Ironman13
Members
Posts: 10
Reputation: 0 Neutral
  1. MrC, Unfortunately, I won't get this completed before I need to go out of town in the morning. Work got in the way this afternoon. I will start a new thread referencing ComboFix when I return in a week and maybe we can finish it all up then. I do appreciate your help and will most certainly be making a contribution. Thank You
  2. I ran TDSSKiller again but it does not find anything. No threats found, neutralized or quarantined. Should I move on with ComboFix or am I missing something here?
  3. I should have checked that. Here they are.
     TDSSKiller.2.8.13.0_17.10.2012_12.01.14_log.txt
     TDSSKiller.2.8.13.0_17.10.2012_12.32.40_log.txt
     TDSSKiller.2.8.13.0_17.10.2012_13.15.42_log.txt
     TDSSKiller.2.8.13.0_17.10.2012_12.16.45_log.txt
  4. Hopefully this is what you are looking for. I have not deleted any reports but don't seem to have a file that I can attach. This is from the reports function when launching TDSSKiller.
     13:15:42.0712 3224 TDSS rootkit removing tool 2.8.13.0 Oct 12 2012 17:26:47
     13:15:43.0118 3224 ============================================================
     13:15:43.0118 3224 Current date / time: 2012/10/17 13:15:43.0118
     13:15:43.0118 3224 SystemInfo:
     13:15:43.0118 3224
     13:15:43.0118 3224 OS Version: 6.1.7601 ServicePack: 1.0
     13:15:43.0118 3224 Product type: Workstation
     13:15:43.0118 3224 ComputerName: SMARTBOX
     13:15:43.0118 3224 UserName: Administrator
     13:15:43.0118 3224 Windows directory: C:\Windows
     13:15:43.0118 3224 System windows directory: C:\Windows
     13:15:43.0118 3224 Running under WOW64
     13:15:43.0118 3224 Processor architecture: Intel x64
     13:15:43.0118 3224 Number of processors: 1
     13:15:43.0118 3224 Page size: 0x1000
     13:15:43.0118 3224 Boot type: Normal boot
     13:15:43.0118 3224 ============================================================
     13:15:46.0488 3224 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x7E2D, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000040
     13:15:46.0503 3224 ============================================================
     13:15:46.0503 3224 \Device\Harddisk0\DR0:
     13:15:46.0503 3224 MBR partitions:
     13:15:46.0503 3224 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
     13:15:46.0503 3224 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x1BBC4000
     13:15:46.0503 3224 \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0x1BBF6800, BlocksNum 0x15CE800
     13:15:46.0503 3224 ============================================================
     13:15:46.0519 3224 C: <-> \Device\Harddisk0\DR0\Partition2
     13:15:46.0566 3224 D: <-> \Device\Harddisk0\DR0\Partition3
     13:15:46.0566 3224 ============================================================
     13:15:46.0566 3224 Initialize success
     13:15:46.0566 3224 ============================================================
  5. It looks like this worked. Attached are the before and after MBAM logs after having run the TDSSKiller. Is there anything further that I need to do?
     Malwarebytes Anti-Malware 1.65.0.1400
     www.malwarebytes.org
     Database version: v2012.10.17.07
     Windows 7 Service Pack 1 x64 NTFS
     Internet Explorer 9.0.8112.16421
     Administrator :: SMARTBOX [administrator]
     10/17/2012 12:42:37 PM
     mbam-log-2012-10-17 (12-42-37).txt
     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 221618
     Time elapsed: 7 minute(s), 1 second(s)
     Memory Processes Detected: 0
     (No malicious items detected)
     Memory Modules Detected: 0
     (No malicious items detected)
     Registry Keys Detected: 0
     (No malicious items detected)
     Registry Values Detected: 0
     (No malicious items detected)
     Registry Data Items Detected: 0
     (No malicious items detected)
     Folders Detected: 0
     (No malicious items detected)
     Files Detected: 1
     C:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
     (end)

     Malwarebytes Anti-Malware 1.65.0.1400
     www.malwarebytes.org
     Database version: v2012.10.17.07
     Windows 7 Service Pack 1 x64 NTFS
     Internet Explorer 9.0.8112.16421
     Administrator :: SMARTBOX [administrator]
     10/17/2012 12:59:34 PM
     mbam-log-2012-10-17 (12-59-34).txt
     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 221687
     Time elapsed: 5 minute(s), 22 second(s)
     Memory Processes Detected: 0
     (No malicious items detected)
     Memory Modules Detected: 0
     (No malicious items detected)
     Registry Keys Detected: 0
     (No malicious items detected)
     Registry Values Detected: 0
     (No malicious items detected)
     Registry Data Items Detected: 0
     (No malicious items detected)
     Folders Detected: 0
     (No malicious items detected)
     Files Detected: 0
     (No malicious items detected)
     (end)
  6. Here is the log from Listparts64. I will begin with TDSSKiller download and instructions as listed.
     ListParts by Farbar Version: 16-10-2012
     Ran by Administrator (administrator) on 17-10-2012 at 11:56:30
     Windows 7 (X64)
     Running From: C:\Users\Administrator\Desktop
     Language: 0409
     ************************************************************
     ========================= Memory info ======================
     Percentage of memory in use: 64%
     Total physical RAM: 1918.49 MB
     Available physical RAM: 685.59 MB
     Total Pagefile: 3836.98 MB
     Available Pagefile: 1576.6 MB
     Total Virtual: 8192 MB
     Available Virtual: 8191.88 MB
     ======================= Partitions =========================
     1 Drive c: (COMPAQ) (Fixed) (Total:221.88 GB) (Free:102.95 GB) NTFS
     2 Drive d: (FACTORY_IMAGE) (Fixed) (Total:10.9 GB) (Free:2.03 GB) NTFS ==>[system with boot components (obtained from reading drive)]

     Disk ###  Status         Size     Free     Dyn  Gpt
     --------  -------------  -------  -------  ---  ---
     Disk 0    Online         232 GB   0 B

     Partitions of Disk 0:
     ===============
     Partition ###  Type              Size     Offset
     -------------  ----------------  -------  -------
     Partition 1    Primary           100 MB   1024 KB
     Partition 2    Primary           221 GB   101 MB
     Partition 3    Primary           10 GB    221 GB

     ======================================================================================================
     Disk: 0
     Partition 1
     Type  : 07
     Hidden: No
     Active: Yes

     Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
     ----------  ---  -----------  -----  ----------  -------  ---------  --------
     * Volume 1       SYSTEM       NTFS   Partition   100 MB   Healthy    System
     (partition with boot components)

     ======================================================================================================
     Disk: 0
     Partition 2
     Type  : 07
     Hidden: No
     Active: No

     Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
     ----------  ---  -----------  -----  ----------  -------  ---------  --------
     * Volume 2  C    COMPAQ       NTFS   Partition   221 GB   Healthy    Boot

     ======================================================================================================
     Disk: 0
     Partition 3
     Type  : 07
     Hidden: No
     Active: No

     Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
     ----------  ---  -----------  -----  ----------  -------  ---------  --------
     * Volume 3  D    FACTORY_IMA  NTFS   Partition   10 GB    Healthy

     ======================================================================================================
     ==========================================================
     TDL4: custom:26000022

     ****** End Of Log ******
  7. Sorry about that. Here is the complete log.
     RogueKiller V8.1.1 [10/01/2012] by Tigzy
     mail: tigzyRK<at>gmail<dot>com
     Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Website: http://tigzy.geekstogo.com/roguekiller.php
     Blog: http://tigzyrk.blogspot.com

     Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
     Started in : Normal mode
     User : Administrator [Admin rights]
     Mode : Scan -- Date : 10/17/2012 10:50:32

     ¤¤¤ Bad processes : 1 ¤¤¤
     [SVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]

     ¤¤¤ Registry Entries : 7 ¤¤¤
     [TASK][SUSP PATH] iMeshNAG.job : C:\Users\ADMINI~1\AppData\Local\Temp\iMesh_setup.exe -> FOUND
     [TASK][BLPATH] HPCustParticipation HP Officejet 6700 : "C:\Program Files\HP\HP Officejet 6700\Bin\HPCustPartic.exe" /UA 9.5 /DDV 0x1000 -> FOUND
     [TASK][SUSP PATH] iMeshNAG : C:\Users\ADMINI~1\AppData\Local\Temp\iMesh_setup.exe NAGMETHOD=Schedule -> FOUND
     [TASK][SUSP PATH] {4D6D8932-EDCF-4420-8B1D-F8126BB12376} : C:\Windows\system32\pcalua.exe -a "C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\348DFNKM\ANTAgent_2217.exe" -d C:\Users\Administrator\Desktop -> FOUND
     [TASK][SUSP PATH] {66C6677E-2A3A-4A04-9FD6-C984579FDE2E} : C:\Windows\system32\pcalua.exe -a "C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H2IWM6OY\mp600win111ej[1].exe" -d C:\Users\Administrator\Desktop -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Particular Files / Folders: ¤¤¤

     ¤¤¤ Driver : [NOT LOADED] ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     --> C:\Windows\system32\drivers\etc\hosts

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: WDC WD25 00AAJS-65M0A SCSI Disk Device +++++
     --- User ---
     [MBR] c83437cae76a22bfe69c84ccb7a7b974
     [BSP] c1b72764b614ea9c87e84284e8df15c3 : Windows Vista/7 MBR Code
     Partition table:
     0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
     1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 227208 Mo
     2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 465528832 | Size: 11165 Mo
     User = LL1 ... OK!
     Error reading LL2 MBR!

     Finished : << RKreport[1].txt >>
     RKreport[1].txt
  8. Thank You. Here is the report.
     RogueKiller V8.1.1 [10/01/2012] by Tigzy
     mail: tigzyRK<at>gmail<dot>com
     Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Website: http://tigzy.geekstogo.com/roguekiller.php
     Blog: http://tigzyrk.blogspot.com

     Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
     Started in : Normal mode
     User : Administrator [Admin rights]
     Mode : Scan -- Date : 10/17/2012 10:50:32

     ¤¤¤ Bad processes : 1 ¤¤¤
     [SVCHOST] svchost.exe -- \\.\globalroot\systemroot\svchost.exe -> KILLED [TermProc]

     ¤¤¤ Registry Entries : 7 ¤¤¤
     [TASK][SUSP PATH] iMeshNAG.job : C:\Users\ADMINI~1\AppData\Local\Temp\iMesh_setup.exe -> FOUND
     [TASK][BLPATH] HPCustParticipation HP Officejet 6700 : "C:\Program Files\HP\HP Officejet 6700\Bin\HPCustPartic.exe" /UA 9.5 /DDV 0x1000 -> FOUND
     [TASK][SUSP PATH] iMeshNAG : C:\Users\ADMINI~1\AppData\Local\Temp\iMesh_setup.exe NAGMETHOD=Schedule -> FOUND
     [TASK][SUSP PATH] {4D6D8932-EDCF-4420-8B1D-F8126BB12376} : C:\Windows\system32\pcalua.exe -a "C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\348DFNKM\ANTAgent_2217.exe" -d C:\Users\Administrator\Desktop -> FOUND
     [TASK][SUSP PATH] {66C6677E-2A3A-4A04-9FD6-C984579FDE2E} : C:\Windows\system32\pcalua.exe -a "C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H2IWM6OY\mp600win111ej[1].exe" -d C:\Users\Administrator\Desktop -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Particular Files / Folders: ¤¤¤

     ¤¤¤ Driver : [NOT LOADED] ¤¤¤
  9. Hello, I believe you have addressed this before. But, I want to make sure that I follow the correct steps with whatever this is. I have run AVG as well as housecall and neither scans even see this. Malwarebytes sees it but does not delete it upon reboot. I am unclear as to if this is a real threat or not. Please let me know your thoughts. Thanks,
     Malwarebytes Anti-Malware 1.65.0.1400
     www.malwarebytes.org
     Database version: v2012.10.15.10
     Windows 7 Service Pack 1 x64 NTFS
     Internet Explorer 9.0.8112.16421
     Administrator :: SMARTBOX [administrator]
     10/15/2012 9:00:46 PM
     mbam-log-2012-10-16 (06-31-20).txt
     Scan type: Full scan (C:\|)
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 450920
     Time elapsed: 2 hour(s), 4 minute(s), 55 second(s)
     Memory Processes Detected: 1
     C:\Windows\svchost.exe (Trojan.Agent) -> 3696 -> No action taken.
     Memory Modules Detected: 0
     (No malicious items detected)
     Registry Keys Detected: 0
     (No malicious items detected)
     Registry Values Detected: 0
     (No malicious items detected)
     Registry Data Items Detected: 0
     (No malicious items detected)
     Folders Detected: 0
     (No malicious items detected)
     Files Detected: 1
     C:\Windows\svchost.exe (Trojan.Agent) -> No action taken.
     (end)
     dds.txt
     attach.txt