
winlogon.exe + Gmail doesn't load + low virtual memory



Old 03-05-2012, 05:03 PM   #1
Registered Member
 
Join Date: Mar 2012
Posts: 6
OS: XP



Hi

Usually the computers I manage are pretty clean but on the PC that my parents use, the following symptoms have come up:
  • gmail does not load - at all, in any browser. It freezes on the loading page and this is the first symptom that was detected. I have cleared cookies, cache and history as well as uninstalled and then reinstalled the latest version of Firefox and Chrome.
  • repetitive low virtual memory dialogue box in the bottom right-hand corner which appears during start-up.
  • computer is extremely slow - and doesn't allow me to load applications or internet pages.
  • winlogon.exe virtual memory is >>> memory usage - I have read online and have isolated that the above problem may be due to this process which is consuming much more virtual memory than memory usage. I have read that >150% is a warning point and when I last checked, this process was running 22000kB virtual memory against 700kB memory usage (i.e. 3100%). Some online searches suggest that this may be a trojan.

I have looked through this thread (Is your PC running slow...?) but am unable to run through any of the suggestions as the computer is very unresponsive.

I have tried to manually delete the suspect file (C:\WINDOWS\System32\winlogon.exe) but without success and I am not even sure that this is the culprit in causing the wider PC problems. I would be very grateful if you could help sort out this problem and help get my folks back online :)

Many thanks

TallBox


Mod's Note: note received via PM that nothing happens when trying to run DDS and GMER.

Old 03-07-2012, 08:55 PM   #2
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
Ried

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,358
OS: WinXP Home, Vista, Windows 7 64bit



Hello TallBox,

Please do not delete c:\windows\system32\winlogon.exe. That is a critical Windows system file.

What happens when you try to run DDS?

__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 03-07-2012, 10:42 PM   #3
TallBox

Hi Ried

Thank you for your response.

I followed the instructions for first-time posters (including removing cracked software, P2P and CD emulation, none of which are on my parents' computer) but was not able to execute either dds.scr or gmer. I double-clicked each icon, the egg-timer would appear momentarily and then nothing would happen.

(I should add that I wasn't able to download each file because the browser kept redirecting to strange sites and was extremely slow. So I manually transferred the files via a USB key).
Old 03-08-2012, 04:26 AM   #4
Ried

You're welcome. :)

Try running the tools from Safe Mode: (these tools can be run from the flash drive)

1) Restart the computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account.
Old 03-09-2012, 09:03 AM   #5
TallBox

Hi Ried

Thank you for your response.

Unfortunately, this still did not work. I pressed the F8 button after hearing the computer beep once during startup, but before the Windows icon appeared. The menu appeared, I used the up arrow key to highlight and select Safe Mode. It seemed to execute, the screen went blank for a second then the following screen appeared (see attached) and froze. I had to manually hit the power button to reset the computer.

Symptoms again: the computer works more or less normally except that it is very slow - especially in browsing. Gmail does not load at all and there are constant and very annoying redirects to unknown websites. I'll have yet another try of the steps including DDS, GMER and starting in Safe Mode and let you know (although I have already tried about 6 times with no success).

Thanks

TallBox

Attached: 2012-03-09 08.35.07.jpg (screenshot of the frozen Safe Mode screen)
Old 03-09-2012, 02:55 PM   #6
Ried

Hi,

Forget Safe Mode. :)

It's likely the slowness of your computer that is making it seem as though dds is not doing anything.

Run dds in Normal Mode and walk away - give it time to produce a log.

Also, what Operating System is this machine? Is it XP?
Old 03-11-2012, 11:19 AM   #7
TallBox

Hi Ried

After about 2 days and 20 attempts of trying, for some reason I got lucky and both dds and GMER decided to run! :) (The other times, I would double-click, wait for between 5-15 minutes and absolutely nothing would happen, before I shut down).

Below is the dds.txt log:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_15
Run by Admin at 17:35:55 on 2012-03-11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.588 [GMT 0:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: {0347C33E-8762-4905-BF09-768834316C61} - No File
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
BHO: {100EB1FD-D03E-47FD-81F3-EE91287F9465} - No File
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - No File
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
EB: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
EB: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - No File
EB: {A7CDDCDC-BEEB-4685-A062-978F5E07CEEE} - No File
StartupFolder: c:\documents and settings\admin\start menu\programs\startup\patdccka.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\dell wireless\PRISMCFG.exe
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Download All using 4shared Desktop
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B}
TCP: DhcpNameServer = 192.168.0.1
Hosts: 94.63.147.16 Google
Hosts: 94.63.147.17 Bing
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\j957w8wj.default\
FF - prefs.js: browser.startup.homepage - BBC News - Home
FF - plugin: c:\documents and settings\admin\local settings\application data\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.accept-encoding -
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
S3 c2qia.sys;c2qia.sys;\??\c:\windows\system32\drivers\c2qia.sys --> c:\windows\system32\drivers\c2qia.sys [?]
.
=============== Created Last 30 ================
.
2012-03-05 03:18:46 140496 ---ha-w- c:\windows\system32\u3qZrJo
2012-03-04 11:26:49 -------- d-sh--w- c:\documents and settings\admin\local settings\application data\.#
2012-03-01 17:46:20 1409 ----a-w- c:\windows\QTFont.for
2012-03-01 17:46:15 169408 ---ha-w- c:\windows\system32\2tBncvSHp
2012-03-01 13:49:30 127984 ---ha-w- c:\windows\system32\OrnKiO3
2012-03-01 01:04:55 127984 ---ha-w- c:\documents and settings\admin\OrnKiO3
2012-03-01 01:04:55 103616 ---ha-w- c:\documents and settings\admin\ggnVP23
2012-03-01 00:31:01 -------- d-----w- c:\documents and settings\admin\local settings\application data\Temp
2012-02-28 00:20:43 114592 ---ha-w- c:\documents and settings\admin\2tBncvSHp
2012-02-22 16:49:09 -------- d-----w- c:\documents and settings\admin\local settings\application data\Google
2012-02-21 18:10:05 -------- d-----w- c:\documents and settings\admin\local settings\application data\i18GLServ
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 5.1.2600 Disk: WDC_WD800JD-75MSA1 rev.10.01E01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85ED349F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85eda738]; MOV EAX, [0x85eda8ac]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE136] -> \Device\Harddisk0\DR0[0x8657BAB8]
3 CLASSPNP[0xF75FF05B] -> ntkrnlpa!IofCallDriver[0x804EE136] -> [0x85FD0A90]
\Driver\atapi[0x862B1030] -> IRP_MJ_CREATE -> 0x85ED349F
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x85ED32C6
user & kernel MBR OK
copy of MBR has been found in sector 156232125
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 17:40:35.29 ===============

I ran GMER with the scanning directories selected as described by this image. At the end of the GMER scan, the following notification box came up: "Warning!! GMER has found system modification caused by ROOTKIT activity."

Attached are the ark.txt and attach.txt logs.

Update on symptoms - computer is still quite slow but gmail seems to work on 50% of attempts. The other 50%, I am unable to log in.

I am running Windows XP Home Edition 2002 SP2.

Thank you
Attached: attach.zip (10.5 KB)
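The DDS and GMER output in the post above carries several indicators a responder would want to pick out mechanically rather than by eye: the Hosts entries that point Google and Bing at non-loopback addresses (which is enough on its own to explain the redirects and the Gmail failure), the DisableTaskMgr policy, the hidden random-named files under system32 and the profile root, the c2qia.sys driver entry whose file is missing, a bare .exe in the user's Startup folder, and the hooked atapi DriverStartIo that GMER reports. The Python script below is an added example written for this page; it is not a tool from the thread or from the DDS/GMER authors. It runs those checks over excerpts of the pasted log (embedded inline, plus one constructed loopback Hosts entry to show the negative case). The category names, the "random name" test and the choice of indicators are assumptions made here, not DDS conventions.

```python
"""Mechanical triage of a DDS + GMER log.

Added example for this page; not a tool from the thread or from the DDS/GMER
authors.  Category names, the 'random name' test and the indicator list are
assumptions made here.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


# Line shapes taken from the DDS/GMER log pasted in the thread.
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
POLICY_RE = re.compile(r"^dPolicies-system:\s+DisableTaskMgr\s*=\s*1\b")
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)\s+([a-z-]{8})\s+(.+)$")
STARTUP_RE = re.compile(r"^StartupFolder:\s+(.+)$", re.IGNORECASE)
HOOK_RE = re.compile(r"^\\Driver\\\S+\s+\S+\s+->\s+0x[0-9A-Fa-f]+$")
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{6,}$")


def looks_random(basename: str) -> bool:
    """ASSUMPTION: a dropper-style name is 6+ alphanumerics, no extension, and
    mixed case or digits (u3qZrJo, ggnVP23).  Only applied to hidden files."""
    if not RANDOM_NAME_RE.match(basename):
        return False
    upper = any(c.isupper() for c in basename)
    lower = any(c.islower() for c in basename)
    digit = any(c.isdigit() for c in basename)
    return (upper and lower) or digit


def triage(log_text: str) -> list:
    """Return one Finding per indicator found in the log text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:  # hosts-file entry: anything not pointing at loopback is a redirect
            ip, name = m.groups()
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue
            if not addr.is_loopback:
                findings.append(Finding("hosts-hijack", f"{name} -> {ip}"))
            continue
        if POLICY_RE.match(line):  # Task Manager disabled by registry policy
            findings.append(Finding("policy", "Task Manager disabled (DisableTaskMgr = 1)"))
            continue
        if "[?]" in line and " --> " in line:  # registered driver whose file is missing
            findings.append(Finding("missing-driver-file", line.split(";")[0]))
            continue
        m = CREATED_RE.match(line)
        if m:  # 'Created Last 30' entry: date, size, attribute flags, path
            _, _, attrs, path = m.groups()
            is_dir = attrs[0] == "d"
            hidden = "h" in attrs
            basename = path.replace("\\", "/").rsplit("/", 1)[-1]
            if not is_dir and hidden and looks_random(basename):
                findings.append(Finding("hidden-random-file", path))
            continue
        m = STARTUP_RE.match(line)
        if m and m.group(1).lower().endswith(".exe"):  # bare .exe in Startup, not a .lnk
            findings.append(Finding("startup-exe", m.group(1)))
            continue
        if HOOK_RE.match(line):  # GMER 'detected hooks:' entry
            findings.append(Finding("kernel-hook", line))
            continue
        if line.startswith("Warning:"):  # GMER's own verdict line
            findings.append(Finding("rootkit-warning", line))
    return findings


# Excerpts of the DDS/GMER log pasted in the thread, plus one constructed
# loopback Hosts entry (127.0.0.1 localhost) to show the non-finding case.
SAMPLE_LOG = r"""
dPolicies-system: DisableTaskMgr = 1 (0x1)
Hosts: 94.63.147.16 Google
Hosts: 94.63.147.17 Bing
Hosts: 127.0.0.1 localhost
S3 c2qia.sys;c2qia.sys;\??\c:\windows\system32\drivers\c2qia.sys --> c:\windows\system32\drivers\c2qia.sys [?]
2012-03-05 03:18:46 140496 ---ha-w- c:\windows\system32\u3qZrJo
2012-03-01 17:46:20 1409 ----a-w- c:\windows\QTFont.for
2012-03-01 01:04:55 103616 ---ha-w- c:\documents and settings\admin\ggnVP23
2012-02-22 16:49:09 -------- d-----w- c:\documents and settings\admin\local settings\application data\Google
StartupFolder: c:\documents and settings\admin\start menu\programs\startup\patdccka.exe
detected hooks:
\Driver\atapi DriverStartIo -> 0x85ED32C6
Warning: possible TDL3 rootkit infection !
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:20s} {f.detail}")
```

Run against the full pasted log the script reports nine findings from the excerpt above; the hosts-file redirects are the ones to act on first, since they persist independently of any browser reinstall and fully account for "Gmail does not load in any browser".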
Old 03-11-2012, 04:20 PM   #8
Ried

Well done and kudos to you for your perseverance.

This machine has a lot going on so it will be a bit of a rough start, but once you get through the first round, things will improve tremendously. We'll do this in stages, and you must carry out the instructions in the order given.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

=====================================

Next, download TDSSKiller.exe and save it to your desktop
  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found, do NOT select Cure. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.
Old 03-12-2012, 05:00 PM   #9
TallBox

Hi Ried

I was unable to run ComboFix - the same problem as I stated in post #3 came up again and when I pressed the button, a box with green writing against a black background would come out and appeared to run through some code (like something from the Matrix), but nothing happened after that. I waited up to an hour and repeated this about 12 times. I right-clicked the icon, pressed 'Run as' then took the security settings off to see if that worked but it did not. Also, I tried opening it in Safe Mode, but the same problem as I stated in post #5 came up.

I was, however, able to run TDSSKiller and the log is below.

Thank you

- - - - - - - - - - - - - - - -

TDSSKiller
22:39:30.0109 3720 TDSS rootkit removing tool 2.7.20.0 Mar 9 2012 17:10:43
22:39:30.0406 3720 ============================================================
22:39:30.0406 3720 Current date / time: 2012/03/12 22:39:30.0406
22:39:30.0406 3720 SystemInfo:
22:39:30.0406 3720
22:39:30.0406 3720 OS Version: 5.1.2600 ServicePack: 2.0
22:39:30.0406 3720 Product type: Workstation
22:39:30.0406 3720 ComputerName: D82JB52J
22:39:30.0406 3720 UserName: Admin
22:39:30.0406 3720 Windows directory: C:\WINDOWS
22:39:30.0406 3720 System windows directory: C:\WINDOWS
22:39:30.0406 3720 Processor architecture: Intel x86
22:39:30.0406 3720 Number of processors: 1
22:39:30.0406 3720 Page size: 0x1000
22:39:30.0406 3720 Boot type: Normal boot
22:39:30.0406 3720 ============================================================
22:39:32.0781 3720 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
22:39:32.0812 3720 Drive \Device\Harddisk1\DR4 - Size: 0x1EB00000 (0.48 Gb), SectorSize: 0x200, Cylinders: 0x3E, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
22:39:32.0812 3720 \Device\Harddisk0\DR0:
22:39:32.0812 3720 MBR used
22:39:32.0812 3720 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x139C5, BlocksNum 0x8EE9870
22:39:32.0812 3720 \Device\Harddisk1\DR4:
22:39:32.0812 3720 MBR used
22:39:32.0812 3720 \Device\Harddisk1\DR4\Partition0: MBR, Type 0xE, StartLBA 0x20, BlocksNum 0xF57E0
22:39:33.0000 3720 Initialize success
22:39:33.0000 3720 ============================================================
22:40:35.0296 3788 ============================================================
22:40:35.0296 3788 Scan started
22:40:35.0296 3788 Mode: Manual;
22:40:35.0296 3788 ============================================================
22:40:35.0875 3788 Abiosdsk - ok
22:40:35.0968 3788 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
22:40:35.0968 3788 abp480n5 - ok
22:40:36.0046 3788 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:40:36.0046 3788 ACPI - ok
22:40:36.0109 3788 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
22:40:36.0109 3788 ACPIEC - ok
22:40:36.0156 3788 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
22:40:36.0156 3788 adpu160m - ok
22:40:36.0250 3788 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
22:40:36.0250 3788 aec - ok
22:40:36.0312 3788 AegisP (2f7f3e8da380325866e566f5d5ec23d5) C:\WINDOWS\system32\DRIVERS\AegisP.sys
22:40:36.0312 3788 AegisP - ok
22:40:36.0390 3788 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
22:40:36.0390 3788 AFD - ok
22:40:36.0421 3788 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
22:40:36.0421 3788 agp440 - ok
22:40:36.0437 3788 agpCPQ (67288b07d6aba6c1267b626e67bc56fd) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
22:40:36.0437 3788 agpCPQ - ok
22:40:36.0484 3788 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
22:40:36.0484 3788 Aha154x - ok
22:40:36.0500 3788 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
22:40:36.0500 3788 aic78u2 - ok
22:40:36.0531 3788 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
22:40:36.0531 3788 aic78xx - ok
22:40:36.0562 3788 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
22:40:36.0562 3788 AliIde - ok
22:40:36.0671 3788 alim1541 (f312b7cef21eff52fa23056b9d815fad) C:\WINDOWS\system32\DRIVERS\alim1541.sys
22:40:36.0671 3788 alim1541 - ok
22:40:36.0687 3788 amdagp (675c16a3c1f8482f85ee4a97fc0dde3d) C:\WINDOWS\system32\DRIVERS\amdagp.sys
22:40:36.0687 3788 amdagp - ok
22:40:36.0718 3788 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
22:40:36.0718 3788 amsint - ok
22:40:36.0796 3788 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
22:40:36.0796 3788 asc - ok
22:40:36.0812 3788 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
22:40:36.0812 3788 asc3350p - ok
22:40:36.0828 3788 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
22:40:36.0828 3788 asc3550 - ok
22:40:36.0906 3788 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
22:40:36.0906 3788 ASCTRM - ok
22:40:37.0062 3788 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
22:40:37.0078 3788 AsyncMac - ok
22:40:37.0109 3788 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
22:40:37.0109 3788 atapi - ok
22:40:37.0125 3788 Atdisk - ok
22:40:37.0156 3788 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
22:40:37.0187 3788 Atmarpc - ok
22:40:37.0250 3788 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
22:40:37.0250 3788 audstub - ok
22:40:37.0265 3788 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
22:40:37.0265 3788 Beep - ok
22:40:37.0296 3788 c2qia.sys - ok
22:40:37.0375 3788 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
22:40:37.0375 3788 cbidf - ok
22:40:37.0390 3788 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
22:40:37.0390 3788 cbidf2k - ok
22:40:37.0468 3788 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
22:40:37.0468 3788 CCDECODE - ok
22:40:37.0531 3788 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
22:40:37.0531 3788 cd20xrnt - ok
22:40:37.0609 3788 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
22:40:37.0609 3788 Cdaudio - ok
22:40:37.0625 3788 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
22:40:37.0625 3788 Cdfs - ok
22:40:37.0656 3788 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
22:40:37.0656 3788 Cdrom - ok
22:40:37.0671 3788 Changer - ok
22:40:37.0750 3788 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
22:40:37.0750 3788 CmdIde - ok
22:40:37.0781 3788 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
22:40:37.0781 3788 Cpqarray - ok
22:40:37.0812 3788 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
22:40:37.0812 3788 dac2w2k - ok
22:40:37.0843 3788 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
22:40:37.0843 3788 dac960nt - ok
22:40:37.0937 3788 DELL_A02 (8a87352d9fb9597511c34d0c8c0e7223) C:\WINDOWS\system32\DRIVERS\PRISMA02.sys
22:40:37.0953 3788 DELL_A02 - ok
22:40:37.0984 3788 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
22:40:37.0984 3788 Disk - ok
22:40:38.0046 3788 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
22:40:38.0078 3788 dmboot - ok
22:40:38.0125 3788 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
22:40:38.0125 3788 dmio - ok
22:40:38.0140 3788 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
22:40:38.0140 3788 dmload - ok
22:40:38.0343 3788 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
22:40:38.0343 3788 DMusic - ok
22:40:38.0421 3788 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
22:40:38.0421 3788 dpti2o - ok
22:40:38.0484 3788 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
22:40:38.0500 3788 drmkaud - ok
22:40:38.0531 3788 E100B (95974e66d3de4951d29e28e8bc0b644c) C:\WINDOWS\system32\DRIVERS\e100b325.sys
22:40:38.0531 3788 E100B - ok
22:40:38.0609 3788 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
22:40:38.0609 3788 Fastfat - ok
22:40:38.0640 3788 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
22:40:38.0640 3788 Fdc - ok
22:40:38.0687 3788 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
22:40:38.0687 3788 Fips - ok
22:40:38.0765 3788 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
22:40:38.0765 3788 Flpydisk - ok
22:40:38.0828 3788 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
22:40:38.0843 3788 FltMgr - ok
22:40:38.0859 3788 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
22:40:38.0859 3788 Fs_Rec - ok
22:40:38.0875 3788 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
22:40:38.0875 3788 Ftdisk - ok
22:40:38.0921 3788 GEARAspiWDM (4ac51459805264affd5f6fdfb9d9235f) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
22:40:38.0921 3788 GEARAspiWDM - ok
22:40:38.0968 3788 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
22:40:38.0968 3788 Gpc - ok
22:40:38.0984 3788 HDAudBus (e31363d186b3e1d7c4e9117884a6aee5) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
22:40:38.0984 3788 HDAudBus - ok
22:40:39.0015 3788 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
22:40:39.0015 3788 HidUsb - ok
22:40:39.0109 3788 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
22:40:39.0109 3788 hpn - ok
22:40:39.0234 3788 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
22:40:39.0250 3788 HTTP - ok
22:40:39.0281 3788 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys
22:40:39.0281 3788 i2omgmt - ok
22:40:39.0296 3788 i2omp (ed6bf9e441fdea13292a6d30a64a24c3) C:\WINDOWS\system32\DRIVERS\i2omp.sys
22:40:39.0296 3788 i2omp - ok
22:40:39.0328 3788 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
22:40:39.0328 3788 i8042prt - ok
22:40:39.0437 3788 ialm (5a8e05f1d5c36abd58cffa111eb325ea) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
22:40:39.0484 3788 ialm - ok
22:40:39.0515 3788 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
22:40:39.0515 3788 Imapi - ok
22:40:39.0609 3788 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
22:40:39.0609 3788 ini910u - ok
22:40:39.0750 3788 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
22:40:39.0750 3788 IntelIde - ok
22:40:39.0843 3788 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
22:40:39.0843 3788 intelppm - ok
22:40:39.0875 3788 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
22:40:39.0875 3788 Ip6Fw - ok
22:40:39.0953 3788 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
22:40:39.0953 3788 IpFilterDriver - ok
22:40:40.0031 3788 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
22:40:40.0031 3788 IpInIp - ok
22:40:40.0109 3788 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
22:40:40.0109 3788 IpNat - ok
22:40:40.0187 3788 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
22:40:40.0187 3788 IPSec - ok
22:40:40.0203 3788 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
22:40:40.0203 3788 IRENUM - ok
22:40:40.0281 3788 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys
22:40:40.0281 3788 irsir - ok
22:40:40.0296 3788 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
22:40:40.0296 3788 isapnp - ok
22:40:40.0328 3788 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
22:40:40.0328 3788 Kbdclass - ok
22:40:40.0406 3788 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
22:40:40.0406 3788 kbdhid - ok
22:40:40.0484 3788 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
22:40:40.0484 3788 kmixer - ok
22:40:40.0562 3788 KSecDD (1be7cc2535d760ae4d481576eb789f24) C:\WINDOWS\system32\drivers\KSecDD.sys
22:40:40.0562 3788 KSecDD - ok
22:40:40.0593 3788 lbrtfdc - ok
22:40:40.0656 3788 map730u (62c3e0f7d3d35aa2c4b02c65e032f7da) C:\WINDOWS\system32\Drivers\map730u.sys
22:40:40.0656 3788 map730u - ok
22:40:40.0718 3788 MaVctrl (1b467fb39d6ee0e7f1970eee5fc07121) C:\WINDOWS\system32\DRIVERS\MaVc2K.sys
22:40:40.0718 3788 MaVctrl - ok
22:40:40.0859 3788 Micorsoft Windows Service - ok
22:40:40.0875 3788 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
22:40:40.0875 3788 mnmdd - ok
22:40:40.0906 3788 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
22:40:40.0906 3788 Modem - ok
22:40:40.0937 3788 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
22:40:40.0953 3788 Mouclass - ok
22:40:41.0000 3788 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
22:40:41.0000 3788 mouhid - ok
22:40:41.0015 3788 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
22:40:41.0015 3788 MountMgr - ok
22:40:41.0109 3788 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
22:40:41.0109 3788 mraid35x - ok
22:40:41.0187 3788 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
22:40:41.0203 3788 MRxDAV - ok
22:40:41.0281 3788 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
22:40:41.0296 3788 MRxSmb - ok
22:40:41.0375 3788 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
22:40:41.0375 3788 Msfs - ok
22:40:41.0437 3788 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
22:40:41.0437 3788 MSKSSRV - ok
22:40:41.0515 3788 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
22:40:41.0515 3788 MSPCLOCK - ok
22:40:41.0593 3788 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
22:40:41.0593 3788 MSPQM - ok
22:40:41.0625 3788 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
22:40:41.0625 3788 mssmbios - ok
22:40:41.0703 3788 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
22:40:41.0703 3788 MSTEE - ok
22:40:41.0718 3788 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
22:40:41.0718 3788 Mup - ok
22:40:41.0734 3788 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
22:40:41.0750 3788 NABTSFEC - ok
22:40:41.0796 3788 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
22:40:41.0796 3788 NDIS - ok
22:40:41.0828 3788 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
22:40:41.0828 3788 NdisIP - ok
22:40:41.0875 3788 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
22:40:41.0875 3788 NdisTapi - ok
22:40:41.0890 3788 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
22:40:41.0890 3788 Ndisuio - ok
22:40:41.0906 3788 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
22:40:41.0906 3788 NdisWan - ok
22:40:41.0921 3788 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
22:40:41.0937 3788 NDProxy - ok
22:40:41.0953 3788 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
22:40:41.0953 3788 NetBIOS - ok
22:40:41.0984 3788 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
22:40:41.0984 3788 NetBT - ok
22:40:42.0078 3788 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
22:40:42.0078 3788 Npfs - ok
22:40:42.0171 3788 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
22:40:42.0187 3788 Ntfs - ok
22:40:42.0218 3788 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
22:40:42.0218 3788 Null - ok
22:40:42.0312 3788 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
22:40:42.0375 3788 nv - ok
22:40:42.0421 3788 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
22:40:42.0421 3788 NwlnkFlt - ok
22:40:42.0453 3788 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
22:40:42.0453 3788 NwlnkFwd - ok
22:40:42.0531 3788 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
22:40:42.0531 3788 Parport - ok
22:40:42.0593 3788 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
22:40:42.0593 3788 PartMgr - ok
22:40:42.0625 3788 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
22:40:42.0625 3788 ParVdm - ok
22:40:42.0625 3788 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
22:40:42.0625 3788 PCI - ok
22:40:42.0640 3788 PCIDump - ok
22:40:42.0687 3788 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
22:40:42.0687 3788 PCIIde - ok
22:40:42.0734 3788 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
22:40:42.0734 3788 Pcmcia - ok
22:40:42.0750 3788 PDCOMP - ok
22:40:42.0765 3788 PDFRAME - ok
22:40:42.0781 3788 PDRELI - ok
22:40:42.0796 3788 PDRFRAME - ok
22:40:42.0828 3788 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
22:40:42.0828 3788 perc2 - ok
22:40:42.0890 3788 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
22:40:42.0890 3788 perc2hib - ok
22:40:42.0953 3788 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
22:40:42.0953 3788 PptpMiniport - ok
22:40:42.0984 3788 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
22:40:42.0984 3788 PSched - ok
22:40:43.0000 3788 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
22:40:43.0000 3788 Ptilink - ok
22:40:43.0078 3788 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
22:40:43.0078 3788 PxHelp20 - ok
22:40:43.0156 3788 QCMerced (d8ec7e2fbf3b8d66ff8f435338be41fe) C:\WINDOWS\system32\DRIVERS\LVCM.sys
22:40:43.0171 3788 QCMerced - ok
22:40:43.0234 3788 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
22:40:43.0234 3788 ql1080 - ok
22:40:43.0296 3788 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
22:40:43.0296 3788 Ql10wnt - ok
22:40:43.0328 3788 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
22:40:43.0328 3788 ql12160 - ok
22:40:43.0406 3788 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
22:40:43.0406 3788 ql1240 - ok
22:40:43.0437 3788 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
22:40:43.0437 3788 ql1280 - ok
22:40:43.0484 3788 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
22:40:43.0484 3788 RasAcd - ok
22:40:43.0546 3788 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
22:40:43.0546 3788 Rasirda - ok
22:40:43.0593 3788 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
22:40:43.0593 3788 Rasl2tp - ok
22:40:43.0625 3788 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
22:40:43.0625 3788 RasPppoe - ok
22:40:43.0640 3788 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
22:40:43.0640 3788 Raspti - ok
22:40:43.0718 3788 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
22:40:43.0718 3788 Rdbss - ok
22:40:43.0734 3788 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
22:40:43.0734 3788 RDPCDD - ok
22:40:43.0781 3788 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
22:40:43.0796 3788 rdpdr - ok
22:40:43.0843 3788 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
22:40:43.0843 3788 RDPWD - ok
22:40:43.0906 3788 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
22:40:43.0906 3788 redbook - ok
22:40:44.0000 3788 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
22:40:44.0000 3788 Secdrv - ok
22:40:44.0031 3788 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
22:40:44.0031 3788 serenum - ok
22:40:44.0062 3788 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
22:40:44.0062 3788 Serial - ok
22:40:44.0078 3788 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
22:40:44.0078 3788 Sfloppy - ok
22:40:44.0109 3788 Simbad - ok
22:40:44.0140 3788 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys
22:40:44.0140 3788 sisagp - ok
22:40:44.0234 3788 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
22:40:44.0234 3788 SLIP - ok
22:40:44.0296 3788 SNTNLUSB (a1ff7d99b199cea1f3df371ba70d2780) C:\WINDOWS\system32\DRIVERS\SNTNLUSB.SYS
22:40:44.0296 3788 SNTNLUSB - ok
22:40:44.0359 3788 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
22:40:44.0359 3788 SONYPVU1 - ok
22:40:44.0437 3788 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
22:40:44.0437 3788 Sparrow - ok
22:40:44.0515 3788 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
22:40:44.0515 3788 splitter - ok
22:40:44.0625 3788 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
22:40:44.0625 3788 sr - ok
22:40:44.0718 3788 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
22:40:44.0734 3788 Srv - ok
22:40:44.0828 3788 STHDA (2a2dc39623adef8ab3703ab9fac4b440) C:\WINDOWS\system32\drivers\sthda.sys
22:40:44.0828 3788 STHDA - ok
22:40:44.0906 3788 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
22:40:44.0906 3788 StillCam - ok
22:40:44.0953 3788 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
22:40:44.0953 3788 streamip - ok
22:40:45.0000 3788 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
22:40:45.0000 3788 swenum - ok
22:40:45.0015 3788 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
22:40:45.0031 3788 swmidi - ok
22:40:45.0078 3788 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
22:40:45.0078 3788 symc810 - ok
22:40:45.0109 3788 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
22:40:45.0109 3788 symc8xx - ok
22:40:45.0125 3788 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
22:40:45.0140 3788 sym_hi - ok
22:40:45.0171 3788 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
22:40:45.0171 3788 sym_u3 - ok
22:40:45.0234 3788 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
22:40:45.0234 3788 sysaudio - ok
22:40:45.0359 3788 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
22:40:45.0359 3788 Tcpip - ok
22:40:45.0421 3788 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
22:40:45.0421 3788 TDPIPE - ok
22:40:45.0437 3788 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
22:40:45.0437 3788 TDTCP - ok
22:40:45.0484 3788 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
22:40:45.0484 3788 TermDD - ok
22:40:45.0546 3788 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
22:40:45.0546 3788 TosIde - ok
22:40:45.0609 3788 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
22:40:45.0609 3788 Udfs - ok
22:40:45.0656 3788 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
22:40:45.0656 3788 ultra - ok
22:40:45.0781 3788 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
22:40:45.0796 3788 Update - ok
22:40:45.0875 3788 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
22:40:45.0875 3788 usbaudio - ok
22:40:45.0937 3788 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
22:40:45.0937 3788 usbccgp - ok
22:40:45.0953 3788 usbehci (708579b01fed227aadb393cb0c3b4a2c) C:\WINDOWS\system32\DRIVERS\usbehci.sys
22:40:45.0953 3788 usbehci - ok
22:40:45.0984 3788 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
22:40:45.0984 3788 usbhub - ok
22:40:46.0046 3788 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
22:40:46.0046 3788 usbprint - ok
22:40:46.0093 3788 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
22:40:46.0093 3788 usbscan - ok
22:40:46.0156 3788 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
22:40:46.0171 3788 USBSTOR - ok
22:40:46.0187 3788 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
22:40:46.0187 3788 usbuhci - ok
22:40:46.0203 3788 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
22:40:46.0203 3788 VgaSave - ok
22:40:46.0265 3788 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys
22:40:46.0265 3788 viaagp - ok
22:40:46.0281 3788 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
22:40:46.0281 3788 ViaIde - ok
22:40:46.0343 3788 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
22:40:46.0343 3788 VolSnap - ok
22:40:46.0421 3788 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
22:40:46.0421 3788 Wanarp - ok
22:40:46.0468 3788 wanatw - ok
22:40:46.0484 3788 WDICA - ok
22:40:46.0546 3788 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
22:40:46.0546 3788 wdmaud - ok
22:40:46.0718 3788 WpdUsb (c1b3d9d75c3fb735f5fa3a5806aded57) C:\WINDOWS\system32\Drivers\wpdusb.sys
22:40:46.0718 3788 WpdUsb - ok
22:40:46.0781 3788 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
22:40:46.0781 3788 WS2IFSL - ok
22:40:46.0828 3788 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
22:40:46.0828 3788 WSTCODEC - ok
22:40:46.0875 3788 MBR (0x1B8) (4bc21aabb8ea83c34000756722b7398b) \Device\Harddisk0\DR0
22:40:46.0921 3788 \Device\Harddisk0\DR0 ( Backdoor.Win32.Sinowal.knf ) - infected
22:40:46.0921 3788 \Device\Harddisk0\DR0 - detected Backdoor.Win32.Sinowal.knf (0)
22:40:46.0937 3788 MBR (0x1B8) (671b81004fdd1588fa9ed1331c9ceca9) \Device\Harddisk1\DR4
22:41:03.0234 3788 \Device\Harddisk1\DR4 - ok
22:41:03.0250 3788 Boot (0x1200) (25e4ee2e5313f7930cbe213ceb8d755e) \Device\Harddisk0\DR0\Partition0
22:41:03.0250 3788 \Device\Harddisk0\DR0\Partition0 - ok
22:41:03.0250 3788 Boot (0x1200) (dae654a4662b25137f6c9fe2f506dafc) \Device\Harddisk1\DR4\Partition0
22:41:03.0250 3788 \Device\Harddisk1\DR4\Partition0 - ok
22:41:03.0265 3788 ============================================================
22:41:03.0265 3788 Scan finished
22:41:03.0265 3788 ============================================================
22:41:03.0281 3400 Detected object count: 1
22:41:03.0281 3400 Actual detected object count: 1
22:41:12.0421 3400 \Device\Harddisk0\DR0 ( Backdoor.Win32.Sinowal.knf ) - skipped by user
22:41:12.0421 3400 \Device\Harddisk0\DR0 ( Backdoor.Win32.Sinowal.knf ) - User select action: Skip
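The TDSSKiller log posted above is several hundred lines long, and the part that matters (an MBR sector flagged as Backdoor.Win32.Sinowal.knf, with the user choosing Skip) sits at the very end. The following is an added example, not part of the thread and not Kaspersky's own tooling: a small Python parser for that log layout that buckets hashed drivers, MBR/boot-sector hashes, per-object verdicts, the reported detection count and the user's chosen action, and then lists detections that were left unremediated. It assumes only the line formats visible in the log; the embedded sample lines are copied from the thread's log so the parser can be run offline.

```python
"""Triage helper for TDSSKiller-style scan logs (added example, not the tool's own code).

Assumed line layouts, taken from the log quoted in the thread:
    HH:MM:SS.ffff <pid> <name> (<md5>) <path>
    HH:MM:SS.ffff <pid> MBR|Boot (<size>) (<md5>) <device>
    HH:MM:SS.ffff <pid> <object> - ok
    HH:MM:SS.ffff <pid> <object> ( <verdict> ) - infected
    HH:MM:SS.ffff <pid> <object> ( <verdict> ) - User select action: <action>
    HH:MM:SS.ffff <pid> Detected object count: <n>
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the tail of the log posted in this thread, copied verbatim.
SAMPLE_LOG = r"""
22:40:46.0828 3788 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
22:40:46.0828 3788 WSTCODEC - ok
22:40:46.0875 3788 MBR (0x1B8) (4bc21aabb8ea83c34000756722b7398b) \Device\Harddisk0\DR0
22:40:46.0921 3788 \Device\Harddisk0\DR0 ( Backdoor.Win32.Sinowal.knf ) - infected
22:40:46.0921 3788 \Device\Harddisk0\DR0 - detected Backdoor.Win32.Sinowal.knf (0)
22:40:46.0937 3788 MBR (0x1B8) (671b81004fdd1588fa9ed1331c9ceca9) \Device\Harddisk1\DR4
22:41:03.0234 3788 \Device\Harddisk1\DR4 - ok
22:41:03.0250 3788 Boot (0x1200) (25e4ee2e5313f7930cbe213ceb8d755e) \Device\Harddisk0\DR0\Partition0
22:41:03.0250 3788 \Device\Harddisk0\DR0\Partition0 - ok
22:41:03.0281 3400 Detected object count: 1
22:41:12.0421 3400 \Device\Harddisk0\DR0 ( Backdoor.Win32.Sinowal.knf ) - User select action: Skip
"""

LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+(?P<body>.*\S)\s*$")
SECTOR_RE = re.compile(r"^(?P<kind>MBR|Boot) \((?P<size>0x[0-9A-Fa-f]+)\) \((?P<md5>[0-9a-f]{32})\) (?P<device>\S+)$")
FILE_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
INFECTED_RE = re.compile(r"^(?P<obj>\S+) \( (?P<verdict>[^)]+?) \) - infected$")
ACTION_RE = re.compile(r"^(?P<obj>\S+) \( (?P<verdict>[^)]+?) \) - User select action: (?P<action>\S+)$")
OK_RE = re.compile(r"^(?P<obj>\S+) - ok$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")


@dataclass
class ScanSummary:
    files: Dict[str, Tuple[str, str]] = field(default_factory=dict)    # driver -> (md5, path)
    sectors: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # device -> (kind, md5)
    clean: Set[str] = field(default_factory=set)
    infected: Dict[str, str] = field(default_factory=dict)             # object -> verdict
    actions: Dict[str, str] = field(default_factory=dict)              # object -> user action
    reported_count: Optional[int] = None
    unparsed: List[str] = field(default_factory=list)


def parse_log(text: str) -> ScanSummary:
    """Walk the log once and bucket every recognised line; sector lines are tried first
    because a generic hash line would also match them."""
    s = ScanSummary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            if raw.strip():
                s.unparsed.append(raw)
            continue
        body = m.group("body")
        for regex, handler in (
            (SECTOR_RE, lambda r: s.sectors.__setitem__(r["device"], (r["kind"], r["md5"]))),
            (FILE_RE, lambda r: s.files.__setitem__(r["name"], (r["md5"], r["path"]))),
            (INFECTED_RE, lambda r: s.infected.__setitem__(r["obj"], r["verdict"])),
            (ACTION_RE, lambda r: s.actions.__setitem__(r["obj"], r["action"])),
            (OK_RE, lambda r: s.clean.add(r["obj"])),
            (COUNT_RE, lambda r: setattr(s, "reported_count", int(r["n"]))),
        ):
            r = regex.match(body)
            if r:
                handler(r)
                break
        # "- detected ..." restates the infected line and is deliberately ignored.
    return s


def sector_status(s: ScanSummary) -> Dict[str, str]:
    """Verdict for every MBR/boot sector the scanner hashed."""
    return {dev: ("infected: " + s.infected[dev]) if dev in s.infected
            else ("ok" if dev in s.clean else "no verdict")
            for dev in s.sectors}


def unresolved(s: ScanSummary) -> List[Tuple[str, str, str]]:
    """Detections the user did not let the tool remediate (no action, or Skip)."""
    return [(obj, verdict, s.actions.get(obj, "none"))
            for obj, verdict in s.infected.items()
            if s.actions.get(obj, "none").lower() not in ("cure", "delete", "quarantine")]


def count_matches(s: ScanSummary) -> bool:
    """True when the tool's own detection count agrees with the infected lines parsed."""
    return s.reported_count is not None and s.reported_count == len(s.infected)


if __name__ == "__main__":
    summary = parse_log(SAMPLE_LOG)
    for dev, status in sector_status(summary).items():
        print(f"{dev}: {status}")
    for obj, verdict, action in unresolved(summary):
        print(f"UNRESOLVED {obj} ({verdict}) user action={action}")
    print("count consistent:", count_matches(summary))
```

Run against the full pasted log, the report collapses a few hundred driver lines into the three sector verdicts and one unresolved MBR detection, which is exactly the state the next reply in the thread has to act on.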
Old 03-12-2012, 07:23 PM   #10
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,358
OS: WinXP Home, Vista, Windows 7 64bit



I would feel much more comfortable allowing TDSSKiller to cure if we had the Recovery Console pre-installed via ComboFix, but since you are unable to run ComboFix, we'll continue.

In the event the machine won't boot after allowing TDSSKiller to fix the MBR infection, you'll need a blank CD disk and access to a CD burner. I'll provide instructions when and if the time comes.

For now, run TDSSKiller again and allow it to Cure the infection.

Reboot when prompted.

Immediately after reboot, disable your antivirus program and run ComboFix.exe. Follow all prompts and post the C:\ComboFix.txt when it has completed.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 03-16-2012, 07:13 PM   #11
Registered Member
 
Join Date: Mar 2012
Posts: 6
OS: XP



Hi Ried

Sorry for the late reply, I have been trying repeatedly each night to follow your instructions but unfortunately it does not seem to be working.

I understand your concerns about not having run Combofix first, so I once again tried clicking and waiting... clicking and waiting... but it still did not work.

Anyway, then I got to the instructions in your last post and attempted to run TDSSkiller and the offending item (as shown in pic 1) and pressed 'cure'.

After a minute or so, nothing had happened (as shown in pic 2). After 5 minutes, 15 minutes, 30 minutes and then an hour, nothing had happened, so I switched off my computer (from the power button) each time. Just to be super sure, I tried once more before bed and left it to run overnight and came back to find the following progress had been made (as shown in pic 3).

Frustrated, I restarted the computer in the morning and as it started up noticed that the Windows Update icon in the bottom right was going crazy (as shown by pic 5 - I deleted pic 4, it's the same thing).

Symptoms - I should add that the computer has gotten a lot slower and is almost totally unresponsive to internet browsing now. When I press Alt+Ctrl+Del to get the task manager, it appears momentarily, then disappears, so it is very difficult to find out what processes are causing memory usage.

Attached thumbnails (images not reproduced): 1.jpg, 2.jpg, 3.jpg, 5.jpg
Old 03-24-2012, 08:07 PM   #12
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,358
OS: WinXP Home, Vista, Windows 7 64bit



Do you have access to a blank CD and CD burner?

Copyright 2001 - 2014, Tech Support Forum