Started getting a series of emails from our ISP (Qwest/CenturyLink) that I initially thought was spam until I Googled the messages and correlated the emails with increasing symptoms on the wife's laptop. Email message indicates the following activity (multiple emails received from September 10 - 14):

The date, time (GMT) and IP addresses identified in our investigation are as follows:

Date IP Additional Info

=================== =============== =======================================================

2011-09-13 01:53:56 184.98.79.131 infection => 'torpig', detail => 'srcport 59103 destaddr 91.20.201.214'

2011-09-13 02:22:22 184.98.79.131 infection => 'torpig', detail => 'srcport 49164 destaddr 91.20.201.214'

2011-09-13 02:30:50 184.98.79.131 infection => 'torpig', detail => 'srcport 49160 destaddr 91.20.201.214'

2011-09-13 23:32:34 184.98.79.131 infection => 'torpig', detail => 'srcport 49160 destaddr 91.19.40.39'

2011-09-12 02:32:43 184.98.79.131 infection => 'mebrootTorpig', subtype => 'torpig', port => '51416', cc => 91.20.201.127 , cc_port => '80', type => 'tcp', agent => '5C97FBC381551E57', url => '91.20.201.127', count => '1', sourceSummary => 'Drone Report'

2011-09-12 02:32:43 184.98.79.131 infection => 'mebrootTorpig', subtype => 'torpig', port => '51416', cc => 91.20.201.127 , cc_port => '80', type => 'tcp', agent => '5C97FBC381551E57', url => '91.20.201.127', count => '1', sourceSummary => 'Drone Report'

The wife is reporting browser redirects, IE8 has all but stopped working, random reboots, etc. I have not noticed any untoward activity on my laptop. I began following instructions from the "I'm Infected - what to do next" thread - was hoping someone could hold my hand as to how to remove the infection and suggest steps to mitigate damage caused?

  • How do I know which computer is hosting the infection?
  • Does she need to go through and reset passwords for all web activity (email account, banking, credit cards, etc.?)
  • If her laptop is the infected item, do I need to be concerned with any sniffing activity that could capture any information I transmitted via my laptop?
  • Do I need to capture/report log information for my laptop here (in the thread) as well or target repair of the symptomatic computer for now?

I ran a quick scan on my laptop, MBAM log had no negative results; hers, however, had several and is shown below. Thank you in advance for any information you can share:

MBAM log from her laptop:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7794

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

9/24/2011 10:07:08 PM

mbam-log-2011-09-24 (22-07-01).txt

Scan type: Quick scan

Objects scanned: 164043

Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 14

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvCplDaemonTool (Trojan.Agent.WIMP) -> Value: NvCplDaemonTool -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

c:\Users\kelly mcdaniel\AppData\Roaming\personal internet security 2011 (Rogue.PersonalInternetSecurity) -> No action taken.

Files Infected:

c:\Users\kelly mcdaniel\AppData\Local\Temp\0.29312440629647774.exe (Trojan.Agent) -> No action taken.

c:\Users\kelly mcdaniel\AppData\Local\Temp\1b460 (Trojan.Agent) -> No action taken.

c:\Users\kelly mcdaniel\AppData\Local\Temp\20444 (Trojan.Agent) -> No action taken.

c:\Users\kelly mcdaniel\AppData\Local\Temp\24162 (Trojan.Agent) -> No action taken.

c:\Users\kelly mcdaniel\AppData\Local\Temp\894e81ae (Trojan.Agent) -> No action taken.

c:\Users\kelly mcdaniel\AppData\Local\Temp\installmanager.exe (Adware.Agent) -> No action taken.

c:\Users\kelly mcdaniel\AppData\Roaming\microsoft\internet explorer\quick launch\personal internet security 2011.lnk (Rogue.PersonalInternetSecurity) -> No action taken.

c:\Users\kelly mcdaniel\AppData\Roaming\microsoft\Windows\start menu\Programs\personal internet security 2011.lnk (Rogue.PersonalInternetSecurity) -> No action taken.

c:\Users\kelly mcdaniel\AppData\Roaming\microsoft\Windows\start menu\personal internet security 2011.lnk (Rogue.PersonalInternetSecurity) -> No action taken.

c:\Users\kelly mcdaniel\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> No action taken.

c:\Users\kelly mcdaniel\AppData\Local\Temp\0.312058609959562.exe (Exploit.Drop.2) -> No action taken.

c:\Users\kelly mcdaniel\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\scancdiskcd24.dll (Trojan.Agent) -> No action taken.

c:\Users\kelly mcdaniel\eoloadk69.dll (Trojan.Agent.WIMP) -> No action taken.

c:\Users\kelly mcdaniel\AppData\Roaming\personal internet security 2011\instructions.ini (Rogue.PersonalInternetSecurity) -> No action taken.

DDS log from said laptop:

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.7600.16385

Run by Kelly McDaniel at 22:36:31 on 2011-09-24

Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2037.1326 [GMT -7:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe

C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

C:\Windows\system32\DllHost.exe

C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskhost.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\Sony\VAIO Care\VAIOCareService.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Sony\ISB Utility\ISBMgr.exe

C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Sony\SmartWi Connection Utility\CCP.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Sony\SmartWi Connection Utility\ThirdPartyAppMgr.exe

C:\Program Files\Sony\SmartWi Connection Utility\PowerManager.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Sony\SmartWi Connection Utility\SmartWi.exe

C:\Program Files\Sony\VAIO Care\VCsystray.exe

C:\Program Files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe

C:\Program Files\Sony\VAIO Update 5\VAIOUpdt.exe

c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe

C:\Windows\system32\SearchProtocolHost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearch Bar = Preserve

mDefault_Page_URL = hxxp://www.google.com/webhp?rlz=1W1SNNS&brand=SNNS

mStart Page = hxxp://www.google.com/webhp?rlz=1W1SNNS&brand=SNNS

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10c.exe

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [smartWiHelper] "c:\program files\sony\smartwi connection utility\SmartWiHelper.exe" /WindowsStartup

mRun: [iSBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"

mRun: [PMBVolumeWatcher] c:\program files\sony\pmb\PMBVolumeWatcher.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

Trusted Zone: azdhs.gov\vpn

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {B8E73359-3422-4384-8D27-4EA1B4C01232} - hxxps://vpn.azdhs.gov/+CSCOL+/cscopf.cab

DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework//microsoft/wrc32.ocx

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {E34F52FE-7769-46CE-8F8B-5E8ABAD2E9FC} - hxxps://vpn.azdhs.gov/CACHE/sdesktop/install/binaries/instweb.cab

DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} - hxxps://vpn.azdhs.gov/CACHE/sdesktop/install/binaries/instweb.cab

TCP: DhcpNameServer = 192.168.0.1 205.171.3.25

TCP: Interfaces\{2BC59591-D1AC-4406-8AD0-EA1F256FE4A8} : DhcpNameServer = 68.111.16.25 68.111.16.30

TCP: Interfaces\{F67C66F2-DD0C-49D4-B906-B177FAA39C39} : DhcpNameServer = 192.168.0.1 205.171.3.25

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Notify: igfxcui - igfxdev.dll

Notify: VESWinlogon - VESWinlogon.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]

R1 MpKsl05508c7b;MpKsl05508c7b;c:\programdata\microsoft\microsoft antimalware\definition updates\{a9340a0f-8c8a-4170-bc5e-b74013d93266}\MpKsl05508c7b.sys [2011-9-24 28752]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]

R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\sony\pmb\PMBDeviceInfoProvider.exe [2009-10-24 360224]

R2 VCFw;VAIO Content Folder Watcher;c:\program files\common files\sony shared\vaio content folder watcher\VCFw.exe [2009-9-14 642416]

R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2010-3-28 130672]

R3 JME;JMicron Ethernet Adapter NDIS6.20 Driver;c:\windows\system32\drivers\JME.sys [2009-12-16 92272]

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]

R3 netr28;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\drivers\netr28.sys [2010-6-28 789856]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 65024]

R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2011-4-27 208944]

R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2009-12-2 9344]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-30 135664]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-12-28 43944]

S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-6-30 29472]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-30 135664]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 SampleCollector;Intel® Sample Collector;c:\program files\sony\vaio care\collsvc.exe [2010-6-30 122880]

S3 SOHCImp;VAIO Media plus Content Importer;c:\program files\common files\sony shared\sohlib\SOHCImp.exe [2010-6-30 120104]

S3 SOHDBSvr;VAIO Media plus Database Manager;c:\program files\common files\sony shared\sohlib\SOHDBSvr.exe [2010-6-30 70952]

S3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\common files\sony shared\sohlib\SOHDms.exe [2010-6-30 427304]

S3 SOHDs;VAIO Media plus Device Searcher;c:\program files\common files\sony shared\sohlib\SOHDs.exe [2010-6-30 75048]

S3 SOHPlMgr;VAIO Media plus Playlist Manager;c:\program files\common files\sony shared\sohlib\SOHPlMgr.exe [2010-6-30 91432]

S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 VAIO Power Management;VAIO Power Management;c:\program files\sony\vaio power management\SPMService.exe [2010-6-30 513392]

S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\sony\vcm intelligent analyzing manager\VcmIAlzMgr.exe [2010-6-30 480624]

S3 VcmINSMgr;VAIO Content Metadata Intelligent Network Service Manager;c:\program files\sony\vcm intelligent network service manager\VcmINSMgr.exe [2010-6-30 361840]

S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\common files\sony shared\vcmxml\VcmXmlIfHelper.exe [2010-6-30 83312]

S3 VUAgent;VUAgent;c:\program files\sony\vaio update 5\VUAgent.exe [2010-12-25 792976]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-12-27 1343400]

.

=============== Created Last 30 ================

.

2011-09-25 05:18:59 439632 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{2c1e2fe6-175b-4054-b25b-1a663afe0071}\gapaengine.dll

2011-09-25 05:18:59 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a9340a0f-8c8a-4170-bc5e-b74013d93266}\MpKsl05508c7b.sys

2011-09-25 05:18:49 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a9340a0f-8c8a-4170-bc5e-b74013d93266}\offreg.dll

2011-09-25 05:18:44 7269712 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a9340a0f-8c8a-4170-bc5e-b74013d93266}\mpengine.dll

2011-09-25 05:13:53 -------- d-----w- c:\program files\Microsoft Security Client

2011-09-25 05:13:32 240008 ----a-w- c:\windows\system32\drivers\netio.sys

2011-09-25 05:01:32 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-23 23:30:42 7269712 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c516e349-28de-40c5-82be-3e596e4ea210}\mpengine.dll

.

==================== Find3M ====================

.

2011-07-22 04:56:17 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2011-07-16 04:37:32 169984 ----a-w- c:\windows\system32\winsrv.dll

2011-07-16 04:34:28 290816 ----a-w- c:\windows\system32\KernelBase.dll

2011-07-16 04:31:12 271360 ----a-w- c:\windows\system32\conhost.exe

2011-07-16 02:21:47 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll

2011-07-16 02:21:47 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll

2011-07-16 02:21:47 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll

2011-07-16 02:21:47 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll

2011-07-09 04:30:52 2048 ----a-w- c:\windows\system32\tzres.dll

2011-07-09 02:26:10 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

.

============= FINISH: 22:38:03.57 ===============


Hello and :welcome:

Let's first do a scan for Mebroot here.

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.

Close out all other open programs and windows.

Double click the file to run it and follow any prompts.

If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.

Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt!

When it completes, a log will open.

Please post the contents of that log.

*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.

Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.

Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt!

When it completes, a log will open.

Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).


Thank you Elise - unfortunately, the program stops upon execution: blue window that says "This tool is not compatible with your system. Press any key to continue..." Upon pressing a key, the window closes and appears to do nothing. I'm then prompted by Windows as to whether the program installed successfully or attempt to reinstall the program. :huh:


In that case, do the following; that should detect it as well if present.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Thank you, Elise - results from the TDSS log are as follows:

12:15:22.0720 4840 TDSS rootkit removing tool 2.6.0.0 Sep 23 2011 07:42:37

12:15:22.0752 4840 ============================================================

12:15:22.0752 4840 Current date / time: 2011/09/25 12:15:22.0752

12:15:22.0752 4840 SystemInfo:

12:15:22.0752 4840

12:15:22.0752 4840 OS Version: 6.1.7600 ServicePack: 0.0

12:15:22.0752 4840 Product type: Workstation

12:15:22.0752 4840 ComputerName: KELLYMCDANIEL

12:15:22.0752 4840 UserName: Kelly McDaniel

12:15:22.0752 4840 Windows directory: C:\Windows

12:15:22.0752 4840 System windows directory: C:\Windows

12:15:22.0752 4840 Processor architecture: Intel x86

12:15:22.0752 4840 Number of processors: 2

12:15:22.0752 4840 Page size: 0x1000

12:15:22.0752 4840 Boot type: Normal boot

12:15:22.0752 4840 ============================================================

12:15:25.0107 4840 Initialize success

12:15:39.0849 0112 ============================================================

12:15:39.0849 0112 Scan started

12:15:39.0849 0112 Mode: Manual;

12:15:39.0849 0112 ============================================================


12:15:46.0245 0112 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\drivers\flpydisk.sys

12:15:46.0245 0112 flpydisk - ok

12:15:46.0292 0112 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys

12:15:46.0308 0112 FltMgr - ok

12:15:46.0354 0112 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys

12:15:46.0354 0112 FsDepends - ok

12:15:46.0401 0112 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys

12:15:46.0401 0112 Fs_Rec - ok

12:15:46.0448 0112 fvevol (5592f5dba26282d24d2b080eb438a4d7) C:\Windows\system32\DRIVERS\fvevol.sys

12:15:46.0448 0112 fvevol - ok

12:15:46.0542 0112 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\drivers\gagp30kx.sys

12:15:46.0542 0112 gagp30kx - ok

12:15:46.0713 0112 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys

12:15:46.0713 0112 hcw85cir - ok

12:15:46.0776 0112 HdAudAddService (3530cad25deba7dc7de8bb51632cbc5f) C:\Windows\system32\drivers\HdAudio.sys

12:15:46.0791 0112 HdAudAddService - ok

12:15:46.0854 0112 HDAudBus (717a2207fd6f13ad3e664c7d5a43c7bf) C:\Windows\system32\drivers\HDAudBus.sys

12:15:46.0869 0112 HDAudBus - ok

12:15:46.0932 0112 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\drivers\HidBatt.sys

12:15:46.0947 0112 HidBatt - ok

12:15:46.0994 0112 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\drivers\hidbth.sys

12:15:46.0994 0112 HidBth - ok

12:15:47.0056 0112 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\drivers\hidir.sys

12:15:47.0056 0112 HidIr - ok

12:15:47.0134 0112 HidUsb (25072fb35ac90b25f9e4e3bacf774102) C:\Windows\system32\drivers\hidusb.sys

12:15:47.0134 0112 HidUsb - ok

12:15:47.0259 0112 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\drivers\HpSAMD.sys

12:15:47.0259 0112 HpSAMD - ok

12:15:47.0337 0112 HTTP (c531c7fd9e8b62021112787c4e2c5a5a) C:\Windows\system32\drivers\HTTP.sys

12:15:47.0337 0112 HTTP - ok

12:15:47.0384 0112 hwpolicy (8305f33cde89ad6c7a0763ed0b5a8d42) C:\Windows\system32\drivers\hwpolicy.sys

12:15:47.0384 0112 hwpolicy - ok

12:15:47.0462 0112 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\drivers\i8042prt.sys

12:15:47.0478 0112 i8042prt - ok

12:15:47.0618 0112 iaStorV (934af4d7c5f457b9f0743f4299b77b67) C:\Windows\system32\drivers\iaStorV.sys

12:15:47.0618 0112 iaStorV - ok

12:15:47.0790 0112 igfx (d0074897c6bc132f3980ea4654bf7fb9) C:\Windows\system32\DRIVERS\igdkmd32.sys

12:15:47.0961 0112 igfx - ok

12:15:48.0039 0112 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\drivers\iirsp.sys

12:15:48.0039 0112 iirsp - ok

12:15:48.0258 0112 IntcAzAudAddService (0b7e398549acec7a6f8bd755c2ce40b5) C:\Windows\system32\drivers\RTKVHDA.sys

12:15:48.0367 0112 IntcAzAudAddService - ok

12:15:48.0429 0112 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\drivers\intelide.sys

12:15:48.0429 0112 intelide - ok

12:15:48.0476 0112 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\drivers\intelppm.sys

12:15:48.0476 0112 intelppm - ok

12:15:48.0538 0112 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys

12:15:48.0538 0112 IpFilterDriver - ok

12:15:48.0632 0112 IPMIDRV (e4454b6c37d7ffd5649611f6496308a7) C:\Windows\system32\drivers\IPMIDrv.sys

12:15:48.0632 0112 IPMIDRV - ok

12:15:48.0679 0112 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys

12:15:48.0679 0112 IPNAT - ok

12:15:48.0710 0112 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys

12:15:48.0710 0112 IRENUM - ok

12:15:48.0772 0112 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\drivers\isapnp.sys

12:15:48.0772 0112 isapnp - ok

12:15:48.0804 0112 iScsiPrt (ed46c223ae46c6866ab77cdc41c404b7) C:\Windows\system32\drivers\msiscsi.sys

12:15:48.0819 0112 iScsiPrt - ok

12:15:48.0850 0112 JMCR (0a1b5dd3af49c91b852f23ad747973fb) C:\Windows\system32\DRIVERS\jmcr.sys

12:15:48.0866 0112 JMCR - ok

12:15:48.0897 0112 JME (8a06c7a0e701be6d618571095032dcb9) C:\Windows\system32\DRIVERS\JME.sys

12:15:48.0913 0112 JME - ok

12:15:48.0960 0112 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\drivers\kbdclass.sys

12:15:48.0960 0112 kbdclass - ok

12:15:49.0053 0112 kbdhid (3d9f0ebf350edcfd6498057301455964) C:\Windows\system32\drivers\kbdhid.sys

12:15:49.0053 0112 kbdhid - ok

12:15:49.0131 0112 KSecDD (e36a061ec11b373826905b21be10948f) C:\Windows\system32\Drivers\ksecdd.sys

12:15:49.0131 0112 KSecDD - ok

12:15:49.0178 0112 KSecPkg (365c6154bbbc5377173f1ca7bfb6cc59) C:\Windows\system32\Drivers\ksecpkg.sys

12:15:49.0178 0112 KSecPkg - ok

12:15:49.0287 0112 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys

12:15:49.0287 0112 lltdio - ok

12:15:49.0396 0112 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\drivers\lsi_fc.sys

12:15:49.0396 0112 LSI_FC - ok

12:15:49.0443 0112 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\drivers\lsi_sas.sys

12:15:49.0459 0112 LSI_SAS - ok

12:15:49.0490 0112 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\drivers\lsi_sas2.sys

12:15:49.0506 0112 LSI_SAS2 - ok

12:15:49.0552 0112 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\drivers\lsi_scsi.sys

12:15:49.0552 0112 LSI_SCSI - ok

12:15:49.0630 0112 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys

12:15:49.0630 0112 luafv - ok

12:15:49.0708 0112 MBAMSwissArmy - ok

12:15:49.0802 0112 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\drivers\megasas.sys

12:15:49.0802 0112 megasas - ok

12:15:49.0880 0112 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\drivers\MegaSR.sys

12:15:49.0896 0112 MegaSR - ok

12:15:50.0005 0112 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys

12:15:50.0005 0112 Modem - ok

12:15:50.0052 0112 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys

12:15:50.0052 0112 monitor - ok

12:15:50.0130 0112 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\drivers\mouclass.sys

12:15:50.0130 0112 mouclass - ok

12:15:50.0208 0112 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\drivers\mouhid.sys

12:15:50.0208 0112 mouhid - ok

12:15:50.0239 0112 mountmgr (921c18727c5920d6c0300736646931c2) C:\Windows\system32\drivers\mountmgr.sys

12:15:50.0254 0112 mountmgr - ok

12:15:50.0301 0112 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\Windows\system32\DRIVERS\MpFilter.sys

12:15:50.0301 0112 MpFilter - ok

12:15:50.0332 0112 mpio (2af5997438c55fb79d33d015c30e1974) C:\Windows\system32\drivers\mpio.sys

12:15:50.0332 0112 mpio - ok

12:15:50.0488 0112 MpKsl05508c7b (5f53edfead46fa7adb78eee9ecce8fdf) c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{A9340A0F-8C8A-4170-BC5E-B74013D93266}\MpKsl05508c7b.sys

12:15:50.0488 0112 MpKsl05508c7b - ok

12:15:50.0582 0112 MpNWMon (2c3489660d4a8d514c123c3f0d67df46) C:\Windows\system32\DRIVERS\MpNWMon.sys

12:15:50.0582 0112 MpNWMon - ok

12:15:50.0644 0112 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys

12:15:50.0644 0112 mpsdrv - ok

12:15:50.0707 0112 MRxDAV (b1be47008d20e43da3adc37c24cdb89d) C:\Windows\system32\drivers\mrxdav.sys

12:15:50.0707 0112 MRxDAV - ok

12:15:50.0769 0112 mrxsmb (ca7570e42522e24324a12161db14ec02) C:\Windows\system32\DRIVERS\mrxsmb.sys

12:15:50.0785 0112 mrxsmb - ok

12:15:50.0832 0112 mrxsmb10 (f965c3ab2b2ae5c378f4562486e35051) C:\Windows\system32\DRIVERS\mrxsmb10.sys

12:15:50.0847 0112 mrxsmb10 - ok

12:15:50.0878 0112 mrxsmb20 (25c38264a3c72594dd21d355d70d7a5d) C:\Windows\system32\DRIVERS\mrxsmb20.sys

12:15:50.0878 0112 mrxsmb20 - ok

12:15:50.0941 0112 msahci (4326d168944123f38dd3b2d9c37a0b12) C:\Windows\system32\drivers\msahci.sys

12:15:50.0941 0112 msahci - ok

12:15:50.0972 0112 msdsm (455029c7174a2dbb03dba8a0d8bddd9a) C:\Windows\system32\drivers\msdsm.sys

12:15:50.0972 0112 msdsm - ok

12:15:51.0034 0112 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys

12:15:51.0034 0112 Msfs - ok

12:15:51.0066 0112 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys

12:15:51.0066 0112 mshidkmdf - ok

12:15:51.0097 0112 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\drivers\msisadrv.sys

12:15:51.0097 0112 msisadrv - ok

12:15:51.0159 0112 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys

12:15:51.0159 0112 MSKSSRV - ok

12:15:51.0206 0112 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys

12:15:51.0222 0112 MSPCLOCK - ok

12:15:51.0237 0112 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys

12:15:51.0237 0112 MSPQM - ok

12:15:51.0284 0112 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys

12:15:51.0284 0112 MsRPC - ok

12:15:51.0346 0112 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\drivers\mssmbios.sys

12:15:51.0346 0112 mssmbios - ok

12:15:51.0409 0112 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys

12:15:51.0409 0112 MSTEE - ok

12:15:51.0471 0112 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\drivers\MTConfig.sys

12:15:51.0471 0112 MTConfig - ok

12:15:51.0502 0112 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys

12:15:51.0502 0112 Mup - ok

12:15:51.0565 0112 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys

12:15:51.0580 0112 NativeWifiP - ok

12:15:51.0643 0112 NDIS (23759d175a0a9baaf04d05047bc135a8) C:\Windows\system32\drivers\ndis.sys

12:15:51.0658 0112 NDIS - ok

12:15:51.0736 0112 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys

12:15:51.0752 0112 NdisCap - ok

12:15:51.0814 0112 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys

12:15:51.0830 0112 NdisTapi - ok

12:15:51.0861 0112 Ndisuio (b30ae7f2b6d7e343b0df32e6c08fce75) C:\Windows\system32\DRIVERS\ndisuio.sys

12:15:51.0861 0112 Ndisuio - ok

12:15:51.0892 0112 NdisWan (267c415eadcbe53c9ca873dee39cf3a4) C:\Windows\system32\DRIVERS\ndiswan.sys

12:15:51.0908 0112 NdisWan - ok

12:15:51.0924 0112 NDProxy (af7e7c63dcef3f8772726f86039d6eb4) C:\Windows\system32\drivers\NDProxy.sys

12:15:51.0939 0112 NDProxy - ok

12:15:51.0970 0112 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys

12:15:51.0986 0112 NetBIOS - ok

12:15:52.0033 0112 NetBT (dd52a733bf4ca5af84562a5e2f963b91) C:\Windows\system32\DRIVERS\netbt.sys

12:15:52.0048 0112 NetBT - ok

12:15:52.0251 0112 netr28 (c340a607ba9d7fb82d39b12f0e829bdb) C:\Windows\system32\DRIVERS\netr28.sys

12:15:52.0282 0112 netr28 - ok

12:15:52.0360 0112 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\drivers\nfrd960.sys

12:15:52.0376 0112 nfrd960 - ok

12:15:52.0423 0112 NisDrv (7b01c6172cfd0b10116175e09200d4b4) C:\Windows\system32\DRIVERS\NisDrvWFP.sys

12:15:52.0423 0112 NisDrv - ok

12:15:52.0501 0112 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys

12:15:52.0501 0112 Npfs - ok

12:15:52.0532 0112 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys

12:15:52.0532 0112 nsiproxy - ok

12:15:52.0610 0112 Ntfs (3795dcd21f740ee799fb7223234215af) C:\Windows\system32\drivers\Ntfs.sys

12:15:52.0657 0112 Ntfs - ok

12:15:52.0672 0112 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys

12:15:52.0688 0112 Null - ok

12:15:52.0750 0112 nvraid (3f3d04b1d08d43c16ea7963954ec768d) C:\Windows\system32\drivers\nvraid.sys

12:15:52.0750 0112 nvraid - ok

12:15:52.0797 0112 nvstor (c99f251a5de63c6f129cf71933aced0f) C:\Windows\system32\drivers\nvstor.sys

12:15:52.0813 0112 nvstor - ok

12:15:52.0875 0112 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\drivers\nv_agp.sys

12:15:52.0875 0112 nv_agp - ok

12:15:52.0953 0112 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\drivers\ohci1394.sys

12:15:52.0953 0112 ohci1394 - ok

12:15:53.0094 0112 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\drivers\parport.sys

12:15:53.0094 0112 Parport - ok

12:15:53.0156 0112 partmgr (ff4218952b51de44fe910953a3e686b9) C:\Windows\system32\drivers\partmgr.sys

12:15:53.0156 0112 partmgr - ok

12:15:53.0203 0112 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\drivers\parvdm.sys

12:15:53.0218 0112 Parvdm - ok

12:15:53.0296 0112 pci (c858cb77c577780ecc456a892e7e7d0f) C:\Windows\system32\drivers\pci.sys

12:15:53.0296 0112 pci - ok

12:15:53.0374 0112 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\drivers\pciide.sys

12:15:53.0390 0112 pciide - ok

12:15:53.0452 0112 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\drivers\pcmcia.sys

12:15:53.0452 0112 pcmcia - ok

12:15:53.0499 0112 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys

12:15:53.0515 0112 pcw - ok

12:15:53.0577 0112 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys

12:15:53.0593 0112 PEAUTH - ok

12:15:53.0796 0112 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys

12:15:53.0796 0112 PptpMiniport - ok

12:15:53.0874 0112 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\drivers\processr.sys

12:15:53.0889 0112 Processor - ok

12:15:53.0983 0112 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys

12:15:53.0983 0112 Psched - ok

12:15:54.0108 0112 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\drivers\ql2300.sys

12:15:54.0139 0112 ql2300 - ok

12:15:54.0186 0112 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\drivers\ql40xx.sys

12:15:54.0201 0112 ql40xx - ok

12:15:54.0248 0112 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys

12:15:54.0248 0112 QWAVEdrv - ok

12:15:54.0295 0112 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys

12:15:54.0295 0112 RasAcd - ok

12:15:54.0357 0112 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys

12:15:54.0357 0112 RasAgileVpn - ok

12:15:54.0435 0112 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys

12:15:54.0435 0112 Rasl2tp - ok

12:15:54.0560 0112 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys

12:15:54.0560 0112 RasPppoe - ok

12:15:54.0591 0112 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys

12:15:54.0607 0112 RasSstp - ok

12:15:54.0638 0112 rdbss (835d7e81bf517a3b72384bdcc85e1ce6) C:\Windows\system32\DRIVERS\rdbss.sys

12:15:54.0654 0112 rdbss - ok

12:15:54.0700 0112 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys

12:15:54.0700 0112 rdpbus - ok

12:15:54.0747 0112 RDPCDD (1e016846895b15a99f9a176a05029075) C:\Windows\system32\DRIVERS\RDPCDD.sys

12:15:54.0747 0112 RDPCDD - ok

12:15:54.0810 0112 RDPDR (c5ff95883ffef704d50c40d21cfb3ab5) C:\Windows\system32\drivers\rdpdr.sys

12:15:54.0810 0112 RDPDR - ok

12:15:54.0919 0112 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys

12:15:54.0919 0112 RDPENCDD - ok

12:15:54.0966 0112 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys

12:15:54.0966 0112 RDPREFMP - ok

12:15:55.0028 0112 RDPWD (801371ba9782282892d00aadb08ee367) C:\Windows\system32\drivers\RDPWD.sys

12:15:55.0044 0112 RDPWD - ok

12:15:55.0106 0112 rdyboost (4ea225bf1cf05e158853f30a99ca29a7) C:\Windows\system32\drivers\rdyboost.sys

12:15:55.0122 0112 rdyboost - ok

12:15:55.0200 0112 RFCOMM (cb928d9e6daf51879dd6ba8d02f01321) C:\Windows\system32\DRIVERS\rfcomm.sys

12:15:55.0215 0112 RFCOMM - ok

12:15:55.0356 0112 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys

12:15:55.0356 0112 rspndr - ok

12:15:55.0496 0112 sbp2port (34ee0c44b724e3e4ce2eff29126de5b5) C:\Windows\system32\drivers\sbp2port.sys

12:15:55.0496 0112 sbp2port - ok

12:15:55.0590 0112 scfilter (a95c54b2ac3cc9c73fcdf9e51a1d6b51) C:\Windows\system32\DRIVERS\scfilter.sys

12:15:55.0590 0112 scfilter - ok

12:15:55.0714 0112 sdbus (aa826e35f6d28a8e5d1efeb337f24ba2) C:\Windows\system32\DRIVERS\sdbus.sys

12:15:55.0714 0112 sdbus - ok

12:15:55.0808 0112 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys

12:15:55.0824 0112 secdrv - ok

12:15:55.0902 0112 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\drivers\serenum.sys

12:15:55.0902 0112 Serenum - ok

12:15:55.0980 0112 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\drivers\serial.sys

12:15:55.0980 0112 Serial - ok

12:15:56.0042 0112 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\drivers\sermouse.sys

12:15:56.0042 0112 sermouse - ok

12:15:56.0182 0112 SFEP (8b7c1768d2cde2e02e09a66563ddfd16) C:\Windows\system32\drivers\SFEP.sys

12:15:56.0198 0112 SFEP - ok

12:15:56.0260 0112 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\drivers\sffdisk.sys

12:15:56.0260 0112 sffdisk - ok

12:15:56.0323 0112 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\drivers\sffp_mmc.sys

12:15:56.0323 0112 sffp_mmc - ok

12:15:56.0370 0112 sffp_sd (a0708bbd07d245c06ff9de549ca47185) C:\Windows\system32\drivers\sffp_sd.sys

12:15:56.0370 0112 sffp_sd - ok

12:15:56.0432 0112 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\drivers\sfloppy.sys

12:15:56.0432 0112 sfloppy - ok

12:15:56.0526 0112 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\drivers\sisagp.sys

12:15:56.0526 0112 sisagp - ok

12:15:56.0557 0112 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\drivers\SiSRaid2.sys

12:15:56.0557 0112 SiSRaid2 - ok

12:15:56.0588 0112 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\drivers\sisraid4.sys

12:15:56.0604 0112 SiSRaid4 - ok

12:15:56.0650 0112 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys

12:15:56.0650 0112 Smb - ok

12:15:56.0744 0112 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys

12:15:56.0744 0112 spldr - ok

12:15:56.0838 0112 srv (c4a027b8c0bd3fc0699f41fa5e9e0c87) C:\Windows\system32\DRIVERS\srv.sys

12:15:56.0838 0112 srv - ok

12:15:56.0869 0112 srv2 (414bb592cad8a79649d01f9d94318fb3) C:\Windows\system32\DRIVERS\srv2.sys

12:15:56.0884 0112 srv2 - ok

12:15:56.0916 0112 srvnet (ff207d67700aa18242aaf985d3e7d8f4) C:\Windows\system32\DRIVERS\srvnet.sys

12:15:56.0916 0112 srvnet - ok

12:15:57.0009 0112 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\drivers\stexstor.sys

12:15:57.0009 0112 stexstor - ok

12:15:57.0072 0112 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\drivers\swenum.sys

12:15:57.0072 0112 swenum - ok

12:15:57.0134 0112 SynTP (215a45246c6e2d0a9c263ce1786c8d8a) C:\Windows\system32\drivers\SynTP.sys

12:15:57.0150 0112 SynTP - ok

12:15:57.0321 0112 Tcpip (c2daaeb48f3a47c410b041a0d2382ee1) C:\Windows\system32\drivers\tcpip.sys

12:15:57.0368 0112 Tcpip - ok

12:15:57.0446 0112 TCPIP6 (c2daaeb48f3a47c410b041a0d2382ee1) C:\Windows\system32\DRIVERS\tcpip.sys

12:15:57.0462 0112 TCPIP6 - ok

12:15:57.0508 0112 tcpipreg (e64444523add154f86567c469bc0b17f) C:\Windows\system32\drivers\tcpipreg.sys

12:15:57.0508 0112 tcpipreg - ok

12:15:57.0555 0112 TDPIPE (1875c1490d99e70e449e3afae9fcbadf) C:\Windows\system32\drivers\tdpipe.sys

12:15:57.0555 0112 TDPIPE - ok

12:15:57.0586 0112 TDTCP (7551e91ea999ee9a8e9c331d5a9c31f3) C:\Windows\system32\drivers\tdtcp.sys

12:15:57.0586 0112 TDTCP - ok

12:15:57.0618 0112 tdx (cb39e896a2a83702d1737bfd402b3542) C:\Windows\system32\DRIVERS\tdx.sys

12:15:57.0633 0112 tdx - ok

12:15:57.0680 0112 TermDD (c36f41ee20e6999dbf4b0425963268a5) C:\Windows\system32\drivers\termdd.sys

12:15:57.0680 0112 TermDD - ok

12:15:57.0789 0112 tssecsrv (98ae6fa07d12cb4ec5cf4a9bfa5f4242) C:\Windows\system32\DRIVERS\tssecsrv.sys

12:15:57.0789 0112 tssecsrv - ok

12:15:57.0820 0112 tunnel (3e461d890a97f9d4c168f5fda36e1d00) C:\Windows\system32\DRIVERS\tunnel.sys

12:15:57.0836 0112 tunnel - ok

12:15:57.0898 0112 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\drivers\uagp35.sys

12:15:57.0898 0112 uagp35 - ok

12:15:57.0945 0112 udfs (09cc3e16f8e5ee7168e01cf8fcbe061a) C:\Windows\system32\DRIVERS\udfs.sys

12:15:57.0961 0112 udfs - ok

12:15:58.0054 0112 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\drivers\uliagpkx.sys

12:15:58.0070 0112 uliagpkx - ok

12:15:58.0132 0112 umbus (049b3a50b3d646baeeee9eec9b0668dc) C:\Windows\system32\DRIVERS\umbus.sys

12:15:58.0132 0112 umbus - ok

12:15:58.0195 0112 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\drivers\umpass.sys

12:15:58.0210 0112 UmPass - ok

12:15:58.0273 0112 usbccgp (8455c4ed038efd09e99327f9d2d48ffa) C:\Windows\system32\drivers\usbccgp.sys

12:15:58.0273 0112 usbccgp - ok

12:15:58.0320 0112 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\drivers\usbcir.sys

12:15:58.0320 0112 usbcir - ok

12:15:58.0366 0112 usbehci (1c333bfd60f2fed2c7ad5daf533cb742) C:\Windows\system32\drivers\usbehci.sys

12:15:58.0366 0112 usbehci - ok

12:15:58.0429 0112 usbhub (ee6ef93ccfa94fae8c6ab298273d8ae2) C:\Windows\system32\drivers\usbhub.sys

12:15:58.0444 0112 usbhub - ok

12:15:58.0507 0112 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\Windows\system32\drivers\usbohci.sys

12:15:58.0507 0112 usbohci - ok

12:15:58.0538 0112 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\drivers\usbprint.sys

12:15:58.0538 0112 usbprint - ok

12:15:58.0600 0112 USBSTOR (d8889d56e0d27e57ed4591837fe71d27) C:\Windows\system32\DRIVERS\USBSTOR.SYS

12:15:58.0600 0112 USBSTOR - ok

12:15:58.0647 0112 usbuhci (78780c3ebce17405b1ccd07a3a8a7d72) C:\Windows\system32\drivers\usbuhci.sys

12:15:58.0663 0112 usbuhci - ok

12:15:58.0710 0112 usbvideo (f642a7e4bf78cfa359cca0a3557c28d7) C:\Windows\system32\Drivers\usbvideo.sys

12:15:58.0710 0112 usbvideo - ok

12:15:58.0866 0112 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\drivers\vdrvroot.sys

12:15:58.0866 0112 vdrvroot - ok

12:15:58.0912 0112 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys

12:15:58.0912 0112 vga - ok

12:15:58.0944 0112 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys

12:15:58.0944 0112 VgaSave - ok

12:15:59.0022 0112 vhdmp (3be6e1f3a4f1afec8cee0d7883f93583) C:\Windows\system32\drivers\vhdmp.sys

12:15:59.0022 0112 vhdmp - ok

12:15:59.0068 0112 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\drivers\viaagp.sys

12:15:59.0068 0112 viaagp - ok

12:15:59.0100 0112 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\drivers\viac7.sys

12:15:59.0115 0112 ViaC7 - ok

12:15:59.0146 0112 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\drivers\viaide.sys

12:15:59.0162 0112 viaide - ok

12:15:59.0193 0112 volmgr (384e5a2aa49934295171e499f86ba6f3) C:\Windows\system32\drivers\volmgr.sys

12:15:59.0209 0112 volmgr - ok

12:15:59.0256 0112 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys

12:15:59.0271 0112 volmgrx - ok

12:15:59.0302 0112 volsnap (58df9d2481a56edde167e51b334d44fd) C:\Windows\system32\drivers\volsnap.sys

12:15:59.0302 0112 volsnap - ok

12:15:59.0380 0112 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\drivers\vsmraid.sys

12:15:59.0396 0112 vsmraid - ok

12:15:59.0474 0112 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\system32\DRIVERS\vwifibus.sys

12:15:59.0474 0112 vwifibus - ok

12:15:59.0521 0112 vwififlt (7090d3436eeb4e7da3373090a23448f7) C:\Windows\system32\DRIVERS\vwififlt.sys

12:15:59.0521 0112 vwififlt - ok

12:15:59.0614 0112 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\drivers\wacompen.sys

12:15:59.0614 0112 WacomPen - ok

12:15:59.0661 0112 WANARP (692a712062146e96d28ba0b7d75de31b) C:\Windows\system32\DRIVERS\wanarp.sys

12:15:59.0661 0112 WANARP - ok

12:15:59.0677 0112 Wanarpv6 (692a712062146e96d28ba0b7d75de31b) C:\Windows\system32\DRIVERS\wanarp.sys

12:15:59.0677 0112 Wanarpv6 - ok

12:15:59.0833 0112 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\drivers\wd.sys

12:15:59.0833 0112 Wd - ok

12:15:59.0880 0112 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys

12:15:59.0895 0112 Wdf01000 - ok

12:16:00.0004 0112 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys

12:16:00.0004 0112 WfpLwf - ok

12:16:00.0051 0112 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys

12:16:00.0051 0112 WIMMount - ok

12:16:00.0238 0112 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\drivers\wmiacpi.sys

12:16:00.0238 0112 WmiAcpi - ok

12:16:00.0332 0112 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys

12:16:00.0332 0112 ws2ifsl - ok

12:16:00.0426 0112 WudfPf (6f9b6c0c93232cff47d0f72d6db1d21e) C:\Windows\system32\drivers\WudfPf.sys

12:16:00.0426 0112 WudfPf - ok

12:16:00.0472 0112 WUDFRd (f91ff1e51fca30b3c3981db7d5924252) C:\Windows\system32\DRIVERS\WUDFRd.sys

12:16:00.0472 0112 WUDFRd - ok

12:16:00.0582 0112 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0

12:16:00.0613 0112 \Device\Harddisk0\DR0 - ok

12:16:00.0628 0112 Boot (0x1200) (93111972afd75b6589d889d96e18d884) \Device\Harddisk0\DR0\Partition0

12:16:00.0628 0112 \Device\Harddisk0\DR0\Partition0 - ok

12:16:00.0660 0112 Boot (0x1200) (66ed05668ab34d3192b892b3e448ae1b) \Device\Harddisk0\DR0\Partition1

12:16:00.0660 0112 \Device\Harddisk0\DR0\Partition1 - ok

12:16:00.0660 0112 ============================================================

12:16:00.0660 0112 Scan finished

12:16:00.0660 0112 ============================================================

12:16:00.0691 1112 Detected object count: 0

12:16:00.0691 1112 Actual detected object count: 0

12:16:51.0063 2492 Deinitialize success


No torpig detected there.

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


ComboFix log as follows:

ComboFix 11-09-26.01 - Kelly McDaniel 09/25/2011 14:46:43.1.2 - x86

Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2037.1006 [GMT -7:00]

Running from: c:\users\Kelly McDaniel\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\Object\bhO_project.dll

c:\users\Kelly McDaniel\AppData\Roaming\Microsoft\Windows\Recent\energy.tmp

c:\users\Kelly McDaniel\AppData\Roaming\Microsoft\Windows\Recent\SM.exe

c:\users\Kelly McDaniel\AppData\Roaming\Microsoft\Windows\Recent\tjd.drv

c:\users\Kelly McDaniel\AppData\Roaming\Microsoft\Windows\Recent\tjd.tmp

c:\users\Kelly McDaniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recovery

c:\users\Kelly McDaniel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recovery\Uninstall Windows 7 Recovery.lnk

.

.

((((((((((((((((((((((((( Files Created from 2011-08-25 to 2011-09-25 )))))))))))))))))))))))))))))))

.

.

2011-09-25 21:57 . 2011-09-25 21:58 -------- d-----w- c:\users\Kelly McDaniel\AppData\Local\temp

2011-09-25 21:57 . 2011-09-25 21:57 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-09-25 05:18 . 2011-09-25 05:18 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A9340A0F-8C8A-4170-BC5E-B74013D93266}\MpKsl05508c7b.sys

2011-09-25 05:18 . 2011-09-25 05:18 439632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2C1E2FE6-175B-4054-B25B-1A663AFE0071}\gapaengine.dll

2011-09-25 05:18 . 2011-09-25 05:18 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A9340A0F-8C8A-4170-BC5E-B74013D93266}\offreg.dll

2011-09-25 05:18 . 2011-09-12 23:14 7269712 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A9340A0F-8C8A-4170-BC5E-B74013D93266}\mpengine.dll

2011-09-25 05:13 . 2011-09-25 05:14 -------- d-----w- c:\program files\Microsoft Security Client

2011-09-25 05:13 . 2010-04-09 07:24 240008 ----a-w- c:\windows\system32\drivers\netio.sys

2011-09-25 05:01 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-23 23:30 . 2011-09-12 23:14 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C516E349-28DE-40C5-82BE-3E596E4EA210}\mpengine.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-22 04:56 . 2011-08-10 18:19 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2011-07-16 04:37 . 2011-08-10 18:19 169984 ----a-w- c:\windows\system32\winsrv.dll

2011-07-16 04:34 . 2011-08-10 18:19 290816 ----a-w- c:\windows\system32\KernelBase.dll

2011-07-16 04:31 . 2011-08-10 18:19 271360 ----a-w- c:\windows\system32\conhost.exe

2011-07-16 04:19 . 2011-08-10 18:19 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 4096 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3584 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll

2011-07-16 02:21 . 2011-08-10 18:19 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll

2011-07-16 02:21 . 2011-08-10 18:19 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll

2011-07-16 02:21 . 2011-08-10 18:19 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll

2011-07-16 02:21 . 2011-08-10 18:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll

2011-07-09 04:30 . 2011-08-25 04:22 2048 ----a-w- c:\windows\system32\tzres.dll

2011-07-09 02:26 . 2011-08-10 18:19 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-01 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-12-23 8120864]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-12-23 1578280]

"SmartWiHelper"="c:\program files\Sony\SmartWi Connection Utility\SmartWiHelper.exe" [2009-10-05 80384]

"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2009-08-27 320880]

"PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2009-10-24 597792]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-23 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-23 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-23 150552]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-09-01 1047208]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2009-12-01 02:20 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk

backup=c:\windows\pss\Bluetooth.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-02-28 00:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]

2010-03-13 21:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2010-07-01 04:31 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-01 135664]

R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-12-28 43944]

R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-12-28 29472]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-01 135664]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]

R3 SampleCollector;Intel® Sample Collector;c:\program files\Sony\VAIO Care\collsvc.exe [2009-09-17 122880]

R3 SOHCImp;VAIO Media plus Content Importer;c:\program files\Common Files\Sony Shared\SOHLib\SOHCImp.exe [2009-10-15 120104]

R3 SOHDBSvr;VAIO Media plus Database Manager;c:\program files\Common Files\Sony Shared\SOHLib\SOHDBSvr.exe [2009-10-15 70952]

R3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\Common Files\Sony Shared\SOHLib\SOHDms.exe [2009-10-15 427304]

R3 SOHDs;VAIO Media plus Device Searcher;c:\program files\Common Files\Sony Shared\SOHLib\SOHDs.exe [2009-10-15 75048]

R3 SOHPlMgr;VAIO Media plus Playlist Manager;c:\program files\Common Files\Sony Shared\SOHLib\SOHPlMgr.exe [2009-10-15 91432]

R3 VAIO Power Management;VAIO Power Management;c:\program files\Sony\VAIO Power Management\SPMService.exe [2009-12-17 513392]

R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2009-09-16 480624]

R3 VcmINSMgr;VAIO Content Metadata Intelligent Network Service Manager;c:\program files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe [2009-09-02 361840]

R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [2009-09-09 83312]

R3 VUAgent;VUAgent;c:\program files\Sony\VAIO Update 5\VUAgent.exe [2011-04-20 792976]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-12-27 1343400]

S1 MpKsl05508c7b;MpKsl05508c7b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A9340A0F-8C8A-4170-BC5E-B74013D93266}\MpKsl05508c7b.sys [2011-09-25 28752]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [2009-10-24 360224]

S2 VCFw;VAIO Content Folder Watcher;c:\program files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2009-09-15 642416]

S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2010-02-19 130672]

S3 JME;JMicron Ethernet Adapter NDIS6.20 Driver;c:\windows\system32\DRIVERS\JME.sys [2009-12-17 92272]

S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]

S3 netr28;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28.sys [2010-06-29 789856]

S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2009-12-01 9344]

.

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - 39035790

*NewlyCreated* - FGLYQPOB

*NewlyCreated* - MPKSL05508C7B

*NewlyCreated* - MPNWMON

*NewlyCreated* - NISDRV

*Deregistered* - 39035790

*Deregistered* - fglyqpob

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-01 04:31]

.

2011-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-01 04:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.google.com/webhp?rlz=1W1SNNS&brand=SNNS

Trusted Zone: azdhs.gov\vpn

TCP: DhcpNameServer = 192.168.0.1 205.171.3.25

DPF: {B8E73359-3422-4384-8D27-4EA1B4C01232} - hxxps://vpn.azdhs.gov/+CSCOL+/cscopf.cab

DPF: {E34F52FE-7769-46CE-8F8B-5E8ABAD2E9FC} - hxxps://vpn.azdhs.gov/CACHE/sdesktop/install/binaries/instweb.cab

DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} - hxxps://vpn.azdhs.gov/CACHE/sdesktop/install/binaries/instweb.cab

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SampleCollector]

"ImagePath"="\"c:\program files\Sony\VAIO Care\collsvc.exe\" \"/service\" \"/counter=\Processor(_Total)\% Processor Time:5\" \"/counter=\PhysicalDisk(_Total)\Disk Bytes/sec:5\" \"/counter=\Network Interface(*)\Bytes Total/sec:5\" \"/directory=inteldata\""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2011-09-25 15:03:25

ComboFix-quarantined-files.txt 2011-09-25 22:03

.

Pre-Run: 212,783,071,232 bytes free

Post-Run: 213,696,503,808 bytes free

.

- - End Of File - - E3A19BFB6ADF168D9E7AC8CDFC2FAA5E


I see some rootkit evidence here, but no mebroot.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


Driver::
39035790
fglyqpob

Rootkit::
c:\windows\system32\drivers\fglyqpob.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

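The two names in the CFScript's Driver:: section are the ones the first ComboFix log lists under "Other Services/Drivers In Memory" that have no matching line in the R/S service listing. The Python below is an added example, not part of the thread and not how ComboFix or the helper reached that conclusion; the cross-reference heuristic, the function names and the constructed sample (lines copied from the log above) are assumptions.

```python
import re

# Constructed sample: a few lines copied from the first ComboFix log in this thread.
SAMPLE_LOG = r"""
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
S1 MpKsl05508c7b;MpKsl05508c7b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A9340A0F-8C8A-4170-BC5E-B74013D93266}\MpKsl05508c7b.sys [2011-09-25 28752]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 39035790
*NewlyCreated* - FGLYQPOB
*NewlyCreated* - MPKSL05508C7B
*NewlyCreated* - MPNWMON
*NewlyCreated* - NISDRV
*Deregistered* - 39035790
*Deregistered* - fglyqpob
.
Contents of the 'Scheduled Tasks' folder
"""

# "R3 name;display name;image path [date size]" lines of the service/driver listing.
SERVICE_RE = re.compile(r"^[RS][0-4] ([^;]+);([^;]*);(.+?) \[([^\]]*)\]$")
# "*NewlyCreated* - NAME" / "*Deregistered* - NAME" lines of the in-memory section.
MEMORY_RE = re.compile(r"^\*(NewlyCreated|Deregistered)\* - (\S+)$")


def parse(log_text):
    """Return (services, events) with all names lower-cased for comparison."""
    services = {}
    events = {"NewlyCreated": set(), "Deregistered": set()}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            services[m.group(1).lower()] = {
                "display": m.group(2),
                "path": m.group(3),
                "stamp": m.group(4),  # "[x]" in the log means the file was not found
            }
            continue
        m = MEMORY_RE.match(line)
        if m:
            events[m.group(1)].add(m.group(2).lower())
    return services, events


def triage(log_text):
    """List in-memory driver names that have no entry in the service listing.

    Assumed heuristic: a driver that shows up in memory but maps to no listed
    service and image path deserves a closer look, more so when it was created
    and deregistered within the same run.
    """
    services, events = parse(log_text)
    findings = []
    for name in sorted(events["NewlyCreated"] | events["Deregistered"]):
        if name in services:
            continue  # backed by a listed service and image path
        reasons = ["no matching entry in the service/driver listing"]
        if name in events["NewlyCreated"] and name in events["Deregistered"]:
            reasons.append("created and deregistered within the same run")
        findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG):
        print(f"{name}: " + "; ".join(reasons))
```
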

Good evening, Elise - ComboFix log as follows:

ComboFix 11-09-26.01 - Kelly McDaniel 09/26/2011 16:24:19.2.2 - x86

Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2037.1047 [GMT -7:00]

Running from: c:\users\Kelly McDaniel\Desktop\ComboFix.exe

Command switches used :: c:\users\Kelly McDaniel\Desktop\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_39035790

-------\Legacy_FGLYQPOB

-------\Service_fglyqpob

.

.

((((((((((((((((((((((((( Files Created from 2011-08-26 to 2011-09-26 )))))))))))))))))))))))))))))))

.

.

2011-09-25 05:18 . 2011-09-25 05:18 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A9340A0F-8C8A-4170-BC5E-B74013D93266}\MpKsl05508c7b.sys

2011-09-25 05:18 . 2011-09-25 05:18 439632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2C1E2FE6-175B-4054-B25B-1A663AFE0071}\gapaengine.dll

2011-09-25 05:18 . 2011-09-26 23:36 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A9340A0F-8C8A-4170-BC5E-B74013D93266}\offreg.dll

2011-09-25 05:18 . 2011-09-12 23:14 7269712 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A9340A0F-8C8A-4170-BC5E-B74013D93266}\mpengine.dll

2011-09-25 05:13 . 2011-09-25 05:14 -------- d-----w- c:\program files\Microsoft Security Client

2011-09-25 05:13 . 2010-04-09 07:24 240008 ----a-w- c:\windows\system32\drivers\netio.sys

2011-09-25 05:01 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-23 23:30 . 2011-09-12 23:14 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C516E349-28DE-40C5-82BE-3E596E4EA210}\mpengine.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-22 04:56 . 2011-08-10 18:19 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2011-07-16 04:37 . 2011-08-10 18:19 169984 ----a-w- c:\windows\system32\winsrv.dll

2011-07-16 04:34 . 2011-08-10 18:19 290816 ----a-w- c:\windows\system32\KernelBase.dll

2011-07-16 04:31 . 2011-08-10 18:19 271360 ----a-w- c:\windows\system32\conhost.exe

2011-07-16 04:19 . 2011-08-10 18:19 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 4096 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3584 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll

2011-07-16 04:19 . 2011-08-10 18:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll

2011-07-16 02:21 . 2011-08-10 18:19 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll

2011-07-16 02:21 . 2011-08-10 18:19 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll

2011-07-16 02:21 . 2011-08-10 18:19 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll

2011-07-16 02:21 . 2011-08-10 18:19 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll

2011-07-09 04:30 . 2011-08-25 04:22 2048 ----a-w- c:\windows\system32\tzres.dll

2011-07-09 02:26 . 2011-08-10 18:19 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-01 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-12-23 8120864]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-12-23 1578280]

"SmartWiHelper"="c:\program files\Sony\SmartWi Connection Utility\SmartWiHelper.exe" [2009-10-05 80384]

"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2009-08-27 320880]

"PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2009-10-24 597792]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-23 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-23 173592]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-23 150552]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-09-01 1047208]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2009-12-01 02:20 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk

backup=c:\windows\pss\Bluetooth.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2009-02-28 00:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]

2010-03-13 21:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2010-07-01 04:31 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-01 135664]

R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-12-28 43944]

R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-12-28 29472]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-01 135664]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]

R3 SampleCollector;Intel® Sample Collector;c:\program files\Sony\VAIO Care\collsvc.exe [2009-09-17 122880]

R3 SOHCImp;VAIO Media plus Content Importer;c:\program files\Common Files\Sony Shared\SOHLib\SOHCImp.exe [2009-10-15 120104]

R3 SOHDBSvr;VAIO Media plus Database Manager;c:\program files\Common Files\Sony Shared\SOHLib\SOHDBSvr.exe [2009-10-15 70952]

R3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\Common Files\Sony Shared\SOHLib\SOHDms.exe [2009-10-15 427304]

R3 SOHDs;VAIO Media plus Device Searcher;c:\program files\Common Files\Sony Shared\SOHLib\SOHDs.exe [2009-10-15 75048]

R3 SOHPlMgr;VAIO Media plus Playlist Manager;c:\program files\Common Files\Sony Shared\SOHLib\SOHPlMgr.exe [2009-10-15 91432]

R3 VAIO Power Management;VAIO Power Management;c:\program files\Sony\VAIO Power Management\SPMService.exe [2009-12-17 513392]

R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2009-09-16 480624]

R3 VcmINSMgr;VAIO Content Metadata Intelligent Network Service Manager;c:\program files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe [2009-09-02 361840]

R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [2009-09-09 83312]

R3 VUAgent;VUAgent;c:\program files\Sony\VAIO Update 5\VUAgent.exe [2011-04-20 792976]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-12-27 1343400]

S1 MpKsl05508c7b;MpKsl05508c7b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A9340A0F-8C8A-4170-BC5E-B74013D93266}\MpKsl05508c7b.sys [2011-09-25 28752]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [2009-10-24 360224]

S2 VCFw;VAIO Content Folder Watcher;c:\program files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2009-09-15 642416]

S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2010-02-19 130672]

S3 JME;JMicron Ethernet Adapter NDIS6.20 Driver;c:\windows\system32\DRIVERS\JME.sys [2009-12-17 92272]

S3 netr28;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28.sys [2010-06-29 789856]

S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2009-12-01 9344]

.

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-01 04:31]

.

2011-09-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-01 04:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.google.com/webhp?rlz=1W1SNNS&brand=SNNS

Trusted Zone: azdhs.gov\vpn

TCP: DhcpNameServer = 192.168.0.1 205.171.3.25

DPF: {B8E73359-3422-4384-8D27-4EA1B4C01232} - hxxps://vpn.azdhs.gov/+CSCOL+/cscopf.cab

DPF: {E34F52FE-7769-46CE-8F8B-5E8ABAD2E9FC} - hxxps://vpn.azdhs.gov/CACHE/sdesktop/install/binaries/instweb.cab

DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} - hxxps://vpn.azdhs.gov/CACHE/sdesktop/install/binaries/instweb.cab

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SampleCollector]

"ImagePath"="\"c:\program files\Sony\VAIO Care\collsvc.exe\" \"/service\" \"/counter=\Processor(_Total)\% Processor Time:5\" \"/counter=\PhysicalDisk(_Total)\Disk Bytes/sec:5\" \"/counter=\Network Interface(*)\Bytes Total/sec:5\" \"/directory=inteldata\""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(3448)

c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe

c:\windows\system32\taskhost.exe

c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe

c:\program files\Sony\VAIO Event Service\VESMgr.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

c:\windows\system32\DllHost.exe

c:\program files\Sony\VAIO Event Service\VESMgrSub.exe

c:\program files\Sony\VAIO Care\VAIOCareService.exe

c:\windows\system32\conhost.exe

c:\program files\Sony\VAIO Care\VCsystray.exe

c:\program files\Sony\VAIO Update 5\VAIOUpdt.exe

c:\windows\system32\sppsvc.exe

c:\program files\Windows Media Player\wmpnetwk.exe

.

**************************************************************************

.

Completion time: 2011-09-26 16:43:36 - machine was rebooted

ComboFix-quarantined-files.txt 2011-09-26 23:43

ComboFix2.txt 2011-09-25 22:03

.

Pre-Run: 213,618,880,512 bytes free

Post-Run: 213,450,973,184 bytes free

.

- - End Of File - - 0F31276BB15EC050640E232A580FF5CD


Hi, please use the computer for a bit. I haven't seen any rootkit evidence, so for now no need to change passwords, although it can't hurt.

Mebroot infected computers usually tend to slow down a computer. So, when testing, try to pay attention to how smooth everything is running.

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:

  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older versions of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

Your Adobe Reader is now up to date!

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

  • Download the latest version of Java Runtime Environment (JRE) Version 7.
  • Look for "JDK 7 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.

Please launch Malwarebytes Antimalware, update it and run a full scan. Post me the resulting log.


  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
