Need help - suspicious netstat activity?


dpastern
July 1st, 2007, 06:44 AM
Hi guys - new to the forum, was linked via a google search to this post:

http://www.cybertechhelp.com/forums/showthread.php?t=103465

Anyways - several odd things - firstly, I'm on a network, behind a router firewall etc. I'm not the admin of the network. Said network runs McAfee Enterprise 8 anti virus software. My PC runs like a dog (AMD 3000+, 2.5gb RAM, Windows XP pro) and my network connection/Internet connection always seems slower than the rest of the PCs on the network. I don't go to "those" websites (I'm sure you can figure out what I mean), I run the Microsoft anti spyware software on an automated daily scan at 2am, and Spybot once a week. I use both IE 7 and FireFox 2, usually IE though as I prefer it. Windows is patched up to date, and during the install process I installed Windows XP SP1 whilst d/l SP2 via another PC. Whilst setting up XP SP 1, I did not enable networking connectivity, and installed SP2 from CD before enabling it.

I run a bunch of software, the usual stuff, plus my own favourites such as Photoshop CS2, Neat Image, Capture One Pro etc. I can provide a full list of installed applications if you want, just in case it helps. Anyways, when connecting my system back to the network after an initial install of Windows, the anti virus software always has to be manually installed, it never seems to auto install onto my system as it should.

Anyways, here is my netstat file (netstat -ano) for your perusal:


Active Connections

Proto Local Address Foreign Address State PID
TCP MORGOTH:epmap MORGOTH.dia.net.au:0 LISTENING 888
c:\windows\system32\WS2_32.dll
C:\WINDOWS\system32\RPCRT4.dll
c:\windows\system32\rpcss.dll
C:\WINDOWS\system32\svchost.exe
-- unknown component(s) --
[svchost.exe]

TCP MORGOTH:microsoft-ds MORGOTH.dia.net.au:0 LISTENING 4
[System]

TCP MORGOTH:8081 MORGOTH.dia.net.au:0 LISTENING 1920
[FrameworkService.exe]

TCP MORGOTH:netbios-ssn MORGOTH.dia.net.au:0 LISTENING 1020
-- unknown component(s) --
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ADVAPI32.dll
[svchost.exe]

TCP MORGOTH:netbios-ssn MORGOTH.dia.net.au:0 LISTENING 4
[System]

TCP MORGOTH:4828 td-in-f166.google.com:http ESTABLISHED 2600
[iexplore.exe]

TCP MORGOTH:4829 da-in-f104.google.com:http ESTABLISHED 2600
[iexplore.exe]

TCP MORGOTH:4880 a203-111-15-232.deploy.akamaitechnologies.com:http ESTABLISHED 3092
[MsnMsgr.Exe]

TCP MORGOTH:4881 www.games.defencejobs.gov.au:http ESTABLISHED 3092
[MsnMsgr.Exe]

TCP MORGOTH:4887 by1msg2145217.phx.gbl:1863 ESTABLISHED 3092
[MsnMsgr.Exe]

TCP MORGOTH:4888 c.msn.com:http LAST_ACK 3092
[MsnMsgr.Exe]

TCP MORGOTH:4877 65.54.239.20:1863 TIME_WAIT 0
TCP MORGOTH:4885 207.46.26.253:7001 TIME_WAIT 0
TCP MORGOTH:4885 207.46.26.254:7001 TIME_WAIT 0
TCP MORGOTH:4886 65.54.239.20:1863 TIME_WAIT 0
UDP MORGOTH:1027 *:* 1216
C:\WINDOWS\system32\mswsock.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\DNSAPI.dll
c:\windows\system32\dnsrslvr.dll
C:\WINDOWS\system32\RPCRT4.dll
[svchost.exe]

UDP MORGOTH:4500 *:* 668
[lsass.exe]

UDP MORGOTH:8082 *:* 1920
[FrameworkService.exe]

UDP MORGOTH:isakmp *:* 668
[lsass.exe]

UDP MORGOTH:1026 *:* 1216
C:\WINDOWS\system32\mswsock.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\DNSAPI.dll
c:\windows\system32\dnsrslvr.dll
C:\WINDOWS\system32\RPCRT4.dll
[svchost.exe]

UDP MORGOTH:8081 *:* 1920
[FrameworkService.exe]

UDP MORGOTH:1028 *:* 1216
C:\WINDOWS\system32\mswsock.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\DNSAPI.dll
c:\windows\system32\dnsrslvr.dll
C:\WINDOWS\system32\RPCRT4.dll
[svchost.exe]

UDP MORGOTH:1025 *:* 1216
C:\WINDOWS\system32\mswsock.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\DNSAPI.dll
c:\windows\system32\dnsrslvr.dll
C:\WINDOWS\system32\RPCRT4.dll
[svchost.exe]

UDP MORGOTH:microsoft-ds *:* 4
[System]

UDP MORGOTH:4440 *:* 1216
C:\WINDOWS\system32\mswsock.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\DNSAPI.dll
c:\windows\system32\dnsrslvr.dll
C:\WINDOWS\system32\RPCRT4.dll
[svchost.exe]

UDP MORGOTH:3661 *:* 1216
C:\WINDOWS\system32\mswsock.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\DNSAPI.dll
c:\windows\system32\dnsrslvr.dll
C:\WINDOWS\system32\RPCRT4.dll
[svchost.exe]

UDP MORGOTH:4749 *:* 668
[lsass.exe]

UDP MORGOTH:1900 *:* 1316
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP MORGOTH:4752 *:* 2600
[iexplore.exe]

UDP MORGOTH:ntp *:* 1020
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP MORGOTH:4479 *:* 3092
[MsnMsgr.Exe]

UDP MORGOTH:1072 *:* 612
[winlogon.exe]

UDP MORGOTH:ntp *:* 1020
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP MORGOTH:netbios-dgm *:* 1020
-- unknown component(s) --
C:\WINDOWS\system32\RPCRT4.dll
[svchost.exe]

UDP MORGOTH:netbios-ns *:* 1020
-- unknown component(s) --
C:\WINDOWS\system32\RPCRT4.dll
[svchost.exe]

UDP MORGOTH:1900 *:* 1316
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP MORGOTH:netbios-dgm *:* 4
[System]

UDP MORGOTH:discard *:* 3092
[MsnMsgr.Exe]

UDP MORGOTH:netbios-ns *:* 4
[System]

UDP MORGOTH:ntp *:* 1020
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]



You'll note several odd things, several lines where it says:

-- unknown component(s) --

There is also this line:

TCP MORGOTH:4881 www.games.defencejobs.gov.au:http ESTABLISHED 3092
[MsnMsgr.Exe]

Now, I have never been to this site before, and this only shows on an initial netstat on starting up msn messenger live. If I run a 2nd scan, it doesn't show. Odd? The really odd thing is that I had this problem on a previous install of Windows, and it's back again after format/reinstall. Why? I did a google search on this site and only 2 hits, very very odd in my experience.

Furthermore, none of the other PCs on the network have this issue. It doesn't matter whether it's msn v7.6 (the last version before live messenger), or live messenger, it happens with both. It doesn't matter which user account I log into msn messenger on. I haven't tried logging into someone else's PC with my account details - yet. I want to see if it's an account based issue I guess.

Furthermore, since McAfee software is running, I should have the mcshield.exe process listening via netstat in the background, as several other PCs have it. My PC doesn't. I haven't taken this up with the owner of the network yet, I believe that he will not be interested at all and will just say I'm paranoid.

I'm proudly anti American government in my sentiment, and I'm not afraid to speak out against the atrocities that the US government does, in both terms of freedom, and illegal invasions of other countries and I suspect that this has got me now being spied on by government authorities.

I used to run GNU/Linux, which is my preferred operating system, but since I'm a photographer on the side, I need to use Photoshop/Neat Image/Capture One Pro, which don't run under WINE/Cedega/CrossOver office on Linux.

If you want me to provide other files, etc, I'll be happy to.

Any help/suggestions/ideas would be appreciated.

Cheers,

Dave

Archangel122184
July 1st, 2007, 03:05 PM
Go download and run TCPView (http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx) and post the log file here (file/save). This should show us exactly what modules are communicating on which ports. More to the point, we should see what the unknown module is.

dpastern
July 2nd, 2007, 01:28 AM
A clear explanation of the problem you are having

When initially signing into MSN Live messenger I have a established connection to this site:

www.games.defencejobs.gov.au

Why? I've never been there before. It happens ONLY on this computer. None of the other computers on the network have this issue. It doesn't matter which hotmail account I use to sign into MSN Live on my PC, it always has this connection. This connection has been happening for quite some time, I've even reformatted and reinstalled Windows and it's still happening. After a small period of time, the connection is dropped, and is showing as 'discard'. Why?

I haven't been able to test signing into another PC with my own hotmail account to see if it's attached to my actual hotmail account. No one here wants to help me test this, self centred *******s.

Also, these unknown components worry me. They could be legit, but they could be malicious as well.

Windows is NOT my preferred operating system, personally, I find it a pile of ****. GNU/Linux is my preferred platform.

I should test this on my mac actually (PowerMac G4, 1ghz, 10.3.9)!!!

What doesn't work

Everything seems to work, although my Internet connection seems to be more unstable and slower than the rest of the PCs on the network. Also, my PC runs like a dog, Athlon 3000+ (32 bit) and 2.5gb RAM on Windows XP. chkdsk seems fine, and running defrag doesn't help. Put it this way - my system runs slower than my old Athlon 1ghz with 768mb of RAM imho. I've seen explorer.exe running away with 100+ mb of RAM usage, which is NOT normal in my experience.

What does work

Pretty much everything, although there are suspicious things as mentioned above.

What you've tried

Usual stuff - I've actually tried tcpview before, and a host of other tools, including running rootkit detection software. Microsoft anti spyware is set to run automatedly once per day at 2am, I quite often check the results via event viewer. I run Spybot once per week, which comes up with a tiny amount of cookie crap, but nothing serious. I've tried formatting and reinstalling Windows a few months back (mainly due to a dying 80gb hard drive though to be honest). I would like the network admin at home to try running ethereal on my IP address to check data going in and out, but since his main job is being a global IT manager for a medium sized company, he isn't really keen on doing that type of work at home in his own personal time. Plus I don't get on with him at all.

Note: On my previous install, I did notice some odd processes running, but didn't screendump it. By the time I researched the process and found that it was a trojan, the process had quit and subsequent searches on the system directory and registry found nothing. My suspicion is that the system was being monitored and the cracker realised I'd cottoned on, so he/she deleted the offending material so I had no proof. All of this is whilst running the McAfee anti virus software, which I think is a pile of crap, but I'm told I MUST run it if I want to log onto the domain here (it's all automated from the server end anyways). Since I wasn't able to get a screendump of the process, the network admin didn't believe me and implied that I was either seeing things or lying, and that the McAfee software is the best on the market and doesn't make mistakes. He also says that weekly scans from the server end of my system come up clean, although we both know that local anti virus scanners can be modified to report the system as clean and hide trojans/rootkits etc.

I'm in the IT industry myself, with a fair bit of experience in general computing, operating systems, and security. I'm quite competent in Windows, GNU/Linux and OS 9/OS X.

A description of your network

Internal Class C network. Modem router takes the ADSL connection, routes it via a Cisco router to the rest of the network. 2 servers, one running exchange and some other stuff, the other one is primarily a backup PDC. 4 normal workstations on the network, including mine. Modem only accepts necessary ports on incoming/outgoing connections, things like sftp, ssh etc are turned off.

Whether its dialup, cable, dsl,...

ADSL 1500/256 connection (crappy ISP connection, but the owner/network admin loves it because of the huge download limit - 80gb per month). I basically browse the web, that's it.

Make and model of your modem

Dlink DSL-G604T

Whether you have a router (If you do then include the what make & model)

Cisco 831

Do you have multiple PCs networked

Yes.

Is it wireless or not (If wireless include the make & model of the wireless adapter)

Modem is wireless, but my PC is not. Standard Ethernet connection.

Are you using Internet Connection Sharing (ICS)

No.

The OS(s) you are using

Windows XP SP 2 (all updates)

Here are the results from the tcpview scan by the way:

FrameworkService.exe:1920 TCP MORGOTH:8081 MORGOTH:0 LISTENING
FrameworkService.exe:1920 UDP MORGOTH:8082 *:*
FrameworkService.exe:1920 UDP MORGOTH:8081 *:*
iexplore.exe:4008 UDP MORGOTH:3405 *:*
lsass.exe:668 UDP MORGOTH:4500 *:*
lsass.exe:668 UDP MORGOTH:isakmp *:*
lsass.exe:668 UDP MORGOTH:4749 *:*
msnmsgr.exe:3092 TCP morgoth.dia.net.au:3235 by1msg2145208.phx.gbl:1863 ESTABLISHED
msnmsgr.exe:3092 UDP MORGOTH:4479 *:*
msnmsgr.exe:3092 UDP morgoth.dia.net.au:discard *:*
svchost.exe:1020 TCP morgoth:netbios-ssn MORGOTH:0 LISTENING
svchost.exe:1020 UDP MORGOTH:ntp *:*
svchost.exe:1020 UDP morgoth:netbios-dgm *:*
svchost.exe:1020 UDP morgoth:ntp *:*
svchost.exe:1020 UDP morgoth:netbios-ns *:*
svchost.exe:1020 UDP morgoth.dia.net.au:ntp *:*
svchost.exe:1020 UDP MORGOTH:bootpc *:*
svchost.exe:1216 UDP MORGOTH:3661 *:*
svchost.exe:1216 UDP MORGOTH:1027 *:*
svchost.exe:1216 UDP MORGOTH:1026 *:*
svchost.exe:1216 UDP MORGOTH:1028 *:*
svchost.exe:1216 UDP MORGOTH:1025 *:*
svchost.exe:1216 UDP MORGOTH:4440 *:*
svchost.exe:1316 UDP MORGOTH:1900 *:*
svchost.exe:1316 UDP morgoth.dia.net.au:1900 *:*
svchost.exe:888 TCP MORGOTH:epmap MORGOTH:0 LISTENING
System:4 TCP MORGOTH:microsoft-ds MORGOTH:0 LISTENING
System:4 TCP morgoth.dia.net.au:netbios-ssn MORGOTH:0 LISTENING
System:4 TCP morgoth.dia.net.au:3370 isis.dia.net.au:microsoft-ds ESTABLISHED
System:4 UDP MORGOTH:microsoft-ds *:*
System:4 UDP morgoth.dia.net.au:netbios-ns *:*
System:4 UDP morgoth.dia.net.au:netbios-dgm *:*
winlogon.exe:612 UDP MORGOTH:1072 *:*


That was just running it after MSN Live messenger has been running overnight. I logged out, and logged back in, and these are the results:

[System Process]:0 TCP morgoth.dia.net.au:3510 horus.dia.net.au:8000 TIME_WAIT
[System Process]:0 TCP morgoth.dia.net.au:3514 horus.dia.net.au:8000 TIME_WAIT
[System Process]:0 TCP morgoth.dia.net.au:3516 65.54.239.20:1863 TIME_WAIT
[System Process]:0 TCP morgoth.dia.net.au:3523 207.46.26.254:7001 TIME_WAIT
[System Process]:0 TCP morgoth.dia.net.au:3523 207.46.26.253:7001 TIME_WAIT
FrameworkService.exe:1920 TCP MORGOTH:8081 MORGOTH:0 LISTENING
FrameworkService.exe:1920 UDP MORGOTH:8082 *:*
FrameworkService.exe:1920 UDP MORGOTH:8081 *:*
iexplore.exe:4008 TCP morgoth.dia.net.au:3507 po-in-f165.google.com:http ESTABLISHED
iexplore.exe:4008 TCP morgoth.dia.net.au:3509 da-in-f104.google.com:http ESTABLISHED
iexplore.exe:4008 UDP MORGOTH:3405 *:*
lsass.exe:668 UDP MORGOTH:4500 *:*
lsass.exe:668 UDP MORGOTH:isakmp *:*
lsass.exe:668 UDP MORGOTH:4749 *:*
msnmsgr.exe:3092 UDP MORGOTH:4479 *:*
msnmsgr.exe:3092 TCP morgoth.dia.net.au:3517 by1msg2175315.phx.gbl:1863 ESTABLISHED
msnmsgr.exe:3092 TCP morgoth.dia.net.au:3519 www.games.defencejobs.gov.au:http ESTABLISHED
msnmsgr.exe:3092 UDP morgoth.dia.net.au:discard *:*
svchost.exe:1020 TCP morgoth:netbios-ssn MORGOTH:0 LISTENING
svchost.exe:1020 UDP MORGOTH:ntp *:*
svchost.exe:1020 UDP morgoth:netbios-dgm *:*
svchost.exe:1020 UDP morgoth:ntp *:*
svchost.exe:1020 UDP morgoth:netbios-ns *:*
svchost.exe:1020 UDP morgoth.dia.net.au:ntp *:*
svchost.exe:1216 UDP MORGOTH:3661 *:*
svchost.exe:1216 UDP MORGOTH:1027 *:*
svchost.exe:1216 UDP MORGOTH:1026 *:*
svchost.exe:1216 UDP MORGOTH:1028 *:*
svchost.exe:1216 UDP MORGOTH:1025 *:*
svchost.exe:1216 UDP MORGOTH:4440 *:*
svchost.exe:1316 UDP MORGOTH:1900 *:*
svchost.exe:1316 UDP morgoth.dia.net.au:1900 *:*
svchost.exe:888 TCP MORGOTH:epmap MORGOTH:0 LISTENING
System:4 TCP MORGOTH:microsoft-ds MORGOTH:0 LISTENING
System:4 TCP morgoth.dia.net.au:netbios-ssn MORGOTH:0 LISTENING
System:4 UDP MORGOTH:microsoft-ds *:*
System:4 UDP morgoth.dia.net.au:netbios-ns *:*
System:4 UDP morgoth.dia.net.au:netbios-dgm *:*
winlogon.exe:612 UDP MORGOTH:1072 *:*


Note the extra entry for the games.defence.gov.au site. I didn't realise that the UNIX utility DIFF had a Windows variant, but just found it and installed it and ran DIFF on the 2 tcpview files, here are the results:

1c1,6
< FrameworkService.exe:1920 TCP MORGOTH:8081 MORGOTH:0 LISTENING
---
> [System Process]:0 TCP morgoth.dia.net.au:3510 horus.dia.net.au:8000 TIME_WAIT
> [System Process]:0 TCP morgoth.dia.net.au:3514 horus.dia.net.au:8000 TIME_WAIT
> [System Process]:0 TCP morgoth.dia.net.au:3516 65.54.239.20:1863 TIME_WAIT
> [System Process]:0 TCP morgoth.dia.net.au:3523 207.46.26.254:7001 TIME_WAIT
> [System Process]:0 TCP morgoth.dia.net.au:3523 207.46.26.253:7001 TIME_WAIT
> FrameworkService.exe:1920 TCP MORGOTH:8081 MORGOTH:0 LISTENING
3a9,10
> iexplore.exe:4008 TCP morgoth.dia.net.au:3507 po-in-f165.google.com:http ESTABLISHED
> iexplore.exe:4008 TCP morgoth.dia.net.au:3509 da-in-f104.google.com:http ESTABLISHED
8d14
< msnmsgr.exe:3092 TCP morgoth.dia.net.au:3235 by1msg2145208.phx.gbl:1863 ESTABLISHED
9a16,17
> msnmsgr.exe:3092 TCP morgoth.dia.net.au:3517 by1msg2175315.phx.gbl:1863 ESTABLISHED
> msnmsgr.exe:3092 TCP morgoth.dia.net.au:3519 www.games.defencejobs.gov.au:http ESTABLISHED
11c19
< svchost.exe:1020 TCP morgoth:netbios-ssn MORGOTH:0 LISTENING
---
> svchost.exe:1020 TCP morgoth:netbios-ssn MORGOTH:0 LISTENING
17d24
< svchost.exe:1020 UDP MORGOTH:bootpc *:*
26,29c33,35
< svchost.exe:888 TCP MORGOTH:epmap MORGOTH:0 LISTENING
< System:4 TCP MORGOTH:microsoft-ds MORGOTH:0 LISTENING
< System:4 TCP morgoth.dia.net.au:netbios-ssn MORGOTH:0 LISTENING
< System:4 TCP morgoth.dia.net.au:3370 isis.dia.net.au:microsoft-ds ESTABLISHED
---
> svchost.exe:888 TCP MORGOTH:epmap MORGOTH:0 LISTENING
> System:4 TCP MORGOTH:microsoft-ds MORGOTH:0 LISTENING
> System:4 TCP morgoth.dia.net.au:netbios-ssn MORGOTH:0 LISTENING


What do you have for an IP address?

Windows IP Configuration


Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . : dia.net.au
IP Address. . . . . . . . . . . . : 192.168.181.104
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.181.254

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Autoconfiguration IP Address. . . : 169.254.209.192
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :

What is your default gateway?

192.168.181.254

Can you ping your default gateway?

Yes :)

Thanks for any assistance that you can provide.

Dave
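An added example, not part of the original posts: the line-based diff above reports lines that differ only in spacing and treats every new local port as a change. This sketch parses the saved TCPView format shown in the post and compares the two captures by (process, remote host, remote port) instead. The function names are hypothetical, and the sample lines are excerpted from the two captures above with extra spaces added to one line.

```python
import re
from collections import namedtuple

Conn = namedtuple("Conn", "process pid proto local remote state")

# Saved TCPView line as posted in the thread:
#   process:pid  proto  local  remote  [state]
LINE_RE = re.compile(
    r"^(?P<process>.+?):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?$"
)

def parse_snapshot(text):
    """Parse saved TCPView text; whitespace and hostname case are normalised."""
    conns = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            conns.append(Conn(m["process"].lower(), int(m["pid"]), m["proto"],
                              m["local"].lower(), m["remote"].lower(),
                              m["state"] or ""))
    return conns

def remote_peers(conns):
    """(process, host, port) for every TCP socket that has or had a remote peer.

    The local ephemeral port is dropped so a reconnect to the same peer is not
    reported as a change; listeners and UDP binds have no peer and are skipped.
    """
    peers = set()
    for c in conns:
        if c.proto != "TCP" or c.state == "LISTENING":
            continue
        host, _, port = c.remote.rpartition(":")
        peers.add((c.process, host, port))
    return peers

def diff_peers(before_text, after_text):
    """Return (new, gone) peer lists between two captures."""
    before = remote_peers(parse_snapshot(before_text))
    after = remote_peers(parse_snapshot(after_text))
    return sorted(after - before), sorted(before - after)

# Sample input: lines excerpted from the two captures posted above
# (extra spaces in the svchost line of BEFORE are constructed).
BEFORE = """\
FrameworkService.exe:1920 TCP MORGOTH:8081 MORGOTH:0 LISTENING
msnmsgr.exe:3092 TCP morgoth.dia.net.au:3235 by1msg2145208.phx.gbl:1863 ESTABLISHED
svchost.exe:1020   TCP morgoth:netbios-ssn MORGOTH:0 LISTENING
System:4 TCP morgoth.dia.net.au:3370 isis.dia.net.au:microsoft-ds ESTABLISHED
"""
AFTER = """\
[System Process]:0 TCP morgoth.dia.net.au:3516 65.54.239.20:1863 TIME_WAIT
FrameworkService.exe:1920 TCP MORGOTH:8081 MORGOTH:0 LISTENING
msnmsgr.exe:3092 TCP morgoth.dia.net.au:3517 by1msg2175315.phx.gbl:1863 ESTABLISHED
msnmsgr.exe:3092 TCP morgoth.dia.net.au:3519 www.games.defencejobs.gov.au:http ESTABLISHED
svchost.exe:1020 TCP morgoth:netbios-ssn MORGOTH:0 LISTENING
"""

if __name__ == "__main__":
    new, gone = diff_peers(BEFORE, AFTER)
    for label, rows in (("new", new), ("gone", gone)):
        for process, host, port in rows:
            print(f"{label:4} {process:20} -> {host}:{port}")
```

The listener lines drop out of the comparison entirely, so only sockets with a remote peer are reported as new or gone.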

Archangel122184
July 2nd, 2007, 12:13 PM
To answer your question about www.games.defencejobs.gov.au. The msn messenger is programmed to download and connect to addresses for services. In this case it would seem the Australian government is paying to have its games advertised and played through MSN.

I'm not seeing any questionable connections. All of the ports look standard for their services. You have a few options to consider: your hardware is just slower, you don't have enough ram/large enough page file, or you have malware taking up cycles on your computer. If you are sure it isn't the first or second, head over to cyber security and post your concerns there. We aren't allowed to deal with hjt logs etc here.

dpastern
July 2nd, 2007, 01:06 PM
Why don't the other msn connections (2 PCs on this network, and a friend's MSN connection) show www.games.defencejobs.gov.au? The bottom section of MSN messenger is where the ads are, but there's never a defence force advert there. And, even if it's an advert, it should NEVER show as an established connection in my experience.

It still doesn't explain why and what the unknown components are (even using tcpview). Of course, even more worrying from my perspective is that mcshield.exe isn't running in the background like it is with the other PCs on this network. I know that's something I should take up with the network admin, but I'm not going to hold my breath.

As to performance, an Athlon 3ghz should surely run quicker than an Athlon 1ghz ;) 2.5 GB RAM is more than most people run, and the page file is set to let Windows XP handle it. Studying the performance utility doesn't show me running out of steam (RAM).

I'll fire the Mac up and see what happens via netstat. I find it very odd that only my Windows XP PC shows that address, and the others don't (and I presume that the Mac won't either). I'll probably uninstall MSN Live and install AMSN, it works, works well and doesn't come with junk. That should potentially fix this 'advertising'.

I'm tempted to blow this install away and reinstall Debian GNU/Linux back on the hardware and just run Windows via VMWare.

Thanks for your help.

Dave

Archangel122184
July 2nd, 2007, 01:57 PM
MSN is very dynamic in its advertising and differs by installed version and proximity to specific networks.

If you want to see the unknown components/verify your services you can download Autoruns (http://www.microsoft.com/technet/sysinternals/SystemInformation/Autoruns.mspx).

When you run the program go to options and validate the file signatures. You can look at the modules individually and with signature validation on you can quickly remove drivers that aren't from the company they say they are or drivers from companies you don't wish. A word of warning, this tool can be very dangerous as it will allow you to prevent windows from loading any of the system drivers/services so be very careful. If you like, you can post your log and I'll take a look for anything that would affect your network.