Inactive Fake Windows 2012 anti-virus removed? Having Internet/firewall issues

mlw038 · Dec 22, 2011

Alright so I used MSE and Malwarebytes to remove it and then I was having issues with my firewall not turning on so I used post 2 from here:
http://answers.microsoft.com/en-us/...firewall/ec3fc3b8-69ec-4b4b-a703-4b745fe6e8ee

Once I got firewall and BFE to reappear after a reset I got errors for those to start and my internet stopped working. Here are my logs:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122301

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

12/22/2011 11:19:42 PM
mbam-log-2011-12-22 (23-19-42).txt

Scan type: Quick scan
Objects scanned: 205241
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Gmer

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-22 23:35:22
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 WDC_WD3200KS-75PFB0 rev.21.00M21
Running: qmrrckbj.exe; Driver: C:\Users\Welch\AppData\Local\Temp\fgloqpog.sys

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 82C45369 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C7ED52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text autochk.exe 004011D1 42 Bytes [C4, 08, 5D, C3, CC, CC, CC, ...]
.text autochk.exe 004011FC 5 Bytes [8B, E5, 5D, C2, 08]
.text autochk.exe 00401202 41 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
.text autochk.exe 0040122C 5 Bytes [8B, E5, 5D, C2, 08]
.text autochk.exe 00401232 47 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\MediaMall\MediaMallServer.exe[1032] KERNEL32.dll!GetFileAttributesExW 75CF307E 6 Bytes JMP 71A90F5A
.text C:\Program Files\MediaMall\MediaMallServer.exe[1032] KERNEL32.dll!GetModuleFileNameW 75CFEF35 6 Bytes JMP 71AF0F5A

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000053 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB28521$\3558784311 0 bytes
File C:\Windows\$NtUninstallKB28521$\411072489 0 bytes
File C:\Windows\$NtUninstallKB28521$\411072489\@ 2048 bytes
File C:\Windows\$NtUninstallKB28521$\411072489\bckfg.tmp 814 bytes
File C:\Windows\$NtUninstallKB28521$\411072489\cfg.ini 207 bytes
File C:\Windows\$NtUninstallKB28521$\411072489\Desktop.ini 4608 bytes
File C:\Windows\$NtUninstallKB28521$\411072489\keywords 219 bytes
File C:\Windows\$NtUninstallKB28521$\411072489\kwrd.dll 223744 bytes
File C:\Windows\$NtUninstallKB28521$\411072489\L 0 bytes
File C:\Windows\$NtUninstallKB28521$\411072489\L\xadqgnnk 338944 bytes
File C:\Windows\$NtUninstallKB28521$\411072489\lsflt7.ver 5176 bytes
File C:\Windows\$NtUninstallKB28521$\411072489\U 0 bytes
File C:\Windows\$NtUninstallKB28521$\411072489\U\00000001.@ 1536 bytes
File C:\Windows\$NtUninstallKB28521$\411072489\U\00000002.@ 224768 bytes
File C:\Windows\$NtUninstallKB28521$\411072489\U\00000004.@ 1024 bytes
File C:\Windows\$NtUninstallKB28521$\411072489\U\80000000.@ 11264 bytes
File C:\Windows\$NtUninstallKB28521$\411072489\U\80000004.@ 12800 bytes
File C:\Windows\$NtUninstallKB28521$\411072489\U\80000032.@ 97792 bytes
File C:\Windows\$NtUninstallKB37014$\3634874217 0 bytes
File C:\Windows\$NtUninstallKB37014$\411072489 0 bytes
File C:\Windows\$NtUninstallKB37014$\411072489\L 0 bytes
File C:\Windows\$NtUninstallKB37014$\411072489\U 0 bytes

---- EOF - GMER 1.0.15 ----

DDS
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514
Run by Welch at 23:35:54 on 2011-12-22
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2046.1186 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\MediaMall\MediaMallServer.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
c:\program files\common files\protexis\license service\psiservice_2.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe
C:\Program Files\Common Files\supportsoft\bin\bcont.exe
C:\Program Files\comcasttb\ComcastSpywareScan\ComcastAntiSpy.exe
C:\Users\Welch\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:53172
BHO: AutorunsDisabled - No File
BHO: Canon Easy-WebPrint EX BHO - No File
BHO: XFINITY Toolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - c:\program files\xfin_portal\comcastdx.dll
BHO: Updater For XFIN_PORTAL: {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} - c:\program files\xfin_portal\auxi\comcastAu.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: XFINITY Toolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - c:\program files\xfin_portal\comcastdx.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [RCHotKey] "c:\program files\ringcentral\ringcentral call controller\RCHotKey.exe"
uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\723\g2mstart.exe" "/Trigger RunAtLogon"
uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden
uRun: [ComcastAntispyClient] "c:\program files\comcasttb\comcastspywarescan\ComcastAntispy.exe" /hide
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10w_ActiveX.exe -update activex
StartupFolder: c:\users\welch\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\welch\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\welch\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\users\welch\appdata\roaming\micros~1\windows\startm~1\programs\startup\autoru~1\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\intuit~1.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\netgea~1.lnk - c:\program files\netgear\wnda3100v2\WNDA3100v2.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\quickb~2.lnk - c:\program files\intuit\quickbooks 2008\QBW32.EXE
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {90A81828-92DB-400e-AECD-78C540F5EB49} - c:\program files\egrabber\addressgrabber business 2010\InternetAddress.exe
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: mswsock.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{1F580317-1C55-40BC-BE99-23BD28E176D9} : DhcpNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{48C9BFA9-EF0D-4489-934E-C8C8E54983BD} : DhcpNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{48C9BFA9-EF0D-4489-934E-C8C8E54983BD}\D4966496233373230253633303 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A08A42F6-2480-4698-B1CD-BA35177C272B} : DhcpNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{A08A42F6-2480-4698-B1CD-BA35177C272B}\2375942554235393 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{A8D10DF4-D8AD-42D1-9E93-EDF8AE3FD0EE} : DhcpNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{C3AEE420-1FF5-42AC-A7A3-691E806C986A} : DhcpNameServer = 192.168.2.1 192.168.2.1
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\drivers\SCMNdisP.sys [2011-3-29 21728]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-5 164048]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl1e3c35cb;MpKsl1e3c35cb;c:\programdata\microsoft\microsoft antimalware\definition updates\{48356ec5-2bf8-4339-8230-c8e086a7eb36}\MpKsl1e3c35cb.sys [2011-12-22 29904]
R1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-6-17 616408]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-5 19024]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-6-5 51792]
R2 MediaMall Server;MediaMall Server;c:\program files\mediamall\MediaMallServer.exe [2011-10-22 5424504]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\nvidia corporation\performance drivers\nvPDsvc.exe [2010-4-30 3795560]
R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2011-6-30 1248256]
R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2010-12-6 2222376]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh6.sys [2011-3-29 699896]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2010-1-14 65536]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-5 40384]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
S2 NecUsb;USB Service;c:\windows\system32\svchost.exe -k NecUsbSevice [2009-7-13 20992]
S2 WSWNDA3100;WSWNDA3100;c:\program files\netgear\wnda3100v2\WifiSvc.exe [2011-3-29 272864]
S3 2WXG7053;2W 802.11g XG705 SP3 Driver;c:\windows\system32\drivers\wlanUIG.sys [2007-4-24 358304]
S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\drivers\athrusb.sys [2007-3-27 857600]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-5 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-5 40384]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-11-29 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
S3 netr73;Belkin Wireless G Plus MIMO USB Network Adapter Driver for Vista;c:\windows\system32\drivers\netr73.sys [2007-11-12 468480]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-25 52224]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-13 1343400]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-14 135664]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-14 135664]
S4 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2009-7-13 20992]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2011-12-23 04:10:56 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{48356ec5-2bf8-4339-8230-c8e086a7eb36}\MpKsl1e3c35cb.sys
2011-12-23 04:10:27 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{48356ec5-2bf8-4339-8230-c8e086a7eb36}\offreg.dll
2011-12-23 02:34:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-23 02:32:08 703824 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{1abc2fd0-c57a-4d7b-b07a-2137acc1186e}\gapaengine.dll
2011-12-23 02:32:03 6823496 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{48356ec5-2bf8-4339-8230-c8e086a7eb36}\mpengine.dll
2011-12-23 02:31:04 -------- d-----w- c:\program files\Microsoft Security Client
2011-12-22 02:44:47 -------- d-----w- c:\program files\WOT
2011-12-14 03:02:54 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-14 03:02:53 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-14 03:02:50 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-14 03:02:50 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-06 12:15:18 277504 ----a-w- c:\windows\system32\CNMLMA7.DLL
2011-12-06 12:14:48 1310720 ----a-w- c:\windows\system32\CNC870C.dll
2011-12-06 12:14:48 110592 ----a-w- c:\windows\system32\CNC870I.dll
2011-12-06 12:14:48 102400 ----a-w- c:\windows\system32\CNC870U.dll
2011-12-01 03:28:22 -------- d-----w- c:\users\welch\appdata\local\PhotoChannel
2011-11-30 22:55:29 -------- d-----w- c:\users\welch\appdata\local\WMTools Downloaded Files
2011-11-30 22:45:04 -------- d-----w- c:\program files\Movie Maker 2.6
2011-11-30 00:40:58 -------- d-----w- c:\users\welch\appdata\local\{44EC752A-6758-4570-AD3D-1EE973CF2685}
2011-11-30 00:40:48 -------- d-----w- c:\users\welch\appdata\local\{5E933785-29B1-4B2B-B665-51EDC1AA3982}
2011-11-30 00:32:44 -------- d-----w- c:\users\welch\appdata\local\{6A718644-F11C-49A6-BB32-8168ECECCA8E}
2011-11-24 10:47:15 -------- d-----w- c:\users\welch\appdata\roaming\IPNycA1uv2b4
2011-11-24 10:47:15 -------- d-----w- c:\users\welch\appdata\roaming\dmG5sQJ6dKfZhXj
2011-11-24 10:44:01 -------- d-----w- c:\users\welch\appdata\roaming\YbF4pmG5sJdKfZh
2011-11-24 10:44:01 -------- d-----w- c:\users\welch\appdata\roaming\eXwjUCelIrPyAuS
2011-11-24 10:43:50 -------- d-----w- c:\users\welch\appdata\roaming\WhYXwjUVtPyAu24
2011-11-24 10:43:49 -------- d-----w- c:\users\welch\appdata\roaming\kamH6sWJ7E8TqYw
.
==================== Find3M ====================
.
2011-12-05 17:56:26 952 --sha-w- c:\programdata\KGyGaAvL.sys
2011-11-24 04:25:27 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-11-08 12:27:26 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-05 04:35:00 981504 ----a-w- c:\windows\system32\wininet.dll
2011-11-05 04:26:03 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-05 02:48:51 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-29 16:03:04 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
============= FINISH: 23:36:25.83 ===============

Broni · Dec 23, 2011

Welcome aboard

Please, observe following rules:

Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
If you're stuck, or you're not sure about certain step, always ask before doing anything else.
Please refrain from running tools or applying updates other than those I suggest.
Never run more than one scan at a time.
Keep updating me regarding your computer behavior, good, or bad.
The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

============================================================

Attach.txt part of DDS is missing so please provide that.

Then....

Please download Farbar Service Scanner and run it on the computer with the issue.

Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

mlw038 · Dec 24, 2011

Sorry about the Attach missing, the post was over 50k characters and I couldn't find the post I made after I made it. Anyways here's the logs for attach then ffs. Thanks and merry christmas!

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/19/2009 7:48:29 PM
System Uptime: 12/22/2011 11:10:06 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 0DN075
Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz | Microprocessor | 2394/1066mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 298 GiB total, 217.452 GiB free.
D: is Removable
E: is Removable
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: Voyager
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_CORSAIR&PROD_VOYAGER&REV_0.00#100000039EEA6A&0#
Manufacturer: Corsair
Name: CORSAIR
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_CORSAIR&PROD_VOYAGER&REV_0.00#100000039EEA6A&0#
Service: WUDFRd
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB HS-SD Card
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-SD_CARD&REV_4.00#000003093FED&3#
Manufacturer: TEAC
Name: G:\
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-SD_CARD&REV_4.00#000003093FED&3#
Service: WUDFRd
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: SASDIFSV
Device ID: ROOT\LEGACY_SASDIFSV\0000
Manufacturer:
Name: SASDIFSV
PNP Device ID: ROOT\LEGACY_SASDIFSV\0000
Service: SASDIFSV
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: MpKsl3f914193
Device ID: ROOT\LEGACY_MPKSL3F914193\0000
Manufacturer:
Name: MpKsl3f914193
PNP Device ID: ROOT\LEGACY_MPKSL3F914193\0000
Service: MpKsl3f914193
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: SASKUTIL
Device ID: ROOT\LEGACY_SASKUTIL\0000
Manufacturer:
Name: SASKUTIL
PNP Device ID: ROOT\LEGACY_SASKUTIL\0000
Service: SASKUTIL
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: MpKsl51a1ac52
Device ID: ROOT\LEGACY_MPKSL51A1AC52\0000
Manufacturer:
Name: MpKsl51a1ac52
PNP Device ID: ROOT\LEGACY_MPKSL51A1AC52\0000
Service: MpKsl51a1ac52
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: MX870 series
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_CANON&PROD_MX870_SERIES&REV_0101#7&F01AA71&0&119E08&0#
Manufacturer: Canon
Name: H:\
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_CANON&PROD_MX870_SERIES&REV_0101#7&F01AA71&0&119E08&0#
Service: WUDFRd
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: MpKsl644f65eb
Device ID: ROOT\LEGACY_MPKSL644F65EB\0000
Manufacturer:
Name: MpKsl644f65eb
PNP Device ID: ROOT\LEGACY_MPKSL644F65EB\0000
Service: MpKsl644f65eb
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB HS-xD/SM
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-XD#SM&REV_4.00#000003093FED&1#
Manufacturer: TEAC
Name: E:\
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-XD#SM&REV_4.00#000003093FED&1#
Service: WUDFRd
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: MpKsl7c329dc2
Device ID: ROOT\LEGACY_MPKSL7C329DC2\0000
Manufacturer:
Name: MpKsl7c329dc2
PNP Device ID: ROOT\LEGACY_MPKSL7C329DC2\0000
Service: MpKsl7c329dc2
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: @%systemroot%\system32\drivers\afd.sys,-1000
Device ID: ROOT\LEGACY_AFD\0000
Manufacturer:
Name: @%systemroot%\system32\drivers\afd.sys,-1000
PNP Device ID: ROOT\LEGACY_AFD\0000
Service: AFD
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: MpKsl8c012499
Device ID: ROOT\LEGACY_MPKSL8C012499\0000
Manufacturer:
Name: MpKsl8c012499
PNP Device ID: ROOT\LEGACY_MPKSL8C012499\0000
Service: MpKsl8c012499
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: HTTP
Device ID: ROOT\LEGACY_HTTP\0000
Manufacturer:
Name: HTTP
PNP Device ID: ROOT\LEGACY_HTTP\0000
Service: HTTP
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB HS-CF Card
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-CF_CARD&REV_4.00#000003093FED&0#
Manufacturer: TEAC
Name: D:\
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-CF_CARD&REV_4.00#000003093FED&0#
Service: WUDFRd
.
Class GUID: {4d36e965-e325-11ce-bfc1-08002be10318}
Description: CD-ROM Drive
Device ID: IDE\CDROMPHILIPS_DVD+-RW_DVD8801_________________4D28____\5&44E1900&0&0.0.0
Manufacturer: (Standard CD-ROM drives)
Name: PHILIPS DVD+-RW DVD8801 ATA Device
PNP Device ID: IDE\CDROMPHILIPS_DVD+-RW_DVD8801_________________4D28____\5&44E1900&0&0.0.0
Service: cdrom
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: USB HS-MS Card
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-MS_CARD&REV_4.00#000003093FED&2#
Manufacturer: TEAC
Name: F:\
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_TEAC&PROD_USB___HS-MS_CARD&REV_4.00#000003093FED&2#
Service: WUDFRd
.
==== System Restore Points ===================
.
RP271: 11/25/2011 5:06:47 PM - Windows Update
RP272: 11/29/2011 5:06:01 PM - Windows Update
RP273: 11/30/2011 5:44:37 PM - Installed Windows Movie Maker 2.6
RP274: 12/3/2011 5:06:06 PM - Windows Update
RP275: 12/7/2011 9:54:05 AM - Windows Update
RP276: 12/11/2011 1:52:30 AM - Windows Update
RP277: 12/14/2011 2:00:50 AM - Windows Update
RP278: 12/14/2011 3:00:11 AM - Windows Update
RP279: 12/17/2011 3:25:54 AM - Windows Update
RP280: 12/21/2011 3:25:55 AM - Windows Update
RP281: 12/21/2011 9:44:24 PM - Installed WOT for Internet Explorer
RP282: 12/22/2011 11:07:29 PM - Restore Operation
.
==== Installed Programs ======================
.
.
ACT! by Sage Premium 2008 (10.0)
AddressGrabber Business 2010
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8
Adobe Reader 8.2.0
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
AT&T U-verse Setup
Bonjour
Boxee
CA Pest Patrol Realtime Protection
Canon Easy-WebPrint EX
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon Inkjet Printer/Scanner/Fax Extended Survey Program
Canon MP Navigator EX 3.1
Canon MX870 series MP Drivers
Canon MX870 series User Registration
Canon Speed Dial Utility
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
Comcast Desktop Software (v1.2.0.9)
Compatibility Pack for the 2007 Office system
ConTracker EZ
CutePDF Writer 2.8
D3DX10
Dropbox
ESET Online Scanner v3
FileZilla Client 3.5.1
Full Tilt Poker
Google Toolbar for Internet Explorer
Google Update Helper
GoToMeeting 4.8.0.723
GoToMyPC
ImgBurn
Internet TV for Windows Media Center
iTunes
Java Auto Updater
Java(TM) 6 Update 27
Junk Mail filter update
Malwarebytes' Anti-Malware version 1.51.2.1300
Mesh Runtime
Messenger Companion
Microsoft .NET Framework 4 Client Profile
Microsoft Access 2002 Runtime
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Office Excel Viewer
Microsoft Office Word Viewer 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2005 Express Edition (ACT7)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MuseScore 1.1 MuseScore score typesetter
NETGEAR WNDA3100v2 wireless USB 2.0 adapter
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA Performance Drivers
OpenOffice.org 3.3
PlayLater
PlayOn
PVSonyDll
QuickBooks
QuickBooks Pro 2011
QuickTime
RingCentral Call Controller
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Skype Toolbars
Skype™ 4.2
SUPERAntiSpyware
SupportSoft Assisted Service
TeamViewer 6
TeraCopy 2.12
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
VLC media player 1.0.5
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Windows Movie Maker 2.6
WinRAR archiver
WOT for Internet Explorer
XFINITY Toolbar
.
==== Event Viewer Messages From Past Week ========
.
12/22/2011 9:57:31 PM, Error: Service Control Manager [7000] - The SASKUTIL service failed to start due to the following error: The system cannot find the path specified.
12/22/2011 9:56:55 PM, Error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: The system cannot find the path specified.
12/22/2011 9:56:26 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
12/22/2011 9:56:11 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
12/22/2011 9:55:56 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL
12/22/2011 9:53:01 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
12/22/2011 9:52:51 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496 Name: Virus:Win32/Sirefef.N ID: 2147652496 Severity: Severe Category: Virus Path: driver:_AFD;file:_C:\Windows\system32\drivers\afd.sys;regkey:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;safeboot:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;service:_AFD Detection Origin: Local machine Detection Type: Concrete Detection Source: User User: Welch-PC\Welch Process Name: Unknown Action: Quarantine Action Status: To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website. Error Code: 0x8007001e Error description: The system cannot read from the specified device. Signature Version: AV: 1.117.1602.0, AS: 1.117.1602.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
12/22/2011 9:52:51 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496 Name: Virus:Win32/Sirefef.N ID: 2147652496 Severity: Severe Category: Virus Path: driver:_AFD;file:_C:\Windows\system32\drivers\afd.sys;regkey:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;safeboot:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;service:_AFD Detection Origin: Local machine Detection Type: Concrete Detection Source: User User: Welch-PC\Welch Process Name: Unknown Action: Clean Action Status: To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website. Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.117.1602.0, AS: 1.117.1602.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
12/22/2011 9:51:31 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496 Name: Virus:Win32/Sirefef.N ID: 2147652496 Severity: Severe Category: Virus Path: driver:_AFD;file:_C:\Windows\system32\drivers\afd.sys;regkey:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;safeboot:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;service:_AFD Detection Origin: Local machine Detection Type: Concrete Detection Source: User User: Welch-PC\Welch Process Name: Unknown Action: Quarantine Action Status: To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website. Error Code: 0x8007001e Error description: The system cannot read from the specified device. Signature Version: AV: 1.117.1602.0, AS: 1.117.1602.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
12/22/2011 9:51:31 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496 Name: Virus:Win32/Sirefef.N ID: 2147652496 Severity: Severe Category: Virus Path: driver:_AFD;file:_C:\Windows\system32\drivers\afd.sys;regkey:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;safeboot:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;service:_AFD Detection Origin: Local machine Detection Type: Concrete Detection Source: User User: Welch-PC\Welch Process Name: Unknown Action: Clean Action Status: To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website. Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.117.1602.0, AS: 1.117.1602.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
12/22/2011 9:48:20 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496 Name: Virus:Win32/Sirefef.N ID: 2147652496 Severity: Severe Category: Virus Path: driver:_AFD;file:_C:\Windows\System32\drivers\afd.sys;regkey:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;safeboot:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;service:_AFD Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: Welch-PC\Welch Process Name: Unknown Action: Quarantine Action Status: To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website. Error Code: 0x8007001e Error description: The system cannot read from the specified device. Signature Version: AV: 1.117.1602.0, AS: 1.117.1602.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
12/22/2011 9:48:19 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496 Name: Virus:Win32/Sirefef.N ID: 2147652496 Severity: Severe Category: Virus Path: driver:_AFD;file:_C:\Windows\System32\drivers\afd.sys;regkey:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;safeboot:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;service:_AFD Detection Origin: Local machine Detection Type: Concrete Detection Source: System User: Welch-PC\Welch Process Name: Unknown Action: Clean Action Status: To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website. Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.117.1602.0, AS: 1.117.1602.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.7903.0, NIS: 0.0.0.0
12/22/2011 9:42:13 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
12/22/2011 9:42:13 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
12/22/2011 9:42:12 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/22/2011 9:42:06 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD aswRdr aswSP aswTdi CSC discache MpFilter NetBIOS NetBT nsiproxy Psched rdbss SASDIFSV SASKUTIL spldr tdx VWiFiFlt Wanarpv6 WfpLwf
12/22/2011 9:42:06 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
12/22/2011 9:41:38 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
12/22/2011 9:41:38 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2011 9:41:38 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
12/22/2011 9:41:38 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
12/22/2011 9:41:38 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2011 9:41:38 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
12/22/2011 9:41:38 PM, Error: Service Control Manager [7001] - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
12/22/2011 9:41:38 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2011 9:37:15 PM, Error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Sirefef.N&threatid=2147652496 Name: Virus:Win32/Sirefef.N ID: 2147652496 Severity: Severe Category: Virus Path: driver:_AFD;file:_C:\Windows\System32\drivers\afd.sys;regkey:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;safeboot:_HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\AFD;service:_AFD Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection User: Welch-PC\Welch Process Name: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe Action: Clean Action Status: To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website. Error Code: 0x800704ec Error description: This program is blocked by group policy. For more information, contact your system administrator. Signature Version: AV: 1.117.1602.0, AS: 1.117.1602.0, NIS: 10.7.0.0 Engine Version: AM: 1.1.7903.0, NIS: 2.0.7707.0
12/22/2011 9:32:19 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
12/22/2011 9:32:19 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: Real-time protection has stopped functioning for an unknown reason. Restart the service in order to recover.
12/22/2011 3:14:03 AM, Error: Service Control Manager [7031] - The Microsoft Network Inspection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
12/22/2011 11:34:34 AM, Error: Service Control Manager [7030] - The USB Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
12/22/2011 11:12:57 PM, Error: Service Control Manager [7023] - The Windows Update service terminated with the following error: %%-2147014846
12/22/2011 11:12:56 PM, Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
12/22/2011 11:12:56 PM, Error: Service Control Manager [7001] - The Function Discovery Provider Host service depends on the HTTP service which failed to start because of the following error: The device does not recognize the command.
12/22/2011 11:12:56 PM, Error: Service Control Manager [7000] - The HTTP service failed to start due to the following error: The device does not recognize the command.
12/22/2011 11:12:55 PM, Error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error %%-2147014846.
12/22/2011 11:12:55 PM, Error: Microsoft-Windows-Bits-Client [16392] - The BITS service failed to start. Error 0x80072742.
12/22/2011 11:11:09 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
12/22/2011 11:10:55 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD SASDIFSV SASKUTIL
12/22/2011 11:10:55 PM, Error: Service Control Manager [7001] - The SSDP Discovery service depends on the HTTP service which failed to start because of the following error: The device does not recognize the command.
12/22/2011 11:10:50 PM, Error: Service Control Manager [7024] - The SQL Server (ACT7) service terminated with service-specific error %%-1.
12/22/2011 11:10:48 PM, Error: Service Control Manager [7001] - The Server service depends on the Server SMB 1.xxx Driver service which failed to start because of the following error: The dependency service or group failed to start.
12/22/2011 11:10:48 PM, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.
12/22/2011 11:10:47 PM, Error: Service Control Manager [7001] - The Server SMB 2.xxx Driver service depends on the srvnet service which failed to start because of the following error: The device does not recognize the command.
12/22/2011 11:10:47 PM, Error: Service Control Manager [7001] - The Server SMB 1.xxx Driver service depends on the Server SMB 2.xxx Driver service which failed to start because of the following error: The dependency service or group failed to start.
12/22/2011 11:10:40 PM, Error: Service Control Manager [7001] - The World Wide Web Publishing Service service depends on the HTTP service which failed to start because of the following error: The device does not recognize the command.
12/22/2011 11:10:40 PM, Error: Service Control Manager [7001] - The Internet Connection Sharing (ICS) service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
12/22/2011 11:10:40 PM, Error: Service Control Manager [7000] - The srvnet service failed to start due to the following error: The device does not recognize the command.
12/22/2011 11:10:38 PM, Error: Service Control Manager [7023] - The USB Service service terminated with the following error: The specified module could not be found.
12/22/2011 11:10:33 PM, Error: Service Control Manager [7001] - The IIS Admin Service service depends on the HTTP service which failed to start because of the following error: The device does not recognize the command.
12/22/2011 11:10:33 PM, Error: Service Control Manager [7000] - The CA Pest Patrol Realtime Protection Service service failed to start due to the following error: Access is denied.
12/22/2011 11:10:32 PM, Error: Service Control Manager [7024] - The Bonjour Service service terminated with service-specific error %%-1.
12/22/2011 11:10:32 PM, Error: Service Control Manager [7023] - The Network Security service terminated with the following error: The specified module could not be found.
12/22/2011 11:10:26 PM, Error: Service Control Manager [7001] - The Workstation service depends on the SMB 2.0 MiniRedirector service which failed to start because of the following error: The dependency service or group failed to start.
12/22/2011 11:10:26 PM, Error: Service Control Manager [7001] - The Windows Firewall service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
12/22/2011 11:10:26 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The device does not recognize the command.
12/22/2011 11:10:26 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The device does not recognize the command.
12/22/2011 11:10:26 PM, Error: Service Control Manager [7000] - The SMB MiniRedirector Wrapper and Engine service failed to start due to the following error: The device does not recognize the command.
12/22/2011 11:10:24 PM, Error: Service Control Manager [7023] - The Base Filtering Engine service terminated with the following error: Access is denied.
12/22/2011 11:10:24 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2011 11:10:24 PM, Error: Service Control Manager [7001] - The Print Spooler service depends on the HTTP service which failed to start because of the following error: The device does not recognize the command.
12/22/2011 11:10:24 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/22/2011 11:10:24 PM, Error: Service Control Manager [7000] - The avast! Antivirus service failed to start due to the following error: Access is denied.
12/22/2011 11:07:48 PM, Error: Service Control Manager [7001] - The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service or group failed to start.
12/22/2011 11:07:48 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the AFD service which failed to start because of the following error: The system cannot find the file specified.
12/22/2011 11:07:48 PM, Error: Service Control Manager [7000] - The AFD service failed to start due to the following error: The system cannot find the file specified.
12/22/2011 10:48:57 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
12/22/2011 10:21:30 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
12/22/2011 10:21:07 PM, Error: Service Control Manager [7003] - The Internet Connection Sharing (ICS) service depends the following service: BFE. This service might not be installed.
12/17/2011 12:01:18 PM, Error: Service Control Manager [7034] - The QBCFMonitorService service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================

fss
Farbar Service Scanner
Ran by Welch (administrator) on 24-12-2011 at 21:45:37
Microsoft Windows 7 Professional Service Pack 1 (X86)
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.

Firewall Disabled Policy:
==================

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.

System Restore Disabled Policy:
========================

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
Attention! C:\Windows\system32\Drivers\afd.sys is missing.
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

Broni · Dec 24, 2011

For now I can see one system file missing so we'll try to find a replacement.
Judging from the log I'd assume Windows firewall is whacked as well. Let me know.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
64-bit users go HERE

Double-click SystemLook.exe to run it.
Vista\Win 7 users:: Right click on SystemLook.exe, click Run As Administrator
Copy the content of the following box and paste it into the main textfield:
Code:
```
:filefind
afd.sys
```
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

mlw038 · Dec 25, 2011

Yeah BFE and the firewall are both messed up. Here's the log:

SystemLook 30.07.11 by jpshortstuff
Log created at 12:40 on 25/12/2011 by Welch
Administrator - Elevation successful

========== filefind ==========

Searching for "afd.sys"
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_d7be98b5bfc0b4c1\afd.sys --a---- 338944 bytes [23:12 13/07/2009] [23:12 13/07/2009] DDC040FDB01EF1712A6B13E52AFB104C
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16802_none_d81220b5bf827af7\afd.sys --a---- 338944 bytes [18:19 15/06/2011] [02:35 25/04/2011] 0DB7A48388D54D154EBEC120461A0FCD
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.20951_none_d864ad9ad8c98d1f\afd.sys --a---- 338944 bytes [18:19 15/06/2011] [02:27 25/04/2011] C114AB7A1550D42EA1700FFD4179CF5A
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys --a---- 338944 bytes [21:56 25/05/2011] [08:40 20/11/2010] 1151FD4FB0216CFED887BFDE29EBD516
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_d9f97e05bca8003a\afd.sys --a---- 338944 bytes [18:19 15/06/2011] [02:18 25/04/2011] (Unable to calculate MD5)
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys --a---- 338944 bytes [18:19 15/06/2011] [03:24 25/04/2011] C427F91A748CD342A2B3F9278D9FD6A5

-= EOF =-

Broni · Dec 25, 2011

Download following fix: http://www.filedropper.com/fix_6
Double click on download file to run the fix.

Restart computer and see if internet works.

mlw038 · Dec 26, 2011

Internet works now. =D

Broni · Dec 26, 2011

Good news

Post new FSS log.

mlw038 · Dec 26, 2011

Farbar Service Scanner
Ran by Welch (administrator) on 26-12-2011 at 20:23:28
Microsoft Windows 7 Professional Service Pack 1 (X86)
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.

Firewall Disabled Policy:
==================

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.

System Restore Disabled Policy:
========================

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
Attention! C:\Windows\system32\Drivers\afd.sys is missing.
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

Broni · Dec 26, 2011

Can you turn Windows firewall on now?

mlw038 · Dec 26, 2011

No, I tried clicking "Use recommended settings" and got an error code 0x8007042c

Broni · Dec 26, 2011

Yeah, this is what I thought.

Since you can't be using your computer without any firewall you have two options:
- reinstall Windows
- use 3rd party firewall like Comodo free firewall: http://personalfirewall.comodo.com/free-download.html

Let me know, which way you want to go.

mlw038 · Dec 26, 2011

I just set up the 3rd party firewall.

mlw038 · Dec 26, 2011

:-/

After I set up Comodo it asked me to do a reboot so I did. My computer got stuck on the screen before the Windows 7 image (there was just a blank underscore on a black screen). I manually reset again and got to the normal screen, ran Comodo then tried connecting to the internet and there was a yellow exclamation point by my internet... so my internet doesn't work again for that computer.

Broni · Dec 26, 2011

There is a new version of FSS, so....

Please download Farbar Service Scanner and run it on the computer with the issue.

Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

mlw038 · Dec 27, 2011

Farbar Service Scanner
Ran by Welch (administrator) on 27-12-2011 at 17:35:59
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.

Firewall Disabled Policy:
==================

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.

System Restore Disabled Policy:
========================

Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
Attention! C:\Windows\system32\Drivers\afd.sys is missing.
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

Broni · Dec 27, 2011

We have afd.sys file missing again.
Possibly some infection keeps removing it.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.

**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.

Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

Double-click on the Rkill desktop icon to run the tool.
If using Vista or Windows 7 right-click on it and choose Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
Do not reboot until instructed.
If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

mlw038 · Dec 29, 2011

Internet works. Combofix told me that there was rootkit activity and had to do a reboot so I did. Here's the log:

ComboFix 11-12-29.04 - Welch 12/29/2011 12:51:52.2.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2046.1063 [GMT -5:00]
Running from: c:\users\Welch\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Internet Explorer\14F6.tmp
c:\program files\Internet Explorer\8004.tmp
c:\program files\Internet Explorer\8610.tmp
c:\program files\Internet Explorer\8AE0.tmp
c:\program files\Internet Explorer\9F5A.tmp
c:\program files\Internet Explorer\D0F4.tmp
c:\users\Welch\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Guard Online
c:\windows\$NtUninstallKB28521$
c:\windows\$NtUninstallKB28521$\3558784311
c:\windows\$NtUninstallKB28521$\411072489\@
c:\windows\$NtUninstallKB28521$\411072489\bckfg.tmp
c:\windows\$NtUninstallKB28521$\411072489\cfg.ini
c:\windows\$NtUninstallKB28521$\411072489\Desktop.ini
c:\windows\$NtUninstallKB28521$\411072489\keywords
c:\windows\$NtUninstallKB28521$\411072489\kwrd.dll
c:\windows\$NtUninstallKB28521$\411072489\L\xadqgnnk
c:\windows\$NtUninstallKB28521$\411072489\lsflt7.ver
c:\windows\$NtUninstallKB28521$\411072489\U\00000001.@
c:\windows\$NtUninstallKB28521$\411072489\U\00000002.@
c:\windows\$NtUninstallKB28521$\411072489\U\00000004.@
c:\windows\$NtUninstallKB28521$\411072489\U\80000000.@
c:\windows\$NtUninstallKB28521$\411072489\U\80000004.@
c:\windows\$NtUninstallKB28521$\411072489\U\80000032.@
c:\windows\$NtUninstallKB37014$
c:\windows\$NtUninstallKB37014$\3634874217
.
c:\windows\system32\drivers\afd.sys was missing
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys
.
c:\windows\system32\drivers\cdrom.sys was missing
Restored copy from - c:\windows\System32\DriverStore\FileRepository\cdrom.inf_x86_neutral_6381e09675524225\cdrom.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-29 )))))))))))))))))))))))))))))))
.
.
2011-12-29 18:00 . 2011-12-29 18:06 -------- d-----w- c:\users\Welch\AppData\Local\temp
2011-12-29 18:00 . 2011-12-29 18:00 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-12-29 18:00 . 2011-12-29 18:00 -------- d-----w- c:\users\EGTransServer\AppData\Local\temp
2011-12-29 18:00 . 2011-12-29 18:00 -------- d-----w- c:\users\DefaultAppPool\AppData\Local\temp
2011-12-29 18:00 . 2011-12-29 18:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-29 18:00 . 2011-12-29 18:00 -------- d-----w- c:\users\Classic .NET AppPool\AppData\Local\temp
2011-12-29 17:59 . 2010-11-20 08:38 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-12-29 17:50 . 2011-12-29 18:05 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8EDB6578-9ACE-468F-B36F-5E6FEC3F0222}\offreg.dll
2011-12-29 17:42 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-12-27 03:49 . 2011-12-29 18:06 -------- d-----w- c:\programdata\CPA_VA
2011-12-27 03:42 . 2011-12-27 03:45 -------- d-----w- c:\programdata\Comodo
2011-12-27 03:42 . 2011-12-27 03:42 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2011-12-27 03:42 . 2011-12-27 03:42 -------- d-----w- c:\program files\COMODO
2011-12-26 23:02 . 2011-11-21 07:47 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-26 23:01 . 2011-11-21 07:47 6823496 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8EDB6578-9ACE-468F-B36F-5E6FEC3F0222}\mpengine.dll
2011-12-23 02:34 . 2011-12-23 02:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-23 02:32 . 2011-12-23 02:32 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1ABC2FD0-C57A-4D7B-B07A-2137ACC1186E}\gapaengine.dll
2011-12-23 02:31 . 2011-12-23 02:31 -------- d-----w- c:\program files\Microsoft Security Client
2011-12-22 02:44 . 2011-12-22 02:44 -------- d-----w- c:\program files\WOT
2011-12-19 23:59 . 2011-12-19 23:59 82400 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-12-19 23:59 . 2011-12-19 23:59 491816 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-12-19 23:59 . 2011-12-19 23:59 39640 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-12-19 23:59 . 2011-12-19 23:59 19600 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-12-19 23:58 . 2011-12-19 23:58 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2011-12-19 23:58 . 2011-12-19 23:58 301224 ----a-w- c:\windows\system32\guard32.dll
2011-12-14 03:03 . 2011-11-05 04:30 860672 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
2011-12-14 03:03 . 2011-11-05 04:30 163328 ----a-w- c:\program files\Internet Explorer\ieproxy.dll
2011-12-14 03:02 . 2011-10-15 05:38 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-12-14 03:02 . 2011-10-26 04:28 38912 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-06 12:15 . 2010-05-16 10:00 277504 ----a-w- c:\windows\system32\CNMLMA7.DLL
2011-12-06 12:14 . 2011-01-06 18:08 1310720 ----a-w- c:\windows\system32\CNC870C.dll
2011-12-06 12:14 . 2011-01-06 18:08 110592 ----a-w- c:\windows\system32\CNC870I.dll
2011-12-06 12:14 . 2011-01-06 18:07 102400 ----a-w- c:\windows\system32\CNC870U.dll
2011-12-01 03:28 . 2011-12-01 03:42 -------- d-----w- c:\users\Welch\AppData\Local\PhotoChannel
2011-11-30 22:55 . 2011-12-02 16:57 -------- d-----w- c:\users\Welch\AppData\Local\WMTools Downloaded Files
2011-11-30 22:45 . 2011-11-30 22:45 -------- d-----w- c:\program files\Movie Maker 2.6
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-05 17:56 . 2010-01-14 16:00 952 --sha-w- c:\programdata\KGyGaAvL.sys
2011-11-24 04:25 . 2011-12-14 03:03 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-11-08 12:27 . 2011-11-08 12:27 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-05 04:35 . 2011-12-14 03:03 981504 ----a-w- c:\windows\system32\wininet.dll
2011-11-05 04:26 . 2011-12-14 03:03 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-05 02:48 . 2011-12-14 03:03 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-26 04:47 . 2011-12-14 03:02 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-26 04:47 . 2011-12-14 03:02 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RCHotKey"="c:\program files\RingCentral\RingCentral Call Controller\RCHotKey.exe" [2010-01-29 32768]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\723\g2mstart.exe" [2011-07-14 39816]
"Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
"ComcastAntispyClient"="c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-08-19 1589208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-05-06 2815192]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-09-30 2215768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"COMODO"="c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe" [2011-11-23 208184]
"CPA"="c:\program files\COMODO\COMODO GeekBuddy\VALA.exe" [2011-11-23 182584]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-12-21 6676808]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10w_ActiveX.exe" [2011-11-08 243360]
.
c:\users\Welch\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Welch\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-12-5 24242056]
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\users\Welch\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2009-12-18 40368]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2009-12-18 738776]
Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe [2011-11-9 5889880]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [N/A]
NETGEAR WNDA3100v2 Smart Wizard.lnk - c:\program files\NETGEAR\WNDA3100v2\WNDA3100v2.exe [2011-3-29 4577760]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-11-9 1156968]
QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks 2008\QBW32.EXE [2011-11-9 1178984]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 MpKsl3f914193;MpKsl3f914193;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8D64EEA0-376B-4456-A638-875A3119E81D}\MpKsl3f914193.sys [x]
R1 MpKsl51a1ac52;MpKsl51a1ac52;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0D8536BA-7DEE-4DF5-8A11-59E312F3F251}\MpKsl51a1ac52.sys [x]
R1 MpKsl644f65eb;MpKsl644f65eb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3C011C60-481D-4FF4-9BFF-4FE130E7CC16}\MpKsl644f65eb.sys [x]
R1 MpKsl7c329dc2;MpKsl7c329dc2;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1AE285F8-8ABB-45C0-BD6B-A9A051F32CC0}\MpKsl7c329dc2.sys [x]
R1 MpKsl8c012499;MpKsl8c012499;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4655FF60-70A6-4F61-884D-553707CA24C4}\MpKsl8c012499.sys [x]
R1 MpKslea50dec1;MpKslea50dec1;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8EDB6578-9ACE-468F-B36F-5E6FEC3F0222}\MpKslea50dec1.sys [x]
R1 SASDIFSV;SASDIFSV;c:\users\Welch\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\users\Welch\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.sys [x]
R2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [2008-06-25 65536]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 NecUsb;USB Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
R2 WSWNDA3100;WSWNDA3100;c:\program files\NETGEAR\WNDA3100v2\WifiSvc.exe [2010-08-19 272864]
R3 2WXG7053;2W 802.11g XG705 SP3 Driver;c:\windows\system32\DRIVERS\WlanUIG.sys [2007-04-24 358304]
R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2007-03-27 857600]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
R3 netr73;Belkin Wireless G Plus MIMO USB Network Adapter Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2007-11-12 468480]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 SASENUM;SASENUM;c:\users\Welch\AppData\Local\Temp\SAS_SelfExtract\SASENUM.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-13 1343400]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 135664]
R4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 135664]
R4 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2009-07-14 20992]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\DRIVERS\scmndisp.sys [2007-01-19 21728]
S1 aswSP;aswSP; [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2011-12-19 491816]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2011-12-19 39640]
S1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
S2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-06-17 616408]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-05-06 51792]
S2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO GeekBuddy\CLPSLS.exe [2011-11-23 1052472]
S2 MediaMall Server;MediaMall Server;c:\program files\MediaMall\MediaMallServer.exe [2011-12-20 5424504]
S2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [2010-04-30 3795560]
S2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [2011-06-30 1248256]
S2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2010-11-30 2222376]
S3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh6.sys [2009-11-06 699896]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
NecUsbSevice REG_MULTI_SZ NecUsb
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 23:54]
.
2011-06-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 23:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:53172
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {{90A81828-92DB-400e-AECD-78C540F5EB49} - c:\program files\eGrabber\AddressGrabber Business 2010\InternetAddress.exe
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
TCP: Interfaces\{48C9BFA9-EF0D-4489-934E-C8C8E54983BD}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{C3AEE420-1FF5-42AC-A7A3-691E806C986A}: NameServer = 8.26.56.26,156.154.70.22
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-24899557.sys
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.dfsc]
"ImagePath"="\*"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-274280530-1200791623-3899067147-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-274280530-1200791623-3899067147-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(528)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'Explorer.exe'(4832)
c:\windows\system32\guard32.dll
c:\users\Welch\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
c:\program files\RingCentral\RingCentral Call Controller\RCHotKeyHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Citrix\GoToMyPC\g2svc.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\common files\protexis\license service\psiservice_2.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conhost.exe
c:\windows\system32\WUDFHost.exe
c:\program files\COMODO\COMODO GeekBuddy\CLPS.exe
c:\windows\system32\UI0Detect.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Citrix\GoToMeeting\723\g2mcomm.exe
c:\program files\Citrix\GoToMeeting\723\g2mlauncher.exe
c:\windows\system32\sppsvc.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-12-29 13:14:00 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-29 18:13
ComboFix2.txt 2011-06-10 18:38
.
Pre-Run: 232,696,279,040 bytes free
Post-Run: 233,108,856,832 bytes free
.
- - End Of File - - 5251184D25D3BD1E0CF7EE662B2EBF84

Broni · Dec 29, 2011

Good news

Combofix log looks good.

Any current issues?

Post new FSS log.

mlw038 · Dec 30, 2011

No current issues. Here's the FSS log:

Farbar Service Scanner
Ran by Welch (administrator) on 30-12-2011 at 17:16:07
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.

Firewall Disabled Policy:
==================

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
===========

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
Attention! C:\Windows\system32\Drivers\afd.sys is missing.
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

Broni · Dec 30, 2011

Please run Farbar Service Scanner.
Type the following in the edit box after "Search:".

afd.sys

Click Search Files button and post the log (FSS.txt) it makes to your reply.

mlw038 · Jan 3, 2012

The internet stopped working again. Here's the search log and I'll post the FSS log that scans everything as well.

Farbar Service Scanner
Ran by Welch (administrator) on 03-01-2012 at 21:56:46
Windows 7 Professional Service Pack 1 (X86)

************************************************
================== Search: "afd.sys" ===================

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys
[2011-06-15 13:19] - [2011-04-24 22:24] - 0338944 ____A (Microsoft Corporation) C427F91A748CD342A2B3F9278D9FD6A5

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_d9f97e05bca8003a\afd.sys
[2011-06-15 13:19] - [2011-04-24 21:18] - 0338944 ____N () D41D8CD98F00B204E9800998ECF8427E

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_d9efac7dbcaf385b\afd.sys
[2011-05-25 16:56] - [2010-11-20 03:40] - 0338944 ____A (Microsoft Corporation) 1151FD4FB0216CFED887BFDE29EBD516

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.20951_none_d864ad9ad8c98d1f\afd.sys
[2011-06-15 13:19] - [2011-04-24 21:27] - 0338944 ____A (Microsoft Corporation) C114AB7A1550D42EA1700FFD4179CF5A

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16802_none_d81220b5bf827af7\afd.sys
[2011-06-15 13:19] - [2011-04-24 21:35] - 0338944 ____A (Microsoft Corporation) 0DB7A48388D54D154EBEC120461A0FCD

C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7600.16385_none_d7be98b5bfc0b4c1\afd.sys
[2009-07-13 18:12] - [2009-07-13 18:12] - 0338944 ____A (Microsoft Corporation) DDC040FDB01EF1712A6B13E52AFB104C

====== End Of Search ======

FSS scan
Farbar Service Scanner
Ran by Welch (administrator) on 03-01-2012 at 21:57:57
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.

Firewall Disabled Policy:
==================

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.

System Restore Disabled Policy:
========================

Security Center:
============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
Attention! C:\Windows\system32\Drivers\afd.sys is missing.
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

Broni · Jan 3, 2012

Download TDSSKiller and save it to your desktop.

Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

=============================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

mlw038 · Jan 3, 2012

23:00:20.0488 2628 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
23:00:20.0519 2628 ============================================================
23:00:20.0519 2628 Current date / time: 2012/01/03 23:00:20.0519
23:00:20.0519 2628 SystemInfo:
23:00:20.0519 2628
23:00:20.0519 2628 OS Version: 6.1.7601 ServicePack: 1.0
23:00:20.0519 2628 Product type: Workstation
23:00:20.0519 2628 ComputerName: WELCH-PC
23:00:20.0519 2628 UserName: Welch
23:00:20.0519 2628 Windows directory: C:\Windows
23:00:20.0519 2628 System windows directory: C:\Windows
23:00:20.0519 2628 Processor architecture: Intel x86
23:00:20.0519 2628 Number of processors: 2
23:00:20.0519 2628 Page size: 0x1000
23:00:20.0519 2628 Boot type: Normal boot
23:00:20.0519 2628 ============================================================
23:00:21.0923 2628 Initialize success
23:00:25.0886 0200 ============================================================
23:00:25.0886 0200 Scan started
23:00:25.0886 0200 Mode: Manual;
23:00:25.0886 0200 ============================================================
23:00:26.0635 0200 .dfsc - ok
23:00:26.0775 0200 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\drivers\1394ohci.sys
23:00:26.0775 0200 1394ohci - ok
23:00:26.0869 0200 2WXG7053 (576af12c5fed35d8afac2a5ee49d0dff) C:\Windows\system32\DRIVERS\WlanUIG.sys
23:00:26.0900 0200 2WXG7053 - ok
23:00:26.0947 0200 ACPI (cea80c80bed809aa0da6febc04733349) C:\Windows\system32\drivers\ACPI.sys
23:00:26.0962 0200 ACPI - ok
23:00:27.0025 0200 AcpiPmi (1efbc664abff416d1d07db115dcb264f) C:\Windows\system32\drivers\acpipmi.sys
23:00:27.0025 0200 AcpiPmi - ok
23:00:27.0118 0200 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
23:00:27.0118 0200 adp94xx - ok
23:00:27.0149 0200 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
23:00:27.0149 0200 adpahci - ok
23:00:27.0181 0200 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
23:00:27.0181 0200 adpu320 - ok
23:00:27.0227 0200 AFD - ok
23:00:27.0274 0200 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\drivers\agp440.sys
23:00:27.0274 0200 agp440 - ok
23:00:27.0337 0200 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
23:00:27.0337 0200 aic78xx - ok
23:00:27.0399 0200 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\drivers\aliide.sys
23:00:27.0399 0200 aliide - ok
23:00:27.0430 0200 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\drivers\amdagp.sys
23:00:27.0430 0200 amdagp - ok
23:00:27.0461 0200 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\drivers\amdide.sys
23:00:27.0461 0200 amdide - ok
23:00:27.0493 0200 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
23:00:27.0493 0200 AmdK8 - ok
23:00:27.0508 0200 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
23:00:27.0508 0200 AmdPPM - ok
23:00:27.0571 0200 amdsata (d320bf87125326f996d4904fe24300fc) C:\Windows\system32\drivers\amdsata.sys
23:00:27.0571 0200 amdsata - ok
23:00:27.0617 0200 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
23:00:27.0633 0200 amdsbs - ok
23:00:27.0727 0200 amdxata (46387fb17b086d16dea267d5be23a2f2) C:\Windows\system32\drivers\amdxata.sys
23:00:27.0727 0200 amdxata - ok
23:00:27.0836 0200 AppID (aea177f783e20150ace5383ee368da19) C:\Windows\system32\drivers\appid.sys
23:00:27.0836 0200 AppID - ok
23:00:27.0929 0200 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
23:00:27.0929 0200 arc - ok
23:00:27.0961 0200 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
23:00:27.0961 0200 arcsas - ok
23:00:28.0054 0200 aswFsBlk (1b6ed99291ddf5d2501554cc5757aab6) C:\Windows\system32\drivers\aswFsBlk.sys
23:00:28.0054 0200 aswFsBlk - ok
23:00:28.0132 0200 aswMonFlt (58254e06b36b984e33ae314c0ea8f1a5) C:\Windows\system32\drivers\aswMonFlt.sys
23:00:28.0132 0200 aswMonFlt - ok
23:00:28.0163 0200 aswRdr (3e2b6112d2766f87eda8466fde86a986) C:\Windows\system32\drivers\aswRdr.sys
23:00:28.0163 0200 aswRdr - ok
23:00:28.0210 0200 aswSP (d78b644816db540e103d0b0766fd9967) C:\Windows\system32\drivers\aswSP.sys
23:00:28.0210 0200 aswSP - ok
23:00:28.0257 0200 aswTdi (606d731008d98b6ef946730c597c1642) C:\Windows\system32\drivers\aswTdi.sys
23:00:28.0273 0200 aswTdi - ok
23:00:28.0304 0200 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
23:00:28.0304 0200 AsyncMac - ok
23:00:28.0351 0200 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\drivers\atapi.sys
23:00:28.0351 0200 atapi - ok
23:00:28.0429 0200 athrusb (cd90739cb064f5a234a41d190f25a822) C:\Windows\system32\DRIVERS\athrusb.sys
23:00:28.0460 0200 athrusb - ok
23:00:28.0616 0200 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
23:00:28.0631 0200 b06bdrv - ok
23:00:28.0678 0200 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
23:00:28.0678 0200 b57nd60x - ok
23:00:28.0787 0200 BCMH43XX (601259276b934f0c938bff4f558c5691) C:\Windows\system32\DRIVERS\bcmwlhigh6.sys
23:00:28.0803 0200 BCMH43XX - ok
23:00:28.0834 0200 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
23:00:28.0834 0200 Beep - ok
23:00:28.0928 0200 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
23:00:28.0928 0200 blbdrive - ok
23:00:28.0975 0200 bowser (8f2da3028d5fcbd1a060a3de64cd6506) C:\Windows\system32\DRIVERS\bowser.sys
23:00:28.0990 0200 bowser - ok
23:00:29.0006 0200 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
23:00:29.0006 0200 BrFiltLo - ok
23:00:29.0037 0200 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
23:00:29.0037 0200 BrFiltUp - ok
23:00:29.0068 0200 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
23:00:29.0068 0200 Brserid - ok
23:00:29.0099 0200 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
23:00:29.0099 0200 BrSerWdm - ok
23:00:29.0115 0200 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
23:00:29.0115 0200 BrUsbMdm - ok
23:00:29.0146 0200 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
23:00:29.0146 0200 BrUsbSer - ok
23:00:29.0177 0200 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
23:00:29.0177 0200 BTHMODEM - ok
23:00:29.0287 0200 catchme - ok
23:00:29.0333 0200 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
23:00:29.0333 0200 cdfs - ok
23:00:29.0458 0200 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
23:00:29.0458 0200 circlass - ok
23:00:29.0505 0200 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
23:00:29.0505 0200 CLFS - ok
23:00:29.0614 0200 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
23:00:29.0614 0200 CmBatt - ok
23:00:29.0661 0200 cmdGuard (da8b98c232dadb0e6aee6f46d0a22114) C:\Windows\system32\DRIVERS\cmdguard.sys
23:00:29.0739 0200 cmdGuard - ok
23:00:29.0801 0200 cmdHlp (051d5be8106f09dd5e0d5589ea931b1e) C:\Windows\system32\DRIVERS\cmdhlp.sys
23:00:29.0833 0200 cmdHlp - ok
23:00:29.0864 0200 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\drivers\cmdide.sys
23:00:29.0864 0200 cmdide - ok
23:00:29.0895 0200 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys
23:00:29.0895 0200 CNG - ok
23:00:29.0926 0200 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
23:00:29.0926 0200 Compbatt - ok
23:00:29.0989 0200 CompositeBus (cbe8c58a8579cfe5fccf809e6f114e89) C:\Windows\system32\drivers\CompositeBus.sys
23:00:29.0989 0200 CompositeBus - ok
23:00:30.0035 0200 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
23:00:30.0035 0200 crcdisk - ok
23:00:30.0129 0200 CSC (3c2177a897b4ca2788c6fb0c3fd81d4b) C:\Windows\system32\drivers\csc.sys
23:00:30.0129 0200 CSC - ok
23:00:30.0176 0200 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
23:00:30.0176 0200 discache - ok
23:00:30.0379 0200 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
23:00:30.0379 0200 Disk - ok
23:00:30.0488 0200 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
23:00:30.0488 0200 drmkaud - ok
23:00:30.0550 0200 DXGKrnl (23f5d28378a160352ba8f817bd8c71cb) C:\Windows\System32\drivers\dxgkrnl.sys
23:00:30.0581 0200 DXGKrnl - ok
23:00:30.0691 0200 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
23:00:30.0753 0200 ebdrv - ok
23:00:30.0831 0200 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
23:00:30.0831 0200 elxstor - ok
23:00:30.0878 0200 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\drivers\errdev.sys
23:00:30.0878 0200 ErrDev - ok
23:00:30.0909 0200 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
23:00:30.0909 0200 exfat - ok
23:00:30.0956 0200 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
23:00:30.0956 0200 fastfat - ok
23:00:31.0034 0200 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
23:00:31.0034 0200 fdc - ok
23:00:31.0065 0200 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
23:00:31.0065 0200 FileInfo - ok
23:00:31.0096 0200 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
23:00:31.0096 0200 Filetrace - ok
23:00:31.0112 0200 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
23:00:31.0127 0200 flpydisk - ok
23:00:31.0159 0200 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
23:00:31.0159 0200 FltMgr - ok
23:00:31.0190 0200 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
23:00:31.0190 0200 FsDepends - ok
23:00:31.0221 0200 fssfltr (d909075fa72c090f27aa926c32cb4612) C:\Windows\system32\DRIVERS\fssfltr.sys
23:00:31.0221 0200 fssfltr - ok
23:00:31.0268 0200 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
23:00:31.0268 0200 Fs_Rec - ok
23:00:31.0330 0200 fvevol (8a73e79089b282100b9393b644cb853b) C:\Windows\system32\DRIVERS\fvevol.sys
23:00:31.0330 0200 fvevol - ok
23:00:31.0439 0200 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
23:00:31.0455 0200 gagp30kx - ok
23:00:31.0486 0200 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
23:00:31.0486 0200 GEARAspiWDM - ok
23:00:31.0580 0200 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
23:00:31.0580 0200 hcw85cir - ok
23:00:31.0658 0200 HdAudAddService (a5ef29d5315111c80a5c1abad14c8972) C:\Windows\system32\drivers\HdAudio.sys
23:00:31.0658 0200 HdAudAddService - ok
23:00:31.0720 0200 HDAudBus (9036377b8a6c15dc2eec53e489d159b5) C:\Windows\system32\drivers\HDAudBus.sys
23:00:31.0720 0200 HDAudBus - ok
23:00:31.0751 0200 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
23:00:31.0751 0200 HidBatt - ok
23:00:31.0783 0200 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
23:00:31.0783 0200 HidBth - ok
23:00:31.0829 0200 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
23:00:31.0829 0200 HidIr - ok
23:00:31.0892 0200 HidUsb (10c19f8290891af023eaec0832e1eb4d) C:\Windows\system32\DRIVERS\hidusb.sys
23:00:31.0892 0200 HidUsb - ok
23:00:31.0939 0200 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\drivers\HpSAMD.sys
23:00:31.0939 0200 HpSAMD - ok
23:00:31.0985 0200 HTTP (871917b07a141bff43d76d8844d48106) C:\Windows\system32\drivers\HTTP.sys
23:00:32.0001 0200 HTTP - ok
23:00:32.0032 0200 hwpolicy (0c4e035c7f105f1299258c90886c64c5) C:\Windows\system32\drivers\hwpolicy.sys
23:00:32.0032 0200 hwpolicy - ok
23:00:32.0110 0200 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\drivers\i8042prt.sys
23:00:32.0141 0200 i8042prt - ok
23:00:32.0219 0200 iaStorV (5cd5f9a5444e6cdcb0ac89bd62d8b76e) C:\Windows\system32\drivers\iaStorV.sys
23:00:32.0219 0200 iaStorV - ok
23:00:32.0329 0200 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
23:00:32.0329 0200 iirsp - ok
23:00:32.0438 0200 inspect (2ee3db2c1760171c6f72f2f1792a47b5) C:\Windows\system32\DRIVERS\inspect.sys
23:00:32.0453 0200 inspect - ok
23:00:32.0485 0200 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\drivers\intelide.sys
23:00:32.0485 0200 intelide - ok
23:00:32.0531 0200 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
23:00:32.0531 0200 intelppm - ok
23:00:32.0594 0200 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
23:00:32.0594 0200 IpFilterDriver - ok
23:00:32.0625 0200 IPMIDRV (4bd7134618c1d2a27466a099062547bf) C:\Windows\system32\drivers\IPMIDrv.sys
23:00:32.0625 0200 IPMIDRV - ok
23:00:32.0656 0200 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
23:00:32.0656 0200 IPNAT - ok
23:00:32.0734 0200 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
23:00:32.0734 0200 IRENUM - ok
23:00:32.0765 0200 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\drivers\isapnp.sys
23:00:32.0765 0200 isapnp - ok
23:00:32.0812 0200 iScsiPrt (cb7a9abb12b8415bce5d74994c7ba3ae) C:\Windows\system32\drivers\msiscsi.sys
23:00:32.0812 0200 iScsiPrt - ok
23:00:32.0890 0200 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\DRIVERS\kbdclass.sys
23:00:32.0890 0200 kbdclass - ok
23:00:32.0953 0200 kbdhid (3d9f0ebf350edcfd6498057301455964) C:\Windows\system32\DRIVERS\kbdhid.sys
23:00:32.0953 0200 kbdhid - ok
23:00:32.0999 0200 KSecDD (412cea1aa78cc02a447f5c9e62b32ff1) C:\Windows\system32\Drivers\ksecdd.sys
23:00:32.0999 0200 KSecDD - ok
23:00:33.0109 0200 KSecPkg (26c046977e85b95036453d7b88ba1820) C:\Windows\system32\Drivers\ksecpkg.sys
23:00:33.0109 0200 KSecPkg - ok
23:00:33.0171 0200 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
23:00:33.0171 0200 lltdio - ok
23:00:33.0249 0200 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
23:00:33.0249 0200 LSI_FC - ok
23:00:33.0265 0200 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
23:00:33.0265 0200 LSI_SAS - ok
23:00:33.0296 0200 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
23:00:33.0296 0200 LSI_SAS2 - ok
23:00:33.0327 0200 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
23:00:33.0327 0200 LSI_SCSI - ok
23:00:33.0358 0200 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
23:00:33.0358 0200 luafv - ok
23:00:33.0452 0200 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
23:00:33.0452 0200 megasas - ok
23:00:33.0483 0200 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
23:00:33.0483 0200 MegaSR - ok
23:00:33.0514 0200 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
23:00:33.0514 0200 Modem - ok
23:00:33.0561 0200 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
23:00:33.0561 0200 monitor - ok
23:00:33.0639 0200 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
23:00:33.0639 0200 mouclass - ok
23:00:33.0701 0200 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
23:00:33.0701 0200 mouhid - ok
23:00:33.0717 0200 mountmgr (fc8771f45ecccfd89684e38842539b9b) C:\Windows\system32\drivers\mountmgr.sys
23:00:33.0733 0200 mountmgr - ok
23:00:33.0857 0200 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\Windows\system32\DRIVERS\MpFilter.sys
23:00:33.0857 0200 MpFilter - ok
23:00:33.0920 0200 mpio (2d699fb6e89ce0d8da14ecc03b3edfe0) C:\Windows\system32\drivers\mpio.sys
23:00:33.0920 0200 mpio - ok
23:00:34.0091 0200 MpKsl30e4c518 (a69630d039c38018689190234f866d77) c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{36FDB12E-C01C-4143-BCC6-159F720665A6}\MpKsl30e4c518.sys
23:00:34.0091 0200 MpKsl30e4c518 - ok
23:00:34.0138 0200 MpKsl3f914193 - ok
23:00:34.0154 0200 MpKsl51a1ac52 - ok
23:00:34.0185 0200 MpKsl644f65eb - ok
23:00:34.0201 0200 MpKsl7c329dc2 - ok
23:00:34.0232 0200 MpKsl8c012499 - ok
23:00:34.0232 0200 MpKslea50dec1 - ok
23:00:34.0294 0200 MpNWMon (2c3489660d4a8d514c123c3f0d67df46) C:\Windows\system32\DRIVERS\MpNWMon.sys
23:00:34.0294 0200 MpNWMon - ok
23:00:34.0325 0200 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
23:00:34.0325 0200 mpsdrv - ok
23:00:34.0403 0200 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
23:00:34.0419 0200 MREMP50 - ok
23:00:34.0419 0200 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
23:00:34.0450 0200 MRESP50 - ok
23:00:34.0497 0200 MRxDAV (ceb46ab7c01c9f825f8cc6babc18166a) C:\Windows\system32\drivers\mrxdav.sys
23:00:34.0497 0200 MRxDAV - ok
23:00:34.0559 0200 mrxsmb (5d16c921e3671636c0eba3bbaac5fd25) C:\Windows\system32\DRIVERS\mrxsmb.sys
23:00:34.0575 0200 mrxsmb - ok
23:00:34.0622 0200 mrxsmb10 (6d17a4791aca19328c685d256349fefc) C:\Windows\system32\DRIVERS\mrxsmb10.sys
23:00:34.0637 0200 mrxsmb10 - ok
23:00:34.0669 0200 mrxsmb20 (b81f204d146000be76651a50670a5e9e) C:\Windows\system32\DRIVERS\mrxsmb20.sys
23:00:34.0669 0200 mrxsmb20 - ok
23:00:34.0700 0200 msahci (012c5f4e9349e711e11e0f19a8589f0a) C:\Windows\system32\drivers\msahci.sys
23:00:34.0700 0200 msahci - ok
23:00:34.0731 0200 msdsm (55055f8ad8be27a64c831322a780a228) C:\Windows\system32\drivers\msdsm.sys
23:00:34.0747 0200 msdsm - ok
23:00:34.0809 0200 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
23:00:34.0809 0200 Msfs - ok
23:00:34.0825 0200 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
23:00:34.0825 0200 mshidkmdf - ok
23:00:34.0871 0200 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\drivers\msisadrv.sys
23:00:34.0871 0200 msisadrv - ok
23:00:34.0934 0200 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
23:00:34.0934 0200 MSKSSRV - ok
23:00:35.0012 0200 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
23:00:35.0012 0200 MSPCLOCK - ok
23:00:35.0043 0200 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
23:00:35.0043 0200 MSPQM - ok
23:00:35.0059 0200 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
23:00:35.0074 0200 MsRPC - ok
23:00:35.0105 0200 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\drivers\mssmbios.sys
23:00:35.0105 0200 mssmbios - ok
23:00:35.0152 0200 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
23:00:35.0152 0200 MSTEE - ok
23:00:35.0215 0200 msvad_simple (00c7b2306f1ca5389a1ac6d1df9c2e25) C:\Windows\system32\drivers\povrtdev.sys
23:00:35.0215 0200 msvad_simple - ok
23:00:35.0246 0200 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
23:00:35.0246 0200 MTConfig - ok
23:00:35.0277 0200 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
23:00:35.0277 0200 Mup - ok
23:00:35.0339 0200 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
23:00:35.0355 0200 NativeWifiP - ok
23:00:35.0449 0200 NDIS (e7c54812a2aaf43316eb6930c1ffa108) C:\Windows\system32\drivers\ndis.sys
23:00:35.0480 0200 NDIS - ok
23:00:35.0558 0200 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
23:00:35.0558 0200 NdisCap - ok
23:00:35.0651 0200 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
23:00:35.0651 0200 NdisTapi - ok
23:00:35.0761 0200 Ndisuio (d8a65dafb3eb41cbb622745676fcd072) C:\Windows\system32\DRIVERS\ndisuio.sys
23:00:35.0761 0200 Ndisuio - ok
23:00:35.0792 0200 NdisWan (38fbe267e7e6983311179230facb1017) C:\Windows\system32\DRIVERS\ndiswan.sys
23:00:35.0792 0200 NdisWan - ok
23:00:35.0854 0200 NDProxy (a4bdc541e69674fbff1a8ff00be913f2) C:\Windows\system32\drivers\NDProxy.sys
23:00:35.0854 0200 NDProxy - ok
23:00:35.0932 0200 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
23:00:35.0932 0200 NetBIOS - ok
23:00:35.0995 0200 NetBT (280122ddcf04b378edd1ad54d71c1e54) C:\Windows\system32\DRIVERS\netbt.sys
23:00:35.0995 0200 NetBT - ok
23:00:36.0073 0200 netr73 (fbbdcacbc128670983cca59345be5454) C:\Windows\system32\DRIVERS\netr73.sys
23:00:36.0088 0200 netr73 - ok
23:00:36.0151 0200 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
23:00:36.0166 0200 nfrd960 - ok
23:00:36.0197 0200 NisDrv (7b01c6172cfd0b10116175e09200d4b4) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
23:00:36.0197 0200 NisDrv - ok
23:00:36.0307 0200 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
23:00:36.0307 0200 Npfs - ok
23:00:36.0353 0200 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
23:00:36.0353 0200 nsiproxy - ok
23:00:36.0416 0200 Ntfs (81189c3d7763838e55c397759d49007a) C:\Windows\system32\drivers\Ntfs.sys
23:00:36.0447 0200 Ntfs - ok
23:00:36.0509 0200 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
23:00:36.0509 0200 Null - ok
23:00:36.0821 0200 nvlddmkm (377140a534d013bd661c69f1741de43c) C:\Windows\system32\DRIVERS\nvlddmkm.sys
23:00:37.0087 0200 nvlddmkm - ok
23:00:37.0133 0200 nvraid (b3e25ee28883877076e0e1ff877d02e0) C:\Windows\system32\drivers\nvraid.sys
23:00:37.0133 0200 nvraid - ok
23:00:37.0165 0200 nvstor (4380e59a170d88c4f1022eff6719a8a4) C:\Windows\system32\drivers\nvstor.sys
23:00:37.0165 0200 nvstor - ok
23:00:37.0227 0200 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\drivers\nv_agp.sys
23:00:37.0227 0200 nv_agp - ok
23:00:37.0258 0200 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\drivers\ohci1394.sys
23:00:37.0274 0200 ohci1394 - ok
23:00:37.0352 0200 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
23:00:37.0352 0200 Parport - ok
23:00:37.0399 0200 partmgr (bf8f6af06da75b336f07e23aef97d93b) C:\Windows\system32\drivers\partmgr.sys
23:00:37.0399 0200 partmgr - ok
23:00:37.0414 0200 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
23:00:37.0414 0200 Parvdm - ok
23:00:37.0445 0200 pci (673e55c3498eb970088e812ea820aa8f) C:\Windows\system32\drivers\pci.sys
23:00:37.0445 0200 pci - ok
23:00:37.0477 0200 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\drivers\pciide.sys
23:00:37.0477 0200 pciide - ok
23:00:37.0508 0200 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
23:00:37.0523 0200 pcmcia - ok
23:00:37.0539 0200 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
23:00:37.0539 0200 pcw - ok
23:00:37.0586 0200 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
23:00:37.0601 0200 PEAUTH - ok
23:00:37.0695 0200 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
23:00:37.0711 0200 PptpMiniport - ok
23:00:37.0757 0200 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
23:00:37.0757 0200 Processor - ok
23:00:37.0851 0200 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
23:00:37.0851 0200 Psched - ok
23:00:37.0976 0200 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
23:00:38.0007 0200 ql2300 - ok
23:00:38.0023 0200 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
23:00:38.0038 0200 ql40xx - ok
23:00:38.0054 0200 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
23:00:38.0054 0200 QWAVEdrv - ok
23:00:38.0085 0200 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
23:00:38.0085 0200 RasAcd - ok
23:00:38.0147 0200 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
23:00:38.0147 0200 RasAgileVpn - ok
23:00:38.0179 0200 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
23:00:38.0179 0200 Rasl2tp - ok
23:00:38.0241 0200 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
23:00:38.0241 0200 RasPppoe - ok
23:00:38.0303 0200 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
23:00:38.0303 0200 RasSstp - ok
23:00:38.0350 0200 rdbss (d528bc58a489409ba40334ebf96a311b) C:\Windows\system32\DRIVERS\rdbss.sys
23:00:38.0350 0200 rdbss - ok
23:00:38.0397 0200 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
23:00:38.0397 0200 rdpbus - ok
23:00:38.0428 0200 RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\Windows\system32\DRIVERS\RDPCDD.sys
23:00:38.0444 0200 RDPCDD - ok
23:00:38.0475 0200 RDPDR (b973fcfc50dc1434e1970a146f7e3885) C:\Windows\system32\drivers\rdpdr.sys
23:00:38.0491 0200 RDPDR - ok
23:00:38.0569 0200 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
23:00:38.0569 0200 RDPENCDD - ok
23:00:38.0600 0200 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
23:00:38.0600 0200 RDPREFMP - ok
23:00:38.0647 0200 RDPWD (288b06960d78428ff89e811632684e20) C:\Windows\system32\drivers\RDPWD.sys
23:00:38.0647 0200 RDPWD - ok
23:00:38.0756 0200 rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\Windows\system32\drivers\rdyboost.sys
23:00:38.0771 0200 rdyboost - ok
23:00:38.0881 0200 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
23:00:38.0881 0200 rspndr - ok
23:00:38.0943 0200 s3cap (7fa7f2e249a5dcbb7970630e15e1f482) C:\Windows\system32\drivers\vms3cap.sys
23:00:38.0943 0200 s3cap - ok
23:00:39.0068 0200 SASDIFSV - ok
23:00:39.0083 0200 SASENUM - ok
23:00:39.0115 0200 SASKUTIL - ok
23:00:39.0177 0200 sbp2port (05d860da1040f111503ac416ccef2bca) C:\Windows\system32\drivers\sbp2port.sys
23:00:39.0177 0200 sbp2port - ok
23:00:39.0224 0200 scfilter (0693b5ec673e34dc147e195779a4dcf6) C:\Windows\system32\DRIVERS\scfilter.sys
23:00:39.0224 0200 scfilter - ok
23:00:39.0317 0200 SCMNdisP (3b68015683c27cb00c7a6b60a37cbcfd) C:\Windows\system32\DRIVERS\scmndisp.sys
23:00:39.0333 0200 SCMNdisP - ok
23:00:39.0442 0200 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
23:00:39.0442 0200 secdrv - ok
23:00:39.0551 0200 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
23:00:39.0567 0200 Serenum - ok
23:00:39.0614 0200 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys
23:00:39.0614 0200 Serial - ok
23:00:39.0692 0200 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
23:00:39.0692 0200 sermouse - ok
23:00:39.0785 0200 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\drivers\sffdisk.sys
23:00:39.0785 0200 sffdisk - ok
23:00:39.0832 0200 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\drivers\sffp_mmc.sys
23:00:39.0832 0200 sffp_mmc - ok
23:00:39.0879 0200 sffp_sd (6d4ccaedc018f1cf52866bbbaa235982) C:\Windows\system32\drivers\sffp_sd.sys
23:00:39.0879 0200 sffp_sd - ok
23:00:39.0926 0200 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
23:00:39.0926 0200 sfloppy - ok
23:00:40.0035 0200 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\drivers\sisagp.sys
23:00:40.0035 0200 sisagp - ok
23:00:40.0082 0200 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
23:00:40.0082 0200 SiSRaid2 - ok
23:00:40.0113 0200 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
23:00:40.0129 0200 SiSRaid4 - ok
23:00:40.0191 0200 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
23:00:40.0191 0200 Smb - ok
23:00:40.0269 0200 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
23:00:40.0269 0200 spldr - ok
23:00:40.0456 0200 srv (e4c2764065d66ea1d2d3ebc28fe99c46) C:\Windows\system32\DRIVERS\srv.sys
23:00:40.0456 0200 srv - ok
23:00:40.0519 0200 srv2 (03f0545bd8d4c77fa0ae1ceedfcc71ab) C:\Windows\system32\DRIVERS\srv2.sys
23:00:40.0519 0200 srv2 - ok
23:00:40.0550 0200 srvnet (be6bd660caa6f291ae06a718a4fa8abc) C:\Windows\system32\DRIVERS\srvnet.sys
23:00:40.0565 0200 srvnet - ok
23:00:40.0768 0200 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
23:00:40.0768 0200 stexstor - ok
23:00:40.0846 0200 storflt (472af0311073dceceaa8fa18ba2bdf89) C:\Windows\system32\drivers\vmstorfl.sys
23:00:40.0846 0200 storflt - ok
23:00:40.0877 0200 storvsc (dcaffd62259e0bdb433dd67b5bb37619) C:\Windows\system32\drivers\storvsc.sys
23:00:40.0877 0200 storvsc - ok
23:00:40.0893 0200 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\drivers\swenum.sys
23:00:40.0893 0200 swenum - ok
23:00:41.0002 0200 Tcpip (65d10b191c59c5501a1263fc33f6894b) C:\Windows\system32\drivers\tcpip.sys
23:00:41.0018 0200 Tcpip - ok
23:00:41.0096 0200 TCPIP6 (65d10b191c59c5501a1263fc33f6894b) C:\Windows\system32\DRIVERS\tcpip.sys
23:00:41.0111 0200 TCPIP6 - ok
23:00:41.0158 0200 tcpipreg (cca24162e055c3714ce5a88b100c64ed) C:\Windows\system32\drivers\tcpipreg.sys
23:00:41.0158 0200 tcpipreg - ok
23:00:41.0205 0200 TDPIPE (1cb91b2bd8f6dd367dfc2ef26fd751b2) C:\Windows\system32\drivers\tdpipe.sys
23:00:41.0205 0200 TDPIPE - ok
23:00:41.0236 0200 TDTCP (2c10395baa4847f83042813c515cc289) C:\Windows\system32\drivers\tdtcp.sys
23:00:41.0236 0200 TDTCP - ok
23:00:41.0299 0200 tdx (b459575348c20e8121d6039da063c704) C:\Windows\system32\DRIVERS\tdx.sys
23:00:41.0299 0200 tdx - ok
23:00:41.0377 0200 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\Windows\system32\drivers\termdd.sys
23:00:41.0377 0200 TermDD - ok
23:00:41.0455 0200 tssecsrv (254bb140eee3c59d6114c1a86b636877) C:\Windows\system32\DRIVERS\tssecsrv.sys
23:00:41.0455 0200 tssecsrv - ok
23:00:41.0533 0200 TsUsbFlt (fd1d6c73e6333be727cbcc6054247654) C:\Windows\system32\drivers\tsusbflt.sys
23:00:41.0548 0200 TsUsbFlt - ok
23:00:41.0642 0200 tunnel (b2fa25d9b17a68bb93d58b0556e8c90d) C:\Windows\system32\DRIVERS\tunnel.sys
23:00:41.0642 0200 tunnel - ok
23:00:41.0704 0200 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
23:00:41.0704 0200 uagp35 - ok
23:00:41.0767 0200 udfs (ee43346c7e4b5e63e54f927babbb32ff) C:\Windows\system32\DRIVERS\udfs.sys
23:00:41.0782 0200 udfs - ok
23:00:41.0891 0200 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\drivers\uliagpkx.sys
23:00:41.0891 0200 uliagpkx - ok
23:00:41.0985 0200 umbus (d295bed4b898f0fd999fcfa9b32b071b) C:\Windows\system32\DRIVERS\umbus.sys
23:00:41.0985 0200 umbus - ok
23:00:42.0047 0200 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
23:00:42.0047 0200 UmPass - ok
23:00:42.0125 0200 usbccgp (bd9c55d7023c5de374507acc7a14e2ac) C:\Windows\system32\DRIVERS\usbccgp.sys
23:00:42.0125 0200 usbccgp - ok
23:00:42.0172 0200 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\drivers\usbcir.sys
23:00:42.0172 0200 usbcir - ok
23:00:42.0219 0200 usbehci (f92de757e4b7ce9c07c5e65423f3ae3b) C:\Windows\system32\DRIVERS\usbehci.sys
23:00:42.0219 0200 usbehci - ok
23:00:42.0235 0200 usbhub (8dc94aec6a7e644a06135ae7506dc2e9) C:\Windows\system32\DRIVERS\usbhub.sys
23:00:42.0250 0200 usbhub - ok
23:00:42.0266 0200 usbohci (e185d44fac515a18d9deddc23c2cdf44) C:\Windows\system32\drivers\usbohci.sys
23:00:42.0266 0200 usbohci - ok
23:00:42.0313 0200 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
23:00:42.0313 0200 usbprint - ok
23:00:42.0391 0200 usbscan (576096ccbc07e7c4ea4f5e6686d6888f) C:\Windows\system32\DRIVERS\usbscan.sys
23:00:42.0391 0200 usbscan - ok
23:00:42.0422 0200 USBSTOR (f991ab9cc6b908db552166768176896a) C:\Windows\system32\DRIVERS\USBSTOR.SYS
23:00:42.0422 0200 USBSTOR - ok
23:00:42.0437 0200 usbuhci (68df884cf41cdada664beb01daf67e3d) C:\Windows\system32\DRIVERS\usbuhci.sys
23:00:42.0437 0200 usbuhci - ok
23:00:42.0500 0200 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\drivers\vdrvroot.sys
23:00:42.0500 0200 vdrvroot - ok
23:00:42.0531 0200 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
23:00:42.0531 0200 vga - ok
23:00:42.0547 0200 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
23:00:42.0547 0200 VgaSave - ok
23:00:42.0593 0200 vhdmp (5461686cca2fda57b024547733ab42e3) C:\Windows\system32\drivers\vhdmp.sys
23:00:42.0593 0200 vhdmp - ok
23:00:42.0625 0200 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\drivers\viaagp.sys
23:00:42.0625 0200 viaagp - ok
23:00:42.0671 0200 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
23:00:42.0671 0200 ViaC7 - ok
23:00:42.0687 0200 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\drivers\viaide.sys
23:00:42.0703 0200 viaide - ok
23:00:42.0718 0200 vmbus (c2f2911156fdc7817c52829c86da494e) C:\Windows\system32\drivers\vmbus.sys
23:00:42.0734 0200 vmbus - ok
23:00:42.0749 0200 VMBusHID (d4d77455211e204f370d08f4963063ce) C:\Windows\system32\drivers\VMBusHID.sys
23:00:42.0749 0200 VMBusHID - ok
23:00:42.0796 0200 volmgr (4c63e00f2f4b5f86ab48a58cd990f212) C:\Windows\system32\drivers\volmgr.sys
23:00:42.0796 0200 volmgr - ok
23:00:42.0827 0200 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
23:00:42.0827 0200 volmgrx - ok
23:00:42.0890 0200 volsnap (f497f67932c6fa693d7de2780631cfe7) C:\Windows\system32\drivers\volsnap.sys
23:00:42.0890 0200 volsnap - ok
23:00:42.0983 0200 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
23:00:42.0983 0200 vsmraid - ok
23:00:43.0046 0200 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\system32\DRIVERS\vwifibus.sys
23:00:43.0046 0200 vwifibus - ok
23:00:43.0124 0200 VWiFiFlt (7090d3436eeb4e7da3373090a23448f7) C:\Windows\system32\DRIVERS\vwififlt.sys
23:00:43.0124 0200 VWiFiFlt - ok
23:00:43.0202 0200 vwifimp (a3f04cbea6c2a10e6cb01f8b47611882) C:\Windows\system32\DRIVERS\vwifimp.sys
23:00:43.0202 0200 vwifimp - ok
23:00:43.0249 0200 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
23:00:43.0264 0200 WacomPen - ok
23:00:43.0358 0200 WANARP (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
23:00:43.0358 0200 WANARP - ok
23:00:43.0389 0200 Wanarpv6 (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
23:00:43.0389 0200 Wanarpv6 - ok
23:00:43.0545 0200 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
23:00:43.0545 0200 Wd - ok
23:00:43.0623 0200 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\Windows\system32\DRIVERS\wdcsam.sys
23:00:43.0623 0200 WDC_SAM - ok
23:00:43.0685 0200 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
23:00:43.0685 0200 Wdf01000 - ok
23:00:43.0795 0200 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
23:00:43.0795 0200 WfpLwf - ok
23:00:43.0810 0200 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
23:00:43.0810 0200 WIMMount - ok
23:00:43.0919 0200 WinUsb (a67e5f9a400f3bd1be3d80613b45f708) C:\Windows\system32\DRIVERS\WinUsb.sys
23:00:43.0935 0200 WinUsb - ok
23:00:44.0029 0200 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\drivers\wmiacpi.sys
23:00:44.0029 0200 WmiAcpi - ok
23:00:44.0169 0200 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
23:00:44.0169 0200 ws2ifsl - ok
23:00:44.0247 0200 WSDPrintDevice (553f6ccd7c58eb98d4a8fbdaf283d7a9) C:\Windows\system32\DRIVERS\WSDPrint.sys
23:00:44.0247 0200 WSDPrintDevice - ok
23:00:44.0341 0200 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\Windows\system32\drivers\WudfPf.sys
23:00:44.0341 0200 WudfPf - ok
23:00:44.0372 0200 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\Windows\system32\DRIVERS\WUDFRd.sys
23:00:44.0387 0200 WUDFRd - ok
23:00:44.0621 0200 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
23:00:44.0684 0200 \Device\Harddisk0\DR0 - ok
23:00:44.0699 0200 MBR (0x1B8) (739b36f7a373fc81121d831231b6d311) \Device\Harddisk6\DR7
23:00:44.0731 0200 \Device\Harddisk6\DR7 - ok
23:00:44.0731 0200 Boot (0x1200) (f654f46475ec63c88650a98633d830e4) \Device\Harddisk0\DR0\Partition0
23:00:44.0731 0200 \Device\Harddisk0\DR0\Partition0 - ok
23:00:44.0762 0200 Boot (0x1200) (0c0a73cfd481978f07040d9ffd62cfc4) \Device\Harddisk0\DR0\Partition1
23:00:44.0762 0200 \Device\Harddisk0\DR0\Partition1 - ok
23:00:44.0762 0200 Boot (0x1200) (7b5764f04a3569ff789acd1731860ca3) \Device\Harddisk6\DR7\Partition0
23:00:44.0762 0200 \Device\Harddisk6\DR7\Partition0 - ok
23:00:44.0762 0200 ============================================================
23:00:44.0762 0200 Scan finished
23:00:44.0762 0200 ============================================================
23:00:44.0777 1764 Detected object count: 0
23:00:44.0777 1764 Actual detected object count: 0

aswMBR
aswMBR version 0.9.9.1156 Copyright(c) 2011 AVAST Software
Run date: 2012-01-03 23:02:16
-----------------------------
23:02:16.272 OS Version: Windows 6.1.7601 Service Pack 1
23:02:16.272 Number of processors: 2 586 0xF06
23:02:16.272 ComputerName: WELCH-PC UserName: Welch
23:02:17.114 Initialize success
23:02:18.268 AVAST engine defs: 11100801
23:02:54.074 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2
23:02:54.074 Disk 0 Vendor: WDC_WD3200KS-75PFB0 21.00M21 Size: 305245MB BusType: 11
23:02:54.090 Disk 0 MBR read successfully
23:02:54.090 Disk 0 MBR scan
23:02:54.402 Disk 0 Windows 7 default MBR code
23:02:54.402 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
23:02:54.636 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 305143 MB offset 206848
23:02:54.667 Disk 0 scanning sectors +625139712
23:02:54.932 Disk 0 scanning C:\Windows\system32\drivers
23:03:07.287 Service scanning
23:03:07.974 Service .dfsc \* **LOCKED** 123
23:03:08.067 Service MpKsl30e4c518 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{36FDB12E-C01C-4143-BCC6-159F720665A6}\MpKsl30e4c518.sys **LOCKED** 32
23:03:08.083 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
23:03:08.738 Modules scanning
23:03:21.515 Disk 0 trace - called modules:
23:03:21.530 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys
23:03:21.546 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85a715e0]
23:03:21.546 3 CLASSPNP.SYS[88f8f59e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-2[0x84c2f908]
23:03:22.248 AVAST engine scan C:\Windows
23:03:24.463 AVAST engine scan C:\Windows\system32
23:04:49.000 AVAST engine scan C:\Windows\system32\drivers
23:04:56.846 AVAST engine scan C:\Users\Welch
23:09:09.645 AVAST engine scan C:\ProgramData
23:10:38.425 Scan finished successfully
23:12:46.259 Disk 0 MBR has been saved successfully to "C:\Users\Welch\Desktop\MBR.dat"
23:12:46.337 The log file has been saved successfully to "C:\Users\Welch\Desktop\aswMBR.txt"

Broni · Jan 3, 2012

All looks clean.

1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:

FCopy::
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_da774a9ad5cea29e\afd.sys | C:\Windows\system32\Drivers\afd.sys

ClearJavaCache::

3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt

Post new FSS log as well.

Inactive Fake Windows 2012 anti-virus removed? Having Internet/firewall issues

Posts: 36 +0

Posts: 56,041 +516

Posts: 36 +0

Posts: 56,041 +516

Posts: 36 +0

Posts: 56,041 +516

Posts: 36 +0

Posts: 56,041 +516

Posts: 36 +0

Posts: 56,041 +516

Posts: 36 +0

Posts: 56,041 +516

Posts: 36 +0

Posts: 36 +0

Posts: 56,041 +516

Posts: 36 +0

Posts: 56,041 +516

Posts: 36 +0

Posts: 56,041 +516

Posts: 36 +0

Posts: 56,041 +516

Posts: 36 +0

Posts: 56,041 +516

Posts: 36 +0

Posts: 56,041 +516

Similar threads