Jump to content

Lingering Infection

p0ng

By p0ng
in Resolved Malware Removal Logs

 Share

Recommended Posts

p0ng

p0ng

Posted
Posted

I had an infection in July that pretended to be an antivirus which asked me to pay for registration. The effects are still lingering.

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_26

Run by Michael D'Amico at 21:05:07 on 2011-08-08

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1470 [GMT -4:00]

.

AV: Panda Cloud Antivirus *Enabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}

FW: ZoneAlarm Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\System32\ezSP_Px.exe

C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe

C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Documents and Settings\All Users\Application Data\LGMOBILEAX\BYR_Client\VZWNotiAgent.exe

C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe

C:\Documents and Settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [bMUpdate] c:\windows\system32\BMUpdate.exe

uRun: [Google Update] "c:\documents and settings\michael d'amico\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe

mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"

mRun: [OneTouch Monitor] c:\program files\visioneer onetouch\OneTouchMon.exe

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [bYR_AGENT] c:\documents and settings\all users\application data\lgmobileax\byr_client\VZWNotiAgent.exe

mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar

mRun: [Panda Security URL Filtering] "c:\documents and settings\all users\application data\panda security url filtering\Panda_URL_Filtering.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280104430609

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1280116085125

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{874582AC-2E8D-49B2-A853-812278A2FCA3} : DhcpNameServer = 192.168.1.1

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\michael d'amico\application data\mozilla\firefox\profiles\ccdgjkr9.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=

FF - component: c:\documents and settings\michael d'amico\application data\mozilla\firefox\profiles\ccdgjkr9.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll

FF - plugin: c:\documents and settings\michael d'amico\local settings\application data\google\update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

FF - plugin: c:\program files\microsoft silverlight\3.0.50106.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll

.

============= SERVICES / DRIVERS ===============

.

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-3-28 28552]

R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2011-4-28 129992]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-21 532224]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-14 366640]

R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2011-4-28 140608]

R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2011-7-5 143752]

R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2011-4-28 97096]

R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2011-4-28 111688]

R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2011-4-28 112456]

R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\common files\sony shared\vaio entertainment\vzcdb\VzFw.exe [2007-11-21 86098]

R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-14 22712]

R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-4-23 224896]

S1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys --> c:\windows\system32\drivers\klif.sys [?]

S3 PVUSB;CESG502 USB Driver;c:\windows\system32\drivers\CESG502.sys [2007-12-28 40672]

S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-1 26624]

S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\common files\sony shared\vaio entertainment\vcsw\vcsw.exe -runbyscm --> c:\program files\common files\sony shared\vaio entertainment\vcsw\VCSW.exe -RunBySCM [?]

.

=============== Created Last 30 ================

.

2011-08-07 21:42:32 -------- d-----w- c:\documents and settings\michael d'amico\application data\Panda Security

2011-08-07 19:47:47 -------- d-----w- c:\documents and settings\michael d'amico\local settings\application data\panda2_0dn

2011-08-07 19:47:46 -------- d-----w- c:\documents and settings\all users\application data\Panda Security URL Filtering

2011-08-07 19:47:13 -------- d-----w- c:\documents and settings\all users\application data\Panda Security

2011-08-07 19:46:51 -------- d-----w- C:\temp

2011-08-01 03:39:30 44544 ----a-w- c:\windows\system32\msxml4a.dll

2011-08-01 03:38:44 -------- d-----w- c:\documents and settings\all users\application data\LGMOBILEAX

2011-08-01 03:34:56 -------- d-----w- c:\program files\LG Electronics

2011-08-01 03:29:21 -------- d-----w- c:\documents and settings\michael d'amico\local settings\application data\Spotify

2011-08-01 03:29:21 -------- d-----w- c:\documents and settings\michael d'amico\application data\Spotify

2011-08-01 03:29:18 -------- d-----w- c:\program files\Spotify

2011-07-15 11:05:24 -------- d-----w- c:\documents and settings\michael d'amico\application data\Malwarebytes

2011-07-15 02:52:12 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-15 02:52:12 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-07-15 02:52:08 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-15 02:52:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

==================== Find3M ====================

.

2011-07-05 16:12:43 143752 ----a-w- c:\windows\system32\drivers\PSINAflt.sys

.

============= FINISH: 21:06:52.15 ===============

Attach.zip

mbam-log-2011-07-15 (07-15-00).txt

Link to post
Share on other sites
Elise

Elise

Posted
Posted

Hello and :welcome:

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

Link to post
Share on other sites
  • 2 weeks later...
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.