jt83
Members
Posts: 6
Reputation: 0 Neutral
  1. I was asked to take a look at a Dell Optiplex 330 running Vista Business SP2 because it had picked up the ZeroAccess rootkit/trojan. The PC was running McAfee Security as a Service, but the subscription was no longer up to date. I have run MBAM several times, sometimes detecting the infection, sometimes not. McAfee was not removing the infection, only detecting/blocking it, so I removed McAfee and replaced it with Microsoft Security Essentials so it would, at the least, remain updated. Running a full scan overnight detected the infection again. I tried removing and rebooting, but then the PC began to act strangely. For starters, when I rebooted, every icon from the desktop (not just fixes against the infection) vanished, only to return about 1 full hour into a complete MBAM scan. During the scan, I noticed Internet Explorer starting to redirect me for the first time to some fake "AVG" search site. MBAM's full scan found a PUP, but identified Kaspersky's TDSS Killer as the culprit. I downloaded it from CNET and assumed it to be the genuine article, but who knows. My quick scans from Security Essentials are coming up clean now, but I am not sure if I can trust it. I have attached both the DDS and Attach logs. Any further info or instructions to check if this thing is clean or not would be greatly appreciated. It never seems this easy to get rid of a rootkit, so I am suspicious that it is still lying in wait. Thanks, jt83 DDS_Attach.zip
  2. Just an FYI - I believe I successfully removed the malware by removing this "O20 - Winlogon Notify: wminotify - Invalid registry found" with HijackThis, manually deleting the registry keys, and using Spybot's File Shredder program to delete locked DLLs. I have run three full scans since with Avira, and they come up clean. Problem is, there were some things I had to try to fix after the fact, like reconfiguring ports and loopback for the internal website, but DNS is effed and I can't configure it, and for some reason, when I try to reinstall, it doesn't even prompt me for a CD and does nothing. Until I get this fixed, no one's getting to the Internet. I don't know all of your forum guidelines, so this might get closed since I have removed the malware, but I will take any help I can get if anyone has any tips about reinstalling DNS. I've Googled many pages, but in the end, it doesn't install. Thanks, John
  3. Looks like the Avira and HijackThis logs didn't upload properly, so here's the ol' cut-n-paste:

     AntiVir Server
     Report file date: Friday, February 18, 2011 22:30
     Scanning for 3106646 virus strains.
     The program is running as a fully functional evaluation version.
     Online services are available:
     Licensee : 30 Days Evaluation License
     Serial number : 0000149999-OEJIM-0000025
     Platform : Windows Server 2003
     Windows version : (Service Pack 2) [5.2.3790]
     Boot mode : Normally booted
     Username : SYSTEM
     Computer name : DCM-SBS

     Version information:
     BUILD.DAT : 10.0.0.1795 33335 Bytes 11/30/2010 18:04:00
     AVSCAN.EXE : 10.0.3.5 435368 Bytes 11/30/2010 22:56:40
     AVSCAN.DLL : 10.0.3.0 46440 Bytes 11/30/2010 22:56:55
     LUKE.DLL : 10.0.3.2 220008 Bytes 11/30/2010 22:56:46
     LUKERES.DLL : 10.0.0.0 12648 Bytes 1/14/2010 18:48:24
     VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:05:36
     VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 00:27:49
     VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 22:37:42
     VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 21:37:42
     VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 16:29:03
     VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 22:56:47
     VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 22:56:48
     VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 22:56:50
     VBASE008.VDF : 7.10.11.133 3454464 Bytes 9/13/2010 22:56:51
     VBASE009.VDF : 7.10.13.80 2265600 Bytes 11/2/2010 22:56:52
     VBASE010.VDF : 7.10.13.81 2048 Bytes 11/2/2010 22:56:52
     VBASE011.VDF : 7.10.13.82 2048 Bytes 11/2/2010 22:56:52
     VBASE012.VDF : 7.10.13.83 2048 Bytes 11/2/2010 22:56:52
     VBASE013.VDF : 7.10.13.116 147968 Bytes 11/4/2010 22:56:53
     VBASE014.VDF : 7.10.13.147 146944 Bytes 11/7/2010 22:56:53
     VBASE015.VDF : 7.10.13.180 123904 Bytes 11/9/2010 22:56:53
     VBASE016.VDF : 7.10.13.211 122368 Bytes 11/11/2010 22:56:53
     VBASE017.VDF : 7.10.13.243 147456 Bytes 11/15/2010 22:56:53
     VBASE018.VDF : 7.10.14.15 142848 Bytes 11/17/2010 22:56:53
     VBASE019.VDF : 7.10.14.41 134144 Bytes 11/19/2010 22:56:53
     VBASE020.VDF : 7.10.14.63 128000 Bytes 11/22/2010 22:56:53
     VBASE021.VDF : 7.10.14.87 143872 Bytes 11/24/2010 22:56:53
     VBASE022.VDF : 7.10.14.116 140800 Bytes 11/26/2010 22:56:53
     VBASE023.VDF : 7.10.14.117 2048 Bytes 11/26/2010 22:56:53
     VBASE024.VDF : 7.10.14.118 2048 Bytes 11/26/2010 22:56:54
     VBASE025.VDF : 7.10.14.119 2048 Bytes 11/26/2010 22:56:54
     VBASE026.VDF : 7.10.14.120 2048 Bytes 11/26/2010 22:56:54
     VBASE027.VDF : 7.10.14.121 2048 Bytes 11/26/2010 22:56:54
     VBASE028.VDF : 7.10.14.122 2048 Bytes 11/26/2010 22:56:54
     VBASE029.VDF : 7.10.14.123 2048 Bytes 11/26/2010 22:56:54
     VBASE030.VDF : 7.10.14.124 2048 Bytes 11/26/2010 22:56:54
     VBASE031.VDF : 7.10.14.143 138240 Bytes 11/30/2010 20:58:14
     Engine version : 8.2.4.114
     AEVDF.DLL : 8.1.2.1 106868 Bytes 11/30/2010 22:56:36
     AESCRIPT.DLL : 8.1.3.47 1294716 Bytes 11/30/2010 22:56:36
     AESCN.DLL : 8.1.7.2 127349 Bytes 11/30/2010 22:56:35
     AESBX.DLL : 8.1.3.2 254324 Bytes 11/30/2010 22:56:35
     AERDL.DLL : 8.1.9.2 635252 Bytes 11/30/2010 22:56:35
     AEPACK.DLL : 8.2.3.11 471416 Bytes 11/30/2010 22:56:34
     AEOFFICE.DLL : 8.1.1.10 201084 Bytes 11/30/2010 22:56:34
     AEHEUR.DLL : 8.1.2.46 3088759 Bytes 11/30/2010 22:56:34
     AEHELP.DLL : 8.1.15.0 246135 Bytes 11/30/2010 22:56:31
     AEGEN.DLL : 8.1.4.2 401781 Bytes 11/30/2010 22:56:31
     AEEMU.DLL : 8.1.3.0 393589 Bytes 11/30/2010 22:56:30
     AECORE.DLL : 8.1.18.1 196984 Bytes 11/30/2010 22:56:30
     AEBB.DLL : 8.1.1.0 53618 Bytes 11/30/2010 22:56:30
     AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 18:47:55
     AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 18:47:52
     AVREP.DLL : 10.0.0.8 62209 Bytes 2/23/2010 19:21:44
     AVREG.DLL : 10.0.3.2 53096 Bytes 11/30/2010 22:56:40
     AVSCPLR.DLL : 10.0.3.2 84328 Bytes 11/30/2010 22:56:40
     AVARKT.DLL : 10.0.22.6 231784 Bytes 11/30/2010 22:56:37
     AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 11/30/2010 22:56:38
     SQLITE3.DLL : 3.6.19.0 355585 Bytes 2/1/2010 14:47:50
     AVSMTP.DLL : 10.0.0.17 63848 Bytes 11/30/2010 22:56:40
     NETNT.DLL : 10.0.0.0 11624 Bytes 2/23/2010 19:35:57
     RCIMAGE.DLL : 10.0.0.29 2647912 Bytes 3/16/2010 20:10:32
     RCTEXT.DLL : 10.0.46.1 96616 Bytes 3/10/2010 15:21:25

     Configuration settings for the scan:
     Job name............................: Complete system scan
     Configuration file..................: C:\Program Files\Avira\AntiVir Server\sysscan.avp
     Reporting...........................: low
     Primary action......................: quarantine
     Secondary action....................: ignore
     Scanning master boot sectors........: on
     Scanning boot sectors...............: on
     Boot sectors........................: C:,
     Scanning active processes...........: on
     Scan registry.......................: on
     Integrity checking of system files..: off
     File scan mode......................: Use smart extensions
     Scan archives.......................: on
     Limit recursion depth...............: 20
     Archive smart extensions............: on
     Macro virus heuristics..............: on
     File heuristics.....................: medium
     Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

     Start scan: Friday, February 18, 2011 22:30

     Starting scan of running processes
     Scanning process 'avscan.exe' - '1' module(s) scanned
     Scanning process 'mmc.exe' - '1' module(s) scanned
     Scanning process 'avgnt.exe' - '1' module(s) scanned
     Scanning process 'sched.exe' - '1' module(s) scanned
     Scanning process 'avshadow.exe' - '1' module(s) scanned
     Scanning process 'avguard.exe' - '1' module(s) scanned
     Scanning process 'cidaemon.exe' - '1' module(s) scanned
     Scanning process 'cidaemon.exe' - '1' module(s) scanned
     Scanning process 'cidaemon.exe' - '1' module(s) scanned
     Scanning process 'WindowsSearch.exe' - '1' module(s) scanned
     Scanning process 'sqlmangr.exe' - '1' module(s) scanned
     Scanning process 'qbupdate.exe' - '1' module(s) scanned
     Scanning process 'TeaTimer.exe' - '1' module(s) scanned
     Scanning process 'ctfmon.exe' - '1' module(s) scanned
     Scanning process 'MSASCui.exe' - '1' module(s) scanned
     Scanning process 'w3wp.exe' - '1' module(s) scanned
     Scanning process 'Explorer.EXE' - '1' module(s) scanned
     Scanning process 'QBDBMgrN.exe' - '1' module(s) scanned
     Scanning process 'wmiprvse.exe' - '1' module(s) scanned
     Scanning process 'store.exe' - '1' module(s) scanned
     Scanning process 'SearchIndexer.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'SQLAGENT90.EXE' - '1' module(s) scanned
     Scanning process 'mssearch.exe' - '1' module(s) scanned
     Scanning process 'mad.exe' - '1' module(s) scanned
     Scanning process 'exmgmt.exe' - '1' module(s) scanned
     Scanning process 'fxssvc.exe' - '1' module(s) scanned
     Scanning process 'wmiprvse.exe' - '1' module(s) scanned
     Scanning process 'WsusService.exe' - '1' module(s) scanned
     Scanning process 'wins.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'sqlwriter.exe' - '1' module(s) scanned
     Scanning process 'sqlbrowser.exe' - '1' module(s) scanned
     Scanning process 'sqlagent.EXE' - '1' module(s) scanned
     Scanning process 'OWSTIMER.EXE' - '1' module(s) scanned
     Scanning process 'sbscrexe.exe' - '1' module(s) scanned
     Scanning process 'ReportingServicesService.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'QBCFMonitorService.exe' - '1' module(s) scanned
     Scanning process 'ntfrs.exe' - '1' module(s) scanned
     Scanning process 'sqlservr.exe' - '1' module(s) scanned
     Scanning process 'sqlservr.exe' - '1' module(s) scanned
     Scanning process 'sqlservr.exe' - '1' module(s) scanned
     Scanning process 'sqlservr.exe' - '1' module(s) scanned
     Scanning process 'llssrv.exe' - '1' module(s) scanned
     Scanning process 'inetinfo.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'Dfssvc.exe' - '1' module(s) scanned
     Scanning process 'cisvc.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'msdtc.exe' - '1' module(s) scanned
     Scanning process 'spoolsv.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'MsMpEng.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'lsass.exe' - '1' module(s) scanned
     Scanning process 'services.exe' - '1' module(s) scanned
     Scanning process 'winlogon.exe' - '1' module(s) scanned
     Scanning process 'csrss.exe' - '1' module(s) scanned
     Scanning process 'smss.exe' - '1' module(s) scanned

     Starting master boot sector scan:
     Master boot sector HD0
     [INFO] No virus was found!

     Starting boot sector scan:
     Boot sector 'C:\'
     [INFO] No virus was found!

     Starting to scan executable files (registry):
     The registration entry <HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD> was removed successfully.
     C:\WINDOWS\system32\wminotify.dll
     [DETECTION] Is the TR/Dldr.Age.32768.F Trojan
     [NOTE] The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wminotify\DllName> was removed successfully.
     [WARNING] An error occurred while creating the back-up copy and the file was not deleted. ErrorID: 26003
     [WARNING] The file could not be deleted!
     [WARNING] The file was ignored.
     The registry was scanned ( '303' files ).

     Starting scan of selected files:
     Begin scan in 'C:\'
     C:\Documents and Settings\Administrator\Application Data\cppJabbSrv.exe
     [DETECTION] Is the TR/ATRAPS.Gen Trojan
     [NOTE] The file was moved to quarantine directory and named '57138362.qua'!
     C:\Documents and Settings\Administrator\Application Data\%SESSIONNAME%\vwdye.cc3
     [DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
     [NOTE] The file was moved to quarantine directory and named '0540dc05.qua'!
     C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostaei.zip
     [DETECTION] Contains suspicious code GEN/PwdZIP
     [NOTE] The detection was classified as suspicious.
     [NOTE] The file was moved to quarantine directory and named '637990a9.qua'!
     C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostaei1.zip
     [DETECTION] Contains suspicious code GEN/PwdZIP
     [NOTE] The detection was classified as suspicious.
     [NOTE] The file was moved to quarantine directory and named '26fdbd90.qua'!
     C:\Documents and Settings\John (NAME DELETED)\Desktop\Desktop\effin virus\dds.pif
     [DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
     [NOTE] The file was moved to quarantine directory and named '59f98f95.qua'!
     C:\Documents and Settings\John (NAME DELETED)\Desktop\Desktop\New Software\Keyfinder 2.0.1\keyfinder.exe
     [DETECTION] Contains recognition pattern of the SPR/Tool.PassView.XA program
     [NOTE] The file was moved to quarantine directory and named '154bacae.qua'!
     C:\Shared Files\John's Flash Drive\Keyfinder 2.0.1 - Copy\keyfinder.exe
     [DETECTION] Contains recognition pattern of the SPR/Tool.PassView.XA program
     [NOTE] The file was moved to quarantine directory and named '6953e012.qua'!
     C:\Shared Files\Keyfinder 2.0.1\keyfinder.exe
     [DETECTION] Contains recognition pattern of the SPR/Tool.PassView.XA program
     [NOTE] The file was moved to quarantine directory and named '4409f037.qua'!
     C:\WINDOWS\system32\winet.dll
     [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
     [WARNING] An error occurred while creating the back-up copy and the file was not deleted. ErrorID: 26003
     [WARNING] The file could not be deleted!
     [WARNING] The file was ignored.
     C:\WINDOWS\system32\wminotify.dll
     [DETECTION] Is the TR/Dldr.Age.32768.F Trojan
     [WARNING] An error occurred while creating the back-up copy and the file was not deleted. ErrorID: 26003
     [WARNING] The file could not be deleted!
     [WARNING] The file was ignored.

     End scan: Friday, February 18, 2011 23:36
     Time elapsed: 1:05:55 Hour(s)

     The scan has been fully performed.
     14809 Scanning directories
     454444 Files were scanned
     9 Viruses and/or malware detected
     2 Files were classified as suspicious:
     0 Files were deleted
     0 Viruses/ malware were repaired
     8 files were moved to quarantine
     0 files were renamed
     0 Files cannot be scanned
     454433 Uninfected files
     10615 Archives were scanned
     3 Alerts
     9 Notes

     ----------------------------------------------------------------------------------

     AntiVir Server
     Report file date: Saturday, February 19, 2011 06:36
     Scanning for 3106646 virus strains.
     The program is running as a fully functional evaluation version.
     Online services are available:
     Licensee : 30 Days Evaluation License
     Serial number : 0000149999-OEJIM-0000025
     Platform : Windows Server 2003
     Windows version : (Service Pack 2) [5.2.3790]
     Boot mode : Normally booted
     Username : SYSTEM
     Computer name : DCM-SBS

     Version information:
     BUILD.DAT : 10.0.0.1795 33335 Bytes 11/30/2010 18:04:00
     AVSCAN.EXE : 10.0.3.5 435368 Bytes 11/30/2010 22:56:40
     AVSCAN.DLL : 10.0.3.0 46440 Bytes 11/30/2010 22:56:55
     LUKE.DLL : 10.0.3.2 220008 Bytes 11/30/2010 22:56:46
     LUKERES.DLL : 10.0.0.0 12648 Bytes 1/14/2010 18:48:24
     VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:05:36
     VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 00:27:49
     VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 22:37:42
     VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 21:37:42
     VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 16:29:03
     VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 22:56:47
     VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 22:56:48
     VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 22:56:50
     VBASE008.VDF : 7.10.11.133 3454464 Bytes 9/13/2010 22:56:51
     VBASE009.VDF : 7.10.13.80 2265600 Bytes 11/2/2010 22:56:52
     VBASE010.VDF : 7.10.13.81 2048 Bytes 11/2/2010 22:56:52
     VBASE011.VDF : 7.10.13.82 2048 Bytes 11/2/2010 22:56:52
     VBASE012.VDF : 7.10.13.83 2048 Bytes 11/2/2010 22:56:52
     VBASE013.VDF : 7.10.13.116 147968 Bytes 11/4/2010 22:56:53
     VBASE014.VDF : 7.10.13.147 146944 Bytes 11/7/2010 22:56:53
     VBASE015.VDF : 7.10.13.180 123904 Bytes 11/9/2010 22:56:53
     VBASE016.VDF : 7.10.13.211 122368 Bytes 11/11/2010 22:56:53
     VBASE017.VDF : 7.10.13.243 147456 Bytes 11/15/2010 22:56:53
     VBASE018.VDF : 7.10.14.15 142848 Bytes 11/17/2010 22:56:53
     VBASE019.VDF : 7.10.14.41 134144 Bytes 11/19/2010 22:56:53
     VBASE020.VDF : 7.10.14.63 128000 Bytes 11/22/2010 22:56:53
     VBASE021.VDF : 7.10.14.87 143872 Bytes 11/24/2010 22:56:53
     VBASE022.VDF : 7.10.14.116 140800 Bytes 11/26/2010 22:56:53
     VBASE023.VDF : 7.10.14.117 2048 Bytes 11/26/2010 22:56:53
     VBASE024.VDF : 7.10.14.118 2048 Bytes 11/26/2010 22:56:54
     VBASE025.VDF : 7.10.14.119 2048 Bytes 11/26/2010 22:56:54
     VBASE026.VDF : 7.10.14.120 2048 Bytes 11/26/2010 22:56:54
     VBASE027.VDF : 7.10.14.121 2048 Bytes 11/26/2010 22:56:54
     VBASE028.VDF : 7.10.14.122 2048 Bytes 11/26/2010 22:56:54
     VBASE029.VDF : 7.10.14.123 2048 Bytes 11/26/2010 22:56:54
     VBASE030.VDF : 7.10.14.124 2048 Bytes 11/26/2010 22:56:54
     VBASE031.VDF : 7.10.14.143 138240 Bytes 11/30/2010 20:58:14
     Engine version : 8.2.4.114
     AEVDF.DLL : 8.1.2.1 106868 Bytes 11/30/2010 22:56:36
     AESCRIPT.DLL : 8.1.3.47 1294716 Bytes 11/30/2010 22:56:36
     AESCN.DLL : 8.1.7.2 127349 Bytes 11/30/2010 22:56:35
     AESBX.DLL : 8.1.3.2 254324 Bytes 11/30/2010 22:56:35
     AERDL.DLL : 8.1.9.2 635252 Bytes 11/30/2010 22:56:35
     AEPACK.DLL : 8.2.3.11 471416 Bytes 11/30/2010 22:56:34
     AEOFFICE.DLL : 8.1.1.10 201084 Bytes 11/30/2010 22:56:34
     AEHEUR.DLL : 8.1.2.46 3088759 Bytes 11/30/2010 22:56:34
     AEHELP.DLL : 8.1.15.0 246135 Bytes 11/30/2010 22:56:31
     AEGEN.DLL : 8.1.4.2 401781 Bytes 11/30/2010 22:56:31
     AEEMU.DLL : 8.1.3.0 393589 Bytes 11/30/2010 22:56:30
     AECORE.DLL : 8.1.18.1 196984 Bytes 11/30/2010 22:56:30
     AEBB.DLL : 8.1.1.0 53618 Bytes 11/30/2010 22:56:30
     AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 18:47:55
     AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 18:47:52
     AVREP.DLL : 10.0.0.8 62209 Bytes 2/23/2010 19:21:44
     AVREG.DLL : 10.0.3.2 53096 Bytes 11/30/2010 22:56:40
     AVSCPLR.DLL : 10.0.3.2 84328 Bytes 11/30/2010 22:56:40
     AVARKT.DLL : 10.0.22.6 231784 Bytes 11/30/2010 22:56:37
     AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 11/30/2010 22:56:38
     SQLITE3.DLL : 3.6.19.0 355585 Bytes 2/1/2010 14:47:50
     AVSMTP.DLL : 10.0.0.17 63848 Bytes 11/30/2010 22:56:40
     NETNT.DLL : 10.0.0.0 11624 Bytes 2/23/2010 19:35:57
     RCIMAGE.DLL : 10.0.0.29 2647912 Bytes 3/16/2010 20:10:32
     RCTEXT.DLL : 10.0.46.1 96616 Bytes 3/10/2010 15:21:25

     Configuration settings for the scan:
     Job name............................: Complete system scan
     Configuration file..................: C:\Program Files\Avira\AntiVir Server\sysscan.avp
     Reporting...........................: low
     Primary action......................: quarantine
     Secondary action....................: ignore
     Scanning master boot sectors........: on
     Scanning boot sectors...............: on
     Boot sectors........................: C:,
     Scanning active processes...........: on
     Scan registry.......................: on
     Integrity checking of system files..: off
     File scan mode......................: Use smart extensions
     Scan archives.......................: on
     Limit recursion depth...............: 20
     Archive smart extensions............: on
     Macro virus heuristics..............: on
     File heuristics.....................: medium
     Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

     Start scan: Saturday, February 19, 2011 06:36

     Starting scan of running processes
     Scanning process 'avscan.exe' - '1' module(s) scanned
     Scanning process 'mmc.exe' - '1' module(s) scanned
     Scanning process 'SearchFilterHost.exe' - '1' module(s) scanned
     Scanning process 'SearchProtocolHost.exe' - '1' module(s) scanned
     Scanning process 'WindowsSearch.exe' - '1' module(s) scanned
     Scanning process 'sqlmangr.exe' - '1' module(s) scanned
     Scanning process 'qbupdate.exe' - '1' module(s) scanned
     Scanning process 'TeaTimer.exe' - '1' module(s) scanned
     Scanning process 'ctfmon.exe' - '1' module(s) scanned
     Scanning process 'avgnt.exe' - '1' module(s) scanned
     Scanning process 'MSASCui.exe' - '1' module(s) scanned
     Scanning process 'Reader_sl.exe' - '1' module(s) scanned
     Scanning process 'Explorer.EXE' - '1' module(s) scanned
     Scanning process 'cidaemon.exe' - '1' module(s) scanned
     Scanning process 'cidaemon.exe' - '1' module(s) scanned
     Scanning process 'cidaemon.exe' - '1' module(s) scanned
     Scanning process 'w3wp.exe' - '1' module(s) scanned
     Scanning process 'alg.exe' - '1' module(s) scanned
     Scanning process 'QBDBMgrN.exe' - '1' module(s) scanned
     Scanning process 'store.exe' - '1' module(s) scanned
     Scanning process 'wmiprvse.exe' - '1' module(s) scanned
     Scanning process 'SearchIndexer.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'mssearch.exe' - '1' module(s) scanned
     Scanning process 'wmiprvse.exe' - '1' module(s) scanned
     Scanning process 'mad.exe' - '1' module(s) scanned
     Scanning process 'exmgmt.exe' - '1' module(s) scanned
     Scanning process 'fxssvc.exe' - '1' module(s) scanned
     Scanning process 'tcpsvcs.exe' - '1' module(s) scanned
     Scanning process 'WsusService.exe' - '1' module(s) scanned
     Scanning process 'wins.exe' - '1' module(s) scanned
     Scanning process 'WbLogSvc.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'sqlwriter.exe' - '1' module(s) scanned
     Scanning process 'SQLAGENT90.EXE' - '1' module(s) scanned
     Scanning process 'sqlbrowser.exe' - '1' module(s) scanned
     Scanning process 'sqlagent.EXE' - '1' module(s) scanned
     Scanning process 'OWSTIMER.EXE' - '1' module(s) scanned
     Scanning process 'sbscrexe.exe' - '1' module(s) scanned
     Scanning process 'ReportingServicesService.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'QBCFMonitorService.exe' - '1' module(s) scanned
     Scanning process 'ntfrs.exe' - '1' module(s) scanned
     Scanning process 'sqlservr.exe' - '1' module(s) scanned
     Scanning process 'sqlservr.exe' - '1' module(s) scanned
     Scanning process 'sqlservr.exe' - '1' module(s) scanned
     Scanning process 'sqlservr.exe' - '1' module(s) scanned
     Scanning process 'llssrv.exe' - '1' module(s) scanned
     Scanning process 'inetinfo.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'Dfssvc.exe' - '1' module(s) scanned
     Scanning process 'avshadow.exe' - '1' module(s) scanned
     Scanning process 'cisvc.exe' - '1' module(s) scanned
     Scanning process 'avguard.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'msdtc.exe' - '1' module(s) scanned
     Scanning process 'spoolsv.exe' - '1' module(s) scanned
     Scanning process 'sched.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'MsMpEng.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'svchost.exe' - '1' module(s) scanned
     Scanning process 'lsass.exe' - '1' module(s) scanned
     Scanning process 'services.exe' - '1' module(s) scanned
     Scanning process 'winlogon.exe' - '1' module(s) scanned
     Scanning process 'csrss.exe' - '1' module(s) scanned
     Scanning process 'smss.exe' - '1' module(s) scanned

     Starting master boot sector scan:
     Master boot sector HD0
     [INFO] No virus was found!

     Starting boot sector scan:
     Boot sector 'C:\'
     [INFO] No virus was found!

     Starting to scan executable files (registry):
     The registry was scanned ( '349' files ).

     Starting scan of selected files:
     Begin scan in 'C:\'
     C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostaei.zip
     [DETECTION] Contains suspicious code GEN/PwdZIP
     [NOTE] The detection was classified as suspicious.
     [NOTE] The file was moved to quarantine directory and named '4f863c7a.qua'!
     C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinQhostaei1.zip
     [DETECTION] Contains suspicious code GEN/PwdZIP
     [NOTE] The detection was classified as suspicious.
     [NOTE] The file was moved to quarantine directory and named '571113dd.qua'!
     C:\Documents and Settings\John (NAME DELETED)\Desktop\Desktop\effin virus\dds.pif
     [DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
     [NOTE] The file was moved to quarantine directory and named '055149cf.qua'!
     C:\Documents and Settings\John (NAME DELETED)\Desktop\Desktop\New Software\Keyfinder 2.0.1\keyfinder.exe
     [DETECTION] Contains recognition pattern of the SPR/Tool.PassView.XA program
     [NOTE] The file was moved to quarantine directory and named '636c0973.qua'!
     C:\Shared Files\John's Flash Drive\Keyfinder 2.0.1 - Copy\keyfinder.exe
     [DETECTION] Contains recognition pattern of the SPR/Tool.PassView.XA program
     [NOTE] The file was moved to quarantine directory and named '26e8303e.qua'!
     C:\Shared Files\Keyfinder 2.0.1\keyfinder.exe
     [DETECTION] Contains recognition pattern of the SPR/Tool.PassView.XA program
     [NOTE] The file was moved to quarantine directory and named '59f33d2d.qua'!
     C:\WINDOWS\system32\winet.dll
     [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
     [WARNING] An error occurred while creating the back-up copy and the file was not deleted. ErrorID: 26003
     [WARNING] The file could not be deleted!
     [WARNING] The file was ignored.
     C:\WINDOWS\system32\wminotify.dll
     [DETECTION] Is the TR/Dldr.Age.32768.F Trojan
     [NOTE] The file was moved to quarantine directory and named '69435aed.qua'!

     End scan: Saturday, February 19, 2011 07:48
     Time elapsed: 1:11:35 Hour(s)

     The scan has been fully performed.
     14786 Scanning directories
     454407 Files were scanned
     6 Viruses and/or malware detected
     2 Files were classified as suspicious:
     0 Files were deleted
     0 Viruses/ malware were repaired
     7 files were moved to quarantine
     0 files were renamed
     0 Files cannot be scanned
     454399 Uninfected files
     10619 Archives were scanned
     1 Alerts
     7 Notes

     ----------------------------------------------------------------------------------

     Logfile of Trend Micro HijackThis v2.0.4
     Scan saved at 4:42:51 PM, on 2/19/2011
     Platform: Windows 2003 SP2 (WinNT 5.02.3790)
     MSIE: Internet Explorer v8.00 (8.00.6001.18702)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\Program Files\Windows Defender\MsMpEng.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Avira\AntiVir Server\sched.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Avira\AntiVir Server\avguard.exe
     C:\WINDOWS\system32\cisvc.exe
     C:\WINDOWS\system32\Dfssvc.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Avira\AntiVir Server\avshadow.exe
     C:\WINDOWS\system32\inetsrv\inetinfo.exe
     C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
     C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
     C:\WINDOWS\system32\ntfrs.exe
     C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
     C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE
     C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Microsoft Windows Small Business Server\monitoring\WbLogSvc.exe
     C:\WINDOWS\System32\wins.exe
     C:\WINDOWS\system32\tcpsvcs.exe
     C:\Program Files\Exchsrvr\bin\exmgmt.exe
     C:\Program Files\Exchsrvr\bin\mad.exe
     C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\SearchIndexer.exe
     C:\Program Files\Exchsrvr\bin\store.exe
     c:\windows\system32\inetsrv\w3wp.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Windows Defender\MSASCui.exe
     C:\Program Files\Avira\AntiVir Server\avgnt.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
     C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
     C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
     C:\Program Files\Windows Desktop Search\WindowsSearch.exe
     C:\WINDOWS\system32\cidaemon.exe
     C:\WINDOWS\system32\cidaemon.exe
     C:\WINDOWS\system32\cidaemon.exe
     C:\WINDOWS\system32\mmc.exe
     C:\Program Files\Avira\AntiVir Server\avscan.exe
     C:\WINDOWS\system32\msiexec.exe
     C:\WINDOWS\system32\SearchProtocolHost.exe
     C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

     O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
     O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
     O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Server\avgnt.exe" /min
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
     O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
     O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
     O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
     O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
     O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
     O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
     O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O14 - IERESET.INF: START_PAGE_URL=http://companyweb
     O15 - ESC Trusted Zone: http://*.get.adobe.com
     O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
     O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = (DOMAIN NAME REMOVED).local
     O17 - HKLM\Software\..\Telephony: DomainName = (DOMAIN NAME REMOVED).local
     O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = (DOMAIN NAME REMOVED).local
     O18 - Protocol: intu-help-qb3 - {C5E479EA-0A65-4B05-8C6C-2FC8CC682EB4} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
     O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
     O20 - Winlogon Notify: wminotify - Invalid registry found
     O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
     O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
     O23 - Service: Avira AntiVir Server scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir Server\sched.exe
     O23 - Service: Avira AntiVir Server (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Server\avguard.exe

     --
     End of file - 5120 bytes
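The O20 line HijackThis reported in post 2 and the Avira entries in post 3 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify both point at the same persistence location: the Winlogon Notify packages, DLLs that winlogon.exe loads into itself at logon. The PowerShell below is an added example, not code from the thread or from Avira, HijackThis or Spybot. It enumerates that key on an XP/Server 2003 era host and reports, for each package, whether the DLL it names is present on disk and whether it carries a valid Authenticode signature. The function name Get-WinlogonNotifyAudit and the output fields are my own choices; the registry path and the cmdlets used are standard.

```powershell
# Added example (not from the thread): audit Winlogon Notify packages, the
# persistence point that HijackThis reports as O20 entries.
# Each subkey under ...\Winlogon\Notify carries a DllName value; winlogon.exe
# loads that DLL at logon, so a package whose DLL is missing, lives outside
# System32, or is unsigned deserves a closer look.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-WinlogonNotifyAudit {
    # The key is absent by default on Vista and later; that is not a finding.
    if (-not (Test-Path -LiteralPath $notifyKey)) {
        Write-Warning "No Winlogon Notify key present on this host."
        return
    }

    Get-ChildItem -Path $notifyKey | ForEach-Object {
        $sub   = $_
        $props = Get-ItemProperty -Path $sub.PSPath
        $dll   = $props.DllName

        # A bare file name such as "wminotify.dll" is resolved by the loader
        # through the system search path; assume System32, as winlogon would.
        $resolved = if ($dll -and -not [System.IO.Path]::IsPathRooted($dll)) {
            Join-Path $env:SystemRoot ("System32\" + $dll)
        } else {
            $dll
        }

        $onDisk = [bool]($resolved -and (Test-Path -LiteralPath $resolved))
        $sig = if ($onDisk) {
            (Get-AuthenticodeSignature -FilePath $resolved).Status.ToString()
        } else {
            'n/a'
        }

        # Flag on evidence (missing file, bad or missing signature, unusual
        # location), not on the package name: built-in packages on 2003 such
        # as crypt32chain, Schedule and termsrv are Microsoft-signed and live
        # in System32, so they pass; a stray entry does not.
        $inSystem32 = $resolved -and
            $resolved.StartsWith((Join-Path $env:SystemRoot 'System32'),
                                 [System.StringComparison]::OrdinalIgnoreCase)

        [PSCustomObject]@{
            Package    = $sub.PSChildName
            DllName    = $dll
            Resolved   = $resolved
            OnDisk     = $onDisk
            Signature  = $sig
            Suspicious = (-not $onDisk) -or ($sig -ne 'Valid') -or (-not $inSystem32)
        }
    }
}

# Usage: run from an elevated prompt on the host under review.
Get-WinlogonNotifyAudit | Format-Table -AutoSize
```

Two caveats for anyone reading the output against a log like the one above. First, a DLL that winlogon.exe has already loaded is held open for the life of the session, which is why the Avira report could remove the DllName registry value but not the file itself; removing the subkey and then rebooting, or scanning from offline media, is the clean way to release that lock rather than forcing a delete. Second, the audit only inspects what is registered: a package whose subkey has already been removed (as post 2 describes) will not appear, so pair this check with a file-system look at System32 for the DLL name from the original detection.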
  4. Need a lot of help here. I am the IT guy at a small manufacturing company of about 10 employees. I mbam-log-2011-02-17 (22-33-52).txt 127.0.0.1_4d5f99d1.log 127.0.0.1_4d5fbee5.log ark.txt hijackthis.log
  5. Forgive me. I typed this whole thing out and forgot to copy and paste the logs. At any rate, it looks like running Spybot a second time removed it. You can lock this up if you like. I'll let you guys know if anything else pops up.
  6. Quick System Specs:
     OS: Microsoft Windows Server 2003 for Small Business Server Service Pack 2
     Processor: Intel Xeon CPU E5335 @ 2.00GHz
     Memory: 4.00 GB of RAM
     Antivirus Software: Computer Associates eTrust Antivirus version 7.0.140
     Antimalware Software: MBAM (was on machine before discovering Trojan) and Spybot S&D (installed after discovering Trojan)

     Hello, The other day I received an e-mail from the security division of a very large, well known bank. It seems a machine on our network was trying to attack one of their Websites. After doing a quick check of our server, I found an instance of the Trojan csrrs.exe within the folder C:\WINDOWS\Temp. I know that csrrs.exe is a normal, essential Windows process, but I also know it resides within the System32 folder, not the Temp folder. I also know I shouldn