
MalwareBytes - IP Block occurring multiple times per day



Hello.

Recently, I was infected with the Data Recovery scareware. I used MalwareBytes, Hitman Pro, and ComboFix to remove it from my system.

After it was removed, the computer showed no symptoms of being infected, other than a continued series of IP blocks at a rate faster than I am comfortable with.

An example:

15:29:00 Dan IP-BLOCK **.**.228.60 (Type: outgoing)

It's always three of the same IP in succession, and it's seemingly random in terms of timing. There are no significant events that I am doing that prompt it to happen. (It's three of the same IP. I only posted a partial because I don't think it proper to post someone else's IP, and the IP could belong to an infected computer of an innocent person.) I didn't post the whole log, but it's occurred about 6 times today, none yesterday, and 3 on Wednesday.

This is the log from my most recent MWB scan (The DDS Log follows, with the other logs in the attachment.)

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7724

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/16/2011 11:17:15 AM

mbam-log-2011-09-16 (11-17-15).txt

Scan type: Full scan (C:\|)

Objects scanned: 220909

Time elapsed: 38 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

##################

The DDS Log

##################

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_27

Run by Dan at 15:38:16 on 2011-09-16

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.778 [GMT -4:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe

C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe

C:\WINDOWS\system32\IPSSVC.EXE

C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\WINDOWS\System32\TPHDEXLG.EXE

C:\WINDOWS\system32\TpKmpSVC.exe

C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe

C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

c:\program files\lenovo\system update\suservice.exe

C:\Program Files\Common Files\Lenovo\Logger\logmon.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\Program Files\Lenovo\Client Security Solution\cssauth.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\WINDOWS\system32\TpShocks.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe

C:\Program Files\ThinkVantage\AMSG\Amsg.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Lenovo\AwayTask\AwaySch.EXE

C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe

C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe

C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.lenovo.com/welcome/thinkpad

uInternet Connection Wizard,ShellNext = hxxp://www.lenovo.com/welcome/thinkpad

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

mRun: [bLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe

mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper

mRun: [TpShocks] TpShocks.exe

mRun: [TP4EX] tp4ex.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exe

mRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exe

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE

mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe

mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"

mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe

mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe

mRun: [PDService.exe] "c:\program files\lenovo\safeguard privatedisk\pdservice.exe"

mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent

mRun: [LenovoAutoScrollUtility] c:\program files\lenovo\virtscrl\virtscrl.exe

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

StartupFolder: c:\docume~1\dan\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\dan\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe

StartupFolder: c:\docume~1\dan\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\dan\startm~1\programs\startup\autoru~1\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{4352B1AE-EE9E-4EB3-BD3D-78175ECEABBF} : DhcpNameServer = 192.168.1.1

Notify: AtiExtEvent - Ati2evxx.dll

Notify: AwayNotify - c:\program files\lenovo\awaytask\AwayNotify.dll

Notify: psfus - psqlpwd.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\dan\application data\mozilla\firefox\profiles\4lgu1jln.default\

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

.

============= SERVICES / DRIVERS ===============

.

R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2011-8-24 13680]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]

R1 MpKsl080db8c8;MpKsl080db8c8;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4e93c422-c2c1-40e9-bb5e-1015a925cece}\MpKsl080db8c8.sys [2011-9-16 28752]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-13 366152]

R2 PrivateDisk;PrivateDisk;c:\program files\lenovo\safeguard privatedisk\privatediskm.sys [2006-3-13 58368]

R2 smi2;smi2;c:\program files\smi2\smi2.sys [2006-7-14 3968]

R2 smihlp;SMI helper driver;c:\program files\thinkvantage fingerprint software\smihlp.sys [2006-4-25 3456]

R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\lenovo\hotkey\tphkload.exe [2011-8-24 130920]

R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2011-8-24 64952]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-13 22216]

S1 MpKslab69d58d;MpKslab69d58d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{036aa5d4-165a-471e-a8d7-f77282a4f698}\mpkslab69d58d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{036aa5d4-165a-471e-a8d7-f77282a4f698}\MpKslab69d58d.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2011-8-24 45496]

S3 Aken;Aken;\??\c:\documents and settings\dan\local settings\application data\0 a.d. alpha\binaries\system\aken.sys --> c:\documents and settings\dan\local settings\application data\0 a.d. alpha\binaries\system\aken.sys [?]

S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-09-16 19:23:36 -------- d-sh--w- c:\documents and settings\dan\PrivacIE

2011-09-16 12:37:32 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4e93c422-c2c1-40e9-bb5e-1015a925cece}\MpKsl080db8c8.sys

2011-09-16 11:39:17 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4e93c422-c2c1-40e9-bb5e-1015a925cece}\mpengine.dll

2011-09-15 07:33:45 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

2011-09-15 07:11:51 98816 ----a-w- c:\windows\sed.exe

2011-09-15 07:11:51 518144 ----a-w- c:\windows\SWREG.exe

2011-09-15 07:11:51 256000 ----a-w- c:\windows\PEV.exe

2011-09-15 07:11:51 208896 ----a-w- c:\windows\MBR.exe

2011-09-15 07:00:38 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

2011-09-14 22:53:18 274288 ----a-w- c:\windows\system32\mucltui.dll

2011-09-14 22:53:18 215920 ----a-w- c:\windows\system32\muweb.dll

2011-09-14 22:53:18 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

2011-09-14 21:12:36 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-09-14 21:12:36 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy

2011-09-14 03:21:43 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-09-14 03:18:06 -------- d-----w- c:\program files\Microsoft Security Client

2011-09-14 03:03:21 12872 ----a-w- c:\windows\system32\bootdelete.exe

2011-09-14 03:00:52 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-09-14 02:51:23 -------- d-----w- c:\program files\Hitman Pro 3.5

2011-09-14 02:50:57 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro

2011-09-14 02:14:25 -------- d-----w- c:\documents and settings\dan\application data\Malwarebytes

2011-09-14 02:14:20 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-09-14 02:14:17 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-14 02:14:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-12 14:34:02 -------- d-----w- c:\documents and settings\dan\local settings\application data\Identities

2011-09-11 05:31:01 -------- d-----w- c:\program files\SplitMediaLabs

2011-09-09 18:43:07 -------- d-----w- c:\documents and settings\dan\application data\OpenOffice.org

2011-09-09 17:56:04 -------- d-----w- c:\program files\OpenOffice.org 3

2011-09-09 00:24:41 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll

2011-09-09 00:24:41 528216 ----a-w- c:\windows\system32\XAudio2_6.dll

2011-09-09 00:24:40 238936 ----a-w- c:\windows\system32\xactengine3_6.dll

2011-09-09 00:24:39 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll

2011-09-09 00:24:22 -------- d-----w- c:\program files\Microsoft XNA

2011-09-06 15:38:48 -------- d-----w- c:\documents and settings\dan\local settings\application data\Adobe

2011-09-05 04:50:36 -------- d-----w- c:\program files\Mount&Blade

2011-09-05 04:40:25 -------- d-----w- c:\documents and settings\dan\application data\Mount&Blade Warband

2011-09-05 04:40:22 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll

2011-09-05 04:40:20 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll

2011-09-03 21:20:10 -------- d-----w- c:\documents and settings\dan\application data\.minecraft

2011-09-03 10:17:37 599040 ------w- c:\windows\system32\dllcache\crypt32.dll

2011-09-02 00:02:42 453456 ----a-w- c:\windows\system32\d3dx10_41.dll

2011-09-02 00:02:42 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll

2011-09-02 00:02:42 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll

2011-09-02 00:02:41 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll

2011-09-02 00:02:41 517448 ----a-w- c:\windows\system32\XAudio2_4.dll

2011-09-02 00:02:41 235352 ----a-w- c:\windows\system32\xactengine3_4.dll

2011-09-02 00:02:41 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll

2011-09-02 00:01:34 -------- d-----w- c:\windows\system32\AGEIA

2011-08-29 06:34:23 -------- d-----w- c:\documents and settings\dan\local settings\application data\PDF24

2011-08-29 05:53:21 -------- d-----w- c:\program files\PDF24

2011-08-28 04:58:59 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys

2011-08-28 04:58:59 17024 ----a-w- c:\windows\system32\dllcache\ccdecode.sys

2011-08-28 04:58:54 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

2011-08-28 04:58:54 60032 ----a-w- c:\windows\system32\dllcache\usbaudio.sys

2011-08-28 04:58:48 91136 ----a-w- c:\windows\system32\kswdmcap.ax

2011-08-28 04:58:48 61952 ----a-w- c:\windows\system32\kstvtune.ax

2011-08-28 04:58:48 53760 ----a-w- c:\windows\system32\vfwwdm32.dll

2011-08-28 04:58:48 53760 ----a-w- c:\windows\system32\dllcache\vfwwdm32.dll

2011-08-28 04:58:48 43008 ----a-w- c:\windows\system32\ksxbar.ax

2011-08-28 04:58:48 20992 ----a-w- c:\windows\system32\dshowext.ax

2011-08-28 04:58:44 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2011-08-28 04:58:44 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys

2011-08-28 02:11:16 -------- d-----w- c:\program files\SystemRequirementsLab

2011-08-27 23:28:28 -------- d-----w- c:\documents and settings\dan\riotsGamesLogs

2011-08-27 06:43:59 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll

2011-08-27 05:07:42 -------- d-----w- c:\documents and settings\dan\application data\SplitMediaLabs

2011-08-27 04:49:38 -------- d-----w- c:\documents and settings\all users\application data\SplitMediaLabs

2011-08-26 01:18:14 -------- d-----w- c:\documents and settings\dan\application data\LolClient

2011-08-25 20:14:53 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys

2011-08-25 20:14:51 45568 ------w- c:\windows\system32\dllcache\wab.exe

2011-08-25 20:13:41 954368 ------w- c:\windows\system32\dllcache\mfc40.dll

2011-08-25 20:13:41 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll

2011-08-25 20:13:27 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

2011-08-25 20:12:37 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys

2011-08-25 20:11:18 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-25 20:11:09 105472 ------w- c:\windows\system32\dllcache\mup.sys

2011-08-25 04:54:51 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-08-25 04:54:51 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-08-25 04:22:24 -------- d-----w- c:\windows\system32\scripting

2011-08-25 04:22:24 -------- d-----w- c:\windows\system32\en

2011-08-25 04:22:24 -------- d-----w- c:\windows\system32\bits

2011-08-25 04:22:24 -------- d-----w- c:\windows\l2schemas

2011-08-25 04:19:43 -------- d-----w- c:\windows\network diagnostic

2011-08-25 04:18:01 -------- d-----w- c:\windows\EHome

2011-08-25 04:07:59 -------- d-----w- c:\windows\system32\XPSViewer

2011-08-25 04:07:42 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll

2011-08-25 04:07:34 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2011-08-25 04:07:34 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2011-08-25 04:07:34 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2011-08-25 04:07:34 575488 ------w- c:\windows\system32\xpsshhdr.dll

2011-08-25 04:07:34 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll

2011-08-25 04:07:34 1676288 ------w- c:\windows\system32\xpssvcs.dll

2011-08-25 04:07:34 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll

2011-08-25 04:07:34 117760 ------w- c:\windows\system32\prntvpt.dll

2011-08-25 04:05:37 -------- d-----w- c:\program files\MSXML 6.0

2011-08-25 04:03:59 -------- d-sh--w- c:\documents and settings\dan\IETldCache

2011-08-25 03:45:38 -------- d-----w- c:\windows\ie8updates

2011-08-25 03:45:17 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2011-08-25 03:45:17 602112 ------w- c:\windows\system32\dllcache\msfeeds.dll

2011-08-25 03:45:17 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll

2011-08-25 03:45:17 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll

2011-08-25 03:45:17 1991680 ------w- c:\windows\system32\dllcache\iertutil.dll

2011-08-25 03:45:17 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2011-08-25 03:45:17 11081728 ------w- c:\windows\system32\dllcache\ieframe.dll

2011-08-25 03:44:52 -------- dc----w- c:\windows\ie8

2011-08-25 03:37:18 -------- d-----w- c:\windows\system32\LogFiles

2011-08-25 03:17:16 0 ----a-w- c:\windows\ativpsrm.bin

2011-08-25 03:07:02 729088 ------w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll

2011-08-25 03:07:02 69715 ------w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll

2011-08-25 03:07:02 5632 ------w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe

2011-08-25 03:07:02 266240 ------w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll

2011-08-25 03:07:02 192512 ------w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll

2011-08-25 03:07:01 311428 ------w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll

2011-08-25 03:07:01 188548 ------w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll

2011-08-25 03:06:15 290816 ----a-w- c:\windows\system32\atiok3x2.dll

2011-08-25 03:06:14 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll

2011-08-25 03:06:14 126976 ----a-w- c:\windows\system32\atiadlxx.dll

2011-08-25 03:06:14 118784 ----a-w- c:\windows\system32\atibrtmon.exe

2011-08-25 03:06:13 49664 ----a-w- c:\windows\system32\amdpcom32.dll

2011-08-25 03:05:30 13680 ----a-w- c:\windows\system32\drivers\smiif32.sys

2011-08-25 03:04:48 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll

2011-08-25 03:04:34 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll

2011-08-25 03:04:32 120104 ----a-w- c:\windows\system32\SynTPCo9.dll

2011-08-25 03:04:02 144128 ------w- c:\windows\system32\dllcache\usbport.sys

2011-08-25 03:03:59 593960 ----a-w- c:\windows\qfeA1.tmp

2011-08-25 03:03:30 525624 ----a-w- c:\windows\qfe97.tmp

2011-08-25 03:03:03 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys

2011-08-25 03:02:20 534920 ----a-w- c:\windows\qfe73.tmp

2011-08-25 01:54:35 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-25 00:54:17 68616 ----a-w- c:\windows\system32\XAPOFX1_1.dll

2011-08-25 00:54:17 509448 ----a-w- c:\windows\system32\XAudio2_2.dll

2011-08-25 00:54:16 467984 ----a-w- c:\windows\system32\d3dx10_39.dll

2011-08-25 00:54:16 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll

2011-08-25 00:54:14 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll

2011-08-25 00:54:10 -------- d-----w- c:\windows\Logs

2011-08-25 00:50:19 -------- d-----w- C:\Riot Games

2011-08-24 10:01:46 -------- d-----w- c:\windows\ServicePackFiles

2011-08-24 10:01:02 -------- d-----w- c:\program files\MSXML 4.0

2011-08-24 05:48:52 -------- d-----w- c:\documents and settings\dan\local settings\application data\PMB Files

2011-08-24 05:48:49 -------- d-----w- c:\documents and settings\all users\application data\PMB Files

2011-08-24 05:47:05 -------- d-----w- c:\program files\Pando Networks

2011-08-24 05:27:54 -------- d-----r- c:\program files\Skype

2011-08-24 05:17:31 -------- d-----w- c:\documents and settings\dan\local settings\application data\PackageAware

2011-08-24 05:13:41 -------- d-----w- c:\program files\common files\Steam

2011-08-24 05:11:56 272128 ------w- c:\windows\system32\drivers\bthport.sys

2011-08-24 05:11:56 272128 ------w- c:\windows\system32\dllcache\bthport.sys

2011-08-24 05:11:36 357888 ------w- c:\windows\system32\dllcache\srv.sys

2011-08-24 05:09:32 153088 ------w- c:\windows\system32\dllcache\triedit.dll

2011-08-24 05:09:23 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2011-08-24 04:58:15 203136 ------w- c:\windows\system32\dllcache\rmcast.sys

2011-08-24 04:57:58 331776 ------w- c:\windows\system32\dllcache\msadce.dll

2011-08-24 04:49:18 2066432 ------w- c:\windows\system32\dllcache\mstscax.dll

2011-08-24 04:48:46 337408 ------w- c:\windows\system32\dllcache\netapi32.dll

2011-08-24 04:48:40 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll

2011-08-24 04:42:42 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-08-24 04:42:42 218112 ------w- c:\windows\system32\dllcache\wordpad.exe

2011-08-24 04:38:45 -------- d-----w- c:\windows\system32\PreInstall

2011-08-24 04:30:59 2106216 ------w- c:\program files\mozilla firefox\D3DCompiler_43.dll

2011-08-24 04:30:59 19416 ------w- c:\program files\mozilla firefox\AccessibleMarshal.dll

2011-08-24 04:30:59 125912 ------w- c:\program files\mozilla firefox\crashreporter.exe

2011-08-24 04:27:29 -------- d-----w- c:\windows\system32\SoftwareDistribution

2011-08-24 04:25:27 -------- d-----w- c:\windows\system32\Client Security Solution

2011-08-24 04:07:42 25840 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\mdippr.dll

2011-08-24 04:07:42 24816 ----a-w- c:\windows\system32\mdimon.dll

2011-08-24 04:01:44 -------- d-sh--r- C:\RRbackups

2011-08-24 04:00:41 115880 ----a-w- c:\windows\system32\pxinsi64.exe

2011-08-24 04:00:41 114856 ----a-w- c:\windows\system32\pxcpyi64.exe

2011-08-24 03:59:39 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS

2011-08-24 03:59:33 -------- d-----w- c:\program files\SMI2

2011-08-24 03:59:32 -------- d-----w- c:\program files\TVT SMBus

2011-08-24 03:59:28 -------- d-----w- C:\SWSHARE

2011-08-24 03:59:26 7012 ----a-w- c:\windows\system32\drivers\pmemnt.sys

2011-08-24 03:59:25 23552 ----a-w- c:\windows\system32\drivers\psasrv.exe

2011-08-24 03:58:55 583232 ----a-w- c:\windows\system32\tvt_gina.dll

2011-08-24 03:58:55 288320 ----a-w- c:\windows\system32\tvt_gina_api.dll

2011-08-24 03:58:53 6016 ----a-w- c:\windows\system32\drivers\IBMBLDID.sys

2011-08-24 03:58:53 11520 ----a-w- c:\windows\system32\drivers\ANC.sys

2011-08-24 03:58:39 -------- d-----w- c:\program files\Diskeeper Corporation

2011-08-24 03:58:32 -------- d-----w- c:\windows\Downloaded Installations

2011-08-24 03:58:13 114688 ----a-w- c:\windows\desktopset.exe

2011-08-24 03:52:49 -------- d-----w- c:\program files\Symantec Client Security

2011-08-24 03:52:49 -------- d-----w- c:\program files\common files\Symantec Shared

2011-08-24 03:52:49 -------- d-----w- c:\documents and settings\all users\application data\Symantec

2011-08-24 03:51:52 -------- d-----w- c:\program files\PCDR5

2011-08-24 03:51:18 -------- d-----w- c:\program files\common files\Lenovo

2011-08-24 03:50:55 -------- d-----w- c:\program files\Multimedia Center for Think Offerings

2011-08-24 03:50:32 -------- d-----w- c:\program files\common files\Sonic Shared

2011-08-24 03:49:58 21060 ----a-w- c:\windows\system32\drivers\iviaspi.sys

2011-08-24 03:49:26 -------- d-----w- c:\program files\common files\InterVideo

2011-08-24 03:49:07 204800 ----a-w- c:\windows\system32\IVIresizeW7.dll

2011-08-24 03:49:07 20480 ----a-w- c:\windows\system32\IVIresize.dll

2011-08-24 03:49:07 200704 ----a-w- c:\windows\system32\IVIresizeA6.dll

2011-08-24 03:49:07 192512 ----a-w- c:\windows\system32\IVIresizeP6.dll

2011-08-24 03:49:07 192512 ----a-w- c:\windows\system32\IVIresizeM6.dll

2011-08-24 03:49:07 188416 ----a-w- c:\windows\system32\IVIresizePX.dll

2011-08-24 03:49:01 -------- d-----w- c:\program files\InterVideo

2011-08-24 03:48:40 44544 ----a-w- c:\windows\system32\msxml4a.dll

2011-08-24 03:48:39 -------- d-----w- c:\documents and settings\all users\application data\Lenovo

2011-08-24 03:47:46 917504 ----a-w- c:\windows\system32\ahlprun.exe

2011-08-24 03:47:46 -------- d-----w- C:\Icons

2011-08-24 03:47:30 -------- d-----w- c:\program files\ThinkVantage

2011-08-24 03:41:42 53248 ----a-w- c:\windows\system32\wdmioctl.dll

2011-08-24 03:40:23 7168 ----a-w- c:\windows\system32\drivers\TSMAPIP.SYS

2011-08-24 03:40:15 77824 ----a-r- c:\windows\system32\athcfg11res.dll

2011-08-24 03:40:15 651264 ----a-w- c:\windows\system32\libeay32.dll

2011-08-24 03:40:15 393216 ----a-w- c:\windows\system32\wcapi.dll

2011-08-24 03:40:15 372736 ----a-r- c:\windows\system32\athcfg11.dll

2011-08-24 03:40:15 360532 ----a-w- c:\windows\system32\acs.exe

2011-08-24 03:40:15 344155 ----a-w- c:\windows\system32\wcapiU.dll

2011-08-24 03:40:15 299102 ----a-w- c:\windows\system32\athcfg20U.dll

2011-08-24 03:40:15 237568 ----a-w- c:\windows\system32\athcfg20.dll

2011-08-24 03:40:15 163840 ----a-w- c:\windows\system32\oemres.dll

2011-08-24 03:40:15 147456 ----a-w- c:\windows\system32\ssleay32.dll

2011-08-24 03:40:15 114791 ----a-w- c:\windows\system32\athcfg20resU.dll

2011-08-24 03:40:15 114765 ----a-w- c:\windows\system32\athcfg20res.dll

2011-08-24 03:38:55 88576 ----a-w- c:\windows\system32\drivers\shockprf.sys

2011-08-24 03:37:59 77824 ------w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll

2011-08-24 03:36:40 726528 ----a-w- c:\windows\system32\dllcache\jscript.dll

2011-08-24 03:35:52 28672 ----a-w- c:\windows\system32\verclsid.exe

2011-08-24 03:35:46 614532 ------w- c:\program files\common files\installshield\engine\6\intel 32\IKernel.exe

2011-08-24 03:34:14 -------- d-----w- c:\program files\Windows Media Connect 2

2011-08-24 03:31:55 819200 ------w- c:\program files\windows media player\wmsetsdk.exe

2011-08-24 03:31:55 47616 ------w- c:\program files\windows media player\msoobci.dll

2011-08-24 03:31:38 -------- d-----w- c:\windows\RegisteredPackages

2011-08-24 03:28:57 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2011-08-24 03:28:55 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

2011-08-24 03:28:51 14208 ----a-w- c:\windows\system32\drivers\battc.sys

2011-08-24 03:28:51 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys

2011-08-24 03:28:50 13952 ----a-w- c:\windows\system32\drivers\cmbatt.sys

2011-08-24 03:28:39 7168 ----a-w- c:\windows\system32\hccoin.dll

2011-08-24 03:28:39 30208 ----a-w- c:\windows\system32\drivers\usbehci.sys

2011-08-24 03:28:24 19584 ----a-w- c:\windows\system32\drivers\rasirda.sys

2011-08-24 03:28:22 88192 ----a-w- c:\windows\system32\drivers\irda.sys

2011-08-24 03:28:22 8192 ----a-w- c:\windows\system32\wshirda.dll

2011-08-24 03:28:22 151552 ----a-w- c:\windows\system32\irftp.exe

2011-08-24 03:28:21 28672 ----a-w- c:\windows\system32\drivers\nscirda.sys

2011-08-24 03:20:52 -------- d-----w- C:\SWTOOLS

2011-08-24 03:17:30 -------- d---a-w- C:\I386

.

==================== Find3M ====================

.

2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

.

============= FINISH: 15:38:43.57 ===============

Logs.zip


  • Staff

Hi and welcome to Malwarebytes.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is named like UtilityName.Version_Date_Time_log.txt; for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Next, grab a fresh copy of ComboFix, run it, and post its log.

-screen317


  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.


Ok - so ESET picked up an infection and got rid of it. I'm monitoring everything for now, and rescanning with ESET to be sure it actually got deleted.

Here is everything you had wanted. Thank you very much for the help - if you can keep this topic open for a day or two, just in case it wasn't what ESET detected which was causing the issue, I would appreciate that.

=====

ESET

=====

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=7853edb1334dea428ffcc13d3f6adf58

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-09-24 01:04:58

# local_time=2011-09-23 09:04:58 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=1024 16777215 100 0 0 0 0 0

# compatibility_mode=5891 16776533 42 87 0 12754616 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=67131

# found=1

# cleaned=1

# scan_time=2953

C:\System Volume Information\_restore{3BEEC17C-D923-47C4-8980-270374C47ECD}\RP54\A0016243.exe a variant of Win32/1AntiVirus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

=====

SECURITY CHECK

=====

Results of screen317's Security Check version 0.99.18

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

Microsoft Security Essentials

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 27

Adobe Flash Player 10.3.183.7

Adobe Reader X (10.1.1)

Mozilla Firefox (x86 en-US..)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Windows Defender MSMpEng.exe

Malwarebytes' Anti-Malware mbamservice.exe

Malwarebytes' Anti-Malware mbamgui.exe

Microsoft Security Essentials msseces.exe

Microsoft Security Client Antimalware MsMpEng.exe

``````````End of Log````````````


Another IP block came up.

In another note, I'm certain that they are all from Skype, as they do not appear when Skype is not running. I am removing and reinstalling Skype at the moment to see if that has any effect (I saw this, which had the exact same IP issue, exact same IP at some points, and a person who went through a plethora of scans like myself to no avail. I figure it's a quick little step that I can rule out on my own, then resume using anything you suggest I do.)


  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
