w32.sality!dr virus removal help [Closed]


  • This topic is locked

#1
andrewm00

    New Member

  • Member
  • 2 posts
Hello,

I need some help getting rid of a virus on a Server 2008 R2 x64 domain controller/file server.

I'm using Symantec Endpoint Protection Small Business 2013.

Symantec finds and removes/quarantines the file, but it keeps coming back. As a test, I disconnected the internet, deleted the infected file and it did not reappear. As soon as I plugged the internet back in, the file reappeared.

I rebuilt the hosts file using hoster.exe and made the file

The file names show as xskd.exe, cjxnd.exe, vmeil.exe. When checking the properties of the files, it shows the owners as different people on the network, i.e. one time it showed a user's name; I deleted the file, it reappeared and showed the administrator as the owner instead.

I've tried numerous other programs, such as Malwarebytes, TDSSKiller, SEP Support Tool, AVG, Avast, ComboFix, HijackThis, etc. Symantec Endpoint seems to be the only program so far that blocks the infection.

I used Process Explorer to try and get more info on the infected files, but it will not see or find the infected files listed above.

The other workstations in the environment have Endpoint 2013 installed as well and do not show this infection. On the server, the C:\ appears clean; just the D:\ is showing the infections.

The Windows firewall is enabled and the router's built-in firewall is active as well.

Any thoughts or suggestions on how to get this removed will be greatly appreciated!

Below is the log from OTL:

OTL logfile created on: 11/12/2012 1:12:55 PM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\administrator.RTC\Desktop\Anti Virus
64bit- Server Standard Edition (full installation) Service Pack 1 (Version = 6.1.7601) - Type = NTDomainController
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

10.00 Gb Total Physical Memory | 7.70 Gb Available Physical Memory | 77.06% Memory free
19.99 Gb Paging File | 18.54 Gb Available in Paging File | 92.71% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 68.23 Gb Total Space | 45.37 Gb Free Space | 66.50% Space Free | Partition Type: NTFS
Drive D: | 341.66 Gb Total Space | 271.54 Gb Free Space | 79.48% Space Free | Partition Type: NTFS

Computer Name: RTC-CINCY | User Name: administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/11/12 13:10:15 | 000,022,016 | ---- | M] (WhitSoft Development) -- c:\ems_temp\kf51575.exe
PRC - [2012/11/12 12:01:18 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\administrator.RTC\Desktop\Anti Virus\OTL.exe
PRC - [2012/10/30 09:39:19 | 000,136,784 | ---- | M] (Cisco WebEx LLC) -- C:\Windows\SysWOW64\atashost.exe
PRC - [2012/10/12 14:32:58 | 000,138,272 | R--- | M] (Symantec Corporation) -- C:\Program Files\Symantec.cloud\PlatformAgent32\ccSvcHst.exe
PRC - [2012/10/12 12:10:04 | 000,196,608 | ---- | M] (Kaseya) -- c:\ems_temp\KORepStatus.exe
PRC - [2012/10/12 12:10:04 | 000,196,608 | ---- | M] (Kaseya) -- c:\ems_temp\KORepCln.exe
PRC - [2012/10/08 17:44:47 | 000,212,992 | ---- | M] (Kaseya International Limited) -- c:\ems_temp\KRlyCLis.exe
PRC - [2012/10/08 17:42:17 | 000,196,608 | ---- | M] (Kaseya International Limited) -- c:\ems_temp\KRlyCCon.exe
PRC - [2012/05/16 06:58:52 | 000,484,816 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec.cloud\AntiVirus\SEPAgent.exe
PRC - [2012/03/21 16:50:54 | 000,409,600 | ---- | M] (Kaseya International Limited) -- C:\Program Files (x86)\Kaseya\EMRMNG80234260341244\KaUsrTsk.exe
PRC - [2012/03/21 16:50:46 | 000,856,064 | ---- | M] (Kaseya International Limited) -- C:\Program Files (x86)\Kaseya\EMRMNG80234260341244\AgentMon.exe
PRC - [2011/06/29 18:04:50 | 000,386,864 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2011/06/29 18:02:26 | 001,894,280 | ---- | M] (Acronis) -- c:\Program Files (x86)\Common Files\Acronis\Agent\agent.exe
PRC - [2011/06/29 17:44:26 | 004,599,152 | ---- | M] (Acronis) -- c:\Program Files (x86)\Acronis\BackupAndRecovery\mms.exe
PRC - [2011/06/29 17:39:06 | 000,953,320 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\Timounter\TimounterMonitor.exe
PRC - [2009/09/17 18:56:58 | 002,477,304 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec.cloud\EndpointProtectionAgent\Rtvscan.exe
PRC - [2009/09/17 18:55:12 | 000,050,544 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec.cloud\EndpointProtectionAgent\ProtectionUtilSurrogate.exe
PRC - [2009/09/17 18:27:16 | 000,353,608 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec.cloud\EndpointProtectionAgent\SescLU.exe
PRC - [2009/07/24 23:32:40 | 000,312,736 | ---- | M] (RealVNC Ltd.) -- C:\Program Files (x86)\RealVNC\VNC4\vncclipboard.exe
PRC - [2009/07/24 23:32:34 | 001,492,344 | ---- | M] (RealVNC Ltd.) -- C:\Program Files (x86)\RealVNC\VNC4\winvnc4.exe
PRC - [2009/07/08 20:14:40 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
PRC - [2009/07/08 20:14:20 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2007/08/02 01:29:44 | 000,032,768 | ---- | M] (SHARP CORPORATION) -- C:\Program Files (x86)\Sharp\Sharpdesk\SharpTray.exe
PRC - [2007/07/25 17:29:28 | 000,692,224 | ---- | M] (SHARP CORPORATION) -- C:\Program Files (x86)\Sharp\Sharpdesk\FTPServer.exe
PRC - [2007/07/25 17:26:56 | 000,544,768 | ---- | M] (SHARP CORPORATION) -- C:\Program Files (x86)\Sharp\Sharpdesk\nsapp.exe


========== Modules (No Company Name) ==========

MOD - [2011/11/07 13:21:10 | 000,925,696 | ---- | M] () -- C:\Program Files (x86)\Kaseya\EMRMNG80234260341244\libkacm.dll
MOD - [2007/07/25 17:40:06 | 000,565,248 | ---- | M] () -- C:\Program Files (x86)\Sharp\Sharpdesk\SCprMfpif.dll
MOD - [2007/07/25 17:34:08 | 000,006,144 | ---- | M] () -- C:\Program Files (x86)\Sharp\Sharpdesk\discoveryps.dll
MOD - [2007/07/25 17:32:32 | 000,200,704 | ---- | M] () -- C:\Program Files (x86)\Sharp\Sharpdesk\NSSoap.dll
MOD - [2007/07/25 17:29:40 | 000,212,992 | ---- | M] () -- C:\Program Files (x86)\Sharp\Sharpdesk\FtpServerps.dll


========== Services (SafeList) ==========

SRV:64bit: - [2012/10/12 14:33:00 | 000,191,856 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec.cloud\PlatformAgent\ccSvcHst.exe -- (SsPaAdm)
SRV:64bit: - [2012/10/12 14:32:58 | 000,138,272 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec.cloud\PlatformAgent32\ccSvcHst.exe -- (ssPaSetMgr)
SRV:64bit: - [2012/05/16 06:58:52 | 000,484,816 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec.cloud\AntiVirus\SEPAgent.exe -- (ssSpnAv)
SRV:64bit: - [2011/12/26 01:45:13 | 000,696,832 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\dns.exe -- (DNS)
SRV:64bit: - [2010/11/20 22:25:21 | 001,020,416 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\ntfrs.exe -- (NtFrs)
SRV:64bit: - [2010/11/20 22:24:34 | 003,489,792 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\srmsvc.dll -- (SrmSvc)
SRV:64bit: - [2010/11/20 22:24:34 | 000,729,088 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\dhcpssvc.dll -- (DHCPServer)
SRV:64bit: - [2010/11/20 22:24:34 | 000,343,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\WSDScanRepository.dll -- (ScanServer)
SRV:64bit: - [2010/11/20 22:24:34 | 000,076,288 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\srmhost.exe -- (SrmReports)
SRV:64bit: - [2010/11/20 22:24:30 | 004,518,400 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\dfsrs.exe -- (DFSR)
SRV:64bit: - [2010/11/20 22:24:30 | 000,377,344 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\dfssvc.exe -- (Dfs)
SRV:64bit: - [2010/11/20 22:24:30 | 000,059,392 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\ismserv.exe -- (IsmServ)
SRV:64bit: - [2009/09/17 18:56:58 | 002,477,304 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec.cloud\EndpointProtectionAgent\Rtvscan.exe -- (Symantec AntiVirus)
SRV:64bit: - [2009/09/17 18:37:56 | 003,197,256 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec.cloud\EndpointProtectionAgent\Smc.exe -- (SmcService)
SRV:64bit: - [2009/09/17 17:22:16 | 000,411,976 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec.cloud\EndpointProtectionAgent\SNAC64.EXE -- (SNAC)
SRV:64bit: - [2009/07/13 20:41:53 | 000,014,848 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\sacsvr.dll -- (sacsvr)
SRV:64bit: - [2009/07/13 20:40:52 | 000,025,600 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\FCRegSvc.dll -- (FCRegSvc)
SRV:64bit: - [2009/07/13 20:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2009/07/13 20:39:31 | 000,091,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\rsopprov.exe -- (RSoPProv)
SRV - [2012/10/30 09:39:19 | 000,136,784 | ---- | M] (Cisco WebEx LLC) [Auto | Running] -- C:\Windows\SysWOW64\atashost.exe -- (atashost)
SRV - [2012/03/21 16:50:46 | 000,856,064 | ---- | M] (Kaseya International Limited) [Auto | Running] -- C:\Program Files (x86)\Kaseya\EMRMNG80234260341244\AgentMon.exe -- (KAEMRMNG80234260341244)
SRV - [2011/06/29 18:06:06 | 001,083,800 | ---- | M] (Acronis) [Auto | Running] -- c:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2011/06/29 18:02:26 | 001,894,280 | ---- | M] (Acronis) [Auto | Running] -- c:\Program Files (x86)\Common Files\Acronis\Agent\agent.exe -- (AcronisAgent)
SRV - [2011/06/29 17:44:26 | 004,599,152 | ---- | M] (Acronis) [Auto | Running] -- c:\Program Files (x86)\Acronis\BackupAndRecovery\mms.exe -- (MMS)
SRV - [2010/11/20 22:25:07 | 000,487,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe -- (ADWS)
SRV - [2009/07/24 23:32:34 | 001,492,344 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- C:\Program Files (x86)\RealVNC\VNC4\winvnc4.exe -- (WinVNC4)
SRV - [2009/07/13 12:06:15 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2009/07/08 20:14:20 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2009/07/08 20:14:20 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012/11/07 11:30:00 | 000,172,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS -- (SymEvent)
DRV:64bit: - [2012/10/12 10:37:53 | 000,971,360 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\timntr.sys -- (timounter)
DRV:64bit: - [2012/10/12 10:37:51 | 000,272,480 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\snapman.sys -- (snapman)
DRV:64bit: - [2012/03/01 01:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/06/23 10:09:02 | 000,030,792 | ---- | M] (Kaseya) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\KAPFA.sys -- (KAPFA)
DRV:64bit: - [2011/03/11 01:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 01:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/20 22:24:30 | 000,066,944 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\dfsrro.sys -- (DfsrRo)
DRV:64bit: - [2010/11/20 22:24:30 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 22:24:00 | 000,181,760 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Vid.sys -- (Vid)
DRV:64bit: - [2010/11/20 22:24:00 | 000,120,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\storvsp.sys -- (storvsp)
DRV:64bit: - [2010/11/20 22:24:00 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 22:24:00 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
DRV:64bit: - [2010/11/20 22:24:00 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2009/08/25 20:05:48 | 000,032,304 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\srtspx64.sys -- (SRTSPX)
DRV:64bit: - [2009/08/25 20:05:46 | 000,481,840 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\srtspl64.sys -- (SRTSPL)
DRV:64bit: - [2009/08/25 20:05:44 | 000,443,952 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\SysNative\drivers\srtsp64.sys -- (SRTSP)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:47:48 | 000,051,776 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\Windows\SysNative\drivers\dfs.sys -- (DfsDriver)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 20:45:46 | 000,168,016 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\quota.sys -- (Quota)
DRV:64bit: - [2009/07/13 20:45:45 | 000,096,320 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\drivers\sacdrv.sys -- (sacdrv)
DRV:64bit: - [2009/07/13 20:45:45 | 000,079,936 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\datascrn.sys -- (Datascrn)
DRV:64bit: - [2009/07/13 19:39:20 | 000,023,040 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV:64bit: - [2009/06/10 15:35:30 | 000,035,328 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\qd260x64.sys -- (ioatdma)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:26 | 000,071,680 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\bxnd60a.sys -- (l2nd)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV - [2012/10/18 07:47:26 | 002,084,000 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20121111.008\ex64.sys -- (NAVEX15)
DRV - [2012/10/18 07:47:26 | 000,484,512 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys -- (eeCtrl)
DRV - [2012/10/18 07:47:26 | 000,138,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/10/18 07:47:26 | 000,126,112 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20121111.008\eng64.sys -- (NAVENG)
DRV - [2012/10/12 14:33:00 | 000,167,072 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysWOW64\drivers\Symantec.cloud\ccSetx64.sys -- (ccSet_Cloud)
DRV - [2009/08/25 20:05:48 | 000,032,304 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysWOW64\drivers\srtspx64.sys -- (SRTSPX)
DRV - [2009/08/25 20:05:46 | 000,481,840 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\srtspl64.sys -- (SRTSPL)
DRV - [2009/08/25 20:05:44 | 000,443,952 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\SysWOW64\drivers\srtsp64.sys -- (SRTSP)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/SoftAdmin.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/SoftAdmin.htm
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 192.168.10.*




O1 HOSTS File: ([2012/11/12 13:11:16 | 000,000,686 | R--- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4:64bit: - HKLM..\Run: [Acronis Scheduler2 Service] c:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4:64bit: - HKLM..\Run: [SymantecPaui] C:\Program Files\Symantec.cloud\PlatformAgent\PAUI.exe (Symantec Corporation)
O4 - HKLM..\Run: [AcronisTimounterMonitor] c:\Program Files (x86)\Common Files\Acronis\Timounter\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [ccApp] C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [FtpServer.exe] C:\Program Files (x86)\Sharp\Sharpdesk\FtpServer.exe (SHARP CORPORATION)
O4 - HKLM..\Run: [IndexTray] C:\Program Files (x86)\Sharp\Sharpdesk\IndexTray.exe (SHARP CORPORATION)
O4 - HKLM..\Run: [KASHEMRMNG80234260341244] C:\Program Files (x86)\Kaseya\EMRMNG80234260341244\KaUsrTsk.exe (Kaseya International Limited)
O4 - HKLM..\Run: [SharpTray] C:\Program Files (x86)\Sharp\Sharpdesk\SharpTray.exe (SHARP CORPORATION)
O4 - HKLM..\Run: [TypeRegChecker] C:\Program Files (x86)\Sharp\Sharpdesk\TypeRegChecker.exe (SHARP CORPORATION)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ShowSuperHidden = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 0
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} http://netwatch.emer...c/kaxRemote.dll (kasRmtHlp Class)
O16 - DPF: {B65B1DCC-D421-4F3C-8F8F-909BDD967120} http://netwatch.emer...uginManager.cab (PluginManager Class)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://symantec.web...rt/ieatgpc1.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = RTC.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8A63EE45-BE58-4760-9BA9-1CAEA3BD1765}: Domain = rtc.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8A63EE45-BE58-4760-9BA9-1CAEA3BD1765}: NameServer = 127.0.0.1,192.168.1.2
O18:64bit: - Protocol\Handler\sds - No CLSID value found
O18 - Protocol\Handler\sds {79E0F14C-9C52-4218-89A7-7C4B0563D121} - C:\Program Files (x86)\Sharp\Sharpdesk\ExplorerExtensions.dll (SHARP CORPORATION)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O29:64bit: - HKLM SecurityProviders - (pwdssp.dll) - File not found
O29 - HKLM SecurityProviders - (pwdssp.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/11/09 14:01:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2012/11/09 14:01:14 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/11/07 11:29:53 | 000,172,592 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS
[2012/11/07 11:29:46 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2012/11/07 11:28:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Symantec
[2012/11/07 11:28:37 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2012/11/07 11:28:37 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Symantec Shared
[2012/11/07 11:00:47 | 000,000,000 | -HSD | C] -- C:\Windows\SysWow64\%APPDATA%
[2012/10/30 09:43:58 | 000,000,000 | ---D | C] -- C:\Users\administrator.RTC\AppData\Roaming\SPE
[2012/10/30 09:39:26 | 000,219,216 | ---- | C] (Cisco WebEx LLC) -- C:\Windows\SysWow64\atsckernel.exe
[2012/10/30 09:39:25 | 000,136,784 | ---- | C] (Cisco WebEx LLC) -- C:\Windows\SysWow64\atashost.exe
[2012/10/30 09:38:50 | 000,000,000 | ---D | C] -- C:\ProgramData\WebEx
[2012/10/30 07:56:55 | 000,000,000 | ---D | C] -- C:\Users\administrator.RTC\AppData\Local\NPE
[2012/10/30 07:56:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
[2012/10/29 12:55:46 | 000,000,000 | ---D | C] -- C:\Users\administrator.RTC\AppData\Local\Symantec
[2012/10/29 12:53:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Symantec
[2012/10/29 12:53:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Symantec.cloud
[2012/10/29 12:52:57 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\drivers\Symantec.cloud
[2012/10/29 12:52:56 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec.cloud
[2012/10/29 12:35:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Symantec Hosted Services
[2012/10/29 12:22:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Symantec.cloud
[2012/10/24 09:12:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2012/10/24 09:12:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2012/10/15 14:49:37 | 000,000,000 | ---D | C] -- C:\Users\administrator.RTC\AppData\Roaming\Macromedia
[2012/10/15 14:49:35 | 000,000,000 | ---D | C] -- C:\Users\administrator.RTC\AppData\Roaming\Adobe
[2012/10/15 14:49:25 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Macromed
[2012/10/15 14:49:23 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Macromed
[2012/10/15 14:48:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Adobe

========== Files - Modified Within 30 Days ==========

[2012/11/12 13:11:16 | 000,000,686 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012/11/12 05:31:48 | 000,021,344 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/11/12 05:31:48 | 000,021,344 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/11/08 10:45:21 | 000,787,988 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/11/08 10:45:21 | 000,671,188 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/11/08 10:45:21 | 000,120,238 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/11/08 10:37:34 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/11/07 11:30:00 | 000,172,592 | ---- | M] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS
[2012/11/07 11:30:00 | 000,007,440 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.CAT
[2012/11/07 11:30:00 | 000,000,855 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.INF
[2012/11/01 07:43:35 | 000,001,994 | -H-- | M] () -- C:\Users\administrator.RTC\Documents\Default.rdp
[2012/10/30 09:39:19 | 000,136,784 | ---- | M] (Cisco WebEx LLC) -- C:\Windows\SysWow64\atashost.exe
[2012/10/30 09:39:17 | 000,219,216 | ---- | M] (Cisco WebEx LLC) -- C:\Windows\SysWow64\atsckernel.exe
[2012/10/29 12:22:51 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/10/29 12:16:31 | 000,804,738 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI

========== Files Created - No Company Name ==========

[2012/11/07 11:29:53 | 000,007,440 | ---- | C] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.CAT
[2012/11/07 11:29:53 | 000,000,855 | ---- | C] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.INF
[2012/10/22 13:12:55 | 000,001,945 | ---- | C] () -- C:\Windows\epplauncher.mif
[2012/10/22 13:12:42 | 000,804,738 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/10/12 10:49:17 | 000,323,072 | ---- | C] () -- C:\Windows\SysWow64\hpcc3121.dll
[2012/10/12 09:45:18 | 000,421,286 | ---- | C] () -- C:\Users\administrator.RTC\AppData\Roaming\fontlst2.opf
[2012/10/08 20:12:07 | 000,002,412 | RHS- | C] () -- C:\ProgramData\ntuser.pol

========== ZeroAccess Check ==========

[2009/07/13 23:58:08 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012/06/09 00:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 23:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 20:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 22:24:24 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 20:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2012/10/09 18:04:32 | 000,000,000 | ---D | M] -- C:\Users\administrator.RTC\AppData\Roaming\Kaseya
[2012/10/10 17:46:28 | 000,000,000 | ---D | M] -- C:\Users\administrator.RTC\AppData\Roaming\NASNaviator2
[2012/10/12 09:45:22 | 000,000,000 | ---D | M] -- C:\Users\administrator.RTC\AppData\Roaming\Sharpdesk
[2012/10/30 09:43:58 | 000,000,000 | ---D | M] -- C:\Users\administrator.RTC\AppData\Roaming\SPE

========== Purity Check ==========



< End of report >



thanks,

Andrew
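One check that follows from the observations in the post above (the files only come back while the network is connected, and their NTFS owner is a different domain account each time) is to list every executable recently created on the affected volume together with its owner, since the owning account is the one that wrote the file over the share and points at the machine it was logged on to. The script below is an added example, not something posted in the thread; it assumes the D: volume Andrew reported and a 24-hour lookback, and sticks to the PowerShell 2.0 cmdlets available on Server 2008 R2.

```powershell
# Added example: list executables created on a volume within a lookback window,
# with their NTFS owner, so files written over a share can be traced back to the
# account (and from there the workstation) that created them.
# Assumptions (not from the thread): volume D:\, 24-hour window, CSV on the desktop.
param(
    [string]$Volume = 'D:\',
    [int]   $Hours  = 24,
    [string]$Report = "$env:USERPROFILE\Desktop\recent-exe-owners.csv"
)

$since = (Get-Date).AddHours(-$Hours)

# PowerShell 2.0 has no -File switch on Get-ChildItem, so directories are filtered out
# manually. -Force includes hidden files, which infected droppers are often marked as.
$recent = Get-ChildItem -Path $Volume -Recurse -Force -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.CreationTime -ge $since }

$rows = foreach ($f in $recent) {
    # The owner is read from the file's security descriptor. An unreadable ACL is
    # recorded rather than silently dropped, so the file still shows up in the report.
    try   { $owner = (Get-Acl -Path $f.FullName -ErrorAction Stop).Owner }
    catch { $owner = "<unreadable: $($_.Exception.Message)>" }

    New-Object PSObject -Property @{
        Created  = $f.CreationTime
        Modified = $f.LastWriteTime
        Size     = $f.Length
        Owner    = $owner
        Path     = $f.FullName
    }
}

# Newest first: a burst of new executables sharing one owner identifies the account
# that was writing to the share at that time.
$rows = $rows | Sort-Object Created -Descending
$rows | Select-Object Created, Owner, Size, Path | Format-Table -AutoSize
$rows | Export-Csv -Path $Report -NoTypeInformation

# Per-owner counts, so a single account responsible for the reinfections stands out.
$rows | Group-Object Owner | Sort-Object Count -Descending | Select-Object Count, Name
```

The owner names in the output are the accounts to correlate with the workstations they were logged on to; those machines are where the infector is still active, regardless of what the local scanner reports.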
#2
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
The following programme may need to be run several times, and no guarantee can be given that the system will be usable or safe after the runs.
For a file infector the best recommendation would be to reformat and reinstall, but the choice is yours.

Download Sality Killer zip to your desktop and extract SalityKiller.exe

Run the utility SalityKiller.exe on the infected computer
A reboot might be required after disinfection.

Download the file Sality_RegKeys.zip
Unpack the file Sality_RegKeys.zip
Run the file Disable_autorun.reg from the archive Sality_RegKeys.zip

Once the scan is over, run the registry key file for your Windows version from the archive Sality_RegKeys.zip:

Under Windows 2000 run the registry file SafeBootWin200.reg
Under Windows XP run the registry file SafeBootWinXP.reg
Under Windows 2003 run the registry file SafeBootWinServer2003.reg
Under Windows Vista / 2008 run the registry file SafebootVista.reg
Under Windows 7 / 2008 R2 run the registry file SafebootWin7.reg


#3
andrewm00

    New Member

  • Topic Starter
  • Member
  • 2 posts
Thanks for the info!
I will give that a try.
I'm hesitant to format and reinstall because it's a domain controller... but it may come down to that.

#4
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Once Sality Killer comes up clean, could you run a fresh OTL scan with the following script

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in

    netsvcs
    BASESERVICES
    %SYSTEMDRIVE%\*.exe
    /md5start
    services.*
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    winsock.*
    /md5stop
    CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs


#5
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.