
I can't get rid of trojans and VirTools; they keep coming back when I reboot


Recommended Posts

I've run Malwarebytes, malware rootkit and MS Forefront Endpoint Protection.  They find the malware/viruses and say they have removed them.  I restart my computer and they come right back within an hour.

 

A few of the detected items are:

Trojan:JS/Magnitude.A

Trojan:Win32/Alureon.GQ

VirTool:Win32/Vbinder

TrojanDownloader:Win32/Upatre.B

Virtool:Win32/CeeInject.gen/KK

 

and several more.

 

I've run MWB at least 20 times in the last 2 days and 50 within the last week and followed up with ComboFix, and it hasn't helped a bit.

 

The only way to keep my CPU from slowing down is to open Process Explorer, find regsvr32 and suspend the 4 iexplore.exe processes that keep popping up.

 

Any help would be greatly appreciated.

 

Thanks.


Hi there,
My name is Marius and I will assist you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you to. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 
 
 
Please post up the content of C:\combofix.txt as well as the MBAM logs.
 
Also, do the following:
 
 
 
Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.zip and extract to your desktop
  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found, do NOT select Copy to quarantine. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root of the system drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt



Please post the contents of that log in your next reply.

 

 

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )

  • Leave everything else as it is.
  • Close all other running programs as well as your browser.
  • Click the Scan button and wait for it to finish.
  • Once done, click on the Save.. button, and in the File name area type in "ark.txt", or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-02-18 10:30:22
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK2561GSY rev.MC001D 232.89GB
Running: 0m2ef09r.exe; Driver: C:\Users\sposton\AppData\Local\Temp\kwlcyuoc.sys

---- Threads - GMER 2.1 ----

Thread   C:\Windows\SysWOW64\regsvr32.exe [3304:3492]                                                                                                                                                        000000006ea82f18
Thread   C:\Windows\SysWOW64\regsvr32.exe [3304:3504]                                                                                                                                                        000000006ea82f18
Thread   C:\Windows\SysWOW64\regsvr32.exe [3304:3508]                                                                                                                                                        000000006ea82f18
Thread   C:\Program Files (x86)\Internet Explorer\iexplore.exe [4392:5860]                                                                                                                                   0000000000222f18
Thread   C:\Program Files (x86)\Internet Explorer\iexplore.exe [5236:4380]                                                                                                                                   0000000000402f18
Thread   C:\Program Files (x86)\Internet Explorer\iexplore.exe [5580:6028]                                                                                                                                   0000000000432f18
Thread   C:\Program Files (x86)\Internet Explorer\iexplore.exe [5580:5912]                                                                                                                                   0000000000432f18
---- Processes - GMER 2.1 ----

Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Program Files (x86)\AT&T\AT&T AllAccess\AllAccess.exe [3180](2014-01-27 03:16:12)                                 0000000002ab0000
Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Windows\SysWOW64\regsvr32.exe [3304](2014-01-27 03:16:12)                                                         0000000010000000
Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Program Files (x86)\DesktopCentral_Agent\bin\dcagenttrayicon.exe [3604](2014-01-27 03:16:12)                      0000000000260000
Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [4036](2014-01-27 03:16:12)                           0000000010000000
Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Program Files (x86)\Sharp\Sharpdesk\SharpTray.exe [3596](2014-01-27 03:16:12)                                     0000000010000000
Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Program Files (x86)\Sharp\Sharpdesk\FTPServer.exe [2988](2014-01-27 03:16:12)                                     0000000000250000
Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [4144](2014-01-27 03:16:12)  0000000010000000
Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [4152](2014-01-27 03:16:12)                         0000000010000000
Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Program Files (x86)\AT&T\AT&T AllAccess\AllAccess_AppStart.exe [4160](2014-01-27 03:16:12)                        0000000010000000
Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Program Files (x86)\Sharp\Sharpdesk\nsapp.exe [4180](2014-01-27 03:16:12)                                         0000000010000000
Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Windows\CCM\SCNotification.exe [5276](2014-01-27 03:16:12)                                                        0000000010000000
Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Program Files (x86)\Internet Explorer\iexplore.exe [4392](2014-01-27 03:16:12)                                    0000000010000000
Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Program Files (x86)\Internet Explorer\iexplore.exe [3456](2014-01-27 03:16:12)                                    0000000010000000
Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_12_0_0_44_ActiveX.exe [3156](2014-01-27 03:16:12)                     0000000010000000
Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Program Files (x86)\Internet Explorer\iexplore.exe [5236](2014-01-27 03:16:12)                                    0000000010000000
Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Program Files (x86)\Internet Explorer\iexplore.exe [5508](2014-01-27 03:16:12)                                    0000000010000000
Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Program Files (x86)\Internet Explorer\iexplore.exe [5580](2014-01-27 03:16:12)                                    0000000010000000
Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Program Files (x86)\Citrix\GoToMeeting\1082\g2mstart.exe [8028](2014-01-27 03:16:12)                              0000000010000000
Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Program Files (x86)\Citrix\GoToMeeting\1082\g2mlauncher.exe [3396](2014-01-27 03:16:12)                           0000000010000000
Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Program Files (x86)\Internet Explorer\iexplore.exe [4640](2014-01-27 03:16:12)                                    0000000010000000
Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Program Files (x86)\Internet Explorer\iexplore.exe [4600](2014-01-27 03:16:12)                                    0000000010000000
Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Program Files (x86)\Internet Explorer\iexplore.exe [7956](2014-01-27 03:16:12)                                    0000000010000000
Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Program Files (x86)\Internet Explorer\iexplore.exe [4448](2014-01-27 03:16:12)                                    0000000010000000

---- Registry - GMER 2.1 ----

Reg      HKLM\SYSTEM\CurrentControlSet\services\swcustcfg                                                                                                                                                   
Reg      HKLM\SYSTEM\CurrentControlSet\services\swcustcfg                                                                                                                                                   
Reg      HKLM\SYSTEM\ControlSet002\services\swcustcfg (not active ControlSet)                                                                                                                               

---- EOF - GMER 2.1 ----


Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe



When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.


ComboFix 14-02-16.01 - sposton 02/18/2014  10:36:25.7.4 - x64
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.1.1033.18.3993.2500 [GMT -5:00]
Running from: c:\users\sposton\Desktop\ComboFix.exe
AV: Microsoft Forefront Endpoint Protection 2010 *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Forefront Endpoint Protection 2010 *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2014-01-18 to 2014-02-18  )))))))))))))))))))))))))))))))
.
.
2014-02-18 15:42 . 2014-02-18 15:42 -------- d-----w- c:\users\william.terry\AppData\Local\temp
2014-02-18 15:42 . 2014-02-18 15:42 -------- d-----w- c:\users\sysadmin\AppData\Local\temp
2014-02-18 15:42 . 2014-02-18 15:42 -------- d-----w- c:\users\pterry\AppData\Local\temp
2014-02-18 15:42 . 2014-02-18 15:42 -------- d-----w- c:\users\matthew.billingsley\AppData\Local\temp
2014-02-18 15:42 . 2014-02-18 15:42 -------- d-----w- c:\users\ksmith\AppData\Local\temp
2014-02-18 15:42 . 2014-02-18 15:42 -------- d-----w- c:\users\jirvin\AppData\Local\temp
2014-02-18 15:42 . 2014-02-18 15:42 -------- d-----w- c:\users\etillisch-admin\AppData\Local\temp
2014-02-18 15:42 . 2014-02-18 15:42 -------- d-----w- c:\users\dwall\AppData\Local\temp
2014-02-18 15:42 . 2014-02-18 15:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-02-18 14:56 . 2014-02-18 14:58 -------- d-----w- C:\FRST
2014-02-18 14:19 . 2014-02-18 14:19 75888 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1044A185-51FB-40C1-8211-E3BF6A494CD6}\offreg.dll
2014-02-18 04:33 . 2010-11-20 13:24 345088 ----a-w- c:\windows\system32\sethc.exe
2014-02-18 02:34 . 2014-02-06 09:01 10536864 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1044A185-51FB-40C1-8211-E3BF6A494CD6}\mpengine.dll
2014-02-18 02:21 . 2014-02-18 04:23 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-02-18 02:19 . 2014-02-18 03:50 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-02-18 02:07 . 2014-02-18 02:07 -------- d-----w- c:\users\Administrator
2014-02-16 23:54 . 2014-02-17 04:22 -------- d-----w- c:\windows\ERUNT
2014-02-16 23:41 . 2014-02-17 15:19 -------- d-----w- C:\AdwCleaner
2014-02-05 17:27 . 2014-02-05 17:27 -------- d-----w- c:\windows\system32\appmgmt
2014-02-05 02:25 . 2013-11-15 01:26 482816 ----a-w- c:\program files\Internet Explorer\ieinstal.exe
2014-02-05 01:50 . 2013-10-04 02:16 116736 ----a-w- c:\windows\system32\drivers\drmk.sys
2014-02-05 01:50 . 2013-10-04 01:36 230400 ----a-w- c:\windows\system32\drivers\portcls.sys
2014-02-05 01:50 . 2013-11-27 01:41 25600 ----a-w- c:\windows\system32\drivers\usbohci.sys
2014-02-05 01:50 . 2013-11-27 01:41 99840 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2014-02-05 01:50 . 2013-11-27 01:41 53248 ----a-w- c:\windows\system32\drivers\usbehci.sys
2014-02-05 01:50 . 2013-11-27 01:41 325120 ----a-w- c:\windows\system32\drivers\usbport.sys
2014-02-05 01:50 . 2013-11-27 01:41 30720 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2014-02-05 01:50 . 2013-11-27 01:41 7808 ----a-w- c:\windows\system32\drivers\usbd.sys
2014-02-05 01:50 . 2013-11-27 01:41 343040 ----a-w- c:\windows\system32\drivers\usbhub.sys
2014-02-05 01:20 . 2013-10-19 02:18 81408 ----a-w- c:\windows\system32\imagehlp.dll
2014-02-05 01:20 . 2013-10-19 01:36 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2014-01-30 18:02 . 2013-04-04 19:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-01-28 20:26 . 2014-01-28 20:26 -------- d-----w- c:\users\sposton\AppData\Roaming\Malwarebytes
2014-01-28 20:26 . 2014-01-28 20:26 -------- d-----w- c:\programdata\Malwarebytes
2014-01-28 20:26 . 2014-02-11 18:24 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2014-01-28 20:26 . 2014-01-28 20:26 -------- d-----w- c:\users\sposton\AppData\Local\Programs
2014-01-27 03:16 . 2014-01-27 03:16 -------- d-----w- c:\users\sposton\AppData\Local\Icsoft
2014-01-24 13:37 . 2013-11-26 10:32 3156480 ----a-w- c:\windows\system32\win32k.sys
2014-01-24 13:35 . 2013-10-12 02:31 202752 ----a-w- c:\windows\system32\scrrun.dll
2014-01-24 13:35 . 2013-10-12 02:03 163840 ----a-w- c:\windows\SysWow64\scrrun.dll
2014-01-24 13:35 . 2013-10-12 02:32 150016 ----a-w- c:\windows\system32\wshom.ocx
2014-01-24 13:35 . 2013-10-12 02:04 121856 ----a-w- c:\windows\SysWow64\wshom.ocx
2014-01-24 13:35 . 2013-10-12 01:33 156160 ----a-w- c:\windows\system32\cscript.exe
2014-01-24 13:35 . 2013-10-12 01:33 168960 ----a-w- c:\windows\system32\wscript.exe
2014-01-24 13:35 . 2013-10-12 01:15 141824 ----a-w- c:\windows\SysWow64\wscript.exe
2014-01-24 13:35 . 2013-10-12 01:15 126976 ----a-w- c:\windows\SysWow64\cscript.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-02-04 19:17 . 2012-04-17 23:22 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-02-04 19:17 . 2011-09-22 21:06 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-01-19 07:33 . 2011-06-15 16:02 270496 ------w- c:\windows\system32\MpSigStub.exe
2013-12-04 03:28 . 2011-08-10 15:23 10315576 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AllAccess.exe"="c:\program files (x86)\AT&T\AT&T AllAccess\AllAccess.exe" [2013-04-04 158072]
"GoToMeeting"="c:\program files (x86)\Citrix\GoToMeeting\1082\g2mstart.exe" [2013-03-29 40376]
"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2013-04-22 911040]
"Icsoft"="c:\users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll" [2014-01-27 20480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"SharpTray.exe"="c:\program files (x86)\Sharp\Sharpdesk\SharpTray.exe" [2010-03-08 131584]
"FtpServer.exe"="c:\program files (x86)\Sharp\Sharpdesk\FtpServer.exe" [2010-02-22 819712]
"IndexTray.exe"="c:\program files (x86)\Sharp\Sharpdesk\IndexTray.exe" [2010-03-08 395264]
"RIMBBLaunchAgent.exe"="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-11-02 90448]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"AllAccess_AppStart.exe"="c:\program files (x86)\AT&T\AT&T AllAccess\AllAccess_AppStart.exe" [2013-03-29 247672]
.
c:\users\sposton\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2013-6-25 246472]
~$2PMplan.xlsm [2013-2-27 165]
~$PMplan.xlsm [2013-2-27 165]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Dell System Manager.lnk - c:\program files\Dell\Dell System Manager\DCPSysMgr.exe [2011-1-20 1552240]
ManageEngine Desktop Central Agent.lnk - c:\program files (x86)\DesktopCentral_Agent\bin\dcagenttrayicon.exe [2010-8-5 695432]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableInstallerDetection"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 ManageEngine Desktop Central - Agent;ManageEngine Desktop Central 7 - Agent;c:\program files (x86)\DesktopCentral_Agent\bin\dcagentservice.exe;c:\program files (x86)\DesktopCentral_Agent\bin\dcagentservice.exe [x]
R2 O2SDIOAssist;O2SDIOAssist;c:\windows\SysWOW64\srvany.exe;c:\windows\SysWOW64\srvany.exe [x]
R3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys;c:\windows\SYSNATIVE\DRIVERS\Accelern.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 lpasvc;Microsoft Policy Platform Local Authority;c:\program files\Microsoft Policy Platform\policyHost.exe;c:\program files\Microsoft Policy Platform\policyHost.exe [x]
R3 lppsvc;Microsoft Policy Platform Processor;c:\program files\Microsoft Policy Platform\policyHost.exe;c:\program files\Microsoft Policy Platform\policyHost.exe [x]
R3 ManageEngine Desktop Central - Remote Control;ManageEngine Desktop Central 7 - Remote Control;c:\program files (x86)\DesktopCentral_Agent\bin\dcrdservice.exe;c:\program files (x86)\DesktopCentral_Agent\bin\dcrdservice.exe [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys;c:\windows\SYSNATIVE\DRIVERS\MpNWMon.sys [x]
R3 O2MDFRDR;O2MDFRDR;c:\windows\system32\drivers\O2MDFw7x64.sys;c:\windows\SYSNATIVE\drivers\O2MDFw7x64.sys [x]
R3 O2MDRRDR;O2MDRRDR;c:\windows\system32\DRIVERS\O2MDRw7x64.sys;c:\windows\SYSNATIVE\DRIVERS\O2MDRw7x64.sys [x]
R3 O2SDJRDR;O2SDJRDR;c:\windows\system32\DRIVERS\o2sdjw7x64.sys;c:\windows\SYSNATIVE\DRIVERS\o2sdjw7x64.sys [x]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 swiwdmbx;Sierra Wireless USB Bus Service;c:\windows\system32\DRIVERS\swiwdmbx.sys;c:\windows\SYSNATIVE\DRIVERS\swiwdmbx.sys [x]
R3 swiwdmbxum;Sierra Wireless UM USB Bus Service;c:\windows\system32\DRIVERS\swiwdmbxum.sys;c:\windows\SYSNATIVE\DRIVERS\swiwdmbxum.sys [x]
R3 swUMmbb00;Sierra Wireless QMI USB-NDIS UM 6.20 miniport device;c:\windows\system32\DRIVERS\swUMmbb00.sys;c:\windows\SYSNATIVE\DRIVERS\swUMmbb00.sys [x]
R3 swUMser00;Sierra Wireless QMI USB Device for UM Legacy Serial Port Communication;c:\windows\system32\DRIVERS\swUMser00.sys;c:\windows\SYSNATIVE\DRIVERS\swUMser00.sys [x]
R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys;c:\windows\SYSNATIVE\drivers\Synth3dVsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 AdtAgent;System Center Audit Forwarding;c:\windows\system32\AdtAgent.exe;c:\windows\SYSNATIVE\AdtAgent.exe [x]
R4 CmRcService;Configuration Manager Remote Control;c:\windows\CCM\RemCtrl\CmRcService.exe;c:\windows\CCM\RemCtrl\CmRcService.exe [x]
S2 AdminHelper.exe;AdminHelper.exe;c:\program files (x86)\AT&T\AT&T AllAccess\AdminHelper.exe;c:\program files (x86)\AT&T\AT&T AllAccess\AdminHelper.exe [x]
S2 dcpsysmgrsvc;Dell System Manager Service;c:\program files\Dell\Dell System Manager\DCPSysMgrSvc.exe;c:\program files\Dell\Dell System Manager\DCPSysMgrSvc.exe [x]
S2 HealthService;System Center Management;c:\program files\System Center Operations Manager\Agent\HealthService.exe;c:\program files\System Center Operations Manager\Agent\HealthService.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 SCWFPFilter;SCWFPFilter;c:\windows\system32\DRIVERS\WFPFilter.sys;c:\windows\SYSNATIVE\DRIVERS\WFPFilter.sys [x]
S2 SwiCardDetectSvc;Sierra Wireless Card Detection Service;c:\program files (x86)\Sierra Wireless Inc\Common\SwiCardDetect64.exe;c:\program files (x86)\Sierra Wireless Inc\Common\SwiCardDetect64.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [x]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 24739978
*NewlyCreated* - KWLCYUOC
*Deregistered* - 24739978
*Deregistered* - kwlcyuoc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-02-04 19:28 1211720 ----a-w- c:\program files (x86)\Google\Chrome\Application\32.0.1700.107\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-02-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-17 19:17]
.
2014-02-18 c:\windows\Tasks\DCAgentUpdater.job
- c:\program files (x86)\DesktopCentral_Agent\bin\dcagentupdater.exe [2010-08-05 19:10]
.
2014-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-02-23 14:34]
.
2014-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-02-23 14:34]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2011-01-18 6492672]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 1436224]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-31 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-31 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-31 418328]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 163552]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.25.10 192.168.25.24 192.168.30.50
TCP: Interfaces\{B9918D96-ED79-40AD-AA7D-1EF5BC312555}: NameServer = 172.26.38.1 172.26.38.2
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
Binary file temp00 matches
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1778012520-2118264811-924725345-7084_Classes\CLSID]
@DACL=(02 0000)
.
[HKEY_USERS\S-1-5-21-1778012520-2118264811-924725345-7084_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}]
@DACL=(02 0000)
@="GoToMeeting Outlook COM Addin"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_44_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_44_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_44_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_44_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_44.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_44.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_44.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_44.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-02-18  10:45:11
ComboFix-quarantined-files.txt  2014-02-18 15:45
ComboFix2.txt  2014-02-18 03:31
ComboFix3.txt  2014-02-16 22:01
ComboFix4.txt  2014-02-16 01:52
ComboFix5.txt  2014-02-18 15:34
.
Pre-Run: 149,356,728,320 bytes free
Post-Run: 149,309,145,088 bytes free
.
- - End Of File - - A18A4DD06743114D3C4A646691191F2C
A36C5E4F47E84449FF07ED3517B43A31
 

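The two logs above carry the same indicator twice: GMER lists one DLL from the user profile (RpcUtilClock8.dll under AppData\Local\Icsoft) loaded into regsvr32.exe, every iexplore.exe and a dozen unrelated programs, and ComboFix's "Reg Loading Points" shows an HKCU Run value whose target is that DLL rather than an executable. The script below is an added example, not part of the thread or of GMER/ComboFix; it parses those two log formats and flags exactly this pattern. The sample lines are copied from the logs posted above, and the heuristics (a DLL under a user-writable path hosted by at least three distinct processes; a Run value that targets a .dll or lives under Users/AppData/ProgramData/Temp) and the threshold are my own assumptions, not rules from either tool.

```python
"""Triage helper for GMER 'Processes' lines and ComboFix 'Reg Loading Points'.

Added example (not from the thread or the tools). It flags
  1. a DLL loaded from a user-writable directory into many unrelated
     processes (GMER 'Library ... (*** suspicious ***) @ <proc> [<pid>]'), and
  2. autostart Run values whose target is a .dll or lives under a
     user-writable path.
"""
import re
from collections import defaultdict

# Constructed sample input: lines copied from the GMER and ComboFix logs above.
GMER_LINES = [
    r"Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Windows\SysWOW64\regsvr32.exe [3304](2014-01-27 03:16:12)  0000000010000000",
    r"Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Program Files (x86)\Internet Explorer\iexplore.exe [4392](2014-01-27 03:16:12)  0000000010000000",
    r"Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [4152](2014-01-27 03:16:12)  0000000010000000",
    r"Library  C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll (*** suspicious ***) @ C:\Windows\CCM\SCNotification.exe [5276](2014-01-27 03:16:12)  0000000010000000",
    r"Thread   C:\Windows\SysWOW64\regsvr32.exe [3304:3492]  000000006ea82f18",
]

COMBOFIX_LINES = [
    r"[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"GoToMeeting"="c:\program files (x86)\Citrix\GoToMeeting\1082\g2mstart.exe" [2013-03-29 40376]',
    r'"Icsoft"="c:\users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll" [2014-01-27 20480]',
    r".",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]",
    r'"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]',
]

# GMER: "Library  <dll> (*** suspicious ***) @ <process> [<pid>](...)"
GMER_LIB_RE = re.compile(
    r"^Library\s+(?P<dll>.+?) \(\*\*\* suspicious \*\*\*\) @ (?P<proc>.+?) \[(?P<pid>\d+)\]"
)
# ComboFix: "[HKEY_...\Run]" section header and '"name"="target" [date size]' values
RUN_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+\\Run)\]$")
RUN_VALUE_RE = re.compile(
    r'^"(?P<name>[^"]*)"="(?P<target>[^"]+)"\s+\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]'
)
# Heuristic (my assumption): directories a standard user can write to.
USER_WRITABLE_RE = re.compile(r"\\(users|appdata|programdata|temp)\\", re.I)


def parse_gmer_libraries(lines):
    """Map each flagged DLL (lower-cased path) to the set of (process, pid) hosting it."""
    hosts = defaultdict(set)
    for line in lines:
        m = GMER_LIB_RE.match(line)
        if m:
            hosts[m["dll"].lower()].add((m["proc"], int(m["pid"])))
    return hosts


def injected_dll_report(lines, min_hosts=3):
    """DLLs from user-writable paths present in at least min_hosts distinct processes."""
    report = []
    for dll, hosts in parse_gmer_libraries(lines).items():
        if len(hosts) >= min_hosts and USER_WRITABLE_RE.search(dll):
            report.append({
                "dll": dll,
                "host_count": len(hosts),
                "hosts": sorted(p.rsplit("\\", 1)[-1].lower() for p, _ in hosts),
                # regsvr32.exe hosting the DLL suggests it is loaded as a COM server
                "via_regsvr32": any(p.lower().endswith("\\regsvr32.exe") for p, _ in hosts),
            })
    return report


def parse_run_entries(lines):
    """Return (run_key, value_name, target) tuples from a ComboFix loading-points section."""
    current_key, entries = None, []
    for line in lines:
        k = RUN_KEY_RE.match(line)
        if k:
            current_key = k["key"]
            continue
        v = RUN_VALUE_RE.match(line)
        if v and current_key:
            entries.append((current_key, v["name"], v["target"]))
    return entries


def flag_run_entries(lines):
    """Flag Run values that target a DLL or a file in a user-writable directory."""
    flagged = []
    for key, name, target in parse_run_entries(lines):
        reasons = []
        if target.lower().endswith(".dll"):
            reasons.append("run value targets a DLL, not an executable")
        if USER_WRITABLE_RE.search(target):
            reasons.append("target lives in a user-writable directory")
        if reasons:
            flagged.append({"key": key, "name": name, "target": target, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for r in injected_dll_report(GMER_LINES):
        print(f"{r['dll']} in {r['host_count']} processes, regsvr32 host: {r['via_regsvr32']}")
    for f in flag_run_entries(COMBOFIX_LINES):
        print(f"{f['key']}\\{f['name']} -> {f['target']}: {'; '.join(f['reasons'])}")
```

Run as-is it reports the one DLL hosted by four processes (regsvr32.exe among them) and the single HKCU Run value that points at it; every other Run entry in the sample (GoToMeeting, Adobe ARM) is left alone. A Run value that resolves to a DLL cannot start on its own, so some loader is involved; the regsvr32.exe that the original poster keeps suspending, which GMER shows hosting the same DLL, is consistent with that. This is why killing the iexplore.exe processes and re-running scanners did not help: the autostart entry under HKCU is per-user and recreates the situation at the next logon, and the removal step has to clear both the Run value and the file it points at.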

No, I haven't! ;)

 

 

You told us that you removed several items with Malwarebytes' Anti-Malware. This tool creates a log on every run and we need to see them.

 

  • The logs can be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Zip any and all of these logs and attach the file to your next reply.

 

Also, please upload C:\Users\sposton\AppData\Local\Icsoft\RpcUtilClock8.dll here: http://www.bleepingcomputer.com/submit-malware.php?channel=156


Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

