
Recurring infected \Windows\System32\str.sys


yucunn


Hi,

MalwareBytes Pro detects \Windows\System32\str.sys and c:\Windows\SysWOW64\drivers\str.sys as infected. After removing them, I restart our PC and scan again; MalwareBytes Pro still detects these two files as infected. This is very similar to topic #28898. I have attached attach.txt created by DDS. Do I have to run ComboFix?

Additional information:

1. OS is Windows 7 Home Premium.

2. Registry keys and values might not be correctly set up because they were removed after the infections.

3. Microsoft software updates crashed our PC again, so I have currently stopped running Auto Updates. The number of pending updates is over 100.

Thank you for your help.

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 8.0.7600.16385

Run by Keiko at 15:14:06 on 2011-10-16

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.6135.4702 [GMT -4:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\atieclxx.exe

C:\Program Files\Dell\DellDock\DockLogin.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Windows\system32\mfevtps.exe

C:\Windows\system32\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\TEMP\DAT893B.tmp.exe

C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskhost.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Windows\Explorer.EXE

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

E:\Program Files (x86)\MalwareBytes\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files (x86)\Java\jre6\bin\jusched.exe

C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe

C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

E:\Program Files (x86)\MalwareBytes\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\SysWOW64\ping.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\system32\conhost.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE

C:\Windows\splwow64.exe

C:\Program Files\Common Files\McAfee\Core\mchost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\SysWOW64\NOTEPAD.EXE

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll

mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll

mWinlogon: Userinit=userinit.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20111014064311.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll

BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll

TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"

mRun: [startCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [shwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m

mRun: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

mRun: [Malwarebytes' Anti-Malware] "E:\Program Files (x86)\MalwareBytes\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{96C68491-1EEE-47B2-AE04-DC8F92540262} : DhcpNameServer = 192.168.1.1

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\McAfee\MSC\McSnIePl.dll

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

BHO-X64: Search Helper - No File

BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20111014064311.dll

BHO-X64: scriptproxy - No File

BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll

BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll

BHO-X64: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll

BHO-X64: uTorrentBar - No File

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO-X64: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll

TB-X64: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll

TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll

TB-X64: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll

TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"

mRun-x64: [startCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun-x64: [shwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe

mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun-x64: [Dell DataSafe Online] "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m

mRun-x64: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

mRun-x64: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

mRun-x64: [Malwarebytes' Anti-Malware] "E:\Program Files (x86)\MalwareBytes\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]

R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]

R1 mfenlfk;McAfee NDIS Light Filter;C:\Windows\system32\DRIVERS\mfenlfk.sys --> C:\Windows\system32\DRIVERS\mfenlfk.sys [?]

R1 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\system32\drivers\mfewfpk.sys --> C:\Windows\system32\drivers\mfewfpk.sys [?]

R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2009-12-15 92160]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]

R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2010-1-11 155648]

R2 MBAMService;MBAMService;E:\Program Files (x86)\MalwareBytes\Malwarebytes' Anti-Malware\mbamservice.exe [2011-10-16 366152]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-10-14 249936]

R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-10-14 249936]

R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-10-14 249936]

R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-10-14 249936]

R2 McShield;McAfee McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2011-10-14 199008]

R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [2011-10-14 208272]

R2 mfevtp;McAfee Validation Trust Protection Service;"C:\Windows\system32\mfevtps.exe" --> C:\Windows\system32\mfevtps.exe [?]

R3 cfwids;McAfee Inc. cfwids;C:\Windows\system32\drivers\cfwids.sys --> C:\Windows\system32\drivers\cfwids.sys [?]

R3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]

R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]

R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]

R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\system32\drivers\mfefirek.sys --> C:\Windows\system32\drivers\mfefirek.sys [?]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-10-14 136176]

S2 rbxnejwurbrocln;rbxnejwurbrocln;C:\Windows\Temp\DAT893B.tmp.exe [2011-10-14 38400]

S2 SessionLauncher;SessionLauncher;c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe --> c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [?]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-10-14 136176]

S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]

S3 RoxMediaDB10;RoxMediaDB10;C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCom\RoxMediaDB10.exe [2009-6-26 1124848]

.

=============== Created Last 30 ================

.

2011-10-16 18:55:30 709968 ----a-w- C:\Windows\isRS-000.tmp

2011-10-15 15:28:53 4261901 ----a-w- C:\Users\Keiko\Combo-Fix.exe

2011-10-14 20:28:49 -------- d-----w- C:\ProgramData\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}

2011-10-14 20:14:17 -------- d-----w- C:\Windows\pss

2011-10-14 19:48:38 -------- d-----w- C:\Users\Keiko\AppData\Roaming\Hyugez

2011-10-14 19:48:38 -------- d-----w- C:\Users\Keiko\AppData\Roaming\Eteg

2011-10-14 19:48:37 -------- d-----w- C:\Users\Keiko\AppData\Roaming\Ilja

2011-10-14 19:48:37 -------- d-----w- C:\Users\Keiko\AppData\Roaming\Idumob

2011-10-14 18:17:59 -------- d-----w- C:\Users\Keiko\AppData\Roaming\Kuidol

2011-10-14 18:17:59 -------- d-----w- C:\Users\Keiko\AppData\Roaming\Duep

2011-10-14 18:17:21 125440 ----a-w- C:\Windows\SysWow64\0.09325577088274817.exe

2011-10-14 18:17:10 8 ------w- C:\Windows\SysWow64\drivers\str.sys

2011-10-14 17:22:41 7680 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll

2011-10-14 17:22:41 7680 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll

2011-10-14 16:39:25 -------- d-----w- C:\Windows\SysWow64\Wat

2011-10-14 16:39:24 -------- d-----w- C:\Windows\System32\Wat

2011-10-14 14:54:44 -------- dc-h--w- C:\ProgramData\{CBCE2F73-24E4-481F-84B2-1A5EB720D187}

2011-10-14 14:34:24 -------- d-----w- C:\Program Files\CCleaner

2011-10-14 13:30:10 -------- d-----w- C:\Users\Keiko\AppData\Local\ElevatedDiagnostics

2011-10-14 11:28:04 -------- d-----w- C:\Users\Keiko\AppData\Local\PackageAware

2011-10-14 10:52:06 -------- d-----w- C:\Program Files (x86)\Conduit

2011-10-14 10:52:06 -------- d-----w- C:\extensions

2011-10-14 10:52:05 -------- d-----w- C:\Users\Keiko\AppData\Local\Conduit

2011-10-14 10:43:37 -------- d-----w- C:\Program Files (x86)\McAfee.com

2011-10-14 10:43:06 9984 ----a-w- C:\Windows\System32\drivers\mfeclnk.sys

2011-10-14 10:41:57 75672 ----a-w- C:\Windows\System32\drivers\mfenlfk.sys

2011-10-14 10:41:57 65128 ----a-w- C:\Windows\System32\drivers\cfwids.sys

2011-10-14 10:41:57 481504 ----a-w- C:\Windows\System32\drivers\mfefirek.sys

2011-10-14 10:41:57 283744 ----a-w- C:\Windows\System32\drivers\mfewfpk.sys

2011-10-14 10:41:57 228752 ----a-w- C:\Windows\System32\drivers\mfeavfk.sys

2011-10-14 10:41:57 100904 ----a-w- C:\Windows\System32\drivers\mferkdet.sys

2011-10-14 10:29:18 158832 ----a-w- C:\Windows\System32\mfevtps.exe

2011-10-14 09:49:00 -------- d-----we C:\Windows\system64

2011-10-14 09:30:44 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-10-14 08:55:58 -------- d-----w- C:\Program Files (x86)\MSXML 4.0

2011-10-13 01:58:11 -------- d-----w- C:\Program Files\McAfee.com

2011-10-12 22:42:33 -------- d-----w- C:\Users\Keiko\AppData\Local\Deployment

2011-10-12 22:42:33 -------- d-----w- C:\Users\Keiko\AppData\Local\Apps

2011-10-12 22:01:50 -------- d-----w- C:\Users\Keiko\AppData\Roaming\Malwarebytes

2011-10-12 22:01:50 -------- d-----w- C:\ProgramData\Malwarebytes

2011-10-12 21:55:45 -------- d-----w- C:\Users\Keiko\AppData\Local\Diagnostics

2011-10-12 21:34:09 -------- d-----w- C:\Users\Keiko\AppData\Local\uTorrent

2011-10-12 21:30:41 -------- d-----w- C:\Users\Keiko\AppData\Local\Google

2011-10-12 21:30:39 -------- d-----w- C:\Program Files (x86)\uTorrentBar

2011-10-12 21:29:27 -------- d-----w- C:\Users\Keiko\AppData\Roaming\uTorrent

2011-10-12 21:04:20 -------- d-----w- C:\Users\Keiko\AppData\Roaming\Remote

2011-10-12 20:44:33 -------- d-----w- C:\Users\Keiko\AppData\Roaming\Dell

2011-10-12 20:44:31 -------- d-----w- C:\Users\Keiko\AppData\Local\DataSafeOnline

2011-10-12 20:44:09 -------- d-----w- C:\Users\Keiko\AppData\Local\Stardock_Corporation

2011-10-12 20:44:08 -------- d-----w- C:\Users\Keiko\AppData\Local\ATI

.

==================== Find3M ====================

.

2011-10-01 03:21:20 1638912 ----a-w- C:\Windows\System32\mshtml.tlb

2011-10-01 02:59:14 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2011-08-20 05:45:20 1197568 ----a-w- C:\Windows\System32\wininet.dll

2011-08-20 05:41:16 57856 ----a-w- C:\Windows\System32\licmgr10.dll

2011-08-20 04:38:10 981504 ----a-w- C:\Windows\SysWow64\wininet.dll

2011-08-20 04:35:20 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll

2011-08-20 04:20:23 482816 ----a-w- C:\Windows\System32\html.iec

2011-08-20 03:26:38 386048 ----a-w- C:\Windows\SysWow64\html.iec

2011-08-15 14:00:06 642824 ----a-w- C:\Windows\System32\drivers\mfehidk.sys

2011-08-15 14:00:06 158584 ----a-w- C:\Windows\System32\drivers\mfeapfk.sys

.

============= FINISH: 15:14:31.20 ===============


Hello and welcome!

Let's first also do a rootkit scan here.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users: right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Hi Elise,

Thank you for your reply. I followed the steps you wrote and got the log file.

15:40:50.0264 9164 TDSS rootkit removing tool 2.6.10.0 Oct 17 2011 15:43:23

15:40:50.0779 9164 ============================================================

15:40:50.0779 9164 Current date / time: 2011/10/17 15:40:50.0779

15:40:50.0779 9164 SystemInfo:

15:40:50.0779 9164

15:40:50.0779 9164 OS Version: 6.1.7600 ServicePack: 0.0

15:40:50.0779 9164 Product type: Workstation

15:40:50.0779 9164 ComputerName: KT-PC

15:40:50.0779 9164 UserName: Keiko

15:40:50.0779 9164 Windows directory: C:\Windows

15:40:50.0779 9164 System windows directory: C:\Windows

15:40:50.0779 9164 Running under WOW64

15:40:50.0779 9164 Processor architecture: Intel x64

15:40:50.0779 9164 Number of processors: 4

15:40:50.0779 9164 Page size: 0x1000

15:40:50.0779 9164 Boot type: Normal boot

15:40:50.0779 9164 ============================================================

15:40:51.0731 9164 Initialize success

15:40:53.0478 10852 ============================================================

15:40:53.0478 10852 Scan started

15:40:53.0478 10852 Mode: Manual;

15:40:53.0478 10852 ============================================================


15:40:56.0941 10852 iScsiPrt - ok

15:40:56.0957 10852 k57nd60a (249ee2d26cb1530f3bede0ac8b9e3099) C:\Windows\system32\DRIVERS\k57nd60a.sys

15:40:56.0988 10852 k57nd60a - ok

15:40:57.0019 10852 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\DRIVERS\kbdclass.sys

15:40:57.0019 10852 kbdclass - ok

15:40:57.0035 10852 kbdhid (6def98f8541e1b5dceb2c822a11f7323) C:\Windows\system32\DRIVERS\kbdhid.sys

15:40:57.0035 10852 kbdhid - ok

15:40:57.0066 10852 KSecDD (e8b6fcc9c83535c67f835d407620bd27) C:\Windows\system32\Drivers\ksecdd.sys

15:40:57.0066 10852 KSecDD - ok

15:40:57.0081 10852 KSecPkg (bbe1bf6d9b661c354d4857d5fadb943b) C:\Windows\system32\Drivers\ksecpkg.sys

15:40:57.0081 10852 KSecPkg - ok

15:40:57.0097 10852 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys

15:40:57.0097 10852 ksthunk - ok

15:40:57.0113 10852 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys

15:40:57.0113 10852 lltdio - ok

15:40:57.0128 10852 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\DRIVERS\lsi_fc.sys

15:40:57.0128 10852 LSI_FC - ok

15:40:57.0128 10852 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\DRIVERS\lsi_sas.sys

15:40:57.0144 10852 LSI_SAS - ok

15:40:57.0144 10852 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\DRIVERS\lsi_sas2.sys

15:40:57.0144 10852 LSI_SAS2 - ok

15:40:57.0159 10852 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\DRIVERS\lsi_scsi.sys

15:40:57.0159 10852 LSI_SCSI - ok

15:40:57.0175 10852 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys

15:40:57.0175 10852 luafv - ok

15:40:57.0222 10852 MBAMProtector (23a854450dab5c9b7a42ab9be6f2e4bd) C:\Windows\system32\drivers\mbam.sys

15:40:57.0253 10852 MBAMProtector - ok

15:40:57.0300 10852 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\DRIVERS\megasas.sys

15:40:57.0300 10852 megasas - ok

15:40:57.0315 10852 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\DRIVERS\MegaSR.sys

15:40:57.0315 10852 MegaSR - ok

15:40:57.0331 10852 mfeapfk (eac376dd77ec9e95d38108a27c261dca) C:\Windows\system32\drivers\mfeapfk.sys

15:40:57.0378 10852 mfeapfk - ok

15:40:57.0393 10852 mfeavfk (f55f50b11d635658f346db0457bb2b79) C:\Windows\system32\drivers\mfeavfk.sys

15:40:57.0440 10852 mfeavfk - ok

15:40:57.0456 10852 mfeavfk01 - ok

15:40:57.0487 10852 mfefirek (33b8e35c5839a83d6700aab3e464553b) C:\Windows\system32\drivers\mfefirek.sys

15:40:57.0518 10852 mfefirek - ok

15:40:57.0534 10852 mfehidk (ada8c105c8f9a61284c75157c170585b) C:\Windows\system32\drivers\mfehidk.sys

15:40:57.0581 10852 mfehidk - ok

15:40:57.0627 10852 mfenlfk (c52ee6d1e1e5a69c989acc478051964e) C:\Windows\system32\DRIVERS\mfenlfk.sys

15:40:57.0659 10852 mfenlfk - ok

15:40:57.0674 10852 mferkdet (b000720e19ef733f938a6269d630f5dd) C:\Windows\system32\drivers\mferkdet.sys

15:40:57.0721 10852 mferkdet - ok

15:40:57.0737 10852 mfewfpk (62717ab68b38efee54678b85e19b0538) C:\Windows\system32\drivers\mfewfpk.sys

15:40:57.0783 10852 mfewfpk - ok

15:40:57.0815 10852 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys

15:40:57.0815 10852 Modem - ok

15:40:57.0846 10852 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys

15:40:57.0846 10852 monitor - ok

15:40:57.0861 10852 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys

15:40:57.0861 10852 mouclass - ok

15:40:57.0877 10852 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys

15:40:57.0877 10852 mouhid - ok

15:40:57.0877 10852 mountmgr (791af66c4d0e7c90a3646066386fb571) C:\Windows\system32\drivers\mountmgr.sys

15:40:57.0877 10852 mountmgr - ok

15:40:57.0908 10852 mpio (609d1d87649ecc19796f4d76d4c15cea) C:\Windows\system32\DRIVERS\mpio.sys

15:40:57.0908 10852 mpio - ok

15:40:57.0908 10852 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys

15:40:57.0908 10852 mpsdrv - ok

15:40:57.0924 10852 MRxDAV (30524261bb51d96d6fcbac20c810183c) C:\Windows\system32\drivers\mrxdav.sys

15:40:57.0939 10852 MRxDAV - ok

15:40:57.0955 10852 mrxsmb (cfdcd8ca87c2a657debc150ac35b5e08) C:\Windows\system32\DRIVERS\mrxsmb.sys

15:40:57.0955 10852 mrxsmb - ok

15:40:57.0971 10852 mrxsmb10 (1bee517b220b7f024f411aec1571dd5a) C:\Windows\system32\DRIVERS\mrxsmb10.sys

15:40:57.0971 10852 mrxsmb10 - ok

15:40:57.0986 10852 mrxsmb20 (6b2d5fef385828b6e485c1c90afb8195) C:\Windows\system32\DRIVERS\mrxsmb20.sys

15:40:57.0986 10852 mrxsmb20 - ok

15:40:58.0002 10852 msahci (5c37497276e3b3a5488b23a326a754b7) C:\Windows\system32\DRIVERS\msahci.sys

15:40:58.0002 10852 msahci - ok

15:40:58.0017 10852 msdsm (8d27b597229aed79430fb9db3bcbfbd0) C:\Windows\system32\DRIVERS\msdsm.sys

15:40:58.0017 10852 msdsm - ok

15:40:58.0033 10852 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys

15:40:58.0033 10852 Msfs - ok

15:40:58.0049 10852 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys

15:40:58.0049 10852 mshidkmdf - ok

15:40:58.0064 10852 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\DRIVERS\msisadrv.sys

15:40:58.0064 10852 msisadrv - ok

15:40:58.0080 10852 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys

15:40:58.0080 10852 MSKSSRV - ok

15:40:58.0080 10852 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys

15:40:58.0095 10852 MSPCLOCK - ok

15:40:58.0095 10852 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys

15:40:58.0095 10852 MSPQM - ok

15:40:58.0111 10852 MsRPC (89cb141aa8616d8c6a4610fa26c60964) C:\Windows\system32\drivers\MsRPC.sys

15:40:58.0127 10852 MsRPC - ok

15:40:58.0127 10852 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\DRIVERS\mssmbios.sys

15:40:58.0127 10852 mssmbios - ok

15:40:58.0142 10852 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys

15:40:58.0142 10852 MSTEE - ok

15:40:58.0158 10852 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys

15:40:58.0158 10852 MTConfig - ok

15:40:58.0173 10852 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys

15:40:58.0173 10852 Mup - ok

15:40:58.0205 10852 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys

15:40:58.0205 10852 NativeWifiP - ok

15:40:58.0236 10852 NDIS (cad515dbd07d082bb317d9928ce8962c) C:\Windows\system32\drivers\ndis.sys

15:40:58.0236 10852 NDIS - ok

15:40:58.0251 10852 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys

15:40:58.0251 10852 NdisCap - ok

15:40:58.0251 10852 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys

15:40:58.0251 10852 NdisTapi - ok

15:40:58.0283 10852 Ndisuio (f105ba1e22bf1f2ee8f005d4305e4bec) C:\Windows\system32\DRIVERS\ndisuio.sys

15:40:58.0283 10852 Ndisuio - ok

15:40:58.0283 10852 NdisWan (557dfab9ca1fcb036ac77564c010dad3) C:\Windows\system32\DRIVERS\ndiswan.sys

15:40:58.0298 10852 NdisWan - ok

15:40:58.0298 10852 NDProxy (659b74fb74b86228d6338d643cd3e3cf) C:\Windows\system32\drivers\NDProxy.sys

15:40:58.0298 10852 NDProxy - ok

15:40:58.0314 10852 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys

15:40:58.0314 10852 NetBIOS - ok

15:40:58.0329 10852 NetBT (9162b273a44ab9dce5b44362731d062a) C:\Windows\system32\DRIVERS\netbt.sys

15:40:58.0329 10852 NetBT - ok

15:40:58.0361 10852 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys

15:40:58.0361 10852 nfrd960 - ok

15:40:58.0361 10852 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys

15:40:58.0361 10852 Npfs - ok

15:40:58.0376 10852 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys

15:40:58.0376 10852 nsiproxy - ok

15:40:58.0407 10852 Ntfs (356698a13c4630d5b31c37378d469196) C:\Windows\system32\drivers\Ntfs.sys

15:40:58.0423 10852 Ntfs - ok

15:40:58.0439 10852 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys

15:40:58.0439 10852 Null - ok

15:40:58.0470 10852 nvraid (3e38712941e9bb4ddbee00affe3fed3d) C:\Windows\system32\DRIVERS\nvraid.sys

15:40:58.0485 10852 nvraid - ok

15:40:58.0485 10852 nvstor (477dc4d6deb99be37084c9ac6d013da1) C:\Windows\system32\DRIVERS\nvstor.sys

15:40:58.0501 10852 nvstor - ok

15:40:58.0501 10852 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\DRIVERS\nv_agp.sys

15:40:58.0517 10852 nv_agp - ok

15:40:58.0548 10852 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\DRIVERS\ohci1394.sys

15:40:58.0548 10852 ohci1394 - ok

15:40:58.0563 10852 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\DRIVERS\parport.sys

15:40:58.0563 10852 Parport - ok

15:40:58.0563 10852 partmgr (7daa117143316c4a1537e074a5a9eaf0) C:\Windows\system32\drivers\partmgr.sys

15:40:58.0563 10852 partmgr - ok

15:40:58.0579 10852 pci (f36f6504009f2fb0dfd1b17a116ad74b) C:\Windows\system32\DRIVERS\pci.sys

15:40:58.0579 10852 pci - ok

15:40:58.0579 10852 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\DRIVERS\pciide.sys

15:40:58.0595 10852 pciide - ok

15:40:58.0626 10852 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\DRIVERS\pcmcia.sys

15:40:58.0641 10852 pcmcia - ok

15:40:58.0641 10852 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys

15:40:58.0641 10852 pcw - ok

15:40:58.0657 10852 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys

15:40:58.0657 10852 PEAUTH - ok

15:40:58.0688 10852 PptpMiniport (27cc19e81ba5e3403c48302127bda717) C:\Windows\system32\DRIVERS\raspptp.sys

15:40:58.0688 10852 PptpMiniport - ok

15:40:58.0704 10852 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys

15:40:58.0704 10852 Processor - ok

15:40:58.0719 10852 Psched (ee992183bd8eaefd9973f352e587a299) C:\Windows\system32\DRIVERS\pacer.sys

15:40:58.0719 10852 Psched - ok

15:40:58.0719 10852 PxHlpa64 (4712cc14e720ecccc0aa16949d18aaf1) C:\Windows\system32\Drivers\PxHlpa64.sys

15:40:58.0766 10852 PxHlpa64 - ok

15:40:58.0797 10852 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys

15:40:58.0829 10852 ql2300 - ok

15:40:58.0844 10852 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys

15:40:58.0844 10852 ql40xx - ok

15:40:58.0860 10852 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys

15:40:58.0860 10852 QWAVEdrv - ok

15:40:58.0875 10852 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys

15:40:58.0875 10852 RasAcd - ok

15:40:58.0907 10852 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys

15:40:58.0907 10852 RasAgileVpn - ok

15:40:58.0922 10852 Rasl2tp (87a6e852a22991580d6d39adc4790463) C:\Windows\system32\DRIVERS\rasl2tp.sys

15:40:58.0922 10852 Rasl2tp - ok

15:40:58.0922 10852 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys

15:40:58.0938 10852 RasPppoe - ok

15:40:58.0938 10852 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys

15:40:58.0938 10852 RasSstp - ok

15:40:58.0969 10852 rdbss (3bac8142102c15d59a87757c1d41dce5) C:\Windows\system32\DRIVERS\rdbss.sys

15:40:58.0969 10852 rdbss - ok

15:40:58.0969 10852 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys

15:40:58.0969 10852 rdpbus - ok

15:40:58.0985 10852 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys

15:40:58.0985 10852 RDPCDD - ok

15:40:59.0000 10852 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys

15:40:59.0000 10852 RDPENCDD - ok

15:40:59.0000 10852 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys

15:40:59.0000 10852 RDPREFMP - ok

15:40:59.0016 10852 RDPWD (8a3e6bea1c53ea6177fe2b6eba2c80d7) C:\Windows\system32\drivers\RDPWD.sys

15:40:59.0031 10852 RDPWD - ok

15:40:59.0047 10852 rdyboost (634b9a2181d98f15941236886164ec8b) C:\Windows\system32\drivers\rdyboost.sys

15:40:59.0047 10852 rdyboost - ok

15:40:59.0063 10852 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys

15:40:59.0063 10852 rspndr - ok

15:40:59.0078 10852 RxFilter - ok

15:40:59.0094 10852 sbp2port (e3bbb89983daf5622c1d50cf49f28227) C:\Windows\system32\DRIVERS\sbp2port.sys

15:40:59.0109 10852 sbp2port - ok

15:40:59.0109 10852 scfilter (c94da20c7e3ba1dca269bc8460d98387) C:\Windows\system32\DRIVERS\scfilter.sys

15:40:59.0109 10852 scfilter - ok

15:40:59.0125 10852 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys

15:40:59.0125 10852 secdrv - ok

15:40:59.0141 10852 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys

15:40:59.0141 10852 Serenum - ok

15:40:59.0156 10852 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys

15:40:59.0156 10852 Serial - ok

15:40:59.0156 10852 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys

15:40:59.0156 10852 sermouse - ok

15:40:59.0172 10852 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\DRIVERS\sffdisk.sys

15:40:59.0172 10852 sffdisk - ok

15:40:59.0187 10852 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\DRIVERS\sffp_mmc.sys

15:40:59.0187 10852 sffp_mmc - ok

15:40:59.0187 10852 sffp_sd (5588b8c6193eb1522490c122eb94dffa) C:\Windows\system32\DRIVERS\sffp_sd.sys

15:40:59.0187 10852 sffp_sd - ok

15:40:59.0203 10852 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys

15:40:59.0203 10852 sfloppy - ok

15:40:59.0219 10852 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys

15:40:59.0219 10852 SiSRaid2 - ok

15:40:59.0219 10852 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys

15:40:59.0219 10852 SiSRaid4 - ok

15:40:59.0234 10852 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys

15:40:59.0234 10852 Smb - ok

15:40:59.0250 10852 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys

15:40:59.0250 10852 spldr - ok

15:40:59.0281 10852 srv (ec8f67289105bf270498095f14963464) C:\Windows\system32\DRIVERS\srv.sys

15:40:59.0281 10852 srv - ok

15:40:59.0297 10852 srv2 (f773d2ed090b7baa1c1a034f3ca476c8) C:\Windows\system32\DRIVERS\srv2.sys

15:40:59.0312 10852 srv2 - ok

15:40:59.0328 10852 srvnet (26e84d3649019c3244622e654dfcd75b) C:\Windows\system32\DRIVERS\srvnet.sys

15:40:59.0328 10852 srvnet - ok

15:40:59.0359 10852 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys

15:40:59.0359 10852 stexstor - ok

15:40:59.0390 10852 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\DRIVERS\swenum.sys

15:40:59.0390 10852 swenum - ok

15:40:59.0437 10852 Tcpip (912107716bab424c7870e8e6af5e07e1) C:\Windows\system32\drivers\tcpip.sys

15:40:59.0468 10852 Tcpip - ok

15:40:59.0484 10852 TCPIP6 (912107716bab424c7870e8e6af5e07e1) C:\Windows\system32\DRIVERS\tcpip.sys

15:40:59.0499 10852 TCPIP6 - ok

15:40:59.0515 10852 tcpipreg (76d078af6f587b162d50210f761eb9ed) C:\Windows\system32\drivers\tcpipreg.sys

15:40:59.0515 10852 tcpipreg - ok

15:40:59.0546 10852 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys

15:40:59.0546 10852 TDPIPE - ok

15:40:59.0546 10852 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys

15:40:59.0546 10852 TDTCP - ok

15:40:59.0562 10852 tdx (079125c4b17b01fcaeebce0bcb290c0f) C:\Windows\system32\DRIVERS\tdx.sys

15:40:59.0577 10852 tdx - ok

15:40:59.0577 10852 TermDD (c448651339196c0e869a355171875522) C:\Windows\system32\DRIVERS\termdd.sys

15:40:59.0577 10852 TermDD - ok

15:40:59.0593 10852 tssecsrv (61b96c26131e37b24e93327a0bd1fb95) C:\Windows\system32\DRIVERS\tssecsrv.sys

15:40:59.0593 10852 tssecsrv - ok

15:40:59.0609 10852 tunnel (3836171a2cdf3af8ef10856db9835a70) C:\Windows\system32\DRIVERS\tunnel.sys

15:40:59.0609 10852 tunnel - ok

15:40:59.0609 10852 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys

15:40:59.0624 10852 uagp35 - ok

15:40:59.0640 10852 udfs (d47baead86c65d4f4069d7ce0a4edceb) C:\Windows\system32\DRIVERS\udfs.sys

15:40:59.0655 10852 udfs - ok

15:40:59.0655 10852 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\DRIVERS\uliagpkx.sys

15:40:59.0671 10852 uliagpkx - ok

15:40:59.0687 10852 umbus (eab6c35e62b1b0db0d1b48b671d3a117) C:\Windows\system32\DRIVERS\umbus.sys

15:40:59.0687 10852 umbus - ok

15:40:59.0687 10852 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys

15:40:59.0687 10852 UmPass - ok

15:40:59.0702 10852 usbccgp (b26afb54a534d634523c4fb66765b026) C:\Windows\system32\DRIVERS\usbccgp.sys

15:40:59.0702 10852 usbccgp - ok

15:40:59.0718 10852 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\DRIVERS\usbcir.sys

15:40:59.0718 10852 usbcir - ok

15:40:59.0733 10852 usbehci (2ea4aff7be7eb4632e3aa8595b0803b5) C:\Windows\system32\DRIVERS\usbehci.sys

15:40:59.0733 10852 usbehci - ok

15:40:59.0749 10852 usbhub (4c9042b8df86c1e8e6240c218b99b39b) C:\Windows\system32\DRIVERS\usbhub.sys

15:40:59.0749 10852 usbhub - ok

15:40:59.0765 10852 usbohci (58e546bbaf87664fc57e0f6081e4f609) C:\Windows\system32\DRIVERS\usbohci.sys

15:40:59.0765 10852 usbohci - ok

15:40:59.0765 10852 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys

15:40:59.0780 10852 usbprint - ok

15:40:59.0780 10852 USBSTOR (080d3820da6c046be82fc8b45a893e83) C:\Windows\system32\DRIVERS\USBSTOR.SYS

15:40:59.0780 10852 USBSTOR - ok

15:40:59.0796 10852 usbuhci (81fb2216d3a60d1284455d511797db3d) C:\Windows\system32\DRIVERS\usbuhci.sys

15:40:59.0796 10852 usbuhci - ok

15:40:59.0811 10852 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\DRIVERS\vdrvroot.sys

15:40:59.0811 10852 vdrvroot - ok

15:40:59.0827 10852 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys

15:40:59.0827 10852 vga - ok

15:40:59.0843 10852 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys

15:40:59.0843 10852 VgaSave - ok

15:40:59.0843 10852 vhdmp (c82e748660f62a242b2dfac1442f22a4) C:\Windows\system32\DRIVERS\vhdmp.sys

15:40:59.0858 10852 vhdmp - ok

15:40:59.0858 10852 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\DRIVERS\viaide.sys

15:40:59.0858 10852 viaide - ok

15:40:59.0874 10852 volmgr (2b1a3dae2b4e70dbba822b7a03fbd4a3) C:\Windows\system32\DRIVERS\volmgr.sys

15:40:59.0874 10852 volmgr - ok

15:40:59.0889 10852 volmgrx (99b0cbb569ca79acaed8c91461d765fb) C:\Windows\system32\drivers\volmgrx.sys

15:40:59.0889 10852 volmgrx - ok

15:40:59.0905 10852 volsnap (58f82eed8ca24b461441f9c3e4f0bf5c) C:\Windows\system32\DRIVERS\volsnap.sys

15:40:59.0905 10852 volsnap - ok

15:40:59.0905 10852 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\DRIVERS\vsmraid.sys

15:40:59.0921 10852 vsmraid - ok

15:40:59.0936 10852 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\System32\drivers\vwifibus.sys

15:40:59.0936 10852 vwifibus - ok

15:40:59.0952 10852 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\DRIVERS\wacompen.sys

15:40:59.0952 10852 WacomPen - ok

15:40:59.0967 10852 WANARP (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys

15:40:59.0967 10852 WANARP - ok

15:40:59.0967 10852 Wanarpv6 (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys

15:40:59.0967 10852 Wanarpv6 - ok

15:40:59.0983 10852 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys

15:40:59.0983 10852 Wd - ok

15:40:59.0999 10852 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys

15:41:00.0014 10852 Wdf01000 - ok

15:41:00.0030 10852 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys

15:41:00.0030 10852 WfpLwf - ok

15:41:00.0045 10852 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys

15:41:00.0045 10852 WIMMount - ok

15:41:00.0061 10852 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\DRIVERS\wmiacpi.sys

15:41:00.0061 10852 WmiAcpi - ok

15:41:00.0077 10852 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys

15:41:00.0077 10852 ws2ifsl - ok

15:41:00.0092 10852 WudfPf (7cadc74271dd6461c452c271b30bd378) C:\Windows\system32\drivers\WudfPf.sys

15:41:00.0092 10852 WudfPf - ok

15:41:00.0108 10852 WUDFRd (3b197af0fff08aa66b6b2241ca538d64) C:\Windows\system32\DRIVERS\WUDFRd.sys

15:41:00.0108 10852 WUDFRd - ok

15:41:00.0123 10852 MBR (0x1B8) (534997c1da6d62ceb42126d018cac57b) \Device\Harddisk0\DR0

15:41:00.0123 10852 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - infected

15:41:00.0123 10852 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)

15:41:00.0139 10852 Boot (0x1200) (a5c682221bb3be9ca89446427c662f59) \Device\Harddisk0\DR0\Partition0

15:41:00.0139 10852 \Device\Harddisk0\DR0\Partition0 - ok

15:41:00.0139 10852 Boot (0x1200) (5e42e50e1b8fa6de0755cb1bce1af80f) \Device\Harddisk0\DR0\Partition1

15:41:00.0139 10852 \Device\Harddisk0\DR0\Partition1 - ok

15:41:00.0155 10852 Boot (0x1200) (5c24bd2e29e4fcb02ec55eb0dcb120b4) \Device\Harddisk0\DR0\Partition2

15:41:00.0155 10852 \Device\Harddisk0\DR0\Partition2 - ok

15:41:00.0186 10852 Boot (0x1200) (3b1bf9293d854b41efa503193b7b3fff) \Device\Harddisk0\DR0\Partition3

15:41:00.0186 10852 \Device\Harddisk0\DR0\Partition3 - ok

15:41:00.0186 10852 ============================================================

15:41:00.0186 10852 Scan finished

15:41:00.0186 10852 ============================================================

15:41:00.0186 8044 Detected object count: 1

15:41:00.0186 8044 Actual detected object count: 1

15:44:06.0016 8044 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - will be cured on reboot

15:44:06.0016 8044 \Device\Harddisk0\DR0 - ok

15:44:06.0031 8044 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - User select action: Cure

15:44:13.0785 11604 Deinitialize success

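The TDSSKiller log above records one or more verdict lines per scanned object, and the single infected object (the MBR of \Device\Harddisk0\DR0, labelled Rootkit.Win32.TDSS.tdl4) is easy to miss among several hundred "- ok" lines. The Python below is an added example, not part of the original post and not TDSSKiller's own code: it parses the log, attaches every verdict to its object and reports which objects were flagged and whether a cure was scheduled. The line layout it assumes is inferred from the log as posted, not from any tool documentation, and SAMPLE_LOG is a trimmed excerpt of that log embedded so the script runs offline.

```python
"""Pull the verdicts out of a Kaspersky TDSSKiller scan log so the one infected
object is not buried under several hundred '- ok' lines.

Added example; not part of the original post and not TDSSKiller's own code.
Assumed line layout (inferred from the posted log, not documented by the tool):
    HH:MM:SS.mmmm <pid> <object> (<md5>) <path>              verification line
    HH:MM:SS.mmmm <pid> <target> [( <threat> )] - <verdict>  verdict line
"""
import re
from dataclasses import dataclass, field
from typing import Optional

_TS = r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d+)\s+"

# "15:40:56.0114 10852 Filetrace (5f67...) C:\Windows\system32\drivers\filetrace.sys"
# "15:41:00.0123 10852 MBR (0x1B8) (5349...) \Device\Harddisk0\DR0"
_OBJECT_RE = re.compile(
    _TS + r"(?P<name>.+?)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+?)\s*$"
)

# "15:40:56.0130 10852 Filetrace - ok"
# "15:41:00.0123 10852 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - infected"
_VERDICT_RE = re.compile(
    _TS + r"(?P<target>.+?)(?:\s+\(\s*(?P<threat>[^()]+?)\s*\))?\s+-\s+(?P<verdict>.+?)\s*$"
)


@dataclass
class ScanObject:
    name: str
    md5: Optional[str]
    path: Optional[str]
    verdicts: list = field(default_factory=list)  # (verdict, threat) in log order


def parse_tdsskiller_log(text: str) -> list[ScanObject]:
    """Return one ScanObject per scanned object, with every verdict attached."""
    by_key: dict[str, ScanObject] = {}
    ordered: list[ScanObject] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _OBJECT_RE.match(line)
        if m:
            obj = ScanObject(m["name"], m["md5"], m["path"])
            ordered.append(obj)
            # driver verdicts refer to the service name, disk verdicts to the device path
            by_key[m["name"]] = obj
            by_key[m["path"]] = obj
            continue
        m = _VERDICT_RE.match(line)
        if m:
            obj = by_key.get(m["target"])
            if obj is None:  # e.g. "RxFilter - ok": a service entry with no file on disk
                obj = ScanObject(m["target"], None, None)
                by_key[m["target"]] = obj
                ordered.append(obj)
            obj.verdicts.append((m["verdict"], m["threat"]))
    return ordered


def flagged(objects: list[ScanObject]) -> list[ScanObject]:
    """Objects that ever received a verdict other than a plain 'ok'.

    The '- ok' that follows 'will be cured on reboot' records the cure being
    accepted, not a clean verdict, so the whole verdict history is inspected.
    """
    return [o for o in objects if any(v != "ok" for v, _ in o.verdicts)]


def threat_names(obj: ScanObject) -> set[str]:
    """Threat labels from '( Threat )' groups and from 'detected Threat (n)' verdicts."""
    names = {t for _, t in obj.verdicts if t}
    for verdict, _ in obj.verdicts:
        m = re.match(r"detected\s+(\S+)", verdict)
        if m:
            names.add(m.group(1))
    return names


def resolution(obj: ScanObject) -> str:
    """What the log says happened to the object."""
    verdicts = [v for v, _ in obj.verdicts]
    if all(v == "ok" for v in verdicts):
        return "clean"
    if any(v.startswith("will be cured") for v in verdicts):
        return "cure scheduled on reboot"
    return "detected only"


# Constructed sample input: a trimmed excerpt of the log posted above.
SAMPLE_LOG = r"""
15:40:56.0114 10852 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
15:40:56.0130 10852 Filetrace - ok
15:40:57.0456 10852 mfeavfk01 - ok
15:41:00.0123 10852 MBR (0x1B8) (534997c1da6d62ceb42126d018cac57b) \Device\Harddisk0\DR0
15:41:00.0123 10852 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - infected
15:41:00.0123 10852 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
15:41:00.0139 10852 Boot (0x1200) (a5c682221bb3be9ca89446427c662f59) \Device\Harddisk0\DR0\Partition0
15:41:00.0139 10852 \Device\Harddisk0\DR0\Partition0 - ok
15:41:00.0186 8044 Detected object count: 1
15:44:06.0016 8044 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - will be cured on reboot
15:44:06.0016 8044 \Device\Harddisk0\DR0 - ok
15:44:06.0031 8044 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - User select action: Cure
"""

if __name__ == "__main__":
    for obj in flagged(parse_tdsskiller_log(SAMPLE_LOG)):
        print(f"{obj.path} md5={obj.md5} threats={sorted(threat_names(obj))} "
              f"-> {resolution(obj)}")
```

Two things worth noticing when reading such a log this way: the detection is on the MBR (a 0x1B8-byte region of the raw disk), not on a file, so cleaning str.sys on the file system alone leaves the component that reinstalls it, which is consistent with the files reappearing after each Malwarebytes removal; and the MD5 recorded for the MBR is the hash of the infected sector, so a follow-up scan after the cure should show a different value there.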

Unfortunately you had a nasty rootkit on your computer. It should be gone now, but before continuing, read the following information.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and cleaned, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

  • Bleepingcomputer
  • ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[image: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


Hi Elise,

I downloaded ComboFix.exe, ran it and got the report file. It seems that the nasty bug is gone.

Thank you very much.

ComboFix 11-10-18.04 - Keiko 10/18/2011 16:07:11.1.4 - x64

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.6135.4745 [GMT -4:00]

Running from: c:\users\Keiko\Desktop\123ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\fungusfred\AppData\Roaming\Fuyzgy

c:\users\fungusfred\AppData\Roaming\Fuyzgy\rabil.ypo

c:\users\Keiko\AppData\Roaming\Eteg

c:\users\Keiko\AppData\Roaming\Eteg\ogvum.pyy

c:\users\Keiko\AppData\Roaming\Hyugez

c:\users\Keiko\AppData\Roaming\Hyugez\woans.exe

c:\users\Keiko\AppData\Roaming\Idumob

c:\users\Keiko\AppData\Roaming\Idumob\yqaj.vem

c:\users\Keiko\AppData\Roaming\Ilja

c:\users\Keiko\AppData\Roaming\Ilja\ykib.exe

c:\users\Keiko\AppData\Roaming\Remote

c:\users\Keiko\AppData\Roaming\Remote\hnqyzs

c:\users\Keiko\Combo-Fix.exe

c:\windows\SysWow64\0.09325577088274817.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-09-18 to 2011-10-18 )))))))))))))))))))))))))))))))

.

.

2011-10-18 20:10 . 2011-10-18 20:10 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-10-17 19:59 . 2011-08-19 20:33 27992 ----a-w- c:\windows\system32\SmartDefragBootTime.exe

2011-10-17 19:59 . 2010-11-26 22:02 17720 ----a-w- c:\windows\system32\drivers\SmartDefragDriver.sys

2011-10-17 19:58 . 2011-10-17 19:58 -------- d-----w- c:\programdata\IObit

2011-10-16 15:29 . 2011-10-16 15:29 -------- d-----w- c:\users\fungusfred

2011-10-14 20:28 . 2011-10-14 20:28 -------- d-----w- c:\programdata\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}

2011-10-14 18:18 . 2011-10-14 18:18 177152 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\toyfc.exe

2011-10-14 18:17 . 2011-10-14 18:17 177152 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\utcea.exe

2011-10-14 18:17 . 2011-10-14 18:17 177152 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\maco.exe

2011-10-14 17:22 . 2010-10-19 08:47 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll

2011-10-14 17:22 . 2010-10-19 08:10 7680 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll

2011-10-14 16:39 . 2011-10-14 20:44 -------- d-----w- c:\windows\SysWow64\Wat

2011-10-14 16:39 . 2011-10-14 20:44 -------- d-----w- c:\windows\system32\Wat

2011-10-14 16:07 . 2011-10-14 16:07 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help

2011-10-14 14:54 . 2011-10-14 14:54 -------- dc-h--w- c:\programdata\{CBCE2F73-24E4-481F-84B2-1A5EB720D187}

2011-10-14 14:34 . 2011-10-14 14:34 -------- d-----w- c:\program files\CCleaner

2011-10-14 14:34 . 2011-10-14 14:34 -------- d-----w- c:\program files\Google

2011-10-14 14:33 . 2011-10-14 14:34 -------- d-----w- c:\program files (x86)\Google

2011-10-14 10:52 . 2011-10-14 10:52 -------- d-----w- c:\program files (x86)\Conduit

2011-10-14 10:52 . 2011-10-14 10:52 -------- d-----w- C:\extensions

2011-10-14 10:43 . 2011-10-14 10:43 -------- d-----w- c:\program files (x86)\McAfee.com

2011-10-14 10:43 . 2011-08-15 14:00 9984 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2011-10-14 10:41 . 2011-08-15 14:00 75672 ----a-w- c:\windows\system32\drivers\mfenlfk.sys

2011-10-14 10:41 . 2011-08-15 14:00 65128 ----a-w- c:\windows\system32\drivers\cfwids.sys

2011-10-14 10:41 . 2011-08-15 14:00 481504 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2011-10-14 10:41 . 2011-08-15 14:00 283744 ----a-w- c:\windows\system32\drivers\mfewfpk.sys

2011-10-14 10:41 . 2011-08-15 14:00 228752 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2011-10-14 10:41 . 2011-08-15 14:00 100904 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2011-10-14 10:29 . 2011-10-06 20:44 158832 ----a-w- c:\windows\system32\mfevtps.exe

2011-10-14 09:49 . 2011-10-14 09:49 -------- d-----we c:\windows\system64

2011-10-14 09:30 . 2011-08-31 21:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-14 08:55 . 2011-10-14 08:55 -------- d-----w- c:\program files (x86)\MSXML 4.0

2011-10-13 01:58 . 2011-10-13 01:58 -------- d-----w- c:\program files\McAfee.com

2011-10-12 22:01 . 2011-10-12 22:01 -------- d-----w- c:\programdata\Malwarebytes

2011-10-12 21:30 . 2011-10-14 10:52 -------- d-----w- c:\program files (x86)\uTorrentBar

2011-10-12 21:04 . 2011-10-12 21:04 -------- d-----w- c:\windows\Sun

2011-10-12 20:42 . 2011-10-18 20:10 -------- d-----w- c:\users\Keiko

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-15 14:00 . 2011-03-13 15:20 158584 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2011-08-15 14:00 . 2009-12-15 16:10 642824 ----a-w- c:\windows\system32\drivers\mfehidk.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

2011-05-09 09:49 176936 ----a-w- c:\program files (x86)\uTorrentBar\prxtbuTor.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]

"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files (x86)\uTorrentBar\prxtbuTor.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-10-14 39408]

"Advanced SystemCare 4"="e:\program files (x86)\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-08-09 417112]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files (x86)\Java\jre6\bin\jusched.exe" [2009-12-15 148888]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-06-15 98304]

"ShwiconXP9106"="c:\program files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe" [2009-07-17 237568]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]

"PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-06-25 140520]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1674896]

"Malwarebytes' Anti-Malware"="e:\program files (x86)\MalwareBytes\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

.

c:\users\fungusfred\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-10-12 1324384]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-10-12 1324384]

maco.exe [2011-10-14 177152]

toyfc.exe [2011-10-14 177152]

utcea.exe [2011-10-14 177152]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-14 136176]

R2 MBAMService;MBAMService;e:\program files (x86)\MalwareBytes\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]

R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]

R2 SessionLauncher;SessionLauncher;c:\users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [x]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-14 136176]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x]

R3 RoxMediaDB10;RoxMediaDB10;c:\program files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-06-26 1124848]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]

S0 SmartDefragDriver;SmartDefragDriver;c:\windows\System32\Drivers\SmartDefragDriver.sys [x]

S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [x]

S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [x]

S2 AdvancedSystemCareService;Advanced SystemCare Service;e:\program files (x86)\IObit\Advanced SystemCare 4\ASCService.exe [2011-08-09 328536]

S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-03-31 92160]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]

S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2010-01-11 155648]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]

S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]

S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-10-06 208272]

S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [x]

S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [x]

S3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [x]

S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

Contents of the 'Scheduled Tasks' folder

.

2011-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-14 14:34]

.

2011-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-14 14:34]

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-05-23 7833120]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

TCP: DhcpNameServer = 192.168.1.1

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Toolbar-Locked - (no file)

WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - (no file)

HKLM-Run-Skytel - c:\program files\Realtek\Audio\HDA\Skytel.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10b.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]

@Denied: (A 2) (Everyone)

@="IFlashBroker2"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\windows\SysWOW64\rundll32.exe

e:\program files (x86)\IObit\Advanced SystemCare 4\PMonitor.exe

e:\program files (x86)\IObit\Smart Defrag 2\SmartDefrag.exe

.

**************************************************************************

.

Completion time: 2011-10-18 16:14:06 - machine was rebooted

ComboFix-quarantined-files.txt 2011-10-18 20:14

.

Pre-Run: 226,445,185,024 bytes free

Post-Run: 225,907,830,784 bytes free

.

- - End Of File - - 11EC8B02BEA7D1575DF05C78015780D4

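The ComboFix log above shows where this infection was persisting: three 177152-byte executables (maco.exe, toyfc.exe, utcea.exe) in the Default profile's Startup folder, which Windows copies into every newly created account, plus a toolbar registered as a BHO and URLSearchHook, and the usual Run keys. The following PowerShell script is an added example, not part of this thread and not ComboFix or DDS output; it walks those same locations on a live machine so a recurrence can be spotted without waiting for a full scan. It assumes an elevated PowerShell 2.0 or later on 64-bit Windows 7 with profiles under C:\Users; the Add-Finding helper and the "Flag" heuristics are the example's own.

```powershell
# Added example, not part of the forum thread or of ComboFix/DDS: enumerate the
# autostart locations the log shows being used (per-profile Startup folders,
# Run keys in both registry views, IE URLSearchHooks/BHOs, the UAC policy
# values) and flag anything unusual. Assumes an elevated PowerShell 2.0 or
# later on 64-bit Windows 7 and C:\Users as the profile root.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()
function Add-Finding($where, $item, $detail, $flag) {
    $script:findings += New-Object PSObject -Property @{
        Flag = [bool]$flag; Where = $where; Item = $item; Detail = $detail }
}

# 1. Startup folder of every profile, including 'Default' (copied into each new
#    account, which is how maco.exe in the log reappears) and the all-users one.
$rel  = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
$dirs = @(Get-ChildItem 'C:\Users' -Force | Where-Object { $_.PSIsContainer } |
          ForEach-Object { Join-Path $_.FullName $rel })
$dirs += Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'
foreach ($d in $dirs) {
    if (-not (Test-Path $d)) { continue }
    foreach ($f in @(Get-ChildItem $d -Force | Where-Object { -not $_.PSIsContainer })) {
        $sig = (Get-AuthenticodeSignature $f.FullName).Status
        # A bare .exe here is unusual (shortcuts are the norm); unsigned makes it worse.
        Add-Finding $d $f.Name "$($f.Length) bytes, $sig" ($f.Extension -eq '.exe' -and $sig -ne 'Valid')
    }
}

# 2. Run/RunOnce values: HKLM and every loaded user hive, native and Wow6432Node.
$subs = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
$hives = @('HKLM:') + @(Get-ChildItem HKU: | Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
                         ForEach-Object { "HKU:\$($_.PSChildName)" })
foreach ($h in $hives) { foreach ($s in $subs) {
    $key = "$h\$s"
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # provider metadata, not a registry value
        # Flag commands that run out of a profile or temp directory rather than Program Files.
        Add-Finding $key $p.Name $p.Value ($p.Value -match '\\Users\\|\\Temp\\|AppData')
    }
} }

# 3. IE URLSearchHooks (HKCU) and Browser Helper Objects, resolved to their DLL.
$clsids = @()
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects') {
    if (Test-Path $k) { $clsids += @(Get-ChildItem $k | ForEach-Object { $_.PSChildName }) }
}
$hooks = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
if ($hooks) { $clsids += @($hooks.PSObject.Properties | Where-Object { $_.Name -like '{*}' } | ForEach-Object { $_.Name }) }
foreach ($c in ($clsids | Select-Object -Unique)) {
    $dll = foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
        $srv = Get-ItemProperty "$root\$c\InprocServer32"
        if ($srv) { $srv.'(default)' }
    }
    # Flag a CLSID with no server DLL, or one that lives outside Program Files.
    Add-Finding 'IE add-on' $c ($dll -join ' | ') (-not $dll -or $dll -notmatch 'Program Files')
}

# 4. UAC policy values from the log's policies\system key (Win7 defaults: EnableLUA=1, Admin=5).
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Add-Finding 'UAC' 'EnableLUA' $pol.EnableLUA ($pol.EnableLUA -ne 1)
Add-Finding 'UAC' 'ConsentPromptBehaviorAdmin' $pol.ConsentPromptBehaviorAdmin ($pol.ConsentPromptBehaviorAdmin -eq 0)

# 5. The two files from the opening post: are they back?
foreach ($f in 'C:\Windows\System32\str.sys', 'C:\Windows\SysWOW64\drivers\str.sys') {
    Add-Finding 'Reported file' $f (Test-Path $f) (Test-Path $f)
}

$findings | Sort-Object Flag -Descending | Format-Table Flag, Where, Item, Detail -AutoSize -Wrap
```

Run it from an elevated prompt after each reboot while the cleanup is in progress: a flagged row under one of the Startup folders, or a True for either str.sys path, is the quickest sign that the dropper is still active. The Default profile is included deliberately, since removing the copies from the logged-in user's Startup folder alone leaves the seed that re-creates them for any new account.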

Hi Elise,

I downloaded ComboFix.exe, ran it and got the report file that I have attached. It seems that the nasty bug is gone.

Thank you very much.

Our PC is a Dell, and Dell stores a system recovery image from when the PC left the factory. I shut down our PC, power on and select F8. When I get the Recovery options window, I select Dell Factory system image. This selection will format the C drive and restore the system image. A problem is that the system image is 2 years old. I'm thinking that I will download Windows 7 SP1 and update it. There are 9 files to be downloaded. I don't know which downloaded file to run first. Do you have any recommendations?

Thank you for your help,

Keiko

ComboFix.txt


If you want to reformat your computer, you can just restore the image, and then let windows update take care of downloading/installing the appropriate updates.

If you want to go through with the cleaning first, please let me know how things are running now and if you have any problem left.


Hi Elise,

I want to go through with cleaning first. Could you find out if any problems are left?

I don't have a portable hard disk now, so I will order one. After receiving it, I will create a system image, restore the image, and then run Auto Updates. I hope that our PC will not crash again.

Thank you,

Keiko


Hi again,

P2P WARNING

-------------------

Going over your logs I noticed that you have uTorrent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.

I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:

  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older version of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

Your Adobe Reader is now up to date!

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

  • Download the latest version of Java Runtime Environment (JRE) Version 7.
  • Look for "JDK 7 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe.
  • Save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.

Please launch MBAM, update it and run a full scan. Post me the resulting log.

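Both update procedures above turn on the same check: that no older Java or Adobe Reader is left installed beside the new one, because the old runtime keeps servicing browser content until it is actually uninstalled. As an added example (not Elise's instructions and not part of this thread), the PowerShell below lists the relevant Add/Remove Programs entries from both registry views and the binaries still on disk with their file version, so leftovers are visible at a glance. It assumes PowerShell 2.0 or later on 64-bit Windows 7 and the default Program Files locations; the product-name pattern is the example's own.

```powershell
# Added example, not from the thread: inventory installed Java and Adobe Reader/Acrobat
# from both Uninstall views, then the binaries still on disk. Assumes PowerShell 2.0+
# on 64-bit Windows 7 with the products under the default Program Files roots.
$ErrorActionPreference = 'SilentlyContinue'
$pattern = 'Java|J2SE|JRE|Adobe Reader|Adobe Acrobat|Acrobat Reader'
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

# 1. Registry view: one row per matching Add/Remove Programs entry. More than one Java
#    or Reader row means an old version is still installed and must be uninstalled.
$installed = foreach ($k in $uninstallKeys) {
    if (-not (Test-Path $k)) { continue }
    $view = if ($k -match 'Wow6432Node') { '32-bit' } else { '64-bit' }
    foreach ($sub in Get-ChildItem $k) {
        $p = Get-ItemProperty $sub.PSPath
        if ($p.DisplayName -and $p.DisplayName -match $pattern) {
            New-Object PSObject -Property @{
                Product   = $p.DisplayName
                Version   = $p.DisplayVersion
                View      = $view
                Uninstall = $p.UninstallString
            }
        }
    }
}

# 2. Disk view: every java.exe / AcroRd32.exe / Acrobat.exe under the Java and Adobe roots,
#    with file version and Authenticode status. The log shows jre6 under 32-bit Program Files.
$roots = "$env:ProgramFiles\Java", "${env:ProgramFiles(x86)}\Java",
         "$env:ProgramFiles\Adobe", "${env:ProgramFiles(x86)}\Adobe"
$onDisk = foreach ($r in $roots) {
    if (-not (Test-Path $r)) { continue }
    Get-ChildItem $r -Recurse -Include java.exe, AcroRd32.exe, Acrobat.exe | ForEach-Object {
        New-Object PSObject -Property @{
            Version = $_.VersionInfo.ProductVersion
            Signed  = (Get-AuthenticodeSignature $_.FullName).Status
            File    = $_.FullName
        }
    }
}

$installed | Sort-Object Product | Format-Table Product, Version, View, Uninstall -AutoSize -Wrap
$onDisk    | Sort-Object File    | Format-Table Version, Signed, File -AutoSize -Wrap
```

Run it once before and once after the uninstall steps. On this machine the first run should show the Java 6 entry and c:\program files (x86)\Java\jre6\bin\java.exe (the jusched.exe Run entry in the log points at that tree) alongside Adobe Reader 9; after the procedure only the Java 7 and Reader X rows should remain, and the Uninstall column gives the exact command for anything that does not.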

Hi Elise,

I removed the two old versions, downloaded the new ones and installed them. Is MBAM Malwarebytes Pro? If so, I ran full scans of my drives (C:\, E:\ and F:\) and attached the log files.

I received a portable hard disk. So I'm ready to create a system image and a backup file. Please tell me when I can do so.

Thank you for your help,

Keiko

mbam-log-2011-10-21 (17-31-34).txt

mbam-log-2011-10-21 (17-37-40).txt

mbam-log-2011-10-21 (17-40-06).txt


I received a portable hard disk. So I'm ready to create a system image and a backup file. Please tell me when I can do so.

I would not recommend creating an image at this point. It is much better to do a complete reformat/reinstall and then create a disk image. That way you know for sure the image has no vulnerabilities due to earlier infections included.

After the following scan, you can safely backup all personal files you want to save.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
    1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  4. Check "YES, I accept the Terms of Use."
  5. Click the Start button.
  6. Accept any security warnings from your browser.
  7. Under scan settings, check "Scan Archives" and "Remove found threats".
  8. Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, click List Threats.
  11. Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Click the Back button.
  13. Click the Finish button.


Hi, these were just some leftovers, which means you are good to go. :)

Please let me know if you need any help backing up/reinstalling, if you still want to do that.

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.

Please read this advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide resident protection and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.

  2. Keep Windows (and your other Microsoft software) up to date!

     I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

     Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

     Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  4. Stay up to date!

     The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.


This topic is now closed to further replies.