
Windows Server x86: Malwarebytes/HitmanPro keep reporting viruses with each scan


  • This topic is locked
15 replies to this topic

#1 AtariBaby

AtariBaby

  • Members
  • 21 posts
  • OFFLINE
  • Local time:07:28 PM

Posted 01 May 2015 - 03:20 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 29-04-2015 01
Ran by Administrator (administrator) on SVCTAG-HMPHCP1 on 01-05-2015 13:03:30
Running from C:\Documents and Settings\Administrator\Desktop
Loaded Profiles: Administrator (Available profiles: Administrator)
Platform: Microsoft® Windows® Server 2003, Standard Edition Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 7 (Default browser: FF)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
Failed to access process -> smss.exe
Failed to access process -> csrss.exe
Failed to access process -> winlogon.exe
Failed to access process -> services.exe
Failed to access process -> lsass.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> spoolsv.exe
Failed to access process -> msdtc.exe
Failed to access process -> AgentMon.exe
Failed to access process -> mysqld-nt.exe
Failed to access process -> svchost.exe
Failed to access process -> snmp.exe
Failed to access process -> tvnserver.exe
Failed to access process -> winvnc4.exe
Failed to access process -> Lua.exe
Failed to access process -> Lua.exe
Failed to access process -> svchost.exe
Failed to access process -> Kaseya.AgentEndpoint.exe
Failed to access process -> hmpsched.exe
Failed to access process -> explorer.exe
Failed to access process -> MtxHotPlugService.exe
Failed to access process -> tvnserver.exe
Failed to access process -> KaUsrTsk.exe
Failed to access process -> ctfmon.exe
Failed to access process -> wmiprvse.exe
Failed to access process -> svchost.exe
Failed to access process -> KaseyaRemoteControlHost.exe
Failed to access process -> KaseyaRemoteControlHost.exe
Failed to access process -> firefox.exe
Failed to access process -> wmiprvse.exe
Failed to access process -> msiexec.exe
Failed to access process -> FRST.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [MtxHotPlugService] => C:\WINDOWS\system32\MtxHotPlugService.exe [26880 2011-05-19] ()
HKLM\...\Run: [LogMeIn GUI] => "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
HKLM\...\Run: [tvncontrol] => C:\Program Files\TightVNC\tvnserver.exe [815704 2010-07-08] (GlavSoft LLC.)
HKLM\...\Run: [KASHKSAASC51184681212415] => C:\Program Files\Kaseya\KSAASC51184681212415\KaUsrTsk.exe [574992 2015-03-03] (Kaseya International Limited)
HKLM\...\Run: [WFN Start] => C:\Documents and Settings\All Users\Application Data\HQBWXA\WFN.exe
Winlogon\Notify\LMIinit: C:\WINDOWS\system32\LMIinit.dll [2011-10-07] (LogMeIn, Inc.)
HKLM\...\Policies\Explorer\Run: [62910] => C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msxwuwa.bat
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKLM\...\Command Processor:  <======= ATTENTION
HKU\S-1-5-19\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2011-05-19] (Microsoft Corporation)
HKU\S-1-5-20\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2011-05-19] (Microsoft Corporation)
HKU\S-1-5-21-3278006748-4131657999-3033233441-500\...\CurrentVersion\Windows: [Load] C:\WINDOWS\system32\Microsoft.com <===== ATTENTION
HKU\S-1-5-18\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2011-05-19] (Microsoft Corporation)
IFEO\AvastSvc.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\AvastUI.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avcenter.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avconfig.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgcsrvx.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgidsagent.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgnt.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgrsx.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avguard.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgwdsvc.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avp.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avscan.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\bdagent.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\ccuac.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\ComboFix.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\egui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\hijackthis.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\instup.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\keyscrambler.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbam.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbamgui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbampt.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbamscheduler.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbamservice.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\MpCmdRun.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\MSASCui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\MsMpEng.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\msseces.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\rstrui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\spybotsd.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\wireshark.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\zlclient.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
Lsa: [Notification Packages] RASSFM KDCSVC WDIGEST scecli
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\S-1-5-21-3278006748-4131657999-3033233441-500\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
HKU\S-1-5-21-3278006748-4131657999-3033233441-500\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll [2011-02-17] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll [2011-02-17] (Microsoft Corporation)
Winsock: Catalog5 03 C:\WINDOWS\system32\mswsock.dll [256000 2008-06-20] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Tcpip\..\Interfaces\{A0BFE666-411E-4DB3-97E9-42CA2516FD75}: [NameServer] 65.87.16.20,65.87.24.20
 
FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
Locked "efhemupqe" service was unlocked successfully. <===== ATTENTION
Locked "haspo" service was unlocked successfully. <===== ATTENTION
Locked "mgrzgrczu" service was unlocked successfully. <===== ATTENTION
 
S3 Dfs; C:\WINDOWS\system32\Dfssvc.exe [164864 2011-05-19] (Microsoft Corporation)
S2 efhemupqe; C:\WINDOWS\system32\ztwfm.dll [164347 2007-04-18] () [File not signed]
S2 haspo; C:\WINDOWS\system32\ztwfm.dll [164347 2007-04-18] () [File not signed]
S2 HitmanPro37CrusaderBoot; C:\Program Files\HitmanPro\HitmanPro.exe [10109856 2015-04-28] (SurfRight B.V.)
S2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [106248 2015-04-28] (SurfRight B.V.)
S4 IsmServ; C:\WINDOWS\System32\ismserv.exe [40448 2011-05-19] (Microsoft Corporation)
R2 KAKSAASC51184681212415; C:\Program Files\Kaseya\KSAASC51184681212415\AgentMon.exe [1152528 2015-03-03] (Kaseya International Limited)
S4 kdc; C:\WINDOWS\System32\lsass.exe [13312 2011-05-19] (Microsoft Corporation)
S4 LicenseService; C:\WINDOWS\System32\llssrv.exe [94720 2011-05-19] (Microsoft Corporation)
U2 mgrzgrczu; C:\WINDOWS\system32\ztwfm.dll [164347 2007-04-18] () [File not signed]
S3 NtFrs; C:\WINDOWS\system32\ntfrs.exe [792064 2011-05-19] (Microsoft Corporation)
S3 RSoPProv; C:\WINDOWS\system32\RSoPProv.exe [67072 2011-05-19] (Microsoft Corporation)
S3 sacsvr; C:\WINDOWS\system32\sacsvr.dll [12288 2011-05-19] (Microsoft Corporation)
S4 TrkSvr; C:\WINDOWS\system32\trksvr.dll [50688 2011-05-19] (Microsoft Corporation)
S4 Tssdis; C:\WINDOWS\System32\tssdis.exe [71168 2011-05-19] (Microsoft Corporation)
R2 tvnserver; C:\Program Files\TightVNC\tvnserver.exe [815704 2010-07-08] (GlavSoft LLC.)
R2 WinVNC4; C:\Program Files\RealVNC\VNC4\WinVNC4.exe [1696496 2011-08-18] (RealVNC Ltd)
R2 Eventlog;  [X]
R2 MySQL; c:\mysql\bin\mysqld-nt MySQL [X]
S3 WinHttpAutoProxySvc; winhttp.dll [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S4 ClusDisk; C:\WINDOWS\System32\DRIVERS\ClusDisk.sys [69120 2011-05-19] (Microsoft Corporation)
R3 dfmirage; C:\WINDOWS\System32\DRIVERS\dfmirage.sys [34128 2014-10-08] (DemoForge, LLC)
R0 DfsDriver; C:\WINDOWS\System32\drivers\Dfs.sys [34816 2011-05-19] (Microsoft Corporation)
R3 G200ew; C:\WINDOWS\System32\DRIVERS\g200ewm.sys [205696 2011-05-19] (Matrox Graphics Inc.)
R3 KAPFA; C:\WINDOWS\system32\drivers\KAPFA.SYS [31248 2015-03-03] (Kaseya)
S3 WLBS; C:\WINDOWS\System32\DRIVERS\wlbs.sys [169984 2011-05-19] (Microsoft Corporation)
S4 adpu320; No ImagePath
S4 afcnt; No ImagePath
S4 AmdIde; No ImagePath
S4 arc; No ImagePath
S4 cpqarry2; No ImagePath
S4 cpqcissm; No ImagePath
S4 cpqfcalm; No ImagePath
S4 dellcerc; No ImagePath
S4 elxstor; No ImagePath
S4 hpcisss; No ImagePath
S4 hpt3xx; No ImagePath
S4 iirsp; No ImagePath
S4 IntelIde; No ImagePath
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S4 ipsraidn; No ImagePath
U3 LicenseInfo; No ImagePath
R2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [X]
S4 LMIRfsClientNP; No ImagePath
S4 lp6nds35; No ImagePath
S4 nfrd960; No ImagePath
S4 ql2100; No ImagePath
S4 ql2200; No ImagePath
S4 ql2300; No ImagePath
U5 sacdrv; C:\Windows\System32\Drivers\sacdrv.sys [72704 2011-05-19] (Microsoft Corporation)
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [105472 2011-05-19] (Microsoft Corporation)
S4 symmpi; No ImagePath
U1 WS2IFSL; No ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
NETSVC: Sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
NETSVC: TrkSvr -> C:\Windows\system32\trksvr.dll (Microsoft Corporation)
NETSVC: haspo -> C:\WINDOWS\system32\ztwfm.dll ()
NETSVC: efhemupqe -> C:\WINDOWS\system32\ztwfm.dll ()
NETSVC: mgrzgrczu -> C:\WINDOWS\system32\ztwfm.dll ()
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-05-01 13:03 - 2015-05-01 13:03 - 00011675 _____ () C:\Documents and Settings\Administrator\Desktop\FRST.txt
2015-05-01 13:03 - 2015-05-01 13:03 - 00000000 ____D () C:\FRST
2015-05-01 13:02 - 2015-05-01 13:02 - 00000000 ____D () C:\WINDOWS\system32\appmgmt
2015-05-01 13:01 - 2015-05-01 13:01 - 01140736 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FRST.exe
2015-04-30 17:00 - 2015-04-30 17:00 - 00001189 _____ () C:\WINDOWS\KB2620712.log
2015-04-30 16:59 - 2015-04-30 16:59 - 00004081 _____ () C:\WINDOWS\KB2676562.log
2015-04-30 16:59 - 2015-04-30 16:59 - 00003433 _____ () C:\WINDOWS\KB2803821-v2.log
2015-04-30 16:59 - 2015-04-30 16:59 - 00003410 _____ () C:\WINDOWS\KB3046306.log
2015-04-30 16:59 - 2015-04-30 16:59 - 00003409 _____ () C:\WINDOWS\KB2631813.log
2015-04-30 16:59 - 2015-04-30 16:59 - 00003406 _____ () C:\WINDOWS\KB3046049.log
2015-04-30 16:59 - 2015-04-30 16:59 - 00003333 _____ () C:\WINDOWS\KB3039066.log
2015-04-30 16:59 - 2015-04-30 16:59 - 00003323 _____ () C:\WINDOWS\KB2929961.log
2015-04-30 16:59 - 2015-04-30 16:59 - 00003262 _____ () C:\WINDOWS\KB2705219-v2.log
2015-04-30 16:59 - 2015-04-30 16:59 - 00003173 _____ () C:\WINDOWS\KB2544893-v2.log
2015-04-30 16:59 - 2015-04-30 16:59 - 00003153 _____ () C:\WINDOWS\KB2893294.log
2015-04-30 16:58 - 2015-04-30 16:58 - 00003464 _____ () C:\WINDOWS\KB3030398.log
2015-04-30 16:58 - 2015-04-30 16:58 - 00003160 _____ () C:\WINDOWS\KB3046482.log
2015-04-30 16:58 - 2015-04-30 16:58 - 00003160 _____ () C:\WINDOWS\KB2876217.log
2015-04-30 16:58 - 2015-04-30 16:58 - 00003156 _____ () C:\WINDOWS\KB3023562.log
2015-04-30 16:58 - 2015-04-30 16:58 - 00003155 _____ () C:\WINDOWS\KB3032323.log
2015-04-30 16:58 - 2015-04-30 16:58 - 00003154 _____ () C:\WINDOWS\KB3006226.log
2015-04-30 16:58 - 2015-04-30 16:58 - 00003153 _____ () C:\WINDOWS\KB2957509.log
2015-04-30 16:58 - 2015-04-30 16:58 - 00003152 _____ () C:\WINDOWS\KB3020393.log
2015-04-30 16:58 - 2015-04-30 16:58 - 00003152 _____ () C:\WINDOWS\KB2926765.log
2015-04-30 16:57 - 2015-04-30 16:57 - 00003156 _____ () C:\WINDOWS\KB2898715.log
2015-04-30 16:57 - 2015-04-30 16:57 - 00003155 _____ () C:\WINDOWS\KB2862152.log
2015-04-30 16:57 - 2015-04-30 16:57 - 00003070 _____ () C:\WINDOWS\KB2653956.log
2015-04-30 16:57 - 2015-04-30 16:57 - 00002990 _____ () C:\WINDOWS\KB2922229.log
2015-04-30 16:57 - 2015-04-30 16:57 - 00002987 _____ () C:\WINDOWS\KB2864063.log
2015-04-30 16:57 - 2015-04-30 16:57 - 00002985 _____ () C:\WINDOWS\KB3004361.log
2015-04-30 16:57 - 2015-04-30 16:57 - 00002984 _____ () C:\WINDOWS\KB2598479.log
2015-04-30 16:57 - 2015-04-30 16:57 - 00002910 _____ () C:\WINDOWS\KB2780091.log
2015-04-30 16:57 - 2015-04-30 16:57 - 00002908 _____ () C:\WINDOWS\KB3033889.log
2015-04-30 16:53 - 2015-04-30 16:57 - 00000000 ____D () C:\WINDOWS\LastGood
2015-04-30 15:31 - 2015-04-30 15:31 - 00511180 _____ () C:\WINDOWS\msxml6-KB933579-enu-x86.LOG
2015-04-30 15:29 - 2015-04-30 15:29 - 03028352 _____ (Microsoft Corporation) C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB2286198-x86-ENU.exe
2015-04-30 15:26 - 2015-04-30 15:26 - 00000000 ____D () C:\Program Files\RealVNC
2015-04-30 15:26 - 2015-04-30 15:26 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\RealVNC
2015-04-24 09:27 - 2015-04-24 09:27 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\boost_interprocess
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-05-01 13:03 - 2011-05-19 16:49 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2015-05-01 13:02 - 2011-05-19 17:05 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\LogMeIn
2015-05-01 13:02 - 2011-05-19 17:04 - 00000000 ____D () C:\Program Files\LogMeIn
2015-05-01 13:02 - 2011-05-19 16:43 - 01812390 _____ () C:\WINDOWS\WindowsUpdate.log
2015-05-01 12:34 - 2014-09-17 12:52 - 00003430 _____ () C:\WINDOWS\system32\.crusader
2015-05-01 12:32 - 2011-05-19 09:25 - 00013646 _____ () C:\WINDOWS\system32\wpa.dbl
2015-05-01 11:27 - 2014-08-21 13:54 - 00000000 ____D () C:\kworking
2015-04-30 17:00 - 2011-05-20 20:16 - 00000000 ___HD () C:\WINDOWS\$hf_mig$
2015-04-30 17:00 - 2011-05-19 09:38 - 00363038 _____ () C:\WINDOWS\setupapi.log
2015-04-30 16:53 - 2011-05-19 09:31 - 00000000 ____D () C:\WINDOWS\Help
2015-04-30 15:50 - 2011-05-19 09:39 - 00500148 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-04-30 15:46 - 2011-05-19 16:49 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-04-30 15:41 - 2011-05-19 16:49 - 00010106 _____ () C:\WINDOWS\Tasks\SchedLgU.Txt
2015-04-30 15:41 - 2011-05-19 16:49 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2015-04-30 15:36 - 2011-05-20 20:16 - 00027309 _____ () C:\WINDOWS\KB958644.log
2015-04-28 09:46 - 2015-03-07 11:57 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\wor
2015-04-28 09:46 - 2015-01-28 06:17 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\LDTUDY
 
==================== Files in the root of some directories =======
 
2015-02-17 09:11 - 2015-02-17 09:11 - 0036352 ___SH () C:\Documents and Settings\All Users\ms3330F7F3.dat
2015-02-17 10:05 - 2015-02-17 10:05 - 0036352 ___SH () C:\Documents and Settings\All Users\ms3362805F.dat
2015-02-17 11:08 - 2015-02-17 11:08 - 0036352 ___SH () C:\Documents and Settings\All Users\ms339C604A.dat
 
Some content of TEMP:
====================
C:\Documents and Settings\Administrator\Local Settings\Temp\nircmd.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\TeraCopy.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\wget.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.
 
==================== End Of Log ============================

Attached Files




 


#2 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • OFFLINE
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:03:28 AM

Posted 02 May 2015 - 10:18 AM

Greetings and :welcome: to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Let's get going now :thumbup2:

==========================
 
Hi AtariBaby,
 
A couple of questions for you:

  • Have you purposely installed a keylogger on this server?
  • Have you set debuggers on Avast software using a microsoft.com file?
  • Do you have plans to upgrade to a newer server OS, as updates for this version end in a couple of months?

xXToffeeXx~


Edited by xXToffeeXx, 02 May 2015 - 10:19 AM.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 AtariBaby

AtariBaby
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:07:28 PM

Posted 02 May 2015 - 03:50 PM

Hi Toffee

 

Thank you for the help!

 

I definitely didn't install keylogger software on there, just remote access software (Kaseya and VNC).

 

Avast has either not been in use on this server ever, or for a very long time, that I'm aware of.

 

There is a plan to upgrade servers. However, this is a struggling nonprofit and that may be a little while.


Edited by AtariBaby, 02 May 2015 - 03:54 PM.


#4 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • OFFLINE
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:03:28 AM

Posted 03 May 2015 - 08:49 AM

Hi AtariBaby,
 

There is a plan to upgrade servers. However, this is a struggling nonprofit and that may be a little while.

No worries, I can understand this.
 
We need to run a fix with FRST:

  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter.
  • Copy and paste the script below in the notepad document:
HKLM\...\Run: [WFN Start] => C:\Documents and Settings\All Users\Application Data\HQBWXA\WFN.exe
C:\Documents and Settings\All Users\Application Data\HQBWXA
HKLM\...\Policies\Explorer\Run: [62910] => C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msxwuwa.bat
C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msxwuwa.bat
HKU\S-1-5-21-3278006748-4131657999-3033233441-500\...\CurrentVersion\Windows: [Load] C:\WINDOWS\system32\Microsoft.com <===== ATTENTION
C:\WINDOWS\system32\Microsoft.com
IFEO\AvastSvc.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\AvastUI.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avcenter.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avconfig.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgcsrvx.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgidsagent.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgnt.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgrsx.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avguard.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgwdsvc.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avp.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avscan.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\bdagent.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\ccuac.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\ComboFix.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\egui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\hijackthis.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\instup.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\keyscrambler.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbam.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbamgui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbampt.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbamscheduler.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbamservice.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\MpCmdRun.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\MSASCui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\MsMpEng.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\msseces.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\rstrui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\spybotsd.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\wireshark.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\zlclient.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
Winsock: Catalog5 03 C:\WINDOWS\system32\mswsock.dll [256000 2008-06-20] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
CMD: netsh winsock reset
S2 efhemupqe; C:\WINDOWS\system32\ztwfm.dll [164347 2007-04-18] () [File not signed]
S2 haspo; C:\WINDOWS\system32\ztwfm.dll [164347 2007-04-18] () [File not signed]
U2 mgrzgrczu; C:\WINDOWS\system32\ztwfm.dll [164347 2007-04-18] () [File not signed]
NETSVC: haspo -> C:\WINDOWS\system32\ztwfm.dll ()
NETSVC: efhemupqe -> C:\WINDOWS\system32\ztwfm.dll ()
NETSVC: mgrzgrczu -> C:\WINDOWS\system32\ztwfm.dll ()
C:\WINDOWS\system32\ztwfm.dll
2015-02-17 09:11 - 2015-02-17 09:11 - 0036352 ___SH () C:\Documents and Settings\All Users\ms3330F7F3.dat
2015-02-17 10:05 - 2015-02-17 10:05 - 0036352 ___SH () C:\Documents and Settings\All Users\ms3362805F.dat
2015-02-17 11:08 - 2015-02-17 11:08 - 0036352 ___SH () C:\Documents and Settings\All Users\ms339C604A.dat
  • Save the file to your desktop and name it as fixlist.txt

Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run.
  • Please copy and paste the log in your next reply.

--------------
 
Please re-run FRST from the desktop (like you did before) and press the scan button. It will produce a FRST.txt log located on the desktop. Please copy and paste the log into your next reply.
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~
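A defender-side triage script, added here as an illustration and not part of this thread, of FRST, or of the helper's fix: it parses lines in the format of the FRST scan in the first post and flags the three patterns the fixlist above targets: IFEO "Debugger" values that point at something other than a real debugger (here a file named Microsoft.com, which silently hijacks every listed security tool), one unsigned binary (ztwfm.dll) registered under several randomly named services, and Run entries launching from user-writable folders such as Application Data or Temp. The sample lines are copied from the scan log above, plus one constructed benign IFEO entry for windbg.exe so that the output shows what is not flagged. The KNOWN_DEBUGGERS allowlist and the USER_WRITABLE pattern are my own assumptions, not something FRST defines.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed sample in the FRST log format. All lines but the windbg.exe one are
# copied from the scan posted above; the windbg.exe line is a benign control entry.
SAMPLE_LOG = r"""
HKLM\...\Run: [tvncontrol] => C:\Program Files\TightVNC\tvnserver.exe [815704 2010-07-08] (GlavSoft LLC.)
HKLM\...\Run: [WFN Start] => C:\Documents and Settings\All Users\Application Data\HQBWXA\WFN.exe
HKLM\...\Policies\Explorer\Run: [62910] => C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msxwuwa.bat
IFEO\AvastSvc.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbam.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\notepad.exe: [Debugger] C:\Program Files\Debugging Tools for Windows\windbg.exe
S3 Dfs; C:\WINDOWS\system32\Dfssvc.exe [164864 2011-05-19] (Microsoft Corporation)
S2 efhemupqe; C:\WINDOWS\system32\ztwfm.dll [164347 2007-04-18] () [File not signed]
S2 haspo; C:\WINDOWS\system32\ztwfm.dll [164347 2007-04-18] () [File not signed]
U2 mgrzgrczu; C:\WINDOWS\system32\ztwfm.dll [164347 2007-04-18] () [File not signed]
"""

# Assumed allowlist: genuine debuggers that legitimately appear as an IFEO Debugger value.
KNOWN_DEBUGGERS = {"windbg.exe", "cdb.exe", "ntsd.exe", "vsjitdebugger.exe", "drwtsn32.exe"}

# Assumed set of directories an ordinary user can write to (long and 8.3 short forms).
USER_WRITABLE = re.compile(
    r"\\(Application Data|Local Settings|Temp|LOCALS~1|APPLIC~1)\\", re.IGNORECASE)

IFEO_RE = re.compile(r"^IFEO\\(?P<image>[^:]+): \[Debugger\] (?P<target>.+)$")
SERVICE_RE = re.compile(r"^[RSU]\d (?P<name>[^;]+); (?P<path>[A-Za-z]:\\.+?) \[")
RUN_RE = re.compile(
    r"^HKLM\\\.\.\.\\(?:Policies\\Explorer\\)?Run: \[(?P<name>[^\]]+)\] => (?P<target>.+)$")


def analyze(log_text):
    """Return the suspicious entries found in FRST-style log text."""
    ifeo_hijacks = []                      # (hijacked image, bogus "debugger")
    services_by_binary = defaultdict(list) # lower-cased binary path -> service names
    unsigned_binaries = set()
    suspicious_autoruns = []               # (value name, launched path)

    for line in log_text.splitlines():
        line = line.strip()
        if m := IFEO_RE.match(line):
            target = m["target"].strip()
            # Any IFEO Debugger that is not a real debugger diverts the named program.
            if PureWindowsPath(target).name.lower() not in KNOWN_DEBUGGERS:
                ifeo_hijacks.append((m["image"], target))
        elif m := SERVICE_RE.match(line):
            path = m["path"].lower()
            services_by_binary[path].append(m["name"])
            if "[File not signed]" in line:
                unsigned_binaries.add(path)
        elif m := RUN_RE.match(line):
            # Drop the trailing "[size date] (vendor)" and surrounding quotes.
            target = m["target"].split(" [")[0].strip().strip('"')
            if USER_WRITABLE.search(target):
                suspicious_autoruns.append((m["name"], target))

    # One unsigned file registered under several service names is the pattern seen here.
    shared_unsigned = {path: names for path, names in services_by_binary.items()
                       if path in unsigned_binaries and len(names) > 1}
    return {
        "ifeo_hijacks": ifeo_hijacks,
        "ifeo_targets": dict(Counter(t for _, t in ifeo_hijacks)),
        "shared_unsigned_services": shared_unsigned,
        "suspicious_autoruns": suspicious_autoruns,
    }


if __name__ == "__main__":
    for category, findings in analyze(SAMPLE_LOG).items():
        print(category, findings)
```

To use it on a real scan, pass the contents of FRST.txt to analyze(); the "ifeo_targets" count tells you at a glance how many tools one bogus debugger file is diverting, which is why the fix above removes the file and every IFEO key together rather than one at a time.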


#5 AtariBaby

AtariBaby
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:07:28 PM

Posted 03 May 2015 - 02:13 PM

Posting Fixlog.txt first, then FRST.txt

 

-----

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 29-04-2015 01

Ran by Administrator at 2015-05-03 11:59:48 Run:1
Running from C:\Documents and Settings\Administrator\Desktop
Loaded Profiles: Administrator (Available profiles: Administrator)
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
HKLM\...\Run: [WFN Start] => C:\Documents and Settings\All Users\Application Data\HQBWXA\WFN.exe
C:\Documents and Settings\All Users\Application Data\HQBWXA
HKLM\...\Policies\Explorer\Run: [62910] => C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msxwuwa.bat
C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msxwuwa.bat
HKU\S-1-5-21-3278006748-4131657999-3033233441-500\...\CurrentVersion\Windows: [Load] C:\WINDOWS\system32\Microsoft.com <===== ATTENTION
C:\WINDOWS\system32\Microsoft.com
IFEO\AvastSvc.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\AvastUI.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avcenter.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avconfig.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgcsrvx.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgidsagent.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgnt.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgrsx.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avguard.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgwdsvc.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avp.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avscan.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\bdagent.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\ccuac.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\ComboFix.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\egui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\hijackthis.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\instup.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\keyscrambler.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbam.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbamgui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbampt.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbamscheduler.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbamservice.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\MpCmdRun.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\MSASCui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\MsMpEng.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\msseces.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\rstrui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\spybotsd.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\wireshark.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\zlclient.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
Winsock: Catalog5 03 C:\WINDOWS\system32\mswsock.dll [256000 2008-06-20] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
CMD: netsh winsock reset
S2 efhemupqe; C:\WINDOWS\system32\ztwfm.dll [164347 2007-04-18] () [File not signed]
S2 haspo; C:\WINDOWS\system32\ztwfm.dll [164347 2007-04-18] () [File not signed]
U2 mgrzgrczu; C:\WINDOWS\system32\ztwfm.dll [164347 2007-04-18] () [File not signed]
NETSVC: haspo -> C:\WINDOWS\system32\ztwfm.dll ()
NETSVC: efhemupqe -> C:\WINDOWS\system32\ztwfm.dll ()
NETSVC: mgrzgrczu -> C:\WINDOWS\system32\ztwfm.dll ()
C:\WINDOWS\system32\ztwfm.dll
2015-02-17 09:11 - 2015-02-17 09:11 - 0036352 ___SH () C:\Documents and Settings\All Users\ms3330F7F3.dat
2015-02-17 10:05 - 2015-02-17 10:05 - 0036352 ___SH () C:\Documents and Settings\All Users\ms3362805F.dat
2015-02-17 11:08 - 2015-02-17 11:08 - 0036352 ___SH () C:\Documents and Settings\All Users\ms339C604A.dat
*****************
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\WFN Start => value deleted successfully.
C:\Documents and Settings\All Users\Application Data\HQBWXA => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\62910 => Value not found.
"C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msxwuwa.bat" => File/Directory not found.
HKU\S-1-5-21-3278006748-4131657999-3033233441-500\Software\Microsoft\Windows NT\CurrentVersion\Windows\\Load => Value was restored successfully.
"C:\WINDOWS\system32\Microsoft.com" => File/Directory not found.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\AvastSvc.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\AvastUI.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avcenter.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avconfig.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgcsrvx.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgidsagent.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgnt.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgrsx.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avguard.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgui.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgwdsvc.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avp.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avscan.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\bdagent.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ccuac.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ComboFix.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\hijackthis.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\instup.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\keyscrambler.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbam.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamgui.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbampt.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamscheduler.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamservice.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MpCmdRun.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MSASCui.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MsMpEng.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\rstrui.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\spybotsd.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\wireshark.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\zlclient.exe" => Key Deleted successfully.
Winsock: Catalog5 entry 000000000003\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
 
=========  netsh winsock reset =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset.
 
 
========= End of CMD: =========
 
efhemupqe => Service deleted successfully.
haspo => Service deleted successfully.
mgrzgrczu => Service deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs haspo => Value deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs efhemupqe => Value deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs mgrzgrczu => Value deleted successfully.
Could not move "C:\WINDOWS\system32\ztwfm.dll" => Scheduled to move on reboot.
C:\Documents and Settings\All Users\ms3330F7F3.dat => Moved successfully.
C:\Documents and Settings\All Users\ms3362805F.dat => Moved successfully.
C:\Documents and Settings\All Users\ms339C604A.dat => Moved successfully.
 
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-05-03 12:04:58)<=
 
C:\WINDOWS\system32\ztwfm.dll => Is moved successfully.
 
==== End of Fixlog 12:04:58 ====
 
-----

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 29-04-2015 01
Ran by Administrator (administrator) on SVCTAG-HMPHCP1 on 03-05-2015 12:07:55
Running from C:\Documents and Settings\Administrator\Desktop
Loaded Profiles: Administrator (Available profiles: Administrator)
Platform: Microsoft® Windows® Server 2003, Standard Edition Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 7 (Default browser: FF)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
Failed to access process -> smss.exe
Failed to access process -> csrss.exe
Failed to access process -> winlogon.exe
Failed to access process -> services.exe
Failed to access process -> lsass.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> spoolsv.exe
Failed to access process -> msdtc.exe
Failed to access process -> AgentMon.exe
Failed to access process -> mysqld-nt.exe
Failed to access process -> svchost.exe
Failed to access process -> snmp.exe
Failed to access process -> tvnserver.exe
Failed to access process -> winvnc4.exe
Failed to access process -> Lua.exe
Failed to access process -> Lua.exe
Failed to access process -> Kaseya.AgentEndpoint.exe
Failed to access process -> svchost.exe
Failed to access process -> KaseyaRemoteControlHost.exe
Failed to access process -> hmpsched.exe
Failed to access process -> KaseyaRemoteControlHost.exe
Failed to access process -> explorer.exe
Failed to access process -> notepad.exe
Failed to access process -> MtxHotPlugService.exe
Failed to access process -> tvnserver.exe
Failed to access process -> KaUsrTsk.exe
Failed to access process -> ctfmon.exe
Failed to access process -> wmiprvse.exe
Failed to access process -> FRST.exe
Failed to access process -> svchost.exe
Failed to access process -> wmiprvse.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [MtxHotPlugService] => C:\WINDOWS\system32\MtxHotPlugService.exe [26880 2011-05-19] ()
HKLM\...\Run: [LogMeIn GUI] => "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
HKLM\...\Run: [tvncontrol] => C:\Program Files\TightVNC\tvnserver.exe [815704 2010-07-08] (GlavSoft LLC.)
HKLM\...\Run: [KASHKSAASC51184681212415] => C:\Program Files\Kaseya\KSAASC51184681212415\KaUsrTsk.exe [574992 2015-03-20] (Kaseya International Limited)
Winlogon\Notify\LMIinit: C:\WINDOWS\system32\LMIinit.dll [2011-10-07] (LogMeIn, Inc.)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKLM\...\Command Processor:  <======= ATTENTION
HKU\S-1-5-19\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2011-05-19] (Microsoft Corporation)
HKU\S-1-5-20\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2011-05-19] (Microsoft Corporation)
HKU\S-1-5-18\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [44032 2011-05-19] (Microsoft Corporation)
Lsa: [Notification Packages] RASSFM KDCSVC WDIGEST scecli
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\S-1-5-21-3278006748-4131657999-3033233441-500\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
HKU\S-1-5-21-3278006748-4131657999-3033233441-500\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll [2011-02-17] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll [2011-02-17] (Microsoft Corporation)
Winsock: Catalog5 03 %SystemRoot%\system32\NLAapi.dll File Not found
Tcpip\..\Interfaces\{A0BFE666-411E-4DB3-97E9-42CA2516FD75}: [NameServer] 65.87.16.20,65.87.24.20
 
FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 Dfs; C:\WINDOWS\system32\Dfssvc.exe [164864 2011-05-19] (Microsoft Corporation)
S2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [106248 2015-04-28] (SurfRight B.V.)
S4 IsmServ; C:\WINDOWS\System32\ismserv.exe [40448 2011-05-19] (Microsoft Corporation)
R2 KAKSAASC51184681212415; C:\Program Files\Kaseya\KSAASC51184681212415\AgentMon.exe [1155088 2015-03-20] (Kaseya International Limited)
S4 kdc; C:\WINDOWS\System32\lsass.exe [13312 2011-05-19] (Microsoft Corporation)
S4 LicenseService; C:\WINDOWS\System32\llssrv.exe [94720 2011-05-19] (Microsoft Corporation)
S3 NtFrs; C:\WINDOWS\system32\ntfrs.exe [792064 2011-05-19] (Microsoft Corporation)
S3 RSoPProv; C:\WINDOWS\system32\RSoPProv.exe [67072 2011-05-19] (Microsoft Corporation)
S3 sacsvr; C:\WINDOWS\system32\sacsvr.dll [12288 2011-05-19] (Microsoft Corporation)
S4 TrkSvr; C:\WINDOWS\system32\trksvr.dll [50688 2011-05-19] (Microsoft Corporation)
S4 Tssdis; C:\WINDOWS\System32\tssdis.exe [71168 2011-05-19] (Microsoft Corporation)
R2 tvnserver; C:\Program Files\TightVNC\tvnserver.exe [815704 2010-07-08] (GlavSoft LLC.)
R2 WinVNC4; C:\Program Files\RealVNC\VNC4\WinVNC4.exe [1696496 2011-08-18] (RealVNC Ltd)
R2 Eventlog;  [X]
R2 MySQL; c:\mysql\bin\mysqld-nt MySQL [X]
S3 WinHttpAutoProxySvc; winhttp.dll [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S4 ClusDisk; C:\WINDOWS\System32\DRIVERS\ClusDisk.sys [69120 2011-05-19] (Microsoft Corporation)
R3 dfmirage; C:\WINDOWS\System32\DRIVERS\dfmirage.sys [34128 2014-10-08] (DemoForge, LLC)
R0 DfsDriver; C:\WINDOWS\System32\drivers\Dfs.sys [34816 2011-05-19] (Microsoft Corporation)
R3 G200ew; C:\WINDOWS\System32\DRIVERS\g200ewm.sys [205696 2011-05-19] (Matrox Graphics Inc.)
R3 KAPFA; C:\WINDOWS\system32\drivers\KAPFA.SYS [30992 2015-03-20] (Kaseya)
S3 WLBS; C:\WINDOWS\System32\DRIVERS\wlbs.sys [169984 2011-05-19] (Microsoft Corporation)
S4 adpu320; No ImagePath
S4 afcnt; No ImagePath
S4 AmdIde; No ImagePath
S4 arc; No ImagePath
S4 cpqarry2; No ImagePath
S4 cpqcissm; No ImagePath
S4 cpqfcalm; No ImagePath
S4 dellcerc; No ImagePath
S4 elxstor; No ImagePath
S4 hpcisss; No ImagePath
S4 hpt3xx; No ImagePath
S4 iirsp; No ImagePath
S4 IntelIde; No ImagePath
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S4 ipsraidn; No ImagePath
U3 LicenseInfo; No ImagePath
S2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [X]
S4 LMIRfsClientNP; No ImagePath
S4 lp6nds35; No ImagePath
S4 nfrd960; No ImagePath
S4 ql2100; No ImagePath
S4 ql2200; No ImagePath
S4 ql2300; No ImagePath
U5 sacdrv; C:\Windows\System32\Drivers\sacdrv.sys [72704 2011-05-19] (Microsoft Corporation)
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [105472 2011-05-19] (Microsoft Corporation)
S4 symmpi; No ImagePath
U1 WS2IFSL; No ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
NETSVC: Sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
NETSVC: TrkSvr -> C:\Windows\system32\trksvr.dll (Microsoft Corporation)
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-05-01 13:03 - 2015-05-03 12:08 - 00008346 _____ () C:\Documents and Settings\Administrator\Desktop\FRST.txt
2015-05-01 13:03 - 2015-05-03 12:07 - 00000000 ____D () C:\FRST
2015-05-01 13:03 - 2015-05-01 13:03 - 00012605 _____ () C:\Documents and Settings\Administrator\Desktop\Addition.txt
2015-05-01 13:02 - 2015-05-01 13:02 - 00000000 ____D () C:\WINDOWS\system32\appmgmt
2015-05-01 13:01 - 2015-05-01 13:01 - 01140736 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FRST.exe
2015-04-30 17:00 - 2015-04-30 17:00 - 00001189 _____ () C:\WINDOWS\KB2620712.log
2015-04-30 16:59 - 2015-04-30 16:59 - 00004081 _____ () C:\WINDOWS\KB2676562.log
2015-04-30 16:59 - 2015-04-30 16:59 - 00003433 _____ () C:\WINDOWS\KB2803821-v2.log
2015-04-30 16:59 - 2015-04-30 16:59 - 00003410 _____ () C:\WINDOWS\KB3046306.log
2015-04-30 16:59 - 2015-04-30 16:59 - 00003409 _____ () C:\WINDOWS\KB2631813.log
2015-04-30 16:59 - 2015-04-30 16:59 - 00003406 _____ () C:\WINDOWS\KB3046049.log
2015-04-30 16:59 - 2015-04-30 16:59 - 00003333 _____ () C:\WINDOWS\KB3039066.log
2015-04-30 16:59 - 2015-04-30 16:59 - 00003323 _____ () C:\WINDOWS\KB2929961.log
2015-04-30 16:59 - 2015-04-30 16:59 - 00003262 _____ () C:\WINDOWS\KB2705219-v2.log
2015-04-30 16:59 - 2015-04-30 16:59 - 00003173 _____ () C:\WINDOWS\KB2544893-v2.log
2015-04-30 16:59 - 2015-04-30 16:59 - 00003153 _____ () C:\WINDOWS\KB2893294.log
2015-04-30 16:58 - 2015-04-30 16:58 - 00003464 _____ () C:\WINDOWS\KB3030398.log
2015-04-30 16:58 - 2015-04-30 16:58 - 00003160 _____ () C:\WINDOWS\KB3046482.log
2015-04-30 16:58 - 2015-04-30 16:58 - 00003160 _____ () C:\WINDOWS\KB2876217.log
2015-04-30 16:58 - 2015-04-30 16:58 - 00003156 _____ () C:\WINDOWS\KB3023562.log
2015-04-30 16:58 - 2015-04-30 16:58 - 00003155 _____ () C:\WINDOWS\KB3032323.log
2015-04-30 16:58 - 2015-04-30 16:58 - 00003154 _____ () C:\WINDOWS\KB3006226.log
2015-04-30 16:58 - 2015-04-30 16:58 - 00003153 _____ () C:\WINDOWS\KB2957509.log
2015-04-30 16:58 - 2015-04-30 16:58 - 00003152 _____ () C:\WINDOWS\KB3020393.log
2015-04-30 16:58 - 2015-04-30 16:58 - 00003152 _____ () C:\WINDOWS\KB2926765.log
2015-04-30 16:57 - 2015-04-30 16:57 - 00003156 _____ () C:\WINDOWS\KB2898715.log
2015-04-30 16:57 - 2015-04-30 16:57 - 00003155 _____ () C:\WINDOWS\KB2862152.log
2015-04-30 16:57 - 2015-04-30 16:57 - 00003070 _____ () C:\WINDOWS\KB2653956.log
2015-04-30 16:57 - 2015-04-30 16:57 - 00002990 _____ () C:\WINDOWS\KB2922229.log
2015-04-30 16:57 - 2015-04-30 16:57 - 00002987 _____ () C:\WINDOWS\KB2864063.log
2015-04-30 16:57 - 2015-04-30 16:57 - 00002985 _____ () C:\WINDOWS\KB3004361.log
2015-04-30 16:57 - 2015-04-30 16:57 - 00002984 _____ () C:\WINDOWS\KB2598479.log
2015-04-30 16:57 - 2015-04-30 16:57 - 00002910 _____ () C:\WINDOWS\KB2780091.log
2015-04-30 16:57 - 2015-04-30 16:57 - 00002908 _____ () C:\WINDOWS\KB3033889.log
2015-04-30 15:31 - 2015-04-30 15:31 - 00511180 _____ () C:\WINDOWS\msxml6-KB933579-enu-x86.LOG
2015-04-30 15:29 - 2015-04-30 15:29 - 03028352 _____ (Microsoft Corporation) C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB2286198-x86-ENU.exe
2015-04-30 15:26 - 2015-04-30 15:26 - 00000000 ____D () C:\Program Files\RealVNC
2015-04-30 15:26 - 2015-04-30 15:26 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\RealVNC
2015-04-24 09:27 - 2015-04-24 09:27 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\boost_interprocess
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-05-03 12:08 - 2011-05-19 16:49 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2015-05-03 12:07 - 2011-05-19 09:39 - 00500148 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-05-03 12:04 - 2011-05-19 09:25 - 00013646 _____ () C:\WINDOWS\system32\wpa.dbl
2015-05-03 12:03 - 2014-08-21 13:54 - 00000000 ____D () C:\kworking
2015-05-03 12:03 - 2011-05-19 16:49 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-05-03 12:00 - 2011-05-19 16:49 - 00010482 _____ () C:\WINDOWS\Tasks\SchedLgU.Txt
2015-05-03 12:00 - 2011-05-19 16:49 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2015-05-03 12:00 - 2011-05-19 16:43 - 01812776 _____ () C:\WINDOWS\WindowsUpdate.log
2015-05-01 22:55 - 2014-08-20 21:54 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Kaseya
2015-05-01 13:02 - 2011-05-19 17:05 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\LogMeIn
2015-05-01 13:02 - 2011-05-19 17:04 - 00000000 ____D () C:\Program Files\LogMeIn
2015-05-01 12:34 - 2014-09-17 12:52 - 00003430 _____ () C:\WINDOWS\system32\.crusader
2015-04-30 17:00 - 2011-05-20 20:16 - 00000000 ___HD () C:\WINDOWS\$hf_mig$
2015-04-30 17:00 - 2011-05-19 09:38 - 00363038 _____ () C:\WINDOWS\setupapi.log
2015-04-30 16:53 - 2011-05-19 09:31 - 00000000 ____D () C:\WINDOWS\Help
2015-04-30 15:36 - 2011-05-20 20:16 - 00027309 _____ () C:\WINDOWS\KB958644.log
2015-04-28 09:46 - 2015-03-07 11:57 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\wor
2015-04-28 09:46 - 2015-01-28 06:17 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\LDTUDY
 
Some content of TEMP:
====================
C:\Documents and Settings\Administrator\Local Settings\Temp\nircmd.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\TeraCopy.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\wget.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.
 

 

==================== End Of Log ============================

Edited by AtariBaby, 03 May 2015 - 02:16 PM.
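The Fixlog above records three changes FRST reverted on this host: a Debugger value under Image File Execution Options for some thirty security and analysis tools (each key deleted), three randomly named services (efhemupqe, haspo, mgrzgrczu) that all pointed svchost's netsvcs group at the same unsigned C:\WINDOWS\system32\ztwfm.dll (the file HitmanPro later flags as Win32.Worm.Downadup.Gen), and a rewritten Winsock Catalog5 provider LibraryPath. The PowerShell below is an added example for checking a live Windows host for those same three patterns; it is not code from this thread, from FRST or from HitmanPro, and nobody in the thread posted it. It assumes an elevated PowerShell 3.0 or later session on a current Windows build (it would not run on this Server 2003 box as-is) and the standard registry locations for IFEO, SvcHost and WinSock2. One caveat the post-fix scan itself illustrates: after the fix FRST reports %SystemRoot%\system32\NLAapi.dll as "File Not found" because that DLL only ships with Vista and later, so the Winsock check reports whether each provider DLL exists and is signed instead of expecting a particular filename.

```powershell
# Added example, not code from the BleepingComputer thread or from FRST/HitmanPro.
# Reports the three persistence / defence-evasion mechanisms the Fixlog above reverted.
# Assumes: Windows with PowerShell 3.0+, run from an elevated prompt.

$ErrorActionPreference = 'SilentlyContinue'

function Get-FileTrust {
    # Resolve an ImagePath/ServiceDll-style string to a file and describe its signature.
    param([string]$RawPath)
    $path = [Environment]::ExpandEnvironmentVariables($RawPath).Trim('"')
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Path = $path; Exists = $false; Signature = 'FileMissing'; Signer = $null }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Path      = $path
        Exists    = $true
        Signature = $sig.Status.ToString()        # Valid, NotSigned, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject
    }
}

# 1. IFEO Debugger hijacks.  A Debugger value under IFEO\<name>.exe makes the loader
#    start that program instead of <name>.exe; the Fixlog shows ~30 such keys for
#    AV, anti-malware and analysis tools (mbam.exe, avp.exe, wireshark.exe ...).
function Get-IfeoDebuggerEntries {
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($key in Get-ChildItem -Path $ifeo) {
        $debugger = (Get-ItemProperty -Path $key.PSPath).Debugger
        if ($debugger) {
            [pscustomobject]@{ Target = $key.PSChildName; Debugger = $debugger }
        }
    }
}

# 2. DLL-hosted services in svchost's netsvcs group.  Each member name maps to
#    Services\<name>\Parameters\ServiceDll, which svchost.exe loads in-process;
#    several random names sharing one unsigned DLL is the pattern in the Fixlog.
function Get-NetsvcsServiceDlls {
    $members = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost').netsvcs
    $rows = foreach ($name in $members) {
        $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters"
        $dll = (Get-ItemProperty -Path $params).ServiceDll
        if (-not $dll) { continue }      # listed in the group but not installed, or not a DLL service
        $trust = Get-FileTrust -RawPath $dll
        [pscustomobject]@{
            Service    = $name
            ServiceDll = $trust.Path
            Signature  = $trust.Signature
            Signer     = $trust.Signer
        }
    }
    # A DLL registered under more than one service name is itself a red flag.
    $sharedDlls = $rows | Group-Object -Property ServiceDll |
                  Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Name }
    foreach ($row in $rows) {
        $row | Add-Member -NotePropertyName SharedDll `
                          -NotePropertyValue ($sharedDlls -contains $row.ServiceDll) -PassThru
    }
}

# 3. Winsock namespace providers (Catalog5), the catalog FRST edited above.
function Get-WinsockNamespaceProviders {
    $cat = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries'
    foreach ($entry in Get-ChildItem -Path $cat) {
        $props = Get-ItemProperty -Path $entry.PSPath
        $trust = Get-FileTrust -RawPath $props.LibraryPath
        [pscustomobject]@{
            Entry       = $entry.PSChildName
            Display     = $props.DisplayString
            LibraryPath = $trust.Path
            Signature   = $trust.Signature
        }
    }
}

"== IFEO Debugger values (any entry here deserves a look) =="
Get-IfeoDebuggerEntries | Format-Table -AutoSize

"== netsvcs members whose ServiceDll is unsigned, missing, or shared =="
Get-NetsvcsServiceDlls | Where-Object { $_.Signature -ne 'Valid' -or $_.SharedDll } | Format-Table -AutoSize

"== Winsock Catalog5 providers whose DLL is unsigned or missing =="
Get-WinsockNamespaceProviders | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

Two notes on reading the output. Legitimate software occasionally sets an IFEO Debugger value (a debugger you installed, or an enterprise tool), so the first table lists every entry rather than deciding for you; a Debugger value on an anti-malware executable with no such tool installed is the case in this thread. On older Windows and PowerShell builds Get-AuthenticodeSignature does not consult the catalog store, so catalog-signed Microsoft system DLLs can show as NotSigned; confirm such rows with a catalog-aware checker before treating them as findings, and treat FileMissing the way FRST did above, as a reference to clean up, not as malware on its own.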


#6 xXToffeeXx (Malware Response Instructor)

Posted 03 May 2015 - 03:05 PM

Hi AtariBaby,

How is the server running? Do Malwarebytes and HitmanPro still report malware?

xXToffeeXx~




#7 AtariBaby (Topic Starter)

Posted 03 May 2015 - 04:31 PM

Hi

Two things:

1. I have been chasing this problem around a couple of computers in the office. Should I start a new thread to get help with the other one, or post here? I think this stuff has been jumping around. The newer computers seem to be okay after rigorous removal attempts, but one XP machine is acting similarly.

2. HitmanPro did find one "worm". It wants to reboot to finish deletion, but I have to wait until an appropriate time to do so. Its log is here:
HitmanPro 3.7.9.240
www.hitmanpro.com
 
   Computer name . . . . : SVCTAG-HMPHCP1
   Windows . . . . . . . : 5.2.2.3790.X86/4
   User name . . . . . . : SVCTAG-HMPHCP1\Administrator
   License . . . . . . . : Paid (137 days left)
 
   Scan date . . . . . . : 2015-05-03 14:22:49
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 46s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
 
   Threats . . . . . . . : 1
   Traces  . . . . . . . : 4
 
   Objects scanned . . . : 218,501
   Files scanned . . . . : 4,950
   Remnants scanned  . . : 21,911 files / 191,640 keys
 
Malware _____________________________________________________________________
 
   C:\WINDOWS\system32\ztwfm.dll
      Size . . . . . . . : 164,347 bytes
      Age  . . . . . . . : 2937.2 days (2007-04-18 09:25:36)
      Entropy  . . . . . : 7.9
      SHA-256  . . . . . : 02195FC4D719FAA8002B4157D2C912ECE7B1E7149BF4B45EEA760304EFBDF2CC
    > G Data . . . . . . : Win32.Worm.Downadup.Gen (Engine-A)
      Fuzzy  . . . . . . : 123.0
 
 
Suspicious files ____________________________________________________________
 
   C:\Documents and Settings\Administrator\Desktop\FRST.exe
      Size . . . . . . . : 1,140,736 bytes
      Age  . . . . . . . : 2.1 days (2015-05-01 13:01:23)
      Entropy  . . . . . : 8.0
      SHA-256  . . . . . : ECA4F08D2CFBDC6546CF506723427D8DA5A6F9CFA56BB55DB7C8F604635AFD25
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      References
         HKU\S-1-5-21-3278006748-4131657999-3033233441-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Administrator\Desktop\FRST.exe
      Forensic Cluster
         -36.8s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Mozilla Firefox\updates\0\update.status
         -36.3s C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\webapps\webapps.json
         -35.0s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\DB432750B5803B35CAB38D2E73F3305207060F1E
         -35.0s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\1C40B430263888E04BF8436916B4E15447757755
         -30.5s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\B1C7FD804F71964C5EA2082FA929FA6C76150CFD
         -28.9s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\DF5645BA0177C9F0871569CD3476A4F9CE0D7769
         -28.7s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\123A5F3CFF062101DF37149EEFBA78FFB2B5381D
         -28.7s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\B940A29B14942B72836F85566870C2B094E5D8CE
         -28.7s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\A9F0F2F2409AA5DB7030E741E600F96AC301B5F8
         -28.6s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\15A0EDC0D589FEA363948F2F5D52267F1B5BE369
         -28.6s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\211DACEBCE79BCEA6F149A43AE79CC7C476CB859
         -28.4s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\FD6037B860360EC7D0768F5694876024D81F503F
         -28.3s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\DA5C7A16B154BD6841981708A734D28C1199D0E2
         -28.3s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\EE5749AA65B97C7399480A2604A0EF530FBBED14
         -28.3s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\1BE8DF3028E4A2BA92741D47B4861B69455AF499
         -28.3s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\12FFD5FF89E470BB4A176A9089B63408E347E93C
         -28.3s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\999C852C9E1472E724696F4BE06C1BFC6B9BCCA8
         -28.3s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\ABB898AB73F6059FAF229B0B12D276E8898CC2D7
         -28.2s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\47A6F0FA2D0F23467B9F9F5AF722C41B71B74E99
         -28.2s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\A01B3C31B9057290C1D7B844149EC45899239D32
         -28.2s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\98AD08CF520EB769850461AEA5AF485C373969A8
         -28.2s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\39CC8AA9054EC6244CA281EEA4BD937517E2861D
         -28.1s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\11B2FBD3031745CCE81CDFE784E09926D6B2059E
         -28.1s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\64E47DCEA12EC237CDD40D100FFEED0AE39CFEDD
         -28.1s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\E36C78544AA7937A5125BB7C6C70667C0765B120
         -28.1s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\E21F0EFF8DF77DFB7F21FA7BCE7F16AF6DF74BA0
         -28.1s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\05897DFFE05C6A7E565D75F9E656F7356FA0745F
         -27.9s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\C2AB2ED0767EE16F1A61AD62E4BCA1A23EF007F1
         -27.8s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\FB4D1C5F36CCD48FF901A47289298D73E648DC38
         -27.7s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\E62A837C98F251D00802FEE2D79B5B63A837E5F5
         -27.7s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\EA98F652F801293635583D460E1558C290AB8706
         -27.6s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\E24458271EC96AFD4244A695B2DE1DE24DE910C7
         -27.6s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\60CA8A297AD53F35CB7F6D20086656B8AE60FE1F
         -27.6s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\48FD2CA992BE418382997A5FEFE1EA8280B1452B
         -27.6s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\66961B0C77796D7C2026A81A125FDDBD571CCF0F
         -27.5s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\9B243ECA8B1103A0FF09DF30474D09BD0F0CA0D1
         -27.5s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\914D33D93A3702B6E10517D04FA3BB0858CF3B86
         -27.5s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\1D30C758D28733C25C2DCBFC42C23623EA122102
         -27.5s C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cache2\entries\6D5C9785876A86B701EDE49021BE9A1CDF872B18
          0.0s C:\Documents and Settings\Administrator\Desktop\FRST.exe
         20.0s C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\crashes\store.json.mozlz4
 
 
Cookies _____________________________________________________________________
 
   C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lb2xj0n7.default\cookies.sqlite:doubleclick.net
 
 
I


#8 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:03:28 AM

Posted 04 May 2015 - 06:11 AM

Hi AtariBaby,
 
I see you opened a topic for another computer, it does indeed have the same worm infection. I replied to it.
 
If you remove and then reboot, is that file still found? :)
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#9 AtariBaby

AtariBaby
  • Topic Starter

  • Members
  • 21 posts
  • Local time:07:28 PM

Posted 04 May 2015 - 01:28 PM

Hi

 

I have to report that the same worm and only that worm is listed after removal/reboot/rescan with Hitman Pro.

 

Gregory


Edited by AtariBaby, 04 May 2015 - 01:28 PM.


#10 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:03:28 AM

Posted 06 May 2015 - 02:28 PM

Hi AtariBaby,
 
Let's see if this tool will do it.
 
Blitzblank is a powerful tool and care must be taken to follow the steps carefully. Please note the warning you will receive when the program is launched.

  • Download Blitzblank and save it to your Desktop
  • Double click the icon and select Run
  • Click OK on the warning screen
  • Click the Script tab
  • Copy and paste the following inside the script window
DeleteFile:
C:\WINDOWS\system32\ztwfm.dll
  • Click Execute Now
  • Click OK on the warning window
  • Click OK on the System reboot window
  • You will see a black screen with writing on it indicating the actions being taken
  • Locate C:\blitzblank.txt and copy and paste the contents of that document in your reply

xXToffeeXx~




#11 AtariBaby

AtariBaby
  • Topic Starter

  • Members
  • 21 posts
  • Local time:07:28 PM

Posted 06 May 2015 - 04:11 PM

 
BlitzBlank 1.0.0.32
 
File/Registry Modification Engine native application
MoveFileOnReboot: sourceFile = "\??\c:\windows\system32\ztwfm.dll", destinationFile = "(null)", replaceWithDummy = 0
 
 
NOTE: HitmanPro reports no threats found!  :guitar:


#12 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:03:28 AM

Posted 07 May 2015 - 10:02 AM

Hi AtariBaby,
 
Great, looks like the worm is gone :)
 
Download Emsisoft Emergency Kit and save it to your desktop. Double click on EmsisoftEmergencyKit.exe to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click Accept & Extract. A folder named EEK will be created in the root of the drive (usually c:\).

  • After extraction an Emsisoft Emergency Kit window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner. On the main screen click the Scan Now button.
  • Select the Full Scan option and click the SCAN button.
  • When the scan is finished click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click on the most recent log. Note, logs are named as follows: a2scan_<date>-<time>.txt.
  • Copy/paste the report contents in your next reply.

xXToffeeXx~




#13 AtariBaby

AtariBaby
  • Topic Starter

  • Members
  • 21 posts
  • Local time:07:28 PM

Posted 07 May 2015 - 01:37 PM

I spoke too soon. It appears to have returned. Also, it seems I'm unable to go directly to the link above. I also cannot use the download link at http://www.bleepingcomputer.com/download/emsisoft-emergency-kit/dl/102/. Firefox and IE both just give generic "webpage cannot be displayed" messages.



#14 AtariBaby

AtariBaby
  • Topic Starter

  • Members
  • 21 posts
  • Local time:07:28 PM

Posted 07 May 2015 - 03:15 PM

I was able to get it from the other computer I had downloaded it to, but it says it can't connect to server during update. I appear to reach most other websites fine and without redirects, that I can detect.



#15 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:03:28 AM

Posted 09 May 2015 - 12:14 PM

Hi AtariBaby,
 
Strange that EEK cannot connect.

  • Double click the blitzblank icon and select Run
  • Click OK on the warning screen
  • Click the Script tab
  • Copy and paste the following inside the script window
DeleteFile: [ReplaceWithDummy]
C:\WINDOWS\system32\ztwfm.dll
  • Click Execute Now
  • Click OK on the warning window
  • Click OK on the System reboot window
  • You will see a black screen with writing on it indicating the actions being taken
  • Locate C:\blitzblank.txt and copy and paste the contents of that document in your reply

xXToffeeXx~


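An added example (not code from the thread, from BlitzBlank or from Emsisoft): a small Python helper that parses the `MoveFileOnReboot` line from the blitzblank.txt output posted above and, after the reboot, tells whether the targeted file stayed gone, whether a planted placeholder is still intact, or whether something rewrote it, which is the sign that the worm is still active. The placeholder content and the stand-in bytes are constructed for the demo; the placeholder is written by this script, not by BlitzBlank's own ReplaceWithDummy option.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# The BlitzBlank log line exactly as posted in the thread.
SAMPLE_LOG_LINE = (
    'MoveFileOnReboot: sourceFile = "\\??\\c:\\windows\\system32\\ztwfm.dll", '
    'destinationFile = "(null)", replaceWithDummy = 0'
)

# Constructed placeholder content; any fixed bytes work, a known hash makes the
# later check deterministic.
DUMMY_CONTENT = b"placeholder written during cleanup; not the original file\n"
DUMMY_SHA1 = hashlib.sha1(DUMMY_CONTENT).hexdigest()

_LOG_RE = re.compile(
    r'MoveFileOnReboot: sourceFile = "(?P<src>[^"]*)", '
    r'destinationFile = "(?P<dst>[^"]*)", replaceWithDummy = (?P<dummy>[01])'
)


def parse_blitzblank_line(line):
    """Extract the scheduled action from a MoveFileOnReboot log line.

    A "(null)" destination means the file is deleted at boot; the leading
    \\??\\ is the NT object-manager prefix and is stripped to get a Win32 path.
    """
    m = _LOG_RE.search(line)
    if not m:
        return None
    src = m.group("src")
    if src.startswith("\\??\\"):
        src = src[4:]
    dst = None if m.group("dst") == "(null)" else m.group("dst")
    return {
        "source": src,
        "destination": dst,
        "action": "delete" if dst is None else "move",
        "replace_with_dummy": m.group("dummy") == "1",
    }


def sha1_of(path):
    """SHA-1 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_dummy(path):
    """Write the known placeholder at `path` (hypothetical stand-in for a dummy)."""
    p = Path(path)
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(DUMMY_CONTENT)
    return DUMMY_SHA1


def classify(path):
    """'missing' = stayed deleted, 'dummy-intact' = placeholder untouched,
    'overwritten' = some process recreated the file (reinfection indicator)."""
    if not os.path.exists(path):
        return "missing"
    return "dummy-intact" if sha1_of(path) == DUMMY_SHA1 else "overwritten"


def demo():
    """Walk through the three states in a scratch directory; returns them in order."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "ztwfm.dll")
        states = [classify(target)]          # nothing there yet -> "missing"
        plant_dummy(target)
        states.append(classify(target))      # placeholder untouched -> "dummy-intact"
        # Constructed bytes standing in for a file the worm dropped back.
        Path(target).write_bytes(b"MZ\x90\x00 constructed stand-in for a dropped file")
        states.append(classify(target))      # rewritten -> "overwritten"
    return states


if __name__ == "__main__":
    print(parse_blitzblank_line(SAMPLE_LOG_LINE))
    print(demo())
```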




