
2013 Antivirus virus and ransomware removal...need help



I just removed these viruses from my PC. I then ran Malwarebytes and the Emergency Kit scanner again in safe mode and then in normal boot mode. Both came back clean. I then ran McAfee and it was clean. All of these, to this point, had fully updated definitions. I then noticed 3 instances of twain_32.exe being run in Processes, taking up 80% CPU usage. I ran RogueKiller and it found some more trojans. No twain_32.exe is found running in Processes now. I knew something was up because the PC fans were running loud. I just want to be sure that everything is clean at this point.


Here's the DDS and Attach logs:


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.7601.17514
Run by admin at 18:30:14 on 2013-07-25
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.1.1033.18.3241.1691 [GMT -4:00]
.
AV: McAfee VirusScan Enterprise *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Host Intrusion Prevention Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\IDT\WDM\STacSV.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Imprivata\OneSign Agent\SSOManHost.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\IDT\WDM\aestsrv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Windows\dwrcs\DWRCS.EXE
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe
c:\Program Files\IBM\Lotus\Notes\SUService.exe
c:\Program Files\IBM\Lotus\Notes\nsd.exe
C:\Program Files\ManageEngine\AssetExplorer\bin\agentmonitor.exe
C:\Program Files\ManageEngine\AssetExplorer\bin\aeagent.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Microsoft\MDOP MBAM\MBAMAgent.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Windows\system32\mfevtps.exe
c:\Program Files\IBM\Lotus\Notes\ntmulti.exe
C:\Windows\system32\DRIVERS\o2flash.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Windows\system32\CCM\CcmExec.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\msiexec.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\dwrcs\DWRCST.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Imprivata\OneSign Agent\ISXAgent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\STMicroelectronics\AccelerometerP11\FF_Protection.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\Program Files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k regsvc
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
.
============== Pseudo HJT Report ===============
.

uWindow Title = Windows Internet Explorer provided by Omya
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20130117173819.dll
BHO: SSO Browser Helper Object: {A683EEA9-ECFA-45A2-BCA9-7D9D54AD58AE} - c:\program files\imprivata\onesign agent\ISXBHO.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [sysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [FreeFallProtection] c:\program files\stmicroelectronics\accelerometerp11\FF_Protection.exe
mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfee Host Intrusion Prevention Tray] "c:\program files\mcafee\host intrusion prevention\FireTray.exe"
mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iJNetworkScannerSelectorEX] c:\program files\canon\ij network scanner selector ex\CNMNSST.exe /FORCE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [DivXMediaServer] c:\program files\divx\divx media server\DivXMediaServer.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [DameWare MRC Agent] c:\windows\dwrcs\DWRCST.exe
dRun: [skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
StartupFolder: c:\users\papagdi1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: DisallowCpl = dword:1
uPolicies-Explorer: NoStartMenuMyGames = dword:1
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: disablecad = dword:1
mPolicies-System: LocalAccountTokenFilterPolicy = dword:1
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
Trusted Zone: omya.com

TCP: NameServer = 192.168.0.1
TCP: Interfaces\{09CBF180-72B5-42DA-86D8-B158449E4A97} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{09CBF180-72B5-42DA-86D8-B158449E4A97}\07279667164756530303 : DHCPNameServer = 172.26.160.35 172.25.224.31 172.25.224.33
TCP: Interfaces\{09CBF180-72B5-42DA-86D8-B158449E4A97}\275637964656E63656 : DHCPNameServer = 10.71.0.1
TCP: Interfaces\{09CBF180-72B5-42DA-86D8-B158449E4A97}\34F657274797162746D27457563747 : DHCPNameServer = 12.127.17.71 12.127.17.72
TCP: Interfaces\{09CBF180-72B5-42DA-86D8-B158449E4A97}\34F657274797162746F57455543545 : DHCPNameServer = 4.2.2.1
TCP: Interfaces\{09CBF180-72B5-42DA-86D8-B158449E4A97}\741627C616E646F505C616E647 : DHCPNameServer = 192.168.201.18 4.2.2.1
TCP: Interfaces\{09CBF180-72B5-42DA-86D8-B158449E4A97}\7457563747 : DHCPNameServer = 66.90.133.117 66.90.130.10 166.102.165.11
TCP: Interfaces\{09CBF180-72B5-42DA-86D8-B158449E4A97}\8497164747 : DHCPNameServer = 4.2.2.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
Notify: OneSign - c:\program files\imprivata\onesign agent\SGLaunch.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
mASetup: Adobe Flash Player 11 ActiveX - msiexec /fa {D01750A5-49E5-4BF4-92CC-F72F5F20DBEC} /qb!
mASetup: Adobe_ShockwavePlayer_11.6.3.633_eng - Msiexec /fou {176E6B52-9E39-4AC6-9071-746994344595} /qn
mASetup: PDFForge_PDFCreator_1-2-0_Multi - Msiexec /fu {3C8178FD-B30F-4BD0-B3D7-A23F4BAB49ED} /qb
mASetup: SAP-GUI_7-20-PL9_DELTA_MUI - c:\programdata\SAP-GUI_7-20-PL9_DELTA_MUI.vbs
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2013-1-17 461864]
R0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2013-1-17 164840]
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\drivers\stdcfltn.sys [2013-1-17 17904]
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\eek\run\a2ddax86.sys [2013-7-25 22056]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2008-3-13 26624]
R2 AESTFilters;Andrea ST Filters Service;c:\program files\idt\wdm\AEstSrv.exe [2013-1-17 81920]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;c:\program files\mcafee\host intrusion prevention\FireSvc.exe [2011-4-13 1506464]
R2 hips;McAfee HIPSCore Service;c:\program files\mcafee\host intrusion prevention\hipscore\HIPSvc.exe [2013-1-17 35696]
R2 LNSUSvc;Lotus Notes Smart Upgrade Service;c:\program files\ibm\lotus\notes\SUService.exe [2011-9-16 189832]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\program files\ibm\lotus\notes\nsd.exe [2011-9-16 4453768]
R2 ManageEngine AssetExplorer Agent;ManageEngine AssetExplorer Agent;c:\program files\manageengine\assetexplorer\bin\agentmonitor.exe [2012-1-10 299008]
R2 MBAMAgent;BitLocker Management Client Service;c:\program files\microsoft\mdop mbam\MBAMAgent.exe [2012-6-5 184616]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2012-11-27 132712]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2013-1-17 166024]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2011-9-14 209760]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2013-1-17 148520]
R2 SSOManHost;SSO Manager Host;c:\program files\imprivata\onesign agent\SSOManHost.exe [2010-8-16 79184]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\accelern.sys [2013-1-17 44144]
R3 BTHprint;Microsoft Bluetooth Printer Class;c:\windows\system32\drivers\BTHPRINT.SYS [2009-7-13 50688]
R3 BTWAMPFL;BTWAMPFL;c:\windows\system32\drivers\btwampfl.sys [2013-1-17 302120]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2013-1-17 33832]
R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2013-1-17 33832]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2008-3-14 3712]
R3 FirehkMP;FirehkMP;c:\windows\system32\drivers\firehk.sys [2013-1-17 44680]
R3 HIPK;McAfee Inc. HIPK;c:\windows\system32\drivers\HIPK.sys [2013-1-17 107928]
R3 HIPPSK;McAfee Inc. HIPPSK;c:\windows\system32\drivers\HIPPSK.sys [2013-1-17 38680]
R3 HIPQK;McAfee Inc. HIPQK;c:\windows\system32\drivers\HIPQK.sys [2013-1-17 35552]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2013-1-17 269824]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2013-1-17 180072]
R3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETwNs32.sys [2013-1-17 7434240]
R3 O2SDJRDR;O2SDJRDR;c:\windows\system32\drivers\o2sdjw7.sys [2013-1-17 63848]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 cleanhlp;cleanhlp;c:\eek\run\cleanhlp32.sys [2013-7-25 50208]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-4-11 62464]
S3 Firehk;McAfee NDIS Intermediate Filter;c:\windows\system32\drivers\firehk.sys [2013-1-17 44680]
S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2013-1-17 132480]
S3 ManageEngine AssetExplorer RemoteControl;ManageEngine AssetExplorer RemoteControl;c:\program files\manageengine\assetexplorer\remotecontrol\Service.exe [2012-1-10 282624]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2013-1-17 41088]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2013-1-17 59288]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2013-1-17 87808]
S3 O2MDFRDR;O2MDFRDR;c:\windows\system32\drivers\o2mdfw7.sys [2013-1-17 60904]
S3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\O2MDRw7.sys [2013-1-17 62440]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2011-4-11 77184]
S3 tcm;tcm;c:\windows\system32\drivers\tcm.sys [2013-1-17 12952]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2011-4-11 25600]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2011-4-11 112640]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-4-24 1343400]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2009-7-13 20480]
.
=============== Created Last 30 ================
.
2013-07-25 22:19:59 -------- d-----w- c:\users\papagdi1\appdata\local\VirtualStore
2013-07-25 22:18:57 40328 ----a-w- c:\windows\system32\HIPIS0e011b8.dll
2013-07-25 13:15:31 0 ----a-w- c:\users\papagdi1\notepad.exe
2013-07-25 13:15:29 147456 ----a-w- c:\users\papagdi1\googleupdate.exe
2013-07-25 12:33:57 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-07-25 12:33:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-07-25 04:42:44 -------- d-----w- C:\EEK
2013-07-25 04:37:21 -------- d-----w- c:\users\papagdi1\appdata\local\Skype™ 5.8
2013-07-25 04:17:19 -------- d-----w- c:\programdata\jrll
2013-07-25 03:45:23 -------- d-----w- c:\users\papagdi1\appdata\roaming\Malwarebytes
2013-07-25 03:44:52 -------- d-----w- c:\programdata\Malwarebytes
2013-07-25 03:44:29 -------- d-----w- c:\users\papagdi1\appdata\local\Programs
2013-07-25 01:19:06 -------- d-----w- c:\users\papagdi1\appdata\local\e6653d6c-00f9-49f9-b9d5-627826c3d56bad
2013-07-23 23:44:30 -------- d-----w- c:\users\papagdi1\appdata\local\Skype
2013-07-12 16:01:56 988672 ----a-w- c:\program files\windows journal\JNTFiltr.dll
2013-07-12 16:01:56 969216 ----a-w- c:\program files\windows journal\JNWDRV.dll
2013-07-12 16:01:56 936448 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
2013-07-12 16:01:56 1221632 ----a-w- c:\program files\windows journal\NBDoc.DLL
2013-07-12 16:00:18 680960 ----a-w- c:\program files\windows defender\MpSvc.dll
2013-07-12 16:00:18 392704 ----a-w- c:\program files\windows defender\MpClient.dll
2013-07-12 16:00:18 224768 ----a-w- c:\program files\windows defender\MpCommu.dll
2013-07-11 16:00:18 509440 ----a-w- c:\windows\system32\qedit.dll
2013-07-01 23:30:00 -------- d-----w- c:\program files\common files\DivX Shared
2013-07-01 23:27:38 -------- d-----w- c:\program files\DivX
2013-07-01 23:26:36 -------- d-----w- c:\programdata\DivX
.
==================== Find3M  ====================
.
2013-06-10 13:58:00 140992 ----a-w- c:\windows\system32\KevlarSigs.dll
2013-06-05 03:05:09 2347520 ----a-w- c:\windows\system32\win32k.sys
2013-05-27 05:02:03 981504 ----a-w- c:\windows\system32\wininet.dll
2013-05-27 03:20:41 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2013-05-13 04:45:55 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-05-13 04:45:55 1160192 ----a-w- c:\windows\system32\crypt32.dll
2013-05-13 04:45:55 103936 ----a-w- c:\windows\system32\cryptnet.dll
2013-05-13 03:08:10 903168 ----a-w- c:\windows\system32\certutil.exe
2013-05-13 03:08:06 43008 ----a-w- c:\windows\system32\certenc.dll
2013-05-08 05:38:00 1293672 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-05-06 05:06:47 3968872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-05-06 05:06:47 3913576 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-06 04:56:35 1620480 ----a-w- c:\windows\system32\WMVDECOD.DLL
.
=================== ROOTKIT  ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: SAMSUNG_ rev.AXM0 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x8360D000]<< >>UNKNOWN [0x8C3B6000]<< >>UNKNOWN [0x8C7DB000]<< >>UNKNOWN [0x8C9E2000]<< >>UNKNOWN [0x8C0A2000]<< >>UNKNOWN [0x83A20000]<< >>UNKNOWN [0x8C227000]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL;  }
1 ntkrnlpa!IofCallDriver[0x83643BBA] -> \Device\Harddisk0\DR0[0x87CEFAC8]
\Driver\Disk[0x87E2F7D8] -> IRP_MJ_CREATE -> 0x8C3BA39F
3 [0x8C3BA59E] -> ntkrnlpa!IofCallDriver[0x83643BBA] -> [0x87CF5860]
\Driver\stdcfltn[0x87E217D8] -> IRP_MJ_CREATE -> 0x8C9E261C
5 [0x8C9E3854] -> ntkrnlpa!IofCallDriver[0x83643BBA] -> [0x8608C950]
\Driver\ACPI[0x85E96F38] -> IRP_MJ_CREATE -> 0x8C0AB4CC
7 [0x8C0AB3D4] -> ntkrnlpa!IofCallDriver[0x83643BBA] -> \Device\Ide\IAAStorageDevice-1[0x8606A028]
\Driver\iastor[0x86079848] -> IRP_MJ_CREATE -> 0x8C24A09C
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [bP+0x0], 0x0;  }
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 18:30:36.11 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Enterprise
Boot Device: \Device\HarddiskVolume1
Install Date: 1/17/2013 6:04:49 PM
System Uptime: 7/25/2013 6:18:40 PM (0 hours ago)
.
Motherboard: Dell Inc. |  | 087HK7
Processor: Intel® Core i7-2620M CPU @ 2.70GHz | CPU 1 | 2701/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 119 GiB total, 77.18 GiB free.
D: is CDROM ()
E: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP36: 5/30/2013 9:04:39 AM - Removed AT&T Connect Participant Application v9.5.35.
RP37: 5/30/2013 9:05:17 AM - Installed AT&T Connect Participant Application v9.5.35.
RP38: 6/13/2013 12:47:07 PM - Windows Update
RP39: 7/10/2013 12:00:11 PM - Windows Update
RP40: 7/11/2013 12:00:10 PM - Windows Update
RP41: 7/12/2013 12:00:10 PM - Windows Update
RP42: 7/25/2013 9:35:27 AM - Removed Java 7 Update 7
.
==== Installed Programs ======================
.
AccelerometerP11
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.4)
Adobe Shockwave Player 11.6
AT&T Connect Participant Application v9.5.35
Canon IJ Network Scanner Selector EX
Canon IJ Network Tool
Canon MX420 series MP Drivers
Configuration Manager Client
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dell Touchpad
DHTML Editing Component
DivX Setup
ECL Viewer
Greenshot
IDT Audio
Imprivata OneSign Agent
Intel® Control Center
Intel® Processor Graphics
Juniper Networks Host Checker
Juniper Networks Network Connect 7.2.0
Juniper Networks, Inc. Setup Client
Lotus Notes 8.5.3
Malwarebytes Anti-Malware version 1.75.0.1300
ManageEngine AssetExplorer Agent
McAfee Agent
McAfee Host Intrusion Prevention
McAfee VirusScan Enterprise
MDOP MBAM
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft redistributable runtime DLLs VS2008 SP1(x86)
Microsoft Silverlight
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML4.0 redistributable
PDFCreator
SAP GUI for Windows 7.20
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft Excel 2010 (KB2597126) 32-Bit Edition
Security Update for Microsoft Filter Pack 2.0 (KB2553501) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2687422) 32-Bit Edition
Security Update for Microsoft InfoPath 2010 (KB2760406) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553447) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2597986) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687276) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687501) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition
Security Update for Microsoft OneNote 2010 (KB2760600) 32-Bit Edition
Security Update for Microsoft Publisher 2010 (KB2553147) 32-Bit Edition
Security Update for Microsoft Visio 2010 (KB2810068) 32-Bit Edition
Security Update for Microsoft Visio Viewer 2010 (KB2687505) 32-Bit Edition
Security Update for Microsoft Word 2010 (KB2760410) 32-Bit Edition
Skype™ 5.8
swMSM
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553378) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687509) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2597090) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2598240) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2589371) 32-Bit Edition
VC80CRTRedist - 8.0.50727.6195
vcredist_x86
WIDCOMM Bluetooth Software
Windows Driver Package - OMNIKEY (cxru0wdm) SmartCardReader  (04/23/2009 1.2.0.14)
XImage
.
==== Event Viewer Messages From Past Week ========
.
7/25/2013 9:34:52 AM, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {1CCB96F4-B8AD-4B43-9688-B273F58E0910}  and APPID  {AD65A69D-3831-40D7-9629-9B0B50A93843}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
7/25/2013 9:17:34 AM, Error: Service Control Manager [7034]  - The Windows Media Player Network Sharing Service service terminated unexpectedly.  It has done this 3 time(s).
7/25/2013 9:17:32 AM, Error: Service Control Manager [7031]  - The Juniper Network Connect Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
7/25/2013 9:17:11 AM, Error: Service Control Manager [7031]  - The Windows Media Player Network Sharing Service service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
7/25/2013 9:17:09 AM, Error: Microsoft-Windows-Smartcard-Server [602]  - WDM Reader driver initialization cannot open reader device:  The handle is invalid.
7/25/2013 9:17:03 AM, Error: Service Control Manager [7031]  - The Windows Media Player Network Sharing Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
7/25/2013 9:17:02 AM, Error: Service Control Manager [7031]  - The SMS Agent Host service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.
7/25/2013 9:17:01 AM, Error: Service Control Manager [7034]  - The SSO Manager Host service terminated unexpectedly.  It has done this 1 time(s).
7/25/2013 9:17:01 AM, Error: Service Control Manager [7034]  - The O2FLASH service terminated unexpectedly.  It has done this 1 time(s).
7/25/2013 9:17:01 AM, Error: Service Control Manager [7034]  - The Multi-user Cleanup Service service terminated unexpectedly.  It has done this 1 time(s).
7/25/2013 9:17:01 AM, Error: Service Control Manager [7034]  - The ManageEngine AssetExplorer Agent service terminated unexpectedly.  It has done this 1 time(s).
7/25/2013 9:17:01 AM, Error: Service Control Manager [7034]  - The Lotus Notes Smart Upgrade Service service terminated unexpectedly.  It has done this 1 time(s).
7/25/2013 9:17:01 AM, Error: Service Control Manager [7034]  - The Lotus Notes Diagnostics service terminated unexpectedly.  It has done this 1 time(s).
7/25/2013 9:17:01 AM, Error: Service Control Manager [7034]  - The DameWare Mini Remote Control service terminated unexpectedly.  It has done this 1 time(s).
7/25/2013 9:17:01 AM, Error: Service Control Manager [7034]  - The BitLocker Management Client Service service terminated unexpectedly.  It has done this 1 time(s).
7/25/2013 9:17:01 AM, Error: Service Control Manager [7034]  - The Andrea ST Filters Service service terminated unexpectedly.  It has done this 1 time(s).
7/25/2013 9:17:01 AM, Error: Service Control Manager [7034]  - The Adobe Acrobat Update Service service terminated unexpectedly.  It has done this 1 time(s).
7/25/2013 9:17:01 AM, Error: Service Control Manager [7031]  - The Bluetooth Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/25/2013 9:17:00 AM, Error: Service Control Manager [7034]  - The Audio Service service terminated unexpectedly.  It has done this 1 time(s).
7/25/2013 8:16:27 AM, Error: Service Control Manager [7001]  - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:  The dependency service or group failed to start.
7/25/2013 8:16:24 AM, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The dependency service or group failed to start.
7/25/2013 8:16:04 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  discache spldr Wanarpv6
7/25/2013 6:21:32 PM, Error: Microsoft-Windows-TerminalServices-RemoteConnectionManager [1067]  - The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted. .
7/25/2013 6:20:04 PM, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {24FF4FDC-1D9F-4195-8C79-0DA39248FF48}  and APPID  {B292921D-AF50-400C-9B75-0C57A7F29BA1}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
7/25/2013 6:19:59 PM, Error: Microsoft-Windows-GroupPolicy [1129]  - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
7/25/2013 6:18:57 PM, Error: NETLOGON [5719]  - This computer was not able to set up a secure session with a domain controller in domain EMEA due to the following:  There are currently no logon servers available to service the logon request.  This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.   ADDITIONAL INFO  If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
7/25/2013 5:58:43 PM, Error: Microsoft-Windows-Smartcard-Server [610]  - Smart Card Reader 'Broadcom Corp Contacted SmartCard 0' rejected IOCTL GET_STATE: The handle is invalid.  If this error persists, your smart card or reader may not be functioning correctly. Command Header: XX XX XX XX
7/25/2013 3:33:43 PM, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  {EE1BD859-AACD-48FE-A9B6-9358DC21ADAE}  and APPID  {AD65A69D-3831-40D7-9629-9B0B50A93843}  to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
7/25/2013 12:41:42 AM, Error: Disk [11]  - The driver detected a controller error on \Device\Harddisk1\DR4.
7/25/2013 12:35:01 AM, Error: Disk [11]  - The driver detected a controller error on \...\DR1.
7/25/2013 11:42:17 AM, Error: Service Control Manager [7001]  - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:  The dependency service or group failed to start.
7/25/2013 11:02:03 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
7/25/2013 11:02:03 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
7/25/2013 11:01:57 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
7/25/2013 11:01:57 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
7/25/2013 11:01:57 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
7/25/2013 11:01:57 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
7/25/2013 11:01:56 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/25/2013 11:01:51 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
7/25/2013 11:01:41 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
7/25/2013 11:01:40 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD CSC DfsC discache FireTDI mfehidk mfetdik NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
7/25/2013 11:01:40 AM, Error: Service Control Manager [7001]  - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
7/25/2013 11:01:40 AM, Error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
7/25/2013 11:01:40 AM, Error: Service Control Manager [7001]  - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error:  A device attached to the system is not functioning.
7/25/2013 11:01:40 AM, Error: Service Control Manager [7001]  - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
7/25/2013 11:01:40 AM, Error: Service Control Manager [7001]  - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:  The dependency service or group failed to start.
7/25/2013 11:01:40 AM, Error: Service Control Manager [7001]  - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error:  A device attached to the system is not functioning.
7/25/2013 11:01:40 AM, Error: Service Control Manager [7001]  - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
7/25/2013 11:01:40 AM, Error: Service Control Manager [7001]  - The Netlogon service depends on the Workstation service which failed to start because of the following error:  The dependency service or group failed to start.
7/25/2013 11:01:40 AM, Error: Service Control Manager [7001]  - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error:  A device attached to the system is not functioning.
7/25/2013 11:01:40 AM, Error: Service Control Manager [7001]  - The McAfee McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error:  The dependency service or group failed to start.
7/25/2013 11:01:40 AM, Error: Service Control Manager [7001]  - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error:  The dependency service or group failed to start.
7/25/2013 11:01:40 AM, Error: Service Control Manager [7001]  - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
7/25/2013 11:01:40 AM, Error: Service Control Manager [7001]  - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error:  A device attached to the system is not functioning.
7/25/2013 11:01:37 AM, Error: Microsoft-Windows-BitLocker-Driver [24636]  - Bootmgr failed to obtain the BitLocker volume master key from the TPM.
7/24/2013 9:40:36 PM, Error: Service Control Manager [7034]  - The Office Software Protection Platform service terminated unexpectedly.  It has done this 1 time(s).
7/24/2013 11:59:22 PM, Error: Service Control Manager [7031]  - The Windows Installer service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/24/2013 11:49:15 PM, Error: Service Control Manager [7034]  - The Windows Media Player Network Sharing Service service terminated unexpectedly.  It has done this 4 time(s).
7/24/2013 11:48:57 PM, Error: Service Control Manager [7031]  - The WMI Performance Adapter service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.
7/24/2013 11:48:57 PM, Error: Service Control Manager [7031]  - The Software Protection service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.
7/24/2013 11:48:56 PM, Error: Service Control Manager [7031]  - The Windows Installer service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 300000 milliseconds: Restart the service.
7/24/2013 11:46:56 PM, Error: Service Control Manager [7031]  - The WMI Performance Adapter service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/24/2013 11:46:56 PM, Error: Service Control Manager [7031]  - The Software Protection service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
7/19/2013 11:22:02 AM, Error: NETLOGON [5719]  - This computer was not able to set up a secure session with a domain controller in domain EMEA due to the following:  The RPC server is unavailable.  This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.   ADDITIONAL INFO  If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
7/19/2013 1:33:56 PM, Error: Disk [11]  - The driver detected a controller error on \Device\Harddisk2\DR5.
7/19/2013 1:27:58 PM, Error: Disk [11]  - The driver detected a controller error on \Device\Harddisk2\DR4.
.
==== End Of File ===========================
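The DDS "Event Log errors" section above is normally read by eye. As an added example (not from this thread, the DDS tool, or Malwarebytes), here is a small Python triage script for that line format: it pulls the boot-start drivers that failed to load out of SCM 7026 entries, flags the security-stack drivers among them, and groups "terminated unexpectedly" entries by second so that one shutdown is not mistaken for many separate faults. The sample lines are copied from the log above; the set of security-product driver names is an assumption based on the McAfee names that appear in this log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: lines copied from the DDS "Event Log errors" section above.
SAMPLE_LOG = """\
7/25/2013 9:17:01 AM, Error: Service Control Manager [7034]  - The Multi-user Cleanup Service service terminated unexpectedly.  It has done this 1 time(s).
7/25/2013 9:17:01 AM, Error: Service Control Manager [7034]  - The ManageEngine AssetExplorer Agent service terminated unexpectedly.  It has done this 1 time(s).
7/25/2013 9:17:01 AM, Error: Service Control Manager [7034]  - The BitLocker Management Client Service service terminated unexpectedly.  It has done this 1 time(s).
7/25/2013 9:17:01 AM, Error: Service Control Manager [7031]  - The Bluetooth Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/25/2013 9:17:00 AM, Error: Service Control Manager [7034]  - The Audio Service service terminated unexpectedly.  It has done this 1 time(s).
7/25/2013 8:16:04 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  discache spldr Wanarpv6
7/25/2013 11:01:40 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD CSC DfsC discache FireTDI mfehidk mfetdik NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
7/25/2013 11:01:40 AM, Error: Service Control Manager [7001]  - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error:  A device attached to the system is not functioning.
7/25/2013 11:01:37 AM, Error: Microsoft-Windows-BitLocker-Driver [24636]  - Bootmgr failed to obtain the BitLocker volume master key from the TPM.
"""

# One DDS event line: "M/D/YYYY H:MM:SS AM, Error: <Source> [<EventID>]  - <Message>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<eid>\d+)\]\s+-\s+(?P<msg>.*)$"
)

# Assumption: driver names belonging to the endpoint security stack, taken from the
# McAfee VirusScan / Host Intrusion Prevention names visible in this log. Not an
# official list; extend it for whatever product is installed on the machine.
SECURITY_DRIVERS = {"mfehidk", "mfetdik", "FireTDI"}


def parse_events(text):
    """Parse DDS event lines into dicts; lines that do not match the format are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
            "level": m.group("level"),
            "source": m.group("source").strip(),
            "eid": int(m.group("eid")),
            "msg": m.group("msg").strip(),
        })
    return events


def failed_boot_drivers(events):
    """Driver names from SCM 7026 entries (boot-start/system-start drivers that did not load)."""
    drivers = set()
    for e in events:
        if e["source"] == "Service Control Manager" and e["eid"] == 7026:
            _, _, names = e["msg"].partition("failed to load:")
            drivers.update(names.split())
    return sorted(drivers)


def termination_bursts(events, min_count=3):
    """Group SCM 7031/7034 'terminated unexpectedly' entries by the second they were
    logged. Many services dying in the same second is one event (a crash, a forced
    shutdown, or something killing services), not that many independent faults."""
    by_second = defaultdict(list)
    for e in events:
        if e["source"] == "Service Control Manager" and e["eid"] in (7031, 7034):
            m = re.match(r"The (.+?) service terminated unexpectedly", e["msg"])
            if m:
                by_second[e["ts"]].append(m.group(1))
    return {ts: names for ts, names in by_second.items() if len(names) >= min_count}


def triage(text):
    """Summarise a DDS event-error section for review."""
    events = parse_events(text)
    failed = failed_boot_drivers(events)
    return {
        "event_count": len(events),
        "failed_drivers": failed,
        # Security-stack drivers that failed to load deserve a second look. Here they
        # fail together with the whole network stack (AFD, NetBT, Psched ...), which is
        # consistent with the Safe Mode boot the poster describes; the same 7026 entry
        # after a normal boot would instead point at a broken or tampered driver.
        "security_drivers_failed": sorted(d for d in failed if d in SECURITY_DRIVERS),
        "termination_bursts": termination_bursts(events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```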
 


Hello maxmodder and welcome to Malwarebytes!

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.

----------Step 1----------------

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.

    Vista/Windows 7 users right-click and select Run As Administrator.

  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.

  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
----------Step 2----------------

Please download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt
----------Step 3----------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.

NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

----------Step 4----------------

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
----------Step 5----------------

In your next reply, please include the following:

  • TDSSKiller's logfile
  • MBAR mbar-log.txt and system-log.txt
  • ComboFix's report (C:\ComboFix.txt)
  • Security Check checkup.txt
After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask. :)

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Note:

Please make sure you are subscribed to this topic: Click on the "Follow This Topic" Button (at the top right of this page), make sure that the "Receive notification" box is checked and that it is set to "Instantly"

 

-------> Your topic will be closed if you haven't replied within 3 days! <--------

(If I don't respond within 24 hours, please send me a PM)

-DFB


Malwarebytes Anti-Rootkit: When I try to run this, it says "system volume seems inaccessible or encrypted. Scan can't continue."

ComboFix - Downloaded it. Saved it to the desktop. Icon says combofix. Publisher is ISFreemium. When I go to install, it asks me if I want to install all this other crap like delta tool bar and get savin. What is this junk? I didn't bother with this and stopped the install of ComboFix.

 

Here's the TDSS log.  It didn't find anything.

 

19:27:32.0136 6012  TDSS rootkit removing tool 2.8.18.0 Jun 10 2013 21:44:19
19:27:32.0682 6012  ============================================================
19:27:32.0682 6012  Current date / time: 2013/07/25 19:27:32.0682
19:27:32.0682 6012  SystemInfo:
19:27:32.0682 6012 
19:27:32.0682 6012  OS Version: 6.1.7601 ServicePack: 1.0
19:27:32.0682 6012  Product type: Workstation
19:27:32.0682 6012  ComputerName: USCIMHR9RYN1
19:27:32.0682 6012  UserName:

19:27:32.0682 6012  Windows directory: C:\Windows
19:27:32.0682 6012  System windows directory: C:\Windows
19:27:32.0682 6012  Processor architecture: Intel x86
19:27:32.0682 6012  Number of processors: 4
19:27:32.0682 6012  Page size: 0x1000
19:27:32.0682 6012  Boot type: Normal boot
19:27:32.0682 6012  ============================================================
19:27:32.0931 6012  Drive \Device\Harddisk0\DR0 - Size: 0x1DCF856000 (119.24 Gb), SectorSize: 0x200, Cylinders: 0x3CCE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
19:27:32.0931 6012  Drive \Device\Harddisk1\DR1 - Size: 0x3BA300000 (14.91 Gb), SectorSize: 0x200, Cylinders: 0x79A, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
19:27:32.0931 6012  ============================================================
19:27:32.0931 6012  \Device\Harddisk0\DR0:
19:27:32.0931 6012  MBR partitions:
19:27:32.0931 6012  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x96000
19:27:32.0931 6012  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x96800, BlocksNum 0xEDE5000
19:27:32.0931 6012  \Device\Harddisk1\DR1:
19:27:32.0931 6012  MBR partitions:
19:27:32.0931 6012  \Device\Harddisk1\DR1\Partition1: MBR, Type 0xC, StartLBA 0x20, BlocksNum 0x1DD17E0
19:27:32.0931 6012  ============================================================
19:27:32.0931 6012  C: <-> \Device\Harddisk0\DR0\Partition2
19:27:32.0931 6012  ============================================================
19:27:32.0931 6012  Initialize success
19:27:32.0931 6012  ============================================================
19:27:56.0550 4372  ============================================================
19:27:56.0550 4372  Scan started
19:27:56.0550 4372  Mode: Manual;
19:27:56.0550 4372  ============================================================
19:27:56.0690 4372  ================ Scan system memory ========================
19:27:56.0690 4372  System memory - ok
19:27:56.0690 4372  ================ Scan services =============================
19:27:56.0706 4372  1394ohci - ok
19:27:56.0706 4372  A2DDA - ok
19:27:56.0706 4372  Acceler - ok
19:27:56.0706 4372  ACPI - ok
19:27:56.0721 4372  AcpiPmi - ok
19:27:56.0721 4372  AdobeARMservice - ok
19:27:56.0721 4372  AdobeFlashPlayerUpdateSvc - ok
19:27:56.0721 4372  adp94xx - ok
19:27:56.0721 4372  adpahci - ok
19:27:56.0737 4372  adpu320 - ok
19:27:56.0737 4372  AeLookupSvc - ok
19:27:56.0737 4372  AESTFilters - ok
19:27:56.0737 4372  AFD - ok
19:27:56.0752 4372  agp440 - ok
19:27:56.0752 4372  aic78xx - ok
19:27:56.0752 4372  ALG - ok
19:27:56.0752 4372  aliide - ok
19:27:56.0752 4372  amdagp - ok
19:27:56.0768 4372  amdide - ok
19:27:56.0768 4372  AmdK8 - ok
19:27:56.0768 4372  AmdPPM - ok
19:27:56.0768 4372  amdsata - ok
19:27:56.0768 4372  amdsbs - ok
19:27:56.0768 4372  amdxata - ok
19:27:56.0784 4372  ApfiltrService - ok
19:27:56.0784 4372  AppID - ok
19:27:56.0784 4372  AppIDSvc - ok
19:27:56.0784 4372  Appinfo - ok
19:27:56.0784 4372  AppMgmt - ok
19:27:56.0799 4372  arc - ok
19:27:56.0799 4372  arcsas - ok
19:27:56.0799 4372  aspnet_state - ok
19:27:56.0799 4372  AsyncMac - ok
19:27:56.0815 4372  atapi - ok
19:27:56.0815 4372  AudioEndpointBuilder - ok
19:27:56.0815 4372  Audiosrv - ok
19:27:56.0815 4372  AxInstSV - ok
19:27:56.0830 4372  b06bdrv - ok
19:27:56.0830 4372  b57nd60x - ok
19:27:56.0830 4372  BDESVC - ok
19:27:56.0830 4372  Beep - ok
19:27:56.0830 4372  BFE - ok
19:27:56.0846 4372  BITS - ok
19:27:56.0846 4372  blbdrive - ok
19:27:56.0846 4372  bowser - ok
19:27:56.0846 4372  BrFiltLo - ok
19:27:56.0846 4372  BrFiltUp - ok
19:27:56.0862 4372  Browser - ok
19:27:56.0862 4372  Brserid - ok
19:27:56.0862 4372  BrSerWdm - ok
19:27:56.0862 4372  BrUsbMdm - ok
19:27:56.0862 4372  BrUsbSer - ok
19:27:56.0877 4372  BthEnum - ok
19:27:56.0877 4372  BTHMODEM - ok
19:27:56.0877 4372  BthPan - ok
19:27:56.0877 4372  BTHPORT - ok
19:27:56.0877 4372  BTHprint - ok
19:27:56.0893 4372  bthserv - ok
19:27:56.0893 4372  BTHUSB - ok
19:27:56.0893 4372  BTWAMPFL - ok
19:27:56.0893 4372  btwaudio - ok
19:27:56.0893 4372  btwavdt - ok
19:27:56.0908 4372  btwdins - ok
19:27:56.0908 4372  btwl2cap - ok
19:27:56.0908 4372  btwrchid - ok
19:27:56.0908 4372  CcmExec - ok
19:27:56.0908 4372  cdfs - ok
19:27:56.0924 4372  cdrom - ok
19:27:56.0924 4372  CertPropSvc - ok
19:27:56.0924 4372  circlass - ok
19:27:56.0940 4372  cleanhlp - ok
19:27:56.0940 4372  CLFS - ok
19:27:56.0940 4372  clr_optimization_v2.0.50727_32 - ok
19:27:56.0940 4372  clr_optimization_v4.0.30319_32 - ok
19:27:56.0955 4372  CmBatt - ok
19:27:56.0955 4372  cmdide - ok
19:27:56.0955 4372  CNG - ok
19:27:56.0955 4372  Compbatt - ok
19:27:56.0955 4372  CompositeBus - ok
19:27:56.0955 4372  COMSysApp - ok
19:27:56.0971 4372  crcdisk - ok
19:27:56.0971 4372  CryptSvc - ok
19:27:56.0971 4372  CSC - ok
19:27:56.0971 4372  CscService - ok
19:27:56.0971 4372  cvusbdrv - ok
19:27:56.0986 4372  dcdbas - ok
19:27:56.0986 4372  DcomLaunch - ok
19:27:56.0986 4372  defragsvc - ok
19:27:56.0986 4372  DfsC - ok
19:27:57.0002 4372  Dhcp - ok
19:27:57.0002 4372  discache - ok
19:27:57.0002 4372  Disk - ok
19:27:57.0002 4372  dmvsc - ok
19:27:57.0002 4372  Dnscache - ok
19:27:57.0018 4372  dot3svc - ok
19:27:57.0018 4372  DPS - ok
19:27:57.0018 4372  drmkaud - ok
19:27:57.0018 4372  dsNcAdpt - ok
19:27:57.0018 4372  dsNcService - ok
19:27:57.0033 4372  DwMirror - ok
19:27:57.0033 4372  dwmrcs - ok
19:27:57.0033 4372  dwvkbd - ok
19:27:57.0033 4372  DXGKrnl - ok
19:27:57.0049 4372  e1cexpress - ok
19:27:57.0049 4372  E1G60 - ok
19:27:57.0049 4372  EapHost - ok
19:27:57.0049 4372  ebdrv - ok
19:27:57.0064 4372  EFS - ok
19:27:57.0064 4372  ehRecvr - ok
19:27:57.0064 4372  ehSched - ok
19:27:57.0064 4372  elxstor - ok
19:27:57.0064 4372  enterceptAgent - ok
19:27:57.0064 4372  ErrDev - ok
19:27:57.0080 4372  EventSystem - ok
19:27:57.0080 4372  exfat - ok
19:27:57.0080 4372  fastfat - ok
19:27:57.0080 4372  Fax - ok
19:27:57.0080 4372  fdc - ok
19:27:57.0096 4372  fdPHost - ok
19:27:57.0096 4372  FDResPub - ok
19:27:57.0096 4372  FileInfo - ok
19:27:57.0096 4372  Filetrace - ok
19:27:57.0096 4372  Firehk - ok
19:27:57.0111 4372  FirehkMP - ok
19:27:57.0111 4372  firelm01 - ok
19:27:57.0111 4372  FirePM - ok
19:27:57.0111 4372  FireTDI - ok
19:27:57.0111 4372  flpydisk - ok
19:27:57.0127 4372  FltMgr - ok
19:27:57.0127 4372  FontCache - ok
19:27:57.0127 4372  FontCache3.0.0.0 - ok
19:27:57.0127 4372  FsDepends - ok
19:27:57.0127 4372  Fs_Rec - ok
19:27:57.0142 4372  fvevol - ok
19:27:57.0142 4372  gagp30kx - ok
19:27:57.0142 4372  gpsvc - ok
19:27:57.0142 4372  hcw85cir - ok
19:27:57.0142 4372  HDAudBus - ok
19:27:57.0158 4372  HidBatt - ok
19:27:57.0158 4372  HidBth - ok
19:27:57.0158 4372  HidIr - ok
19:27:57.0158 4372  hidserv - ok
19:27:57.0158 4372  HidUsb - ok
19:27:57.0174 4372  HIPK - ok
19:27:57.0174 4372  HIPPSK - ok
19:27:57.0174 4372  HIPQK - ok
19:27:57.0174 4372  hips - ok
19:27:57.0174 4372  hkmsvc - ok
19:27:57.0189 4372  HomeGroupListener - ok
19:27:57.0189 4372  HomeGroupProvider - ok
19:27:57.0189 4372  HpSAMD - ok
19:27:57.0189 4372  HTTP - ok
19:27:57.0189 4372  hwpolicy - ok
19:27:57.0189 4372  i8042prt - ok
19:27:57.0205 4372  iastor - ok
19:27:57.0205 4372  iaStorV - ok
19:27:57.0205 4372  idsvc - ok
19:27:57.0205 4372  igfx - ok
19:27:57.0220 4372  iirsp - ok
19:27:57.0220 4372  IKEEXT - ok
19:27:57.0220 4372  Impcd - ok
19:27:57.0220 4372  IntcDAud - ok
19:27:57.0236 4372  intelide - ok
19:27:57.0236 4372  intelppm - ok
19:27:57.0236 4372  IPBusEnum - ok
19:27:57.0236 4372  IpFilterDriver - ok
19:27:57.0236 4372  iphlpsvc - ok
19:27:57.0252 4372  IPMIDRV - ok
19:27:57.0252 4372  IPNAT - ok
19:27:57.0252 4372  IRENUM - ok
19:27:57.0252 4372  isapnp - ok
19:27:57.0252 4372  iScsiPrt - ok
19:27:57.0267 4372  kbdclass - ok
19:27:57.0267 4372  kbdhid - ok
19:27:57.0267 4372  KeyIso - ok
19:27:57.0267 4372  KSecDD - ok
19:27:57.0267 4372  KSecPkg - ok
19:27:57.0283 4372  KtmRm - ok
19:27:57.0283 4372  LanmanServer - ok
19:27:57.0283 4372  LanmanWorkstation - ok
19:27:57.0283 4372  lltdio - ok
19:27:57.0283 4372  lltdsvc - ok
19:27:57.0298 4372  lmhosts - ok
19:27:57.0298 4372  LNSUSvc - ok
19:27:57.0298 4372  Lotus Notes Diagnostics - ok
19:27:57.0298 4372  Lotus Notes Single Logon - ok
19:27:57.0314 4372  LSI_FC - ok
19:27:57.0314 4372  LSI_SAS - ok
19:27:57.0314 4372  LSI_SAS2 - ok
19:27:57.0314 4372  LSI_SCSI - ok
19:27:57.0330 4372  luafv - ok
19:27:57.0330 4372  ManageEngine AssetExplorer Agent - ok
19:27:57.0330 4372  ManageEngine AssetExplorer RemoteControl - ok
19:27:57.0330 4372  MBAMAgent - ok
19:27:57.0345 4372  McAfeeFramework - ok
19:27:57.0345 4372  McShield - ok
19:27:57.0345 4372  McTaskManager - ok
19:27:57.0345 4372  Mcx2Svc - ok
19:27:57.0345 4372  megasas - ok
19:27:57.0361 4372  MegaSR - ok
19:27:57.0361 4372  MEI - ok
19:27:57.0361 4372  mfeapfk - ok
19:27:57.0361 4372  mfeavfk - ok
19:27:57.0376 4372  mfeavfk01 - ok
19:27:57.0376 4372  mfebopk - ok
19:27:57.0376 4372  mfehidk - ok
19:27:57.0376 4372  mferkdet - ok
19:27:57.0376 4372  mfetdik - ok
19:27:57.0392 4372  mfevtp - ok
19:27:57.0392 4372  mfewfpk - ok
19:27:57.0392 4372  Microsoft SharePoint Workspace Audit Service - ok
19:27:57.0392 4372  MMCSS - ok
19:27:57.0392 4372  Modem - ok
19:27:57.0408 4372  monitor - ok
19:27:57.0408 4372  mouclass - ok
19:27:57.0408 4372  mouhid - ok
19:27:57.0408 4372  mountmgr - ok
19:27:57.0408 4372  mpio - ok
19:27:57.0423 4372  mpsdrv - ok
19:27:57.0423 4372  MpsSvc - ok
19:27:57.0423 4372  MRxDAV - ok
19:27:57.0423 4372  mrxsmb - ok
19:27:57.0423 4372  mrxsmb10 - ok
19:27:57.0423 4372  mrxsmb20 - ok
19:27:57.0439 4372  msahci - ok
19:27:57.0439 4372  msdsm - ok
19:27:57.0439 4372  MSDTC - ok
19:27:57.0439 4372  Msfs - ok
19:27:57.0454 4372  mshidkmdf - ok
19:27:57.0454 4372  msisadrv - ok
19:27:57.0454 4372  MSiSCSI - ok
19:27:57.0454 4372  msiserver - ok
19:27:57.0470 4372  MSKSSRV - ok
19:27:57.0470 4372  MSPCLOCK - ok
19:27:57.0470 4372  MSPQM - ok
19:27:57.0470 4372  MsRPC - ok
19:27:57.0486 4372  mssmbios - ok
19:27:57.0486 4372  MSTEE - ok
19:27:57.0486 4372  MTConfig - ok
19:27:57.0486 4372  Multi-user Cleanup Service - ok
19:27:57.0486 4372  Mup - ok
19:27:57.0501 4372  napagent - ok
19:27:57.0501 4372  NativeWifiP - ok
19:27:57.0501 4372  NDIS - ok
19:27:57.0501 4372  NdisCap - ok
19:27:57.0501 4372  NdisTapi - ok
19:27:57.0517 4372  Ndisuio - ok
19:27:57.0517 4372  NdisWan - ok
19:27:57.0517 4372  NDProxy - ok
19:27:57.0517 4372  NetBIOS - ok
19:27:57.0517 4372  NetBT - ok
19:27:57.0532 4372  Netlogon - ok
19:27:57.0532 4372  Netman - ok
19:27:57.0532 4372  NetMsmqActivator - ok
19:27:57.0532 4372  NetPipeActivator - ok
19:27:57.0548 4372  netprofm - ok
19:27:57.0548 4372  NetTcpActivator - ok
19:27:57.0548 4372  NetTcpPortSharing - ok
19:27:57.0548 4372  NETwNs32 - ok
19:27:57.0548 4372  nfrd960 - ok
19:27:57.0564 4372  NlaSvc - ok
19:27:57.0564 4372  Npfs - ok
19:27:57.0564 4372  nsi - ok
19:27:57.0564 4372  nsiproxy - ok
19:27:57.0579 4372  Ntfs - ok
19:27:57.0579 4372  Null - ok
19:27:57.0579 4372  nvraid - ok
19:27:57.0579 4372  nvstor - ok
19:27:57.0579 4372  nv_agp - ok
19:27:57.0595 4372  O2FLASH - ok
19:27:57.0595 4372  O2MDFRDR - ok
19:27:57.0595 4372  O2MDRRDR - ok
19:27:57.0595 4372  O2SDJRDR - ok
19:27:57.0610 4372  ohci1394 - ok
19:27:57.0610 4372  ose - ok
19:27:57.0610 4372  osppsvc - ok
19:27:57.0610 4372  p2pimsvc - ok
19:27:57.0610 4372  p2psvc - ok
19:27:57.0626 4372  Parport - ok
19:27:57.0626 4372  partmgr - ok
19:27:57.0626 4372  Parvdm - ok
19:27:57.0626 4372  PcaSvc - ok
19:27:57.0626 4372  pci - ok
19:27:57.0642 4372  pciide - ok
19:27:57.0642 4372  pcmcia - ok
19:27:57.0642 4372  pcw - ok
19:27:57.0642 4372  PEAUTH - ok
19:27:57.0642 4372  PeerDistSvc - ok
19:27:57.0657 4372  pla - ok
19:27:57.0657 4372  PlugPlay - ok
19:27:57.0673 4372  PNRPAutoReg - ok
19:27:57.0673 4372  PNRPsvc - ok
19:27:57.0673 4372  PolicyAgent - ok
19:27:57.0673 4372  Power - ok
19:27:57.0673 4372  PptpMiniport - ok
19:27:57.0688 4372  prepdrvr - ok
19:27:57.0688 4372  Processor - ok
19:27:57.0688 4372  ProfSvc - ok
19:27:57.0688 4372  ProtectedStorage - ok
19:27:57.0704 4372  Psched - ok
19:27:57.0704 4372  ql2300 - ok
19:27:57.0704 4372  ql40xx - ok
19:27:57.0704 4372  QWAVE - ok
19:27:57.0704 4372  QWAVEdrv - ok
19:27:57.0704 4372  RasAcd - ok
19:27:57.0720 4372  RasAgileVpn - ok
19:27:57.0720 4372  RasAuto - ok
19:27:57.0720 4372  Rasl2tp - ok
19:27:57.0720 4372  RasMan - ok
19:27:57.0735 4372  RasPppoe - ok
19:27:57.0735 4372  RasSstp - ok
19:27:57.0735 4372  rdbss - ok
19:27:57.0735 4372  rdpbus - ok
19:27:57.0735 4372  RDPCDD - ok
19:27:57.0751 4372  RDPDR - ok
19:27:57.0751 4372  RDPENCDD - ok
19:27:57.0751 4372  RDPREFMP - ok
19:27:57.0751 4372  RdpVideoMiniport - ok
19:27:57.0766 4372  RDPWD - ok
19:27:57.0766 4372  rdyboost - ok
19:27:57.0766 4372  RemoteAccess - ok
19:27:57.0766 4372  RemoteRegistry - ok
19:27:57.0766 4372  RFCOMM - ok
19:27:57.0782 4372  RpcEptMapper - ok
19:27:57.0782 4372  RpcLocator - ok
19:27:57.0782 4372  RpcSs - ok
19:27:57.0782 4372  rspndr - ok
19:27:57.0798 4372  s3cap - ok
19:27:57.0798 4372  SamSs - ok
19:27:57.0798 4372  sbp2port - ok
19:27:57.0798 4372  SCardSvr - ok
19:27:57.0798 4372  scfilter - ok
19:27:57.0813 4372  Schedule - ok
19:27:57.0813 4372  SCPolicySvc - ok
19:27:57.0813 4372  SDRSVC - ok
19:27:57.0813 4372  secdrv - ok
19:27:57.0813 4372  seclogon - ok
19:27:57.0829 4372  SENS - ok
19:27:57.0829 4372  SensrSvc - ok
19:27:57.0829 4372  Serenum - ok
19:27:57.0829 4372  Serial - ok
19:27:57.0844 4372  sermouse - ok
19:27:57.0844 4372  SessionEnv - ok
19:27:57.0844 4372  sffdisk - ok
19:27:57.0844 4372  sffp_mmc - ok
19:27:57.0860 4372  sffp_sd - ok
19:27:57.0860 4372  sfloppy - ok
19:27:57.0860 4372  SharedAccess - ok
19:27:57.0860 4372  ShellHWDetection - ok
19:27:57.0860 4372  sisagp - ok
19:27:57.0876 4372  SiSRaid2 - ok
19:27:57.0876 4372  SiSRaid4 - ok
19:27:57.0876 4372  Smb - ok
19:27:57.0876 4372  smstsmgr - ok
19:27:57.0891 4372  SNMPTRAP - ok
19:27:57.0891 4372  spldr - ok
19:27:57.0891 4372  Spooler - ok
19:27:57.0891 4372  sppsvc - ok
19:27:57.0907 4372  sppuinotify - ok
19:27:57.0907 4372  srv - ok
19:27:57.0907 4372  srv2 - ok
19:27:57.0907 4372  srvnet - ok
19:27:57.0907 4372  SSDPSRV - ok
19:27:57.0922 4372  SSOManHost - ok
19:27:57.0922 4372  SstpSvc - ok
19:27:57.0922 4372  STacSV - ok
19:27:57.0922 4372  stdcfltn - ok
19:27:57.0938 4372  stexstor - ok
19:27:57.0938 4372  STHDA - ok
19:27:57.0938 4372  StiSvc - ok
19:27:57.0954 4372  storflt - ok
19:27:57.0954 4372  StorSvc - ok
19:27:57.0954 4372  storvsc - ok
19:27:57.0954 4372  swenum - ok
19:27:57.0954 4372  swprv - ok
19:27:57.0969 4372  Synth3dVsc - ok
19:27:57.0969 4372  SysMain - ok
19:27:57.0969 4372  TabletInputService - ok
19:27:57.0969 4372  TapiSrv - ok
19:27:57.0985 4372  TBS - ok
19:27:57.0985 4372  tcm - ok
19:27:57.0985 4372  Tcpip - ok
19:27:57.0985 4372  TCPIP6 - ok
19:27:57.0985 4372  tcpipreg - ok
19:27:58.0000 4372  TDPIPE - ok
19:27:58.0000 4372  TDTCP - ok
19:27:58.0000 4372  tdx - ok
19:27:58.0016 4372  TermDD - ok
19:27:58.0016 4372  terminpt - ok
19:27:58.0016 4372  TermService - ok
19:27:58.0016 4372  Themes - ok
19:27:58.0016 4372  THREADORDER - ok
19:27:58.0032 4372  TPM - ok
19:27:58.0032 4372  TrkWks - ok
19:27:58.0032 4372  TrustedInstaller - ok
19:27:58.0032 4372  tssecsrv - ok
19:27:58.0047 4372  TsUsbFlt - ok
19:27:58.0047 4372  TsUsbGD - ok
19:27:58.0047 4372  tsusbhub - ok
19:27:58.0047 4372  tunnel - ok
19:27:58.0047 4372  uagp35 - ok
19:27:58.0063 4372  udfs - ok
19:27:58.0063 4372  UI0Detect - ok
19:27:58.0063 4372  uliagpkx - ok
19:27:58.0078 4372  umbus - ok
19:27:58.0078 4372  UmPass - ok
19:27:58.0078 4372  UmRdpService - ok
19:27:58.0078 4372  upnphost - ok
19:27:58.0078 4372  usbccgp - ok
19:27:58.0094 4372  usbcir - ok
19:27:58.0094 4372  usbehci - ok
19:27:58.0094 4372  usbhub - ok
19:27:58.0094 4372  usbohci - ok
19:27:58.0110 4372  usbprint - ok
19:27:58.0110 4372  USBSTOR - ok
19:27:58.0110 4372  usbuhci - ok
19:27:58.0110 4372  usbvideo - ok
19:27:58.0110 4372  UxSms - ok
19:27:58.0125 4372  VaultSvc - ok
19:27:58.0125 4372  vdrvroot - ok
19:27:58.0125 4372  vds - ok
19:27:58.0125 4372  vga - ok
19:27:58.0141 4372  VgaSave - ok
19:27:58.0141 4372  VGPU - ok
19:27:58.0141 4372  vhdmp - ok
19:27:58.0141 4372  viaagp - ok
19:27:58.0141 4372  ViaC7 - ok
19:27:58.0156 4372  viaide - ok
19:27:58.0156 4372  vmbus - ok
19:27:58.0156 4372  VMBusHID - ok
19:27:58.0156 4372  volmgr - ok
19:27:58.0156 4372  volmgrx - ok
19:27:58.0172 4372  volsnap - ok
19:27:58.0172 4372  vsmraid - ok
19:27:58.0172 4372  VSS - ok
19:27:58.0172 4372  vwifibus - ok
19:27:58.0188 4372  vwififlt - ok
19:27:58.0188 4372  vwifimp - ok
19:27:58.0188 4372  W32Time - ok
19:27:58.0188 4372  WacomPen - ok
19:27:58.0203 4372  WANARP - ok
19:27:58.0203 4372  Wanarpv6 - ok
19:27:58.0203 4372  WatAdminSvc - ok
19:27:58.0203 4372  wbengine - ok
19:27:58.0219 4372  WbioSrvc - ok
19:27:58.0219 4372  wcncsvc - ok
19:27:58.0219 4372  WcsPlugInService - ok
19:27:58.0219 4372  Wd - ok
19:27:58.0234 4372  Wdf01000 - ok
19:27:58.0234 4372  WdiServiceHost - ok
19:27:58.0234 4372  WdiSystemHost - ok
19:27:58.0234 4372  WebClient - ok
19:27:58.0234 4372  Wecsvc - ok
19:27:58.0250 4372  wercplsupport - ok
19:27:58.0250 4372  WerSvc - ok
19:27:58.0250 4372  WfpLwf - ok
19:27:58.0250 4372  WIMMount - ok
19:27:58.0266 4372  WinDefend - ok
19:27:58.0266 4372  WinHttpAutoProxySvc - ok
19:27:58.0266 4372  Winmgmt - ok
19:27:58.0281 4372  WinRM - ok
19:27:58.0281 4372  WinUsb - ok
19:27:58.0281 4372  Wlansvc - ok
19:27:58.0297 4372  WmiAcpi - ok
19:27:58.0297 4372  wmiApSrv - ok
19:27:58.0297 4372  WMPNetworkSvc - ok
19:27:58.0297 4372  WPCSvc - ok
19:27:58.0312 4372  WPDBusEnum - ok
19:27:58.0312 4372  ws2ifsl - ok
19:27:58.0312 4372  wscsvc - ok
19:27:58.0312 4372  WSDPrintDevice - ok
19:27:58.0328 4372  WSDScan - ok
19:27:58.0328 4372  WSearch - ok
19:27:58.0328 4372  wuauserv - ok
19:27:58.0328 4372  WudfPf - ok
19:27:58.0344 4372  WUDFRd - ok
19:27:58.0344 4372  wudfsvc - ok
19:27:58.0344 4372  WwanSvc - ok
19:27:58.0359 4372  ================ Scan global ===============================
19:27:58.0359 4372  [Global] - ok
19:27:58.0359 4372  ================ Scan MBR ==================================
19:27:58.0359 4372  [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
19:27:58.0468 4372  \Device\Harddisk0\DR0 - ok
19:27:58.0468 4372  [ 5FB38429D5D77768867C76DCBDB35194 ] \Device\Harddisk1\DR1
19:27:58.0484 4372  \Device\Harddisk1\DR1 - ok
19:27:58.0484 4372  ================ Scan VBR ==================================
19:27:58.0484 4372  [ D67BBAFBEBA5ADBE3DA700689EE183BB ] \Device\Harddisk0\DR0\Partition1
19:27:58.0484 4372  \Device\Harddisk0\DR0\Partition1 - ok
19:27:58.0484 4372  [ 09C34A4301AD1B05BBE1A23535D078BE ] \Device\Harddisk0\DR0\Partition2
19:27:58.0484 4372  \Device\Harddisk0\DR0\Partition2 - ok
19:27:58.0500 4372  [ 9BFD1BDFEBECFEFA305C9F22C162492B ] \Device\Harddisk1\DR1\Partition1
19:27:58.0500 4372  \Device\Harddisk1\DR1\Partition1 - ok
19:27:58.0500 4372  ============================================================
19:27:58.0500 4372  Scan finished
19:27:58.0500 4372  ============================================================
19:27:58.0500 4308  Detected object count: 0
19:27:58.0500 4308  Actual detected object count: 0
19:28:13.0101 3816  Deinitialize success
 

Here's the log from MBAR:

 

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.07.25.06

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
papagdi1 :: USCIMHR9RYN1 [administrator]

7/25/2013 7:31:25 PM
mbar-log-2013-07-25 (19-31-25).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 0
Time elapsed: 8 second(s) [aborted]

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

Here's the Security Check:

 

 Results of screen317's Security Check version 0.99.71 
 Windows 7 Service Pack 1 x86 (UAC is enabled) 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
McAfee VirusScan Enterprise  
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Adobe Reader 10.1.4 Adobe Reader out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
 McAfee VirusScan Enterprise vstskmgr.exe 
 McAfee VirusScan Enterprise mfeann.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 11% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 

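Two things in the logs above are worth checking with a script rather than by eye: the TDSSKiller run lists every service, the MBR and each VBR with a status and an MD5, and the MBAR run reports "Objects scanned: 0" with "Time elapsed: 8 second(s) [aborted]", which means that scan produced no evidence either way. The following is an added example, not code from the thread or from either vendor: it parses the two log formats as posted, flags any TDSSKiller entry whose status is not "ok", records the MBR/VBR hashes so a later run can be diffed against them, and marks the MBAR result as inconclusive. The sample text is constructed from the posted logs; the "warning" line and the altered hash in the second run are hypothetical, added only to exercise the checks.

```python
"""Triage helper for TDSSKiller and Malwarebytes Anti-Rootkit (MBAR) text logs."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample modelled on the TDSSKiller output in the post. The MBR/VBR hashes are
# the ones shown there; the "warning" line is hypothetical and only exercises the parser.
TDSS_LOG = r"""
19:27:58.0344 4372  wudfsvc - ok
19:27:58.0344 4372  WwanSvc - ok
19:27:58.0344 4372  exampleSvc ( LockedFile.Multi.Generic ) - warning
19:27:58.0359 4372  ================ Scan global ===============================
19:27:58.0359 4372  [Global] - ok
19:27:58.0359 4372  ================ Scan MBR ==================================
19:27:58.0359 4372  [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
19:27:58.0468 4372  \Device\Harddisk0\DR0 - ok
19:27:58.0484 4372  ================ Scan VBR ==================================
19:27:58.0484 4372  [ D67BBAFBEBA5ADBE3DA700689EE183BB ] \Device\Harddisk0\DR0\Partition1
19:27:58.0484 4372  \Device\Harddisk0\DR0\Partition1 - ok
19:27:58.0500 4308  Detected object count: 0
"""

# Constructed sample modelled on the MBAR log in the post (aborted quick scan, nothing scanned).
MBAR_LOG = """\
Malwarebytes Anti-Rootkit BETA 1.06.0.1004
Scan type: Quick scan
Objects scanned: 0
Time elapsed: 8 second(s) [aborted]

Memory Processes Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
"""

# "<time> <pid>  <object> - <status>"; anything whose status is not "ok" gets reviewed.
STATUS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+(?P<obj>.+?)\s+-\s+(?P<status>\w+)\s*$")
# "<time> <pid>  [ <MD5> ] \Device\..." lines carry the MBR/VBR hash for a device or partition.
HASH_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+\[ (?P<hash>[0-9A-F]{32}) \] (?P<dev>\\Device\\\S+)\s*$")
COUNT_RE = re.compile(r"\bDetected object count: (\d+)")


@dataclass
class TdssReport:
    not_ok: list = field(default_factory=list)       # (object, status) for every non-"ok" entry
    boot_hashes: dict = field(default_factory=dict)  # device -> MD5 of its MBR/VBR
    detected: Optional[int] = None                   # TDSSKiller's own "Detected object count"

    @property
    def clean(self) -> bool:
        return not self.not_ok and self.detected == 0


def parse_tdsskiller(text: str) -> TdssReport:
    rep = TdssReport()
    for line in text.splitlines():
        m = HASH_RE.match(line)
        if m:
            rep.boot_hashes[m.group("dev")] = m.group("hash")
            continue
        m = COUNT_RE.search(line)
        if m and rep.detected is None:   # first count only; "Actual detected ..." is lowercase
            rep.detected = int(m.group(1))
            continue
        m = STATUS_RE.match(line)
        if m and m.group("status") != "ok":
            rep.not_ok.append((m.group("obj"), m.group("status")))
    return rep


def assess_mbar(text: str) -> dict:
    """An MBAR run that was aborted or scanned nothing is not evidence of a clean system."""
    scanned, aborted, detected = None, False, 0
    for line in text.splitlines():
        if line.startswith("Objects scanned:"):
            scanned = int(line.split(":", 1)[1])
        elif line.startswith("Time elapsed:"):
            aborted = "[aborted]" in line
        else:
            m = re.match(r"^.+ Detected: (\d+)$", line)
            if m:
                detected += int(m.group(1))
    return {"objects_scanned": scanned, "aborted": aborted, "detected": detected,
            "conclusive": bool(scanned) and not aborted}


def compare_boot_hashes(baseline: dict, current: dict) -> dict:
    """Devices whose MBR/VBR MD5 differs between two TDSSKiller runs. A boot sector that
    changed after cleanup deserves a look even when both runs report '- ok'."""
    return {dev: (baseline[dev], current[dev])
            for dev in baseline if dev in current and baseline[dev] != current[dev]}


if __name__ == "__main__":
    t = parse_tdsskiller(TDSS_LOG)
    print("TDSSKiller entries to review:", t.not_ok, "| clean:", t.clean)
    print("MBAR:", assess_mbar(MBAR_LOG))
    # Hypothetical second run in which the MBR hash of disk 0 changed.
    later = dict(t.boot_hashes, **{r"\Device\Harddisk0\DR0": "0" * 32})
    print("changed boot sectors:", compare_boot_hashes(t.boot_hashes, later))
```

Run it against the saved TDSSKiller log from before cleanup and again after: the status check catches anything TDSSKiller did not mark "ok", and `compare_boot_hashes` shows whether the MBR or a VBR was rewritten in between. For the MBAR log, `conclusive` is False here because the scan was aborted after scanning nothing, so the "0 detected" counters below it should not be read as a clean result until MBAR is re-run to completion.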

I downloaded it from the link that was provided. It wasn't the right file, and the link provided is not a direct link to the download.  I went to majorgeeks.com and found a legit copy.  I can't run it, however, because I need a password for McAfee 8.8 and I do not have the password.  Is there a way to disable the virus scanner within the process in Windows Task Manager?  Which processes do I stop?  Firetray.exe and Mctray.exe?  It cannot be disabled by the conventional method because the user interface is locked and I do not have the password.


Yeah, it would be best to reinstall it when you're all clean, and it shouldn't be a problem.

As of now I don't see anything being picked up by the scans you've run so far; ComboFix should give me some more insight as to what might still be on your system.


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
