Ironman13
Posts: 10
Posts posted by Ironman13
-
I ran TDSSKiller again but it does not find anything. No threats found, neutralized or quarantined.
Should I move on with ComboFix or am I missing something here?
-
-
Hopefully this is what you are looking for. I have not deleted any reports but don't seem to have a file that I can attach. This is from the reports function when launching TDSSKiller.
13:15:42.0712 3224 TDSS rootkit removing tool 2.8.13.0 Oct 12 2012 17:26:47
13:15:43.0118 3224 ============================================================
13:15:43.0118 3224 Current date / time: 2012/10/17 13:15:43.0118
13:15:43.0118 3224 SystemInfo:
13:15:43.0118 3224
13:15:43.0118 3224 OS Version: 6.1.7601 ServicePack: 1.0
13:15:43.0118 3224 Product type: Workstation
13:15:43.0118 3224 ComputerName: SMARTBOX
13:15:43.0118 3224 UserName: Administrator
13:15:43.0118 3224 Windows directory: C:\Windows
13:15:43.0118 3224 System windows directory: C:\Windows
13:15:43.0118 3224 Running under WOW64
13:15:43.0118 3224 Processor architecture: Intel x64
13:15:43.0118 3224 Number of processors: 1
13:15:43.0118 3224 Page size: 0x1000
13:15:43.0118 3224 Boot type: Normal boot
13:15:43.0118 3224 ============================================================
13:15:46.0488 3224 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x7E2D, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000040
13:15:46.0503 3224 ============================================================
13:15:46.0503 3224 \Device\Harddisk0\DR0:
13:15:46.0503 3224 MBR partitions:
13:15:46.0503 3224 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
13:15:46.0503 3224 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x1BBC4000
13:15:46.0503 3224 \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0x1BBF6800, BlocksNum 0x15CE800
13:15:46.0503 3224 ============================================================
13:15:46.0519 3224 C: <-> \Device\Harddisk0\DR0\Partition2
13:15:46.0566 3224 D: <-> \Device\Harddisk0\DR0\Partition3
13:15:46.0566 3224 ============================================================
13:15:46.0566 3224 Initialize success
13:15:46.0566 3224 ============================================================
-
It looks like this worked.

Attached are the before and after MBAM logs after having run the TDSSKiller.
Is there anything further that I need to do?
Malwarebytes Anti-Malware 1.65.0.1400
Database version: v2012.10.17.07
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Administrator :: SMARTBOX [administrator]
10/17/2012 12:42:37 PM
mbam-log-2012-10-17 (12-42-37).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 221618
Time elapsed: 7 minute(s), 1 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
(end)
Malwarebytes Anti-Malware 1.65.0.1400
Database version: v2012.10.17.07
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Administrator :: SMARTBOX [administrator]
10/17/2012 12:59:34 PM
mbam-log-2012-10-17 (12-59-34).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 221687
Time elapsed: 5 minute(s), 22 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
-
Here is the log from Listparts64. I will begin with TDSSKiller download and instructions as listed.
ListParts by Farbar Version: 16-10-2012
Ran by Administrator (administrator) on 17-10-2012 at 11:56:30
Windows 7 (X64)
Running From: C:\Users\Administrator\Desktop
Language: 0409
************************************************************
========================= Memory info ======================
Percentage of memory in use: 64%
Total physical RAM: 1918.49 MB
Available physical RAM: 685.59 MB
Total Pagefile: 3836.98 MB
Available Pagefile: 1576.6 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB
======================= Partitions =========================
1 Drive c: (COMPAQ) (Fixed) (Total:221.88 GB) (Free:102.95 GB) NTFS
2 Drive d: (FACTORY_IMAGE) (Fixed) (Total:10.9 GB) (Free:2.03 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 221 GB 101 MB
Partition 3 Primary 10 GB 221 GB
======================================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 SYSTEM NTFS Partition 100 MB Healthy System (partition with boot components)
======================================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C COMPAQ NTFS Partition 221 GB Healthy Boot
======================================================================================================
Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D FACTORY_IMA NTFS Partition 10 GB Healthy
======================================================================================================
==========================================================
TDL4: custom:26000022
****** End Of Log ******
-
Sorry about that. Here is the complete log.
RogueKiller V8.1.1 [10/01/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Administrator [Admin rights]
Mode : Scan -- Date : 10/17/2012 10:50:32
¤¤¤ Bad processes : 1 ¤¤¤
[sVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]
¤¤¤ Registry Entries : 7 ¤¤¤
[TASK][sUSP PATH] iMeshNAG.job : C:\Users\ADMINI~1\AppData\Local\Temp\iMesh_setup.exe -> FOUND
[TASK][bLPATH] HPCustParticipation HP Officejet 6700 : "C:\Program Files\HP\HP Officejet 6700\Bin\HPCustPartic.exe" /UA 9.5 /DDV 0x1000 -> FOUND
[TASK][sUSP PATH] iMeshNAG : C:\Users\ADMINI~1\AppData\Local\Temp\iMesh_setup.exe NAGMETHOD=Schedule -> FOUND
[TASK][sUSP PATH] {4D6D8932-EDCF-4420-8B1D-F8126BB12376} : C:\Windows\system32\pcalua.exe -a "C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\348DFNKM\ANTAgent_2217.exe" -d C:\Users\Administrator\Desktop -> FOUND
[TASK][sUSP PATH] {66C6677E-2A3A-4A04-9FD6-C984579FDE2E} : C:\Windows\system32\pcalua.exe -a "C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H2IWM6OY\mp600win111ej[1].exe" -d C:\Users\Administrator\Desktop -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: WDC WD25 00AAJS-65M0A SCSI Disk Device +++++
--- User ---
[MBR] c83437cae76a22bfe69c84ccb7a7b974
[bSP] c1b72764b614ea9c87e84284e8df15c3 : Windows Vista/7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 227208 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 465528832 | Size: 11165 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
Finished : << RKreport[1].txt >>
RKreport[1].txt
-
Thank you. Here is the report.
RogueKiller V8.1.1 [10/01/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com
Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Administrator [Admin rights]
Mode : Scan -- Date : 10/17/2012 10:50:32
¤¤¤ Bad processes : 1 ¤¤¤
[sVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]
¤¤¤ Registry Entries : 7 ¤¤¤
[TASK][sUSP PATH] iMeshNAG.job : C:\Users\ADMINI~1\AppData\Local\Temp\iMesh_setup.exe -> FOUND
[TASK][bLPATH] HPCustParticipation HP Officejet 6700 : "C:\Program Files\HP\HP Officejet 6700\Bin\HPCustPartic.exe" /UA 9.5 /DDV 0x1000 -> FOUND
[TASK][sUSP PATH] iMeshNAG : C:\Users\ADMINI~1\AppData\Local\Temp\iMesh_setup.exe NAGMETHOD=Schedule -> FOUND
[TASK][sUSP PATH] {4D6D8932-EDCF-4420-8B1D-F8126BB12376} : C:\Windows\system32\pcalua.exe -a "C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\348DFNKM\ANTAgent_2217.exe" -d C:\Users\Administrator\Desktop -> FOUND
[TASK][sUSP PATH] {66C6677E-2A3A-4A04-9FD6-C984579FDE2E} : C:\Windows\system32\pcalua.exe -a "C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H2IWM6OY\mp600win111ej[1].exe" -d C:\Users\Administrator\Desktop -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [NOT LOADED] ¤¤¤
-
Hello, I believe you have addressed this before. But, I want to make sure that I follow the correct steps with whatever this is.
I have run AVG as well as HouseCall and neither scan even sees this. Malwarebytes sees it but does not delete it upon reboot.
I am unclear as to whether this is a real threat or not.
Please let me know your thoughts.
Thanks,
Malwarebytes Anti-Malware 1.65.0.1400
Database version: v2012.10.15.10
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Administrator :: SMARTBOX [administrator]
10/15/2012 9:00:46 PM
mbam-log-2012-10-16 (06-31-20).txt
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 450920
Time elapsed: 2 hour(s), 4 minute(s), 55 second(s)
Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 3696 -> No action taken.
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> No action taken.
(end)
-
Thread: Trojan.Agent SVChost.exe unable to get deleted upon reboot (in Resolved Malware Removal Logs)
MrC,
Unfortunately, I won't get this completed before I need to go out of town in the morning. Work got in the way this afternoon.
I will start a new thread referencing ComboFix when I return in a week and maybe we can finish it all up then.
I do appreciate your help and will most certainly be making a contribution.
Thank You