ChasFal

Members
  • Content count: 2
About ChasFal
  • Rank: New Member
  1. ok, thanks very much for the advice and direction. I'm going to change my user names and p/words today as you recommended. I have 2 questions: The infected PC is offline now. If I back up my files before reformatting the drive, do I need to worry about the infection residing in iTunes, .pdf or any Msoft Office file types? I'm concerned that I'd reinfect my laptop if I copy my files back after reloading Windows. I'm on another machine now. Before I reset all my passwords, is this one clean? Thanks again.....

     RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
     mail : tigzyRK<at>gmail<dot>com
     Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Website : http://tigzy.geekstogo.com/roguekiller.php
     Blog : http://tigzyrk.blogspot.com/

     Operating System : Windows Vista (6.0.6001 Service Pack 1) 32 bits version
     Started in : Normal mode
     User : Rob McCormick [Admin rights]
     Mode : Scan -- Date : 04/25/2013 11:45:24
     | ARK || FAK || MBR |

     ¤¤¤ Bad processes : 0 ¤¤¤

     ¤¤¤ Registry Entries : 3 ¤¤¤
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Particular Files / Folders: ¤¤¤

     ¤¤¤ Driver : [LOADED] ¤¤¤
     SSDT[64] : NtCreateKey @ 0x8262DFA5 -> HOOKED (Unknown @ 0xA03AAFC0)
     SSDT[72] : NtCreateProcess @ 0x826DA72B -> HOOKED (Unknown @ 0xA03AA200)
     SSDT[73] : NtCreateProcessEx @ 0x826DA776 -> HOOKED (Unknown @ 0xA03AA4C0)
     SSDT[75] : NtCreateSection @ 0x8268F689 -> HOOKED (Unknown @ 0xA03ABC80)
     SSDT[78] : NtCreateThread @ 0x826DA560 -> HOOKED (Unknown @ 0xA03AC160)
     SSDT[123] : NtDeleteKey @ 0x825FB83C -> HOOKED (Unknown @ 0xA03AB540)
     SSDT[126] : NtDeleteValueKey @ 0x825F621F -> HOOKED (Unknown @ 0xA03AB800)
     SSDT[165] : NtLoadDriver @ 0x825B5AD0 -> HOOKED (Unknown @ 0xA03AC4A0)
     SSDT[194] : NtOpenProcess @ 0x82657EF2 -> HOOKED (Unknown @ 0xA03AAA40)
     SSDT[197] : NtOpenSection @ 0x8266EBA2 -> HOOKED (Unknown @ 0xA03ABE20)
     SSDT[324] : NtSetValueKey @ 0x8262EDD1 -> HOOKED (Unknown @ 0xA03AB280)
     SSDT[334] : NtTerminateProcess @ 0x826292F0 -> HOOKED (Unknown @ 0xA03AAD00)
     SSDT[358] : NtWriteVirtualMemory @ 0x82654033 -> HOOKED (Unknown @ 0xA03ABFC0)
     SSDT[382] : NtCreateThreadEx @ 0x82647F82 -> HOOKED (Unknown @ 0xA03AC300)
     SSDT[383] : NtCreateUserProcess @ 0x8260EE26 -> HOOKED (Unknown @ 0xA03AA780)
     S_SSDT[572] : NtUserSetWindowsHookAW -> HOOKED (Unknown @ 0xA03ACB00)
     S_SSDT[573] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0xA03AC920)
     _INLINE_ : NtCreateKey -> HOOKED (Unknown @ 0xA03AAFC5)
     _INLINE_ : NtCreateProcess -> HOOKED (Unknown @ 0xA03AA205)
     _INLINE_ : NtCreateProcessEx -> HOOKED (Unknown @ 0xA03AA4C5)
     _INLINE_ : NtCreateSection -> HOOKED (Unknown @ 0xA03ABC85)
     _INLINE_ : NtCreateThread -> HOOKED (Unknown @ 0xA03AC165)
     _INLINE_ : NtDeleteKey -> HOOKED (Unknown @ 0xA03AB545)
     _INLINE_ : NtDeleteValueKey -> HOOKED (Unknown @ 0xA03AB805)
     _INLINE_ : NtLoadDriver -> HOOKED (Unknown @ 0xA03AC4A5)
     _INLINE_ : NtOpenProcess -> HOOKED (Unknown @ 0xA03AAA45)
     _INLINE_ : NtOpenSection -> HOOKED (Unknown @ 0xA03ABE25)
     _INLINE_ : NtSetValueKey -> HOOKED (Unknown @ 0xA03AB285)
     _INLINE_ : NtTerminateProcess -> HOOKED (Unknown @ 0xA03AAD05)
     _INLINE_ : NtWriteVirtualMemory -> HOOKED (Unknown @ 0xA03ABFC5)
     _INLINE_ : NtCreateThreadEx -> HOOKED (Unknown @ 0xA03AC305)
     _INLINE_ : NtCreateUserProcess -> HOOKED (Unknown @ 0xA03AA785)

     ¤¤¤ HOSTS File: ¤¤¤
     --> C:\Windows\system32\drivers\etc\hosts

     127.0.0.1 localhost
     ::1 localhost

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: HITACHI HTS541616J9SA00 +++++
     --- User ---
     [MBR] 2de4c9e623116fefb281e08d7256f4d0
     [BSP] 22542c83ee86097459dc05da1780809c : Windows Vista MBR Code
     Partition table:
     0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 152625 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     +++++ PhysicalDrive1: IMD-0 +++++
     --- User ---
     [MBR] 7ac7cfe9c18d4f619b97a8c759ffd7dc
     [BSP] 3e29b9212929285cc4c2dd61ea901aa8 : Empty MBR Code
     Partition table:
     0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 63 | Size: 512 Mo
     Error reading LL1 MBR!
     Error reading LL2 MBR!

     Finished : << RKreport[1]_S_04252013_02d1145.txt >>
     RKreport[1]_S_04252013_02d1145.txt
  2. Hi, I'm seeing a svchost.exe process increment up in memory usage and CPU. CPU will hit 99% at times. There is an audio device that shows up in the audio mixer, and random clips are played out intermittently. This started yesterday. Malwarebytes picked off 2 trojans yesterday from safe mode, but the problem persists. I'm notified that Malwarebytes is blocking traffic to 204.145.83.230 on port 49620. I'd appreciate any help or direction that could be offered to get rid of this thing. Here's the log from Rogue Killer:

     RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
     mail : tigzyRK<at>gmail<dot>com
     Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
     Website : http://tigzy.geekstogo.com/roguekiller.php
     Blog : http://tigzyrk.blogspot.com/

     Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
     Started in : Normal mode
     User : rmccormick [Admin rights]
     Mode : Scan -- Date : 04/25/2013 09:21:45
     | ARK || FAK || MBR |

     ¤¤¤ Bad processes : 1 ¤¤¤
     [SUSP PATH] rpcld.exe -- C:\ProgramData\Rpcnet\Bin\rpcld.exe [-] -> KILLED [TermProc]

     ¤¤¤ Registry Entries : 5 ¤¤¤
     [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
     [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
     [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Particular Files / Folders: ¤¤¤
     [ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$3c45e405818ee654faaf70ded16263ec\@ [-] --> FOUND
     [ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-1830819319-1975652134-394877016-23726\$3c45e405818ee654faaf70ded16263ec\@ [-] --> FOUND
     [ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$3c45e405818ee654faaf70ded16263ec\U --> FOUND
     [ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-1830819319-1975652134-394877016-23726\$3c45e405818ee654faaf70ded16263ec\U --> FOUND
     [ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$3c45e405818ee654faaf70ded16263ec\L --> FOUND
     [ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-1830819319-1975652134-394877016-23726\$3c45e405818ee654faaf70ded16263ec\L --> FOUND

     ¤¤¤ Driver : [LOADED] ¤¤¤

     ¤¤¤ Infection : ZeroAccess ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     --> C:\Windows\system32\drivers\etc\hosts