
TDL4 infection


This topic is locked
2 replies to this topic

#1 _ragdoll

Posted 10 April 2011 - 05:27 AM

Picked up a TDL4 infection, though Christ knows how.

DDS Log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by voidSkipper at 19:41:47.38 on 04/10/2011 Sun
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
Microsoft Windows 7 Home Premium 6.1.7600.0.932.81.1033.18.2047.899 [GMT 9.5:30]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Windows Media Player\WMPSideShowGadget.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\explorer.exe
C:\Users\voidSkipper\Downloads\dds\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
StartupFolder: c:\users\voidsk~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{b0bf7057-6869-4e4b-920c-ea2a58da07f0}\Icon3E5562ED7.ico
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\voidsk~1\appdata\roaming\mozilla\firefox\profiles\m83mnh7m.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 54323
FF - prefs.js: network.proxy.type - 0
FF - component: c:\users\voidskipper\appdata\roaming\mozilla\firefox\profiles\m83mnh7m.default\extensions\furiganainserter@zorkzero.net\components\YomikataDictionary.dll
FF - component: c:\users\voidskipper\appdata\roaming\mozilla\firefox\profiles\m83mnh7m.default\extensions\twitternotifier@naan.net\platform\winnt\components\nsTwitterFoxSign.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\users\voidskipper\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Net Usage Item: {DA1B0AB5-7DD3-4066-BC2A-64AABBDD0A8B} - %profile%\extensions\{DA1B0AB5-7DD3-4066-BC2A-64AABBDD0A8B}
FF - Ext: Rikaichan: {0AA9101C-D3C1-4129-A9B7-D778C6A17F82} - %profile%\extensions\{0AA9101C-D3C1-4129-A9B7-D778C6A17F82}
FF - Ext: Furigana Inserter: furiganainserter@zorkzero.net - %profile%\extensions\furiganainserter@zorkzero.net
FF - Ext: HTML Ruby: {e10bc159-aa26-41d8-aa24-65de9464ca5a} - %profile%\extensions\{e10bc159-aa26-41d8-aa24-65de9464ca5a}
FF - Ext: Japanese-English Dictionary for rikaichan: {6D898772-AD34-4c16-86BB-9DE787A5DEA0} - %profile%\extensions\{6D898772-AD34-4c16-86BB-9DE787A5DEA0}
FF - Ext: Names Dictionary for rikaichan: {566D6332-1439-43bf-857E-7AD5F137AD0C} - %profile%\extensions\{566D6332-1439-43bf-857E-7AD5F137AD0C}
FF - Ext: Furigana Inserter Dictionary: furiganainserter-dictionary@zorkzero.net - %profile%\extensions\furiganainserter-dictionary@zorkzero.net
FF - Ext: Echofon: twitternotifier@naan.net - %profile%\extensions\twitternotifier@naan.net
FF - Ext: Rikaichan Japanese-English Dictionary File: rikaichan-jpen@polarcloud.com - %profile%\extensions\rikaichan-jpen@polarcloud.com
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
============= SERVICES / DRIVERS ===============
.
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-3-13 1153368]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-7-9 248936]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l160x86.sys [2009-10-13 49152]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 19720]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-2-3 115432]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2010-7-1 34896]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-23 14856]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-21 1343400]
.
=============== Created Last 30 ================
.
2011-04-10 09:39:10 -------- d--h--w- c:\windows\PIF
2011-04-10 07:05:42 -------- d-----w- c:\program files\EPSON Print CD
2011-04-10 07:05:25 77824 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2011-04-10 07:05:25 32768 ------w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2011-04-10 07:05:25 225280 ------w- c:\program files\common files\installshield\iscript\iscript.dll
2011-04-10 07:05:25 176128 ------w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2011-04-10 07:05:24 614532 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\IKernel.exe
2011-04-02 07:03:41 -------- d-----w- c:\program files\Yuna Software
2011-03-26 08:50:49 -------- d-----w- c:\program files\WinDirStat
2011-03-24 09:10:43 -------- d-----w- c:\program files\common files\Deterministic Networks
2011-03-24 09:10:41 -------- d-----w- c:\program files\Cisco Systems
2011-03-24 09:08:31 -------- d-----w- c:\users\voidskipper\Oracle
2011-03-24 09:07:49 -------- d-----w- C:\sqlplus
2011-03-12 01:58:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-04-09 06:17:52 16 ----a-w- c:\windows\system32\msvcsv60.dll
2011-01-17 04:06:56 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2006-05-02 23:00:00 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-20 23:00:00 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-15 23:00:00 216064 --sh--r- c:\windows\system32\nbDX.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: WDC_WD5000AAKS-00YGA0 rev.12.01C02 -> Harddisk1\DR1 -> \Device\Ide\IdePort3 P3T0L0-5
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x85F0C5D9]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85f12970]; MOV EAX, [0x85f129ec]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82C55448] -> \Device\Harddisk1\DR1[0x85EE8620]
3 CLASSPNP[0x88F9359E] -> ntkrnlpa!IofCallDriver[0x82C55448] -> [0x85DA4918]
5 ACPI[0x8348C3B2] -> ntkrnlpa!IofCallDriver[0x82C55448] -> \IdeDeviceP3T0L0-5[0x85A06030]
\Driver\atapi[0x85EF78B8] -> IRP_MJ_CREATE -> 0x85F0C5D9
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP3T0L0-5 -> \??\IDE#DiskWDC_WD5000AAKS-00YGA0___________________12.01C02#5&643f929&0&1.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 19:43:03.27 ===============


Also, when I ran Malwarebytes from Safe Mode, it annihilated all of my startup items. Were they infected, or was it being heavy-handed?
MWB log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5509

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

4/10/2011 7:13:56 PM
mbam-log-2011-04-10 (19-13-56).txt

Scan type: Quick scan
Objects scanned: 158622
Time elapsed: 2 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 96
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 72

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPsb (Malware.Packer.Gen) -> Value: MqmPsb -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mqmnsb (Malware.Packer.Gen) -> Value: Mqmnsb -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mqmnsb (Malware.Packer.Gen) -> Value: Mqmnsb -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPsb (Malware.Packer.Gen) -> Value: MqmPsb -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Trojan.Agent) -> Value: conhost -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtpf (Trojan.Agent) -> Value: MqmPtpf -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtpf (Trojan.Agent) -> Value: MqmPtpf -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPwpc (Password.Stealer) -> Value: MqmPwpc -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPwpc (Password.Stealer) -> Value: MqmPwpc -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPth (Trojan.Agent) -> Value: MqmPth -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPth (Trojan.Agent) -> Value: MqmPth -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPusc (Trojan.Agent) -> Value: MqmPusc -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPusc (Trojan.Agent) -> Value: MqmPusc -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mquta (Trojan.Agent) -> Value: Mquta -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mquta (Trojan.Agent) -> Value: Mquta -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mqva (Trojan.Agent) -> Value: Mqva -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mqva (Trojan.Agent) -> Value: Mqva -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Value: NoFolderOptions -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mqmne5 (Trojan.Downloader.Gen) -> Value: Mqmne5 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mqmne5 (Trojan.Downloader.Gen) -> Value: Mqmne5 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmnzI (Trojan.Downloader.Gen) -> Value: MqmnzI -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmnzI (Trojan.Downloader.Gen) -> Value: MqmnzI -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmnwpK (Trojan.Downloader.Gen) -> Value: MqmnwpK -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmnwpK (Trojan.Downloader.Gen) -> Value: MqmnwpK -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmnrK (Trojan.Downloader.Gen) -> Value: MqmnrK -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmnrK (Trojan.Downloader.Gen) -> Value: MqmnrK -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmnxYc (Trojan.Downloader.Gen) -> Value: MqmnxYc -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmnxYc (Trojan.Downloader.Gen) -> Value: MqmnxYc -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mqmnbc (Trojan.Downloader.Gen) -> Value: Mqmnbc -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mqmnbc (Trojan.Downloader.Gen) -> Value: Mqmnbc -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mqmnz6c (Trojan.Downloader.Gen) -> Value: Mqmnz6c -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mqmnz6c (Trojan.Downloader.Gen) -> Value: Mqmnz6c -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mqrta (Trojan.Downloader) -> Value: Mqrta -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mqrta (Trojan.Downloader) -> Value: Mqrta -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPxb (Trojan.Downloader.Gen) -> Value: MqmPxb -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPxb (Trojan.Downloader.Gen) -> Value: MqmPxb -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPrc (Trojan.Downloader.Gen) -> Value: MqmPrc -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPrc (Trojan.Downloader.Gen) -> Value: MqmPrc -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPeP (Trojan.Downloader.Gen) -> Value: MqmPeP -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPeP (Trojan.Downloader.Gen) -> Value: MqmPeP -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPkbc (Trojan.Downloader.Gen) -> Value: MqmPkbc -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPkbc (Trojan.Downloader.Gen) -> Value: MqmPkbc -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPzZ (Trojan.Downloader.Gen) -> Value: MqmPzZ -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPzZ (Trojan.Downloader.Gen) -> Value: MqmPzZ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPusK (Trojan.Downloader.Gen) -> Value: MqmPusK -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPusK (Trojan.Downloader.Gen) -> Value: MqmPusK -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtpJ (Trojan.Downloader.Gen) -> Value: MqmPtpJ -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtpJ (Trojan.Downloader.Gen) -> Value: MqmPtpJ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPus0 (Trojan.Downloader.Gen) -> Value: MqmPus0 -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPus0 (Trojan.Downloader.Gen) -> Value: MqmPus0 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqsZ (Trojan.Downloader) -> Value: MqsZ -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqsZ (Trojan.Downloader) -> Value: MqsZ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPwe (Trojan.Downloader.Gen) -> Value: MqmPwe -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPwe (Trojan.Downloader.Gen) -> Value: MqmPwe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPf (Trojan.Downloader.Gen) -> Value: MqmPf -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPf (Trojan.Downloader.Gen) -> Value: MqmPf -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqqZ (Trojan.Downloader) -> Value: MqqZ -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqqZ (Trojan.Downloader) -> Value: MqqZ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPY (Trojan.Downloader.Gen) -> Value: MqmPY -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPY (Trojan.Downloader.Gen) -> Value: MqmPY -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPz9 (Trojan.Downloader.Gen) -> Value: MqmPz9 -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPz9 (Trojan.Downloader.Gen) -> Value: MqmPz9 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtdc (Trojan.Downloader.Gen) -> Value: MqmPtdc -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtdc (Trojan.Downloader.Gen) -> Value: MqmPtdc -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPVc (Trojan.Downloader.Gen) -> Value: MqmPVc -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPVc (Trojan.Downloader.Gen) -> Value: MqmPVc -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPwI (Trojan.Downloader.Gen) -> Value: MqmPwI -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPwI (Trojan.Downloader.Gen) -> Value: MqmPwI -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtdK (Trojan.Downloader.Gen) -> Value: MqmPtdK -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtdK (Trojan.Downloader.Gen) -> Value: MqmPtdK -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPVK (Trojan.Downloader.Gen) -> Value: MqmPVK -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPVK (Trojan.Downloader.Gen) -> Value: MqmPVK -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtd0 (Trojan.Downloader.Gen) -> Value: MqmPtd0 -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtd0 (Trojan.Downloader.Gen) -> Value: MqmPtd0 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtdj (Trojan.Downloader.Gen) -> Value: MqmPtdj -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtdj (Trojan.Downloader.Gen) -> Value: MqmPtdj -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtdgc (Trojan.Downloader.Gen) -> Value: MqmPtdgc -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtdgc (Trojan.Downloader.Gen) -> Value: MqmPtdgc -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtdgK (Trojan.Downloader.Gen) -> Value: MqmPtdgK -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtdgK (Trojan.Downloader.Gen) -> Value: MqmPtdgK -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtdg0 (Trojan.Downloader.Gen) -> Value: MqmPtdg0 -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtdg0 (Trojan.Downloader.Gen) -> Value: MqmPtdg0 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtdgj (Trojan.Downloader.Gen) -> Value: MqmPtdgj -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtdgj (Trojan.Downloader.Gen) -> Value: MqmPtdgj -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtdggc (Trojan.Downloader.Gen) -> Value: MqmPtdggc -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtdggc (Trojan.Downloader.Gen) -> Value: MqmPtdggc -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtdggK (Trojan.Downloader.Gen) -> Value: MqmPtdggK -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtdggK (Trojan.Downloader.Gen) -> Value: MqmPtdggK -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtdgg0 (Trojan.Downloader.Gen) -> Value: MqmPtdgg0 -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtdgg0 (Trojan.Downloader.Gen) -> Value: MqmPtdgg0 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtdggj (Trojan.Downloader.Gen) -> Value: MqmPtdggj -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtdggj (Trojan.Downloader.Gen) -> Value: MqmPtdggj -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtdgggc (Trojan.Downloader.Gen) -> Value: MqmPtdgggc -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqmPtdgggc (Trojan.Downloader.Gen) -> Value: MqmPtdgggc -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Bad: (C:\Users\VOIDSK~1\AppData\Local\Temp\csrss.exe) Good: () -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\Temp\drweb.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\4026869225.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\676377588.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\avp32 .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\cmd .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\drweb .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\iexplarer .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\nvsvc32 .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\services .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\setup .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\svchost .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\sysedit .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\sysmgm .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\win .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\winamp .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\winlogon .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Windows\cmd .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Windows\install .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Windows\mdm .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Windows\services .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Windows\win .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Users\voidskipper\AppData\Roaming\microsoft\conhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\voidskipper\AppData\Local\Temp\0.46342902740082736.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Users\voidskipper\AppData\Local\Temp\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\iexplarer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\services.exe (Password.Stealer) -> Quarantined and deleted successfully.
c:\Windows\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\win32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Temp\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\services.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\win.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\avp32 .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\sysmgm .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\services .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\winamp .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\sysedit .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\win .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\nvsvc32 .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\install.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Temp\sysedit.exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\winamp.exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\avp32.exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\qx7sdbx0.exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\sysmgm.exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\winlogon .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\iexplarer .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\winlogon .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\mdm.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Temp\setup.exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\win.exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\cmd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Temp\cmd.exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\nvsvc32.exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\svchost .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\cmd .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\setup .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\svchost .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\cmd .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\svchost .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\svchost .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\svchost .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\svchost .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\svchost .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\svchost .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\svchost .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\svchost .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\svchost .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\svchost .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\svchost .exe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.


I've got a GMER log coming shortly.
EDIT: GMER log here:

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-10 20:08:13
Windows 6.1.7600 Harddisk1\DR1 -> \Device\Ide\IdePort3 WDC_WD5000AAKS-00YGA0 rev.12.01C02
Running: gmer.exe; Driver: C:\Users\VOIDSK~1\AppData\Local\Temp\pwliakob.sys


---- System - GMER 1.0.15 ----

Code 87834C4C ZwTraceEvent
Code 87834C4B NtTraceEvent

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!NtTraceEvent 82C4BE24 5 Bytes JMP 87834C50
.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82C5C589 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C81092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\drivers\kgxjskw.sys The system cannot find the path specified. !
? C:\Users\VOIDSK~1\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[560] ntdll.dll!NtProtectVirtualMemory 778351C0 3 Bytes JMP 0084000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[560] ntdll.dll!NtProtectVirtualMemory + 4 778351C4 1 Byte [89]
.text C:\Program Files\Mozilla Firefox\firefox.exe[560] ntdll.dll!NtWriteVirtualMemory 77835D40 5 Bytes JMP 0085000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[560] ntdll.dll!KiUserExceptionDispatcher 77836298 5 Bytes JMP 0083000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[560] ntdll.dll!LdrLoadDll 7784F5B5 5 Bytes JMP 00A913F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Windows\system32\svchost.exe[1004] ntdll.dll!NtProtectVirtualMemory 778351C0 5 Bytes JMP 0059000A
.text C:\Windows\system32\svchost.exe[1004] ntdll.dll!NtWriteVirtualMemory 77835D40 5 Bytes JMP 005A000A
.text C:\Windows\system32\svchost.exe[1004] ntdll.dll!KiUserExceptionDispatcher 77836298 5 Bytes JMP 0025000A
.text C:\Windows\system32\svchost.exe[1004] ole32.dll!CoCreateInstance 76A9590C 5 Bytes JMP 0062000A
.text C:\Windows\system32\svchost.exe[1004] USER32.dll!GetCursorPos 766DC198 5 Bytes JMP 010E000A
.text C:\Windows\Explorer.EXE[2596] ntdll.dll!NtProtectVirtualMemory 778351C0 5 Bytes JMP 0190000A
.text C:\Windows\Explorer.EXE[2596] ntdll.dll!NtWriteVirtualMemory 77835D40 5 Bytes JMP 0191000A
.text C:\Windows\Explorer.EXE[2596] ntdll.dll!KiUserExceptionDispatcher 77836298 5 Bytes JMP 018C000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3760] USER32.dll!TrackPopupMenu 76704B3B 5 Bytes JMP 6A0F2024 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004b halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Device\Ide\IdeDeviceP3T0L0-5 -> \??\IDE#DiskWDC_WD5000AAKS-00YGA0___________________12.01C02#5&643f929&0&1.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SUPER
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SUPER @DisplayName SUPER ? Version 2010.bld.42 (Nov 7, 2010)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SUPER @UninstallString C:\PROGRA~1\ERIGHT~1\SUPER\Setup.exe /remove /q0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SUPER @InstallDate 2010-12-19 17:34:09
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SUPER @InstallLocation C:\Program Files\eRightSoft\SUPER
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SUPER @InstallSource C:\Users\voidSkipper\Downloads
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SUPER @DisplayIcon C:\Program Files\eRightSoft\SUPER\SUPER.exe
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SUPER @DisplayVersion Version 2010.bld.42 (Nov 7, 2010)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SUPER @VersionMajor 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SUPER @VersionMinor 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SUPER @Publisher eRightSoft
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SUPER @HelpLink http://www.eRightSoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SUPER @URLInfoAbout http://www.eRightSoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SUPER @URLUpdateInfo http://www.eRightSoft.com
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SUPER @Contact support@eRightSoft.com

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk1\DR1 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk1\DR1 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ITLA82AK\viewid=1869459[1].htm 209 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ITLA82AK\viewid=24379620[1].htm 1042 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ITLA82AK\filmannex[1].htm 1061 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ITLA82AK\adoapn_AppNexusDemoActionTag_1[1].htm 238 bytes
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ORV9T6IG\viewid=1869459[1].htm 1691 bytes
File C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@ad.yieldmanager[3].txt 1879 bytes
File C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@altitudedigitalpartners[2].txt 206 bytes
File C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@data.digitalnetworksales.com[1].txt 215 bytes
File C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@filmannex[2].txt 707 bytes

---- EOF - GMER 1.0.15 ----


EDIT:
Current symptoms are general slowness, programs opened show up in task manager but don't appear unless run in administrator mode, also obviously all my startup entries are missing.

Initial symptoms were an enormous spam of "hello1, hello2, hello3" windows on startup, absurd amounts of duplicate tasks in task manager choking my CPU to 100% and forcing a crash/reboot eventually. I didn't see how the infection started as I was downstairs having dinner, but my computer had "recovered from a serious error" and rebooted when I returned, and this had happened. There were no symptoms at all prior and I hadn't downloaded or installed any new programs for some time.

Edited by RPMcMurphy, 10 April 2011 - 08:46 AM.
Removed code tags



#2 _ragdoll

_ragdoll
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:40 AM

Posted 10 April 2011 - 08:17 AM

I realized that with the turnaround time of this forum, if I backed up, fumbled my way through a fix attempt and broke something and was forced to reformat, it'd still be faster. No disrespect intended, of course, you guys do great work, I'm just on a tight schedule.

For those with identical symptoms:

Kaspersky's TDSSKiller.exe killed the rootkit in this case.

The reason Malwarebytes killed all of my startup entries is that the virus' payload had created a new EXE in each startup folder with the same name as the startup exe, then renamed the original startup exes from "name.exe" to "name .exe". Restoring the registry entries from quarantine and renaming the startup files to their original filename solved this problem.

Spybot Search and Destroy's Teatimer.exe was completely deleted by this virus, and thus that program required a reinstall.

I would guess that this infection was some kid messing around with the TDSS source, since the virus was very unsubtle, didn't try to get me to buy anything, and crashed my computer shortly after startup regardless of whether I was connected to the internet or not. I suspect I may have been infected through IRC, since that is the only program I had running while I left my computer unattended.

Either way, all my logs look clean now, no rootkit-fix programs are turning up anything suspicious and my computer is functioning as normal, so please feel free to disregard this thread.
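
As an added example (not the poster's or any tool's code), here is a small Python triage helper that applies the two observations from this post to a list of file paths: it pairs a decoy `name.exe` with the displaced original `name .exe` in the same directory, and separately flags core Windows process names found outside System32. The sample paths are constructed from entries in the Malwarebytes log above, and the set of expected directories is an assumption for a default install.

```python
"""Triage helper for the decoy/renamed-original pattern described in the post above."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: paths copied from the Malwarebytes log in this thread,
# plus one clean entry (the SUPER installer) that must not be flagged.
SAMPLE_PATHS = [
    r"c:\Windows\Temp\winlogon .exe",
    r"c:\Windows\Temp\winlogon.exe",
    r"c:\Windows\services .exe",
    r"c:\Windows\services.exe",
    r"c:\Windows\win.exe",
    r"c:\Users\voidskipper\AppData\Local\Temp\csrss.exe",
    r"c:\Program Files\eRightSoft\SUPER\SUPER.exe",
]

# Core Windows process names and where they belong on a default install (assumption).
SYSTEM_BINARIES = {"csrss.exe", "lsass.exe", "lsm.exe", "services.exe",
                   "svchost.exe", "wininit.exe", "winlogon.exe"}
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def canonical_name(filename):
    """Map 'winlogon .exe' and 'winlogon.exe' to the same key by dropping
    whitespace between the stem and the extension."""
    stem, dot, ext = filename.rpartition(".")
    return (stem.rstrip() + dot + ext).lower() if dot else filename.lower()

def find_shadow_pairs(paths):
    """Return (directory, renamed_original, decoy) for every directory that holds
    both 'name .exe' (the displaced original) and 'name.exe' (the replacement)."""
    groups = defaultdict(list)
    for p in paths:
        w = PureWindowsPath(p)
        groups[(str(w.parent).lower(), canonical_name(w.name))].append(w.name)
    pairs = []
    for (directory, canon), names in groups.items():
        renamed = [n for n in names if n.lower() != canon]   # has the inserted space
        decoys = [n for n in names if n.lower() == canon]    # carries the real name
        if renamed and decoys:
            pairs.append((directory, renamed[0], decoys[0]))
    return pairs

def find_misplaced_system_names(paths):
    """Flag core process names (space-variant or not) living outside System32."""
    return [p for p in paths
            if canonical_name(PureWindowsPath(p).name) in SYSTEM_BINARIES
            and str(PureWindowsPath(p).parent).lower() not in EXPECTED_DIRS]

if __name__ == "__main__":
    print(find_shadow_pairs(SAMPLE_PATHS), find_misplaced_system_names(SAMPLE_PATHS))
```

On a live system the same functions can be fed the output of a directory walk over the startup folders and C:\Windows instead of the constructed list.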

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:40 PM

Posted 10 April 2011 - 04:26 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw



