Solved dllhost.exe COM Surrogate 32* Virus

M

Magum_RK

New Member
Thread author
Jan 8, 2015
4
Hi, I've been experiencing memory and disk problems for about 2 days and think it's due to dllhost.exe and COM Surrogate (32). I stop the process and it inevitably starts back up almost immediately. I have seen other threads similar too mine but I don't know how to get rid of this life sucking virus from my computer. An OS reinstallation did not fix my problem and I believe this virus/trojan is deep inside my pc.
 

Attachments

  • FRST.txt
    23.8 KB · Views: 90
TwinHeadedEagle

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
PC seems clean, I do not see active infection here. Let's make one more check:


Download
51a5f31352b88-icon_MBAR.png
Malwarebytes Anti-Rootkit to your desktop.
  • Double-click the icon to start the tool.
  • It will ask you where to extract it, then it will start.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder and paste the content of the following files in your next reply:
    • "mbar-log-{date} (xx-xx-xx).txt"
    • "system-log.txt"
 
M

Magum_RK

New Member
Thread author
Jan 8, 2015
4
Malwarebytes Anti-Rootkit BETA 1.08.2.1001
www.malwarebytes.org

Database version: v2015.01.09.12

Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16635
Nobay_H :: VAIO [administrator]

1/9/2015 9:52:15 AM
mbar-log-2015-01-09 (09-52-15).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 323252
Time elapsed: 11 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.08.2.1001

(c) Malwarebytes Corporation 2011-2012

OS version: 6.2.9200 Windows 8 x64

Account is Administrative

Internet Explorer version: 10.0.9200.16635

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.800000 GHz
Memory total: 4185702400, free: 468119552

=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.08.2.1001

(c) Malwarebytes Corporation 2011-2012

OS version: 6.2.9200 Windows 8 x64

Account is Administrative

Internet Explorer version: 10.0.9200.16635

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.800000 GHz
Memory total: 4185702400, free: 516153344

Downloaded database version: v2015.01.08.14
Downloaded database version: v2015.01.07.01
Downloaded database version: v2014.12.06.01
=======================================
Initializing...
------------ Kernel report ------------
01/08/2015 12:37:56
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kd.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\System32\drivers\CLFS.SYS
\SystemRoot\System32\drivers\tm.sys
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CI.dll
\SystemRoot\System32\drivers\msrpc.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\System32\Drivers\acpiex.sys
\SystemRoot\System32\Drivers\WppRecorder.sys
\SystemRoot\System32\drivers\ACPI.sys
\SystemRoot\System32\drivers\WMILIB.SYS
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\msisadrv.sys
\SystemRoot\System32\drivers\pci.sys
\SystemRoot\System32\drivers\vdrvroot.sys
\SystemRoot\system32\DRIVERS\hiosd.sys
\SystemRoot\system32\DRIVERS\FLTMGR.SYS
\SystemRoot\system32\drivers\pdc.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\kl1.sys
\SystemRoot\System32\drivers\spaceport.sys
\SystemRoot\System32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\System32\drivers\storahci.sys
\SystemRoot\System32\drivers\storport.sys
\SystemRoot\System32\drivers\EhStorClass.sys
\SystemRoot\System32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\DRIVERS\wfplwfs.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\System32\drivers\volsnap.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\IntelPcc.sys
\SystemRoot\System32\drivers\disk.sys
\SystemRoot\System32\drivers\CLASSPNP.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\system32\DRIVERS\hiofs.sys
\SystemRoot\system32\DRIVERS\klif.sys
\SystemRoot\system32\DRIVERS\klflt.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\BasicRender.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\System32\drivers\BasicDisplay.sys
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\system32\DRIVERS\klwfp.sys
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\klim6.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\drivers\npsvctrig.sys
\SystemRoot\System32\drivers\mssmbios.sys
\SystemRoot\system32\DRIVERS\kneps.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\System32\drivers\CompositeBus.sys
\SystemRoot\System32\drivers\usb3Hub.sys
\SystemRoot\System32\drivers\USBD.SYS
\SystemRoot\system32\DRIVERS\kdnic.sys
\SystemRoot\System32\drivers\umbus.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\drivers\HDAudBus.sys
\SystemRoot\System32\drivers\USBXHCI.SYS
\SystemRoot\System32\drivers\ucx01000.sys
\SystemRoot\system32\DRIVERS\TeeDriverx64.sys
\SystemRoot\system32\DRIVERS\NETwew02.sys
\SystemRoot\System32\drivers\vwifibus.sys
\SystemRoot\system32\DRIVERS\Rt630x64.sys
\SystemRoot\system32\DRIVERS\RtsPer.sys
\SystemRoot\System32\drivers\usbehci.sys
\SystemRoot\System32\drivers\USBPORT.SYS
\SystemRoot\System32\drivers\msgpiowin32.sys
\SystemRoot\System32\drivers\SFEP.sys
\SystemRoot\System32\drivers\i8042prt.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\klkbdflt.sys
\SystemRoot\System32\drivers\kbdclass.sys
\SystemRoot\system32\DRIVERS\klmouflt.sys
\SystemRoot\System32\drivers\mouclass.sys
\SystemRoot\system32\DRIVERS\Smb_driver_Intel.sys
\SystemRoot\System32\drivers\CmBatt.sys
\SystemRoot\System32\drivers\BATTC.SYS
\SystemRoot\System32\drivers\intelppm.sys
\SystemRoot\system32\drivers\tpm.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\System32\drivers\swenum.sys
\SystemRoot\System32\drivers\ks.sys
\SystemRoot\System32\drivers\iwdbus.sys
\SystemRoot\System32\drivers\rdpbus.sys
\SystemRoot\System32\drivers\AMPPAL.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\drivers\usbhub.sys
\SystemRoot\system32\DRIVERS\portcls.sys
\SystemRoot\system32\DRIVERS\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\System32\drivers\UsbHub3.sys
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\System32\drivers\hidusb.sys
\SystemRoot\System32\drivers\HIDCLASS.SYS
\SystemRoot\System32\drivers\HIDPARSE.SYS
\SystemRoot\System32\drivers\mouhid.sys
\SystemRoot\system32\DRIVERS\ibtusb.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_storahci.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\System32\drivers\condrv.sys
\SystemRoot\system32\DRIVERS\vwifimp.sys
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\drivers\Ndu.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\System32\drivers\WUDFRd.sys
\SystemRoot\System32\drivers\rdpvideominiport.sys
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\DRIVERS\btmhsf.sys
\SystemRoot\System32\Drivers\BTHUSB.sys
\SystemRoot\System32\Drivers\bthport.sys
\SystemRoot\system32\DRIVERS\BthLEEnum.sys
\SystemRoot\System32\drivers\rfcomm.sys
\SystemRoot\System32\drivers\BthEnum.sys
\SystemRoot\system32\DRIVERS\bthpan.sys
\SystemRoot\system32\DRIVERS\btmaux.sys
\SystemRoot\System32\drivers\umpass.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80059e3060
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\00000037\
Lower Device Object: 0xfffffa8004f89730
Lower Device Driver Name: \Driver\storahci\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80059e3060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80051edb10, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8005975050, DeviceName: \Device\hiosd0\, DriverName: \Driver\hiosd\
DevicePointer: 0xfffffa80059e3060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xfffffa80050f6d20, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa8004f89730, DeviceName: \Device\00000037\, DriverName: \Driver\storahci\
------------ End ----------
Alternate DeviceName: \Device\hiosd0\, DriverName: \Driver\hiosd\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: 7857B89

GPT Protective MBR Partition information:

Partition 0 type is EFI-GPT (0xee)
Partition is NOT ACTIVE.
Partition starts at LBA: 1 Numsec = 1496426399

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

GPT Partition information:

GPT Header Signature 4546492050415254
GPT Header Revision 65536 Size 92 CRC 1053952167
GPT Header CurrentLba = 1 BackupLba 1496426399
GPT Header FirstUsableLba 34 LastUsableLba 1496426366
GPT Header Guid da109c20-c3b9-44d7-aa35-2d6d4ceef853
GPT Header Contains 128 partition entries starting at LBA 2
GPT Header Partition entry size = 128

Backup GPT header Signature 4546492050415254
Backup GPT header Revision 65536 Size 92 CRC 1053952167
Backup GPT header CurrentLba = 1496426399 BackupLba 1
Backup GPT header FirstUsableLba 34 LastUsableLba 1496426366
Backup GPT header Guid da109c20-c3b9-44d7-aa35-2d6d4ceef853
Backup GPT header Contains 128 partition entries starting at LBA 1496426367
Backup GPT header Partition entry size = 128

Partition 0 Type f4019732-66e-4e12-8273-346c5641494f
Partition ID de3efbb5-897c-4749-9622-e9fdf43d222
FirstLBA 2048 Last LBA 534527
Attributes 1
Partition Name EFI system partition

Partition 1 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
Partition ID 55046782-4930-4c62-83ba-ccead3688ad
FirstLBA 534528 Last LBA 3553279
Attributes 1
Partition Name Basic data partition

Partition 2 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
Partition ID 3681607-bf69-4282-b3dd-4e59b0a8e932
FirstLBA 3553280 Last LBA 4085759
Attributes 0
Partition Name EFI system partition

GPT Partition 2 is bootable
Partition 3 Type e3c9e316-b5c-4db8-817d-f92df0215ae
Partition ID 70a03778-1445-4a64-8148-a1983a2fa141
FirstLBA 4085760 Last LBA 4347903
Attributes 0
Partition Name Microsoft reserved partition

Partition 4 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Partition ID ee888eec-552-4a9c-bf59-439965e6de55
FirstLBA 4347904 Last LBA 1398515711
Attributes 0
Partition Name Basic data partition

Partition 5 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
Partition ID ec79c1e1-4815-4047-8598-9a5f4477c69
FirstLBA 1398515712 Last LBA 1399437311
Attributes 1
Partition Name

Partition 6 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
Partition ID 84b0cab6-d78-469f-b1f8-f93ede52f977
FirstLBA 1399437312 Last LBA 1400154111
Attributes 1
Partition Name

Partition 7 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
Partition ID 5c85442e-f64d-49c7-af7a-c6f3f4c29968
FirstLBA 1400154112 Last LBA 1465147391
Attributes 1
Partition Name Basic data partition

Partition 8 Type 873a3810-c9a2-4126-bf34-970169d9732
Partition ID d2ac05c2-ed09-48ae-b868-58da2326158b
FirstLBA 1465149168 Last LBA 1496422127
Attributes 1
Partition Name

Disk Size: 766170316800 bytes
Sector size: 512 bytes

Done!
Scan finished
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.08.2.1001

(c) Malwarebytes Corporation 2011-2012

OS version: 6.2.9200 Windows 8 x64

Account is Administrative

Internet Explorer version: 10.0.9200.16635

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.800000 GHz
Memory total: 4185702400, free: 646664192

=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.08.2.1001

(c) Malwarebytes Corporation 2011-2012

OS version: 6.2.9200 Windows 8 x64

Account is Administrative

Internet Explorer version: 10.0.9200.16635

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.800000 GHz
Memory total: 4185702400, free: 2068484096

Downloaded database version: v2015.01.09.12
Downloaded database version: v2015.01.07.01
Downloaded database version: v2014.12.06.01
=======================================
Initializing...
------------ Kernel report ------------
01/09/2015 09:52:08
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kd.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\System32\drivers\CLFS.SYS
\SystemRoot\System32\drivers\tm.sys
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CI.dll
\SystemRoot\System32\drivers\msrpc.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\System32\Drivers\acpiex.sys
\SystemRoot\System32\Drivers\WppRecorder.sys
\SystemRoot\System32\drivers\ACPI.sys
\SystemRoot\System32\drivers\WMILIB.SYS
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\msisadrv.sys
\SystemRoot\System32\drivers\pci.sys
\SystemRoot\System32\drivers\vdrvroot.sys
\SystemRoot\system32\DRIVERS\hiosd.sys
\SystemRoot\system32\DRIVERS\FLTMGR.SYS
\SystemRoot\system32\drivers\pdc.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\kl1.sys
\SystemRoot\System32\drivers\spaceport.sys
\SystemRoot\System32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\System32\drivers\storahci.sys
\SystemRoot\System32\drivers\storport.sys
\SystemRoot\System32\drivers\EhStorClass.sys
\SystemRoot\System32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\DRIVERS\wfplwfs.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\System32\drivers\volsnap.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\IntelPcc.sys
\SystemRoot\System32\drivers\disk.sys
\SystemRoot\System32\drivers\CLASSPNP.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\system32\DRIVERS\hiofs.sys
\SystemRoot\system32\DRIVERS\klif.sys
\SystemRoot\system32\DRIVERS\klflt.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\BasicRender.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\System32\drivers\BasicDisplay.sys
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\system32\DRIVERS\klwfp.sys
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\klim6.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\drivers\npsvctrig.sys
\SystemRoot\System32\drivers\mssmbios.sys
\SystemRoot\system32\DRIVERS\kneps.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\System32\drivers\CompositeBus.sys
\SystemRoot\System32\drivers\usb3Hub.sys
\SystemRoot\System32\drivers\USBD.SYS
\SystemRoot\system32\DRIVERS\kdnic.sys
\SystemRoot\System32\drivers\umbus.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\drivers\HDAudBus.sys
\SystemRoot\System32\drivers\USBXHCI.SYS
\SystemRoot\System32\drivers\ucx01000.sys
\SystemRoot\system32\DRIVERS\TeeDriverx64.sys
\SystemRoot\system32\DRIVERS\NETwew02.sys
\SystemRoot\System32\drivers\vwifibus.sys
\SystemRoot\system32\DRIVERS\Rt630x64.sys
\SystemRoot\system32\DRIVERS\RtsPer.sys
\SystemRoot\System32\drivers\usbehci.sys
\SystemRoot\System32\drivers\USBPORT.SYS
\SystemRoot\System32\drivers\msgpiowin32.sys
\SystemRoot\System32\drivers\SFEP.sys
\SystemRoot\System32\drivers\i8042prt.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\klkbdflt.sys
\SystemRoot\System32\drivers\kbdclass.sys
\SystemRoot\system32\DRIVERS\klmouflt.sys
\SystemRoot\System32\drivers\mouclass.sys
\SystemRoot\system32\DRIVERS\Smb_driver_Intel.sys
\SystemRoot\System32\drivers\CmBatt.sys
\SystemRoot\System32\drivers\BATTC.SYS
\SystemRoot\System32\drivers\intelppm.sys
\SystemRoot\system32\drivers\tpm.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\System32\drivers\swenum.sys
\SystemRoot\System32\drivers\ks.sys
\SystemRoot\System32\drivers\iwdbus.sys
\SystemRoot\System32\drivers\rdpbus.sys
\SystemRoot\System32\drivers\AMPPAL.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\drivers\usbhub.sys
\SystemRoot\system32\DRIVERS\portcls.sys
\SystemRoot\system32\DRIVERS\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\System32\drivers\UsbHub3.sys
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\System32\drivers\hidusb.sys
\SystemRoot\System32\drivers\HIDCLASS.SYS
\SystemRoot\System32\drivers\HIDPARSE.SYS
\SystemRoot\System32\drivers\mouhid.sys
\SystemRoot\system32\DRIVERS\ibtusb.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_storahci.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\System32\drivers\condrv.sys
\SystemRoot\system32\DRIVERS\vwifimp.sys
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\drivers\Ndu.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\System32\drivers\WUDFRd.sys
\SystemRoot\System32\drivers\rdpvideominiport.sys
\SystemRoot\system32\DRIVERS\btmhsf.sys
\SystemRoot\System32\Drivers\BTHUSB.sys
\SystemRoot\System32\Drivers\bthport.sys
\SystemRoot\system32\DRIVERS\BthLEEnum.sys
\SystemRoot\System32\drivers\rfcomm.sys
\SystemRoot\System32\drivers\BthEnum.sys
\SystemRoot\system32\DRIVERS\bthpan.sys
\SystemRoot\system32\DRIVERS\btmaux.sys
\SystemRoot\System32\drivers\umpass.sys
\SystemRoot\System32\cdd.dll
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80059e3060
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\00000037\
Lower Device Object: 0xfffffa8004f89730
Lower Device Driver Name: \Driver\storahci\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80059e3060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80051edb10, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8005975050, DeviceName: \Device\hiosd0\, DriverName: \Driver\hiosd\
DevicePointer: 0xfffffa80059e3060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xfffffa80050f6d20, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa8004f89730, DeviceName: \Device\00000037\, DriverName: \Driver\storahci\
------------ End ----------
Alternate DeviceName: \Device\hiosd0\, DriverName: \Driver\hiosd\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: 7857B89

GPT Protective MBR Partition information:

Partition 0 type is EFI-GPT (0xee)
Partition is NOT ACTIVE.
Partition starts at LBA: 1 Numsec = 1496426399

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

GPT Partition information:

GPT Header Signature 4546492050415254
GPT Header Revision 65536 Size 92 CRC 1053952167
GPT Header CurrentLba = 1 BackupLba 1496426399
GPT Header FirstUsableLba 34 LastUsableLba 1496426366
GPT Header Guid da109c20-c3b9-44d7-aa35-2d6d4ceef853
GPT Header Contains 128 partition entries starting at LBA 2
GPT Header Partition entry size = 128

Backup GPT header Signature 4546492050415254
Backup GPT header Revision 65536 Size 92 CRC 1053952167
Backup GPT header CurrentLba = 1496426399 BackupLba 1
Backup GPT header FirstUsableLba 34 LastUsableLba 1496426366
Backup GPT header Guid da109c20-c3b9-44d7-aa35-2d6d4ceef853
Backup GPT header Contains 128 partition entries starting at LBA 1496426367
Backup GPT header Partition entry size = 128

Partition 0 Type f4019732-66e-4e12-8273-346c5641494f
Partition ID de3efbb5-897c-4749-9622-e9fdf43d222
FirstLBA 2048 Last LBA 534527
Attributes 1
Partition Name EFI system partition

Partition 1 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
Partition ID 55046782-4930-4c62-83ba-ccead3688ad
FirstLBA 534528 Last LBA 3553279
Attributes 1
Partition Name Basic data partition

Partition 2 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
Partition ID 3681607-bf69-4282-b3dd-4e59b0a8e932
FirstLBA 3553280 Last LBA 4085759
Attributes 0
Partition Name EFI system partition

GPT Partition 2 is bootable
Partition 3 Type e3c9e316-b5c-4db8-817d-f92df0215ae
Partition ID 70a03778-1445-4a64-8148-a1983a2fa141
FirstLBA 4085760 Last LBA 4347903
Attributes 0
Partition Name Microsoft reserved partition

Partition 4 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
Partition ID ee888eec-552-4a9c-bf59-439965e6de55
FirstLBA 4347904 Last LBA 1398515711
Attributes 0
Partition Name Basic data partition

Partition 5 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
Partition ID ec79c1e1-4815-4047-8598-9a5f4477c69
FirstLBA 1398515712 Last LBA 1399437311
Attributes 1
Partition Name

Partition 6 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
Partition ID 84b0cab6-d78-469f-b1f8-f93ede52f977
FirstLBA 1399437312 Last LBA 1400154111
Attributes 1
Partition Name

Partition 7 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
Partition ID 5c85442e-f64d-49c7-af7a-c6f3f4c29968
FirstLBA 1400154112 Last LBA 1465147391
Attributes 1
Partition Name Basic data partition

Partition 8 Type 873a3810-c9a2-4126-bf34-970169d9732
Partition ID d2ac05c2-ed09-48ae-b868-58da2326158b
FirstLBA 1465149168 Last LBA 1496422127
Attributes 1
Partition Name

Disk Size: 766170316800 bytes
Sector size: 512 bytes

Done!
Scan finished
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
 
TwinHeadedEagle

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Glad I could help. We will delete all used tools and I'll give you some tips to harden your security and learn how to protect yourself :)


Recommended reading:
icon_exclaim.gif
MUST READ - security tips:

icon_exclaim.gif
MUST READ - general maintenance:


The Importance of Software Updating:

In order to stay protected it is very important that you regularly update all of your software. Cybercriminals depend on the apathy of users around software updates to keep their malicious endeavor running.

Operating systems, such as Windows, and applications, such as Adobe Reader or JAVA, are used by tens of millions of computers and devices around the world, making them a huge target for cybercriminals. Downloading updates and installing them can sometimes be tedious, but the advantages you get from the updates are certainly worth it.



Recommended additional software:
icon_arrow.gif
TFC - to clean unneeded temporary files.
icon_arrow.gif
Malwarebytes' Anti-Malware - to scan your system from time to time in search for malware.
icon_arrow.gif
Malwarebytes' Anti-Exploit - to prevent plenty of mostly exploited vulnerabilities.
icon_arrow.gif
McShield - to prevent infections spread by removable media.
icon_arrow.gif
Unchecky - to prevent from installing additional foistware, implemented in legitimate installations.
icon_arrow.gif
Adblock - to surf the web without annoying ads!



Post-cleanup procedures:


Download DelFix by Xplode and save it to your desktop.
  • Run the tool by right click on the
    51a5ce45263de-delfix.png
    icon and Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run and wait until the tool completes his work.
  • All tools we used should be gone. Tool will create an report for you (C:\DelFix.txt)
The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.



My help is free for everybody.
If you're happy with the help provided and/or wish to buy me a beer for the assistance you received, then you can consider a donation:
Thank you!​




Stay safe,
TwinHeadedEagle :)
 

Similar threads

S
  • Locked
COM Surrogate eats 20% of CPU. And I don't know if its that a virus or not. Could anyone help me?
Replies
1
Views
1,203
Windows Malware Removal Help & Support
nasdaq
nasdaq
danted4
  • Locked
COM Surrogate (dllhost) from appdata roaming folder
Replies
8
Views
4,286
Windows Malware Removal Help & Support
danted4
danted4
Trident
    • Like
    • +Reputation
    • Thanks
Serious Discussion Decoding the Trend Micro Components and Protection Model
Replies
24
Views
2,964
Other security for Windows, Mac, Linux
Mahesh Sudula
Mahesh Sudula

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top