msfwhlpr.sys potential malware message in event log

lurker

I can't find a hit in google. I keep seeing this message in my event log.

Windows Defender Real-Time Protection agent has detected potential malware.
For more information please see the following:
http://www.microsoft.com
Scan ID: {CBC7D30E-7B03-4048-96B4-023D8E8D7DBF}
User: KING-DADDY\clackey
Threat Name: Unknown
Threat Id:
Threat Severity:
Threat Category:
Path Found: driver:MSFWHLPR;file:C:\WINDOWS\system32\DRIVERS\msfwhlpr.sys
Threat Classification: Unknown
Detection Type:
 
Bill Sanderson MVP

The message by itself means little--it's an unknown driver--not necessarily
bad, just not known to be good.

Not being able to google it tends towards the bad side, though.

Can you spot where it is located on your system--the folder path may give
some clues to whether it has legitimate ownership and provenance?
 
Bill Sanderson MVP

Sorry - I see that the path is in the message, and doesn't help.
right-clicking the file and looking at properties might give some useful
data, or not. Ditto searching the registry for the filename, and seeing
whether there's other identifying information relating to what put it there.
 
Guest

Gee, guys. I do believe that is a driver update for the Windows Live One
Care firewall. I just downloaded it 2 days ago to check it out, and there
was an update last evening.
 
Bill Sanderson MVP

Hmm - leave it to me to look in Google, but not in my own systems!

OK--I agree:
Lurker--assuming your file looks a lot like mine, below, and you are running
OneCare, I think you are fine.

(wipes egg off face.......)

Thanks, Old Rebel!


dir \msfwhlpr.sys /s

Volume in drive E has no label.
Volume Serial Number is 48D3-3BCA

Directory of E:\Program Files\Microsoft Windows OneCare Live\Firewall\Drivers\MSFWhlpr

05/09/2006 10:15 PM 108,032 msfwhlpr.sys
1 File(s) 108,032 bytes

Directory of E:\WINDOWS\system32\drivers

05/09/2006 10:15 PM 108,032 msfwhlpr.sys
1 File(s) 108,032 bytes

Directory of E:\WINDOWS\system32\DRVSTORE\msfwhlpr_CC260A8846E2C104F2BC8912EF26B0A181F9B26F

05/09/2006 10:15 PM 108,032 msfwhlpr.sys
1 File(s) 108,032 bytes

--
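The `dir /s` listing above compares copies of the driver by size and timestamp only. The following PowerShell triage script is an added example, not code from the thread or from Microsoft; it takes the filename and the `driver:MSFWHLPR` service name from the Defender event text quoted at the top of the thread and assumes a modern Windows host with PowerShell 4.0 or later (for `Get-FileHash`). It locates every copy on every fixed drive, hashes each one, checks its Authenticode signature and version resource, warns if the copies are not byte-identical, and then reads the service registry key and live driver state so you can see what actually loads the file and from where.

```powershell
# Added triage example, not from the original thread. Assumes PowerShell 4.0+.
# Filename and service name come from the Defender message:
#   Path Found: driver:MSFWHLPR;file:C:\WINDOWS\system32\DRIVERS\msfwhlpr.sys
$name    = 'msfwhlpr.sys'
$service = 'MSFWHLPR'

# 1. Find every copy on every filesystem drive (the PowerShell equivalent of `dir \msfwhlpr.sys /s`
#    run once per volume). Errors from unreadable folders are suppressed, not fatal.
$copies = Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    Get-ChildItem -Path $_.Root -Filter $name -Recurse -File -ErrorAction SilentlyContinue
}

# 2. For each copy: hash, Authenticode status, signer, and the version resource.
#    A driver that ships with a product should be signed; "NotSigned" or "HashMismatch"
#    on a file that claims to be Microsoft's is the thing to worry about, not the filename.
$report = foreach ($f in $copies) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path      = $f.FullName
        Size      = $f.Length
        Modified  = $f.LastWriteTime
        SHA256    = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        SigStatus = $sig.Status              # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer    = $sig.SignerCertificate.Subject
        Version   = $f.VersionInfo.FileVersion
        Company   = $f.VersionInfo.CompanyName
    }
}
$report | Format-Table -AutoSize

# 3. Installed copy, driver store copy and product folder copy should all be the same bytes.
#    More than one distinct hash means one copy has been replaced or tampered with.
$distinct = $report | Select-Object -ExpandProperty SHA256 | Sort-Object -Unique
if (@($distinct).Count -gt 1) {
    Write-Warning "Copies of $name differ: $($distinct -join ', ')"
}

# 4. The service key is what makes the kernel load the driver; ImagePath says which file,
#    Start says when (0 = boot, 1 = system, 2 = auto, 3 = demand, 4 = disabled).
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$service"
if (Test-Path $key) {
    Get-ItemProperty -Path $key | Select-Object ImagePath, Start, Type, DisplayName, Description
} else {
    Write-Warning "No service key at $key; if the driver is loaded, something else is loading it"
}

# 5. Whether the driver is actually loaded right now, and from which path.
Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$service'" |
    Select-Object Name, State, StartMode, PathName
```

Run it from an elevated prompt so the recursive search can read the driver store. The point of steps 2 and 3 is the one Bill makes later in the thread: a familiar-looking name proves nothing, while a valid signature from the expected publisher and identical hashes across the product folder, `system32\drivers` and `DRVSTORE` are evidence that can be checked.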
 
Guest

Don't be so hard on yourself, Bill. How can anyone be expected to memorize
the millions of good and bad filenames? Add to that the fact that even
"good" files can be overwritten or injected ... the mind boggles. ;-)
 
Bill Sanderson MVP

I'm really not bothered--just tickled that Old Rebel spotted the name, and I
hadn't the foggiest. Indeed, names are not a reliable indicator of content
or safety--just another data point that may help you think about what is
really going on.

(I was thinking that the filename used would be an excellent bit of social
engineering if it was malware--I'm glad it doesn't appear to be.)

--
 