Fake Windows 2012 anti-virus removed? Having Internet/firewall issues

By mlw038
Dec 22, 2011
  1. Alright, so I used MSE and Malwarebytes to remove it, and then I was having issues with my firewall not turning on, so I used post 2 from here:
    http://answers.microsoft.com/en-us/...firewall/ec3fc3b8-69ec-4b4b-a703-4b745fe6e8ee

    Once I got the firewall and BFE to reappear after a reset, I got errors for those to start and my internet stopped working. Here are my logs:

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 911122301

    Windows 6.1.7601 Service Pack 1
    Internet Explorer 8.0.7601.17514

    12/22/2011 11:19:42 PM
    mbam-log-2011-12-22 (23-19-42).txt

    Scan type: Quick scan
    Objects scanned: 205241
    Time elapsed: 4 minute(s), 29 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Gmer

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-12-22 23:35:22
    Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 WDC_WD3200KS-75PFB0 rev.21.00M21
    Running: qmrrckbj.exe; Driver: C:\Users\Welch\AppData\Local\Temp\fgloqpog.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKey + 13D1 82C45369 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C7ED52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text autochk.exe 004011D1 42 Bytes [C4, 08, 5D, C3, CC, CC, CC, ...]
    .text autochk.exe 004011FC 5 Bytes [8B, E5, 5D, C2, 08]
    .text autochk.exe 00401202 41 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
    .text autochk.exe 0040122C 5 Bytes [8B, E5, 5D, C2, 08]
    .text autochk.exe 00401232 47 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
    .text ...

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\MediaMall\MediaMallServer.exe[1032] KERNEL32.dll!GetFileAttributesExW 75CF307E 6 Bytes JMP 71A90F5A
    .text C:\Program Files\MediaMall\MediaMallServer.exe[1032] KERNEL32.dll!GetModuleFileNameW 75CFEF35 6 Bytes JMP 71AF0F5A

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\ACPI_HAL \Device\00000053 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\$NtUninstallKB28521$\3558784311 0 bytes
    File C:\Windows\$NtUninstallKB28521$\411072489 0 bytes
    File C:\Windows\$NtUninstallKB28521$\411072489\@ 2048 bytes
    File C:\Windows\$NtUninstallKB28521$\411072489\bckfg.tmp 814 bytes
    File C:\Windows\$NtUninstallKB28521$\411072489\cfg.ini 207 bytes
    File C:\Windows\$NtUninstallKB28521$\411072489\Desktop.ini 4608 bytes
    File C:\Windows\$NtUninstallKB28521$\411072489\keywords 219 bytes
    File C:\Windows\$NtUninstallKB28521$\411072489\kwrd.dll 223744 bytes
    File C:\Windows\$NtUninstallKB28521$\411072489\L 0 bytes
    File C:\Windows\$NtUninstallKB28521$\411072489\L\xadqgnnk 338944 bytes
    File C:\Windows\$NtUninstallKB28521$\411072489\lsflt7.ver 5176 bytes
    File C:\Windows\$NtUninstallKB28521$\411072489\U 0 bytes
    File C:\Windows\$NtUninstallKB28521$\411072489\U\00000001.@ 1536 bytes
    File C:\Windows\$NtUninstallKB28521$\411072489\U\00000002.@ 224768 bytes
    File C:\Windows\$NtUninstallKB28521$\411072489\U\00000004.@ 1024 bytes
    File C:\Windows\$NtUninstallKB28521$\411072489\U\80000000.@ 11264 bytes
    File C:\Windows\$NtUninstallKB28521$\411072489\U\80000004.@ 12800 bytes
    File C:\Windows\$NtUninstallKB28521$\411072489\U\80000032.@ 97792 bytes
    File C:\Windows\$NtUninstallKB37014$\3634874217 0 bytes
    File C:\Windows\$NtUninstallKB37014$\411072489 0 bytes
    File C:\Windows\$NtUninstallKB37014$\411072489\L 0 bytes
    File C:\Windows\$NtUninstallKB37014$\411072489\U 0 bytes

    ---- EOF - GMER 1.0.15 ----

    DDS
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.7601.17514
    Run by Welch at 23:35:54 on 2011-12-22
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2046.1186 [GMT -5:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
    C:\Windows\system32\svchost.exe -k apphost
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\Citrix\GoToMyPC\g2svc.exe
    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    C:\Program Files\Citrix\GoToMyPC\g2comm.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\MediaMall\MediaMallServer.exe
    C:\Program Files\Citrix\GoToMyPC\g2pre.exe
    C:\Program Files\Citrix\GoToMyPC\g2tray.exe
    C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
    c:\program files\common files\protexis\license service\psiservice_2.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
    C:\Windows\system32\svchost.exe -k iissvcs
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe
    C:\Program Files\Common Files\supportsoft\bin\bcont.exe
    C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpy.exe
    C:\Users\Welch\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\conhost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local;<local>
    uInternet Settings,ProxyServer = http=127.0.0.1:53172
    BHO: AutorunsDisabled - No File
    BHO: Canon Easy-WebPrint EX BHO - No File
    BHO: XFINITY Toolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - c:\program files\xfin_portal\comcastdx.dll
    BHO: Updater For XFIN_PORTAL: {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} - c:\program files\xfin_portal\auxi\comcastAu.dll
    BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: XFINITY Toolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - c:\program files\xfin_portal\comcastdx.dll
    TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
    uRun: [RCHotKey] "c:\program files\ringcentral\ringcentral call controller\RCHotKey.exe"
    uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\723\g2mstart.exe" "/Trigger RunAtLogon"
    uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden
    uRun: [ComcastAntispyClient] "c:\program files\comcasttb\comcastspywarescan\ComcastAntispy.exe" /hide
    mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10w_ActiveX.exe -update activex
    StartupFolder: c:\users\welch\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\welch\appdata\roaming\dropbox\bin\Dropbox.exe
    StartupFolder: c:\users\welch\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\users\welch\appdata\roaming\micros~1\windows\startm~1\programs\startup\autoru~1\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\intuit~1.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\netgea~1.lnk - c:\program files\netgear\wnda3100v2\WNDA3100v2.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\quickb~2.lnk - c:\program files\intuit\quickbooks 2008\QBW32.EXE
    uPolicies-explorer: HideSCAHealth = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    IE: {90A81828-92DB-400e-AECD-78C540F5EB49} - c:\program files\egrabber\addressgrabber business 2010\InternetAddress.exe
    IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    LSP: mswsock.dll
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
    TCP: Interfaces\{1F580317-1C55-40BC-BE99-23BD28E176D9} : DhcpNameServer = 192.168.2.1 192.168.2.1
    TCP: Interfaces\{48C9BFA9-EF0D-4489-934E-C8C8E54983BD} : DhcpNameServer = 192.168.2.1 192.168.2.1
    TCP: Interfaces\{48C9BFA9-EF0D-4489-934E-C8C8E54983BD}\D4966496233373230253633303 : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{A08A42F6-2480-4698-B1CD-BA35177C272B} : DhcpNameServer = 192.168.2.1 192.168.2.1
    TCP: Interfaces\{A08A42F6-2480-4698-B1CD-BA35177C272B}\2375942554235393 : DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{A8D10DF4-D8AD-42D1-9E93-EDF8AE3FD0EE} : DhcpNameServer = 192.168.2.1 192.168.2.1
    TCP: Interfaces\{C3AEE420-1FF5-42AC-A7A3-691E806C986A} : DhcpNameServer = 192.168.2.1 192.168.2.1
    Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
    Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
    Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\drivers\SCMNdisP.sys [2011-3-29 21728]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-5 164048]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
    R1 MpKsl1e3c35cb;MpKsl1e3c35cb;c:\programdata\microsoft\microsoft antimalware\definition updates\{48356ec5-2bf8-4339-8230-c8e086a7eb36}\MpKsl1e3c35cb.sys [2011-12-22 29904]
    R1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
    R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-6-17 616408]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-5 19024]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-6-5 51792]
    R2 MediaMall Server;MediaMall Server;c:\program files\mediamall\MediaMallServer.exe [2011-10-22 5424504]
    R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\nvidia corporation\performance drivers\nvPDsvc.exe [2010-4-30 3795560]
    R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2011-6-30 1248256]
    R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2010-12-6 2222376]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh6.sys [2011-3-29 699896]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
    S2 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2010-1-14 65536]
    S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-5 40384]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
    S2 NecUsb;USB Service;c:\windows\system32\svchost.exe -k NecUsbSevice [2009-7-13 20992]
    S2 WSWNDA3100;WSWNDA3100;c:\program files\netgear\wnda3100v2\WifiSvc.exe [2011-3-29 272864]
    S3 2WXG7053;2W 802.11g XG705 SP3 Driver;c:\windows\system32\drivers\wlanUIG.sys [2007-4-24 358304]
    S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\drivers\athrusb.sys [2007-3-27 857600]
    S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-5 40384]
    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-5 40384]
    S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-11-29 39272]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
    S3 netr73;Belkin Wireless G Plus MIMO USB Network Adapter Driver for Vista;c:\windows\system32\drivers\netr73.sys [2007-11-12 468480]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-25 52224]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-13 1343400]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
    S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]
    S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-14 135664]
    S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-14 135664]
    S4 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2009-7-13 20992]
    S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
    .
    =============== Created Last 30 ================
    .
    2011-12-23 04:10:56 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{48356ec5-2bf8-4339-8230-c8e086a7eb36}\MpKsl1e3c35cb.sys
    2011-12-23 04:10:27 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{48356ec5-2bf8-4339-8230-c8e086a7eb36}\offreg.dll
    2011-12-23 02:34:58 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-12-23 02:32:08 703824 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{1abc2fd0-c57a-4d7b-b07a-2137acc1186e}\gapaengine.dll
    2011-12-23 02:32:03 6823496 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{48356ec5-2bf8-4339-8230-c8e086a7eb36}\mpengine.dll
    2011-12-23 02:31:04 -------- d-----w- c:\program files\Microsoft Security Client
    2011-12-22 02:44:47 -------- d-----w- c:\program files\WOT
    2011-12-14 03:02:54 534528 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-14 03:02:53 38912 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-14 03:02:50 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-12-14 03:02:50 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-12-06 12:15:18 277504 ----a-w- c:\windows\system32\CNMLMA7.DLL
    2011-12-06 12:14:48 1310720 ----a-w- c:\windows\system32\CNC870C.dll
    2011-12-06 12:14:48 110592 ----a-w- c:\windows\system32\CNC870I.dll
    2011-12-06 12:14:48 102400 ----a-w- c:\windows\system32\CNC870U.dll
    2011-12-01 03:28:22 -------- d-----w- c:\users\welch\appdata\local\PhotoChannel
    2011-11-30 22:55:29 -------- d-----w- c:\users\welch\appdata\local\WMTools Downloaded Files
    2011-11-30 22:45:04 -------- d-----w- c:\program files\Movie Maker 2.6
    2011-11-30 00:40:58 -------- d-----w- c:\users\welch\appdata\local\{44EC752A-6758-4570-AD3D-1EE973CF2685}
    2011-11-30 00:40:48 -------- d-----w- c:\users\welch\appdata\local\{5E933785-29B1-4B2B-B665-51EDC1AA3982}
    2011-11-30 00:32:44 -------- d-----w- c:\users\welch\appdata\local\{6A718644-F11C-49A6-BB32-8168ECECCA8E}
    2011-11-24 10:47:15 -------- d-----w- c:\users\welch\appdata\roaming\IPNycA1uv2b4
    2011-11-24 10:47:15 -------- d-----w- c:\users\welch\appdata\roaming\dmG5sQJ6dKfZhXj
    2011-11-24 10:44:01 -------- d-----w- c:\users\welch\appdata\roaming\YbF4pmG5sJdKfZh
    2011-11-24 10:44:01 -------- d-----w- c:\users\welch\appdata\roaming\eXwjUCelIrPyAuS
    2011-11-24 10:43:50 -------- d-----w- c:\users\welch\appdata\roaming\WhYXwjUVtPyAu24
    2011-11-24 10:43:49 -------- d-----w- c:\users\welch\appdata\roaming\kamH6sWJ7E8TqYw
    .
    ==================== Find3M ====================
    .
    2011-12-05 17:56:26 952 --sha-w- c:\programdata\KGyGaAvL.sys
    2011-11-24 04:25:27 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-11-08 12:27:26 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-05 04:35:00 981504 ----a-w- c:\windows\system32\wininet.dll
    2011-11-05 04:26:03 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-11-05 02:48:51 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-09-29 16:03:04 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
    .
    ============= FINISH: 23:36:25.83 ===============
  2. Broni


    Welcome aboard.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ============================================================

    The Attach.txt part of DDS is missing, so please provide that.

    Then....

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run from.
    • Please copy and paste the log to your reply.
  3. mlw038


    Sorry about the Attach log missing; the post was over 50k characters and I couldn't find the post I made after I made it. Anyway, here are the logs for Attach, then FSS. Thanks and merry Christmas!

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/19/2009 7:48:29 PM
    System Uptime: 12/22/2011 11:10:06 PM (0 hours ago)
    .
    Motherboard: Dell Inc. | | 0DN075
    Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz | Microprocessor | 2394/1066mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 298 GiB total, 217.452 GiB free.
    D: is Removable
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: Voyager
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_CORSAIR&PROD_VOYAGER&REV_0.00#100000039EEA6A&0#
    Manufacturer: Corsair
    Name: CORSAIR
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_CORSAIR&PROD_VOYAGER&REV_0.00#100000039EEA6A&0#
    Service: WUDFRd
    .
    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: USB HS-SD Card
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-SD_CARD&REV_4.00#000003093FED&3#
    Manufacturer: TEAC
    Name: G:\
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-SD_CARD&REV_4.00#000003093FED&3#
    Service: WUDFRd
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: SASDIFSV
    Device ID: ROOT\LEGACY_SASDIFSV\0000
    Manufacturer:
    Name: SASDIFSV
    PNP Device ID: ROOT\LEGACY_SASDIFSV\0000
    Service: SASDIFSV
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: MpKsl3f914193
    Device ID: ROOT\LEGACY_MPKSL3F914193\0000
    Manufacturer:
    Name: MpKsl3f914193
    PNP Device ID: ROOT\LEGACY_MPKSL3F914193\0000
    Service: MpKsl3f914193
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: SASKUTIL
    Device ID: ROOT\LEGACY_SASKUTIL\0000
    Manufacturer:
    Name: SASKUTIL
    PNP Device ID: ROOT\LEGACY_SASKUTIL\0000
    Service: SASKUTIL
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: MpKsl51a1ac52
    Device ID: ROOT\LEGACY_MPKSL51A1AC52\0000
    Manufacturer:
    Name: MpKsl51a1ac52
    PNP Device ID: ROOT\LEGACY_MPKSL51A1AC52\0000
    Service: MpKsl51a1ac52
    .
    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: MX870 series
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_CANON&PROD_MX870_SERIES&REV_0101#7&F01AA71&0&119E08&0#
    Manufacturer: Canon
    Name: H:\
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_CANON&PROD_MX870_SERIES&REV_0101#7&F01AA71&0&119E08&0#
    Service: WUDFRd
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: MpKsl644f65eb
    Device ID: ROOT\LEGACY_MPKSL644F65EB\0000
    Manufacturer:
    Name: MpKsl644f65eb
    PNP Device ID: ROOT\LEGACY_MPKSL644F65EB\0000
    Service: MpKsl644f65eb
    .
    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: USB HS-xD/SM
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-XD#SM&REV_4.00#000003093FED&1#
    Manufacturer: TEAC
    Name: E:\
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-XD#SM&REV_4.00#000003093FED&1#
    Service: WUDFRd
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: MpKsl7c329dc2
    Device ID: ROOT\LEGACY_MPKSL7C329DC2\0000
    Manufacturer:
    Name: MpKsl7c329dc2
    PNP Device ID: ROOT\LEGACY_MPKSL7C329DC2\0000
    Service: MpKsl7c329dc2
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: @%systemroot%\system32\drivers\afd.sys,-1000
    Device ID: ROOT\LEGACY_AFD\0000
    Manufacturer:
    Name: @%systemroot%\system32\drivers\afd.sys,-1000
    PNP Device ID: ROOT\LEGACY_AFD\0000
    Service: AFD
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: MpKsl8c012499
    Device ID: ROOT\LEGACY_MPKSL8C012499\0000
    Manufacturer:
    Name: MpKsl8c012499
    PNP Device ID: ROOT\LEGACY_MPKSL8C012499\0000
    Service: MpKsl8c012499
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: HTTP
    Device ID: ROOT\LEGACY_HTTP\0000
    Manufacturer:
    Name: HTTP
    PNP Device ID: ROOT\LEGACY_HTTP\0000
    Service: HTTP
    .
    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: USB HS-CF Card
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-CF_CARD&REV_4.00#000003093FED&0#
    Manufacturer: TEAC
    Name: D:\
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-CF_CARD&REV_4.00#000003093FED&0#
    Service: WUDFRd
    .
    Class GUID: {4d36e965-e325-11ce-bfc1-08002be10318}
    Description: CD-ROM Drive
    Device ID: IDE\CDROMPHILIPS_DVD+-RW_DVD8801_________________4D28____\5&44E1900&0&0.0.0
    Manufacturer: (Standard CD-ROM drives)
    Name: PHILIPS DVD+-RW DVD8801 ATA Device
    PNP Device ID: IDE\CDROMPHILIPS_DVD+-RW_DVD8801_________________4D28____\5&44E1900&0&0.0.0
    Service: cdrom
    .
    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: USB HS-MS Card
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-MS_CARD&REV_4.00#000003093FED&2#
    Manufacturer: TEAC
    Name: F:\
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-MS_CARD&REV_4.00#000003093FED&2#
    Service: WUDFRd
    .
    ==== System Restore Points ===================
    .
    RP271: 11/25/2011 5:06:47 PM - Windows Update
    RP272: 11/29/2011 5:06:01 PM - Windows Update
    RP273: 11/30/2011 5:44:37 PM - Installed Windows Movie Maker 2.6
    RP274: 12/3/2011 5:06:06 PM - Windows Update
    RP275: 12/7/2011 9:54:05 AM - Windows Update
    RP276: 12/11/2011 1:52:30 AM - Windows Update
    RP277: 12/14/2011 2:00:50 AM - Windows Update
    RP278: 12/14/2011 3:00:11 AM - Windows Update
    RP279: 12/17/2011 3:25:54 AM - Windows Update
    RP280: 12/21/2011 3:25:55 AM - Windows Update
    RP281: 12/21/2011 9:44:24 PM - Installed WOT for Internet Explorer
    RP282: 12/22/2011 11:07:29 PM - Restore Operation
    .
    ==== Installed Programs ======================
    .
    .
    ACT! by Sage Premium 2008 (10.0)
    AddressGrabber Business 2010
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8
    Adobe Reader 8.2.0
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Ask Toolbar
    AT&T U-verse Setup
    Bonjour
    Boxee
    CA Pest Patrol Realtime Protection
    Canon Easy-WebPrint EX
    Canon IJ Network Scan Utility
    Canon IJ Network Tool
    Canon Inkjet Printer/Scanner/Fax Extended Survey Program
    Canon MP Navigator EX 3.1
    Canon MX870 series MP Drivers
    Canon MX870 series User Registration
    Canon Speed Dial Utility
    Canon Utilities Easy-PhotoPrint EX
    Canon Utilities My Printer
    Canon Utilities Solution Menu
    Comcast Desktop Software (v1.2.0.9)
    Compatibility Pack for the 2007 Office system
    ConTracker EZ
    CutePDF Writer 2.8
    D3DX10
    Dropbox
    ESET Online Scanner v3
    FileZilla Client 3.5.1
    Full Tilt Poker
    Google Toolbar for Internet Explorer
    Google Update Helper
    GoToMeeting 4.8.0.723
    GoToMyPC
    ImgBurn
    Internet TV for Windows Media Center
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 27
    Junk Mail filter update
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Mesh Runtime
    Messenger Companion
    Microsoft .NET Framework 4 Client Profile
    Microsoft Access 2002 Runtime
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Office Excel Viewer
    Microsoft Office Word Viewer 2003
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft SQL Server 2005 Express Edition (ACT7)
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MuseScore 1.1 MuseScore score typesetter
    NETGEAR WNDA3100v2 wireless USB 2.0 adapter
    NVIDIA Display Control Panel
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    NVIDIA Performance Drivers
    OpenOffice.org 3.3
    PlayLater
    PlayOn
    PVSonyDll
    QuickBooks
    QuickBooks Pro 2011
    QuickTime
    RingCentral Call Controller
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Skype Toolbars
    Skype™ 4.2
    SUPERAntiSpyware
    SupportSoft Assisted Service
    TeamViewer 6
    TeraCopy 2.12
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    VLC media player 1.0.5
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Mail
    Windows Live Mesh
    Windows Live Mesh ActiveX Control for Remote Connections
    Windows Live Messenger
    Windows Live Messenger Companion Core
    Windows Live MIME IFilter
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live Remote Client
    Windows Live Remote Client Resources
    Windows Live Remote Service
    Windows Live Remote Service Resources
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    Windows Movie Maker 2.6
    WinRAR archiver
    WOT for Internet Explorer
    XFINITY Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    12/22/2011 9:57:31 PM, Error: Service Control Manager [7000] - The SASKUTIL service failed to start due to the following error: The system cannot find the path specified.
    12/22/2011 9:56:55 PM, Error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: The system cannot find the path specified.
    12/22/2011 9:56:26 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    12/22/2011 9:56:11 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    12/22/2011 9:55:56 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL
    12/22/2011 9:53:01 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    12/22/2011 9:52:51 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496 Name: Virus:Win32/Sirefef.N ID: 2147652496 Severity: Severe Category: Virus Path: driver:_AFD;file:_C:\Windows\system32\drivers\afd.sys;regkey:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;safeboot:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;service:_AFD Detection Origin: Local machine Detection Type: Concrete Detection Source: User User: Welch-PC\Welch Process Name: Unknown Action: Quarantine Action Status: To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website. Error Code: 0x8007001e Error description: The system cannot read from the specified device. Signature Version: AV: 1.117.1602.0, AS: 1.117.1602.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
    12/22/2011 9:52:51 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496 Name: Virus:Win32/Sirefef.N ID: 2147652496 Severity: Severe Category: Virus Path: driver:_AFD;file:_C:\Windows\system32\drivers\afd.sys;regkey:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;safeboot:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;service:_AFD Detection Origin: Local machine Detection Type: Concrete Detection Source: User User: Welch-PC\Welch Process Name: Unknown Action: Clean Action Status: To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website. Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.117.1602.0, AS: 1.117.1602.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
    12/22/2011 9:51:31 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496 Name: Virus:Win32/Sirefef.N ID: 2147652496 Severity: Severe Category: Virus Path: driver:_AFD;file:_C:\Windows\system32\drivers\afd.sys;regkey:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;safeboot:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;service:_AFD Detection Origin: Local machine Detection Type: Concrete Detection Source: User User: Welch-PC\Welch Process Name: Unknown Action: Quarantine Action Status: To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website. Error Code: 0x8007001e Error description: The system cannot read from the specified device. Signature Version: AV: 1.117.1602.0, AS: 1.117.1602.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
    12/22/2011 9:51:31 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496 Name: Virus:Win32/Sirefef.N ID: 2147652496 Severity: Severe Category: Virus Path: driver:_AFD;file:_C:\Windows\system32\drivers\afd.sys;regkey:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;safeboot:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;service:_AFD Detection Origin: Local machine Detection Type: Concrete Detection Source: User User: Welch-PC\Welch Process Name: Unknown Action: Clean Action Status: To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website. Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.117.1602.0, AS: 1.117.1602.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
    12/22/2011 9:48:20 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496 Name: Virus:Win32/Sirefef.N ID: 2147652496 Severity: Severe Category: Virus Path: driver:_AFD;file:_C:\Windows\System32\drivers\afd.sys;regkey:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;safeboot:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;service:_AFD Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: Welch-PC\Welch Process Name: Unknown Action: Quarantine Action Status: To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website. Error Code: 0x8007001e Error description: The system cannot read from the specified device. Signature Version: AV: 1.117.1602.0, AS: 1.117.1602.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
    12/22/2011 9:48:19 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496 Name: Virus:Win32/Sirefef.N ID: 2147652496 Severity: Severe Category: Virus Path: driver:_AFD;file:_C:\Windows\System32\drivers\afd.sys;regkey:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;safeboot:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;service:_AFD Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: Welch-PC\Welch Process Name: Unknown Action: Clean Action Status: To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website. Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.117.1602.0, AS: 1.117.1602.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
    12/22/2011 9:42:13 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    12/22/2011 9:42:13 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    12/22/2011 9:42:12 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    12/22/2011 9:42:06 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD aswRdr aswSP aswTdi CSC discache MpFilter NetBIOS NetBT nsiproxy Psched rdbss SASDIFSV SASKUTIL spldr tdx VWiFiFlt Wanarpv6 WfpLwf
    12/22/2011 9:42:06 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    12/22/2011 9:41:38 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    12/22/2011 9:41:38 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    12/22/2011 9:41:38 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    12/22/2011 9:41:38 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    12/22/2011 9:41:38 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    12/22/2011 9:41:38 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    12/22/2011 9:41:38 PM, Error: Service Control Manager [7001] - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    12/22/2011 9:41:38 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    12/22/2011 9:37:15 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496 Name: Virus:Win32/Sirefef.N ID: 2147652496 Severity: Severe Category: Virus Path: driver:_AFD;file:_C:\Windows\System32\drivers\afd.sys;regkey:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;safeboot:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;service:_AFD Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: Welch-PC\Welch Process Name: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe Action: Clean Action Status: To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website. Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.117.1602.0, AS: 1.117.1602.0, NIS: 10.7.0.0 Engine Version: AM: 1.1.7903.0, NIS: 2.0.7707.0
    12/22/2011 9:32:19 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    12/22/2011 9:32:19 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: Real-time protection has stopped functioning for an unknown reason. Restart the service in order to recover.
    12/22/2011 3:14:03 AM, Error: Service Control Manager [7031] - The Microsoft Network Inspection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
    12/22/2011 11:34:34 AM, Error: Service Control Manager [7030] - The USB Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    12/22/2011 11:12:57 PM, Error: Service Control Manager [7023] - The Windows Update service terminated with the following error: %%-2147014846
    12/22/2011 11:12:56 PM, Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
    12/22/2011 11:12:56 PM, Error: Service Control Manager [7001] - The Function Discovery Provider Host service depends on the HTTP service which failed to start because of the following error: The device does not recognize the command.
    12/22/2011 11:12:56 PM, Error: Service Control Manager [7000] - The HTTP service failed to start due to the following error: The device does not recognize the command.
    12/22/2011 11:12:55 PM, Error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error %%-2147014846.
    12/22/2011 11:12:55 PM, Error: Microsoft-Windows-Bits-Client [16392] - The BITS service failed to start. Error 0x80072742.
    12/22/2011 11:11:09 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    12/22/2011 11:10:55 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD SASDIFSV SASKUTIL
    12/22/2011 11:10:55 PM, Error: Service Control Manager [7001] - The SSDP Discovery service depends on the HTTP service which failed to start because of the following error: The device does not recognize the command.
    12/22/2011 11:10:50 PM, Error: Service Control Manager [7024] - The SQL Server (ACT7) service terminated with service-specific error %%-1.
    12/22/2011 11:10:48 PM, Error: Service Control Manager [7001] - The Server service depends on the Server SMB 1.xxx Driver service which failed to start because of the following error: The dependency service or group failed to start.
    12/22/2011 11:10:48 PM, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.
    12/22/2011 11:10:47 PM, Error: Service Control Manager [7001] - The Server SMB 2.xxx Driver service depends on the srvnet service which failed to start because of the following error: The device does not recognize the command.
    12/22/2011 11:10:47 PM, Error: Service Control Manager [7001] - The Server SMB 1.xxx Driver service depends on the Server SMB 2.xxx Driver service which failed to start because of the following error: The dependency service or group failed to start.
    12/22/2011 11:10:40 PM, Error: Service Control Manager [7001] - The World Wide Web Publishing Service service depends on the HTTP service which failed to start because of the following error: The device does not recognize the command.
    12/22/2011 11:10:40 PM, Error: Service Control Manager [7001] - The Internet Connection Sharing (ICS) service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
    12/22/2011 11:10:40 PM, Error: Service Control Manager [7000] - The srvnet service failed to start due to the following error: The device does not recognize the command.
    12/22/2011 11:10:38 PM, Error: Service Control Manager [7023] - The USB Service service terminated with the following error: The specified module could not be found.
    12/22/2011 11:10:33 PM, Error: Service Control Manager [7001] - The IIS Admin Service service depends on the HTTP service which failed to start because of the following error: The device does not recognize the command.
    12/22/2011 11:10:33 PM, Error: Service Control Manager [7000] - The CA Pest Patrol Realtime Protection Service service failed to start due to the following error: Access is denied.
    12/22/2011 11:10:32 PM, Error: Service Control Manager [7024] - The Bonjour Service service terminated with service-specific error %%-1.
    12/22/2011 11:10:32 PM, Error: Service Control Manager [7023] - The Network Security service terminated with the following error: The specified module could not be found.
    12/22/2011 11:10:26 PM, Error: Service Control Manager [7001] - The Workstation service depends on the SMB 2.0 MiniRedirector service which failed to start because of the following error: The dependency service or group failed to start.
    12/22/2011 11:10:26 PM, Error: Service Control Manager [7001] - The Windows Firewall service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
    12/22/2011 11:10:26 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The device does not recognize the command.
    12/22/2011 11:10:26 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The device does not recognize the command.
    12/22/2011 11:10:26 PM, Error: Service Control Manager [7000] - The SMB MiniRedirector Wrapper and Engine service failed to start due to the following error: The device does not recognize the command.
    12/22/2011 11:10:24 PM, Error: Service Control Manager [7023] - The Base Filtering Engine service terminated with the following error: Access is denied.
    12/22/2011 11:10:24 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    12/22/2011 11:10:24 PM, Error: Service Control Manager [7001] - The Print Spooler service depends on the HTTP service which failed to start because of the following error: The device does not recognize the command.
    12/22/2011 11:10:24 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    12/22/2011 11:10:24 PM, Error: Service Control Manager [7000] - The avast! Antivirus service failed to start due to the following error: Access is denied.
    12/22/2011 11:07:48 PM, Error: Service Control Manager [7001] - The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service or group failed to start.
    12/22/2011 11:07:48 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the AFD service which failed to start because of the following error: The system cannot find the file specified.
    12/22/2011 11:07:48 PM, Error: Service Control Manager [7000] - The AFD service failed to start due to the following error: The system cannot find the file specified.
    12/22/2011 10:48:57 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    12/22/2011 10:21:30 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    12/22/2011 10:21:07 PM, Error: Service Control Manager [7003] - The Internet Connection Sharing (ICS) service depends the following service: BFE. This service might not be installed.
    12/17/2011 12:01:18 PM, Error: Service Control Manager [7034] - The QBCFMonitorService service terminated unexpectedly. It has done this 1 time(s).
    .
    ==== End Of File ===========================


    fss
    Farbar Service Scanner
    Ran by Welch (administrator) on 24-12-2011 at 21:45:37
    Microsoft Windows 7 Professional Service Pack 1 (X86)
    ****************************************************************

    Internet Services:
    ============
    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    afd Service is not running. Checking service configuration:
    The start type of afd service is OK.
    The ImagePath of afd service is OK.


    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============
    MpsSvc Service is not running. Checking service configuration:
    The start type of MpsSvc service is OK.
    The ImagePath of MpsSvc service is OK.
    The ServiceDll of MpsSvc service is OK.

    bfe Service is not running. Checking service configuration:
    The start type of bfe service is OK.
    The ImagePath of bfe service is OK.
    The ServiceDll of bfe service is OK.


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============
    SDRSVC Service is not running. Checking service configuration:
    The start type of SDRSVC service is OK.
    The ImagePath of SDRSVC service is OK.
    The ServiceDll of SDRSVC service is OK.

    VSS Service is not running. Checking service configuration:
    The start type of VSS service is OK.
    The ImagePath of VSS service is OK.


    System Restore Disabled Policy:
    ========================


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcore.dll => MD5 is legit
    Attention! C:\Windows\system32\Drivers\afd.sys is missing.
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
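Added example, not part of the original post and not from any of the tools used in this thread: a small Python triage of the Service Control Manager errors in the log above. It separates services that failed on their own (event 7000/7023, a 7026 driver-load failure, or a 7001 that carries a real error rather than "The dependency service or group failed to start.") from services that only failed because something they depend on did, and lists what each root failure blocks. The sample input is a handful of lines copied from the log above; service names are used exactly as the events print them, so "Base Filtering Engine" (7001/7023) and "BFE" (7003) are not merged.

```python
"""Triage Service Control Manager errors from a Windows event log dump.

Constructed example for this thread: parses the "Event Viewer Messages"
lines of a DDS-style log, finds the services that failed on their own
(root failures) and, for each, the services that only failed because
of it (transitive dependents).
"""
import re
from collections import defaultdict

# Sample input: a few lines copied from the log posted in this thread.
SAMPLE_LOG = """\
12/22/2011 11:10:26 PM, Error: Service Control Manager [7001] - The Windows Firewall service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
12/22/2011 11:10:24 PM, Error: Service Control Manager [7023] - The Base Filtering Engine service terminated with the following error: Access is denied.
12/22/2011 11:10:24 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2011 11:10:24 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2011 11:07:48 PM, Error: Service Control Manager [7001] - The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service or group failed to start.
12/22/2011 11:07:48 PM, Error: Service Control Manager [7000] - The AFD service failed to start due to the following error: The system cannot find the file specified.
12/22/2011 11:10:55 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD SASDIFSV SASKUTIL
12/22/2011 11:12:56 PM, Error: Service Control Manager [7000] - The HTTP service failed to start due to the following error: The device does not recognize the command.
12/22/2011 11:12:56 PM, Error: Service Control Manager [7001] - The Function Discovery Provider Host service depends on the HTTP service which failed to start because of the following error: The device does not recognize the command.
12/22/2011 11:12:56 PM, Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
12/22/2011 9:57:31 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed.
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), Error: "
    r"(?P<source>[^\[]+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)
DEP_MSG = "The dependency service or group failed to start."
MSG_RES = {
    "7000": re.compile(r"^The (?P<svc>.+?) service failed to start due to the following error: (?P<err>.+)$"),
    "7023": re.compile(r"^The (?P<svc>.+?) service terminated with the following error: (?P<err>.+)$"),
    "7001": re.compile(r"^The (?P<svc>.+?) service depends on the (?P<dep>.+?) service which failed to start because of the following error: (?P<err>.+)$"),
    "7026": re.compile(r"^The following boot-start or system-start driver\(s\) failed to load: (?P<drivers>.+)$"),
}


def parse_events(text):
    """Yield (event_id, message) for every Service Control Manager error line."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m and m.group("source") == "Service Control Manager":
            yield m.group("id"), m.group("msg")


def triage(text):
    """Return (roots, dependents).

    roots: service -> set of error strings it failed with on its own.
    dependents: root service -> set of services that failed only because of it
    (walked transitively through the 7001 dependency edges).
    """
    roots = defaultdict(set)
    depends_on = defaultdict(set)  # dependent service -> {service it needs}
    for event_id, msg in parse_events(text):
        pat = MSG_RES.get(event_id)
        m = pat.match(msg) if pat else None
        if not m:
            continue
        if event_id in ("7000", "7023"):
            roots[m.group("svc")].add(m.group("err"))
        elif event_id == "7026":
            for drv in m.group("drivers").split():
                roots[drv].add("boot-start driver failed to load")
        else:  # 7001: a dependency edge, and a root only if the error is a real one
            depends_on[m.group("svc")].add(m.group("dep"))
            if m.group("err") != DEP_MSG:
                roots[m.group("dep")].add(m.group("err"))
    dependents = defaultdict(set)
    for svc, deps in depends_on.items():
        stack, seen = list(deps), set()
        while stack:  # follow the chain down to every root this service rests on
            d = stack.pop()
            if d in seen:
                continue
            seen.add(d)
            dependents[d].add(svc)
            stack.extend(depends_on.get(d, ()))
    return dict(roots), {k: v for k, v in dependents.items() if k in roots}


def report(text):
    """One line per root failure, the ones blocking the most services first."""
    roots, dependents = triage(text)
    lines = []
    for svc in sorted(roots, key=lambda s: (-len(dependents.get(s, ())), s)):
        errs = "; ".join(sorted(roots[svc]))
        victims = ", ".join(sorted(dependents.get(svc, ()))) or "-"
        lines.append(f"{svc}: {errs} -> blocks: {victims}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On the sample lines this puts AFD first (file not found, driver failed to load, three services blocked) and Base Filtering Engine next (Access is denied, Windows Firewall blocked), which is the same picture the FSS log gives: afd.sys missing, bfe and MpsSvc not running. Every other 7001 in the dump is just fallout from those roots.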
  4. Broni

    Broni Malware Annihilator Posts: 46,132   +251


    For now I can see one system file missing so we'll try to find a replacement.
    Judging from the log I'd assume Windows firewall is whacked as well. Let me know.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
      Code:
      :filefind
      afd.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  5. mlw038

    mlw038 Newcomer, in training Topic Starter Posts: 36

    Yeah BFE and the firewall are both messed up. Here's the log:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 12:40 on 25/12/2011 by Welch
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "afd.sys"
    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_d7be98b5bfc0b4c1\afd.sys --a---- 338944 bytes [23:12 13/07/2009] [23:12 13/07/2009] DDC040FDB01EF1712A6B13E52AFB104C
    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16802_none_d81220b5bf827af7\afd.sys --a---- 338944 bytes [18:19 15/06/2011] [02:35 25/04/2011] 0DB7A48388D54D154EBEC120461A0FCD
    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.20951_none_d864ad9ad8c98d1f\afd.sys --a---- 338944 bytes [18:19 15/06/2011] [02:27 25/04/2011] C114AB7A1550D42EA1700FFD4179CF5A
    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys --a---- 338944 bytes [21:56 25/05/2011] [08:40 20/11/2010] 1151FD4FB0216CFED887BFDE29EBD516
    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_d9f97e05bca8003a\afd.sys --a---- 338944 bytes [18:19 15/06/2011] [02:18 25/04/2011] (Unable to calculate MD5)
    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys --a---- 338944 bytes [18:19 15/06/2011] [03:24 25/04/2011] C427F91A748CD342A2B3F9278D9FD6A5

    -= EOF =-
  6. Broni

    Broni Malware Annihilator Posts: 46,132   +251

  7. mlw038

    mlw038 Newcomer, in training Topic Starter Posts: 36

    Internet works now. =D
  8. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Good news :)

    Post new FSS log.
  9. mlw038

    mlw038 Newcomer, in training Topic Starter Posts: 36

    Farbar Service Scanner
    Ran by Welch (administrator) on 26-12-2011 at 20:23:28
    Microsoft Windows 7 Professional Service Pack 1 (X86)
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============
    MpsSvc Service is not running. Checking service configuration:
    The start type of MpsSvc service is OK.
    The ImagePath of MpsSvc service is OK.
    The ServiceDll of MpsSvc service is OK.

    bfe Service is not running. Checking service configuration:
    The start type of bfe service is OK.
    The ImagePath of bfe service is OK.
    The ServiceDll of bfe service is OK.


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============
    SDRSVC Service is not running. Checking service configuration:
    The start type of SDRSVC service is OK.
    The ImagePath of SDRSVC service is OK.
    The ServiceDll of SDRSVC service is OK.

    VSS Service is not running. Checking service configuration:
    The start type of VSS service is OK.
    The ImagePath of VSS service is OK.


    System Restore Disabled Policy:
    ========================


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcore.dll => MD5 is legit
    Attention! C:\Windows\system32\Drivers\afd.sys is missing.
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
  10. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Can you turn Windows firewall on now?
  11. mlw038

    mlw038 Newcomer, in training Topic Starter Posts: 36

    No, I tried clicking "Use recommended settings" and got an error code 0x8007042c
  12. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Yeah, this is what I thought.

    Since you can't be using your computer without any firewall, you have two options:
    - reinstall Windows
    - use 3rd party firewall like Comodo free firewall: http://personalfirewall.comodo.com/free-download.html

    Let me know, which way you want to go.
  13. mlw038

    mlw038 Newcomer, in training Topic Starter Posts: 36

    I just set up the 3rd party firewall.
  14. mlw038

    mlw038 Newcomer, in training Topic Starter Posts: 36

    :-/

    After I set up Comodo it asked me to do a reboot so I did. My computer got stuck on the screen before the Windows 7 image (there was just a blank underscore on a black screen). I manually reset again and got to the normal screen, ran Comodo then tried connecting to the internet and there was a yellow exclamation point by my internet... so my internet doesn't work again for that computer.
  15. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    There is a new version of FSS, so....

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.
  16. mlw038

    mlw038 Newcomer, in training Topic Starter Posts: 36

    Farbar Service Scanner
    Ran by Welch (administrator) on 27-12-2011 at 17:35:59
    Microsoft Windows 7 Professional Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============
    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    afd Service is not running. Checking service configuration:
    The start type of afd service is OK.
    The ImagePath of afd service is OK.


    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============
    MpsSvc Service is not running. Checking service configuration:
    The start type of MpsSvc service is OK.
    The ImagePath of MpsSvc service is OK.
    The ServiceDll of MpsSvc service is OK.

    bfe Service is not running. Checking service configuration:
    The start type of bfe service is OK.
    The ImagePath of bfe service is OK.
    The ServiceDll of bfe service is OK.


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============
    SDRSVC Service is not running. Checking service configuration:
    The start type of SDRSVC service is OK.
    The ImagePath of SDRSVC service is OK.
    The ServiceDll of SDRSVC service is OK.

    VSS Service is not running. Checking service configuration:
    The start type of VSS service is OK.
    The ImagePath of VSS service is OK.


    System Restore Disabled Policy:
    ========================


    Security Center:
    ============
    wscsvc Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcore.dll => MD5 is legit
    Attention! C:\Windows\system32\Drivers\afd.sys is missing.
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
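    The three findings in the FSS log above (services not running, afd.sys missing from System32\drivers, and the wscsvc service key gone from the registry) can be confirmed with stock Windows PowerShell, and the winsxs search that SystemLook's :filefind performed in post 5 can be folded into the same check. The script below is an added example written for this thread; it is not FSS, SystemLook or ComboFix code and not anything the posters ran. It assumes the expected start types are Windows 7 defaults (1 = System, 2 = Automatic, 3 = Manual) and checks the same service list FSS reports above; MD5 is used only because that is the hash these tools print, as a fingerprint to match copies, not as an integrity control.

```powershell
# Added example for this thread (not FSS/SystemLook/ComboFix code). Re-creates the
# service-configuration, file-presence and component-store checks that the tools
# above reported, using only Windows PowerShell. Run elevated, like FSS.
# Assumption: expected Start values are Windows 7 defaults; adjust to your baseline.
$ServicesToCheck = @(
    @{ Name = 'Dhcp';   Start = 2 },
    @{ Name = 'afd';    Start = 1 },   # kernel driver, start type System
    @{ Name = 'MpsSvc'; Start = 2 },
    @{ Name = 'BFE';    Start = 2 },
    @{ Name = 'SDRSVC'; Start = 3 },
    @{ Name = 'VSS';    Start = 3 },
    @{ Name = 'wscsvc'; Start = 2 }
)

function Get-Md5Hex([string]$Path) {
    # MD5 in hex, as FSS and SystemLook print it; works on PowerShell 2.0 too.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('X2') }) -join '' }
    finally { $stream.Close() }
}

function Resolve-ImageFile([string]$ImagePath) {
    # Strip svchost arguments (-k netsvcs) and quotes, expand %SystemRoot%, and turn
    # driver-style forms (\SystemRoot\..., \??\..., or a path relative to the Windows
    # directory) into an absolute path.
    $p = $ImagePath -replace '\s+-k\s+.*$', '' -replace '"', ''
    $p = [Environment]::ExpandEnvironmentVariables($p)
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-ServiceConfig($Svc) {
    # Mirrors FSS's "Checking service configuration" block for one service.
    $findings = @()
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Svc.Name)"
    if (-not (Test-Path $key)) {
        # The wscsvc condition in the FSS log above: the whole service key is gone.
        return @("Attention! $($Svc.Name): service registry key does not exist.")
    }
    # Win32_BaseService covers both Win32 services and kernel drivers such as afd.
    $wmi = Get-WmiObject Win32_BaseService -Filter "Name='$($Svc.Name)'"
    if (-not $wmi -or $wmi.State -ne 'Running') { $findings += "$($Svc.Name) service is not running." }

    $cfg = Get-ItemProperty $key
    if ($cfg.Start -ne $Svc.Start) { $findings += "$($Svc.Name): Start type is $($cfg.Start), expected $($Svc.Start)." }
    if (-not $cfg.ImagePath) {
        $findings += "$($Svc.Name): ImagePath value is missing."
    } else {
        $image = Resolve-ImageFile $cfg.ImagePath
        if (-not (Test-Path $image)) { $findings += "Attention! $image is missing." }
    }
    # svchost-hosted services keep their real code in Parameters\ServiceDll.
    $dll = (Get-ItemProperty "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) {
        $dll = Resolve-ImageFile $dll
        if (-not (Test-Path $dll)) { $findings += "Attention! ServiceDll $dll is missing." }
    }
    return $findings
}

function Find-WinSxsCopies([string]$FileName) {
    # What SystemLook's ":filefind" listed: every copy in the component store,
    # with size, file version and MD5 so the copies can be told apart.
    Get-ChildItem "$env:SystemRoot\winsxs" -Recurse -Filter $FileName -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path    = $_.FullName
                Bytes   = $_.Length
                Version = $_.VersionInfo.FileVersion
                MD5     = Get-Md5Hex $_.FullName
            }
        }
}

function Test-SystemFile([string]$Path) {
    # On Windows 7 the System32 copy is normally a hard link into winsxs, so the
    # installed file should be byte-identical to one of the store copies (ComboFix
    # restored afd.sys from exactly such a copy). A present file that matches none
    # of them deserves a closer look.
    $copies = @(Find-WinSxsCopies (Split-Path $Path -Leaf))
    if (-not (Test-Path $Path)) { return @{ Status = 'Missing'; Candidates = $copies } }
    $hash  = Get-Md5Hex $Path
    $match = @($copies | Where-Object { $_.MD5 -eq $hash })
    if ($match.Count -gt 0) { return @{ Status = 'MatchesComponentStore'; Candidates = $match } }
    return @{ Status = 'NoMatchingCopy'; Candidates = $copies }
}

# --- Report, in the order FSS prints it --------------------------------------
foreach ($svc in $ServicesToCheck) {
    $f = Test-ServiceConfig $svc
    if ($f) { $f | ForEach-Object { Write-Output $_ } } else { Write-Output "$($svc.Name): OK" }
}
$afd = Test-SystemFile "$env:SystemRoot\System32\drivers\afd.sys"
Write-Output "afd.sys: $($afd.Status)"
$afd.Candidates | Format-Table Version, Bytes, MD5, Path -AutoSize
```

    When afd.sys is reported Missing, the candidate table is the same list SystemLook produced in post 5; the copy whose version matches the installed service pack level is the one a repair would normally take. A file that is present but reports NoMatchingCopy is the case neither FSS nor SystemLook flags directly, and is worth comparing against a known-good machine before trusting it.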
  17. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    We have afd.sys file missing again.
    Possibly some infection keeps removing it.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.

    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run, then download and try to run another one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  18. mlw038

    mlw038 Newcomer, in training Topic Starter Posts: 36

    Internet works. Combofix told me that there was rootkit activity and had to do a reboot, so I did. Here's the log:

    ComboFix 11-12-29.04 - Welch 12/29/2011 12:51:52.2.2 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2046.1063 [GMT -5:00]
    Running from: c:\users\Welch\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\Internet Explorer\14F6.tmp
    c:\program files\Internet Explorer\8004.tmp
    c:\program files\Internet Explorer\8610.tmp
    c:\program files\Internet Explorer\8AE0.tmp
    c:\program files\Internet Explorer\9F5A.tmp
    c:\program files\Internet Explorer\D0F4.tmp
    c:\users\Welch\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Guard Online
    c:\windows\$NtUninstallKB28521$
    c:\windows\$NtUninstallKB28521$\3558784311
    c:\windows\$NtUninstallKB28521$\411072489\@
    c:\windows\$NtUninstallKB28521$\411072489\bckfg.tmp
    c:\windows\$NtUninstallKB28521$\411072489\cfg.ini
    c:\windows\$NtUninstallKB28521$\411072489\Desktop.ini
    c:\windows\$NtUninstallKB28521$\411072489\keywords
    c:\windows\$NtUninstallKB28521$\411072489\kwrd.dll
    c:\windows\$NtUninstallKB28521$\411072489\L\xadqgnnk
    c:\windows\$NtUninstallKB28521$\411072489\lsflt7.ver
    c:\windows\$NtUninstallKB28521$\411072489\U\00000001.@
    c:\windows\$NtUninstallKB28521$\411072489\U\00000002.@
    c:\windows\$NtUninstallKB28521$\411072489\U\00000004.@
    c:\windows\$NtUninstallKB28521$\411072489\U\80000000.@
    c:\windows\$NtUninstallKB28521$\411072489\U\80000004.@
    c:\windows\$NtUninstallKB28521$\411072489\U\80000032.@
    c:\windows\$NtUninstallKB37014$
    c:\windows\$NtUninstallKB37014$\3634874217
    .
    c:\windows\system32\drivers\afd.sys was missing
    Restored copy from - c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys
    .
    c:\windows\system32\drivers\cdrom.sys was missing
    Restored copy from - c:\windows\System32\DriverStore\FileRepository\cdrom.inf_x86_neutral_6381e09675524225\cdrom.sys
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-29 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-29 18:00 . 2011-12-29 18:06 -------- d-----w- c:\users\Welch\AppData\Local\temp
    2011-12-29 18:00 . 2011-12-29 18:00 -------- d-----w- c:\users\Public\AppData\Local\temp
    2011-12-29 18:00 . 2011-12-29 18:00 -------- d-----w- c:\users\EGTransServer\AppData\Local\temp
    2011-12-29 18:00 . 2011-12-29 18:00 -------- d-----w- c:\users\DefaultAppPool\AppData\Local\temp
    2011-12-29 18:00 . 2011-12-29 18:00 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-29 18:00 . 2011-12-29 18:00 -------- d-----w- c:\users\Classic .NET AppPool\AppData\Local\temp
    2011-12-29 17:59 . 2010-11-20 08:38 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2011-12-29 17:50 . 2011-12-29 18:05 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8EDB6578-9ACE-468F-B36F-5E6FEC3F0222}\offreg.dll
    2011-12-29 17:42 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2011-12-27 03:49 . 2011-12-29 18:06 -------- d-----w- c:\programdata\CPA_VA
    2011-12-27 03:42 . 2011-12-27 03:45 -------- d-----w- c:\programdata\Comodo
    2011-12-27 03:42 . 2011-12-27 03:42 1700352 ----a-w- c:\windows\system32\gdiplus.dll
    2011-12-27 03:42 . 2011-12-27 03:42 -------- d-----w- c:\program files\COMODO
    2011-12-26 23:02 . 2011-11-21 07:47 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-12-26 23:01 . 2011-11-21 07:47 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8EDB6578-9ACE-468F-B36F-5E6FEC3F0222}\mpengine.dll
    2011-12-23 02:34 . 2011-12-23 02:35 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-12-23 02:32 . 2011-12-23 02:32 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1ABC2FD0-C57A-4D7B-B07A-2137ACC1186E}\gapaengine.dll
    2011-12-23 02:31 . 2011-12-23 02:31 -------- d-----w- c:\program files\Microsoft Security Client
    2011-12-22 02:44 . 2011-12-22 02:44 -------- d-----w- c:\program files\WOT
    2011-12-19 23:59 . 2011-12-19 23:59 82400 ----a-w- c:\windows\system32\drivers\inspect.sys
    2011-12-19 23:59 . 2011-12-19 23:59 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
    2011-12-19 23:59 . 2011-12-19 23:59 39640 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2011-12-19 23:59 . 2011-12-19 23:59 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
    2011-12-19 23:58 . 2011-12-19 23:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
    2011-12-19 23:58 . 2011-12-19 23:58 301224 ----a-w- c:\windows\system32\guard32.dll
    2011-12-14 03:03 . 2011-11-05 04:30 860672 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
    2011-12-14 03:03 . 2011-11-05 04:30 163328 ----a-w- c:\program files\Internet Explorer\ieproxy.dll
    2011-12-14 03:02 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-14 03:02 . 2011-10-26 04:28 38912 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-06 12:15 . 2010-05-16 10:00 277504 ----a-w- c:\windows\system32\CNMLMA7.DLL
    2011-12-06 12:14 . 2011-01-06 18:08 1310720 ----a-w- c:\windows\system32\CNC870C.dll
    2011-12-06 12:14 . 2011-01-06 18:08 110592 ----a-w- c:\windows\system32\CNC870I.dll
    2011-12-06 12:14 . 2011-01-06 18:07 102400 ----a-w- c:\windows\system32\CNC870U.dll
    2011-12-01 03:28 . 2011-12-01 03:42 -------- d-----w- c:\users\Welch\AppData\Local\PhotoChannel
    2011-11-30 22:55 . 2011-12-02 16:57 -------- d-----w- c:\users\Welch\AppData\Local\WMTools Downloaded Files
    2011-11-30 22:45 . 2011-11-30 22:45 -------- d-----w- c:\program files\Movie Maker 2.6
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-05 17:56 . 2010-01-14 16:00 952 --sha-w- c:\programdata\KGyGaAvL.sys
    2011-11-24 04:25 . 2011-12-14 03:03 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-11-08 12:27 . 2011-11-08 12:27 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-05 04:35 . 2011-12-14 03:03 981504 ----a-w- c:\windows\system32\wininet.dll
    2011-11-05 04:26 . 2011-12-14 03:03 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-11-05 02:48 . 2011-12-14 03:03 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-10-26 04:47 . 2011-12-14 03:02 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-26 04:47 . 2011-12-14 03:02 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RCHotKey"="c:\program files\RingCentral\RingCentral Call Controller\RCHotKey.exe" [2010-01-29 32768]
    "GoToMeeting"="c:\program files\Citrix\GoToMeeting\723\g2mstart.exe" [2011-07-14 39816]
    "Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
    "ComcastAntispyClient"="c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-08-19 1589208]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-05-06 2815192]
    "EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
    "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-09-30 2215768]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    "COMODO"="c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe" [2011-11-23 208184]
    "CPA"="c:\program files\COMODO\COMODO GeekBuddy\VALA.exe" [2011-11-23 182584]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-12-21 6676808]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10w_ActiveX.exe" [2011-11-08 243360]
    .
    c:\users\Welch\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\Welch\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-12-5 24242056]
    OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
    .
    c:\users\Welch\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
    OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2009-12-18 40368]
    Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2009-12-18 738776]
    Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe [2011-11-9 5889880]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [N/A]
    NETGEAR WNDA3100v2 Smart Wizard.lnk - c:\program files\NETGEAR\WNDA3100v2\WNDA3100v2.exe [2011-3-29 4577760]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-11-9 1156968]
    QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks 2008\QBW32.EXE [2011-11-9 1178984]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\System32\guard32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "wave1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R1 MpKsl3f914193;MpKsl3f914193;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8D64EEA0-376B-4456-A638-875A3119E81D}\MpKsl3f914193.sys [x]
    R1 MpKsl51a1ac52;MpKsl51a1ac52;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0D8536BA-7DEE-4DF5-8A11-59E312F3F251}\MpKsl51a1ac52.sys [x]
    R1 MpKsl644f65eb;MpKsl644f65eb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3C011C60-481D-4FF4-9BFF-4FE130E7CC16}\MpKsl644f65eb.sys [x]
    R1 MpKsl7c329dc2;MpKsl7c329dc2;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1AE285F8-8ABB-45C0-BD6B-A9A051F32CC0}\MpKsl7c329dc2.sys [x]
    R1 MpKsl8c012499;MpKsl8c012499;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4655FF60-70A6-4F61-884D-553707CA24C4}\MpKsl8c012499.sys [x]
    R1 MpKslea50dec1;MpKslea50dec1;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8EDB6578-9ACE-468F-B36F-5E6FEC3F0222}\MpKslea50dec1.sys [x]
    R1 SASDIFSV;SASDIFSV;c:\users\Welch\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
    R1 SASKUTIL;SASKUTIL;c:\users\Welch\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.sys [x]
    R2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [2008-06-25 65536]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 NecUsb;USB Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
    R2 WSWNDA3100;WSWNDA3100;c:\program files\NETGEAR\WNDA3100v2\WifiSvc.exe [2010-08-19 272864]
    R3 2WXG7053;2W 802.11g XG705 SP3 Driver;c:\windows\system32\DRIVERS\WlanUIG.sys [2007-04-24 358304]
    R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2007-03-27 857600]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
    R3 netr73;Belkin Wireless G Plus MIMO USB Network Adapter Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2007-11-12 468480]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
    R3 SASENUM;SASENUM;c:\users\Welch\AppData\Local\Temp\SAS_SelfExtract\SASENUM.SYS [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-13 1343400]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
    R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 135664]
    R4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 135664]
    R4 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 20992]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
    S0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\DRIVERS\scmndisp.sys [2007-01-19 21728]
    S1 aswSP;aswSP; [x]
    S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2011-12-19 491816]
    S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2011-12-19 39640]
    S1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
    S2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-06-17 616408]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-05-06 51792]
    S2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO GeekBuddy\CLPSLS.exe [2011-11-23 1052472]
    S2 MediaMall Server;MediaMall Server;c:\program files\MediaMall\MediaMallServer.exe [2011-12-20 5424504]
    S2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
    S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [2010-04-30 3795560]
    S2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [2011-06-30 1248256]
    S2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2010-11-30 2222376]
    S3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh6.sys [2009-11-06 699896]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
    S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    iissvcs REG_MULTI_SZ w3svc was
    apphost REG_MULTI_SZ apphostsvc
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    NecUsbSevice REG_MULTI_SZ NecUsb
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 23:54]
    .
    2011-06-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 23:54]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local;<local>
    uInternet Settings,ProxyServer = http=127.0.0.1:53172
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    IE: {{90A81828-92DB-400e-AECD-78C540F5EB49} - c:\program files\eGrabber\AddressGrabber Business 2010\InternetAddress.exe
    TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
    TCP: Interfaces\{48C9BFA9-EF0D-4489-934E-C8C8E54983BD}: NameServer = 8.26.56.26,156.154.70.22
    TCP: Interfaces\{C3AEE420-1FF5-42AC-A7A3-691E806C986A}: NameServer = 8.26.56.26,156.154.70.22
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-24899557.sys
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.dfsc]
    "ImagePath"="\*"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-274280530-1200791623-3899067147-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.Email.1"
    .
    [HKEY_USERS\S-1-5-21-274280530-1200791623-3899067147-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="WindowsLiveMail.VCard.1"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(528)
    c:\windows\system32\guard32.dll
    .
    - - - - - - - > 'Explorer.exe'(4832)
    c:\windows\system32\guard32.dll
    c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    c:\program files\RingCentral\RingCentral Call Controller\RCHotKeyHook.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
    c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
    c:\windows\system32\nvvsvc.exe
    c:\windows\system32\WLANExt.exe
    c:\windows\system32\conhost.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Citrix\GoToMyPC\g2svc.exe
    c:\windows\system32\inetsrv\inetinfo.exe
    c:\program files\Citrix\GoToMyPC\g2comm.exe
    c:\program files\Canon\IJPLM\IJPLMSVC.EXE
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\program files\Citrix\GoToMyPC\g2pre.exe
    c:\program files\Citrix\GoToMyPC\g2tray.exe
    c:\program files\common files\protexis\license service\psiservice_2.exe
    c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\WUDFHost.exe
    c:\program files\COMODO\COMODO GeekBuddy\CLPS.exe
    c:\windows\system32\UI0Detect.exe
    c:\program files\OpenOffice.org 3\program\soffice.exe
    c:\program files\OpenOffice.org 3\program\soffice.bin
    c:\program files\Citrix\GoToMeeting\723\g2mcomm.exe
    c:\program files\Citrix\GoToMeeting\723\g2mlauncher.exe
    c:\windows\system32\sppsvc.exe
    c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
    c:\program files\Common Files\Java\Java Update\jucheck.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-29 13:14:00 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-29 18:13
    ComboFix2.txt 2011-06-10 18:38
    .
    Pre-Run: 232,696,279,040 bytes free
    Post-Run: 233,108,856,832 bytes free
    .
    - - End Of File - - 5251184D25D3BD1E0CF7EE662B2EBF84
     
  19. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Good news :)

    Combofix log looks good.

    Any current issues?

    Post new FSS log.
  20. mlw038

    mlw038 Newcomer, in training Topic Starter Posts: 36

    No current issues. Here's the FSS log:

    Farbar Service Scanner
    Ran by Welch (administrator) on 30-12-2011 at 17:16:07
    Microsoft Windows 7 Professional Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============
    MpsSvc Service is not running. Checking service configuration:
    The start type of MpsSvc service is OK.
    The ImagePath of MpsSvc service is OK.
    The ServiceDll of MpsSvc service is OK.

    bfe Service is not running. Checking service configuration:
    The start type of bfe service is OK.
    The ImagePath of bfe service is OK.
    The ServiceDll of bfe service is OK.


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============
    SDRSVC Service is not running. Checking service configuration:
    The start type of SDRSVC service is OK.
    The ImagePath of SDRSVC service is OK.
    The ServiceDll of SDRSVC service is OK.

    VSS Service is not running. Checking service configuration:
    The start type of VSS service is OK.
    The ImagePath of VSS service is OK.


    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ===========

    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcore.dll => MD5 is legit
    Attention! C:\Windows\system32\Drivers\afd.sys is missing.
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
  21. Broni

    Please run Farbar Service Scanner.
    Type the following in the edit box after "Search:".

    afd.sys

    Click Search Files button and post the log (FSS.txt) it makes to your reply.
  22. mlw038

    The internet stopped working again. Here's the search log and I'll post the FSS log that scans everything as well.

    Farbar Service Scanner
    Ran by Welch (administrator) on 03-01-2012 at 21:56:46
    Windows 7 Professional Service Pack 1 (X86)

    ************************************************
    ================== Search: "afd.sys" ===================

    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys
    [2011-06-15 13:19] - [2011-04-24 22:24] - 0338944 ____A (Microsoft Corporation) C427F91A748CD342A2B3F9278D9FD6A5

    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_d9f97e05bca8003a\afd.sys
    [2011-06-15 13:19] - [2011-04-24 21:18] - 0338944 ____N () D41D8CD98F00B204E9800998ECF8427E

    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys
    [2011-05-25 16:56] - [2010-11-20 03:40] - 0338944 ____A (Microsoft Corporation) 1151FD4FB0216CFED887BFDE29EBD516

    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.20951_none_d864ad9ad8c98d1f\afd.sys
    [2011-06-15 13:19] - [2011-04-24 21:27] - 0338944 ____A (Microsoft Corporation) C114AB7A1550D42EA1700FFD4179CF5A

    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16802_none_d81220b5bf827af7\afd.sys
    [2011-06-15 13:19] - [2011-04-24 21:35] - 0338944 ____A (Microsoft Corporation) 0DB7A48388D54D154EBEC120461A0FCD

    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_d7be98b5bfc0b4c1\afd.sys
    [2009-07-13 18:12] - [2009-07-13 18:12] - 0338944 ____A (Microsoft Corporation) DDC040FDB01EF1712A6B13E52AFB104C

    ====== End Of Search ======

    FSS scan
    Farbar Service Scanner
    Ran by Welch (administrator) on 03-01-2012 at 21:57:57
    Microsoft Windows 7 Professional Service Pack 1 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============
    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    afd Service is not running. Checking service configuration:
    The start type of afd service is OK.
    The ImagePath of afd service is OK.


    Connection Status:
    ==============
    Localhost is accessible.
    There is no connection to network.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============
    MpsSvc Service is not running. Checking service configuration:
    The start type of MpsSvc service is OK.
    The ImagePath of MpsSvc service is OK.
    The ServiceDll of MpsSvc service is OK.

    bfe Service is not running. Checking service configuration:
    The start type of bfe service is OK.
    The ImagePath of bfe service is OK.
    The ServiceDll of bfe service is OK.


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============
    SDRSVC Service is not running. Checking service configuration:
    The start type of SDRSVC service is OK.
    The ImagePath of SDRSVC service is OK.
    The ServiceDll of SDRSVC service is OK.

    VSS Service is not running. Checking service configuration:
    The start type of VSS service is OK.
    The ImagePath of VSS service is OK.


    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcore.dll => MD5 is legit
    Attention! C:\Windows\system32\Drivers\afd.sys is missing.
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****
  23. Broni

    Download TDSSKiller and save it to your desktop.
    • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

    =============================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
  24. mlw038

    23:00:20.0488 2628 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
    23:00:20.0519 2628 ============================================================
    23:00:20.0519 2628 Current date / time: 2012/01/03 23:00:20.0519
    23:00:20.0519 2628 SystemInfo:
    23:00:20.0519 2628
    23:00:20.0519 2628 OS Version: 6.1.7601 ServicePack: 1.0
    23:00:20.0519 2628 Product type: Workstation
    23:00:20.0519 2628 ComputerName: WELCH-PC
    23:00:20.0519 2628 UserName: Welch
    23:00:20.0519 2628 Windows directory: C:\Windows
    23:00:20.0519 2628 System windows directory: C:\Windows
    23:00:20.0519 2628 Processor architecture: Intel x86
    23:00:20.0519 2628 Number of processors: 2
    23:00:20.0519 2628 Page size: 0x1000
    23:00:20.0519 2628 Boot type: Normal boot
    23:00:20.0519 2628 ============================================================
    23:00:21.0923 2628 Initialize success
    23:00:25.0886 0200 ============================================================
    23:00:25.0886 0200 Scan started
    23:00:25.0886 0200 Mode: Manual;
    23:00:25.0886 0200 ============================================================
    23:00:26.0635 0200 .dfsc - ok
    23:00:26.0775 0200 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\drivers\1394ohci.sys
    23:00:26.0775 0200 1394ohci - ok
    23:00:26.0869 0200 2WXG7053 (576af12c5fed35d8afac2a5ee49d0dff) C:\Windows\system32\DRIVERS\WlanUIG.sys
    23:00:26.0900 0200 2WXG7053 - ok
    23:00:26.0947 0200 ACPI (cea80c80bed809aa0da6febc04733349) C:\Windows\system32\drivers\ACPI.sys
    23:00:26.0962 0200 ACPI - ok
    23:00:27.0025 0200 AcpiPmi (1efbc664abff416d1d07db115dcb264f) C:\Windows\system32\drivers\acpipmi.sys
    23:00:27.0025 0200 AcpiPmi - ok
    23:00:27.0118 0200 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
    23:00:27.0118 0200 adp94xx - ok
    23:00:27.0149 0200 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
    23:00:27.0149 0200 adpahci - ok
    23:00:27.0181 0200 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
    23:00:27.0181 0200 adpu320 - ok
    23:00:27.0227 0200 AFD - ok
    23:00:27.0274 0200 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\drivers\agp440.sys
    23:00:27.0274 0200 agp440 - ok
    23:00:27.0337 0200 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
    23:00:27.0337 0200 aic78xx - ok
    23:00:27.0399 0200 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\drivers\aliide.sys
    23:00:27.0399 0200 aliide - ok
    23:00:27.0430 0200 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\drivers\amdagp.sys
    23:00:27.0430 0200 amdagp - ok
    23:00:27.0461 0200 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\drivers\amdide.sys
    23:00:27.0461 0200 amdide - ok
    23:00:27.0493 0200 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
    23:00:27.0493 0200 AmdK8 - ok
    23:00:27.0508 0200 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
    23:00:27.0508 0200 AmdPPM - ok
    23:00:27.0571 0200 amdsata (d320bf87125326f996d4904fe24300fc) C:\Windows\system32\drivers\amdsata.sys
    23:00:27.0571 0200 amdsata - ok
    23:00:27.0617 0200 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
    23:00:27.0633 0200 amdsbs - ok
    23:00:27.0727 0200 amdxata (46387fb17b086d16dea267d5be23a2f2) C:\Windows\system32\drivers\amdxata.sys
    23:00:27.0727 0200 amdxata - ok
    23:00:27.0836 0200 AppID (aea177f783e20150ace5383ee368da19) C:\Windows\system32\drivers\appid.sys
    23:00:27.0836 0200 AppID - ok
    23:00:27.0929 0200 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
    23:00:27.0929 0200 arc - ok
    23:00:27.0961 0200 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
    23:00:27.0961 0200 arcsas - ok
    23:00:28.0054 0200 aswFsBlk (1b6ed99291ddf5d2501554cc5757aab6) C:\Windows\system32\drivers\aswFsBlk.sys
    23:00:28.0054 0200 aswFsBlk - ok
    23:00:28.0132 0200 aswMonFlt (58254e06b36b984e33ae314c0ea8f1a5) C:\Windows\system32\drivers\aswMonFlt.sys
    23:00:28.0132 0200 aswMonFlt - ok
    23:00:28.0163 0200 aswRdr (3e2b6112d2766f87eda8466fde86a986) C:\Windows\system32\drivers\aswRdr.sys
    23:00:28.0163 0200 aswRdr - ok
    23:00:28.0210 0200 aswSP (d78b644816db540e103d0b0766fd9967) C:\Windows\system32\drivers\aswSP.sys
    23:00:28.0210 0200 aswSP - ok
    23:00:28.0257 0200 aswTdi (606d731008d98b6ef946730c597c1642) C:\Windows\system32\drivers\aswTdi.sys
    23:00:28.0273 0200 aswTdi - ok
    23:00:28.0304 0200 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
    23:00:28.0304 0200 AsyncMac - ok
    23:00:28.0351 0200 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\drivers\atapi.sys
    23:00:28.0351 0200 atapi - ok
    23:00:28.0429 0200 athrusb (cd90739cb064f5a234a41d190f25a822) C:\Windows\system32\DRIVERS\athrusb.sys
    23:00:28.0460 0200 athrusb - ok
    23:00:28.0616 0200 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
    23:00:28.0631 0200 b06bdrv - ok
    23:00:28.0678 0200 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
    23:00:28.0678 0200 b57nd60x - ok
    23:00:28.0787 0200 BCMH43XX (601259276b934f0c938bff4f558c5691) C:\Windows\system32\DRIVERS\bcmwlhigh6.sys
    23:00:28.0803 0200 BCMH43XX - ok
    23:00:28.0834 0200 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
    23:00:28.0834 0200 Beep - ok
    23:00:28.0928 0200 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
    23:00:28.0928 0200 blbdrive - ok
    23:00:28.0975 0200 bowser (8f2da3028d5fcbd1a060a3de64cd6506) C:\Windows\system32\DRIVERS\bowser.sys
    23:00:28.0990 0200 bowser - ok
    23:00:29.0006 0200 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
    23:00:29.0006 0200 BrFiltLo - ok
    23:00:29.0037 0200 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
    23:00:29.0037 0200 BrFiltUp - ok
    23:00:29.0068 0200 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
    23:00:29.0068 0200 Brserid - ok
    23:00:29.0099 0200 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
    23:00:29.0099 0200 BrSerWdm - ok
    23:00:29.0115 0200 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
    23:00:29.0115 0200 BrUsbMdm - ok
    23:00:29.0146 0200 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
    23:00:29.0146 0200 BrUsbSer - ok
    23:00:29.0177 0200 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
    23:00:29.0177 0200 BTHMODEM - ok
    23:00:29.0287 0200 catchme - ok
    23:00:29.0333 0200 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
    23:00:29.0333 0200 cdfs - ok
    23:00:29.0458 0200 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
    23:00:29.0458 0200 circlass - ok
    23:00:29.0505 0200 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
    23:00:29.0505 0200 CLFS - ok
    23:00:29.0614 0200 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
    23:00:29.0614 0200 CmBatt - ok
    23:00:29.0661 0200 cmdGuard (da8b98c232dadb0e6aee6f46d0a22114) C:\Windows\system32\DRIVERS\cmdguard.sys
    23:00:29.0739 0200 cmdGuard - ok
    23:00:29.0801 0200 cmdHlp (051d5be8106f09dd5e0d5589ea931b1e) C:\Windows\system32\DRIVERS\cmdhlp.sys
    23:00:29.0833 0200 cmdHlp - ok
    23:00:29.0864 0200 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\drivers\cmdide.sys
    23:00:29.0864 0200 cmdide - ok
    23:00:29.0895 0200 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys
    23:00:29.0895 0200 CNG - ok
    23:00:29.0926 0200 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
    23:00:29.0926 0200 Compbatt - ok
    23:00:29.0989 0200 CompositeBus (cbe8c58a8579cfe5fccf809e6f114e89) C:\Windows\system32\drivers\CompositeBus.sys
    23:00:29.0989 0200 CompositeBus - ok
    23:00:30.0035 0200 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
    23:00:30.0035 0200 crcdisk - ok
    23:00:30.0129 0200 CSC (3c2177a897b4ca2788c6fb0c3fd81d4b) C:\Windows\system32\drivers\csc.sys
    23:00:30.0129 0200 CSC - ok
    23:00:30.0176 0200 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
    23:00:30.0176 0200 discache - ok
    23:00:30.0379 0200 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
    23:00:30.0379 0200 Disk - ok
    23:00:30.0488 0200 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
    23:00:30.0488 0200 drmkaud - ok
    23:00:30.0550 0200 DXGKrnl (23f5d28378a160352ba8f817bd8c71cb) C:\Windows\System32\drivers\dxgkrnl.sys
    23:00:30.0581 0200 DXGKrnl - ok
    23:00:30.0691 0200 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
    23:00:30.0753 0200 ebdrv - ok
    23:00:30.0831 0200 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
    23:00:30.0831 0200 elxstor - ok
    23:00:30.0878 0200 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\drivers\errdev.sys
    23:00:30.0878 0200 ErrDev - ok
    23:00:30.0909 0200 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
    23:00:30.0909 0200 exfat - ok
    23:00:30.0956 0200 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
    23:00:30.0956 0200 fastfat - ok
    23:00:31.0034 0200 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
    23:00:31.0034 0200 fdc - ok
    23:00:31.0065 0200 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
    23:00:31.0065 0200 FileInfo - ok
    23:00:31.0096 0200 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
    23:00:31.0096 0200 Filetrace - ok
    23:00:31.0112 0200 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
    23:00:31.0127 0200 flpydisk - ok
    23:00:31.0159 0200 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
    23:00:31.0159 0200 FltMgr - ok
    23:00:31.0190 0200 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
    23:00:31.0190 0200 FsDepends - ok
    23:00:31.0221 0200 fssfltr (d909075fa72c090f27aa926c32cb4612) C:\Windows\system32\DRIVERS\fssfltr.sys
    23:00:31.0221 0200 fssfltr - ok
    23:00:31.0268 0200 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
    23:00:31.0268 0200 Fs_Rec - ok
    23:00:31.0330 0200 fvevol (8a73e79089b282100b9393b644cb853b) C:\Windows\system32\DRIVERS\fvevol.sys
    23:00:31.0330 0200 fvevol - ok
    23:00:31.0439 0200 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
    23:00:31.0455 0200 gagp30kx - ok
    23:00:31.0486 0200 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
    23:00:31.0486 0200 GEARAspiWDM - ok
    23:00:31.0580 0200 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
    23:00:31.0580 0200 hcw85cir - ok
    23:00:31.0658 0200 HdAudAddService (a5ef29d5315111c80a5c1abad14c8972) C:\Windows\system32\drivers\HdAudio.sys
    23:00:31.0658 0200 HdAudAddService - ok
    23:00:31.0720 0200 HDAudBus (9036377b8a6c15dc2eec53e489d159b5) C:\Windows\system32\drivers\HDAudBus.sys
    23:00:31.0720 0200 HDAudBus - ok
    23:00:31.0751 0200 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
    23:00:31.0751 0200 HidBatt - ok
    23:00:31.0783 0200 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
    23:00:31.0783 0200 HidBth - ok
    23:00:31.0829 0200 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
    23:00:31.0829 0200 HidIr - ok
    23:00:31.0892 0200 HidUsb (10c19f8290891af023eaec0832e1eb4d) C:\Windows\system32\DRIVERS\hidusb.sys
    23:00:31.0892 0200 HidUsb - ok
    23:00:31.0939 0200 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\drivers\HpSAMD.sys
    23:00:31.0939 0200 HpSAMD - ok
    23:00:31.0985 0200 HTTP (871917b07a141bff43d76d8844d48106) C:\Windows\system32\drivers\HTTP.sys
    23:00:32.0001 0200 HTTP - ok
    23:00:32.0032 0200 hwpolicy (0c4e035c7f105f1299258c90886c64c5) C:\Windows\system32\drivers\hwpolicy.sys
    23:00:32.0032 0200 hwpolicy - ok
    23:00:32.0110 0200 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\drivers\i8042prt.sys
    23:00:32.0141 0200 i8042prt - ok
    23:00:32.0219 0200 iaStorV (5cd5f9a5444e6cdcb0ac89bd62d8b76e) C:\Windows\system32\drivers\iaStorV.sys
    23:00:32.0219 0200 iaStorV - ok
    23:00:32.0329 0200 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
    23:00:32.0329 0200 iirsp - ok
    23:00:32.0438 0200 inspect (2ee3db2c1760171c6f72f2f1792a47b5) C:\Windows\system32\DRIVERS\inspect.sys
    23:00:32.0453 0200 inspect - ok
    23:00:32.0485 0200 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\drivers\intelide.sys
    23:00:32.0485 0200 intelide - ok
    23:00:32.0531 0200 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
    23:00:32.0531 0200 intelppm - ok
    23:00:32.0594 0200 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
    23:00:32.0594 0200 IpFilterDriver - ok
    23:00:32.0625 0200 IPMIDRV (4bd7134618c1d2a27466a099062547bf) C:\Windows\system32\drivers\IPMIDrv.sys
    23:00:32.0625 0200 IPMIDRV - ok
    23:00:32.0656 0200 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
    23:00:32.0656 0200 IPNAT - ok
    23:00:32.0734 0200 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
    23:00:32.0734 0200 IRENUM - ok
    23:00:32.0765 0200 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\drivers\isapnp.sys
    23:00:32.0765 0200 isapnp - ok
    23:00:32.0812 0200 iScsiPrt (cb7a9abb12b8415bce5d74994c7ba3ae) C:\Windows\system32\drivers\msiscsi.sys
    23:00:32.0812 0200 iScsiPrt - ok
    23:00:32.0890 0200 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\DRIVERS\kbdclass.sys
    23:00:32.0890 0200 kbdclass - ok
    23:00:32.0953 0200 kbdhid (3d9f0ebf350edcfd6498057301455964) C:\Windows\system32\DRIVERS\kbdhid.sys
    23:00:32.0953 0200 kbdhid - ok
    23:00:32.0999 0200 KSecDD (412cea1aa78cc02a447f5c9e62b32ff1) C:\Windows\system32\Drivers\ksecdd.sys
    23:00:32.0999 0200 KSecDD - ok
    23:00:33.0109 0200 KSecPkg (26c046977e85b95036453d7b88ba1820) C:\Windows\system32\Drivers\ksecpkg.sys
    23:00:33.0109 0200 KSecPkg - ok
    23:00:33.0171 0200 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
    23:00:33.0171 0200 lltdio - ok
    23:00:33.0249 0200 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
    23:00:33.0249 0200 LSI_FC - ok
    23:00:33.0265 0200 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
    23:00:33.0265 0200 LSI_SAS - ok
    23:00:33.0296 0200 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
    23:00:33.0296 0200 LSI_SAS2 - ok
    23:00:33.0327 0200 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
    23:00:44.0762 0200 ============================================================
    23:00:44.0762 0200 Scan finished
    23:00:44.0762 0200 ============================================================
    23:00:44.0777 1764 Detected object count: 0
    23:00:44.0777 1764 Actual detected object count: 0

    aswMBR
    aswMBR version 0.9.9.1156 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-03 23:02:16
    -----------------------------
    23:02:16.272 OS Version: Windows 6.1.7601 Service Pack 1
    23:02:16.272 Number of processors: 2 586 0xF06
    23:02:16.272 ComputerName: WELCH-PC UserName: Welch
    23:02:17.114 Initialize success
    23:02:18.268 AVAST engine defs: 11100801
    23:02:54.074 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2
    23:02:54.074 Disk 0 Vendor: WDC_WD3200KS-75PFB0 21.00M21 Size: 305245MB BusType: 11
    23:02:54.090 Disk 0 MBR read successfully
    23:02:54.090 Disk 0 MBR scan
    23:02:54.402 Disk 0 Windows 7 default MBR code
    23:02:54.402 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    23:02:54.636 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 305143 MB offset 206848
    23:02:54.667 Disk 0 scanning sectors +625139712
    23:02:54.932 Disk 0 scanning C:\Windows\system32\drivers
    23:03:07.287 Service scanning
    23:03:07.974 Service .dfsc \* **LOCKED** 123
    23:03:08.067 Service MpKsl30e4c518 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{36FDB12E-C01C-4143-BCC6-159F720665A6}\MpKsl30e4c518.sys **LOCKED** 32
    23:03:08.083 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
    23:03:08.738 Modules scanning
    23:03:21.515 Disk 0 trace - called modules:
    23:03:21.530 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys
    23:03:21.546 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85a715e0]
    23:03:21.546 3 CLASSPNP.SYS[88f8f59e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-2[0x84c2f908]
    23:03:22.248 AVAST engine scan C:\Windows
    23:03:24.463 AVAST engine scan C:\Windows\system32
    23:04:49.000 AVAST engine scan C:\Windows\system32\drivers
    23:04:56.846 AVAST engine scan C:\Users\Welch
    23:09:09.645 AVAST engine scan C:\ProgramData
    23:10:38.425 Scan finished successfully
    23:12:46.259 Disk 0 MBR has been saved successfully to "C:\Users\Welch\Desktop\MBR.dat"
    23:12:46.337 The log file has been saved successfully to "C:\Users\Welch\Desktop\aswMBR.txt"
  25. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    All looks clean.

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys | C:\Windows\system32\Drivers\afd.sys
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt

    Post a new FSS log as well.
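The FCopy:: line in that CFScript replaces the live afd.sys with the copy kept in the WinSxS servicing store. The following is an added read-only check (not part of Broni's post or of ComboFix) that shows whether the two files currently differ and whether the dependent services are running; the two paths are the ones from the CFScript, while the service names and the choice of MD5 are assumptions.

```powershell
# Added example, not from Broni's post or from ComboFix: a read-only check of what the
# FCopy:: line above changes. The two paths are the ones in the CFScript; the service
# names and the use of MD5 (the hash format TDSSKiller prints) are assumptions.
$Target = 'C:\Windows\system32\Drivers\afd.sys'
$Source = 'C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys'

function Get-Md5Hex {
    # Lower-case hex MD5, the same format as the "(hash)" column in a TDSSKiller log.
    # Uses .NET directly so it also runs on the PowerShell 2.0 that ships with Windows 7.
    param([string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($md5.ComputeHash($fs)) -replace '-', '').ToLower() }
    finally { $fs.Close() }
}

function Get-DriverReport {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Exists = $false }
    }
    $item = Get-Item -LiteralPath $Path
    # Note: on Windows 7 most in-box drivers are signed through a catalog, not an embedded
    # signature, so "NotSigned" here is informational only; the hash comparison decides.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = '(none)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        Path     = $Path
        Exists   = $true
        Size     = $item.Length
        Version  = $item.VersionInfo.FileVersion
        MD5      = Get-Md5Hex $Path
        SigState = $sig.Status.ToString()
        Signer   = $signer
    }
}

$live = Get-DriverReport $Target
$good = Get-DriverReport $Source
$live, $good | Format-List Path, Exists, Size, Version, MD5, SigState, Signer

# What the FCopy:: line is meant to repair: a live afd.sys that is missing or that no
# longer matches the servicing-stack copy. Run this before and again after ComboFix;
# after the fix the two MD5 values should be identical.
if (-not $good.Exists) {
    Write-Warning 'WinSxS copy not found; the FCopy:: line would have nothing to copy.'
} elseif (-not $live.Exists) {
    Write-Warning 'Live afd.sys is missing; FCopy:: will restore it from WinSxS.'
} elseif ($live.MD5 -ne $good.MD5) {
    Write-Warning 'Live afd.sys differs from the WinSxS copy; FCopy:: will replace it.'
} else {
    Write-Host 'Live afd.sys already matches the WinSxS copy; no replacement needed.'
}

# The driver and the two services that fail when afd.sys is broken: AFD itself, then Base
# Filtering Engine and Windows Firewall, the ones this thread reports refusing to start.
# sc.exe is used because Get-Service does not list kernel drivers such as afd.
foreach ($name in 'afd', 'BFE', 'MpsSvc') {
    $state = sc.exe query $name | Select-String 'STATE'
    if ($state) { '{0,-8} {1}' -f $name, $state.Line.Trim() }
    else        { '{0,-8} not installed or query failed' -f $name }
}
```

Run it from an elevated PowerShell prompt; it changes nothing on disk, so it is safe to run both before and after the ComboFix pass.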