Am I infected


Maggi


Malwarebytes keeps blocking the IP address 222.186.13.212 and another one similar to it. I ran ComboFix and here is the log, but I have no idea what any of it means. If you can help I'd appreciate it. Thanks!

ComboFix 10-09-16.07 - HP_Administrator 09/17/2010 19:30:40.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.558 [GMT -4:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe

AV: Security Suite *On-access scanning enabled* (Updated) {F5E52F41-190C-46f6-9FC3-55470285CC2B}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\Thumbs.db

.

((((((((((((((((((((((((( Files Created from 2010-08-17 to 2010-09-17 )))))))))))))))))))))))))))))))

.

2010-09-11 23:12 . 2001-08-17 17:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys

2010-09-11 23:12 . 2001-08-17 17:56 7552 ----a-w- c:\windows\system32\drivers\SONYPVU1.SYS

2010-09-05 20:07 . 2010-09-05 20:07 -------- d-----w- c:\program files\iPod

2010-09-05 20:07 . 2010-09-05 20:08 -------- d-----w- c:\program files\iTunes

2010-09-05 20:01 . 2010-09-05 20:02 -------- d-----w- c:\program files\QuickTime

2010-09-05 19:52 . 2010-09-05 19:52 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe

2010-09-05 12:26 . 2010-09-05 12:26 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes

2010-09-05 12:25 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-05 12:25 . 2010-09-05 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-09-05 12:25 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-05 12:25 . 2010-09-05 12:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-05 12:00 . 2010-09-17 23:26 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-09-05 11:59 . 2010-09-17 23:26 -------- d-----w- c:\program files\Norton Security Suite

2010-09-05 11:59 . 2010-09-05 11:59 -------- d-----w- c:\program files\Windows Sidebar

2010-09-05 11:55 . 2010-09-05 11:55 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings

2010-09-05 11:08 . 2010-09-05 11:08 -------- d-----w- c:\program files\Enigma Software Group

2010-09-05 11:07 . 2010-09-05 17:15 -------- d-----w- c:\windows\95431C66CF9A4913BFFF6050785AFB65.TMP

2010-09-05 11:07 . 2010-09-05 11:07 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-09-05 00:45 . 2010-09-05 12:16 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\evpixalnf

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-13 00:37 . 2010-06-11 22:16 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Canon

2010-09-05 20:07 . 2010-05-31 13:28 -------- d-----w- c:\program files\Common Files\Apple

2010-09-05 11:59 . 2009-01-21 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2010-09-05 11:55 . 2009-01-21 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2010-08-29 00:43 . 2009-01-21 02:03 -------- d-----w- c:\program files\Common Files\Adobe

2010-08-21 01:03 . 2010-08-15 12:44 -------- d-----w- c:\program files\Softonic-Eng7

2010-08-17 13:17 . 2009-01-12 01:19 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-15 12:44 . 2010-08-15 12:44 -------- d-----w- c:\program files\Conduit

2010-08-13 22:15 . 2010-08-13 22:15 -------- d-----w- c:\program files\Citrix

2010-08-13 22:15 . 2010-08-13 22:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix

2010-08-06 08:00 . 2010-08-06 08:00 503808 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-52e01b4f-n\msvcp71.dll

2010-08-06 08:00 . 2010-08-06 08:00 499712 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-52e01b4f-n\jmc.dll

2010-08-06 08:00 . 2010-08-06 08:00 348160 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-52e01b4f-n\msvcr71.dll

2010-08-06 08:00 . 2010-08-06 08:00 61440 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-66288473-n\decora-sse.dll

2010-08-06 08:00 . 2010-08-06 08:00 12800 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-66288473-n\decora-d3d.dll

2010-07-30 20:52 . 2010-07-30 20:52 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\CyberLink

2010-07-30 20:52 . 2010-07-30 20:52 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink

2010-07-26 19:54 . 2010-07-26 19:54 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee

2010-07-26 19:54 . 2010-07-24 15:57 -------- d-----w- c:\program files\McAfee Security Scan

2010-07-24 15:57 . 2010-07-24 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-07-24 15:57 . 2010-07-24 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan

2010-07-22 15:49 . 2009-01-12 01:19 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-07-22 05:57 . 2010-05-31 17:57 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-07-12 21:47 . 2010-06-29 22:07 28948 ---ha-w- c:\windows\system32\mlfcache.dat

2010-07-09 22:18 . 2010-05-31 13:33 34800 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-30 12:31 . 2009-01-12 01:19 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22 . 2009-01-12 01:19 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2009-01-12 01:19 1851904 ------w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2009-01-12 01:19 354304 ------w- c:\windows\system32\drivers\srv.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-08-21 2734688]

[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]

2010-08-21 01:03 2734688 ----a-w- c:\program files\Softonic-Eng7\tbSof1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-08-21 2734688]

[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{414B6D9D-4A95-4E8D-B5B1-149DD2D93BB3}"= "c:\program files\Softonic-Eng7\tbSof1.dll" [2010-08-21 2734688]

[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2008-10-26 17021440]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-26 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-26 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-26 137752]

"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]

"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Citrix Access Gateway.lnk - c:\program files\Citrix\Secure Access Client\nsload.exe [2009-3-27 1323672]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Citrix\\Secure Access Client\\nsload.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/5/2010 8:25 AM 304464]

R2 nsverctl;Citrix Secure Access Client Service;c:\program files\Citrix\Secure Access Client\nsverctl.exe [3/27/2009 10:11 PM 135168]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/5/2010 8:25 AM 20952]

R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [3/27/2009 10:11 PM 73368]

R4 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100916.001\IDSxpx86.sys --> c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100916.001\IDSxpx86.sys [?]

R4 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\SYMDS.SYS --> c:\windows\system32\drivers\N360\0402000.00C\SYMDS.SYS [?]

R4 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\SYMEFA.SYS --> c:\windows\system32\drivers\N360\0402000.00C\SYMEFA.SYS [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/2/2010 10:13 PM 136176]

S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]

S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]

S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [1/20/2009 9:49 PM 712704]

--- Other Services/Drivers In Memory ---

*Deregistered* - BHDrvx86

*Deregistered* - ccHP

*Deregistered* - NAVENG

*Deregistered* - NAVEX15

*Deregistered* - SRTSPX

.

Contents of the 'Scheduled Tasks' folder

2010-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-03 02:13]

2010-09-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-03 02:13]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2405280

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\fr5hlvun.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2405280&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2405280&SearchSource=13

FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\fr5hlvun.default\extensions\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}\components\FFExternalAlert.dll

FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\fr5hlvun.default\extensions\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}\components\RadioWMPCore.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-17 19:36

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2010-09-17 19:39:13

ComboFix-quarantined-files.txt 2010-09-17 23:39

Pre-Run: 108,137,992,192 bytes free

Post-Run: 108,165,058,560 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 5E30815C91D522ACA0DB668699941769


> Malwarebytes keeps blocking the IP address 222.186.13.212 and another one similar to it

Sounds like MBAM is doing its job unless you're in China.

IP Information for 222.186.13.212

IP Location: China Beijing Chinanet Jiangsu Province Network

IP Address: 222.186.13.212

inetnum: 222.184.0.0 - 222.191.255.255

netname: CHINANET-JS

descr: CHINANET jiangsu province network

descr: China Telecom

descr: A12,Xin-Jie-Kou-Wai Street

descr: Beijing 100088

country: CN

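The two posts above amount to a manual triage: the reply looks up whois for the blocked address, and the ComboFix log lists the autostart entries, the Windows Firewall policy and the browser start pages. The script below is an added example, not code from the thread, from Malwarebytes or from ComboFix, that does the same checks offline over excerpts copied from the two posts: it converts the whois `inetnum` range to CIDR and tests the blocked IP against it, then pulls Run-key autostarts, the `EnableFirewall` value and the defanged `hxxp://` start pages out of the log. The regular expressions are my assumptions about ComboFix's log format rather than a published specification, and the 30-day "recent autostart" window is simply the window ComboFix itself reports ("Files Created from 2010-08-17 to 2010-09-17").

```python
"""Added example: automate the triage the two posts above do by hand.
Checks whether the address MBAM blocked sits inside the whois inetnum
range quoted in the reply, and pulls autostart entries, Windows Firewall
state and browser start pages out of a ComboFix log.  Runs offline over
excerpts copied from the thread; the regexes are assumptions about
ComboFix's log format, not a published specification."""

import ipaddress
import re

# Constructed whois excerpt: lines copied from the reply above.
WHOIS_TEXT = """\
inetnum: 222.184.0.0 - 222.191.255.255
netname: CHINANET-JS
descr: CHINANET jiangsu province network
country: CN
"""

# Constructed ComboFix excerpt: lines copied from the original post.
# Raw string because the Windows paths contain backslashes.
COMBOFIX_TEXT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-10-26 17021440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2405280
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2405280&SearchSource=13
"""

# "Name"="path" [YYYY-MM-DD size], the way ComboFix prints Run-key values (assumed format).
RUN_LINE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]')


def inetnum_networks(whois_text):
    """CIDR blocks covering the 'inetnum: first - last' range of a whois record."""
    m = re.search(r"^inetnum:\s*(\S+)\s*-\s*(\S+)", whois_text, re.M)
    if m is None:
        raise ValueError("no inetnum line in whois text")
    first = ipaddress.ip_address(m.group(1))
    last = ipaddress.ip_address(m.group(2))
    return list(ipaddress.summarize_address_range(first, last))


def ip_in_inetnum(ip, whois_text):
    """True if ip falls inside the whois inetnum range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in inetnum_networks(whois_text))


def parse_autostarts(log_text):
    """Run-style registry values from a ComboFix log, tagged with their key."""
    entries, key = [], None
    for line in log_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # registry key header
            continue
        m = RUN_LINE.match(line)
        if m and key:
            entries.append({"key": key, "name": m["name"], "path": m["path"],
                            "date": m["date"], "size": int(m["size"])})
    return entries


def recent_autostarts(entries, since):
    """Autostart entries whose binary is dated on/after `since` ('YYYY-MM-DD').
    ISO dates compare correctly as strings, so no datetime parsing is needed."""
    return [e for e in entries if e["date"] >= since]


def firewall_enabled(log_text):
    """Windows Firewall state from the standardprofile key: True/False, or None if absent."""
    m = re.search(r'^"EnableFirewall"=\s*(\d+)', log_text, re.M)
    return None if m is None else m.group(1) != "0"


def start_page_hosts(log_text):
    """Hosts of every start/search URL in the log (ComboFix defangs http as hxxp)."""
    return set(re.findall(r"hxxp://([^/\s?]+)", log_text))


def triage(log_text, whois_text, blocked_ip, window_start):
    """Human-readable findings combining the whois check and the log parse."""
    findings = []
    if ip_in_inetnum(blocked_ip, whois_text):
        nets = ", ".join(str(n) for n in inetnum_networks(whois_text))
        findings.append(f"{blocked_ip} is inside the whois range {nets}")
    if firewall_enabled(log_text) is False:
        findings.append("Windows Firewall standard profile is disabled (EnableFirewall=0); "
                        "acceptable only if another firewall is really active")
    for host in sorted(start_page_hosts(log_text)):
        findings.append(f"browser start/search page points at {host}")
    for e in recent_autostarts(parse_autostarts(log_text), window_start):
        findings.append(f"autostart {e['name']} -> {e['path']} (binary dated {e['date']})")
    return findings


if __name__ == "__main__":
    for f in triage(COMBOFIX_TEXT, WHOIS_TEXT, "222.186.13.212", "2010-08-17"):
        print("-", f)
```

On the thread's own data this reports that 222.186.13.212 sits in 222.184.0.0/13 (the CHINANET-JS block the reply quoted), that the Windows Firewall standard profile is off, that both IE and Firefox start pages point at search.conduit.com, and that iTunesHelper is the only Run-key binary dated inside the log's 30-day window. The firewall finding needs a caveat the script cannot decide for you: the log also shows Norton Security Suite installed, and a third-party suite that manages the firewall will normally leave the Windows profile disabled, so confirm which firewall is actually active before treating it as a problem. Feed the full log in place of the excerpt and the autostart and start-page checks cover every section ComboFix prints in that format.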
