So, when I boot to safe mode I will launch th SUPEr Anti Spyware?
You say Custom Scan works,
What do you or do not select in the custom scan that would be selected if it was a Quick Scan or Full Scan??
Quads
-----------------------------------------------------------------------------------------------------------------------------------------------------------
When I run the custom scan I am able to select the drives
tofu99 wrote:
So, when I boot to safe mode I will launch th SUPEr Anti Spyware?
Yes. And can you tell us if the Quick scan (one that hangs) ever shows any files or memory being read in window or does it just go to the report after doing nothing?
It just says that it’s “working” meaning that it never finishes until I log off my user account or shutdown the computer while its running. So it actually never says anything.
If you are still having problem with NIS2009 please run a HiJackThis log and post it here.
You can download the program from this LINK ; choose the third in the list, the executable and save this to your desktop.
Double click on the file and choose "Do a system scan and save a log file" (first choice on the main menu) .
When the scan is finished, Notepad should open with the log file opened in it.
Copy the log file contents and paste this in a post here for review.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:16:01 PM, on 5/31/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\eMode\PCM\PCMService.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\PIXELA\ImageMixer for HDD Camcorder\IMx3Launcher.exe
C:\Windows\system32\igfxsrvc.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Diego\Desktop\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60341
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: ToggleEN Toolbar - {038cb5c7-48ea-4af9-94e0-a1646542e62b} - C:\Program Files\ToggleEN\tbTogg.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\IPSBHO.DLL
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: ToggleEN Toolbar - {038cb5c7-48ea-4af9-94e0-a1646542e62b} - C:\Program Files\ToggleEN\tbTogg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM..\Run: [IAAnotif] “C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe”
O4 - HKLM..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM..\Run: [PCMService] “C:\Acer\Empowering Technology\eMode\PCM\PCMService.exe”
O4 - HKLM..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKCU..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU..\Run: [updateMgr] “C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe” AcRdB7_0_9 -reboot 1
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [Messenger (Yahoo!)] “C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” -quiet
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM..\Policies\Explorer\Run: �
O4 - HKUS\S-1-5-18..\RunOnce: (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\RunOnce: (User ‘Default user’)
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: ImageMixer for HDD Camcorder.lnk = C:\Program Files\PIXELA\ImageMixer for HDD Camcorder\IMx3Launcher.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Acer\Empowering Technology\eMode\PCM\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Acer\Empowering Technology\eMode\PCM\Kernel\TV\CLSched.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
–
End of file - 10097 bytes
tofu99 -
Thank you for posting the log.
Please check the following in the HiJackThis result window and the select Fix Checked.
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)
O4 - HKLM\..\Policies\Explorer\Run: []
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
After that please download MalwareBytes AntiMalware from this LINK . This is the Free version so it only does on demand scanning. Install this program and run the Update All from the Update tab.
Open SUPERAntiSpyware and disable the real time protection in it (we do not want it loading when MBAM scans) .
Reboot the system into Safe Mode and run a full system scan with MalwareBytes AntiMalware. Please have the program fix / delete whatever it finds.
Save the log file from MBAM and post that here for review.
Thank you for your patience in this.
Hi Tofu
can you please do this post for Rootrepel and post the log
I have found posts of Norton Not scanning due to the rootkit variants of TDSS
Quads
reply to dbrisendine: tofu99 -
Thank you for posting the log.
Please check the following in the HiJackThis result window and the select Fix Checked.
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)
O4 - HKLM\..\Policies\Explorer\Run: []
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
---------------------------------------------------------------------------------------------------------
Will this change something very improtant? Are their any risks involved? Thanks
Those entries need to be removed. There should be no problems. Quads also wants you to run a scan and has provided a link in the previous message.
Actually Please use Rootrepeal in my previous post above while the Hijackthis entries are there, that way there should be a better change to see if the hidden driver service is there.
See previous post for think to using Rootrepeal, then post the log.
Quads
one more thing, my computer just recently “crash dumped” a blue screen appeared and my system shutdown. does this mean anything?
ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/06/01 09:29
Program Version: Version 1.2.3.0
Windows Version: Windows Vista SP1
==================================================
Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\Windows\system32\DRIVERS\1394BUS.SYS
Address: 0x8ABC1000 Size: 57344 File Visible: -
Status: -
Name: acpi.sys
Image Path: C:\Windows\system32\drivers\acpi.sys
Address: 0x82A93000 Size: 286720 File Visible: -
Status: -
Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x8241A000 Size: 3903488 File Visible: -
Status: -
Name: afd.sys
Image Path: C:\Windows\system32\drivers\afd.sys
Address: 0x8BA65000 Size: 294912 File Visible: -
Status: -
Name: atapi.sys
Image Path: C:\Windows\system32\drivers\atapi.sys
Address: 0x830C5000 Size: 32768 File Visible: -
Status: -
Name: ataport.SYS
Image Path: C:\Windows\system32\drivers\ataport.SYS
Address: 0x830CD000 Size: 122880 File Visible: -
Status: -
Name: ATMFD.DLL
Image Path: C:\Windows\System32\ATMFD.DLL
Address: 0x93E70000 Size: 311296 File Visible: -
Status: -
Name: Beep.SYS
Image Path: C:\Windows\System32\Drivers\Beep.SYS
Address: 0x8B43A000 Size: 28672 File Visible: -
Status: -
Name: BOOTVID.dll
Image Path: C:\Windows\system32\BOOTVID.dll
Address: 0x80688000 Size: 32768 File Visible: -
Status: -
Name: bowser.sys
Image Path: C:\Windows\system32\DRIVERS\bowser.sys
Address: 0x80D89000 Size: 102400 File Visible: -
Status: -
Name: cdd.dll
Image Path: C:\Windows\System32\cdd.dll
Address: 0x93E60000 Size: 57344 File Visible: -
Status: -
Name: cdfs.sys
Image Path: C:\Windows\system32\DRIVERS\cdfs.sys
Address: 0xA79E9000 Size: 90112 File Visible: -
Status: -
Name: cdrom.sys
Image Path: C:\Windows\system32\DRIVERS\cdrom.sys
Address: 0x83371000 Size: 98304 File Visible: -
Status: -
Name: CI.dll
Image Path: C:\Windows\system32\CI.dll
Address: 0x806D1000 Size: 917504 File Visible: -
Status: -
Name: CLASSPNP.SYS
Image Path: C:\Windows\system32\drivers\CLASSPNP.SYS
Address: 0x869C1000 Size: 135168 File Visible: -
Status: -
Name: CLFS.SYS
Image Path: C:\Windows\system32\CLFS.SYS
Address: 0x80690000 Size: 266240 File Visible: -
Status: -
Name: crashdmp.sys
Image Path: C:\Windows\System32\Drivers\crashdmp.sys
Address: 0x8BBE6000 Size: 53248 File Visible: -
Status: -
Name: crcdisk.sys
Image Path: C:\Windows\system32\drivers\crcdisk.sys
Address: 0x869E2000 Size: 36864 File Visible: -
Status: -
Name: dfsc.sys
Image Path: C:\Windows\System32\Drivers\dfsc.sys
Address: 0x8BB8C000 Size: 94208 File Visible: -
Status: -
Name: disk.sys
Image Path: C:\Windows\system32\drivers\disk.sys
Address: 0x869B0000 Size: 69632 File Visible: -
Status: -
Name: drmk.sys
Image Path: C:\Windows\system32\drivers\drmk.sys
Address: 0x8B405000 Size: 151552 File Visible: -
Status: -
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x89E0B000 Size: 753664 File Visible: No
Status: -
Name: Dxapi.sys
Image Path: C:\Windows\System32\drivers\Dxapi.sys
Address: 0x8BBF3000 Size: 40960 File Visible: -
Status: -
Name: dxgkrnl.sys
Image Path: C:\Windows\System32\drivers\dxgkrnl.sys
Address: 0x8AA54000 Size: 651264 File Visible: -
Status: -
Name: e1e6032.sys
Image Path: C:\Windows\system32\DRIVERS\e1e6032.sys
Address: 0x8AB12000 Size: 237568 File Visible: -
Status: -
Name: ecache.sys
Image Path: C:\Windows\System32\drivers\ecache.sys
Address: 0x86989000 Size: 159744 File Visible: -
Status: -
Name: fileinfo.sys
Image Path: C:\Windows\system32\drivers\fileinfo.sys
Address: 0x8311D000 Size: 65536 File Visible: -
Status: -
Name: fltmgr.sys
Image Path: C:\Windows\system32\drivers\fltmgr.sys
Address: 0x830EB000 Size: 204800 File Visible: -
Status: -
Name: Fs_Rec.SYS
Image Path: C:\Windows\System32\Drivers\Fs_Rec.SYS
Address: 0x8B42A000 Size: 36864 File Visible: -
Status: -
Name: fwpkclnt.sys
Image Path: C:\Windows\System32\drivers\fwpkclnt.sys
Address: 0x8B5BF000 Size: 110592 File Visible: -
Status: -
Name: GEARAspiWDM.sys
Image Path: C:\Windows\System32\Drivers\GEARAspiWDM.sys
Address: 0x8ABF5000 Size: 28672 File Visible: -
Status: -
Name: hal.dll
Image Path: C:\Windows\system32\hal.dll
Address: 0x827D3000 Size: 208896 File Visible: -
Status: -
Name: HDAudBus.sys
Image Path: C:\Windows\system32\DRIVERS\HDAudBus.sys
Address: 0x8AB00000 Size: 73728 File Visible: -
Status: -
Name: HIDCLASS.SYS
Image Path: C:\Windows\system32\DRIVERS\HIDCLASS.SYS
Address: 0x8BBC5000 Size: 65536 File Visible: -
Status: -
Name: HIDPARSE.SYS
Image Path: C:\Windows\system32\DRIVERS\HIDPARSE.SYS
Address: 0x8B44A000 Size: 28672 File Visible: -
Status: -
Name: hidusb.sys
Image Path: C:\Windows\system32\DRIVERS\hidusb.sys
Address: 0x8BBBC000 Size: 36864 File Visible: -
Status: -
Name: HTTP.sys
Image Path: C:\Windows\system32\drivers\HTTP.sys
Address: 0x80D01000 Size: 438272 File Visible: -
Status: -
Name: iastor.sys
Image Path: C:\Windows\system32\drivers\iastor.sys
Address: 0x8300D000 Size: 753664 File Visible: -
Status: -
Name: igdkmd32.sys
Image Path: C:\Windows\system32\DRIVERS\igdkmd32.sys
Address: 0x8A407000 Size: 6606848 File Visible: -
Status: -
Name: int15.sys
Image Path: C:\Acer\Empowering Technology\eRecovery\int15.sys
Address: 0xA78CB000 Size: 69632 File Visible: -
Status: -
Name: intelide.sys
Image Path: C:\Windows\system32\drivers\intelide.sys
Address: 0x82B79000 Size: 28672 File Visible: -
Status: -
Name: intelppm.sys
Image Path: C:\Windows\system32\DRIVERS\intelppm.sys
Address: 0x89EDB000 Size: 61440 File Visible: -
Status: -
Name: ipfltdrv.sys
Image Path: C:\Windows\system32\DRIVERS\ipfltdrv.sys
Address: 0x8BA3F000 Size: 73728 File Visible: -
Status: -
Name: kbdclass.sys
Image Path: C:\Windows\system32\DRIVERS\kbdclass.sys
Address: 0x831F5000 Size: 45056 File Visible: -
Status: -
Name: kbdhid.sys
Image Path: C:\Windows\system32\DRIVERS\kbdhid.sys
Address: 0x8BBD5000 Size: 36864 File Visible: -
Status: -
Name: kdcom.dll
Image Path: C:\Windows\system32\kdcom.dll
Address: 0x8060F000 Size: 32768 File Visible: -
Status: -
Name: ks.sys
Image Path: C:\Windows\system32\DRIVERS\ks.sys
Address: 0x82BC3000 Size: 172032 File Visible: -
Status: -
Name: ksecdd.sys
Image Path: C:\Windows\System32\Drivers\ksecdd.sys
Address: 0x83136000 Size: 462848 File Visible: -
Status: -
Name: kungsfrxeetwos.sys
Image Path: C:\Windows\system32\drivers\kungsfrxeetwos.sys
Address: 0x8B48E000 Size: 163840 File Visible: -
Status: Hidden from Windows API!
Name: lltdio.sys
Image Path: C:\Windows\system32\DRIVERS\lltdio.sys
Address: 0x80CDE000 Size: 65536 File Visible: -
Status: -
Name: luafv.sys
Image Path: C:\Windows\system32\drivers\luafv.sys
Address: 0x80C0C000 Size: 110592 File Visible: -
Status: -
Name: mcupdate_GenuineIntel.dll
Image Path: C:\Windows\system32\mcupdate_GenuineIntel.dll
Address: 0x80617000 Size: 393216 File Visible: -
Status: -
Name: mfeavfk.sys
Image Path: C:\Windows\system32\drivers\mfeavfk.sys
Address: 0xA79D7000 Size: 72576 File Visible: -
Status: -
Name: mfebopk.sys
Image Path: C:\Windows\system32\drivers\mfebopk.sys
Address: 0xA79D0000 Size: 28512 File Visible: -
Status: -
Name: mfehidk.sys
Image Path: C:\Windows\system32\drivers\mfehidk.sys
Address: 0x8BB5C000 Size: 194592 File Visible: -
Status: -
Name: mferkdk.sys
Image Path: C:\Windows\system32\drivers\mferkdk.sys
Address: 0x80C00000 Size: 27104 File Visible: -
Status: -
Name: mfesmfk.sys
Image Path: C:\Windows\system32\drivers\mfesmfk.sys
Address: 0x80DF6000 Size: 33760 File Visible: -
Status: -
Name: modem.sys
Image Path: C:\Windows\system32\drivers\modem.sys
Address: 0x8ABA4000 Size: 53248 File Visible: -
Status: -
Name: MODEMCSA.sys
Image Path: C:\Windows\system32\drivers\MODEMCSA.sys
Address: 0x82A00000 Size: 40960 File Visible: -
Status: -
Name: monitor.sys
Image Path: C:\Windows\system32\DRIVERS\monitor.sys
Address: 0x8B5EC000 Size: 61440 File Visible: -
Status: -
Name: mouclass.sys
Image Path: C:\Windows\system32\DRIVERS\mouclass.sys
Address: 0x83000000 Size: 45056 File Visible: -
Status: -
Name: mouhid.sys
Image Path: C:\Windows\system32\DRIVERS\mouhid.sys
Address: 0x8BBDE000 Size: 32768 File Visible: -
Status: -
Name: mountmgr.sys
Image Path: C:\Windows\System32\drivers\mountmgr.sys
Address: 0x82B8E000 Size: 65536 File Visible: -
Status: -
Name: Mpfp.sys
Image Path: C:\Windows\System32\Drivers\Mpfp.sys
Address: 0x8BA02000 Size: 159744 File Visible: -
Status: -
Name: mpsdrv.sys
Image Path: C:\Windows\System32\drivers\mpsdrv.sys
Address: 0x80DA2000 Size: 86016 File Visible: -
Status: -
Name: mrxdav.sys
Image Path: C:\Windows\system32\drivers\mrxdav.sys
Address: 0x80DB7000 Size: 131072 File Visible: -
Status: -
Name: mrxsmb.sys
Image Path: C:\Windows\system32\DRIVERS\mrxsmb.sys
Address: 0x80DD7000 Size: 126976 File Visible: -
Status: -
Name: mrxsmb10.sys
Image Path: C:\Windows\system32\DRIVERS\mrxsmb10.sys
Address: 0xA7800000 Size: 233472 File Visible: -
Status: -
Name: mrxsmb20.sys
Image Path: C:\Windows\system32\DRIVERS\mrxsmb20.sys
Address: 0xA7839000 Size: 98304 File Visible: -
Status: -
Name: Msfs.SYS
Image Path: C:\Windows\System32\Drivers\Msfs.SYS
Address: 0x8B4B6000 Size: 45056 File Visible: -
Status: -
Name: msisadrv.sys
Image Path: C:\Windows\system32\drivers\msisadrv.sys
Address: 0x82AE2000 Size: 32768 File Visible: -
Status: -
Name: msiscsi.sys
Image Path: C:\Windows\system32\DRIVERS\msiscsi.sys
Address: 0x83389000 Size: 188416 File Visible: -
Status: -
Name: msrpc.sys
Image Path: C:\Windows\system32\drivers\msrpc.sys
Address: 0x8330C000 Size: 176128 File Visible: -
Status: -
Name: mssmbios.sys
Image Path: C:\Windows\system32\DRIVERS\mssmbios.sys
Address: 0x82BED000 Size: 40960 File Visible: -
Status: -
Name: mup.sys
Image Path: C:\Windows\System32\Drivers\mup.sys
Address: 0x8697A000 Size: 61440 File Visible: -
Status: -
Name: ndis.sys
Image Path: C:\Windows\system32\drivers\ndis.sys
Address: 0x83201000 Size: 1093632 File Visible: -
Status: -
Name: ndistapi.sys
Image Path: C:\Windows\system32\DRIVERS\ndistapi.sys
Address: 0x89E00000 Size: 45056 File Visible: -
Status: -
Name: ndiswan.sys
Image Path: C:\Windows\system32\DRIVERS\ndiswan.sys
Address: 0x831BE000 Size: 143360 File Visible: -
Status: -
Name: NDProxy.SYS
Image Path: C:\Windows\System32\Drivers\NDProxy.SYS
Address: 0x8B20F000 Size: 69632 File Visible: -
Status: -
Name: netbios.sys
Image Path: C:\Windows\system32\DRIVERS\netbios.sys
Address: 0x8BAF5000 Size: 57344 File Visible: -
Status: -
Name: netbt.sys
Image Path: C:\Windows\System32\DRIVERS\netbt.sys
Address: 0x8BAAD000 Size: 204800 File Visible: -
Status: -
Name: NETIO.SYS
Image Path: C:\Windows\system32\drivers\NETIO.SYS
Address: 0x83337000 Size: 237568 File Visible: -
Status: -
Name: Npfs.SYS
Image Path: C:\Windows\System32\Drivers\Npfs.SYS
Address: 0x8B4C1000 Size: 57344 File Visible: -
Status: -
Name: nsiproxy.sys
Image Path: C:\Windows\system32\drivers\nsiproxy.sys
Address: 0x8BB52000 Size: 40960 File Visible: -
Status: -
Name: Ntfs.sys
Image Path: C:\Windows\System32\Drivers\Ntfs.sys
Address: 0x8680F000 Size: 1110016 File Visible: -
Status: -
Name: NTIDrvr.sys
Image Path: C:\Windows\system32\DRIVERS\NTIDrvr.sys
Address: 0x8ABF3000 Size: 6144 File Visible: -
Status: -
Name: ntkrnlpa.exe
Image Path: C:\Windows\system32\ntkrnlpa.exe
Address: 0x8241A000 Size: 3903488 File Visible: -
Status: -
Name: Null.SYS
Image Path: C:\Windows\System32\Drivers\Null.SYS
Address: 0x8B433000 Size: 28672 File Visible: -
Status: -
Name: ohci1394.sys
Image Path: C:\Windows\system32\DRIVERS\ohci1394.sys
Address: 0x8ABB1000 Size: 61952 File Visible: -
Status: -
Name: pacer.sys
Image Path: C:\Windows\system32\DRIVERS\pacer.sys
Address: 0x8BADF000 Size: 90112 File Visible: -
Status: -
Name: parport.sys
Image Path: C:\Windows\system32\DRIVERS\parport.sys
Address: 0x89FDA000 Size: 98304 File Visible: -
Status: -
Name: partmgr.sys
Image Path: C:\Windows\System32\drivers\partmgr.sys
Address: 0x82B11000 Size: 61440 File Visible: -
Status: -
Name: parvdm.sys
Image Path: C:\Windows\system32\DRIVERS\parvdm.sys
Address: 0xA78C4000 Size: 28672 File Visible: -
Status: -
Name: pci.sys
Image Path: C:\Windows\system32\drivers\pci.sys
Address: 0x82AEA000 Size: 159744 File Visible: -
Status: -
Name: PCIIDEX.SYS
Image Path: C:\Windows\system32\drivers\PCIIDEX.SYS
Address: 0x82B80000 Size: 57344 File Visible: -
Status: -
Name: peauth.sys
Image Path: C:\Windows\system32\drivers\peauth.sys
Address: 0xA78DC000 Size: 909312 File Visible: -
Status: -
Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x8241A000 Size: 3903488 File Visible: -
Status: -
Name: portcls.sys
Image Path: C:\Windows\system32\drivers\portcls.sys
Address: 0x8B3C8000 Size: 184320 File Visible: -
Status: -
Name: psdfilter.sys
Image Path: C:\Windows\system32\DRIVERS\psdfilter.sys
Address: 0x8312D000 Size: 36864 File Visible: -
Status: -
Name: PSDNServ.sys
Image Path: C:\Windows\system32\drivers\PSDNServ.sys
Address: 0x86971000 Size: 36864 File Visible: -
Status: -
Name: psdvdisk.sys
Image Path: C:\Windows\system32\drivers\psdvdisk.sys
Address: 0x8695F000 Size: 73728 File Visible: -
Status: -
Name: PSHED.dll
Image Path: C:\Windows\system32\PSHED.dll
Address: 0x80677000 Size: 69632 File Visible: -
Status: -
Name: rasacd.sys
Image Path: C:\Windows\System32\DRIVERS\rasacd.sys
Address: 0x8B4CF000 Size: 36864 File Visible: -
Status: -
Name: rasl2tp.sys
Image Path: C:\Windows\system32\DRIVERS\rasl2tp.sys
Address: 0x831A7000 Size: 94208 File Visible: -
Status: -
Name: raspppoe.sys
Image Path: C:\Windows\system32\DRIVERS\raspppoe.sys
Address: 0x86800000 Size: 61440 File Visible: -
Status: -
Name: raspptp.sys
Image Path: C:\Windows\system32\DRIVERS\raspptp.sys
Address: 0x831E1000 Size: 81920 File Visible: -
Status: -
Name: rassstp.sys
Image Path: C:\Windows\system32\DRIVERS\rassstp.sys
Address: 0x82B9E000 Size: 86016 File Visible: -
Status: -
Name: RAW
Image Path: \FileSystem\RAW
Address: 0x8241A000 Size: 3903488 File Visible: -
Status: -
Name: rdbss.sys
Image Path: C:\Windows\system32\DRIVERS\rdbss.sys
Address: 0x8BB16000 Size: 245760 File Visible: -
Status: -
Name: RDPCDD.sys
Image Path: C:\Windows\System32\DRIVERS\RDPCDD.sys
Address: 0x8B47E000 Size: 32768 File Visible: -
Status: -
Name: rdpencdd.sys
Image Path: C:\Windows\system32\drivers\rdpencdd.sys
Address: 0x8B486000 Size: 32768 File Visible: -
Status: -
Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x8B200000 Size: 45056 File Visible: No
Status: -
Name: rspndr.sys
Image Path: C:\Windows\system32\DRIVERS\rspndr.sys
Address: 0x80CEE000 Size: 77824 File Visible: -
Status: -
Name: RTKVHDA.sys
Image Path: C:\Windows\system32\drivers\RTKVHDA.sys
Address: 0x8B220000 Size: 1733952 File Visible: -
Status: -
Name: secdrv.SYS
Image Path: C:\Windows\System32\Drivers\secdrv.SYS
Address: 0xA79BA000 Size: 40960 File Visible: -
Status: -
Name: serenum.sys
Image Path: C:\Windows\system32\DRIVERS\serenum.sys
Address: 0x8ABE9000 Size: 40960 File Visible: -
Status: -
Name: serial.sys
Image Path: C:\Windows\system32\DRIVERS\serial.sys
Address: 0x8ABCF000 Size: 106496 File Visible: -
Status: -
Name: smb.sys
Image Path: C:\Windows\system32\DRIVERS\smb.sys
Address: 0x8BA51000 Size: 81920 File Visible: -
Status: -
Name: smserial.sys
Image Path: C:\Windows\system32\DRIVERS\smserial.sys
Address: 0x89EEA000 Size: 982272 File Visible: -
Status: -
Name: spldr.sys
Image Path: C:\Windows\System32\Drivers\spldr.sys
Address: 0x86957000 Size: 32768 File Visible: -
Status: -
Name: spsys.sys
Image Path: C:\Windows\system32\drivers\spsys.sys
Address: 0x80C2F000 Size: 716800 File Visible: -
Status: -
Name: srv.sys
Image Path: C:\Windows\System32\DRIVERS\srv.sys
Address: 0xA7878000 Size: 311296 File Visible: -
Status: -
Name: srv2.sys
Image Path: C:\Windows\System32\DRIVERS\srv2.sys
Address: 0xA7851000 Size: 159744 File Visible: -
Status: -
Name: srvnet.sys
Image Path: C:\Windows\System32\DRIVERS\srvnet.sys
Address: 0x80D6C000 Size: 118784 File Visible: -
Status: -
Name: storport.sys
Image Path: C:\Windows\system32\DRIVERS\storport.sys
Address: 0x833B7000 Size: 266240 File Visible: -
Status: -
Name: swenum.sys
Image Path: C:\Windows\system32\DRIVERS\swenum.sys
Address: 0x8ABFC000 Size: 4992 File Visible: -
Status: -
Name: tcpip.sys
Image Path: C:\Windows\System32\drivers\tcpip.sys
Address: 0x8B4D8000 Size: 946176 File Visible: -
Status: -
Name: tcpipreg.sys
Image Path: C:\Windows\System32\drivers\tcpipreg.sys
Address: 0xA79C4000 Size: 49152 File Visible: -
Status: -
Name: TDI.SYS
Image Path: C:\Windows\system32\DRIVERS\TDI.SYS
Address: 0x89FF2000 Size: 45056 File Visible: -
Status: -
Name: tdx.sys
Image Path: C:\Windows\system32\DRIVERS\tdx.sys
Address: 0x8BA29000 Size: 90112 File Visible: -
Status: -
Name: termdd.sys
Image Path: C:\Windows\system32\DRIVERS\termdd.sys
Address: 0x82BB3000 Size: 65536 File Visible: -
Status: -
Name: TSDDD.dll
Image Path: C:\Windows\System32\TSDDD.dll
Address: 0x93E40000 Size: 36864 File Visible: -
Status: -
Name: tunmp.sys
Image Path: C:\Windows\system32\DRIVERS\tunmp.sys
Address: 0x89ED2000 Size: 36864 File Visible: -
Status: -
Name: tunnel.sys
Image Path: C:\Windows\system32\DRIVERS\tunnel.sys
Address: 0x89EC7000 Size: 45056 File Visible: -
Status: -
Name: umbus.sys
Image Path: C:\Windows\system32\DRIVERS\umbus.sys
Address: 0x807B1000 Size: 53248 File Visible: -
Status: -
Name: usbccgp.sys
Image Path: C:\Windows\system32\DRIVERS\usbccgp.sys
Address: 0x8BBA3000 Size: 94208 File Visible: -
Status: -
Name: USBD.SYS
Image Path: C:\Windows\system32\DRIVERS\USBD.SYS
Address: 0x8BBBA000 Size: 8192 File Visible: -
Status: -
Name: usbehci.sys
Image Path: C:\Windows\system32\DRIVERS\usbehci.sys
Address: 0x8AB95000 Size: 61440 File Visible: -
Status: -
Name: usbhub.sys
Image Path: C:\Windows\system32\DRIVERS\usbhub.sys
Address: 0x807BE000 Size: 212992 File Visible: -
Status: -
Name: USBPORT.SYS
Image Path: C:\Windows\system32\DRIVERS\USBPORT.SYS
Address: 0x8AB57000 Size: 253952 File Visible: -
Status: -
Name: usbprint.sys
Image Path: C:\Windows\system32\DRIVERS\usbprint.sys
Address: 0x8B3F5000 Size: 40960 File Visible: -
Status: -
Name: USBSTOR.SYS
Image Path: C:\Windows\system32\DRIVERS\USBSTOR.SYS
Address: 0x8B5DA000 Size: 73728 File Visible: -
Status: -
Name: usbuhci.sys
Image Path: C:\Windows\system32\DRIVERS\usbuhci.sys
Address: 0x8AB4C000 Size: 45056 File Visible: -
Status: -
Name: vga.sys
Image Path: C:\Windows\System32\drivers\vga.sys
Address: 0x8B451000 Size: 49152 File Visible: -
Status: -
Name: VIDEOPRT.SYS
Image Path: C:\Windows\System32\drivers\VIDEOPRT.SYS
Address: 0x8B45D000 Size: 135168 File Visible: -
Status: -
Name: volmgr.sys
Image Path: C:\Windows\system32\drivers\volmgr.sys
Address: 0x82B20000 Size: 61440 File Visible: -
Status: -
Name: volmgrx.sys
Image Path: C:\Windows\System32\drivers\volmgrx.sys
Address: 0x82B2F000 Size: 303104 File Visible: -
Status: -
Name: volsnap.sys
Image Path: C:\Windows\system32\drivers\volsnap.sys
Address: 0x8691E000 Size: 233472 File Visible: -
Status: -
Name: wanarp.sys
Image Path: C:\Windows\system32\DRIVERS\wanarp.sys
Address: 0x8BB03000 Size: 77824 File Visible: -
Status: -
Name: watchdog.sys
Image Path: C:\Windows\System32\drivers\watchdog.sys
Address: 0x8AAF3000 Size: 53248 File Visible: -
Status: -
Name: Wdf01000.sys
Image Path: C:\Windows\system32\drivers\Wdf01000.sys
Address: 0x82A0A000 Size: 507904 File Visible: -
Status: -
Name: WDFLDR.SYS
Image Path: C:\Windows\system32\drivers\WDFLDR.SYS
Address: 0x82A86000 Size: 53248 File Visible: -
Status: -
Name: Win32k
Image Path: \Driver\Win32k
Address: 0x93C20000 Size: 2105344 File Visible: -
Status: -
Name: win32k.sys
Image Path: C:\Windows\System32\win32k.sys
Address: 0x93C20000 Size: 2105344 File Visible: -
Status: -
Name: WMILIB.SYS
Image Path: C:\Windows\system32\drivers\WMILIB.SYS
Address: 0x82AD9000 Size: 36864 File Visible: -
Status: -
Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x8241A000 Size: 3903488 File Visible: -
Status: -
Name: kungsfrxeetwos.sys
Image Path: C:\Windows\system32\drivers\kungsfrxeetwos.sys
Address: 0x8B48E000 Size: 163840 File Visible: -
Status: Hidden from Windows API!
Is this what we're looking for?
Yeah, I shows further up in the drivers list to, I'm just trying to figure what it belongs to, can't find anything at the moment of that name ot of the likes of "kung[random characters].sys" to make sure it is safe to place in the script to have it deleted.
Quads
this also showed up when i used MalwareBytes AntiMalware
Can you post the Malwarebytes log, to see the name, what was detected, any corrosponding .dll files etc. even though it's still there, so like others of this sort not deleted.
Quads
tofu99 wrote:
one more thing, my computer just recently "crash dumped" a blue screen appeared and my system shutdown. does this mean anything?
That can happen if a file is being attempted to be removed and is still running as a service.
Waiting for Malwarebytes log
Quads
i’m rescanning now. how long will you be online?