Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

SBS 2003 Infected With Possible Rustock Virus


  • This topic is locked This topic is locked
2 replies to this topic

#1 FineTime

FineTime

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:58 AM

Posted 27 August 2010 - 01:49 PM

Hi, my company's server's (SBS 2003) IP address has been recently blacklisted for having a possible Rustock Virus. Turns out there appears to be a spambot sending out lots and lots of spam. I've included GMER and HijackThis logs. I would greatly appreciate your help. Thanks.

GMER LOG

---- System - GMER 1.0.15 ----

SSDT 8B121388 ZwAlertResumeThread
SSDT 8B122480 ZwAlertThread
SSDT 8A9D3198 ZwAllocateVirtualMemory
SSDT 8A8CDC50 ZwCreateMutant
SSDT 8AF79C08 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB9742350]
SSDT 8A6E08E0 ZwFreeVirtualMemory
SSDT 8A9D40E8 ZwImpersonateAnonymousToken
SSDT 8B0B56D0 ZwImpersonateThread
SSDT 8B3E65F0 ZwMapViewOfSection
SSDT 8AF79F68 ZwOpenEvent
SSDT 8A9D3260 ZwOpenProcessToken
SSDT 8A8CCCC8 ZwOpenThreadToken
SSDT 8A91EB60 ZwQueryValueKey
SSDT 8B115738 ZwResumeThread
SSDT 8A6E2C10 ZwSetContextThread
SSDT 8A86DE80 ZwSetInformationProcess
SSDT 8A9D3B28 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB9742580]
SSDT 8AA18188 ZwSuspendProcess
SSDT 8A86D170 ZwSuspendThread
SSDT 8A91EA20 ZwTerminateProcess
SSDT 8B0B55C8 ZwTerminateThread
SSDT 8B0B88A0 ZwUnmapViewOfSection
SSDT 8A8CE150 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution + DE8 80834330 4 Bytes CALL 2B0DE075
.text ntkrnlpa.exe!ZwYieldExecution + 109C 808345E4 8 Bytes JMP 55C88A91

---- User code sections - GMER 1.0.15 ----

.text D:\Program Files\Exchsrvr\bin\store.exe[5224] kernel32.dll!TerminateProcess 77E42014 5 Bytes JMP 005F3C9A D:\Program Files\Exchsrvr\bin\store.exe (Microsoft MDB Store/Microsoft Corporation)
.text D:\Program Files\Exchsrvr\bin\store.exe[5224] kernel32.dll!ExitProcess 77E668F9 5 Bytes JMP 005F3C6B D:\Program Files\Exchsrvr\bin\store.exe (Microsoft MDB Store/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\rserver30\RServer3.exe[3584] @ C:\WINDOWS\system32\user32.dll [ntdll.dll!NtQueryValueKey] [01401030] C:\WINDOWS\system32\rserver30\RServer3.exe (Radmin Server/Famatech International Corp.)
IAT C:\WINDOWS\system32\rserver30\RServer3.exe[3584] @ C:\WINDOWS\system32\GDI32.dll [ntdll.dll!NtQueryValueKey] [01401030] C:\WINDOWS\system32\rserver30\RServer3.exe (Radmin Server/Famatech International Corp.)
IAT C:\WINDOWS\system32\rserver30\RServer3.exe[3584] @ C:\WINDOWS\system32\ADVAPI32.dll [ntdll.dll!NtQueryValueKey] [01401030] C:\WINDOWS\system32\rserver30\RServer3.exe (Radmin Server/Famatech International Corp.)
IAT D:\Program Files\Exchsrvr\bin\exmgmt.exe[4456] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleBaseNameW] [4B761B7E] D:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT D:\Program Files\Exchsrvr\bin\exmgmt.exe[4456] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleFileNameExW] [4B761AC7] D:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT D:\Program Files\Exchsrvr\bin\mad.exe[4648] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleBaseNameW] [4B761B7E] D:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT D:\Program Files\Exchsrvr\bin\mad.exe[4648] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleFileNameExW] [4B761AC7] D:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT D:\Program Files\Exchsrvr\bin\store.exe[5224] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleBaseNameW] [4B761B7E] D:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT D:\Program Files\Exchsrvr\bin\store.exe[5224] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleFileNameExW] [4B761AC7] D:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[5808] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleBaseNameW] [4B761B7E] D:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[5808] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleFileNameExW] [4B761AC7] D:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\sbscrexe.exe (*** hidden *** ) [AUTO] SBCore <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@Type 16
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@ErrorControl 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@ImagePath %SystemRoot%\System32\sbscrexe.exe
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@DisplayName SBCore Service
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@Description Provides core server services.
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore@Type 16
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore@ErrorControl 3
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore@ImagePath %SystemRoot%\System32\sbscrexe.exe
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore@DisplayName SBCore Service
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore@Description Provides core server services.
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DesktopHeapLogging 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----

HIJACK THIS LOG

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
d:\PROGRA~1\APC\POWERC~1\APC\POWERC~1\agent\pbeagent.exe
d:\PROGRA~1\APC\POWERC~1\APC\POWERC~1\server\PBESER~1.EXE
C:\Program Files\Canon\DIAS\CnxDIAS.exe
D:\program files\sav\DefWatch.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Sunbelt Software\Sunbelt Messaging Ninja\NinjaPimSvc.exe
D:\Program Files\Sunbelt Software\Sunbelt Messaging Ninja\NinjaRemSvc.exe
D:\Program Files\Sunbelt Software\Sunbelt Messaging Ninja\NinjaStoreSvc.exe
D:\Program Files\Sunbelt Software\Sunbelt Messaging Ninja\NinjaUpdSvc.exe
D:\Program Files\Sunbelt Software\Sunbelt Messaging Ninja\NinjaWatchSvc.exe
D:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
C:\WINDOWS\system32\rserver30\RServer3.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\BIN\WSSADMIN.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
D:\program files\sav\Rtvscan.exe
C:\WINDOWS\system32\tcpsvcs.exe
D:\Program Files\Exchsrvr\bin\exmgmt.exe
D:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Exchsrvr\bin\store.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\rserver30\FamItrfc.Exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\sav\VPTray.exe
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-888029092-2427811083-2853853053-1579\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - Global Startup: BGINFO.lnk = C:\Program Files\BATS\bginfo.cmd
O4 - Global Startup: QuickBooks Database Server Manager.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RSCC.local
O17 - HKLM\Software\..\Telephony: DomainName = RSCC.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5BF5810-85D9-4F71-B052-62C1019DF1E8}: NameServer = 192.168.100.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = RSCC.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - d:\PROGRA~1\APC\POWERC~1\APC\POWERC~1\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - d:\PROGRA~1\APC\POWERC~1\APC\POWERC~1\server\PBESER~1.EXE
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\program files\sav\DefWatch.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Ninja Plugin Manager Service (NinjaPimSvc) - Sunbelt Software, Inc. - D:\Program Files\Sunbelt Software\Sunbelt Messaging Ninja\NinjaPimSvc.exe
O23 - Service: Ninja Remoting Service (NinjaRemSvc) - Sunbelt Software, Inc. - D:\Program Files\Sunbelt Software\Sunbelt Messaging Ninja\NinjaRemSvc.exe
O23 - Service: Ninja Store Scanner Service (NinjaStoreSvc) - Sunbelt Software, Inc. - D:\Program Files\Sunbelt Software\Sunbelt Messaging Ninja\NinjaStoreSvc.exe
O23 - Service: Ninja Updates Service (NinjaUpdSvc) - Sunbelt Software, Inc. - D:\Program Files\Sunbelt Software\Sunbelt Messaging Ninja\NinjaUpdSvc.exe
O23 - Service: Ninja Monitoring Service (NinjaWatchSvc) - Sunbelt Software, Inc. - D:\Program Files\Sunbelt Software\Sunbelt Messaging Ninja\NinjaWatchSvc.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - D:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: Reporting Agents (Reporting) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
O23 - Service: Radmin Server V3 (RServer3) - Famatech International Corp. - C:\WINDOWS\system32\rserver30\RServer3.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\program files\sav\Rtvscan.exe

--
End of file - 8218 bytes





BC AdBot (Login to Remove)

 


#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:10:58 AM

Posted 02 September 2010 - 12:36 AM

Hello, and welcome.gif to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand. smile.gif
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the "Custom Scans/Fixes" section paste in the below in bold

    netsvc
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
  • Push the button.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and paste them into the body of your next reply.

~Blade


In your next reply, please include the following:
OTL.txt
Extras.txt

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:10:58 AM

Posted 20 September 2010 - 10:55 AM

Due to lack of feedback, this topic is now Closed

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users