timb120

Members

View Profile See their activity

Posts
4
Joined
September 1, 2012
Last visited
September 6, 2012

Reputation

0 Neutral

Trojan.Agent with rootkits

timb120 replied to timb120's topic in Resolved Malware Removal Logs

ESETSmartInstaller@High as CAB hook log: OnlineScanner64.ocx - registred OK OnlineScanner.ocx - registred OK
- September 6, 2012
- 9 replies
Trojan.Agent with rootkits

timb120 replied to timb120's topic in Resolved Malware Removal Logs

ComboFix 12-09-04.02 - Tim 09/04/2012 15:39:24.1.4 - x64 Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4095.2743 [GMT -5:00] Running from: c:\users\Tim\Desktop\ComboFix.exe AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0} SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D} SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\programdata\ism_0_llatsni.pad c:\users\Tim\AppData\Roaming\FFSJ c:\users\Tim\AppData\Roaming\FFSJ\FFSJ.cfg c:\users\Tim\AppData\Roaming\Roaming c:\windows\SysWow64\tmpC354.tmp . . ((((((((((((((((((((((((( Files Created from 2012-08-04 to 2012-09-04 ))))))))))))))))))))))))))))))) . . 2012-09-04 20:46 . 2012-09-04 20:46 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp 2012-09-04 20:46 . 2012-09-04 20:46 -------- d-----w- c:\users\Default\AppData\Local\temp 2012-09-04 20:26 . 2012-09-04 20:26 -------- d-----w- c:\users\Tim\AppData\Local\AVG Secure Search 2012-09-04 20:26 . 2012-09-04 20:26 -------- d-----w- c:\programdata\AVG Secure Search 2012-09-04 20:26 . 2012-09-04 20:26 31080 ----a-w- c:\windows\system32\drivers\avgtpx64.sys 2012-09-04 20:26 . 2012-09-04 20:26 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search 2012-09-04 20:26 . 2012-09-04 20:26 -------- d-----w- c:\program files (x86)\AVG Secure Search 2012-09-04 20:25 . 2012-09-04 20:25 -------- d-----w- c:\windows\SysWow64\drivers\AVG 2012-09-04 20:24 . 2012-09-04 20:24 -------- d-----w- c:\windows\system32\drivers\AVG 2012-09-04 20:24 . 2012-09-04 20:24 -------- d-----w- C:\$AVG 2012-09-04 19:53 . 2012-09-04 19:53 208216 ----a-w- c:\windows\system32\drivers\70614863.sys 2012-09-04 18:33 . 2012-08-23 06:26 9310152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F4BC5975-722C-4ACF-838A-4755FFA868DA}\mpengine.dll 2012-09-01 22:54 . 2012-09-01 22:54 -------- d-----w- c:\windows\system32\SPReview 2012-09-01 22:54 . 2012-09-01 22:54 -------- d-----w- c:\windows\system32\EventProviders 2012-09-01 22:51 . 2012-08-03 09:27 62134624 ----a-w- c:\windows\system32\MRT.exe 2012-09-01 20:57 . 2012-09-01 20:56 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0EB5E7DB-7815-44DC-9D17-35E316C87A49}\gapaengine.dll 2012-09-01 20:56 . 2012-08-23 06:26 9310152 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2012-09-01 20:47 . 2012-09-01 20:47 -------- d-----w- c:\program files (x86)\Microsoft Security Client 2012-09-01 20:47 . 2012-09-01 20:48 -------- d-----w- c:\program files\Microsoft Security Client 2012-09-01 19:13 . 2012-09-04 19:58 -------- d-----w- C:\TDSSKiller_Quarantine 2012-08-28 14:36 . 2012-08-28 14:36 -------- d-----w- c:\users\Tim\AppData\Roaming\DisneyInteractiveStudios 2012-08-15 04:23 . 2012-06-29 04:55 17809920 ----a-w- c:\windows\system32\mshtml.dll 2012-08-15 04:23 . 2012-06-29 04:09 10925568 ----a-w- c:\windows\system32\ieframe.dll 2012-08-14 22:49 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll 2012-08-14 22:49 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll 2012-08-14 22:49 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll 2012-08-14 22:49 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll 2012-08-14 22:49 . 2012-07-18 18:15 3148800 ----a-w- c:\windows\system32\win32k.sys 2012-08-14 22:49 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll 2012-08-14 22:49 . 2010-11-20 13:27 39424 ----a-w- c:\windows\system32\Spool\prtprocs\x64\winprint.dll . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-09-01 23:05 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll 2012-09-01 23:05 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll 2012-06-29 10:04 . 2012-07-20 16:23 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E110A141-C778-44DD-B071-A40AFDC6EBDA}\mpengine.dll 2012-06-19 22:57 . 2011-03-28 23:36 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll 2012-06-09 05:43 . 2012-07-11 13:37 14172672 ----a-w- c:\windows\system32\shell32.dll 2009-05-15 03:15 . 2009-05-15 03:15 5719400 ----a-w- c:\program files\Common Files\adlmint_libFNP.dll 2009-05-15 03:15 . 2009-05-15 03:15 4397928 ----a-w- c:\program files\Common Files\adlmint.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}] 2012-09-04 20:26 2045024 ----a-w- c:\program files (x86)\AVG Secure Search\12.2.0.5\AVG Secure Search_toolbar.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar] "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\12.2.0.5\AVG Secure Search_toolbar.dll" [2012-09-04 2045024] . [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}] [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1] [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj] . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\users\Tim\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\users\Tim\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\users\Tim\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4] @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\users\Tim\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Akamai NetSession Interface"="c:\users\Tim\AppData\Local\Akamai\netsession_win.exe" [2012-08-10 4440896] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104] "amd_dc_opt"="c:\program files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824] "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712] "AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992] "SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096] "HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208] "AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008] "vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-09-04 1162848] "ROC_roc_ssl_v12"="c:\program files (x86)\AVG Secure Search\ROC_roc_ssl_v12.exe" [2012-09-04 1020512] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32] "aux3"=wdmaud.drv . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-10 136176] R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-03-01 2348352] R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 253600] R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x] R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2011-02-04 1436424] R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-10 136176] R3 KodakSvc;Kodak AiO Device Service;c:\program files (x86)\Kodak\printer\center\KodakSvc.exe [2008-07-25 18944] R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688] R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696] R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 20992] R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096] R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392] R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x] R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-08 1255736] S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-04-19 28480] S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-01-31 36944] S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280] S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-02-22 289872] S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-12-23 47696] S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-03-19 383808] S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys [2012-09-04 31080] S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136] S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\avgidsagent.exe [2012-07-04 5160568] S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288] S2 mi-raysat_3dsmax2010_64;mental ray 3.7 Satellite for Autodesk 3ds Max Design 2010 64-bit 64-bit;e:\programs\Autodesk\3ds Max Design 2010\mentalray\satellite\raysat_3dsmax2010_64server.exe [2009-03-12 86016] S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-02-29 382272] S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-10-30 3580712] S2 vToolbarUpdater12.2.0;vToolbarUpdater12.2.0;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\12.2.0\ToolbarUpdater.exe [2012-09-04 927840] S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2011-12-23 124496] S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfiltera.sys [2011-12-23 29776] S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-01-17 188224] S3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2010-04-12 183888] S3 TotRec8;Total Recorder WDM audio filter driver;c:\windows\system32\drivers\TotRec8.sys [2010-04-12 122448] S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2008-10-06 18216] . . --- Other Services/Drivers In Memory --- . *NewlyCreated* - WS2IFSL . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost] Akamai REG_MULTI_SZ Akamai . Contents of the 'Scheduled Tasks' folder . 2012-09-04 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 20:29] . 2012-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-10 02:06] . 2012-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-10 02:06] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 97792 ----a-w- c:\users\Tim\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 97792 ----a-w- c:\users\Tim\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 97792 ----a-w- c:\users\Tim\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4] @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 97792 ----a-w- c:\users\Tim\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168] "EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\x64\3\EKIJ5000MUI.exe" [2010-09-02 2045440] . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler] "{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files (x86)\Stardock\Fences\FencesMenu64.dll" [2010-06-22 253288] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "LoadAppInit_DLLs"=0x1 . ------- Supplementary Scan ------- . uLocal Page = c:\windows\system32\blank.htm uStart Page = hxxp://www.bing.com/ mLocal Page = c:\windows\system32\blank.htm uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local> uInternet Settings,ProxyServer = 127.0.0.1:5555 TCP: DhcpNameServer = 192.168.15.1 Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\12.2.0\ViProtocol.dll . - - - - ORPHANS REMOVED - - - - . Toolbar-Locked - (no file) SafeBoot-51898184.sys SafeBoot-84025568.sys SafeBoot-97532068.sys AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe AddRemove-OggDS - c:\windows\system32\OggDSuninst.exe AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc_bc2.exe . . . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai] "ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_4f7fccd.dll" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\S-1-5-21-4106963553-2528403711-3970555300-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*] @Allowed: (Read) (RestrictedCode) "??"=hex:d4,78,27,f9,86,e9,20,1a,7e,43,aa,74,ed,d0,16,26,80,51,10,69,eb,e2,6f, a1,d5,73,ca,58,0e,22,93,0c,b0,ae,a7,71,2d,f8,30,4c,90,47,52,a6,4e,e4,12,89,\ "??"=hex:8c,4a,e6,be,9d,76,7a,f5,62,30,78,bb,11,60,74,63 . [HKEY_USERS\S-1-5-21-4106963553-2528403711-3970555300-1001\Software\SecuROM\License information*] "datasecu"=hex:77,6b,29,c9,d4,90,8f,9b,94,16,43,1a,4c,0b,82,c5,f4,83,1c,d7,54, c6,d8,82,23,91,68,13,58,15,b5,95,30,41,42,de,bc,2d,53,6c,38,e5,b7,d3,1b,02,\ "rkeysecu"=hex:46,db,ef,6e,2d,ed,a6,bf,15,e0,0c,10,d7,b9,5f,b8 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version] "Version"=hex:99,b9,9f,44,e8,45,1c,49,13,0a,44,55,23,ba,98,fd,db,3b,09,9e,87, 85,70,7e,47,4f,51,25,a7,d1,1a,ac,7d,9c,1f,c2,b7,a5,0e,0d,5e,fa,80,34,2d,d0,\ . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.11" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version] "Version"=hex:99,b9,9f,44,e8,45,1c,49,13,0a,44,55,23,ba,98,fd,db,3b,09,9e,87, 85,70,7e,47,4f,51,25,a7,d1,1a,ac,7d,9c,1f,c2,b7,a5,0e,0d,5e,fa,80,34,2d,d0,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . ------------------------ Other Running Processes ------------------------ . c:\windows\SysWOW64\PnkBstrA.exe c:\program files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe c:\program files (x86)\AVG\AVG2012\avgmfapx.exe c:\program files (x86)\AVG\AVG2012\idpfixx.exe c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe . ************************************************************************** . Completion time: 2012-09-04 16:00:08 - machine was rebooted ComboFix-quarantined-files.txt 2012-09-04 20:59 . Pre-Run: 36,436,455,424 bytes free Post-Run: 36,320,694,272 bytes free . - - End Of File - - 7CA84F3C30AFC490C7A5304748ECAD6F
- September 4, 2012
- 9 replies
Trojan.Agent with rootkits

timb120 replied to timb120's topic in Resolved Malware Removal Logs

Hi Maniac. Thank you so much for your quick reply. Unfortunately I have too many special programs and settings installed on my computer to reinstall my os and redo everything else. I don't wish to go through the hassle, but then again I do not do much as far as banking goes on my computer. Is there anything I can do to ensure security on my computer from these backdoor threats other than reformatting? The forum would not allow me to post the TDSSKiller log because the post would be too long. Malwarebytes Anti-Malware 1.62.0.1300 www.malwarebytes.org Database version: v2012.09.01.06 Windows 7 x64 NTFS Internet Explorer 9.0.8112.16421 Tim :: TIM-PC [administrator] 9/1/2012 2:22:34 PM mbam-log-2012-09-01 (14-22-34).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P Scan options disabled: Objects scanned: 234092 Time elapsed: 4 minute(s), 47 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 1 C:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully. (end) . DDS (Ver_2011-08-26.01) - NTFSAMD64 Internet Explorer: 9.0.8112.16421 Run by Tim at 14:44:00 on 2012-09-01 Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4095.2763 [GMT -5:00] . AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0} SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D} SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . ============== Running Processes =============== . C:\PROGRA~2\AVG\AVG2012\avgrsa.exe C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\nvvsvc.exe C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe C:\Windows\system32\svchost.exe -k RPCSS C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\SysWOW64\svchost.exe -k Akamai C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork E:\Programs\Autodesk\3ds Max Design 2010\mentalray\satellite\raysat_3dsmax2010_64server.exe C:\Windows\SysWOW64\PnkBstrA.exe C:\Windows\system32\svchost.exe -k imgsvc C:\Windows\system32\Wacom_Tablet.exe C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe C:\Windows\system32\nvvsvc.exe C:\Windows\SYSTEM32\WISPTIS.EXE C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe C:\Program Files (x86)\AVG\AVG2012\avgemca.exe C:\Windows\system32\WUDFHost.exe C:\Windows\system32\Dwm.exe C:\Windows\SYSTEM32\WISPTIS.EXE C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Windows\Explorer.EXE C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe C:\Windows\system32\taskhost.exe C:\Users\Tim\AppData\Local\Akamai\netsession_win.exe C:\Windows\system32\WTablet\Wacom_TabletUser.exe C:\Windows\system32\Wacom_Tablet.exe C:\Users\Tim\AppData\Local\Akamai\netsession_win.exe C:\Program Files (x86)\AVG\AVG2012\avgtray.exe C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe C:\Program Files\NVIDIA Corporation\Display\nvtray.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe C:\Windows\system32\wuauclt.exe C:\Windows\servicing\TrustedInstaller.exe C:\Windows\system32\svchost.exe -k SDRSVC C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\system32\taskmgr.exe C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe C:\Windows\SysWOW64\cscript.exe C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\system32\DllHost.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.bing.com/ uSearch Bar = Preserve uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local> uInternet Settings,ProxyServer = 127.0.0.1:5555 mWinlogon: Userinit=userinit.exe, BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - E:\Programs\adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - E:\Programs\adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll uRun: [Akamai NetSession Interface] "C:\Users\Tim\AppData\Local\Akamai\netsession_win.exe" mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW mRun: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin mRun: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe mRun: [<NO NAME>] mPolicies-explorer: NoActiveDesktop = 1 (0x1) mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1) mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3) mPolicies-system: EnableUIADesktopToggle = 0 (0x0) IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab TCP: DhcpNameServer = 192.168.15.1 TCP: Interfaces\{4C13C7A8-3DA7-47C0-B070-E0AC5AB8517D} : DhcpNameServer = 192.168.15.1 Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll BHO-X64: ContributeBHO Class: {074C1DC5-9320-4A9A-947D-C042949C6216} - E:\Programs\adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll BHO-X64: AcroIEHelperStub - No File BHO-X64: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll BHO-X64: AVG Do Not Track - No File BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll BHO-X64: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File TB-X64: Contribute Toolbar: {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - E:\Programs\adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW mRun-x64: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" mRun-x64: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin mRun-x64: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe mRun-x64: [(Default)] . ============= SERVICES / DRIVERS =============== . R0 AVGIDSHA;AVGIDSHA;C:\Windows\system32\DRIVERS\avgidsha.sys --> C:\Windows\system32\DRIVERS\avgidsha.sys [?] R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?] R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?] R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?] R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?] R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?] R2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2009-7-13 20992] R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe [2012-7-4 5160568] R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-2-14 193288] R2 mi-raysat_3dsmax2010_64;mental ray 3.7 Satellite for Autodesk 3ds Max Design 2010 64-bit 64-bit;E:\Programs\Autodesk\3ds Max Design 2010\mentalray\satellite\raysat_3dsmax2010_64server.exe [2009-3-12 86016] R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-2-29 382272] R2 TabletServiceWacom;TabletServiceWacom;C:\Windows\system32\Wacom_Tablet.exe --> C:\Windows\system32\Wacom_Tablet.exe [?] R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\avgidsdrivera.sys --> C:\Windows\system32\DRIVERS\avgidsdrivera.sys [?] R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\avgidsfiltera.sys --> C:\Windows\system32\DRIVERS\avgidsfiltera.sys [?] R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?] R3 TotRec7;Total Recorder WDM audio driver;C:\Windows\system32\drivers\TotRec7.sys --> C:\Windows\system32\drivers\TotRec7.sys [?] R3 TotRec8;Total Recorder WDM audio filter driver;\??\C:\Windows\system32\drivers\TotRec8.sys --> C:\Windows\system32\drivers\TotRec8.sys [?] R3 wacmoumonitor;Wacom Mode Helper;C:\Windows\system32\DRIVERS\wacmoumonitor.sys --> C:\Windows\system32\DRIVERS\wacmoumonitor.sys [?] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384] S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576] S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-9 136176] S2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-3-15 2348352] S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-2 253600] S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-2-1 1436424] S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-9 136176] S3 KodakSvc;Kodak AiO Device Service;C:\Program Files (x86)\Kodak\Printer\Center\KodakSvc.exe [2008-7-25 18944] S3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?] S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096] S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?] S4 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-20 655944] . =============== Created Last 30 ================ . 2012-09-01 19:13:34 -------- d-----w- C:\TDSSKiller_Quarantine 2012-08-29 15:00:52 -------- d-----w- C:\Users\Tim\AppData\Local\{4E9BA465-DA13-4410-9409-F721450A5CBB} 2012-08-29 00:15:20 -------- d-----w- C:\Users\Tim\AppData\Local\{3E94569C-3BB5-4EB5-BDAD-C74C4BA7B0F0} 2012-08-28 14:36:31 -------- d-----w- C:\Users\Tim\AppData\Roaming\DisneyInteractiveStudios 2012-08-27 15:19:36 -------- d-----w- C:\Users\Tim\AppData\Local\{255C15EA-F666-47B6-A5D2-6BC4FB6F6329} 2012-08-26 17:37:43 -------- d-----w- C:\Users\Tim\AppData\Local\{DC506FDF-4FC2-42C0-9341-D245DE788FC3} 2012-08-25 22:46:43 -------- d-----w- C:\Users\Tim\AppData\Local\{DDEB1160-8E15-4296-8939-F15F7A535E62} 2012-08-25 01:59:21 -------- d-----w- C:\Users\Tim\AppData\Local\{D8315A1A-19BA-4E91-8B6C-8AB00756696F} 2012-08-24 11:59:52 -------- d-----w- C:\Users\Tim\AppData\Local\{DE08250F-F7DC-4458-96F7-67CC6907C961} 2012-08-23 15:35:28 -------- d-----w- C:\Users\Tim\AppData\Local\{AA912F02-AB2D-459C-944A-3FC6D028368C} 2012-08-22 19:53:47 -------- d-----w- C:\Users\Tim\AppData\Local\{DCEB3BBE-AEBD-4C4D-B646-5E563024361B} 2012-08-22 04:02:55 -------- d-----w- C:\Users\Tim\AppData\Local\{047944F3-B9A0-4B4E-99BC-D31539C95DDD} 2012-08-21 16:02:34 -------- d-----w- C:\Users\Tim\AppData\Local\{8EB61DCF-0E8D-4D91-AA4F-012AF8765612} 2012-08-21 03:03:10 -------- d-----w- C:\Users\Tim\AppData\Local\{57F45B0A-AC3E-4A19-A36A-64FF7C576E87} 2012-08-20 15:02:41 -------- d-----w- C:\Users\Tim\AppData\Local\{1BAF4ED6-97F1-4238-BD42-624EFCA0F3A2} 2012-08-19 17:55:44 -------- d-----w- C:\Users\Tim\AppData\Local\{20CC452C-F422-45D6-9B4B-ABAD740C75CF} 2012-08-18 15:56:06 -------- d-----w- C:\Users\Tim\AppData\Local\{8B0668EB-2B6A-4022-BC37-B1EE33361E7B} 2012-08-16 16:04:59 -------- d-----w- C:\Users\Tim\AppData\Local\{63922353-3C24-4448-A209-EB3B4475E9E1} 2012-08-16 16:04:34 -------- d-----w- C:\Users\Tim\AppData\Local\{14D8FE61-E272-4B91-BC9B-0FB58D769091} 2012-08-15 14:26:42 -------- d-----w- C:\Users\Tim\AppData\Local\{78FF0C0C-F1D6-412C-93BB-41C12D8E8509} 2012-08-15 14:26:22 -------- d-----w- C:\Users\Tim\AppData\Local\{A273A73D-EACE-42AC-AD5A-23EBB0407F79} 2012-08-14 22:49:51 58880 ----a-w- C:\Windows\System32\browcli.dll 2012-08-14 22:49:51 41472 ----a-w- C:\Windows\SysWow64\browcli.dll 2012-08-14 22:49:51 136704 ----a-w- C:\Windows\System32\browser.dll 2012-08-14 22:49:48 3146752 ----a-w- C:\Windows\System32\win32k.sys 2012-08-14 22:49:46 956416 ----a-w- C:\Windows\System32\localspl.dll 2012-08-14 20:44:29 -------- d-----w- C:\Users\Tim\AppData\Local\{3327A51C-ABEC-49C0-9E4E-4706D367E89D} 2012-08-14 20:44:17 -------- d-----w- C:\Users\Tim\AppData\Local\{C520E885-A544-44F2-B48E-5C9B66F7F284} 2012-08-10 22:41:34 -------- d-----w- C:\Users\Tim\AppData\Local\{FF0885ED-3F4E-46EB-8C36-08628D44CD03} 2012-08-10 22:41:14 -------- d-----w- C:\Users\Tim\AppData\Local\{0227DFED-2715-482C-B38A-3AF5BF49CD65} 2012-08-08 19:12:34 -------- d-----w- C:\Users\Tim\AppData\Local\{F1A817EC-C5EE-47BB-9502-398E1FCAF515} 2012-08-08 19:11:58 -------- d-----w- C:\Users\Tim\AppData\Local\{21B17A2F-78F9-4EEC-A738-484E9AE0F895} 2012-08-07 17:36:04 -------- d-----w- C:\Users\Tim\AppData\Local\{A8ABF336-659C-4DF6-BAF7-68EF1B5B083D} 2012-08-07 17:35:46 -------- d-----w- C:\Users\Tim\AppData\Local\{46B4986A-622A-480C-B3BA-F0FCE2D8AF75} 2012-08-07 02:47:12 -------- d-----w- C:\Users\Tim\AppData\Local\{A6D24C9E-9DB9-4090-B8AB-FED6906CBA69} 2012-08-07 02:47:01 -------- d-----w- C:\Users\Tim\AppData\Local\{05BA709A-CE62-4E05-B910-2541F302C640} 2012-08-06 14:46:27 -------- d-----w- C:\Users\Tim\AppData\Local\{401F1583-CE8C-442F-B0B8-D0AB227C38B4} 2012-08-06 14:45:57 -------- d-----w- C:\Users\Tim\AppData\Local\{6E371A8C-DA3B-4A81-BAB0-53A1B365BD14} 2012-08-05 23:27:34 -------- d-----w- C:\Users\Tim\AppData\Local\{32073160-CC5D-4C50-ACB9-2B3B43EBDF6D} 2012-08-05 23:27:20 -------- d-----w- C:\Users\Tim\AppData\Local\{DCC93CCA-1314-4469-AC2B-A1B213609D05} 2012-08-04 14:55:35 -------- d-----w- C:\Users\Tim\AppData\Local\{B662A3AA-E403-4CF5-BE19-F0D4ABA943CC} 2012-08-04 14:54:57 -------- d-----w- C:\Users\Tim\AppData\Local\{863FF1EA-B6D2-4EF5-A1A5-9947EC0D03E2} 2012-08-03 23:57:31 -------- d-----w- C:\Users\Tim\AppData\Local\{930385B4-D918-4D2B-8CAC-45C8F9FC2824} 2012-08-03 23:57:18 -------- d-----w- C:\Users\Tim\AppData\Local\{EF826109-A7E8-47F0-949D-703335F88DC2} . ==================== Find3M ==================== . 2012-07-03 18:46:44 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys 2012-06-29 03:56:34 2312704 ----a-w- C:\Windows\System32\jscript9.dll 2012-06-29 03:49:11 1392128 ----a-w- C:\Windows\System32\wininet.dll 2012-06-29 03:48:07 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl 2012-06-29 03:43:49 173056 ----a-w- C:\Windows\System32\ieUnatt.exe 2012-06-29 03:39:48 2382848 ----a-w- C:\Windows\System32\mshtml.tlb 2012-06-29 00:16:58 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll 2012-06-29 00:09:01 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll 2012-06-29 00:08:59 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl 2012-06-29 00:04:43 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe 2012-06-29 00:00:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb 2012-06-06 05:50:50 2003968 ----a-w- C:\Windows\System32\msxml6.dll 2012-06-06 05:50:50 1880064 ----a-w- C:\Windows\System32\msxml3.dll 2012-06-06 05:09:46 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll 2012-06-06 05:09:46 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll 2009-05-15 03:15:24 5719400 ----a-w- C:\Program Files\Common Files\adlmint_libFNP.dll 2009-05-15 03:15:24 4397928 ----a-w- C:\Program Files\Common Files\adlmint.dll . ============= FINISH: 14:45:26.08 =============== TDSSKiller.2.8.8.0_01.09.2012_14.04.20_log.txt
- September 1, 2012
- 9 replies
Trojan.Agent with rootkits

timb120 posted a topic in Resolved Malware Removal Logs

Hi. Yesterday around 7:04 I got a virus. AVG alerted me to the problem. All the programs that I was running started shutting off faster than I've ever seen, my desktop went away and the toolbar at the bottom disappeared. Fearing the worst, I immediately turned off my computer and turned it back on. It started normally. I did a virus scan with both AVG and Malwarebytes. AVG returned the report of a number of rootkit infections and a javaupdatescheduler infection. I uninstalled the java update program to get rid of the infected file and it no longer appears on AVG virus scan. I can't get rid of the rookits with AVG. I've included the AVG report of the rootkits. The virus scan with Malwarebytes returned the report of 2 Trojan.Agents in svchost.exe. Malwarebytes did not show a java update scheduler infection or rookits. I hope I can get help with both the malwarebytes' scan and avg. Thanks you. Attach.txt DDS.txt avg scan.txt
- September 1, 2012
- 9 replies

Sign In

timb120

Posts

Joined

Last visited

Reputation

Trojan.Agent with rootkits

Trojan.Agent with rootkits

Trojan.Agent with rootkits

Trojan.Agent with rootkits

Browse

Activity

Personal

Business

Business Modules

Partners

Learn

Start here

Type of malware/attacks

How does it get on my computer?

Scams and grifts

Support

Important Information