
Every 10 mins or so my wife's PC (XP SP3) gets three requests to go out to 95.169.187.63 - a site in Russia with host name ns2.km33805.keymachine.de - Malwarebytes is blocking them.

These requests are being originated by winlogon.exe located in system32. winlogon is the same size as the one in a PC without any viruses. There are no attempts to go to any other suspicious ports (I checked with cports).

This started when my wife said she was getting unwanted pop-ups and then she couldn't surf the web. I found IE8 and Firefox had the proxy server turned on. I turned it off. I also found a lot of new entries in the Windows CryptnetUrlCache folders "content" and "metadata" that occurred when she had the problem - I was checking for any files changed or created in that time period. These entries were not in my other PCs. I also found about 15 or so new entries in the "scheduled tasks" folder - named something like tb1, tb2, etc. - which I deleted since she had no scheduled tasks before the virus hit.

I ran MSE then malwarebytes antimalware and finally ESET to get rid of the malware/virus. MSE stopped and deleted multiple viruses and then could find no more, then malwarebytes found three more infections and could find no more, finally ESET could find no infections. But I'm still getting the outgoing requests.

I have Combofix loaded but have not run it yet.

Thanks in advance for any help!

-------------

The Viruses that MSE found and removed are listed below:

Multiple instances of

Kargany.G

Cycbot.G

Unruy.H

Obvod.H

FakeRean

Single instance of

Faret.gfen/C

___

Below is the first malwarebytes log where it found three infections after MSE could find no more:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 911122405

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/25/2011 12:33:05 AM

mbam-log-2011-12-25 (00-33-04).txt

Scan type: Full scan (C:\|E:\|)

Objects scanned: 1123861

Time elapsed: 7 hour(s), 28 minute(s), 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\Temp\kna0.8408029935952036.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\WINDOWS\Temp\sghj0.48684557069307377.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\WINDOWS\Temp\slp8176370282357344548.tmp (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.

After that it could find no more infections - see log below:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 911122405

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/25/2011 2:36:12 PM

mbam-log-2011-12-25 (14-36-12).txt

Scan type: Quick scan

Objects scanned: 1

Time elapsed: 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-----------

Information from cports:

winlogon.jpg
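The symptom described in the post (a system process making the same three requests to the same address roughly every ten minutes, after the scanners report clean) is the classic shape of a malware check-in, and the detection a defender wants is one that spots the timer rather than relying on signatures. The script below is an added example, not code from the poster, from Malwarebytes or from cports; it assumes a constructed cports/netstat-like text dump with one "date time process remote_ip:port" line per connection, and the sample lines are modelled on the post rather than copied from it.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
# Processes that should never originate outbound connections (winlogon.exe is from the post; csrss.exe and smss.exe are typical further entries on such a list).
NO_OUTBOUND = {"winlogon.exe", "csrss.exe", "smss.exe"}
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\d+\.\d+\.\d+\.\d+):\d+$")

# Constructed sample, modelled on the post: three requests to 95.169.187.63 from winlogon.exe every ~10 minutes, plus irregular browser traffic.
SAMPLE_LOG = """\
2011-12-25 14:40:01 winlogon.exe 95.169.187.63:80
2011-12-25 14:40:02 winlogon.exe 95.169.187.63:80
2011-12-25 14:40:03 winlogon.exe 95.169.187.63:80
2011-12-25 14:43:17 firefox.exe 198.51.100.7:443
2011-12-25 14:50:00 winlogon.exe 95.169.187.63:80
2011-12-25 14:50:01 winlogon.exe 95.169.187.63:80
2011-12-25 14:50:02 winlogon.exe 95.169.187.63:80
2011-12-25 14:55:40 firefox.exe 198.51.100.7:443
2011-12-25 14:58:02 firefox.exe 198.51.100.7:443
2011-12-25 15:00:01 winlogon.exe 95.169.187.63:80
2011-12-25 15:00:02 winlogon.exe 95.169.187.63:80
2011-12-25 15:00:03 winlogon.exe 95.169.187.63:80
"""

def find_beacons(log_text, burst_window=5, tolerance=0.2):
    """Flag (process, remote IP) pairs that check in at a regular interval, or that should never talk at all."""
    per_pair = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip headers or malformed lines instead of failing on them
            per_pair[(m.group(2).lower(), m.group(3))].append(
                datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    findings = []
    for (proc, ip), stamps in per_pair.items():
        stamps.sort()
        checkins = [stamps[0]]  # several requests within burst_window seconds count as one check-in
        for ts in stamps[1:]:
            if (ts - checkins[-1]).total_seconds() > burst_window:
                checkins.append(ts)
        gaps = [(b - a).total_seconds() for a, b in zip(checkins, checkins[1:])]
        reasons, period = [], None
        # At least three check-ins with every gap within tolerance of the median gap: a timer, not a user.
        if len(gaps) >= 2 and all(abs(g - median(gaps)) <= tolerance * median(gaps) for g in gaps):
            period = median(gaps)
            reasons.append(f"regular check-in every ~{period:.0f}s")
        if proc in NO_OUTBOUND:
            reasons.append(f"{proc} has no legitimate reason to originate outbound traffic")
        if reasons:
            findings.append({"process": proc, "remote": ip, "connections": len(stamps), "checkins": len(checkins), "period_s": period, "reasons": reasons})
    return findings
```

On the sample above only the winlogon.exe pair is reported, with both reasons; the browser traffic has three check-ins too but its gaps are far from regular, so it is left alone.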
