Clean Master Boot Record With Recovery Disc

July 1, 2011 at 03:55:16
Specs: Windows 7, 2 GB RAM
Hi

I bought a second-hand laptop (Dell Inspiron 6400) with Win 7 on it. The guy did not give me the Win 7 disc but said it was a legit copy (which I believe it is... he was a sort of honest-looking guy). He gave me a recovery disc which he said would restore the computer to its clean state just after Win 7 was installed.

I think I have a virus, as the computer is working really slow, and I found a process called csrss.exe running which I know could not be good.

To cut a long story short, I thought about sticking the recovery disk in and taking it back to point 0, but I read today on the BBC about viruses which hide in boot record files which are used for starting up. Would a recovery disk reset sort out this possibility too, or do I have to do a clean install, i.e. buy Windows 7 and re-install the whole OS after reformatting?

The OS and programs are on C and the data on the D partition... according to his instructions the recovery disk will not touch data on D, only C.

Any advice is most welcome.

Thanks
Steve





#1
July 1, 2011 at 19:54:05
laylos,

Let's see if a RootKit is detected in the system, and check on the Master Boot Record:

Please download GMER:
http://gmer.net/download.php
[Downloads a randomly named file. (Recommended)]

Disconnect from the Internet and close all running programs.

Temporarily disable any real-time active protection so your security programs do not conflict with gmer's driver. Info:
http://www.bleepingcomputer.com/for...

Right-click on the randomly named GMER file (i.e. n7gmo46c.exe) and select: Run as Administrator

Allow the gmer.sys driver to load...

GMER opens to the Rootkit/Malware tab and performs an automatic quick scan when first run. (Please do not use the computer while the scan is in progress.)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO

Now, click the >Scan< button.
If you see a rootkit warning window, click OK.

When the scan finishes, click the 'Save...' button to save the scan results to your Desktop.
Save the file as >gmer.log<

>>Click the Copy button and Paste the results of the GMER log in your reply.<<

Note: Please, do not take action on any of the information on the GMER report!!

If you encounter any problems, try running GMER in Safe Mode:
http://www.computerhope.com/issues/...

If GMER crashes or keeps resulting in BSODs, uncheck 'Devices' (on the right side) before scanning.


Now, download aswMBR:
http://public.avast.com/~gmerek/asw...
Save to your Desktop.

Right-click the aswMBR.exe icon, and select: Run as Administrator

Click the Scan button

Upon completion of the scan, click the Save Log button

>>Save the aswMBR log to your Desktop, and post it in your reply.<<

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#2
July 3, 2011 at 08:52:03
Hi aaflac

Many thanks for your help

I restored the PC to the earlier image given to me by the guy I bought the laptop off.

These are the logs from the restored pc as it is now.

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-03 12:27:38
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK1637GSX rev.DL040D
Running: ut6ff7ng.exe; Driver: D:\Users\Dell\AppData\Local\Temp\kfliypod.sys


---- System - GMER 1.0.15 ----

SSDT 8D5F0D16 ZwCreateSection
SSDT 8D5F0D1B ZwSetContextThread
SSDT 8D5F0CB7 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82860569 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82885092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 340 8288C950 4 Bytes [16, 0D, 5F, 8D]
.text ntkrnlpa.exe!RtlSidHashLookup + 6E0 8288CCF0 4 Bytes [1B, 0D, 5F, 8D]
.text ntkrnlpa.exe!RtlSidHashLookup + 7B8 8288CDC8 4 Bytes [B7, 0C, 5F, 8D]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000046 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001c26f2e609
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001c26f2e609 (not active ControlSet)

---- EOF - GMER 1.0.15 ----

aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-07-03 13:13:31
-----------------------------
13:13:31.606 OS Version: Windows 6.1.7600
13:13:31.606 Number of processors: 2 586 0xF02
13:13:31.606 ComputerName: DELL-6400 UserName: Dell
13:13:38.611 Initialize success
13:13:43.993 AVAST engine defs: 11070300
13:13:51.184 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
13:13:51.184 Disk 0 Vendor: TOSHIBA_MK1637GSX DL040D Size: 152627MB BusType: 3
13:13:53.212 Disk 0 MBR read successfully
13:13:53.228 Disk 0 MBR scan
13:13:53.228 Disk 0 unknown MBR code
13:13:55.240 Disk 0 scanning sectors +312576705
13:13:55.256 Disk 0 scanning C:\Windows\system32\drivers
13:14:03.181 Service scanning
13:14:05.724 Disk 0 trace - called modules:
13:14:05.755 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
13:14:05.770 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85619530]
13:14:05.786 3 CLASSPNP.SYS[889aa59e] -> nt!IofCallDriver -> [0x85187918]
13:14:05.786 5 ACPI.sys[884af3b2] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x8489e610]
13:14:06.862 AVAST engine scan C:\Windows
13:33:32.418 AVAST engine scan D:\Users\Dell
14:05:45.257 AVAST engine scan C:\ProgramData
14:05:50.327 Scan finished successfully
14:12:54.601 Disk 0 MBR has been saved successfully to "D:\Users\Dell\Documents\Steve\MBR.dat"
14:12:54.617 The log file has been saved successfully to "D:\Users\Dell\Documents\Steve\aswMBR.txt"


I would be grateful if you could let me know if you find anything.

Thanks
Steve
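To make a GMER log like the one above easier to triage, here is an added parser (example code, not from GMER or from anyone in this thread). It pulls out the SSDT hooks, the kernel code patches and the attached filter drivers, and checks whether each 4-byte patch is simply the hooked service-table slot written little-endian; the sample text is the quoted log plus one constructed non-Microsoft device line (example.sys) so the vendor filter has something to flag.

```python
import re

# Sample input: the GMER sections quoted in the thread above, plus one constructed
# AttachedDevice line (example.sys) so the non-Microsoft filter has something to flag.
GMER_SAMPLE = r"""
---- System - GMER 1.0.15 ----

SSDT 8D5F0D16 ZwCreateSection
SSDT 8D5F0D1B ZwSetContextThread
SSDT 8D5F0CB7 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82860569 1 Byte [06]
.text ntkrnlpa.exe!RtlSidHashLookup + 340 8288C950 4 Bytes [16, 0D, 5F, 8D]
.text ntkrnlpa.exe!RtlSidHashLookup + 6E0 8288CCF0 4 Bytes [1B, 0D, 5F, 8D]
.text ntkrnlpa.exe!RtlSidHashLookup + 7B8 8288CDC8 4 Bytes [B7, 0C, 5F, 8D]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 example.sys (Example Filter/Example Vendor Ltd)

---- EOF - GMER 1.0.15 ----
"""

SSDT_RE = re.compile(r"^SSDT\s+(?P<address>[0-9A-Fa-f]+)\s+(?P<function>\S+)")
PATCH_RE = re.compile(
    r"^\.text\s+(?P<module>[^!\s]+)!(?P<symbol>\S+)\s+\+\s+(?P<offset>[0-9A-Fa-f]+)"
    r"\s+(?P<address>[0-9A-Fa-f]+)\s+(?P<count>\d+)\s+Bytes?\s+\[(?P<bytes>[^\]]*)\]"
)
DEVICE_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.+)\)\s*$")
HEX_BYTE_RE = re.compile(r"[0-9A-Fa-f]{2}")


def parse_gmer(text):
    """Split a GMER log into SSDT hooks, kernel code patches and attached devices."""
    report = {"ssdt": [], "patches": [], "devices": []}
    for line in text.splitlines():
        line = line.strip()
        m = SSDT_RE.match(line)
        if m:
            report["ssdt"].append({"address": int(m["address"], 16),
                                   "function": m["function"]})
            continue
        m = PATCH_RE.match(line)
        if m:
            # GMER truncates long byte lists with "...", so keep only real hex pairs.
            raw = [b.strip() for b in m["bytes"].split(",")]
            patch = bytes(int(b, 16) for b in raw if HEX_BYTE_RE.fullmatch(b))
            report["patches"].append({"module": m["module"], "symbol": m["symbol"],
                                      "offset": int(m["offset"], 16),
                                      "address": int(m["address"], 16),
                                      "count": int(m["count"]), "bytes": patch})
            continue
        m = DEVICE_RE.match(line)
        if m:
            description, _, vendor = m.group(4).rpartition("/")
            report["devices"].append({"driver": m.group(1), "device": m.group(2),
                                      "file": m.group(3), "description": description,
                                      "vendor": vendor})
    return report


def correlate_ssdt_patches(report):
    """Return (patched location, hooked service) pairs for every 4-byte kernel patch
    whose little-endian value is an SSDT hook address. Such a patch is the modified
    service-table slot itself, so it explains the SSDT line rather than being a
    second, independent hook."""
    hooks = {h["address"]: h["function"] for h in report["ssdt"]}
    pairs = []
    for p in report["patches"]:
        if len(p["bytes"]) == 4:
            value = int.from_bytes(p["bytes"], "little")
            if value in hooks:
                pairs.append((f"{p['symbol']}+{p['offset']:X}", hooks[value]))
    return pairs


def unexplained_patches(report):
    """Kernel code patches that are not SSDT slots; these need a manual look."""
    explained = {loc for loc, _ in correlate_ssdt_patches(report)}
    return [p for p in report["patches"]
            if f"{p['symbol']}+{p['offset']:X}" not in explained]


def non_microsoft_devices(report):
    """Filter drivers attached to devices whose vendor string is not Microsoft's.
    Third-party security software legitimately shows up here, so match each file
    against what is known to be installed before treating it as suspicious."""
    return [d for d in report["devices"] if d["vendor"] != "Microsoft Corporation"]


if __name__ == "__main__":
    r = parse_gmer(GMER_SAMPLE)
    for loc, fn in correlate_ssdt_patches(r):
        print(f"SSDT slot {loc} -> hook on {fn}")
    for p in unexplained_patches(r):
        print(f"unexplained patch: {p['module']}!{p['symbol']}+{p['offset']:X} "
              f"({p['count']} byte(s): {p['bytes'].hex(' ')})")
    for d in non_microsoft_devices(r):
        print(f"non-Microsoft filter: {d['file']} on {d['device']} ({d['vendor']})")
```

On the quoted log the three RtlSidHashLookup patches decode to exactly the three SSDT hook addresses, leaving only the 1-byte ZwSaveKeyEx patch to examine by hand; SSDT hooks are also installed by antivirus products, so the next step is to match them against the security software on the machine rather than assume a rootkit.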



#3
July 3, 2011 at 13:34:47
You have a Dell with Windows 7 Enterprise installed. Its MBR may be unique to Dell.

Do the following to cross check:

Please download TDSSKiller
Windows 7:
http://www.windows7download.com/win...
Go to: Download TDSSKiller 2.5.0.0

Save it to the Desktop.
Be sure to temporarily disable all AntiVirus/AntiSpyware software, while these steps are being completed, to keep these programs from interfering with the repairs.
This can normally be done by right clicking the software's Taskbar icon, or accessing each software through Start - Programs.
Some tips if needed:
http://www.bleepingcomputer.com/for...

Vista/Windows 7 users, right-click the file, and select: Run As Administrator

Click the 'Start Scan' button.

Do not use the computer during the scan

If the scan completes with nothing found, click Close to exit.

When the scan finishes it displays a Scan results screen stating whether or not an infection was found on your computer.

To remove the infection, click on the Continue button.
If it does not say Cure on the results screen, leave it at the default action of Skip, and press the Continue button.

Do not change to Delete or Quarantine as it may delete infected files that are required for Windows to operate properly.

Reboot to finish the cleaning process.

A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) is created and saved to the root directory (usually Local Disk C:).

>>Please provide the contents of TDSSKiller in your reply.<<

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
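The "unknown MBR code" line in the aswMBR log and the note that a Dell MBR may be vendor-specific both come down to inspecting the sector itself. This is an added example (not aswMBR's code nor anything posted in the thread) that decodes a saved 512-byte MBR dump such as the MBR.dat aswMBR wrote, hashes the bootstrap code so two dumps (for instance one taken before and one after the recovery disc is used) can be compared, and sanity-checks the partition table. The partition layout and boot bytes are constructed test data, not the real disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xAA"
# Partition-type bytes a Windows 7 laptop of this era is likely to show.
PARTITION_TYPES = {
    0x07: "NTFS/exFAT/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)",
    0x27: "Hidden NTFS (Windows recovery)", 0xDE: "Dell utility",
}

# Constructed sample layout (not the real disk from the thread): Dell utility
# partition, active C: (OS) and D: (data), all inside the ~150 GB disk in the log.
SAMPLE_PARTITIONS = [
    (False, 0xDE, 63, 160650),
    (True, 0x07, 160713, 60000000),
    (False, 0x07, 60160713, 252000000),
]
SAMPLE_BOOT_CODE = b"CONSTRUCTED-BOOTSTRAP-PLACEHOLDER".ljust(440, b"\x00")


def build_mbr(boot_code, partitions, disk_signature=0x1234ABCD):
    """Assemble a 512-byte MBR image for testing (constructed, not a real Dell MBR)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:440] = boot_code[:440].ljust(440, b"\x00")
    struct.pack_into("<I", sector, 440, disk_signature)     # Windows disk signature
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def is_valid_mbr(sector):
    return len(sector) == SECTOR_SIZE and sector[510:512] == BOOT_SIGNATURE


def parse_mbr(sector):
    """Decode the partition table and hash the bootstrap code of one 512-byte sector
    (e.g. the MBR.dat that aswMBR saves). Raises ValueError if it is not an MBR."""
    if not is_valid_mbr(sector):
        raise ValueError("not a 512-byte sector ending in the 55 AA boot signature")
    partitions, warnings = [], []
    for i in range(4):
        entry = sector[PART_TABLE_OFFSET + 16 * i: PART_TABLE_OFFSET + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue                                  # empty slot
        if status not in (0x00, 0x80):
            warnings.append(f"entry {i}: invalid status byte {status:#04x}")
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "type_name": PARTITION_TYPES.get(ptype, f"unknown ({ptype:#04x})"),
                           "lba_start": lba_start, "sectors": sectors,
                           "size_mb": sectors * SECTOR_SIZE // (1024 * 1024)})
    active = [p["index"] for p in partitions if p["bootable"]]
    if len(active) != 1:
        warnings.append(f"expected exactly one active partition, found {len(active)}")
    ordered = sorted(partitions, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            warnings.append(f"entries {a['index']} and {b['index']} overlap")
    return {
        # Bytes 0-439 are the bootstrap code a boot-sector rootkit would replace;
        # bytes 440-443 hold the Windows disk signature, which is data, not code.
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "partitions": partitions,
        "warnings": warnings,
    }


def boot_code_changed(before, after):
    """True if the bootstrap code differs between two MBR dumps, e.g. one saved
    before and one after running the recovery disc."""
    return parse_mbr(before)["boot_code_sha256"] != parse_mbr(after)["boot_code_sha256"]


def load_mbr(path):
    """Read the first sector of a saved dump such as MBR.dat."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


if __name__ == "__main__":
    mbr = build_mbr(SAMPLE_BOOT_CODE, SAMPLE_PARTITIONS)
    info = parse_mbr(mbr)
    print("boot code sha256:", info["boot_code_sha256"])
    for p in info["partitions"]:
        flag = "*" if p["bootable"] else " "
        print(f"{flag} #{p['index']} {p['type_name']:<32} start={p['lba_start']:>10} "
              f"size={p['size_mb']} MB")
    for w in info["warnings"]:
        print("warning:", w)
```

A matching boot-code hash between the dump taken now and one taken after a known-good reinstall is the evidence that settles the question in the opening post; a mismatch means the sector was rewritten and needs a closer look at which bytes differ.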




#4
July 3, 2011 at 21:21:38
Hi

Ran it but nothing found

2011/07/04 06:15:24.0523 3548 TDSS rootkit removing tool 2.5.8.0 Jun 28 2011 19:12:16
2011/07/04 06:15:24.0950 3548 ================================================================================
2011/07/04 06:15:24.0950 3548 SystemInfo:
2011/07/04 06:15:24.0950 3548
2011/07/04 06:15:24.0950 3548 OS Version: 6.1.7600 ServicePack: 0.0
2011/07/04 06:15:24.0950 3548 Product type: Workstation
2011/07/04 06:15:24.0950 3548 ComputerName: DELL-6400
2011/07/04 06:15:24.0951 3548 UserName: Dell
2011/07/04 06:15:24.0951 3548 Windows directory: C:\Windows
2011/07/04 06:15:24.0951 3548 System windows directory: C:\Windows
2011/07/04 06:15:24.0951 3548 Processor architecture: Intel x86
2011/07/04 06:15:24.0951 3548 Number of processors: 2
2011/07/04 06:15:24.0951 3548 Page size: 0x1000
2011/07/04 06:15:24.0951 3548 Boot type: Normal boot
2011/07/04 06:15:24.0951 3548 ================================================================================
2011/07/04 06:15:28.0649 3548 Initialize success
2011/07/04 06:15:32.0470 4084 ================================================================================
2011/07/04 06:15:32.0470 4084 Scan started
2011/07/04 06:15:32.0470 4084 Mode: Manual;
2011/07/04 06:15:32.0470 4084 ================================================================================
2011/07/04 06:16:07.0265 4084 STHDA (6a2a5e809c2c0178326d92b19ee4aad3) C:\Windows\system32\drivers\stwrt.sys
2011/07/04 06:16:07.0483 4084 storflt (957e346ca948668f2496a6ccf6ff82cc) C:\Windows\system32\DRIVERS\vmstorfl.sys
2011/07/04 06:16:07.0777 4084 storvsc (d5751969dc3e4b88bf482ac8ec9fe019) C:\Windows\system32\DRIVERS\storvsc.sys
2011/07/04 06:16:07.0836 4084 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\DRIVERS\swenum.sys
2011/07/04 06:16:07.0944 4084 SynTP (1f5192248a364d4ab68db063d18a2139) C:\Windows\system32\DRIVERS\SynTP.sys
2011/07/04 06:16:08.0065 4084 Tcpip (0158d5e9982e9d6a90dfc802f618e130) C:\Windows\system32\drivers\tcpip.sys
2011/07/04 06:16:08.0437 4084 TCPIP6 (0158d5e9982e9d6a90dfc802f618e130) C:\Windows\system32\DRIVERS\tcpip.sys
2011/07/04 06:16:08.0918 4084 tcpipreg (e64444523add154f86567c469bc0b17f) C:\Windows\system32\drivers\tcpipreg.sys
2011/07/04 06:16:09.0008 4084 TDPIPE (1875c1490d99e70e449e3afae9fcbadf) C:\Windows\system32\drivers\tdpipe.sys
2011/07/04 06:16:09.0065 4084 TDTCP (7551e91ea999ee9a8e9c331d5a9c31f3) C:\Windows\system32\drivers\tdtcp.sys
2011/07/04 06:16:09.0235 4084 tdx (cb39e896a2a83702d1737bfd402b3542) C:\Windows\system32\DRIVERS\tdx.sys
2011/07/04 06:16:09.0529 4084 TermDD (c36f41ee20e6999dbf4b0425963268a5) C:\Windows\system32\DRIVERS\termdd.sys
2011/07/04 06:16:09.0623 4084 tssecsrv (98ae6fa07d12cb4ec5cf4a9bfa5f4242) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/07/04 06:16:09.0695 4084 tunnel (3e461d890a97f9d4c168f5fda36e1d00) C:\Windows\system32\DRIVERS\tunnel.sys
2011/07/04 06:16:09.0768 4084 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
2011/07/04 06:16:09.0826 4084 udfs (09cc3e16f8e5ee7168e01cf8fcbe061a) C:\Windows\system32\DRIVERS\udfs.sys
2011/07/04 06:16:09.0887 4084 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\DRIVERS\uliagpkx.sys
2011/07/04 06:16:09.0944 4084 umbus (049b3a50b3d646baeeee9eec9b0668dc) C:\Windows\system32\DRIVERS\umbus.sys
2011/07/04 06:16:09.0982 4084 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
2011/07/04 06:16:10.0041 4084 usbccgp (8455c4ed038efd09e99327f9d2d48ffa) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/07/04 06:16:10.0137 4084 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\DRIVERS\usbcir.sys
2011/07/04 06:16:10.0198 4084 usbehci (1c333bfd60f2fed2c7ad5daf533cb742) C:\Windows\system32\DRIVERS\usbehci.sys
2011/07/04 06:16:10.0340 4084 usbhub (ee6ef93ccfa94fae8c6ab298273d8ae2) C:\Windows\system32\DRIVERS\usbhub.sys
2011/07/04 06:16:10.0425 4084 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\Windows\system32\DRIVERS\usbohci.sys
2011/07/04 06:16:10.0477 4084 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
2011/07/04 06:16:10.0544 4084 USBSTOR (d8889d56e0d27e57ed4591837fe71d27) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/07/04 06:16:10.0584 4084 usbuhci (78780c3ebce17405b1ccd07a3a8a7d72) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/07/04 06:16:10.0648 4084 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\DRIVERS\vdrvroot.sys
2011/07/04 06:16:10.0703 4084 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/07/04 06:16:10.0739 4084 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
2011/07/04 06:16:10.0774 4084 vhdmp (3be6e1f3a4f1afec8cee0d7883f93583) C:\Windows\system32\DRIVERS\vhdmp.sys
2011/07/04 06:16:10.0987 4084 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\DRIVERS\viaagp.sys
2011/07/04 06:16:11.0175 4084 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
2011/07/04 06:16:11.0213 4084 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\DRIVERS\viaide.sys
2011/07/04 06:16:11.0270 4084 vmbus (379b349f65f453d2a6e75ea6b7448e49) C:\Windows\system32\DRIVERS\vmbus.sys
2011/07/04 06:16:11.0298 4084 VMBusHID (ec2bbab4b84d0738c6c83d2234dc36fe) C:\Windows\system32\DRIVERS\VMBusHID.sys
2011/07/04 06:16:11.0356 4084 volmgr (384e5a2aa49934295171e499f86ba6f3) C:\Windows\system32\DRIVERS\volmgr.sys
2011/07/04 06:16:11.0512 4084 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
2011/07/04 06:16:11.0720 4084 volsnap (58df9d2481a56edde167e51b334d44fd) C:\Windows\system32\DRIVERS\volsnap.sys
2011/07/04 06:16:11.0855 4084 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
2011/07/04 06:16:11.0935 4084 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\System32\drivers\vwifibus.sys
2011/07/04 06:16:12.0009 4084 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
2011/07/04 06:16:12.0105 4084 WANARP (692a712062146e96d28ba0b7d75de31b) C:\Windows\system32\DRIVERS\wanarp.sys
2011/07/04 06:16:12.0130 4084 Wanarpv6 (692a712062146e96d28ba0b7d75de31b) C:\Windows\system32\DRIVERS\wanarp.sys
2011/07/04 06:16:12.0289 4084 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
2011/07/04 06:16:12.0369 4084 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
2011/07/04 06:16:12.0624 4084 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
2011/07/04 06:16:12.0674 4084 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
2011/07/04 06:16:12.0832 4084 winachsf (ba6b6fb242a6ba4068c8b763063beb63) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
2011/07/04 06:16:13.0121 4084 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2011/07/04 06:16:13.0254 4084 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/07/04 06:16:13.0668 4084 WudfPf (6f9b6c0c93232cff47d0f72d6db1d21e) C:\Windows\system32\drivers\WudfPf.sys
2011/07/04 06:16:14.0014 4084 WUDFRd (f91ff1e51fca30b3c3981db7d5924252) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/07/04 06:16:14.0296 4084 MBR (0x1B8) (e7d69fbcd87e8b5ad9d652d5ffe0af4c) \Device\Harddisk0\DR0
2011/07/04 06:16:14.0317 4084 Boot (0x1200) (9bf004827b5b11efdeb6f0fe26514be5) \Device\Harddisk0\DR0\Partition0
2011/07/04 06:16:14.0374 4084 Boot (0x1200) (48071bd5e77c818c53168be8d6897258) \Device\Harddisk0\DR0\Partition1
2011/07/04 06:16:14.0427 4084 Boot (0x1200) (36c132e5b2698a6ffd002d4e318fa68a) \Device\Harddisk0\DR0\Partition2
2011/07/04 06:16:14.0435 4084 ================================================================================
2011/07/04 06:16:14.0435 4084 Scan finished
2011/07/04 06:16:14.0435 4084 ================================================================================
2011/07/04 06:16:14.0465 2328 Detected object count: 0
2011/07/04 06:16:14.0465 2328 Actual detected object count: 0
2011/07/04 06:16:25.0440 3080 Deinitialize success


I still have a process running called csrss.exe in Task Manager. Do you know what this is? It seems like it could be a legit Windows process or a trojan. How can I tell, or do you think everything is OK with my laptop?

Thanks
Steve



#5
July 3, 2011 at 23:04:57
Is the csrss.exe file located in the folder C:\Windows\System32? If so, it is legit.

Is there only one instance of it running?

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#6
July 3, 2011 at 23:23:42
When I open the Task Manager process screen it is the one entry without a description and pathname associated with it, which is why I am a bit suspicious.

There is only one instance of it.

Thanks
Steve



#7
July 4, 2011 at 12:42:24
Csrss stands for Client/Server Run-Time Subsystem, and is an essential file.

Let's go this route:

Enable the viewing of hidden and protected system files in Windows 7:

Close all programs so that you are at your Desktop.
Click on the Start button (globe).
Click on the Control Panel menu option.
Click on: Appearance and Personalization

Under Folder Options, click on: Show hidden files and folders
Under the Hidden files and folders section select the radio button labeled: Show hidden files, folders, and drives.

Remove the checkmark from the checkbox labeled: Hide extensions for known file types.

Remove the checkmark from the checkbox labeled: Hide protected operating system files (Recommended).

Press the Apply button and then OK

Now, do a search for C:\Windows\System32\csrss.exe

Right-click the file, and select: Properties

You should see the info that applies to the file, and, in the Version tab, it should show Microsoft.

If you still have doubts, then use VirusTotal, a free virus, malware and URL online scanning service:
http://www.virustotal.com

Click the ‘Browse’ button and search for the following file:
C:\WINDOWS\System32\csrss.exe

When found, click: Open
Then click: Send File

If it says the file is already scanned, click: ‘Reanalyze Now’
The scan takes a while…

Please copy and paste the results of the scan in your reply.

This should increase your ‘comfort level’ with that file. ;-)

~~~~
Retired - Doin' Dis, Dat, and slapping malware.


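The checks walked through in the post above (location, running instances, the publisher on the Version tab, the signature), automated in PowerShell as an added example that is not code from the thread or from VirusTotal. The function name Test-CsrssIntegrity and its output fields are this example's own; it assumes the file lives at the System32 path the post gives, and it adds a SHA256 that can be searched on VirusTotal instead of uploading the file.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt: csrss.exe
# runs as SYSTEM, so a non-elevated session cannot read its image path (the same reason
# Task Manager leaves the path column blank for it).

function Test-CsrssIntegrity {
    [CmdletBinding()]
    param(
        # Where the genuine binary lives; a process of this name loaded from anywhere else is suspect.
        [string]$ExpectedPath = (Join-Path $env:SystemRoot 'System32\csrss.exe')
    )

    if (-not (Test-Path -LiteralPath $ExpectedPath)) {
        throw "Expected file not found: $ExpectedPath"
    }

    # 1. Every running instance and the image path it was loaded from.
    $instances = @(Get-Process -Name csrss -ErrorAction SilentlyContinue)
    $instanceInfo = @(foreach ($p in $instances) {
        $path = $p.Path        # $null when the session is not elevated
        New-Object PSObject -Property @{
            PID          = $p.Id
            Path         = $(if ($path) { $path } else { '<access denied: run elevated>' })
            FromSystem32 = [bool]($path -and ($path -ieq $ExpectedPath))
        }
    })

    # 2. Version resource: the "Version tab should show Microsoft" check, read programmatically.
    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($ExpectedPath)

    # 3. Signature. Windows system files are catalog-signed rather than carrying an embedded
    #    signature. PowerShell 2.0 on Windows 7 only checks embedded signatures and reports
    #    NotSigned (the VirusTotal "verified: Unsigned" line later in the thread is the same
    #    effect), so NotSigned by itself is not evidence of tampering; newer PowerShell
    #    versions verify against the catalog and return Valid with a Microsoft signer.
    $sig = Get-AuthenticodeSignature -FilePath $ExpectedPath

    # 4. SHA256 through .NET so it runs on every PowerShell version (Get-FileHash needs 4.0+).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($ExpectedPath)
    try     { $sha256 = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }

    New-Object PSObject -Property @{
        InstancesFound  = $instances.Count
        AllFromSystem32 = (@($instanceInfo | Where-Object { -not $_.FromSystem32 }).Count -eq 0)
        Instances       = $instanceInfo
        CompanyName     = $vi.CompanyName     # expect "Microsoft Corporation"
        FileVersion     = $vi.FileVersion
        SignatureStatus = $sig.Status         # Valid, or NotSigned on old PowerShell (see above)
        Signer          = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' })
        SHA256          = $sha256             # paste into the VirusTotal search box
    }
}

$result = Test-CsrssIntegrity
$result | Format-List InstancesFound, AllFromSystem32, CompanyName, FileVersion, SignatureStatus, Signer, SHA256
$result.Instances | Format-Table PID, Path, FromSystem32 -AutoSize

# Independent cross-check against the Windows component catalog, which does not depend on
# the PowerShell version:  sfc /verifyfile=C:\Windows\System32\csrss.exe
```

Searching VirusTotal for the printed SHA256 returns the existing report for that exact file without an upload, which also sidesteps the upload size limit raised later in the thread.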

#8
July 5, 2011 at 08:54:44
Hi aaflac

Here are the results.

Looks like it's good...but if you could confirm that would be even better just in case i misread something.

On the Properties tab the copyright is by Microsoft and the date modified is 2009, which is before I bought the computer, so that gives extra comfort. Just don't know why the pathname is missing in the Task Manager process tab... winlogon.exe is also missing?

This VirusTotal seems like a good tool. Does it analyse files there and then, looking inside of them? Sometimes I download .rar files and am not sure if they contain malware. Is it possible to scan these files before opening them with this tool?

Many thanks for your help

Steve

9 VT Community user(s) with a total of 1589 reputation credit(s) say(s) this sample is goodware. 1 VT Community user(s) with a total of 1 reputation credit(s) say(s) this sample is malware.
File name:
csrss.exe
Submission date:
2011-07-05 15:36:13 (UTC)
Current status:
finished
Result:
0/ 43 (0.0%)

VT Community

goodware
Safety score: 99.9%
Antivirus Version Last Update Result
AhnLab-V3 2011.07.05.01 2011.07.05 -
AntiVir 7.11.10.223 2011.07.05 -
Antiy-AVL 2.0.3.7 2011.07.05 -
Avast 4.8.1351.0 2011.07.05 -
Avast5 5.0.677.0 2011.07.05 -
AVG 10.0.0.1190 2011.07.05 -
BitDefender 7.2 2011.07.05 -
CAT-QuickHeal 11.00 2011.07.05 -
ClamAV 0.97.0.0 2011.07.05 -
Commtouch 5.3.2.6 2011.07.05 -
Comodo 9281 2011.07.05 -
DrWeb 5.0.2.03300 2011.07.05 -
Emsisoft 5.1.0.8 2011.07.05 -
eSafe 7.0.17.0 2011.07.04 -
eTrust-Vet 36.1.8426 2011.07.05 -
F-Prot 4.6.2.117 2011.07.04 -
F-Secure 9.0.16440.0 2011.07.05 -
Fortinet 4.2.257.0 2011.07.05 -
GData 22 2011.07.05 -
Ikarus T3.1.1.104.0 2011.07.05 -
Jiangmin 13.0.900 2011.07.05 -
K7AntiVirus 9.107.4870 2011.07.04 -
Kaspersky 9.0.0.837 2011.07.05 -
McAfee 5.400.0.1158 2011.07.05 -
McAfee-GW-Edition 2010.1D 2011.07.05 -
Microsoft 1.7000 2011.07.05 -
NOD32 6266 2011.07.05 -
Norman 6.07.10 2011.07.05 -
nProtect 2011-07-05.03 2011.07.05 -
Panda 10.0.3.5 2011.07.04 -
PCTools 8.0.0.5 2011.07.05 -
Prevx 3.0 2011.07.05 -
Rising 23.65.00.05 2011.07.04 -
Sophos 4.67.0 2011.07.05 -
SUPERAntiSpyware 4.40.0.1006 2011.07.04 -
Symantec 20111.1.0.186 2011.07.05 -
TheHacker 6.7.0.1.248 2011.07.05 -
TrendMicro 9.200.0.1012 2011.07.05 -
TrendMicro-HouseCall 9.200.0.1012 2011.07.05 -
VBA32 3.12.16.4 2011.07.05 -
VIPRE 9778 2011.07.05 -
ViRobot 2011.7.5.4552 2011.07.05 -
VirusBuster 14.0.110.0 2011.07.05 -
Additional information
MD5 : 342271f6142e7c70805b8a81e1ba5f5c
SHA1 : 53bc9b2ae89fcad6197ec519ae588f926c88e460
SHA256: f9112b88fec5ef10a7aedf88dcee61956d1fcde7cb42197216e8265578713786
ssdeep: 96:p1AhMqrIEpi8qykDJvkM/HHEW5s9nWw3:p1AhMqrPGywkLW5s9nW
File size : 6144 bytes
First seen: 2009-08-19 18:53:22
Last seen : 2011-07-05 15:36:13
TrID:
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft® Windows® Operating System
description..: Client Server Runtime Process
original name: CSRSS.Exe
internal name: CSRSS.Exe
file version.: 6.1.7600.16385 (win7_rtm.090713-1255)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x1382
timedatestamp....: 0x4A5BBF0D (Mon Jul 13 23:11:09 2009)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x66E, 0x800, 5.63, 60ef29d0fae291699580e45ecb6f6116
.data, 0x2000, 0x33C, 0x200, 0.16, 0b2e7741e0c0fc65af1542e370d89f53
.rsrc, 0x3000, 0x7F8, 0x800, 4.38, 6210d9f78d6b6e5161e018d9ffc65275
.reloc, 0x4000, 0x96, 0x200, 0.82, 261d724141c07be71e8be5b4f269b3c5

[[ 2 import(s) ]]
ntdll.dll: RtlSetHeapInformation, RtlSetProcessIsCritical, NtTerminateThread, NtSetInformationProcess, RtlSetUnhandledExceptionFilter, NtTerminateProcess, RtlFreeAnsiString, RtlAllocateHeap, isspace, RtlUnicodeStringToAnsiString, RtlNormalizeProcessParams
CSRSRV.dll: CsrUnhandledExceptionFilter, CsrServerInitialization
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 2048
CompanyName: Microsoft Corporation
EntryPoint: 0x1382
FileDescription: Client Server Runtime Process
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 6.0 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
FileVersionNumber: 6.1.7600.16385
ImageVersion: 6.1
InitializedDataSize: 3584
InternalName: CSRSS.Exe
LanguageCode: English (U.S.)
LegalCopyright: Microsoft Corporation. All rights reserved.
LinkerVersion: 9.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 6.1
ObjectFileType: Executable application
OriginalFilename: CSRSS.Exe
PEType: PE32
ProductName: Microsoft Windows Operating System
ProductVersion: 6.1.7600.16385
ProductVersionNumber: 6.1.7600.16385
Subsystem: Native
SubsystemVersion: 6.1
TimeStamp: 2009:07:14 01:11:09+02:00
UninitializedDataSize: 0



#9
July 5, 2011 at 08:57:30
Hi aaflac

Just realised that you can only upload files up to a maximum of 20 MB to VirusTotal. Is there a tool I can download which looks inside of bigger files, such as .rar or .exe files, which may have been booby-trapped?

Thanks
Steve



#10
July 5, 2011 at 09:56:24
You can only upload one file at a time at VirusTotal, within its size constraints.

There is also Jotti, but I am sure it is the same:
http://virusscan.jotti.org/en

Here are some Microsoft suggestions on optimizing your system:
http://windows.microsoft.com/en-US/...

Follow each one of them, and see if your system speed improves.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#11
July 6, 2011 at 05:50:26
Thanks for all your help aaflac.

Quite happy all is OK now

Steve



#12
July 6, 2011 at 08:53:01
Quite happy all is OK now

Good!!!!

Have a great day, laylos!!

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#13
July 7, 2011 at 03:03:39
Hi aaflac

After all your help I decided to buy my own version of windows 7. I am currently a student at a place here in Germany and I can get a student Win 7 ultimate copy for 49 euro. My last day here is tom...so bought it.

I don't know if you can help me with the following. If not, it's cool as will post on the win 7 forum. Thought I'd ask you first.

I want to do a clean install with the new disk. The laptop has 2 partitions on it C for OS and programs (by the looks of it) and D for data...eg music, films, etc. The backup disk which I used reset all of C and did not touch D.

If I want to install this Win 7, do you think I can do the same, i.e. leave the data partition and just re-format C? Do you think this will be possible? Will I get the option when I insert the disk? Don't know if you can tell me this.

Is it better to re-format both partitions anyway? Can there be a virus or malware on the d drive?

Never had a computer with this partition before. When I installed an OS before, it's only ever been on an unpartitioned drive.

Any suggestions/advice listened to with keen ears!

Thanks
Steve

ps. Can you recommend any free antivirus? I've used avg before and currently avira antivir..both free. What free AV would you recommend?



#14
July 7, 2011 at 09:22:29
laylos,

As far as an AV program is concerned, have been using avast! (free) for a few years, and never had any problems with it.

On your questions regarding the install of Windows 7, I have not done any installing for a while, and do not feel comfortable giving you guidance on it. However, check your Personal Messages.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.


