
Suspicious Modem Activity Processes - Need Help


21 replies to this topic

#1 stellium

stellium

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:18 AM

Posted 09 April 2012 - 11:24 AM

Hi there,

I did the unthinkable. I started a music file I got from someone. I ended up with a Trojan. I got rid of it (To the best of my knowledge) and yet something is bothering me.

I use Windows XP and Mozilla Firefox 5.0 (an older version, I don't like the newer invasive versions of browsers). The issue at hand is that as soon as I log into the internet, I have send/receive activity going on constantly. I'm not knowledgeable as far as diagnostics are concerned but I do know a thing or two. I'm not sure how to get a screenshot onto this forum, but otherwise I do know how to follow instructions.

I used a scan to determine what processes were active, I checked port activity and such and found a bunch of stuff was going on, either with Firefox, Yahoo (my search engine, notorious for showing ads and crap) or some independent stuff that I think shouldn't be there. I had a bunch of processes going on which seemed sketchy. Could I be the victim of an exploit?

I have a bunch of stuff at my disposal

Avast Antivirus, and their rootkit scanner
ESET online Scanner
F-Secure Blacklight
TrendMicro Housecall
Gibson Research Firewall Leaktest
Malwarebytes Anti-Malware
Nico Cuppem Network Monitor
OTS.exe old time tools
Process explorer
Rootkit revealer
Security check
Spybot Search and Destroy
TCP view by sysinternals
WinPcap Packet capture
TCP view by Sysinternals (this one shows some stuff I'm not sure about)

I have not got Hijackthis, nor have I posted a log.

I was hoping that someone could help me analyze processes in order to dispose of whatever is not required.

Thanking you in advance for your assistance

Jacques
a.k.a. Stellium

Edited by stellium, 09 April 2012 - 11:32 AM.




#2 dev00790

dev00790

    Bleeping Chocoholic


  • Members
  • 5,037 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:02:18 PM

Posted 09 April 2012 - 06:12 PM

Hello,

I will be helping you with your problems
Please do the following:

Step 1

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Step 2

Please download Farbar Service Scanner to your Desktop and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Step 3

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.


Step 4

  • Launch Malwarebytes' Anti-Malware (MBAM)
  • Click on the tab update, then click Check for Updates
  • If an update is found, it will download and install the latest version.
  • Then on the Scanner tab select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Post the log in your next reply.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Edited by dev00790, 09 April 2012 - 06:13 PM.

Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"
I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog


#3 stellium

stellium
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:18 AM

Posted 09 April 2012 - 08:32 PM

Thanks a lot for your assistance. I ran the different evaluation tools as per your instructions. Here are the results:

Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Free Antivirus
ZoneAlarm LTD Toolbar
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

SpywareBlaster 4.4
Spybot - Search & Destroy
Java™ 6 Update 31
Adobe Flash Player 10.1.102.64 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (3.0.19) Firefox out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbam.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast avastUI.exe
``````````End of Log````````````

Farbar Service Scanner Version: 01-03-2012
Ran by jacques (administrator) on 09-04-2012 at 20:09:44
Running from "C:\Documents and Settings\jacques.JACQUES-01\My Documents"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is set to Disabled. The default start type is System.
The ImagePath of NetBt service is OK.


Connection Status:
==============
Localhost is accessible.
WAN connected
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****

MiniToolBox by Farbar Version: 18-01-2012
Ran by jacques (administrator) on 09-04-2012 at 20:12:37
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

Hosts file not detected in the default directory
========================= IP Configuration: ================================

Efficient Networks Enternet P.P.P.o.E Adapter = Local Area Connection 2 (Disconnected)
VIA Rhine II Fast Ethernet Adapter = Local Area Connection (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip



popd
# End of interface IP configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : jacques-01
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

PPP adapter Inter.net:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 206.126.87.21
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 206.126.87.21
DNS Servers . . . . . . . . . . . : 208.72.120.204
208.79.56.204
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: dns1.295.ca
Address: 208.72.120.204

Name: google.com
Addresses: 74.125.226.46, 74.125.226.38, 74.125.226.40, 74.125.226.35
74.125.226.34, 74.125.226.33, 74.125.226.32, 74.125.226.41, 74.125.226.37
74.125.226.36, 74.125.226.39


Pinging google.com [74.125.226.46] with 32 bytes of data:

Reply from 74.125.226.46: bytes=32 time=27ms TTL=59
Reply from 74.125.226.46: bytes=32 time=15ms TTL=59

Ping statistics for 74.125.226.46:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 15ms, Maximum = 27ms, Average = 21ms
Server: dns1.295.ca
Address: 208.72.120.204

Name: yahoo.com
Addresses: 209.191.122.70, 72.30.38.140, 98.139.183.24


Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=74ms TTL=51
Reply from 209.191.122.70: bytes=32 time=77ms TTL=51

Ping statistics for 209.191.122.70:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 74ms, Maximum = 77ms, Average = 75ms
Server: dns1.295.ca
Address: 208.72.120.204

Name: bleepingcomputer.com
Address: 208.43.87.2


Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x20003 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 206.126.87.21 206.126.87.21 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.2.1 255.255.255.255 206.126.87.21 206.126.87.21 1
206.126.87.21 255.255.255.255 127.0.0.1 127.0.0.1 50
206.126.87.255 255.255.255.255 206.126.87.21 206.126.87.21 50
224.0.0.0 240.0.0.0 206.126.87.21 206.126.87.21 1
255.255.255.255 255.255.255.255 206.126.87.21 206.126.87.21 1
Default Gateway: 206.126.87.21
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/04/2012 11:10:34 AM) (Source: Application Hang) (User: )
Description: Hanging application msimn.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (12/10/2011 00:49:31 PM) (Source: Application Hang) (User: )
Description: Hanging application firefox.exe, version 1.9.0.3725, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (09/20/2011 00:07:58 AM) (Source: Application Error) (User: )
Description: Faulting application firefox.exe, version 1.9.0.3725, faulting module unknown, version 0.0.0.0, fault address 0x037d124d.
Processing media-specific event for [firefox.exe!ws!]

Error: (08/13/2011 10:00:21 AM) (Source: Application Hang) (User: )
Description: Hanging application firefox.exe, version 1.9.0.3725, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (05/17/2011 02:08:44 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (05/17/2011 02:08:44 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The connection with the server was terminated abnormally

Error: (05/17/2011 00:00:59 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root certificate from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25.crt> with error: This network connection does not exist.

Error: (05/17/2011 00:00:59 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (05/17/2011 00:00:59 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (05/17/2011 00:00:59 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root certificate from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25.crt> with error: This network connection does not exist.


System errors:
=============
Error: (04/09/2012 06:46:48 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the NetBios over Tcpip service which failed to start because of the following error:
%%1058

Error: (04/09/2012 06:46:48 PM) (Source: Service Control Manager) (User: )
Description: The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:
%%1058

Error: (04/09/2012 06:04:53 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the NetBios over Tcpip service which failed to start because of the following error:
%%1058

Error: (04/09/2012 06:04:53 PM) (Source: Service Control Manager) (User: )
Description: The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:
%%1058

Error: (04/09/2012 05:44:20 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the NetBios over Tcpip service which failed to start because of the following error:
%%1058

Error: (04/09/2012 05:44:20 PM) (Source: Service Control Manager) (User: )
Description: The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:
%%1058

Error: (04/09/2012 05:19:53 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the NetBios over Tcpip service which failed to start because of the following error:
%%1058

Error: (04/09/2012 05:19:53 PM) (Source: Service Control Manager) (User: )
Description: The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:
%%1058

Error: (04/09/2012 05:10:27 PM) (Source: System Error) (User: )
Description: Error code 00000019, parameter1 00000020, parameter2 8441f960, parameter3 8441f990, parameter4 1a060001.

Error: (04/09/2012 05:09:35 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the NetBios over Tcpip service which failed to start because of the following error:
%%1058


Microsoft Office Sessions:
=========================
Error: (01/04/2012 11:10:34 AM) (Source: Application Hang)(User: )
Description: msimn.exe6.0.2900.5512hungapp0.0.0.000000000

Error: (12/10/2011 00:49:31 PM) (Source: Application Hang)(User: )
Description: firefox.exe1.9.0.3725hungapp0.0.0.000000000

Error: (09/20/2011 00:07:58 AM) (Source: Application Error)(User: )
Description: firefox.exe1.9.0.3725unknown0.0.0.0037d124d

Error: (08/13/2011 10:00:21 AM) (Source: Application Hang)(User: )
Description: firefox.exe1.9.0.3725hungapp0.0.0.000000000

Error: (05/17/2011 02:08:44 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.

Error: (05/17/2011 02:08:44 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe connection with the server was terminated abnormally

Error: (05/17/2011 00:00:59 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25.crtThis network connection does not exist.

Error: (05/17/2011 00:00:59 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.

Error: (05/17/2011 00:00:59 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis network connection does not exist.

Error: (05/17/2011 00:00:59 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25.crtThis network connection does not exist.


=========================== Installed Programs ============================

Acrobat.com (Version: 1.6.65)
Adobe AIR (Version: 1.5.0.7220)
Adobe Flash Player 10 ActiveX (Version: 10.0.22.87)
Adobe Flash Player 10 Plugin (Version: 10.1.102.64)
Adobe Reader 9.1.3 (Version: 9.1.3)
Adobe Shockwave Player 11.5 (Version: 11.5)
avast! Free Antivirus (Version: 7.0.1426.0)
Camedia Master 4.3 (Version: 1.00.0000)
Critical Update for Windows Media Player 11 (KB959772)
DesignPro 5.4 Limited Edition (Version: 5.2.1201)
Java Auto Updater (Version: 2.0.7.1)
Java™ 6 Update 31 (Version: 6.0.310)
LaserJet 1020 series
Malwarebytes Anti-Malware version 1.60.1.1000 (Version: 1.60.1.1000)
max.inter.net
Microsoft Office Professional Edition 2003 (Version: 11.0.5614.0)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Mozilla Firefox (3.0.19) (Version: 3.0.19 (en-US))
Network Traffic Monitor version 2.01 (Version: 2.01)
OLYMPUS CAMEDIA Master 4.3
OLYMPUS USB Reader/Writer (Version: 2.00)
ProSavageDDR and Utilities
QuickTime (Version: 7.60.92.0)
Realtek AC'97 Audio
S3Display
S3Gamma2
S3Info2
S3Overlay
Spybot - Search & Destroy (Version: 1.6.2)
SpywareBlaster 4.4 (Version: 4.4.0)
Update for Windows XP (KB898461) (Version: 1)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
VC 9.0 Runtime (Version: 1.0.0)
VIA Rhine-Family Fast Ethernet Adapter
WebFldrs XP (Version: 9.50.7523)
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
WinPcap 4.1.1 (Version: 4.1.0.1753)
ZoneAlarm LTD Toolbar

========================= Devices: ================================

Name: PCI Modem
Description: PCI Modem
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Efficient Networks Enternet P.P.P.o.E Adapter
Description: Efficient Networks Enternet P.P.P.o.E Adapter
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Efficient Networks
Service: NTSPPPOE
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


========================= Memory info: ===================================

Percentage of memory in use: 50%
Total physical RAM: 479.48 MB
Available physical RAM: 239.13 MB
Total Pagefile: 1122.19 MB
Available Pagefile: 967.39 MB
Total Virtual: 2047.88 MB
Available Virtual: 1975.6 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:74.52 GB) (Free:47.91 GB) NTFS

========================= Users: ========================================

User accounts for \\JACQUES-01

Administrator Guest HelpAssistant
jacques SUPPORT_388945a0

========================= Minidump Files ==================================

C:\WINDOWS\Minidump\Mini041409-01.dmp
C:\WINDOWS\Minidump\Mini041409-02.dmp
C:\WINDOWS\Minidump\Mini092011-01.dmp

**** End of log ****

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.04.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
jacques :: JACQUES-01 [administrator]

4/9/2012 8:58:06 PM
mbam-log-2012-04-09 (20-58-06).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 257230
Time elapsed: 9 minute(s), 54 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Let me know what you find out...

Jacques
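The two logs above (the Farbar Service Scanner "Internet Services" section and the Service Control Manager entries MiniToolBox lists) can be triaged mechanically. The script below is an added example, not code from this thread, from Farbar or from BleepingComputer: it pulls out every service FSS reports as not running, flags a start type that differs from the default or an ImagePath/ServiceDll that is not reported as OK, and decodes the `%%1058` code the SCM entries carry. The sample text is constructed in the layout of the logs posted above; the error-code table is a hand-picked subset of the documented Win32 list.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the layout of the Farbar Service Scanner log posted
# above; the service lines mirror that log, the rest is trimmed.
FSS_SAMPLE = """Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is set to Disabled. The default start type is System.
The ImagePath of NetBt service is OK.

Connection Status:
==============
"""

# Constructed sample in the layout of MiniToolBox's "System errors" list.
SCM_SAMPLE = """Error: (04/09/2012 06:46:48 PM) (Source: Service Control Manager) (User: )
Description: The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:
%%1058
"""

# Win32 service-start error codes: a hand-picked subset of the documented list.
SCM_ERRORS = {
    1053: "ERROR_SERVICE_REQUEST_TIMEOUT",
    1058: "ERROR_SERVICE_DISABLED",
    1060: "ERROR_SERVICE_DOES_NOT_EXIST",
    1068: "ERROR_SERVICE_DEPENDENCY_FAIL",
    1069: "ERROR_SERVICE_LOGON_FAILED",
}

@dataclass
class ServiceFinding:
    name: str
    running: bool = True
    start_type: str = "OK"              # "OK", or the configured value FSS reports
    default_start: Optional[str] = None
    bad_paths: List[str] = field(default_factory=list)  # ImagePath/ServiceDll lines not "OK"

HEADER = re.compile(r"^[A-Za-z ]+:$")  # e.g. "Internet Services:", "Connection Status:"
NOT_RUNNING = re.compile(r"^(\w+) Service is not running\.")
START_TYPE = re.compile(r"^The start type of (\w+) service is set to (\w+)\. The default start type is (\w+)\.")
PATH_CHECK = re.compile(r"^The (ImagePath|ServiceDll) of (\w+) service is (.+?)\.?$")
DEPENDENCY = re.compile(r"The (.+?) service depends on the (.+?) service which failed to start")
ERROR_CODE = re.compile(r"^%%(\d+)$")

def parse_fss_services(text: str) -> Dict[str, ServiceFinding]:
    """One ServiceFinding per service named in the 'Internet Services' section."""
    findings: Dict[str, ServiceFinding] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if HEADER.match(line):
            in_section = line == "Internet Services:"
            continue
        if not in_section:
            continue
        if m := NOT_RUNNING.match(line):
            findings.setdefault(m.group(1), ServiceFinding(m.group(1))).running = False
        elif m := START_TYPE.match(line):
            f = findings.setdefault(m.group(1), ServiceFinding(m.group(1)))
            f.start_type, f.default_start = m.group(2), m.group(3)
        elif (m := PATH_CHECK.match(line)) and m.group(3) != "OK":
            findings.setdefault(m.group(2), ServiceFinding(m.group(2))).bad_paths.append(line)
    return findings

def parse_scm_dependency_errors(text: str):
    """(dependent service, failed dependency, code, symbolic name) per SCM entry."""
    out, pending = [], None
    for line in text.splitlines():
        if m := DEPENDENCY.search(line):
            pending = (m.group(1), m.group(2))
        elif (m := ERROR_CODE.match(line.strip())) and pending:
            code = int(m.group(1))
            out.append((*pending, code, SCM_ERRORS.get(code, "UNKNOWN")))
            pending = None
    return out

def triage(fss_text: str, scm_text: str) -> List[str]:
    """Lines a helper would act on, in the order the logs mention them."""
    notes = []
    for f in parse_fss_services(fss_text).values():
        if f.start_type != "OK":
            notes.append(f"{f.name}: start type {f.start_type}, default {f.default_start}")
        if f.bad_paths:
            notes.append(f"{f.name}: unexpected service binary -> " + "; ".join(f.bad_paths))
        if not f.running and f.start_type == "OK" and not f.bad_paths:
            notes.append(f"{f.name}: not running but configuration unchanged (check its dependencies)")
    for dep, failed, code, sym in parse_scm_dependency_errors(scm_text):
        notes.append(f"{dep} could not start: dependency '{failed}' failed with {code} ({sym})")
    return notes

if __name__ == "__main__":
    for note in triage(FSS_SAMPLE, SCM_SAMPLE):
        print(note)
```

Run on the sample, the script ties the three observations together: NetBt is configured Disabled where the default is System, Dhcp is not running although its own configuration is untouched, and the SCM entries explain why (1058, ERROR_SERVICE_DISABLED, on the NetBios over Tcpip dependency). A start type or binary path that deviates from the default is worth checking whether it was set deliberately or by something else, which is exactly why FSS prints the default next to the configured value.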

#4 dev00790

dev00790

    Bleeping Chocoholic


  • Members
  • 5,037 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:02:18 PM

Posted 10 April 2012 - 04:18 PM

Hi stellium,

1

I had a bunch of processes going on which seemed sketchy

Please give more details on this

2
Please download and run tdsskiller:

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

3
Change the Start type of the NetBT Service

  • Click the Start button in the bottom left on your desktop
  • In the search box type "services.msc" without the quotes, then press enter. A window named "Services" should open.
  • Click on the header of the column "Name" until the small triangle has its tip facing upwards (like: ^ )
  • Scroll down the names until you find the service named "TCP/IP NetBIOS Helper"
  • Right click on this, then click "Properties"
  • On the "General" tab, there is a dropdown for "startup type" - please select "Automatic"
  • Click on Apply

4
How is your computer running now?

Edited by dev00790, 10 April 2012 - 05:12 PM.

Regards, dev00790



#5 dev00790

dev00790

    Bleeping Chocoholic


  • Members
  • 5,037 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:02:18 PM

Posted 10 April 2012 - 05:13 PM

Hi - just letting you know that I've edited the instructions in my last post.

Regards, dev00790



#6 stellium

stellium
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:18 AM

Posted 11 April 2012 - 11:30 AM

Dev,

Thanks a lot for your assistance/support. I did a little digging and the suspicious activity seems to come down to the following.

I decided to check the ongoing I/O graph and found the following

A 30.4 kb read and 30.4 kb write and 120 Other originating from svchost.exe Process ID 896 (every second or so), along with jqs.exe process ID 1664.

Every 30 seconds or so, I have a spike in activity, to 8.4 MB Read, 4.8 Kb write and 25.5 Kb Other. This was found using Sysinternals Process Explorer. I hope this doesn't serve as a red herring, but I'd really like to find the underlying program/process/activity that causes my computer to act this way. FYI, as soon as the link to the internet is severed, activity stops. Sounds like monitoring, or am I getting this wrong? Maybe an ad server?

I'll be carrying out the activities that you asked for and will report back soon.

Jacques

Edited by stellium, 11 April 2012 - 11:43 AM.
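The pattern described in the post above (a steady few-KB-per-second baseline plus a much larger burst at a fixed interval) becomes checkable once it is recorded as numbers rather than watched on a graph. The script below is an added example, not the poster's data and not code from Sysinternals: it takes per-second read-byte deltas per PID, of the kind Process Explorer's I/O columns show, uses the median as the baseline (a short burst cannot shift a median), and reports each PID's baseline, its burst size and the burst period. The samples are constructed with figures modelled on the post; PIDs 896 and 1664 are the ones quoted there.

```python
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample (not the poster's data): per-second read-byte deltas for two
# PIDs, modelled on the figures in the post. PID 896 shows a ~30 KB/s baseline
# plus an ~8.4 MB burst every 30 s; PID 1664 shows the baseline only.
def make_samples(seconds: int = 120, period: int = 30) -> List[Tuple[int, int, int]]:
    samples = []
    for t in range(seconds):
        burst = 8_400_000 if (t + 1) % period == 0 else 0
        samples.append((t, 896, 30_400 + (t % 3) * 100 + burst))   # bursty process
        samples.append((t, 1664, 30_400 + (t % 2) * 50))           # steady only
    return samples

def profile_process(series: List[Tuple[int, int]], burst_factor: int = 20) -> dict:
    """series: (second, bytes) pairs for one PID, sorted by time.

    The median is the baseline; a sample is a burst when it exceeds
    burst_factor times that baseline. The period is the median gap
    between bursts, so one missed or extra sample does not distort it.
    """
    values = [b for _, b in series]
    baseline = median(values)
    bursts = [t for t, b in series if b > burst_factor * baseline]
    period = None
    if len(bursts) >= 2:
        period = median([b - a for a, b in zip(bursts, bursts[1:])])
    return {
        "baseline_bytes_per_s": baseline,
        "burst_times": bursts,
        "burst_period_s": period,
        "burst_bytes": max(values) if bursts else None,
    }

def profile_all(samples, burst_factor: int = 20) -> Dict[int, dict]:
    """Group (second, pid, bytes) samples by PID and profile each one."""
    per_pid: Dict[int, List[Tuple[int, int]]] = defaultdict(list)
    for t, pid, b in samples:
        per_pid[pid].append((t, b))
    return {pid: profile_process(sorted(s), burst_factor) for pid, s in per_pid.items()}

def describe(profiles: Dict[int, dict]) -> List[str]:
    """One human-readable line per PID, lowest PID first."""
    lines = []
    for pid, p in sorted(profiles.items()):
        base_kb = p["baseline_bytes_per_s"] / 1024
        if p["burst_period_s"] is None:
            lines.append(f"PID {pid}: steady ~{base_kb:.1f} KB/s, no periodic bursts")
        else:
            lines.append(f"PID {pid}: steady ~{base_kb:.1f} KB/s, "
                         f"~{p['burst_bytes'] / 1e6:.1f} MB burst every ~{p['burst_period_s']} s "
                         f"({len(p['burst_times'])} seen)")
    return lines

if __name__ == "__main__":
    for line in describe(profile_all(make_samples())):
        print(line)
```

The value of the profile is attribution, not the numbers themselves: once a burst is pinned to a PID and a period, the next step is to establish which image and, for a svchost.exe instance, which service group that PID hosts (`tasklist /svc` lists this on Windows XP Professional) and whether the traffic TCPView shows for that PID lines up with the same timing. A steady baseline that stops the moment the link drops is consistent with any process that polls over the network, so the PID-to-service mapping is what separates a benign updater from something that needs removal.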


#7 stellium

stellium
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:10:18 AM

Posted 11 April 2012 - 12:31 PM

Dev,

Here is a copy of the log. The computer scanned clean.



Also, I found a couple of system files at C:\

hiberfil.sys 480MB
ntldr 245kb
pagefile.sys 720MB

Are these ok?


According to step 3 of your instructions, the TCP/IP NetBIOS startup type was already set to "Automatic", yet the service status was "Stopped", with an option to start it and to add specific parameters.

Cheers,

Jacques

#8 dev00790

dev00790

    Bleeping Chocoholic


  • Members
  • 5,037 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:02:18 PM

Posted 11 April 2012 - 05:43 PM

I found a couple of system files at C:

hiberfil.sys 480MB
ntldr 245kb
pagefile.sys 720MB

Are these ok?

Those are legitimate Windows system files.

According to step 3 of the instructions, the TCP/IP NetBIOS startup type was already set to "Automatic", yet the service status was "Stopped" with an option to start it and add specific parameters

1) Please start the service.
2) Restart the computer
3) Tell me what the startup type of TCP/IP NetBIOS is now?

Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"
I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog


#9 stellium

stellium
  • Topic Starter

  • Members
  • 13 posts

Posted 12 April 2012 - 12:43 PM

Dev

The plot thickens

Error message:

"Could not start the TCP/IP NetBIOS helper on the host computer"

"Error 1068: The dependency service or group failed to start"


Log on tab

Log on as "this account" selected

NT AUTHORITY\LocalService
Password protected 15 character password (unsure if this was how the computer was configured when delivered or not. My buddy set up my comp, a few years ago)

Jacques

#10 dev00790

dev00790

    Bleeping Chocoholic

  • Members
  • 5,037 posts
  • Gender:Male
  • Location:UK

Posted 12 April 2012 - 04:31 PM

Hi stellium,

Ok now we're getting somewhere. Please do the following:

1)

Backup Your Registry with ERUNT

  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.

If using Windows XP:
Open Erunt.exe (use the shortcut on your desktop if you used the installer).
If you get a message box with the title "Welcome", click on "OK"
Follow the subsequent prompts, leaving the values at default, and click on "OK"
If you get asked whether to create a folder please click "Yes".

If using Windows Vista / 7:
Right click on Erunt.exe and click "Run as Administrator" (use the shortcut on your desktop if you used the installer).
If you get a message box with the title "Welcome", click on "OK"
Follow the subsequent prompts, leaving the values at default, and click on "OK"
If you get asked whether to create a folder please click "Yes".

2)

We need to amend the NetBT Service:

  • Please click on following: NetBT.reg
  • Save the file to your desktop
  • Double click the file to merge it into the registry. If a window appears asking you whether to run this, click "Run".

3)

Please rerun Farbar service scanner (FSS) as per my earlier post.

4)

How is your computer running now?

Regards, dev00790

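The "Error 1068" in post #9 means one of the services that the TCP/IP NetBIOS Helper depends on did not come up, and the fix offered above is a registry edit to the NetBT service. The following PowerShell script is an added example, not code from this thread and not the contents of dev00790's NetBT.reg (which are not shown here). It walks a service's DependOnService chain through HKLM\SYSTEM\CurrentControlSet\Services, reporting each link's Start value (0 Boot, 1 System, 2 Automatic, 3 Manual, 4 Disabled), its run state and its ImagePath, so a disabled or stopped dependency stands out. The service name lmhosts (the TCP/IP NetBIOS Helper) and the driver names NetBT, Tcpip and IPSec are standard Windows XP names; everything else is read from the live machine.

```powershell
# Added example, not from the thread or from dev00790's NetBT.reg (contents not shown
# there). Walks a service's DependOnService chain through the registry and reports the
# start type and state of every link: the manual way to find the culprit behind
# "Error 1068: The dependency service or group failed to start".
# Start value meanings: 0 Boot, 1 System, 2 Automatic, 3 Manual, 4 Disabled.

$StartTypeNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceStartInfo {
    param([Parameter(Mandatory = $true)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { return $null }
    $props = Get-ItemProperty -Path $key

    # Win32_Service covers user-mode services (e.g. lmhosts); kernel drivers such as
    # NetBT, Tcpip and IPSec only show up in Win32_SystemDriver.
    $obj = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if (-not $obj) { $obj = Get-WmiObject Win32_SystemDriver -Filter "Name='$Name'" }
    $state = 'Unknown'
    if ($obj) { $state = $obj.State }

    # DependOnService is a REG_MULTI_SZ; drop empty entries so recursion never gets ''.
    $deps = @()
    if ($props.DependOnService) { $deps = @($props.DependOnService | Where-Object { $_ }) }

    $startName = 'n/a'
    if ($props.Start -ne $null) { $startName = $StartTypeNames[[int]$props.Start] }

    New-Object PSObject -Property @{
        Name      = $Name
        Start     = $props.Start
        StartType = $startName
        ImagePath = $props.ImagePath
        State     = $state
        DependsOn = $deps
    }
}

function Test-ServiceDependencyChain {
    param([Parameter(Mandatory = $true)][string]$Name, [int]$Depth = 0, [hashtable]$Seen = @{})
    if ($Seen.ContainsKey($Name)) { return }   # guard against dependency cycles
    $Seen[$Name] = $true
    $indent = '  ' * $Depth
    $info = Get-ServiceStartInfo -Name $Name
    if (-not $info) { "$indent$Name  <-- no registry key: the dependency is missing"; return }

    $flag = ''
    if ($info.Start -eq 4) { $flag = '  <-- DISABLED: anything depending on it fails with 1068' }
    elseif ($info.State -ne 'Running' -and $info.State -ne 'Unknown') { $flag = '  <-- not running' }
    "$indent$($info.Name) [Start=$($info.Start) $($info.StartType), State=$($info.State)]$flag"
    "$indent  ImagePath: $($info.ImagePath)"

    foreach ($dep in $info.DependsOn) {
        Test-ServiceDependencyChain -Name $dep -Depth ($Depth + 1) -Seen $Seen
    }
}

# TCP/IP NetBIOS Helper is the service named lmhosts; its chain runs through NetBT to Tcpip.
Test-ServiceDependencyChain -Name 'lmhosts'
```

Run it from an elevated PowerShell prompt. A line flagged DISABLED or "not running" somewhere below lmhosts is the service that actually needs attention; in this thread that turned out to be NetBT, whose Start value the poster later set to 2 (Automatic). Reading the ImagePath alongside the state also lets you compare the binary against the MD5 checks that Farbar Service Scanner prints.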


#11 stellium

stellium
  • Topic Starter

  • Members
  • 13 posts

Posted 12 April 2012 - 05:34 PM

Dev,

Here is the FSS Scan

Farbar Service Scanner Version: 01-03-2012
Ran by jacques (administrator) on 12-04-2012 at 18:32:22
Running from "C:\Documents and Settings\jacques.JACQUES-01\My Documents"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is OK.
The ImagePath of NetBt service is OK.


Connection Status:
==============
Localhost is accessible.
WAN connected
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****

Background modem activity still under way, condition unchanged...

Jacques

DEV,

Ok did a little research on my own...

Went into REGEDIT and changed value of HKLM/SYSTEM/CurrentControlSet/services/NetBT/Start to "2" NetBT seems to be on now.

Got this FSS scan (My internet connection had not yet been established)

Farbar Service Scanner Version: 01-03-2012
Ran by jacques (administrator) on 12-04-2012 at 18:58:48
Running from "C:\Documents and Settings\jacques.JACQUES-01\My Documents"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****

I have a question. Why are both Yahoo and Google accessible? I mean Yahoo.com is my homepage, but Google should be dormant or not even there, no? Or is it indelibly linked to Yahoo?

Connected to the Internet. Modem still looking for its mother...

Jacques

Edited by stellium, 12 April 2012 - 06:33 PM.
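Both FSS logs above end with an "Extra List" block: the tag number of each driver in the PNP_TDI group, a hex blob, and the verdict "IpSec Tag value is correct". The blob is the PNP_TDI value under HKLM\SYSTEM\CurrentControlSet\Control\GroupOrderList, a REG_BINARY made of a little-endian DWORD count followed by that many DWORD tags in load order. The PowerShell below is an added example, not part of the thread or of FSS, that decodes the two lines copied from the log into a readable load order and flags tags that have no named driver. The assumption that FSS's closing verdict means "IPSec must be first in this group" is mine, inferred from the log, not taken from FSS documentation.

```powershell
# Added example, not from the thread or from Farbar Service Scanner. Decodes the
# "Extra List" block FSS prints: the hex blob is the REG_BINARY value
# HKLM\SYSTEM\CurrentControlSet\Control\GroupOrderList\PNP_TDI, i.e. a little-endian
# DWORD count followed by that many DWORD tags giving the driver load order.
# Both input lines are copied verbatim from the FSS log posted in this thread.

$tagLine  = 'aswTdi(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)'
$orderHex = '0x080000000500000001000000020000000300000004000000080000000600000007000000'

function ConvertFrom-GroupOrderList {
    param([Parameter(Mandatory = $true)][string]$Hex)
    $clean = $Hex -replace '^0x', ''
    if ($clean.Length % 8 -ne 0) { throw 'blob length is not a whole number of DWORDs' }
    $bytes = New-Object byte[] ($clean.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($clean.Substring(2 * $i, 2), 16)
    }
    $count = [BitConverter]::ToUInt32($bytes, 0)
    if ($bytes.Length -lt 4 * ($count + 1)) { throw "blob claims $count tags but only holds $(($bytes.Length / 4) - 1)" }
    $tags = @()
    for ($i = 1; $i -le $count; $i++) { $tags += [BitConverter]::ToUInt32($bytes, 4 * $i) }
    return $tags
}

function Get-TagNames {
    # Parses "Name(tag) Name(tag) ..." into a tag -> driver name table.
    param([Parameter(Mandatory = $true)][string]$Line)
    $map = @{}
    foreach ($m in [regex]::Matches($Line, '(\w+)\((\d+)\)')) {
        $map[[int]$m.Groups[2].Value] = $m.Groups[1].Value
    }
    return $map
}

$names = Get-TagNames -Line $tagLine
$order = ConvertFrom-GroupOrderList -Hex $orderHex

$pos = 1
foreach ($tag in $order) {
    $name = '(no driver with this tag in the Extra List)'
    if ($names.ContainsKey([int]$tag)) { $name = $names[[int]$tag] }
    '{0}. tag {1,2}  {2}' -f $pos, $tag, $name
    $pos++
}

# Assumption (mine, inferred from the log): FSS's "IpSec Tag value is correct" means
# the IPSec driver holds the first slot in the PNP_TDI load order.
$ipsecTag = ($names.GetEnumerator() | Where-Object { $_.Value -eq 'IPSec' } | Select-Object -First 1).Key
if ($ipsecTag -ne $null -and $order[0] -eq $ipsecTag) {
    'IPSec loads first in PNP_TDI: order matches the expected one'
} else {
    'WARNING: IPSec is not first in the PNP_TDI load order; compare against a known-good XP SP3 machine'
}
```

For the log in this thread the output lists IPSec (tag 5) first, then tags 1 and 2 with no named driver, then Gpc, Tcpip, aswTdi, NetBT and PSched. Tags without a name in the Extra List simply belong to drivers FSS did not print, so the script reports them rather than treating them as an error; the check worth acting on is the load order itself, since a driver that has been pushed ahead of the TCP/IP stack is a classic place for a network-hooking rootkit to sit, which is why FSS shows the block at all.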


#12 dev00790

dev00790

    Bleeping Chocoholic

  • Members
  • 5,037 posts
  • Gender:Male
  • Location:UK

Posted 12 April 2012 - 06:49 PM

Hi Stellium,

Went into REGEDIT and changed value of HKLM/SYSTEM/CurrentControlSet/services/NetBT/Start to "2" NetBT seems to be on now.


Please be careful when editing the registry. It is very easy to make a mistake which may cause your machine to become unbootable. Please do not make any further changes like this unless I say so - it is often harder to figure out what is going on, and causes a delay as a result.

1) Please do step 2) in my previous post again.

2) Please do step 3) in my previous post again.
Post the log in your next reply.

3) How is your computer running now?

Edited by dev00790, 12 April 2012 - 06:50 PM.

Regards, dev00790



#13 dev00790

dev00790

    Bleeping Chocoholic

  • Members
  • 5,037 posts
  • Gender:Male
  • Location:UK

Posted 15 April 2012 - 05:47 AM

Hi Stellium,

Are you still with me?

Regards, dev00790



#14 stellium

stellium
  • Topic Starter

  • Members
  • 13 posts

Posted 16 April 2012 - 11:25 AM

Dev,

Yes I am. I apologize for the delay in re-doing those steps. I'm in North America and you're in the UK, I gather. Sometimes we don't sync up too well.

Will execute this P.M. and report,

Thanks

Stellium

#15 dev00790

dev00790

    Bleeping Chocoholic

  • Members
  • 5,037 posts
  • Gender:Male
  • Location:UK

Posted 16 April 2012 - 12:29 PM

Thanks for letting me know

Regards, dev00790
