
I work for a large-sized company and manage around 450 machines. Within the last 3-4 months several of our machines have had this same problem.

I will only show logs for one infected machine for sanity reasons.

I have run the following thus far. (Rkill, TDSSKiller, aswMBR, Kaspersky's stand-alone scanner, Malwarebytes, Malwarebytes Anti-Rootkit, and ComboFix.)

I can rescan and provide newer logs as needed. (I was working on this yesterday and today.)

I am going to attach all of these log files.

I clean all of our virus/malware problems but this particular one is severely stubborn!!!

Any help is greatly appreciated.

- Jarrod

aswMBR.txt

attach.txt

ComboFix.txt

combolog.txt

dds.txt

MBAM-log-2013-02-19 (12-24-15).txt

mbar-log-2013-02-18 (14-05-23).txt

Rkill.txt

system-log.txt

TDSSKiller.2.8.16.0_18.02.2013_10.58.43_log.txt


Welcome to the forum, please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs here.....DDS.txt and Attach.txt

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Quit all running programs.

Please download and run RogueKiller to your desktop.

http://tigzy.geeksto...ueKillerX64.exe <---use this one for 64 bit systems

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>
The removal of malware isn't instantaneous, please be patient.

<+>Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)


DDS.txt LOG

---------------------------------

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.13.2

Run by User at 9:25:24 on 2013-02-20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.994.428 [GMT -6:00]

.

AV: AVG Internet Security Network Edition *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

============== Running Processes ================

.

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Java\jre7\bin\jqs.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Kaseya\DLLBRT82204215057080\AgentMon.exe

C:\Program Files\Kaseya\DLLBRT82204215057080\KasAVSrv.exe

C:\Rey\Bin\Ucsinsvc.exe

C:\rey\bin\PscVersionService.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\Program Files\AVG\AVG9\avgam.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Kaseya\DLLBRT82204215057080\LiveConnect.exe

C:\Program Files\Kaseya\DLLBRT82204215057080\DesktopAccess\Ktvnserver.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Kaseya\DLLBRT82204215057080\DesktopAccess\Ktvnserver.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Kaseya\DLLBRT82204215057080\KaUsrTsk.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

C:\WINDOWS\system32\svchost.exe -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll

TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [KASHDLLBRT82204215057080] "c:\program files\kaseya\dllbrt82204215057080\KaUsrTsk.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoDriveAutoRun = dword:67108863

mPolicies-Explorer: NoDriveTypeAutoRun = dword:323

mPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: NoDriveTypeAutoRun = dword:323

mPolicies-Explorer: NoDriveAutoRun = dword:67108863

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1361301019140

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: NameServer = 10.12.188.10 205.171.3.65 205.171.2.65

TCP: Interfaces\{7459364D-FC91-4E39-9D04-2D42B0A7A6EB} : DHCPNameServer = 10.12.188.10 205.171.3.65 205.171.2.65

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\24.0.1312.57\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome

.

============= SERVICES / DRIVERS ===============

.

R0 11858103;11858103;c:\windows\system32\drivers\11858103.sys [2013-2-18 133208]

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2012-1-26 52872]

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2011-1-3 24064]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2012-1-26 226016]

R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2012-1-26 29712]

R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2012-1-26 308136]

R2 KADLLBRT82204215057080;Kaseya Agent;c:\program files\kaseya\dllbrt82204215057080\AgentMon.exe [2012-1-26 847872]

R2 KaseyaAVService;Kaseya Security Service;c:\program files\kaseya\dllbrt82204215057080\KasAVSrv.exe [2012-1-26 229376]

R2 REY Install NT Service;REY Install NT Service;c:\rey\bin\UcsInSvc.exe [2011-7-29 106496]

R2 REY PSCVersionService;REY PSCVersionService;c:\rey\bin\PSCVersionService.exe [2011-12-14 61440]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2011-1-3 44800]

R3 KAPFA;KAPFA;c:\windows\system32\drivers\KAPFA.sys [2012-1-26 17920]

R3 Ktvn_DLLBRT82204215057080;Ktvn_DLLBRT82204215057080;c:\program files\kaseya\dllbrt82204215057080\desktopaccess\KtvnServer.exe [2012-6-13 825344]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 UCS Install NT Service;UCS Install NT Service;c:\ucc\services\ucsinsvc.exe --> c:\ucc\services\UcsInSvc.exe [?]

S3 uti3ndu1;AVZ Kernel Driver;c:\windows\system32\drivers\uti3ndu1.sys [2013-2-18 7168]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\realnetworks\realdownloader\rndlresolversvc.exe [2012-11-29 38608]

.

=============== Created Last 30 ================

.

2013-02-19 19:10:53 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

2013-02-19 18:33:31 -------- d-----w- c:\documents and settings\all users\application data\boost_interprocess

2013-02-19 18:22:30 -------- d-----w- c:\program files\RealVNC

2013-02-18 22:13:15 -------- d-----w- c:\documents and settings\user\application data\Malwarebytes

2013-02-18 22:12:42 -------- d-----w- c:\documents and settings\user\local settings\application data\Sun

2013-02-18 22:09:49 -------- d-sh--w- c:\documents and settings\user\PrivacIE

2013-02-18 22:09:37 -------- d-----w- c:\documents and settings\user\application data\RealNetworks

2013-02-18 22:07:50 -------- d-----w- c:\documents and settings\user\local settings\application data\Temp

2013-02-18 22:07:50 -------- d-----w- c:\documents and settings\user\local settings\application data\Adobe

2013-02-18 22:04:52 -------- d-----w- c:\documents and settings\user\local settings\application data\Google

2013-02-18 22:04:09 -------- d-sh--w- c:\documents and settings\user\IETldCache

2013-02-18 21:45:05 7168 ----a-w- c:\windows\system32\drivers\uti3ndu1.sys

2013-02-18 20:09:28 -------- d--h--w- c:\windows\PIF

2013-02-18 17:14:54 133208 ----a-w- c:\windows\system32\drivers\11858103.sys

2013-02-18 16:42:06 -------- d-sha-r- C:\cmdcons

2013-02-18 16:34:42 98816 ----a-w- c:\windows\sed.exe

2013-02-18 16:34:42 256000 ----a-w- c:\windows\PEV.exe

2013-02-18 16:34:42 208896 ----a-w- c:\windows\MBR.exe

2013-02-18 16:21:50 861088 ----a-w- c:\windows\system32\npDeployJava1.dll

2013-02-18 16:21:37 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2013-02-15 16:00:01 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2013-02-15 15:59:58 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-02-15 15:59:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

==================== Find3M ====================

.

2013-02-18 16:21:18 782240 ----a-w- c:\windows\system32\deployJava1.dll

2013-02-18 16:21:18 143872 ----a-w- c:\windows\system32\javacpl.cpl

2013-01-26 03:55:44 552448 ----a-w- c:\windows\system32\oleaut32.dll

2013-01-15 15:34:42 226016 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2013-01-07 01:19:45 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-01-07 00:37:01 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-01-04 01:20:00 1867264 ----a-w- c:\windows\system32\win32k.sys

2013-01-02 06:49:10 148992 ----a-w- c:\windows\system32\mpg2splt.ax

2013-01-02 06:49:10 1292288 ----a-w- c:\windows\system32\quartz.dll

2012-12-26 20:16:29 916480 ----a-w- c:\windows\system32\wininet.dll

2012-12-26 20:16:28 43520 ------w- c:\windows\system32\licmgr10.dll

2012-12-26 20:16:28 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-12-26 13:11:35 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-12-26 13:11:34 73656 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-12-24 06:40:59 385024 ------w- c:\windows\system32\html.iec

2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll

.

============= FINISH: 9:25:57.62 ===============

ATTACH.txt LOG

-------------------------------

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 11/23/2011 10:19:38 AM

System Uptime: 2/20/2013 9:21:37 AM (0 hours ago)

.

Motherboard: Hewlett-Packard | | 0AA8h

Processor: Intel® Core2 Duo CPU E6550 @ 2.33GHz | XU1 PROCESSOR | 2327/1333mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 75 GiB total, 58.96 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}

Description: PS/2 Compatible Mouse

Device ID: ACPI\PNP0F13\4&16E8443F&0

Manufacturer: Microsoft

Name: PS/2 Compatible Mouse

PNP Device ID: ACPI\PNP0F13\4&16E8443F&0

Service: i8042prt

.

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}

Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard

Device ID: ACPI\PNP0303\4&16E8443F&0

Manufacturer: (Standard keyboards)

Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard

PNP Device ID: ACPI\PNP0303\4&16E8443F&0

Service: i8042prt

.

==== System Restore Points ===================

.

RP1: 2/18/2013 3:58:32 PM - System Checkpoint

RP2: 2/19/2013 1:14:25 PM - Software Distribution Service 3.0

.

==== Installed Programs ======================

.

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Reader X (10.1.3)

Adobe SVG Viewer 3.0

AVG 9.0

ERA Software Manager

Google Chrome

Google Earth

Google Toolbar for Internet Explorer

Google Update Helper

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB2633952)

Hotfix for Windows XP (KB2756822)

Hotfix for Windows XP (KB2779562)

Hotfix for Windows XP (KB915800-v4)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Intel® Graphics Media Accelerator Driver

Java 7 Update 13

Java Auto Updater

Java 6 Update 27

Kaseya Agent (frcad-servicechris.cad.fremont.siddillon - dillonsecure.com)

Malwarebytes Anti-Malware version 1.70.0.1100

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2698023)

Microsoft .NET Framework 1.1 Security Update (KB2742597)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Silverlight

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 Redistributable

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

RealDownloader

RealNetworks - Microsoft Visual C++ 2008 Runtime

RealNetworks - Microsoft Visual C++ 2010 Runtime

RealUpgrade 1.1

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)

Security Update for Microsoft Windows (KB2564958)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2586448)

Security Update for Windows Internet Explorer 8 (KB2618444)

Security Update for Windows Internet Explorer 8 (KB2699988)

Security Update for Windows Internet Explorer 8 (KB2744842)

Security Update for Windows Internet Explorer 8 (KB2761465)

Security Update for Windows Internet Explorer 8 (KB2792100)

Security Update for Windows Internet Explorer 8 (KB2797052)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Search 4 - KB963093

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567053)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2584146)

Security Update for Windows XP (KB2585542)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB2598479)

Security Update for Windows XP (KB2603381)

Security Update for Windows XP (KB2618451)

Security Update for Windows XP (KB2619339)

Security Update for Windows XP (KB2620712)

Security Update for Windows XP (KB2624667)

Security Update for Windows XP (KB2631813)

Security Update for Windows XP (KB2633171)

Security Update for Windows XP (KB2639417)

Security Update for Windows XP (KB2646524)

Security Update for Windows XP (KB2653956)

Security Update for Windows XP (KB2655992)

Security Update for Windows XP (KB2659262)

Security Update for Windows XP (KB2661637)

Security Update for Windows XP (KB2676562)

Security Update for Windows XP (KB2685939)

Security Update for Windows XP (KB2686509)

Security Update for Windows XP (KB2691442)

Security Update for Windows XP (KB2695962)

Security Update for Windows XP (KB2698365)

Security Update for Windows XP (KB2705219)

Security Update for Windows XP (KB2707511)

Security Update for Windows XP (KB2709162)

Security Update for Windows XP (KB2712808)

Security Update for Windows XP (KB2718523)

Security Update for Windows XP (KB2719985)

Security Update for Windows XP (KB2723135)

Security Update for Windows XP (KB2724197)

Security Update for Windows XP (KB2727528)

Security Update for Windows XP (KB2731847)

Security Update for Windows XP (KB2753842-v2)

Security Update for Windows XP (KB2757638)

Security Update for Windows XP (KB2758857)

Security Update for Windows XP (KB2761226)

Security Update for Windows XP (KB2770660)

Security Update for Windows XP (KB2778344)

Security Update for Windows XP (KB2779030)

Security Update for Windows XP (KB2780091)

Security Update for Windows XP (KB2799494)

Security Update for Windows XP (KB2802968)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982665)

SIplugin

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft Windows (KB971513)

Update for Windows Internet Explorer 8 (KB2598845)

Update for Windows Internet Explorer 8 (KB2632503)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2492386)

Update for Windows XP (KB2541763)

Update for Windows XP (KB2641690)

Update for Windows XP (KB2661254-v2)

Update for Windows XP (KB2718704)

Update for Windows XP (KB2736233)

Update for Windows XP (KB2749655)

Update for Windows XP (KB898461)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

VNC Enterprise Edition E4.6.3

WebFldrs XP

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows Management Framework Core

Windows Media Format 11 runtime

Windows Media Player 11

Windows Search 4.0

.

==== Event Viewer Messages From Past Week ========

.

2/18/2013 10:08:46 AM, error: Service Control Manager [7034] - The RealNetworks Downloader Resolver Service service terminated unexpectedly. It has done this 1 time(s).

2/15/2013 11:25:15 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

2/15/2013 10:56:12 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt

2/15/2013 10:56:08 AM, error: Service Control Manager [7000] - The UCS Install NT Service service failed to start due to the following error: The system cannot find the path specified.

2/15/2013 1:56:26 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the VNC Server Version 4 service to connect.

.

==== End Of File ===========================

----------------------------

RogueKiller LOG

RogueKiller V8.5.1 [Feb 19 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : User [Admin rights]

Mode : Scan -- Date : 02/20/2013 09:35:14

| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤

[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Hook\rndlchrome10browserrecordhelper.dll [x] -> UNLOADED

¤¤¤ Registry Entries : 4 ¤¤¤

[services][ROGUE ST] HKLM\[...]\ControlSet001\Services\11858103 (C:\WINDOWS\system32\DRIVERS\11858103.sys) -> FOUND

[services][ROGUE ST] HKLM\[...]\ControlSet002\Services\11858103 (C:\WINDOWS\system32\DRIVERS\11858103.sys) -> FOUND

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDS721680PLA380 +++++

--- User ---

[MBR] faf4875e06bac6d61ce1c3bbaa85a444

[bSP] f75830ab6405da1bbf439930afef5e24 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_02202013_02d0935.txt >>

RKreport[1]_S_02202013_02d0935.txt

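The DDS "SERVICES / DRIVERS" section above is where a responder looks first, and the entry that stands out is the boot-start driver with an all-digit name created two days before the log. As an added example (not code from the thread, from DDS, or from RogueKiller), here is a small Python triage pass over those lines. The sample entries are copied from the log above; the scoring heuristics (all-digit service name, driver file dated within a few days of the log, boot/system-start driver that is also recent, service binary missing on disk) are assumptions chosen for this example and are prompts for a hash check, not verdicts: the thread later reports that VirusTotal found 11858103.sys clean.

```python
import re
from datetime import date

# Sample entries taken verbatim from the DDS "SERVICES / DRIVERS" section posted above.
SAMPLE = r"""
R0 11858103;11858103;c:\windows\system32\drivers\11858103.sys [2013-2-18 133208]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2012-1-26 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2012-1-26 226016]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2011-1-3 44800]
S2 UCS Install NT Service;UCS Install NT Service;c:\ucc\services\ucsinsvc.exe --> c:\ucc\services\UcsInSvc.exe [?]
S3 uti3ndu1;AVZ Kernel Driver;c:\windows\system32\drivers\uti3ndu1.sys [2013-2-18 7168]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
"""

# DDS entry layout: "<start> <name>;<description>;<path> [<yyyy-m-d> <bytes>]".
# When the binary is missing on disk, DDS prints "<path> --> <path> [?]" instead.
ENTRY = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)"
    r"\s+\[(?:(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)|(?P<missing>\?))\]$"
)


def _parse_date(s):
    """Parse a DDS-style date such as '2013-2-18' (month/day not zero-padded)."""
    y, m, d = (int(p) for p in s.split("-"))
    return date(y, m, d)


def parse_entries(text):
    """Parse DDS service/driver lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        if e["date"]:
            e["date"] = _parse_date(e["date"])
        entries.append(e)
    return entries


def triage(text, log_date, window_days=7):
    """Return the entries worth a second look, the ones with most reasons first.

    The heuristics are assumptions for this example, not malware verdicts:
    an all-digit service name, a driver file dated within `window_days` of the
    log, a boot/system-start (R0/R1) driver that is also recent, and a service
    whose binary is missing on disk. `log_date` is the date in the DDS header.
    """
    if isinstance(log_date, str):
        log_date = _parse_date(log_date)
    findings = []
    for e in parse_entries(text):
        reasons = []
        if e["missing"]:
            reasons.append("binary missing on disk; the service cannot start")
        else:
            age = (log_date - e["date"]).days
            recent = 0 <= age <= window_days
            if e["name"].isdigit():
                reasons.append("all-digit service name")
            if recent:
                reasons.append(f"file dated {e['date']}, {age} day(s) before the log")
            if recent and e["start"] in ("R0", "R1"):
                reasons.append("boot/system-start driver: loads before the AV's own drivers")
        if reasons:
            findings.append({"name": e["name"], "start": e["start"], "desc": e["desc"],
                             "path": e["path"], "reasons": reasons})
    findings.sort(key=lambda f: -len(f["reasons"]))  # stable: ties keep log order
    return findings


if __name__ == "__main__":
    # Log date from the DDS header above: "Run by User at 9:25:24 on 2013-02-20".
    for f in triage(SAMPLE, "2013-02-20"):
        print(f"{f['start']} {f['name']}: {f['path']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run against the sample with the log date, 11858103 comes out on top with three reasons, the missing UCS Install NT Service binary (the same failure the Event Viewer section reports) is listed, and the recently created uti3ndu1.sys is flagged only for its date. The next step for anything flagged is the hash lookup the helper asks for below, not deletion.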

Please find this file and upload to VirusTotal for a free scan, let me know the results (just copy back the url)

http://www.virustotal.com/

c:\windows\system32\drivers\11858103.sys

--------------------------

Java™ 6 Update 27 <---please uninstall this from add/remove programs

Java 7 Update 13 <-------update this, should be Update 15

Go to control panel > Java > Update Tab > Update Now

Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

Let me know....MrC


https://www.virustotal.com/en/file/a8c1577876cf16186610f26d7d859f8fda4057aafc33e8212339f56da6a5f874/analysis/1361376215/

Uninstalled Java 6 Update 27

Updated Java 7 to version 15.

What!!! you don't like the Ask toolbar!!! haha jk (was Mcafee this time)

When updating Java 7 to build 15 an error occurred (msie.exe) but then it said it needed a reboot to finish installing. After reboot there is no longer a Java icon in Control Panel but it is in Add/Remove Programs. FYI


To restore the Java in your control panel:

Copy this file:

C:\Program Files\Java\jre7\bin\javacpl.cpl

into this folder:

C:\WINDOWS\system32

-------------------------------------------

OK, that file is Good.

---------------------------------------

Please run TDSSKiller like this:

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Here's a video that explains how to run it if needed:

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.
    If in doubt about an entry....please ask or choose Skip
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.


New window that comes up.


MrC


One odd one popped up and I ran it through VirusTotal.

https://www.virustot...sis/1361378923/

It says it is a threat. I didn't remove it so I could get you the log file.

I also scanned TrueSight but that looks clean.

Link https://www.virustot...sis/1361379104/

I didn't remove anything and attached is the TDSS Log.

TDSSKiller.2.8.16.0_20.02.2013_10.45.31_log.txt


Also I just noticed two directories in the root of C: titled 0b5fd28126e470145fba3953 and 50847d97b9b706. Inside these folders are subfolders titled 1025 through 3082, with some numbers missing. Access is denied when attempting to open the subdirectories.

These weren't here before.


Can you zip that file up and attach it? Then delete it.

c:\windows\system32\drivers\uti3ndu1.sys

---------------------------------------

You can use GrantPerms to check the permissions on that folder and/or files:

http://www.bleepingc...antperms/dl/79/

Unzip the file and, depending on the system, run GrantPerms.exe or GrantPerms64.exe.

Copy and paste the following in the edit box:

(Just copy in the path of the file or folder you want to unlock)

Click Unlock. When it is done click "OK".

Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.

Then you should be able to check the files/folders in the folder.

Let me know.......MrC


Zip file attached and delete successful.

I granted perms on one of the folders and opened up eula.rtf in Notepad, and it is full of lines like those listed below.

}{\listlevel\levelnfc23\levelnfcn23\leveljc0\leveljcn0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\leveltemplateid67698693\'01\u-3929 ?;}{\levelnumbers;}\f10\fbias0 \fi-360\li2160\jclisttab\tx2160\lin2160 }{\listlevel\levelnfc23

\levelnfcn23\leveljc0\leveljcn0\levelfollow0\levelstartat1\levelspace0\levelindent0{\leveltext\leveltemplateid67698689\'01\u-3913 ?;}{\levelnumbers;}\f3\fbias0 \fi-360\li2880\jclisttab\tx2880\lin2880 }{\listlevel\levelnfc23\levelnfcn23\leveljc0\leveljcn0

They also contain Localizeddata.xml and setupresources.dll.

uti3ndu1.zip


Those may be from a Windows update.

Download and Run MBAR again and make sure you update it before running it:

Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page.


New window that comes up.


~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC


You understand that this machine is compromised.....not to be trusted.

Here's the standard warning we give on this type of infection:

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You ran MBAR twice and it came up clean the second time???

--------------------------------

If so please run ComboFix now, download a fresh copy please:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


COMBOFIX LOG

ComboFix 13-02-20.01 - User 02/20/2013 13:18:34.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.994.613 [GMT -6:00]

Running from: c:\documents and settings\User\Desktop\ComboFix.exe

AV: AVG Internet Security Network Edition *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\javacpl.exe

.

.

((((((((((((((((((((((((( Files Created from 2013-01-20 to 2013-02-20 )))))))))))))))))))))))))))))))

.

.

2013-02-20 16:09 . 2013-02-20 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2013-02-19 19:10 . 2012-06-02 21:19 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

2013-02-19 18:33 . 2013-02-20 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess

2013-02-19 18:22 . 2013-02-19 18:22 -------- d-----w- c:\program files\RealVNC

2013-02-18 22:02 . 2013-02-20 17:59 -------- d-----w- c:\documents and settings\User

2013-02-18 20:09 . 2013-02-18 20:09 -------- d--h--w- c:\windows\PIF

2013-02-18 17:14 . 2013-02-19 00:19 133208 ----a-w- c:\windows\system32\drivers\11858103.sys

2013-02-18 16:22 . 2013-02-18 16:22 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Sun

2013-02-18 16:22 . 2013-02-18 16:22 -------- d-----w- c:\program files\Common Files\Java

2013-02-18 16:21 . 2013-02-18 16:21 861088 ----a-w- c:\windows\system32\npDeployJava1.dll

2013-02-15 16:00 . 2013-02-15 16:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2013-02-15 16:00 . 2013-02-15 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2013-02-15 15:59 . 2013-02-15 16:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-02-15 15:59 . 2012-12-14 22:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-02-15 15:41 . 2013-02-15 15:41 -------- d-----w- c:\documents and settings\LocalService\Application Data\TightVNC

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-02-18 16:21 . 2011-12-03 22:27 782240 ----a-w- c:\windows\system32\deployJava1.dll

2013-01-26 03:55 . 2008-04-14 16:00 552448 ----a-w- c:\windows\system32\oleaut32.dll

2013-01-15 15:34 . 2012-01-26 23:50 226016 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2013-01-07 01:19 . 2008-04-14 16:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-01-07 00:37 . 2008-04-14 00:01 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-01-04 01:20 . 2008-04-14 16:00 1867264 ----a-w- c:\windows\system32\win32k.sys

2013-01-02 06:49 . 2008-04-14 16:00 148992 ----a-w- c:\windows\system32\mpg2splt.ax

2013-01-02 06:49 . 2008-04-14 16:00 1292288 ----a-w- c:\windows\system32\quartz.dll

2012-12-26 20:16 . 2008-04-14 16:00 916480 ----a-w- c:\windows\system32\wininet.dll

2012-12-26 20:16 . 2008-04-14 16:00 43520 ------w- c:\windows\system32\licmgr10.dll

2012-12-26 20:16 . 2008-04-14 16:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-12-26 13:11 . 2012-06-07 12:05 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-12-26 13:11 . 2012-03-07 15:48 73656 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-12-24 06:40 . 2008-04-14 16:00 385024 ------w- c:\windows\system32\html.iec

2012-12-16 12:23 . 2008-04-14 16:00 290560 ----a-w- c:\windows\system32\atmfd.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2011-01-03 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2011-01-03 1044480]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-01-03 143360]

"KASHDLLBRT82204215057080"="c:\program files\Kaseya\DLLBRT82204215057080\KaUsrTsk.exe" [2012-03-21 409600]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-01-03 143360]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-01-03 172032]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_3"="advpack.dll" [2009-03-08 128512]

.

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]

"NoAutoUpdate"= 1 (0x1)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2012-01-26 23:50 12536 ----a-w- c:\windows\system32\avgrsstx.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KADLLBRT82204215057080]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2012-12-03 07:35 946352 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2012-07-03 15:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"RealNetworks Downloader Resolver Service"=2 (0x2)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\kworking\\KRlyCCon.exe"=

"c:\\ReynoldsCommon\\ERAccess\\wIntegSM.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=

"c:\\Program Files\\Kaseya\\DLLBRT82204215057080\\LiveConnect.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

"5713:TCP"= 5713:TCP:Reynolds5713

"5713:UDP"= 5713:UDP:Reynolds5713

"5714:TCP"= 5714:TCP:Reynolds5714

"5714:UDP"= 5714:UDP:Reynolds5714

"5715:TCP"= 5715:TCP:Reynolds5715

"5715:UDP"= 5715:UDP:Reynolds5715

"5281:TCP"= 5281:TCP:Reynolds5281

"5281:UDP"= 5281:UDP:Reynolds5281

.

R0 11858103;11858103;c:\windows\system32\drivers\11858103.sys [2/18/2013 11:14 AM 133208]

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/26/2012 5:50 PM 52872]

R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [1/3/2011 2:57 PM 24064]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/26/2012 5:50 PM 226016]

R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/26/2012 5:50 PM 308136]

R2 KADLLBRT82204215057080;Kaseya Agent;c:\program files\Kaseya\DLLBRT82204215057080\AgentMon.exe [1/26/2012 1:39 PM 847872]

R2 KaseyaAVService;Kaseya Security Service;c:\program files\Kaseya\DLLBRT82204215057080\KasAVSrv.exe [1/26/2012 5:46 PM 229376]

R2 REY Install NT Service;REY Install NT Service;c:\rey\Bin\UcsInSvc.exe [7/29/2011 2:06 PM 106496]

R2 REY PSCVersionService;REY PSCVersionService;c:\rey\Bin\PSCVersionService.exe [12/14/2011 2:18 PM 61440]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/3/2011 2:56 PM 44800]

R3 KAPFA;KAPFA;c:\windows\system32\drivers\KAPFA.sys [1/26/2012 1:39 PM 17920]

S2 UCS Install NT Service;UCS Install NT Service;c:\ucc\Services\UcsInSvc.exe --> c:\ucc\Services\UcsInSvc.exe [?]

S3 uti3ndu1;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\uti3ndu1.sys --> c:\windows\system32\Drivers\uti3ndu1.sys [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]

S4 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [11/29/2012 8:31 PM 38608]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - 03309957

*NewlyCreated* - 39853416

*Deregistered* - 03309957

*Deregistered* - 39853416

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-01-30 21:30 1607120 ----a-w- c:\program files\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

TCP: DhcpNameServer = 10.12.188.10 205.171.3.65 205.171.2.65

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-03309957.sys

SafeBoot-09633550.sys

MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-02-20 13:22

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2013-02-20 13:23:39

ComboFix-quarantined-files.txt 2013-02-20 19:23

ComboFix2.txt 2013-02-18 16:54

.

Pre-Run: 63,074,283,520 bytes free

Post-Run: 63,056,359,424 bytes free

.

- - End Of File - - 23BD53C9904AE7B06CE971090349EB94
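The entries MrC reacts to in this log are recognisable by shape: an all-digit driver name in system32\drivers (11858103.sys), a service whose binary ComboFix could not read ("[?]" after uti3ndu1.sys, which was deleted earlier in the thread), removed SafeBoot orphans with numeric names, and the NoAutoUpdate policy that keeps Windows Update off. The following is an added example, not ComboFix's own code or output; it parses a constructed excerpt of the log above and flags those line shapes as leads for a human to review. The rule names and the heuristics are the example's own.

```python
"""Heuristic triage of a ComboFix log (added example, not a ComboFix feature).

It flags the kinds of entries discussed in the thread: drivers and services
with all-digit names, services whose binary ComboFix could not read ('[?]'),
removed SafeBoot orphans with numeric names, and a policy that disables
Windows Update. A hit is a lead for a human to review, not a verdict.
"""
import ntpath
import re

# Constructed excerpt of the ComboFix log posted above. The full log has many
# more sections; this parser only understands the line shapes shown here.
SAMPLE_LOG = r"""
2013-02-18 17:14 . 2013-02-19 00:19 133208 ----a-w- c:\windows\system32\drivers\11858103.sys
2013-02-15 15:59 . 2012-12-14 22:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
R0 11858103;11858103;c:\windows\system32\drivers\11858103.sys [2/18/2013 11:14 AM 133208]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/26/2012 5:50 PM 52872]
S3 uti3ndu1;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\uti3ndu1.sys --> c:\windows\system32\Drivers\uti3ndu1.sys [?]
SafeBoot-03309957.sys
"""

# "Files Created" section: created . modified size attributes path
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$")
# Service/driver lines: start-type name;display;path [--> resolved] [info]
SERVICE_LINE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?: --> (?P<resolved>.+?))? \[(?P<info>[^\]]*)\]$")
SAFEBOOT_ORPHAN = re.compile(r"^SafeBoot-(?P<name>[^.]+)\.sys$")
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
NO_AUTO_UPDATE = re.compile(r'^"NoAutoUpdate"=\s*1\b')
ALL_DIGITS = re.compile(r"^\d+$")


def triage(log_text):
    """Return a list of (rule, line) findings for suspicious entries."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = REG_KEY.match(line)
        if key:
            current_key = key.group("key").lower()
            continue
        # Windows Update disabled by policy: the thread asks to verify that
        # Windows Update works after cleanup, and this value would keep it off.
        if NO_AUTO_UPDATE.match(line) and current_key.endswith(r"windowsupdate\au"):
            findings.append(("windows-update-disabled-by-policy", line))
            continue
        m = FILE_LINE.match(line)
        if m:
            path = m.group("path")
            stem, ext = ntpath.splitext(ntpath.basename(path))
            if ext.lower() == ".sys" and "\\drivers\\" in path.lower() and ALL_DIGITS.match(stem):
                findings.append(("numeric-driver-name", line))
            continue
        m = SERVICE_LINE.match(line)
        if m:
            if ALL_DIGITS.match(m.group("name")):
                findings.append(("numeric-service-name", line))
            if m.group("info") == "?":
                # ComboFix shows [?] instead of a timestamp and size when it
                # cannot read the service binary (here: a file already deleted).
                findings.append(("service-binary-missing", line))
            continue
        m = SAFEBOOT_ORPHAN.match(line)
        if m and ALL_DIGITS.match(m.group("name")):
            findings.append(("numeric-safeboot-orphan", line))
    return findings


def rule_counts(log_text):
    """Count findings per rule, for a one-glance summary of a log."""
    counts = {}
    for rule, _ in triage(log_text):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:35} {line}")
```

Run it against a saved C:\ComboFix.txt by passing the file's contents to triage(); the all-digit-name rule is deliberately narrow so that legitimate drivers such as mbam.sys and avgrkx86.sys in the same section produce no hits.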


No, I don't think so; ComboFix would have caught at least one of those files.

I believe it's caused by one of the programs you have installed.

Let me check, and in the meantime...

Download and run SUPERAntiSpyware Portable Scanner Personal Edition:

http://www.superanti...ag=SAS_HOMEPAGE

Just make sure you update it before you run it.

MrC


Now I remember: This is the reason for those 299 detections...............

Kaseya agent needs updating, ensure you are running the most recent version of the Kaseya product. When using older versions of Kaseya, part of Kaseya interacts badly with mbam.exe and causes ghost detections.

MrC


How in the world did you find out that Kaseya plays bad with MBAM? I am glad you did :) Just got done cleaning with SAS (found some tracking cookies).

Ran MBAR and it came back with zero infections. You're the man! I will talk with my boss about your donation icon :) If he won't pay I will personally.

This machine was not a critical machine, but I have seen this same virus before and really wanted to know how to clean it. And I have seen the ghosting of the same amount of infections before and been baffled.
