys
    18:42:29.0613 3808 LTXMD_VAC - ok
    18:42:29.0651 3808 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
    18:42:29.0653 3808 luafv - ok
    18:42:29.0775 3808 lvpopflt (9fb982de1c8dd769f8ed681dd878b12f) C:\Windows\system32\DRIVERS\lvpopflt.sys
    18:42:29.0803 3808 lvpopflt - ok
    18:42:29.0852 3808 LVPr2Mon (8be71d7edb8c7494913722059f760dd0) C:\Windows\system32\Drivers\LVPr2Mon.sys
    18:42:29.0853 3808 LVPr2Mon - ok
    18:42:30.0202 3808 LVRS (37072ec9299e825f4335cc554b6fac6a) C:\Windows\system32\DRIVERS\lvrs.sys
    18:42:30.0206 3808 LVRS - ok
    18:42:30.0537 3808 LVUVC (44876e70e07e9a653bbe423dbfa35a1a) C:\Windows\system32\DRIVERS\lvuvc.sys
    18:42:30.0688 3808 LVUVC - ok
    18:42:30.0802 3808 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
    18:42:30.0804 3808 megasas - ok
    18:42:30.0854 3808 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
    18:42:30.0861 3808 MegaSR - ok
    18:42:30.0949 3808 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
    18:42:30.0951 3808 Modem - ok
    18:42:31.0016 3808 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
    18:42:31.0018 3808 monitor - ok
    18:42:31.0037 3808 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
    18:42:31.0038 3808 mouclass - ok
    18:42:31.0081 3808 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
    18:42:31.0082 3808 mouhid - ok
    18:42:31.0101 3808 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
    18:42:31.0103 3808 MountMgr - ok
    18:42:31.0202 3808 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\Windows\system32\DRIVERS\MpFilter.sys
    18:42:31.0205 3808 MpFilter - ok
    18:42:31.0286 3808 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
    18:42:31.0289 3808 mpio - ok
    18:42:31.0353 3808 MpNWMon (2c3489660d4a8d514c123c3f0d67df46) C:\Windows\system32\DRIVERS\MpNWMon.sys
    18:42:31.0354 3808 MpNWMon - ok
    18:42:31.0397 3808 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
    18:42:31.0399 3808 mpsdrv - ok
    18:42:31.0470 3808 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
    18:42:31.0472 3808 Mraid35x - ok
    18:42:31.0526 3808 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
    18:42:31.0529 3808 MRxDAV - ok
    18:42:31.0591 3808 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
    18:42:31.0594 3808 mrxsmb - ok
    18:42:31.0654 3808 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
    18:42:31.0658 3808 mrxsmb10 - ok
    18:42:31.0695 3808 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
    18:42:31.0697 3808 mrxsmb20 - ok
    18:42:31.0765 3808 msahci (f70590424eefbf5c27a40c67afdb8383) C:\Windows\system32\drivers\msahci.sys
    18:42:31.0767 3808 msahci - ok
    18:42:31.0817 3808 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
    18:42:31.0819 3808 msdsm - ok
    18:42:31.0887 3808 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
    18:42:31.0889 3808 Msfs - ok
    18:42:31.0978 3808 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
    18:42:31.0979 3808 msisadrv - ok
    18:42:32.0216 3808 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
    18:42:32.0217 3808 MSKSSRV - ok
    18:42:32.0285 3808 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
    18:42:32.0286 3808 MSPCLOCK - ok
    18:42:32.0337 3808 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
    18:42:32.0339 3808 MSPQM - ok
    18:42:32.0365 3808 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
    18:42:32.0368 3808 MsRPC - ok
    18:42:32.0417 3808 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
    18:42:32.0418 3808 mssmbios - ok
    18:42:32.0516 3808 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
    18:42:32.0518 3808 MSTEE - ok
    18:42:32.0575 3808 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
    18:42:32.0577 3808 Mup - ok
    18:42:32.0659 3808 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
    18:42:32.0662 3808 NativeWifiP - ok
    18:42:32.0751 3808 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
    18:42:32.0759 3808 NDIS - ok
    18:42:32.0851 3808 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
    18:42:32.0852 3808 NdisTapi - ok
    18:42:32.0892 3808 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
    18:42:32.0894 3808 Ndisuio - ok
    18:42:32.0944 3808 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
    18:42:32.0946 3808 NdisWan - ok
    18:42:32.0982 3808 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
    18:42:32.0984 3808 NDProxy - ok
    18:42:33.0056 3808 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
    18:42:33.0058 3808 NetBIOS - ok
    18:42:33.0120 3808 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
    18:42:33.0124 3808 netbt - ok
    18:42:33.0302 3808 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
    18:42:33.0304 3808 nfrd960 - ok
    18:42:33.0349 3808 NisDrv (7b01c6172cfd0b10116175e09200d4b4) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
    18:42:33.0351 3808 NisDrv - ok
    18:42:33.0458 3808 NPF (b48dc6abcd3aeff8618350ccbdc6b09a) C:\Windows\system32\drivers\npf.sys
    18:42:33.0480 3808 NPF - ok
    18:42:33.0509 3808 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
    18:42:33.0511 3808 Npfs - ok
    18:42:33.0566 3808 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
    18:42:33.0568 3808 nsiproxy - ok
    18:42:33.0662 3808 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
    18:42:33.0678 3808 Ntfs - ok
    18:42:33.0786 3808 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
    18:42:33.0788 3808 ntrigdigi - ok
    18:42:33.0848 3808 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
    18:42:33.0849 3808 Null - ok
    18:42:33.0872 3808 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
    18:42:33.0875 3808 nvraid - ok
    18:42:33.0894 3808 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
    18:42:33.0896 3808 nvstor - ok
    18:42:33.0946 3808 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
    18:42:33.0949 3808 nv_agp - ok
    18:42:33.0958 3808 NwlnkFlt - ok
    18:42:33.0970 3808 NwlnkFwd - ok
    18:42:34.0030 3808 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
    18:42:34.0032 3808 ohci1394 - ok
    18:42:34.0137 3808 Parport (8a79fdf04a73428597e2caf9d0d67850) C:\Windows\system32\DRIVERS\parport.sys
    18:42:34.0139 3808 Parport - ok
    18:42:34.0184 3808 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
    18:42:34.0186 3808 partmgr - ok
    18:42:34.0204 3808 Parvdm (6c580025c81caf3ae9e3617c22cad00e) C:\Windows\system32\DRIVERS\parvdm.sys
    18:42:34.0205 3808 Parvdm - ok
    18:42:34.0278 3808 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
    18:42:34.0281 3808 pci - ok
    18:42:34.0334 3808 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
    18:42:34.0336 3808 pciide - ok
    18:42:34.0388 3808 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
    18:42:34.0392 3808 pcmcia - ok
    18:42:34.0466 3808 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
    18:42:34.0478 3808 PEAUTH - ok
    18:42:34.0577 3808 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
    18:42:34.0579 3808 PptpMiniport - ok
    18:42:34.0608 3808 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
    18:42:34.0610 3808 Processor - ok
    18:42:34.0666 3808 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
    18:42:34.0668 3808 PSched - ok
    18:42:34.0760 3808 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\Windows\system32\Drivers\PxHelp20.sys
    18:42:34.0762 3808 PxHelp20 - ok
    18:42:34.0842 3808 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
    18:42:34.0856 3808 ql2300 - ok
    18:42:34.0909 3808 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
    18:42:34.0911 3808 ql40xx - ok
    18:42:34.0959 3808 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
    18:42:34.0961 3808 QWAVEdrv - ok
    18:42:35.0148 3808 R300 (da3cf5b94ad09290896e2b73df6d4173) C:\Windows\system32\DRIVERS\atikmdag.sys
    18:42:35.0190 3808 R300 - ok
    18:42:35.0403 3808 RapportCerberus_34302 (6b6f0a77365667912360ff1d5e984f25) C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\34302\RapportCerberus32_34302.sys
    18:42:35.0407 3808 RapportCerberus_34302 - ok
    18:42:35.0511 3808 RapportEI (43b9aa1423bf54367c5a3de1559780e8) C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
    18:42:35.0513 3808 RapportEI - ok
    18:42:35.0618 3808 RapportIaso (dd3e4610de9252a957c5bd19bdf47ac4) c:\programdata\trusteer\rapport\store\exts\rapportms\28896\rapportiaso.sys
    18:42:35.0619 3808 RapportIaso - ok
    18:42:35.0704 3808 RapportKELL (118600ab8f15fe27f2c865f3fb4efa58) C:\Windows\system32\Drivers\RapportKELL.sys
    18:42:35.0706 3808 RapportKELL - ok
    18:42:35.0820 3808 RapportPG (4af05a67b643a5190dfcbb793273e0bc) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
    18:42:35.0824 3808 RapportPG - ok
    18:42:35.0924 3808 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
    18:42:35.0926 3808 RasAcd - ok
    18:42:35.0951 3808 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
    18:42:35.0953 3808 Rasl2tp - ok
    18:42:35.0987 3808 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
    18:42:35.0989 3808 RasPppoe - ok
    18:42:36.0005 3808 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
    18:42:36.0007 3808 RasSstp - ok
    18:42:36.0092 3808 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
    18:42:36.0096 3808 rdbss - ok
    18:42:36.0116 3808 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
    18:42:36.0117 3808 RDPCDD - ok
    18:42:36.0164 3808 rdpdr (943b18305eae3935598a9b4a3d560b4c) C:\Windows\system32\DRIVERS\rdpdr.sys
    18:42:36.0169 3808 rdpdr - ok
    18:42:36.0222 3808 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
    18:42:36.0224 3808 RDPENCDD - ok
    18:42:36.0258 3808 RDPWD (79c6df8477250f5c54f7c5ae1d6b814e) C:\Windows\system32\drivers\RDPWD.sys
    18:42:36.0262 3808 RDPWD - ok
    18:42:36.0329 3808 RimUsb (92d33f76769a028ddc54a863eb7de4a2) C:\Windows\system32\Drivers\RimUsb.sys
    18:42:36.0330 3808 RimUsb - ok
    18:42:36.0482 3808 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\Windows\system32\DRIVERS\RimSerial.sys
    18:42:36.0483 3808 RimVSerPort - ok
    18:42:36.0508 3808 ROOTMODEM (75e8a6bfa7374aba833ae92bf41ae4e6) C:\Windows\system32\Drivers\RootMdm.sys
    18:42:36.0509 3808 ROOTMODEM - ok
    18:42:36.0588 3808 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
    18:42:36.0590 3808 rspndr - ok
    18:42:36.0733 3808 SAVOnAccess (127e21305c1880b550bea4b0adfd9d94) C:\Windows\system32\DRIVERS\savonaccess.sys
    18:42:36.0780 3808 SAVOnAccess - ok
    18:42:36.0877 3808 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
    18:42:36.0879 3808 sbp2port - ok
    18:42:36.0941 3808 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
    18:42:36.0943 3808 secdrv - ok
    18:42:37.0070 3808 Serenum (ce9ec966638ef0b10b864ddedf62a099) C:\Windows\system32\DRIVERS\serenum.sys
    18:42:37.0071 3808 Serenum - ok
    18:42:37.0175 3808 Serial (6d663022db3e7058907784ae14b69898) C:\Windows\system32\DRIVERS\serial.sys
    18:42:37.0178 3808 Serial - ok
    18:42:37.0207 3808 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
    18:42:37.0209 3808 sermouse - ok
    18:42:37.0239 3808 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
    18:42:37.0241 3808 sffdisk - ok
    18:42:37.0288 3808 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
    18:42:37.0289 3808 sffp_mmc - ok
    18:42:37.0328 3808 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
    18:42:37.0329 3808 sffp_sd - ok
    18:42:37.0406 3808 sfloppy (c33bfbd6e9e41fcd9ffef9729e9faed6) C:\Windows\system32\DRIVERS\sfloppy.sys
    18:42:37.0422 3808 sfloppy - ok
    18:42:37.0530 3808 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
    18:42:37.0532 3808 sisagp - ok
    18:42:37.0584 3808 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
    18:42:37.0586 3808 SiSRaid2 - ok
    18:42:37.0613 3808 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
    18:42:37.0616 3808 SiSRaid4 - ok
    18:42:37.0665 3808 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
    18:42:37.0667 3808 Smb - ok
    18:42:37.0750 3808 SophosBootDriver (6de03cbac3139d2fd8fba4aab4ac5bd0) C:\Windows\system32\DRIVERS\SophosBootDriver.sys
    18:42:37.0768 3808 SophosBootDriver - ok
    18:42:37.0821 3808 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
    18:42:37.0822 3808 spldr - ok
    18:42:37.0935 3808 sptd (cdddec541bc3c96f91ecb48759673505) C:\Windows\system32\Drivers\sptd.sys
    18:42:37.0936 3808 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
    18:42:37.0937 3808 sptd ( LockedFile.Multi.Generic ) - warning
    18:42:37.0937 3808 sptd - detected LockedFile.Multi.Generic (1)
    18:42:38.0015 3808 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
    18:42:38.0020 3808 srv - ok
    18:42:38.0067 3808 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
    18:42:38.0070 3808 srv2 - ok
    18:42:38.0115 3808 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
    18:42:38.0117 3808 srvnet - ok
    18:42:38.0181 3808 StillCam (ef70b3d22b4bffda6ea851ecb063efaa) C:\Windows\system32\DRIVERS\serscan.sys
    18:42:38.0183 3808 StillCam - ok
    18:42:38.0234 3808 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
    18:42:38.0236 3808 swenum - ok
    18:42:38.0290 3808 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
    18:42:38.0292 3808 Symc8xx - ok
    18:42:38.0305 3808 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
    18:42:38.0307 3808 Sym_hi - ok
    18:42:38.0325 3808 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
    18:42:38.0327 3808 Sym_u3 - ok
    18:42:38.0421 3808 Tcpip (16731b631f28f63cd9f4cb60940e7ddd) C:\Windows\system32\drivers\tcpip.sys
    18:42:38.0434 3808 Tcpip - ok
    18:42:38.0595 3808 Tcpip6 (16731b631f28f63cd9f4cb60940e7ddd) C:\Windows\system32\DRIVERS\tcpip.sys
    18:42:38.0602 3808 Tcpip6 - ok
    18:42:38.0671 3808 tcpipreg (3fc13f09af9be487c7b4fac4070a036c) C:\Windows\system32\drivers\tcpipreg.sys
    18:42:38.0672 3808 tcpipreg - ok
    18:42:38.0741 3808 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
    18:42:38.0742 3808 TDPIPE - ok
    18:42:38.0762 3808 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
    18:42:38.0764 3808 TDTCP - ok
    18:42:38.0822 3808 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
    18:42:38.0824 3808 tdx - ok
    18:42:38.0936 3808 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
    18:42:38.0938 3808 TermDD - ok
    18:42:38.0999 3808 TfFsMon (a56ec942ecabfb7849bfa76060f929fb) C:\Windows\system32\drivers\TfFsMon.sys
    18:42:39.0001 3808 TfFsMon - ok
    18:42:39.0050 3808 TfNetMon (917ef522563f6047685486efa486fb3c) C:\Windows\system32\drivers\TfNetMon.sys
    18:42:39.0052 3808 TfNetMon - ok
    18:42:39.0072 3808 TfSysMon (57edbb5fe7ff09bb21121d13bb950ba5) C:\Windows\system32\drivers\TfSysMon.sys
    18:42:39.0074 3808 TfSysMon - ok
    18:42:39.0172 3808 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
    18:42:39.0173 3808 tssecsrv - ok
    18:42:39.0192 3808 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
    18:42:39.0193 3808 tunmp - ok
    18:42:39.0217 3808 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
    18:42:39.0218 3808 tunnel - ok
    18:42:39.0264 3808 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
    18:42:39.0266 3808 uagp35 - ok
    18:42:39.0314 3808 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
    18:42:39.0319 3808 udfs - ok
    18:42:39.0367 3808 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
    18:42:39.0369 3808 uliagpkx - ok
    18:42:39.0434 3808 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
    18:42:39.0438 3808 uliahci - ok
    18:42:39.0460 3808 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
    18:42:39.0463 3808 UlSata - ok
    18:42:39.0514 3808 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
    18:42:39.0516 3808 ulsata2 - ok
    18:42:39.0611 3808 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
    18:42:39.0612 3808 umbus - ok
    18:42:39.0677 3808 usbaudio (32db9517628ff0d070682aab61e688f0) C:\Windows\system32\drivers\usbaudio.sys
    18:42:39.0679 3808 usbaudio - ok
    18:42:39.0751 3808 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
    18:42:39.0753 3808 usbccgp - ok
    18:42:39.0828 3808 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
    18:42:39.0830 3808 usbcir - ok
    18:42:39.0862 3808 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
    18:42:39.0863 3808 usbehci - ok
    18:42:39.0940 3808 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
    18:42:39.0944 3808 usbhub - ok
    18:42:40.0032 3808 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
    18:42:40.0034 3808 usbohci - ok
    18:42:40.0085 3808 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
    18:42:40.0086 3808 usbprint - ok
    18:42:40.0145 3808 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
    18:42:40.0147 3808 USBSTOR - ok
    18:42:40.0203 3808 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
    18:42:40.0205 3808 usbuhci - ok
    18:42:40.0264 3808 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
    18:42:40.0268 3808 usbvideo - ok
    18:42:40.0315 3808 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
    18:42:40.0317 3808 vga - ok
    18:42:40.0338 3808 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
    18:42:40.0340 3808 VgaSave - ok
    18:42:40.0386 3808 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
    18:42:40.0388 3808 viaagp - ok
    18:42:40.0408 3808 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
    18:42:40.0409 3808 ViaC7 - ok
    18:42:40.0449 3808 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
    18:42:40.0451 3808 viaide - ok
    18:42:40.0472 3808 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
    18:42:40.0474 3808 volmgr - ok
    18:42:40.0597 3808 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
    18:42:40.0603 3808 volmgrx - ok
    18:42:40.0682 3808 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
    18:42:40.0686 3808 volsnap - ok
    18:42:40.0738 3808 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
    18:42:40.0741 3808 vsmraid - ok
    18:42:40.0822 3808 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
    18:42:40.0823 3808 WacomPen - ok
    18:42:40.0841 3808 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
    18:42:40.0844 3808 Wanarp - ok
    18:42:40.0877 3808 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
    18:42:40.0879 3808 Wanarpv6 - ok
    18:42:40.0933 3808 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
    18:42:40.0935 3808 Wd - ok
    18:42:40.0987 3808 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
    18:42:40.0994 3808 Wdf01000 - ok
    18:42:41.0087 3808 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\drivers\wmiacpi.sys
    18:42:41.0088 3808 WmiAcpi - ok
    18:42:41.0180 3808 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
    18:42:41.0181 3808 ws2ifsl - ok
    18:42:41.0247 3808 WSDPrintDevice (4422ac5ed8d4c2f0db63e71d4c069dd7) C:\Windows\system32\DRIVERS\WSDPrint.sys
    18:42:41.0248 3808 WSDPrintDevice - ok
    18:42:41.0349 3808 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
    18:42:41.0351 3808 WUDFRd - ok
    18:42:41.0384 3808 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
    18:42:41.0440 3808 \Device\Harddisk0\DR0 - ok
    18:42:41.0451 3808 MBR (0x1B8) (973e9ba32fdbb305c552ed3e1ebf0686) \Device\Harddisk1\DR1
    18:42:41.0461 3808 \Device\Harddisk1\DR1 - ok
    18:42:41.0480 3808 Boot (0x1200) (47b7c63b1ff6106e81d91108af21ffb5) \Device\Harddisk0\DR0\Partition0
    18:42:41.0481 3808 \Device\Harddisk0\DR0\Partition0 - ok
    18:42:41.0487 3808 Boot (0x1200) (2550465ec1fd92fcd2071b2e5e16973e) \Device\Harddisk0\DR0\Partition1
    18:42:41.0488 3808 \Device\Harddisk0\DR0\Partition1 - ok
    18:42:41.0498 3808 Boot (0x1200) (cdcdee224afbb2371d076be8797665cf) \Device\Harddisk1\DR1\Partition0
    18:42:41.0499 3808 \Device\Harddisk1\DR1\Partition0 - ok
    18:42:41.0501 3808 ============================================================
    18:42:41.0502 3808 Scan finished
    18:42:41.0502 3808 ============================================================
    18:42:41.0524 4672 Detected object count: 1
    18:42:41.0524 4672 Actual detected object count: 1
    18:43:27.0862 4672 C:\Windows\system32\Drivers\sptd.sys - copied to quarantine
    18:43:28.0591 4672 sptd ( LockedFile.Multi.Generic ) - User select action: Quarantine
    18:44:57.0073 3852 Deinitialize success

    Then I rebooted.

    =============================

    As far as I am concerned MSE is the only functional, traditional AntiVirus program installed right now.

    ThreatFire is not really an AV program in the traditional sense. It does not use virus definitions and can co-exist with AV programs. http://www.threatfire.com/ If it had not been for ThreatFire I would not have known that the PC was still infected after the AVG scan. However, if you still want me to uninstall it, I will.

    The version of Sophos installed is this one:
    http://www.sophos.com/en-us/product...urity-scans/sophos-threat-detection-test.aspx
    It does not have any resident shield functionality or even scheduled scan functionality. The only thing it does without user intervention as far as I can tell is to update itself. So it should not cause any conflicts with other AV programs. However, if you still want me to uninstall it, I will.

    To be honest, I don't know what the final antivirus solution will be. This infection has shown to me (a) how lacking AVG is, and (b) how all definition based AntiVirus software I know about is behind the curve and therefore cannot protect you from new threats. Do you have any recommendations for an inexpensive AV solution for a small office environment? Probably 10 workstations, including some at people's homes. With a central management console. The server part should preferably be in the cloud, but I could install it on a Windows or Linux server.

    =============================

    RegTool: I too was suspicious of this file. It turns out (or at least it appears) that it was installed with Gemalto Classic Client (http://www.gemalto.com/products/classic_client/ Classic Client is a smart card-based crypto-library product that brings portability and the highest level of security to enterprise networks.) Lots of other people have it installed in this location: http://processchecker.com/file/RegTool.exe.html However, it probably does not need to run automatically from what I read here: http://forums.epo.org/installation-and-maintenance/topic1923.html. If it is not installed on Citrix workstations, I guess it can be run manually when needed. However, it is located here:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    So I will not edit the registry without you telling me to.

    ============================

    I downloaded and ran OTM as specified. Here is the log that opened after rebooting:

    All processes killed
    ========== FILES ==========
    ========== PROCESSES ==========
    No active process named C:\Users\James.SYNTEC_DOM1\Downloads\Cannon drivers\scan\MF tool box\MF drivers\omnipage\installer_omnipage_professional.exe was found!
    No active process named C:\winnt\system32\repl\import\scripts.V2\Downloads\Cannon drivers\scan\MF tool box\MF drivers\omnipage\installer_omnipage_professional.exe was found!
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: AppData
    ->Temp folder emptied: 0 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->Flash cache emptied: 56466 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: James
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 51189886 bytes
    ->Flash cache emptied: 1280 bytes

    User: James.SYNTEC_DOM1
    ->Temp folder emptied: 313725 bytes
    ->Temporary Internet Files folder emptied: 234784532 bytes
    ->Java cache emptied: 5121057 bytes
    ->FireFox cache emptied: 58530973 bytes
    ->Google Chrome cache emptied: 6417939 bytes
    ->Flash cache emptied: 250068 bytes

    User: JAMES~1~SYN
    ->Temp folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 5683560 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 41282544 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 741 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 385.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 03152012_192607

    Files moved on Reboot...

    Registry entries deleted on Reboot...
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You may have any antivirus program you want> but only one. Aditional security should be a firewall and at least 2 antispyware programs.

    It this your work? >>http://syntec.co.uk/
    Is this what you use the Remove Connection for?
    Are you the office IT? Do you have an IT?
    ===================================
    I am puzzled why you have posted on a free computer internet forum 'staffed' by volunteers. You are obviously knowledgeable in the cyberworld and you want to second guess or dispute what I say. It sounds like maybe someone said to you "be the IT for the office" but you are asking me how to set up the security.

    When I refer to a process, assuming I am not asking you what it is, please be assured that "I" know what it is. It is not necessary for you to look it up, leave links for me to look at- I've already been there.

    From OTM>> Total Files Cleaned = 385.00 mb- this is a large amount of files.

    When you decide which AV you want to have now-only one- remove the others. I will remove any left over entries. There are some entries in Combofix to remove also so I'll give you all the script together.
    =====================================
    The first TDSSKiller log pointed to several downloads that weren't digitally signed:
    DSproct ( UnsignedFile.Multi.Generic )
    Dsproct.sys with description Process Trigger Driver is a driver file from company Gteko Ltd.
    SAVOnAccess ( UnsignedFile.Multi.Generic )
    SophosBootDriver ( UnsignedFile.Multi.Generic )
    However, they don't show in the 2nd log. The processes are still on the system> curious they don't show up in the second log.
    ======================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
      [​IMG]
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives/
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ========================================
    Please handle the AV. Leave the Eset log in your next reply.
     
  12. Seb7

    Seb7 TS Rookie Topic Starter

    Yes, it is.
    The Remote Connection is from my Office PC to the infected PC downstairs through a firewall. However, some members of staff work from home.
    Yes, I am Office IT as well as other things like Networking. But I am a generalist having spent time as a software developer / architect. You are clearly a specialist in this area, which is why I have come to you for help. I am trying to help you where I can with information that may be relevant just to save you time. But in the end, I will do what you recommend as I respect your increased knowledge in this area. (I am not disputing anything you say. In fact, I am asking you for recomendations, should you wish to give any.)

    Well, for now, lets keep MSE and remove ThreatFire and Sophos then.

    =======================================

    Indeed, it is curious that they do not show up in 2nd TDSSKiller log. SAVOnAccess may be Sophos. Perhaps the two Sophos ones are loaded when it does a scan and then not unloaded until a reboot? Dsproct.sys is bundled with Dell Support Center (which is made by Gteko Ltd). The version installed is actually somewhat old (maybe a few years), and also uses the Windows 98 User-Agent when it connects to the Internet. As this triggers (possible malware) alerts in Snort, I was considering removing or disabling it. There is a newer version of Dell Support Center available, I believe, but I don't know if it's 'better'. Not sure why they would disappear from the TDSSKiller log though. Internet access was denied in the firewall so it would not have been able to get any updates - maybe that's why???

    =======================================

    Removed ThreatFire, rebooted.
    Removed Sophos (both via Programs and Features, Uninstall), rebooted.
    Allowed access to the Internet in the firewall.
    Downloaded Eset Smart Installer again and ran it. When I saw it had detected something I denied access in the firewall again. But it hasn't found anything new. Here is the log:

    C:\TDSSKiller_Quarantine\12.03.2012_13.49.02\rtkt0000\svc0000\tsk0000.dta Win32/Agent.SUC.Gen trojan
    C:\Users\James.SYNTEC_DOM1\Downloads\Cannon drivers\scan\MF tool box\MF drivers\omnipage\installer_omnipage_professional.exe Win32/Toggle application
    C:\winnt\system32\repl\import\scripts.V2\Downloads\Cannon drivers\scan\MF tool box\MF drivers\omnipage\installer_omnipage_professional.exe Win32/Toggle application


    P.S. I noticed yesterday or Wednesday that Firefox no longer thought it was the default browser. Neither I, nor James, changed that. I made it the default browser again when it asked me again today. Strange.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Fill me in please:

    This computer belongs to James- correct?
    You are helping James with the system using a Remote Access.
    You are the office IT.

    What is the relationship between you and James? Is he a client?

    I question some of the things you are doing- such as 'closing the firewall?'
    When doing an antivirus scan, it will show entries no matter what the location.
    1. If Eset shows an entry C:\TDSSKiller_Quarantine\12.03.2012_13.49.02\rtkt0000\svc0000\tsk0000.dta Win32/Agent.SUC.Gen trojan, the entry is not active in the system, but has been put in quarantine by the program.
    2. If a virus scan shows an entry in the Qoobox, that is where Combofix puts the quarantined folders. It is not active in the system.
    3. If a virus scan shows an entry in System Volume, those are where restore points are held. It is not active in the system. IF you did a System Restore and restored back to that restore point, you could reinfect the system.

    All of the above is removed when appropriate in the cleaning process. But the virus scan doesn't read the location of TDSSKiller quarantine log or Qoobox or System Volume> it only reads the name of the malware, even though it has been handled. So whatever you're doing to the firewall has no effect on these entries because they have already been handled.
    ==========================================
    I can't find much on Win32/Toggle- possibly adware, or a False Positive.

    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :
      :Files 
      C:\Users\James.SYNTEC_DOM1\Downloads\Cannon drivers\scan\MF tool box\MF drivers\omnipage\installer_omnipage_professional.exe 
      C:\winnt\system32\repl\import\scripts.V2\Downloads\Cannon drivers\scan\MF tool box\MF drivers\omnipage\installer_omnipage_professional.exe 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
     
  14. Seb7

    Seb7 TS Rookie Topic Starter

    The computer is ordinarily used by James. I have been helping him either logged on locally as him, or at certain times logged on as him from my PC upstairs so that (a) he can still use his desk, (b) I can be doing other things at the same time, e.g. while a scan is running, or (c) so I can control what access his PC has to the Internet.

    James is a colleague.

    I am aware of what the firewall does and does not do. I was simply removing Internet access at times when it was not required in case there was still a virus active on his computer (as, if so, I did not want it downloading new viruses). At the time, the ESET virus scan had just started so I did not know what the result would be.

    ==========================================

    I ran OTMovit with the code listed and this is the log produced:

    All processes killed
    Error: Unable to interpret <:> in the current context!
    ========== FILES ==========
    C:\Users\James.SYNTEC_DOM1\Downloads\Cannon drivers\scan\MF tool box\MF drivers\omnipage\installer_omnipage_professional.exe moved successfully.
    C:\winnt\system32\repl\import\scripts.V2\Downloads\Cannon drivers\scan\MF tool box\MF drivers\omnipage\installer_omnipage_professional.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: AppData
    ->Temp folder emptied: 0 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: James
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: James.SYNTEC_DOM1
    ->Temp folder emptied: 6117578 bytes
    ->Temporary Internet Files folder emptied: 6503713 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 91654783 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 252514 bytes

    User: JAMES~1~SYN
    ->Temp folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 195392 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 100.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 03292012_130346

    Files moved on Reboot...
    C:\Windows\temp\FXSAPIDebugLogFile.txt moved successfully.
    C:\Windows\temp\FXSTIFFDebugLogFile.txt moved successfully.

    Registry entries deleted on Reboot...

    ==========================================

    I rebooted when it requested me to.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Again, sorry for the delay but I have been sick.

    I asked about who and how you were helping for a specific reason: some IT persons can't deal with a client's problem so they will post here to get free help, then charge the client. Understandably, I take issue with this.

    You are more qualified than I am set up the network. IF there is any unresolved problem with the malware, please let me know.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...