
Hijacked ping.exe...



I am running XP SP3 with MSE. I got hit with Security Center 2011. It has left behind a very active, very hijacked PING.EXE file. I am posting a TXT log from a DDS scan and from MBAM. Curious though: I could not post this from the infected computer. I could view the forums but not post; it gave me an "IE could not open this page" error. Any correlation?

I was on damnyouautocorrect.com reading some funny made-up autocorrect posts when I got hit. I had not clicked on any links, I was just reading and laughing, WTF.

Thanks for all the help you guys put into helping us, :D

David

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Administrator at 10:31:00 on 2011-12-15

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.306 [GMT -5:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Workspace\offSyncService.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

svchost.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Workspace\WorkspaceUpdate.exe

C:\WINDOWS\System32\ping.exe

.

============== Pseudo HJT Report ===============

.

uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6959

uStart Page = hxxp://www.google.com/

mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6959

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [starfield Updater] "c:\program files\workspace\WorkspaceUpdate.exe"

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [<NO NAME>]

mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

LSP: mswsock.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280323188156

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{AF9FE757-B11E-481B-B9E1-05CB87D97EFB} : DhcpNameServer = 192.168.1.1

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]

R1 MpKsle057ba17;MpKsle057ba17;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4f9e6f2f-46c6-4fa2-a725-614f23114e06}\MpKsle057ba17.sys [2011-12-15 29904]

R2 File Backup;File Backup Service;c:\program files\workspace\offSyncService.exe [2011-2-2 1185008]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-14 366152]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-14 22216]

S1 MpKsl2e063917;MpKsl2e063917;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3419efdd-5498-4e9d-90f1-6ba1013f7ec1}\mpksl2e063917.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3419efdd-5498-4e9d-90f1-6ba1013f7ec1}\MpKsl2e063917.sys [?]

S1 MpKsl3eb34910;MpKsl3eb34910;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a9458ca2-dc79-4c72-811f-d03a41bbf57c}\mpksl3eb34910.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a9458ca2-dc79-4c72-811f-d03a41bbf57c}\MpKsl3eb34910.sys [?]

S1 MpKsl4e4fc432;MpKsl4e4fc432;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4a723bdd-a410-40b4-913e-d3f932322a68}\mpksl4e4fc432.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4a723bdd-a410-40b4-913e-d3f932322a68}\MpKsl4e4fc432.sys [?]

S1 MpKsl8ed834d5;MpKsl8ed834d5;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{863bdc92-fa65-4971-bac7-ed65582110b8}\mpksl8ed834d5.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{863bdc92-fa65-4971-bac7-ed65582110b8}\MpKsl8ed834d5.sys [?]

S1 MpKsle426664c;MpKsle426664c;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{14b76854-43e8-4d39-9718-3bd96b56ead2}\mpksle426664c.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{14b76854-43e8-4d39-9718-3bd96b56ead2}\MpKsle426664c.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-28 136176]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-28 136176]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]

.

=============== Created Last 30 ================

.

2011-12-15 14:35:12 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4f9e6f2f-46c6-4fa2-a725-614f23114e06}\MpKsle057ba17.sys

2011-12-15 14:35:06 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4f9e6f2f-46c6-4fa2-a725-614f23114e06}\offreg.dll

2011-12-14 20:48:55 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes

2011-12-14 20:48:47 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-12-14 20:48:44 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-12-14 20:48:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-12-14 15:49:17 856 ----a-w- C:\exe.reg

2011-12-13 15:04:41 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4f9e6f2f-46c6-4fa2-a725-614f23114e06}\mpengine.dll

2011-12-13 15:02:36 -------- d-----w- C:\Dreamweaver

2011-11-21 13:21:10 -------- d-----w- c:\program files\Windows Media Connect 2

2011-11-21 13:19:52 -------- d-----w- c:\windows\system32\LogFiles

2011-11-16 14:18:26 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

==================== Find3M ====================

.

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

.

============= FINISH: 10:33:21.35 ===============

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8375

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/15/2011 11:02:58 AM

mbam-log-2011-12-15 (11-02-58).txt

Scan type: Quick scan

Objects scanned: 206102

Time elapsed: 28 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

============================================================

09:35:18 Administrator MESSAGE Protection started successfully

09:35:23 Administrator MESSAGE IP Protection started successfully

09:36:34 Administrator MESSAGE IP Protection stopped

09:36:34 Administrator MESSAGE Scheduled update executed successfully

09:36:38 Administrator MESSAGE Database updated successfully

09:36:40 Administrator MESSAGE IP Protection started successfully

09:37:43 Administrator IP-BLOCK 77.91.231.166 (Type: outgoing)

09:37:46 Administrator IP-BLOCK 77.91.231.166 (Type: outgoing)

09:37:52 Administrator IP-BLOCK 77.91.231.166 (Type: outgoing)

09:38:04 Administrator IP-BLOCK 212.36.9.58 (Type: outgoing)

09:38:07 Administrator IP-BLOCK 212.36.9.58 (Type: outgoing)

09:38:13 Administrator IP-BLOCK 212.36.9.58 (Type: outgoing)

09:44:55 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:44:58 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:45:04 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:45:05 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:45:08 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:45:12 Administrator IP-BLOCK 83.133.125.41 (Type: outgoing)

09:45:14 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:45:15 Administrator IP-BLOCK 83.133.125.41 (Type: outgoing)

09:45:16 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:45:19 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:45:21 Administrator IP-BLOCK 83.133.125.41 (Type: outgoing)

09:45:25 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:45:26 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:45:29 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:45:33 Administrator IP-BLOCK 83.133.121.147 (Type: outgoing)

09:45:35 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:45:36 Administrator IP-BLOCK 83.133.121.147 (Type: outgoing)

09:45:37 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:45:40 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:45:42 Administrator IP-BLOCK 83.133.121.147 (Type: outgoing)

09:45:46 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:45:47 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:45:50 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:45:54 Administrator IP-BLOCK 83.133.121.155 (Type: outgoing)

09:45:56 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:45:57 Administrator IP-BLOCK 83.133.121.155 (Type: outgoing)

09:45:58 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:46:01 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:46:03 Administrator IP-BLOCK 83.133.121.155 (Type: outgoing)

09:46:07 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:46:10 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:46:13 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:46:15 Administrator IP-BLOCK 83.133.124.245 (Type: outgoing)

09:46:18 Administrator IP-BLOCK 83.133.124.245 (Type: outgoing)

09:46:19 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:46:19 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:46:22 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:46:24 Administrator IP-BLOCK 83.133.124.245 (Type: outgoing)

09:46:28 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:46:31 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:46:34 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:46:36 Administrator IP-BLOCK 83.133.121.147 (Type: outgoing)

09:46:39 Administrator IP-BLOCK 83.133.121.147 (Type: outgoing)

09:46:40 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:46:41 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:46:44 Administrator IP-BLOCK 146.185.250.210 (Type: outgoing)

09:46:45 Administrator IP-BLOCK 83.133.121.147 (Type: outgoing)

...and so on, a really big list like this one.

Ok, so I ran ComboFix. It did find something and removed it. It seems that everything is ok now. Here is the log report if anyone is interested.

Thanks again for your time.

((((((((((((((((((((((((( Files Created from 2011-11-16 to 2011-12-16 )))))))))))))))))))))))))))))))

.

.

2011-12-16 16:44 . 2011-12-16 16:44 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4F9E6F2F-46C6-4FA2-A725-614F23114E06}\offreg.dll

2011-12-15 17:39 . 2011-12-15 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games

2011-12-15 17:33 . 2011-12-15 17:38 -------- d-----w- c:\program files\PopCap Games

2011-12-14 20:48 . 2011-12-14 20:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2011-12-14 20:48 . 2011-12-14 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-12-14 20:48 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-12-14 20:48 . 2011-12-14 20:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-12-14 17:04 . 2011-12-14 17:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-12-14 15:49 . 2011-12-14 15:55 856 ----a-w- C:\exe.reg

2011-12-13 15:04 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4F9E6F2F-46C6-4FA2-A725-614F23114E06}\mpengine.dll

2011-12-13 15:02 . 2011-12-13 15:02 -------- d-----w- C:\Dreamweaver

2011-11-21 13:51 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2011-11-21 13:21 . 2011-11-21 13:21 -------- d-----w- c:\program files\Windows Media Connect 2

2011-11-21 13:19 . 2011-12-14 17:18 -------- d-----w- c:\windows\system32\LogFiles

2011-11-21 13:19 . 2011-11-21 13:20 -------- d-----w- c:\windows\system32\drivers\UMDF

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-12-16 15:44 . 2006-06-17 09:23 17920 ----a-w- c:\windows\system32\ping.exe

2011-11-21 10:47 . 2010-07-30 00:41 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-11-16 14:18 . 2011-11-16 14:18 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-10 14:22 . 2006-06-17 09:38 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06 . 2006-06-17 09:23 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41 . 2006-06-17 09:23 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41 . 2006-06-17 09:23 20480 ----a-w- c:\windows\system32\oleaccrc.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\WRE54G_v3\\WRE54G_v3_wizard\\Setup.exe"=

"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

.

R2 File Backup;File Backup Service;c:\program files\Workspace\offSyncService.exe [2/2/2011 10:12 AM 1185008]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/14/2011 3:48 PM 366152]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/14/2011 3:48 PM 22216]

S1 MpKsl2e063917;MpKsl2e063917;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3419EFDD-5498-4E9D-90F1-6BA1013F7EC1}\MpKsl2e063917.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3419EFDD-5498-4E9D-90F1-6BA1013F7EC1}\MpKsl2e063917.sys [?]

S1 MpKsl3eb34910;MpKsl3eb34910;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A9458CA2-DC79-4C72-811F-D03A41BBF57C}\MpKsl3eb34910.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A9458CA2-DC79-4C72-811F-D03A41BBF57C}\MpKsl3eb34910.sys [?]

S1 MpKsl4e4fc432;MpKsl4e4fc432;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4A723BDD-A410-40B4-913E-D3F932322A68}\MpKsl4e4fc432.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4A723BDD-A410-40B4-913E-D3F932322A68}\MpKsl4e4fc432.sys [?]

S1 MpKsl8ed834d5;MpKsl8ed834d5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{863BDC92-FA65-4971-BAC7-ED65582110B8}\MpKsl8ed834d5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{863BDC92-FA65-4971-BAC7-ED65582110B8}\MpKsl8ed834d5.sys [?]

S1 MpKsle426664c;MpKsle426664c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{14B76854-43E8-4D39-9718-3BD96B56EAD2}\MpKsle426664c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{14B76854-43E8-4D39-9718-3BD96B56EAD2}\MpKsle426664c.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/28/2010 11:23 AM 136176]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/28/2010 11:23 AM 136176]

S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-28 16:22]

.

2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-28 16:22]

.

2011-12-16 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-16 11:44

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1291741016-2212812740-3929369913-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3d,95,95,32,b4,31,e2,44,84,d6,54,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3d,95,95,32,b4,31,e2,44,84,d6,54,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3788)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe

.

**************************************************************************

.

Completion time: 2011-12-16 11:59:37 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-16 16:59

.

Pre-Run: 50,801,737,728 bytes free

Post-Run: 52,491,513,856 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

.

- - End Of File - - F7ED84D3EDF952A5CE0677786D3B7E9A


1 month later... (Staff)

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


1 month later... (Staff)

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
