davkarimz (Members, 3 posts)

Everything posted by davkarimz

  1. Since I can't reboot the server right now, I will be running it without the loaded modules (I will send you another log when I can reboot it). Also, Symantec FOUND svchostl.exe and blocked it, but system_minerd.exe was running. Here is a screenshot of Symantec finding the svchostl.exe, as well as the attached log of TDSSKiller (although of course I'll be doing it again).

     Attachment: TDSSKiller.3.0.0.11_04.10.2013_09.36.15_log.txt
  2. Symantec doesn't show anything. I also should add I believe at some point we have run ComboFix. Here's the log:

     RogueKiller V8.7.1 _x64_ [Oct 3 2013] by Tigzy
     mail : tigzyRK<at>gmail<dot>com
     Feedback : http://www.adlice.com/forum/
     Website : http://www.adlice.com/softwares/roguekiller/
     Blog : http://tigzyrk.blogspot.com/

     Operating System : Windows Server 2008 R2 (6.1.7601 Service Pack 1) 64 bits version
     Started in : Normal mode
     User : Administrator [Admin rights]
     Mode : Scan -- Date : 10/03/2013 16:26:48
     | ARK || FAK || MBR |

     ¤¤¤ Bad processes : 0 ¤¤¤

     ¤¤¤ Registry Entries : 8 ¤¤¤
     [IFEO] HKLM\[...]\notepad.exe : Debugger ("C:\Program Files\Notepad2\Notepad2.exe" /z [-]) -> FOUND
     [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
     [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
     [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
     [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
     [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
     [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Scheduled tasks : 22 ¤¤¤
     [V1][SUSP PATH] At1.job : c:\windows\backup009.cmd [-] -> FOUND
     [V1][SUSP PATH] At10.job : c:\windows\backup009.cmd [-] -> FOUND
     [V1][SUSP PATH] At11.job : c:\windows\backup009.cmd [-] -> FOUND
     [V1][SUSP PATH] At2.job : c:\windows\backup009.cmd [-] -> FOUND
     [V1][SUSP PATH] At3.job : c:\windows\backup009.cmd [-] -> FOUND
     [V1][SUSP PATH] At4.job : c:\windows\backup009.cmd [-] -> FOUND
     [V1][SUSP PATH] At5.job : c:\windows\backup009.cmd [-] -> FOUND
     [V1][SUSP PATH] At6.job : c:\windows\backup009.cmd [-] -> FOUND
     [V1][SUSP PATH] At7.job : c:\windows\backup009.cmd [-] -> FOUND
     [V1][SUSP PATH] At8.job : c:\windows\backup009.cmd [-] -> FOUND
     [V1][SUSP PATH] At9.job : c:\windows\backup009.cmd [-] -> FOUND
     [V2][SUSP PATH] At1 : c:\windows\backup009.cmd [-] -> FOUND
     [V2][SUSP PATH] At10 : c:\windows\backup009.cmd [-] -> FOUND
     [V2][SUSP PATH] At11 : c:\windows\backup009.cmd [-] -> FOUND
     [V2][SUSP PATH] At2 : c:\windows\backup009.cmd [-] -> FOUND
     [V2][SUSP PATH] At3 : c:\windows\backup009.cmd [-] -> FOUND
     [V2][SUSP PATH] At4 : c:\windows\backup009.cmd [-] -> FOUND
     [V2][SUSP PATH] At5 : c:\windows\backup009.cmd [-] -> FOUND
     [V2][SUSP PATH] At6 : c:\windows\backup009.cmd [-] -> FOUND
     [V2][SUSP PATH] At7 : c:\windows\backup009.cmd [-] -> FOUND
     [V2][SUSP PATH] At8 : c:\windows\backup009.cmd [-] -> FOUND
     [V2][SUSP PATH] At9 : c:\windows\backup009.cmd [-] -> FOUND

     ¤¤¤ Startup Entries : 0 ¤¤¤

     ¤¤¤ Web browsers : 0 ¤¤¤

     ¤¤¤ Particular Files / Folders: ¤¤¤

     ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

     ¤¤¤ External Hives: ¤¤¤

     ¤¤¤ Infection : ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     --> %SystemRoot%\System32\drivers\etc\hosts

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) (Standard disk drives) - DELL PERC S100/S300 SCSI Disk Device +++++
     --- User ---
     [MBR] 4ed4118923ad296bb7a3822a3cf2892b
     [BSP] b6d3bf40ddd7634b4b1fc913e02accca : Windows Vista MBR Code
     Partition table:
     0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
     1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 3072 Mo
     2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 6373376 | Size: 40960 Mo
     3 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 90259456 | Size: 432333 Mo
     User = LL1 ... OK!
     Error reading LL2 MBR!

     Finished : << RKreport[0]_S_10032013_162648.txt >>

     Attachment: RKreport[0]_S_10022013_153000.txt
  3. We have a Server 2008 R2 SP1 running. We have an RDC connection port. We were told we have a lot of activity by our service provider, and the internet was extremely slow. We saw that two processes were running:

     System_Minderd.exe
     svchostl.exe

     We also saw that they were running from the following folders:

     C:\Windows\ltc-miner2
     C:\Windows\tanechka

     We stopped both processes from running, as well as renaming those two folders. As soon as we stop the processes, the internet looks fine (no slowdown). We have changed the Windows password, as well as the public port for RDC. We have run MalwareBytes (with the update) with no luck. After a few hours (or after a day or two), the processes run again and the folders are created. We have recently installed Symantec Endpoint Protection Small Business Edition v12. I've been looking around endlessly for some help online but I haven't found anything. Of course, DDS does not run on this system. Any help would be appreciated!
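The RogueKiller log in the second post explains why the miner keeps coming back after the folders are renamed and the RDP password is changed: eleven scheduled tasks (At1 through At11, the kind created with at.exe) all run c:\windows\backup009.cmd, and the log also shows an Image File Execution Options Debugger entry, which is another place a program can be silently swapped for something else. The following triage script is an added example written for this thread, not code posted by davkarimz or shipped with RogueKiller or Symantec. It assumes PowerShell 2.0 on Server 2008 R2 (so it calls schtasks.exe rather than Get-ScheduledTask, which only exists from Windows 8 / Server 2012 on), an elevated prompt, and that the three paths in $SuspectPaths and the roots in $TrustedRoots are reasonable for this server; those lists, the function name Test-TrustedPath, and the output headings are assumptions for the example.

```powershell
# Added example (not from the original thread): enumerate the persistence
# mechanisms visible in the RogueKiller log and report anything that runs
# from outside the usual system/program directories. PowerShell 2.0 / Server
# 2008 R2; run from an elevated prompt.

# Files and folders named in the thread. This list is an assumption for the
# example; extend it with whatever your own scan shows.
$SuspectPaths = @(
    'C:\Windows\backup009.cmd',
    'C:\Windows\ltc-miner2',
    'C:\Windows\tanechka'
)

# A task or debugger that lives under one of these roots is not reported.
# The last entry is empty on 32-bit Windows, so it is filtered out.
$TrustedRoots = @(
    "$env:SystemRoot\System32\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
) | Where-Object { $_ -ne '\' }

function Test-TrustedPath {
    param([string]$Command)
    # Expand %SystemRoot%-style variables and drop a leading quote so that
    # "C:\Program Files\..." compares correctly against the roots above.
    $p = [Environment]::ExpandEnvironmentVariables($Command).Trim().TrimStart('"')
    foreach ($root in $TrustedRoots) {
        if ($p.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Scheduled tasks. Jobs made with at.exe appear here as At1, At2, ...
#    schtasks repeats its CSV header once per task folder, so header rows
#    are dropped; "COM handler" tasks have no command line to inspect.
$tasks = schtasks.exe /query /v /fo CSV |
    ConvertFrom-Csv |
    Where-Object {
        $_.TaskName -ne 'TaskName' -and
        $_.'Task To Run' -ne 'N/A' -and
        $_.'Task To Run' -ne 'COM handler'
    }
$suspectTasks = $tasks | Where-Object { -not (Test-TrustedPath $_.'Task To Run') }

# 2. Image File Execution Options. A Debugger value under a subkey named
#    after an executable makes Windows launch the debugger instead of that
#    executable every time it is started. The log's notepad.exe entry points
#    at Notepad2, which installs itself this way; review each entry anyway.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$debuggers = Get-ChildItem $ifeo | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath).Debugger
    if ($dbg) {
        New-Object PSObject -Property @{
            Image    = $_.PSChildName
            Debugger = $dbg
            Trusted  = Test-TrustedPath $dbg
        }
    }
}

# 3. Have the dropper's files been re-created since they were renamed?
$present = $SuspectPaths | Where-Object { Test-Path $_ }

'=== Scheduled tasks whose command runs from an untrusted location ==='
$suspectTasks |
    Select-Object TaskName, 'Task To Run', 'Run As User', 'Next Run Time' |
    Format-Table -AutoSize

'=== IFEO Debugger entries ==='
$debuggers | Format-Table Image, Debugger, Trusted -AutoSize

'=== Suspect paths currently present on disk ==='
$present
```

On the server in the thread the first table should list At1 through At11 with c:\windows\backup009.cmd as the command. Jobs created with at.exe run as LocalSystem, so changing the Administrator password and the RDP port does nothing to them; the tasks keep re-running the .cmd on their schedule, which matches the "after a few hours the processes run again" behaviour described in the first post. Read backup009.cmd before deleting it, since it shows where the miner is fetched from, then remove each task with schtasks /delete /tn At1 /f (and so on) and delete the .cmd and the two folders. Re-run the script after a reboot to confirm nothing re-registers the tasks, and treat the account that originally created them as compromised.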