Help... Unknown malware/browser Hijack
Bogtrotter
Posts: 1,031 Forumite
in Techie Stuff
Hey guys
Wonder if anyone has come across similar?
I have a laptop that frequently gets infected with malware. At the moment malwarebytes, hijackthis shows nothing. However guaranteed within a week it will become infected again.
On closer inspection when a browser is started the browser connects to a site gcoogle.co.uk (homepage in options but if changed always reverts back to gcoogle on browser restart) and unlimitedsearch.co.uk before ending up on www.google.co.uk so you don't really notice these other connections. Occasionally clicking a link will take you to a page that frequently serves up an ad with fresh helpings of malware.
I have added these 2 sites to the hosts file but random ads still appear.
I'm guessing it's some sort of rootkit/windows exploit since if I try to run combofix it fails to run generating a bluescreen error and I am unable to update windows failing with error 80073EFE.
0
Comments
-
Does HitManPro work in breach mode? You could also try AVZ or Comodo Cleaning Essentials. Let me know if you need links/info. Also won't hurt to do scans with TDSSkiller or vundofix.
Do DDS or Hijack Hunter work? both give more information than HJT.
Interesting, someone complaining on mozilla about it 3 weeks ago - but it's still not in MVPS or MalwareDomainList hosts files.
Someone started the topic in http://www.bleepingcomputer.com/forums/topic388263.html, but as typical for people seeking help with malware, the thread starter never finished so no clue how the steps offered would have helped.
I'll go into a sandbox and see if anything I'm using blocks my access to gcoogle. Edit: yes nothing stops my access to gcoogle.co.uk or unlimitedsearch.co.uk, it just flicks me straight onto google.co.uk after a few changes.
For reference, I'm using:
Avast, MBAM Pro, Adblock with Easylist & MalwareDomains list, and a combination of MVPS/MalwareDomainList, and spywareblaster along with ClearcloudDNS. Fast enough for a speedy netbook believe it or not, so fine on this main one
0 -
this type of persistent redirect usually needs either combofix or Dr Web to shift...... bogtrotter, be prepared for a possible 10+hrs scan
......Gettin' There, Wherever There is......
I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple
0 -
A packet sniffer like Ethereal / Wireshark would tell you about the contents of the outgoing HTTP packets to gcoogle.co.uk
You could analyse those packets to determine the vector and purpose of the attack.
The HTTP request packet that is sent to gcoogle.co.uk must contain site-identifiable content (in addition to your IP address at the TCP/IP layer).
Have you tried running the networking tool 'netstat' in continuous mode before you start Firefox? If so, what does netstat show is happening? Is Firefox (or a malware process spawned by Firefox) causing a listening socket to be bound to a network port on your machine?
The HTTP connection to gcoogle.co.uk could be informing the hacker that a network backdoor is installed and open on your machine.
You could use the 'netcat' (nc) tool to create a local listening socket on port 80 (HTTP).
By modifying the hosts file to override DNS so that gcoogle.co.uk points to 127.0.0.1, you can cause firefox to connect to that TCP listening socket that 'netcat' created on your local machine.
That would allow you to inspect the contents of the outgoing packets to gcoogle.co.uk
If you have other machines on your network, you could set the ethernet interface to "promiscuous" mode and sniff all the traffic that flows to and from the hacked laptop.
I remember there is quite a nice GUI tool called CurrPorts that shows each of the processes which has created a network socket. Maybe that would be useful.
http://www.wireshark.org/
http://www.downloadnetcat.com/
http://en.wikipedia.org/wiki/Wireshark
http://www.nirsoft.net/utils/cports.html
0 -
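The hosts-file-plus-local-listener idea from the post above, written out as an added example (not code from the thread): a loopback listener that records what the browser sends to the redirect domains. It assumes a hosts entry pointing the two domains at 127.0.0.1; the sample request and the function names are constructed for illustration.

```python
import socket
import threading

# Domains named in the thread. Assumed hosts entries:
#   127.0.0.1 gcoogle.co.uk
#   127.0.0.1 unlimitedsearch.co.uk
SINKHOLED = {"gcoogle.co.uk", "unlimitedsearch.co.uk"}

# Constructed sample request, used only by demo() so the block runs offline.
SAMPLE_REQUEST = (
    b"GET /?q=test HTTP/1.1\r\n"
    b"Host: gcoogle.co.uk\r\n"
    b"User-Agent: Mozilla/5.0 (constructed sample)\r\n"
    b"Referer: http://www.example.com/\r\n"
    b"Cookie: id=constructed\r\n"
    b"\r\n"
)


def parse_request(raw):
    """Split a raw HTTP request into request line and lower-cased headers."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = (lines[0].split(" ") + ["", "", ""])[:3]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "").split(":")[0].lower()
    return {
        "method": method,
        "target": target,
        "version": version,
        "host": host,
        "sinkholed": host in SINKHOLED,
        "headers": headers,
    }


def open_listener(port=80, host="127.0.0.1"):
    """Bind a loopback-only listener; port 80 normally needs admin rights."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen(5)
    return listener


def capture_one(listener, timeout=5.0, limit=65536):
    """Accept one connection, read the request head, answer 204, return a record."""
    conn, peer = listener.accept()
    raw = b""
    with conn:
        conn.settimeout(timeout)
        try:
            while b"\r\n\r\n" not in raw and len(raw) < limit:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                raw += chunk
            conn.sendall(b"HTTP/1.1 204 No Content\r\nConnection: close\r\n\r\n")
        except OSError:
            pass  # timeout or reset: keep whatever was received
    record = parse_request(raw)
    record["peer"] = peer  # (address, source port) of the connecting process
    return record


def demo():
    """Replay the constructed request against an ephemeral-port listener."""
    listener = open_listener(port=0)
    port = listener.getsockname()[1]

    def client():
        with socket.create_connection(("127.0.0.1", port)) as c:
            c.sendall(SAMPLE_REQUEST)
            c.recv(1024)

    worker = threading.Thread(target=client)
    worker.start()
    try:
        return capture_one(listener)
    finally:
        worker.join()
        listener.close()


if __name__ == "__main__":
    srv = open_listener(80)
    while True:
        rec = capture_one(srv)
        print(rec["peer"], rec["method"], rec["host"], rec["target"])
        for name in ("referer", "cookie", "user-agent"):
            if name in rec["headers"]:
                print("   ", name + ":", rec["headers"][name])
```

The source port in `peer` can be matched against `netstat -ano` or CurrPorts output to see which process opened the connection.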
Thanks guys
Definitely a headscratcher don't know if it's gonna be worth persevering trying to remove this one... if it was my machine I don't think I could trust it to be malware free and to be honest I've spent too much time on it already.
There is no recovery partition and the owner is away on holidays till next week so I'll have to wait till then to get his recovery CDs. If I have some spare time over the next week I may investigate a little more for my own curiosity.
Interesting both domains registered end of Feb to same individual in Latvia so maybe a bit early in the malware life cycle just add them to your hosts file just in case.
0 -
all browsers?
post the hijackthis log
disable or uninstall superfluous toolbars/browser helper object/FF plugins
empty java cache with ccleaner, applications, java tickbox
disable any proxies in IE/FF connection settings
scan with
http://support.kaspersky.com/downloads/utils/tdsskiller.exe
http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
http://www.eset.com/home/products/online-scanner
failing that, search the contents of every file for those strings!!
> . !!!! ----> .
0 -
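The last step of the checklist above (searching file contents for the two domain strings), as an added example that is not part of the original post. It goes slightly beyond a plain text search by matching case-insensitively in both ASCII and UTF-16LE, and by reporting files it could not open; the file names and contents in `demo()` are constructed.

```python
import os
import tempfile

# Strings to hunt for: the two redirect domains named in the thread.
NEEDLES = ["gcoogle.co.uk", "unlimitedsearch.co.uk"]


def build_patterns(needles):
    """Map each needle to its lower-cased ASCII and UTF-16LE byte forms."""
    return {
        n: [n.lower().encode("ascii"), n.lower().encode("utf-16-le")]
        for n in needles
    }


def scan_file(path, patterns, chunk_size=1 << 20):
    """Return the set of needles present in one file, reading it in chunks."""
    # Carry the tail of each window forward so a match split across two
    # chunks is still seen.
    overlap = max(len(p) for forms in patterns.values() for p in forms) - 1
    found = set()
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            # bytes.lower() only touches ASCII letters, so it also works on
            # UTF-16LE text where every other byte is 0x00.
            window = (tail + chunk).lower()
            for needle, forms in patterns.items():
                if needle not in found and any(p in window for p in forms):
                    found.add(needle)
            tail = window[-overlap:]
    return found


def scan_tree(root, needles=NEEDLES, chunk_size=1 << 20):
    """Walk root; return ({relative path: [needles]}, [unreadable paths])."""
    patterns = build_patterns(needles)
    hits, unreadable = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                found = scan_file(path, patterns, chunk_size)
            except OSError:
                # Locked or access-denied files are worth a second look
                # from outside the running system.
                unreadable.append(rel)
                continue
            if found:
                hits[rel] = sorted(found)
    return hits, sorted(unreadable)


def demo(chunk_size=1 << 20):
    """Scan a temporary directory of constructed sample files."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            # Constructed Firefox-style preference line.
            "prefs.js": b'user_pref("browser.startup.homepage", '
                        b'"http://gcoogle.co.uk/");\n',
            # Constructed UTF-16LE text with mixed case.
            "export.reg": '"Start Page"="http://UnlimitedSearch.co.uk/"'
                          .encode("utf-16-le"),
            "clean.txt": b"homepage=http://www.google.co.uk/\n",
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_tree(root, chunk_size=chunk_size)


if __name__ == "__main__":
    import sys
    found, skipped = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel, names in sorted(found.items()):
        print(rel, names)
    for rel in skipped:
        print("UNREADABLE", rel)
```

A rootkit active on the running system can hide files from a scan like this, so it is more reliable when run against the disk from a live CD, as with the Dr Web Live CD scan reported later in the thread.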
Bogtrotter wrote: »Thanks guys
Definitely a headscratcher don't know if it's gonna be worth persevering trying to remove this one... if it was my machine I don't think I could trust it to be malware free and to be honest I've spent too much time on it already.
There is no recovery partition and the owner is away on holidays till next week so I'll have to wait till then to get his recovery CDs. If I have some spare time over the next week I may investigate a little more for my own curiosity.
Interesting both domains registered end of Feb to same individual in Latvia so maybe a bit early in the malware life cycle just add them to your hosts file just in case.
but bogtrotter, you could be the dood who analyses the hack and ritez up the security advisory!
0 -
all browsers?
post the hijackthis log
disable or uninstall superfluous toolbars/browser helper object/FF plugins
empty java cache with ccleaner, applications, java tickbox
disable any proxies in IE/FF connection settings
scan with tdsskiller, kaspersky
failing that, search the contents of every file for those strings
Ok if you really want to see a hijackthis log I'll post it tomorrow but take it from me there's nothing untoward in it.
All toolbars and plugins disabled from the start.
Seem to have got no new malware from firefox since I removed all traces and reinstalled from installer downloaded on a different machine but the underlying malware is still there undetected.
Internet Explorer 8 crashes so is useless and Internet Explorer 9 website, Windows Update website seem to be blocked and time out. Vista Windows Update fails to update with error and combofix immediately blue screen errors.
I'll maybe try some other malware programs tomorrow.
0 -
Just an update guys in case you come across this or are remotely interested.
A bit of a summary of the original symptoms.
Computer has recurring malware problems which seemed at first to be fixed with malwarebytes. Virus checker (Avira) appears to be operating/updating ok but scans find nothing.
On closer inspection Firefox seen to be connecting to at least 2 sites gcoogle.co.uk and unlimitedsearch.co.uk before ending up on www.google.co.uk and Hijackthis shows nothing...
Occasionally popup sites which result in more malware
Internet Explorer 8 crashes and freezes...
Windows Update fails and unable to connect to Windows Update website and IE9 website...
Some webpages from tech help sites like bleepingcomputer get redirected to harmless websites like ebay or yahoo...
Combofix crashes with blue screen error...
TDSSKiller fails to run also...
Rkill doesn't find any processes stopping TDSSkiller or combofix from running
Ok maybe I'm just unlucky but I think the main problem with this is that there are many different things happening and each piece of software only detects some of the problem.
Ran it through lots of different scans but the steps below are those that actually found something.
First was to stop connections to above websites... I assume that the redirects must have been as a result of Firefox profiles or something because complete removal and reinstall of Firefox cured bogus connections and seemed to cure popup pages.
Second... overnight scan using Dr Web Live CD found some problems including malicious java. After running TDSSkiller and combofix able to run.
Third... TDSSKiller scan found and removed rootkit now able to update windows, internet explorer and visit previously redirected webpages.
Finally... combofix removed a few files and registry entries.
I'll hesitate to say that problem is now fixed for a while since each program only found part of the problem it's possible there is still something lurking but so far so good.
Thanks again for the suggestions guys
0 -
Goooo Bogtrotter
well done for gettin' there (tm) 
for reference, do you still have access to the dr web, TDSS and combofix logs ?? I know it's a lot to post, but may be useful reference material for poss future similar infections
just shows it's worth keeping a good arsenal of tools to zap the nasties
......Gettin' There, Wherever There is......
I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple
0 -
Didn't export a log from the Dr Web I'm afraid
Log for TDSS
2011/04/27 09:49:21.0156 3252 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/27 09:49:21.0515 3252 ================================================================================
2011/04/27 09:49:21.0515 3252 SystemInfo:
2011/04/27 09:49:21.0515 3252
2011/04/27 09:49:21.0515 3252 OS Version: 6.0.6002 ServicePack: 2.0
2011/04/27 09:49:21.0515 3252 Product type: Workstation
2011/04/27 09:49:21.0515 3252 ComputerName: LAPTOP-PC
2011/04/27 09:49:21.0515 3252 UserName: Administrator
2011/04/27 09:49:21.0515 3252 Windows directory: C:\Windows
2011/04/27 09:49:21.0515 3252 System windows directory: C:\Windows
2011/04/27 09:49:21.0515 3252 Processor architecture: Intel x86
2011/04/27 09:49:21.0515 3252 Number of processors: 1
2011/04/27 09:49:21.0515 3252 Page size: 0x1000
2011/04/27 09:49:21.0515 3252 Boot type: Normal boot
2011/04/27 09:49:21.0515 3252 ================================================================================
2011/04/27 09:49:22.0357 3252 Initialize success
2011/04/27 09:49:27.0443 3088 ================================================================================
2011/04/27 09:49:27.0443 3088 Scan started
2011/04/27 09:49:27.0443 3088 Mode: Manual;
2011/04/27 09:49:27.0443 3088 ================================================================================
