
malware attac



For the past 10 days I seem to have had browser redirects and problems to the extent that a few days ago I had put Malwarebytes (the bought one) on all my systems.

Now as I sit working on my laptop which seems to be pretty clean my desktop has blocked about 20 or so IP attacks in a 6 hour period and blocks several more whenever I reboot my desktop.

So I have followed all the instructions on running the "I'm infected - What do I do now".

I have not attempted to analyse any of the text or log files - this would be interesting but frankly beyond my PC skills.

Note that I have already restored my system to an earlier date. Clearly this may have been an error by me because the malware would now be in some or all of the past profiles. I am unsure about this.

So I would be truly indebted to one of you guys if you could look through some of this stuff and tell me what the next step is.

If I have to format and start again this would be a great shame - but let's not go there yet.

Note that I run Windows XP on my desktop where all the issues are.

I have always used AVG as my virus software

I use zone alarm freebee as my firewall

I now use malwarebytes to keep the browser hijackers at bay

I don't think I could do any more than this.

The GMER rootkit analyser has been chugging away for about an hour so at the end of all this I will upload or attach all that is required (see below)

Attached to this is the zip file which includes the malware log file, the dds.txt, the attach.txt and also the ark.txt that was saved after running the GMER rootkit analyser - that's 4 files in total.


I am sorry for this delay and thank you sincerely, but I have run the GMER software for several hours and towards the end it crashes - so I start again. If it fails this next time I will zip all the other files - and perhaps this will do.


Yes of course you are absolutely correct - I could not get it to work without locking and tried for 24 hours - never mind.

OK so this is my DDS file pasted, and attached is the attach file.

Is there another file I should send up?

DDS (Ver_10-03-17.01) - NTFSx86

Run by DON at 17:22:32.28 on Mon 30/08/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11

Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1023.65 [GMT 10:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

H:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

H:\WINDOWS\System32\svchost.exe -k netsvcs

H:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

H:\WINDOWS\system32\ZoneLabs\vsmon.exe

H:\WINDOWS\system32\spoolsv.exe

svchost.exe

H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

H:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

H:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

H:\PROGRA~1\AVG\AVG8\avgam.exe

H:\WINDOWS\Explorer.EXE

H:\WINDOWS\system32\inetsrv\inetinfo.exe

H:\PROGRA~1\AVG\AVG8\avgrsx.exe

H:\Program Files\Java\jre6\bin\jqs.exe

H:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

H:\WINDOWS\system32\nvsvc32.exe

H:\WINDOWS\system32\svchost.exe -k imgsvc

H:\PROGRA~1\AVG\AVG8\avgemc.exe

H:\WINDOWS\system32\wuauclt.exe

H:\Program Files\AVG\AVG8\avgcsrvx.exe

H:\Program Files\Java\jre6\bin\jusched.exe

H:\WINDOWS\RTHDCPL.EXE

H:\WINDOWS\system32\RUNDLL32.EXE

H:\WINDOWS\system32\LVCOMSX.EXE

H:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

H:\Program Files\Logitech\Video\LogiTray.exe

H:\Program Files\Logitech\ImageStudio\LogiTray.exe

H:\SCANJET\PrecisionScanPro\HPLamp.exe

H:\WINDOWS\System32\svchost.exe -k HTTPFilter

H:\Program Files\Microsoft Hardware\Keyboard\type32.exe

H:\Program Files\iTunes\iTunesHelper.exe

H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

H:\Program Files\TomTom HOME 2\HOMERunner.exe

H:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

H:\Program Files\Common Files\Real\Update_OB\realsched.exe

H:\PROGRA~1\AVG\AVG8\avgtray.exe

H:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

H:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

H:\WINDOWS\system32\ctfmon.exe

H:\Program Files\SecCopy\SecCopy.exe

H:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

H:\Program Files\Skype\Phone\Skype.exe

H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

H:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

H:\Program Files\Common Files\VideoMate\ComproRemote.exe

H:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe

H:\Program Files\Logitech\Logitech Internet Handset\LOGI_HDS.exe

H:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

H:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe

H:\Program Files\Logitech\Video\FxSvr2.exe

H:\Program Files\iPod\bin\iPodService.exe

H:\Program Files\Skype\Plugin Manager\skypePM.exe

H:\Program Files\Mozilla Firefox\firefox.exe

H:\Documents and Settings\DON\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.smh.com.au/

uURLSearchHooks: H - No File

uURLSearchHooks: H - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - h:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: {15B735AB-F948-9BC3-3554-FC6A60DDDAEE} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - h:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - h:\progra~1\spybot~1\SDHelper.dll

BHO: {6AC235A8-F93A-9BF3-3554-FC6A60DDDAEE} - No File

BHO: {75BDC97C-7A5B-70F3-8E2C-2760B5FE9E7B} - No File

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - h:\program files\java\jre6\bin\ssv.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - h:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - h:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - h:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {F8D9DDD2-19C7-35AB-AD15-79FBD3059E42} - No File

uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe

uRun: [second Copy] "h:\program files\seccopy\SecCopy.exe"

uRun: [PcSync] h:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog

uRun: [NBJ] "h:\program files\ahead\nero backitup\NBJ.exe"

uRun: [skype] "h:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [spybotSD TeaTimer] h:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [sunJavaUpdateSched] "h:\program files\java\jre6\bin\jusched.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE h:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE h:\windows\system32\NvCpl.dll,NvStartup

mRun: [NeroFilterCheck] h:\windows\system32\NeroCheck.exe

mRun: [LVCOMSX] h:\windows\system32\LVCOMSX.EXE

mRun: [LVCOMS] h:\program files\common files\logitech\qcdriver\LVCOMS.EXE

mRun: [LogitechVideoTray] h:\program files\logitech\video\LogiTray.exe

mRun: [LogitechVideoRepair] h:\program files\logitech\video\ISStart.exe

mRun: [LogitechImageStudioTray] h:\program files\logitech\imagestudio\LogiTray.exe

mRun: [LogitechGalleryRepair] h:\program files\logitech\imagestudio\ISStart.exe

mRun: [HP Lamp] h:\scanjet\precisionscanpro\HPLamp.exe

mRun: [Alcmtr] ALCMTR.EXE

mRun: [intelliType] "h:\program files\microsoft hardware\keyboard\type32.exe"

mRun: [iTunesHelper] "h:\program files\itunes\iTunesHelper.exe"

mRun: [ZoneAlarm Client] "h:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [TomTomHOME.exe] "h:\program files\tomtom home 2\HOMERunner.exe" -s

mRun: [PCSuiteTrayApplication] h:\progra~1\nokia\nokiap~1\LAUNCH~1.EXE -startup

mRun: [TkBellExe] "h:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [AVG8_TRAY] h:\progra~1\avg\avg8\avgtray.exe

mRun: [QuickTime Task] "h:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "h:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Malwarebytes' Anti-Malware] "h:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRun: [CTFMON.EXE] h:\windows\system32\CTFMON.EXE

dRun: [Picasa Media Detector] h:\program files\picasa2\PicasaMediaDetector.exe

StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - h:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe

StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - h:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\compro~2.lnk - h:\program files\common files\videomate\ComproRemote.exe

StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\compro~1.lnk - h:\program files\common files\videomate\ComproSchedulerDTV.exe

StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - h:\program files\logitech\logitech internet handset\LOGI_HDS.exe

IE: Add to Google Photos Screensa&ver - h:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - h:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - h:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - h:\progra~1\spybot~1\SDHelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: {3AEE37F6-CC82-494A-828F-1310FD5C050C} = 203.2.75.132,198.142.0.51

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - h:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: avgrsstarter - avgrsstx.dll

AppInit_DLLs: ifdev.dll aacstream.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - h:\docume~1\don\applic~1\mozilla\firefox\profiles\5sb7vlg6.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.smh.com.au

FF - plugin: h:\program files\mozilla firefox\plugins\npatgpc.dll

FF - plugin: h:\program files\mozilla firefox\plugins\npitunes.dll

FF - plugin: h:\program files\picasa2\npPicasa3.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - h:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - h:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - h:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - h:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - h:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - h:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - h:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;h:\windows\system32\drivers\avgrkx86.sys [2008-4-25 12552]

R1 AvgLdx86;AVG AVI Loader Driver x86;h:\windows\system32\drivers\avgldx86.sys [2008-4-25 335240]

R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;h:\windows\system32\drivers\avgmfx86.sys [2007-11-12 27784]

R1 AvgTdiX;AVG8 Network Redirector;h:\windows\system32\drivers\avgtdix.sys [2008-4-25 108552]

R1 KLIF;KLIF;h:\windows\system32\drivers\klif.sys [2007-11-25 127768]

R1 vsdatant;vsdatant;h:\windows\system32\vsdatant.sys [2007-11-25 395080]

R2 avg8emc;AVG8 E-mail Scanner;h:\progra~1\avg\avg8\avgemc.exe [2009-7-10 908056]

R2 avg8wd;AVG8 WatchDog;h:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-9 297752]

R2 MBAMService;MBAMService;h:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-8-27 304464]

R2 vsmon;TrueVector Internet Monitor;h:\windows\system32\zonelabs\vsmon.exe -service --> h:\windows\system32\zonelabs\vsmon.exe -service [?]

R3 MBAMProtector;MBAMProtector;h:\windows\system32\drivers\mbam.sys [2010-8-27 20952]

R3 VMHybrid;VMHybrid service;h:\windows\system32\drivers\VMHybrid.sys [2006-5-9 1043072]

S2 Serv-U;Serv-U FTP Server;h:\program files\rhinosoft.com\serv-u\servudaemon.exe --> h:\program files\rhinosoft.com\serv-u\ServUDaemon.exe [?]

S3 EPUSBSTOR;EPSON USB Storage Driver;h:\windows\system32\drivers\epusbsto.sys [2001-9-10 17976]

=============== Created Last 30 ================

2010-08-30 07:12:04 0 ----a-w- h:\documents and settings\don\defogger_reenable

2010-08-27 02:56:12 0 d-----w- h:\docume~1\don\applic~1\Malwarebytes

2010-08-27 02:55:44 38224 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys

2010-08-27 02:55:39 0 d-----w- h:\docume~1\alluse~1\applic~1\Malwarebytes

2010-08-27 02:55:13 20952 ----a-w- h:\windows\system32\drivers\mbam.sys

2010-08-27 02:55:12 0 d-----w- h:\program files\Malwarebytes' Anti-Malware

2010-08-20 12:03:34 0 d-----w- h:\windows\system32\F011A7B6C10

2010-08-20 10:50:06 0 d-----w- h:\windows\system32\F013D61599C

2010-08-20 08:01:41 0 d-----w- h:\program files\ACD Systems

2010-08-20 07:54:45 0 d-----w- h:\windows\system32\F01399A5B6B

2010-08-20 07:53:32 453120 --sh--w- h:\windows\system32\ifdev.dll

2010-08-20 07:11:57 9856 ----a-w- h:\windows\system32\drivers\pfc.sys

2010-08-20 06:59:09 0 d-----w- h:\windows\system32\wbem\Repository

2010-08-20 05:43:15 0 d-----w- h:\docume~1\don\applic~1\ACD Systems

2010-08-20 05:33:40 0 d-----w- h:\docume~1\alluse~1\applic~1\ACD Systems

2010-08-20 05:33:38 0 d-----w- h:\program files\common files\ACD Systems

2010-08-12 21:31:53 0 d-----w- H:\DVD1

2010-08-02 08:28:54 744448 -c----w- h:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-08-30 07:22:50 1472337952 --sha-w- h:\windows\system32\drivers\fidbox.dat

2010-08-30 07:15:02 17268344 --sha-w- h:\windows\system32\drivers\fidbox.idx

2010-06-30 12:31:35 149504 ----a-w- h:\windows\system32\schannel.dll

2010-06-24 12:22:03 916480 ----a-w- h:\windows\system32\wininet.dll

2010-06-23 13:44:04 1851904 ----a-w- h:\windows\system32\win32k.sys

2010-06-17 14:03:00 80384 ----a-w- h:\windows\system32\iccvid.dll

2010-06-14 07:41:45 1172480 ----a-w- h:\windows\system32\msxml3.dll

2010-06-03 02:41:44 3600384 ----a-w- h:\windows\system32\GPhotos.scr

2008-08-18 10:51:00 32768 --sha-w- h:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081820080819\index.dat

============= FINISH: 17:24:58.21 ===============

Attach.txt

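As an added example (not part of the thread, and not a DDS or Malwarebytes tool), here is a small triage script for the DDS log format posted above: it parses the "Pseudo HJT Report", "Created Last 30" and "Find3M" sections and cross-references the DLL names in AppInit_DLLs against file entries that carry both the hidden (h) and system (s) attribute bits, the combination ifdev.dll shows in this log. The sample input is a constructed excerpt that keeps the posted log's line format.

```python
"""Triage a DDS log for AppInit_DLLs load points and hidden+system files.

Added example, not part of the thread or of the DDS tool. It parses the
'Pseudo HJT Report', 'Created Last 30' and 'Find3M' sections of a DDS log
and cross-references the DLLs named in AppInit_DLLs against file entries
that carry both the hidden (h) and system (s) attribute bits.
"""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the DDS log posted above (same line format).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: ifdev.dll aacstream.dll
=============== Created Last 30 ================
2010-08-27 02:55:13 20952 ----a-w- h:\windows\system32\drivers\mbam.sys
2010-08-20 12:03:34 0 d-----w- h:\windows\system32\F011A7B6C10
2010-08-20 07:53:32 453120 --sh--w- h:\windows\system32\ifdev.dll
2010-08-20 07:11:57 9856 ----a-w- h:\windows\system32\drivers\pfc.sys
==================== Find3M ====================
2010-08-30 07:22:50 1472337952 --sha-w- h:\windows\system32\drivers\fidbox.dat
============= FINISH: 17:24:58.21 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# date time size attribute-flags path
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+(\d+)\s+(\S{8})\s+(.+)$")
FILE_SECTIONS = {"Created Last 30", "Find3M"}


@dataclass
class FileEntry:
    date: str
    size: int
    attrs: str   # DDS flag string such as '--sh--w-'
    path: str    # lower-cased Windows path

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def hidden_system(self) -> bool:
        # 'h' and 's' in the flag field mean the hidden and system bits are set
        return "h" in self.attrs and "s" in self.attrs


def parse_dds(text):
    """Return (AppInit_DLLs entries, file entries) from the relevant sections."""
    section, appinit, files = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section == "Pseudo HJT Report" and line.startswith("AppInit_DLLs:"):
            appinit.extend(line.split(":", 1)[1].split())
        elif section in FILE_SECTIONS:
            m = ENTRY_RE.match(line)
            if m:
                files.append(FileEntry(m.group(1), int(m.group(2)), m.group(3), m.group(4).lower()))
    return appinit, files


def triage(text):
    """Rank file entries: load point + hidden/system is 'high', attributes alone 'review'."""
    appinit, files = parse_dds(text)
    wanted = {d.lower() for d in appinit}
    findings = []
    for f in files:
        reasons = []
        if f.name in wanted:
            reasons.append("referenced by AppInit_DLLs")
        if f.hidden_system and "\\system32\\" in f.path:
            # Attribute bits alone are weak evidence: legitimate security
            # products also hide their data files, so this is 'review' only.
            reasons.append("hidden+system file under system32")
        if reasons:
            findings.append({"path": f.path, "date": f.date, "reasons": reasons,
                             "severity": "high" if len(reasons) == 2 else "review"})
    findings.sort(key=lambda x: (x["severity"] != "high", x["path"]))
    unresolved = sorted(wanted - {f.name for f in files})  # named in AppInit_DLLs but not listed
    return {"appinit_dlls": appinit, "findings": findings, "unresolved_appinit": unresolved}


if __name__ == "__main__":
    for item in triage(SAMPLE_DDS)["findings"]:
        print(item["severity"], item["path"], "; ".join(item["reasons"]))
```

Entries flagged "review" still need a second look (the file's vendor, signature, or a scan), which is what the staff reply asks for with the VirusTotal upload.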

I have posted a typical day of IP blocks - this is from the Malwarebytes log:

It seems excessive to me to have so many blocked attacks and it is this that concerns me more than anything.

If I trace the IPs for these blocks there are many from Russia and China - obviously I am not pleased about this.

------------------

05:03:59 Anne IP-BLOCK 87.242.115.49

05:04:01 Anne IP-BLOCK 87.242.115.49

05:04:05 Anne IP-BLOCK 87.242.115.49

05:04:10 Anne IP-BLOCK 89.149.209.150

05:04:12 Anne IP-BLOCK 89.149.209.150

05:04:16 Anne IP-BLOCK 89.149.209.150

08:34:01 DON MESSAGE Protection started successfully

08:34:36 DON MESSAGE IP Protection started successfully

08:38:38 DON IP-BLOCK 89.149.209.150

08:38:40 DON IP-BLOCK 89.149.209.150

08:38:44 DON IP-BLOCK 89.149.209.150

09:00:52 DON IP-BLOCK 88.85.93.35

09:00:55 DON IP-BLOCK 88.85.93.35

09:01:01 DON IP-BLOCK 88.85.93.35

09:01:08 DON IP-BLOCK 88.85.93.35

09:01:11 DON IP-BLOCK 88.85.93.35

09:01:17 DON IP-BLOCK 88.85.93.35

10:07:34 DON IP-BLOCK 115.84.178.117

10:07:36 DON IP-BLOCK 115.84.178.117

10:07:40 DON IP-BLOCK 115.84.178.117

12:29:32 DON IP-BLOCK 121.10.236.133

12:29:37 DON IP-BLOCK 121.10.236.133

12:29:42 DON IP-BLOCK 121.10.236.133

12:29:47 DON IP-BLOCK 121.10.236.133

12:29:52 DON IP-BLOCK 121.10.236.133

16:38:28 DON IP-BLOCK 89.149.209.150

16:38:30 DON IP-BLOCK 89.149.209.150

16:38:34 DON IP-BLOCK 89.149.209.150

16:38:41 DON IP-BLOCK 87.242.115.49

16:38:43 DON IP-BLOCK 87.242.115.49

16:38:47 DON IP-BLOCK 87.242.115.49

17:19:20 DON MESSAGE Protection started successfully

17:19:26 DON MESSAGE IP Protection started successfully

17:20:22 DON IP-BLOCK 115.84.178.117

17:20:24 DON IP-BLOCK 115.84.178.117

17:20:28 DON IP-BLOCK 115.84.178.117

17:21:19 DON IP-BLOCK 89.187.53.8

17:21:22 DON IP-BLOCK 89.187.53.8

17:21:28 DON IP-BLOCK 89.187.53.8

17:23:05 DON IP-BLOCK 89.149.209.150

17:23:07 DON IP-BLOCK 89.149.209.150

17:23:11 DON IP-BLOCK 89.149.209.150

17:23:18 DON IP-BLOCK 87.242.115.49

17:23:20 DON IP-BLOCK 87.242.115.49

17:23:24 DON IP-BLOCK 87.242.115.49

17:49:35 DON MESSAGE Protection started successfully

17:49:40 DON MESSAGE IP Protection started successfully

18:39:20 DON MESSAGE Protection started successfully

18:39:45 DON MESSAGE IP Protection started successfully

18:40:42 DON IP-BLOCK 89.149.209.150

18:40:44 DON IP-BLOCK 89.149.209.150

18:40:48 DON IP-BLOCK 89.149.209.150

21:49:00 DON MESSAGE Protection started successfully

21:49:05 DON MESSAGE IP Protection started successfully

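As an added example (not from the thread or from Malwarebytes), here is a parser for the IP-BLOCK log format above that groups consecutive blocks of one address into retry bursts, measures the spacing inside a burst, and counts how many bursts begin within minutes of an "IP Protection started" message, i.e. right after a reboot. That regularity is the point worth quantifying before asking for help: evenly spaced retries to the same few addresses that recur after every restart are consistent with a process on the host retrying a connection rather than with random inbound scans. The sample is a constructed excerpt using the same format and addresses as the posted log.

```python
"""Summarise a Malwarebytes IP-BLOCK protection log.

Added example, not part of the thread or of Malwarebytes. It groups
consecutive blocks of the same address into retry bursts, measures the
spacing inside a burst, and checks how many bursts begin shortly after an
'IP Protection started' message (i.e. right after a reboot).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed excerpt with the same line format (and addresses) as the log posted above.
SAMPLE_LOG = """\
08:34:01 DON MESSAGE Protection started successfully
08:34:36 DON MESSAGE IP Protection started successfully
08:38:38 DON IP-BLOCK 89.149.209.150
08:38:40 DON IP-BLOCK 89.149.209.150
08:38:44 DON IP-BLOCK 89.149.209.150
09:00:52 DON IP-BLOCK 88.85.93.35
09:00:55 DON IP-BLOCK 88.85.93.35
09:01:01 DON IP-BLOCK 88.85.93.35
09:01:08 DON IP-BLOCK 88.85.93.35
09:01:11 DON IP-BLOCK 88.85.93.35
09:01:17 DON IP-BLOCK 88.85.93.35
17:19:20 DON MESSAGE Protection started successfully
17:19:26 DON MESSAGE IP Protection started successfully
17:20:22 DON IP-BLOCK 115.84.178.117
17:20:24 DON IP-BLOCK 115.84.178.117
17:20:28 DON IP-BLOCK 115.84.178.117
17:23:05 DON IP-BLOCK 89.149.209.150
17:23:07 DON IP-BLOCK 89.149.209.150
17:23:11 DON IP-BLOCK 89.149.209.150
"""

LINE_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\s+(\S+)\s+(IP-BLOCK|MESSAGE)\s+(.*)$")


@dataclass
class Event:
    t: int        # seconds since midnight
    user: str
    kind: str     # 'IP-BLOCK' or 'MESSAGE'
    detail: str   # blocked address, or message text


def parse_log(text):
    """Parse 'HH:MM:SS USER KIND detail' lines; anything else is ignored."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        h, mi, s, user, kind, detail = m.groups()
        events.append(Event(int(h) * 3600 + int(mi) * 60 + int(s), user, kind, detail.strip()))
    return events


def bursts(events, gap=10):
    """Merge consecutive blocks of one address spaced <= gap seconds apart into a burst."""
    out = []
    for e in events:
        if e.kind != "IP-BLOCK":
            continue
        if out and out[-1]["ip"] == e.detail and e.t - out[-1]["times"][-1] <= gap:
            out[-1]["times"].append(e.t)
        else:
            out.append({"ip": e.detail, "times": [e.t]})
    return out


def summarize(text, gap=10, after_start=600):
    """Per-address counts, retry cadence, and how many bursts follow a protection start."""
    events = parse_log(text)
    bl = bursts(events, gap)
    starts = [e.t for e in events
              if e.kind == "MESSAGE" and e.detail.startswith("IP Protection started")]
    per_ip = defaultdict(lambda: {"bursts": 0, "blocks": 0})
    intra_gaps, near_start = [], 0
    for b in bl:
        per_ip[b["ip"]]["bursts"] += 1
        per_ip[b["ip"]]["blocks"] += len(b["times"])
        intra_gaps += [b2 - b1 for b1, b2 in zip(b["times"], b["times"][1:])]
        if any(0 <= b["times"][0] - s <= after_start for s in starts):
            near_start += 1
    return {
        "blocks": sum(len(b["times"]) for b in bl),
        "bursts": len(bl),
        "bursts_soon_after_start": near_start,
        "protection_starts": len(starts),
        "median_retry_gap_s": median(intra_gaps) if intra_gaps else None,
        "per_ip": dict(per_ip),
        "repeat_ips": sorted(ip for ip, c in per_ip.items() if c["bursts"] > 1),
    }
```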

After using ComboFix this morning on my main PC - I have checked my log after 3 hours and three reboots. So far, looking at the Malwarebytes log, I have not had an IP-block come up. This is promising so I hope that my earlier posts of the last log files look good.

If the logs look good then I would like to start a scan and perhaps fix on my laptop. But should I run ComboFix first as it seems to have proved to be the most successful tool? Note that I have had 3 IP blocks today on this laptop. Not nearly as bad as my PC.

My laptop runs Windows Vista (my PC is XP Service Pack 3) so there may be other issues here that you have to consider.

thank you

Don


  • Staff

Hi,

Please start a new topic for a different computer, to avoid confusion.

Next, please go to VirusTotal, and upload the following file for analysis:

h:\windows\system32\ifdev.dll

Post the results in your reply.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


There is a lot of strange stuff going on.

Below is the text log from eset.

However the securitycheck.exe seems to be killed as soon as it downloads - it simply disappears. For this reason I have not run it.

Also attached is the pdf print from VirusTotal.

--------------------

Follows - log from ESET:

H:\Documents and Settings\Anne\Local Settings\Application Data\Mozilla\Firefox\Profiles\evo0e5ly.default\Cache\5A0EA848d01 JS/Fraud.NAB trojan cleaned by deleting - quarantined

H:\Documents and Settings\DON\Local Settings\Application Data\Identities\{8E10BF67-C6ED-497C-BDB5-B78EB27FA0D4}\Microsoft\Outlook Express\Inbox.dbx multiple threats unable to clean

H:\Documents and Settings\DON\NetHood\business on mss-00260A (Mss-00260a)\2003_files\temp graham\6P6XGHQN\java[1].htm JS/NoClose.M trojan cleaned by deleting - quarantined

H:\Documents and Settings\DON\NetHood\business on mss-00260A (Mss-00260a)\downloads\Roxio Easey Media Creater 7.5\Roxio Easy Media Creator 7.5 (2 X Cd Isos).rar probably a variant of Win32/Agent.MKLEVLM trojan deleted - quarantined

H:\Documents and Settings\Holly\Local Settings\Application Data\Mozilla\Firefox\Profiles\wiwasr8n.default\Cache(4)\45622BE0d01 HTML/ScrInject.B.Gen virus deleted - quarantined

H:\DUMP\Local\Identities\{096D1D67-7211-4FF1-AB6C-1B1E2F93FB0E}\Microsoft\Outlook Express\Inbox.dbx multiple threats unable to clean

-----------------

enclosed pdf from virustotal.

VirusTotal_dll_log.pdf


  • Staff

Hi,

Before we continue, please see:

HijackThis Forum Policy

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.

Please uninstall Limewire before continuing.

Also, note that the antivirus on your computer, AVG8, is outdated and has been replaced by AVG9--

I recommend uninstalling AVG8 and replacing it with either AVG9, avast!, AntiVir, or Microsoft Security Essentials (which is what I use). Let me know what you choose to do.


OK I have now got rid of the P2P and paid for the upgrade to the latest copy of AVG.

But I still seem to be getting browser redirects to odd sites.

Is there some evidence of a known piece of malware in the logs? If not, perhaps there is something else I can try rather than a full format.

thanks


So my blocker is still getting attacks:

06:18:59 DON MESSAGE Protection started successfully

06:19:09 DON MESSAGE IP Protection started successfully

06:42:52 DON IP-BLOCK 199.80.55.81

06:42:55 DON IP-BLOCK 199.80.55.81

06:43:01 DON IP-BLOCK 199.80.55.81

06:45:08 DON IP-BLOCK 208.94.233.40

06:45:11 DON IP-BLOCK 208.94.233.40

06:45:17 DON IP-BLOCK 208.94.233.40

thanks


  • Staff

Hi,

There is still malware present, so let's continue.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad. Copy and paste the text in the Code box below into Notepad:

http://forums.malwarebytes.org/index.php?showtopic=61553
Collect::
h:\windows\system32\ifdev.dll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
"AppInit_DLLs"=""

Save this as CFScript.txt

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

Also post a fresh DDS log.

Please paste the logs directly into your reply instead of attaching them.


Thanks again - after much consideration I am still not happy that I have found the source of the browser hijack in my PC.

I am still getting redirects from Firefox,

so in the interests of security and peace of mind I have decided to format and, with the aid of Malwarebytes and AVG, try to keep the system clean.

I thank the forum for its assistance in getting rid of 90% of the malware issues.

Regards.

Note that my laptop may be a separate matter.

