
ping.exe and svchost being blocked 8 times a minute by MBAM



After malwarebytes successfully removed a fake security program, it has been non-stop blocking malicious IP addresses. About 8 per minute, even when no browsers are open. It is usually ping.exe that is being blocked or svchost.exe.

I don't have the tools to see which process is calling these programs to figure out the problem.

I have attached quarantine logs from the removal as logs.zip.

I have attached the protection logs as Protection Logs.zip

I also ran Microsoft Security Essentials afterwards and it found and removed:

Exploit:Java/Blacole.AV

Exploit:Java/Blacole.AX

Exploit:Java/Blacole.AT

TrojanDownloader:Win32/Karagany.G

Here is the requested cut & paste

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.0.0

Run by drule at 9:24:10 on 2011-11-16

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.1964 [GMT -8:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

C:\Program Files\Intel\WiFi\bin\WLKeeper.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\idt\dellxpm09b_6124v037\wdm\stacsv.exe

C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe

C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe

svchost.exe

C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

C:\Program Files\Java\jre7\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\IDT\WDM\sttray.exe

C:\WINDOWS\system32\AESTFltr.exe

C:\Program Files\DellTPad\Apoint.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe

C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\drule.PERF.000\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Documents and Settings\drule.PERF.000\Local Settings\Application Data\Plaxo\3.30.0.45\PlaxoHelper_en.exe

C:\Program Files\Ipswitch\IM Client\IMClient.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\Program Files\PdaNet for Android\PdaNetPC.exe

C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

C:\Program Files\Microsoft Office\Office12\WINWORD.EXE

C:\Program Files\Notepad++\notepad++.exe

C:\Program Files\Microsoft Office\Office12\EXCEL.EXE

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Documents and Settings\drule.PERF.000\My Documents\Downloads\eclipse-cpp-indigo-incubation-win32\eclipse\eclipse.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\drule.PERF.000\My Documents\Downloads\Tcpview.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\System32\ping.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcrobatInfo.exe

.

============== Pseudo HJT Report ===============

.

uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe" //eml:c:\documents and settings\drule.perf.000\local settings\temporary internet files\content.outlook\ezxl21lq\noname.eml

uInternet Settings,ProxyServer = 3.128.4.14:80

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll

uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Google Update] "c:\documents and settings\drule.perf.000\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [PlaxoUpdate] c:\documents and settings\drule.perf.000\local settings\application data\plaxo\3.30.0.45\PlaxoHelper_en.exe -a

uRun: [PlaxoSysTray] c:\documents and settings\drule.perf.000\local settings\application data\plaxo\3.30.0.45\PlaxoSysTray.exe

uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10w_Plugin.exe -update plugin

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe

mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"

mRun: [intelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

StartupFolder: c:\docume~1\drulep~1.000\startm~1\programs\startup\pdanet~1.lnk - c:\program files\pdanet for android\PdaNetPC.exe

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\imclie~1.lnk - c:\program files\ipswitch\im client\IMClient.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab

DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} - hxxp://xserv.dell.com/DellDriverScanner/DellSystem.CAB

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpn.psware.com/dana-cached/sc/JuniperSetupClient.cab

TCP: DhcpNameServer = 192.168.1.15 64.105.163.106

TCP: Interfaces\{C471AC94-2C11-43F4-9B90-E20B101C2CEB} : DhcpNameServer = 192.168.1.15 64.105.163.106

TCP: Interfaces\{EF999E49-1D39-40E2-80DD-F4C263CD3A91} : DhcpNameServer = 192.168.1.15 64.105.163.106

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\drule.perf.000\application data\mozilla\firefox\profiles\ael2phq6.default\

FF - plugin: c:\documents and settings\drule.perf.000\application data\mozilla\plugins\npatgpc.dll

FF - plugin: c:\documents and settings\drule.perf.000\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\drule.perf.000\application data\mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\documents and settings\drule.perf.000\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\documents and settings\drule.perf.000\local settings\application data\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]

R1 MpKsl97bc4c31;MpKsl97bc4c31;c:\documents and settings\all users.windows\application data\microsoft\microsoft antimalware\definition updates\{153c3fce-cebc-49ff-906b-dbca7c50f09c}\MpKsl97bc4c31.sys [2011-11-15 28752]

R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2011-7-20 143248]

R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2011-7-20 41936]

R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2010-3-23 812448]

R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2010-3-23 27040]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-12-2 366152]

R2 MotoHelper;MotoHelper Service;c:\program files\motorola\motohelper\MotoHelperService.exe [2011-8-10 227184]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2011-7-6 112128]

R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2011-7-6 33832]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2011-7-6 244368]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-6 22216]

R3 NETwNx32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwNx32.sys [2011-7-6 6650752]

R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2011-9-6 9472]

R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2010-12-1 100560]

R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2010-12-1 111504]

R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-11-16 41272]

S0 cerc6;cerc6; [x]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 splunkdrv;splunkdrv;\??\c:\program files\splunk\bin\splunkdrv.sys --> c:\program files\splunk\bin\splunkdrv.sys [?]

S3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\drivers\tapoas.sys [2011-3-23 26112]

.

=============== Created Last 30 ================

.

2011-11-16 16:57:34 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-11-15 17:40:36 28752 ----a-w- c:\documents and settings\all users.windows\application data\microsoft\microsoft antimalware\definition updates\{153c3fce-cebc-49ff-906b-dbca7c50f09c}\MpKsl97bc4c31.sys

2011-11-15 17:40:32 56200 ----a-w- c:\documents and settings\all users.windows\application data\microsoft\microsoft antimalware\definition updates\{153c3fce-cebc-49ff-906b-dbca7c50f09c}\offreg.dll

2011-11-15 17:40:29 6668624 ----a-w- c:\documents and settings\all users.windows\application data\microsoft\microsoft antimalware\definition updates\{153c3fce-cebc-49ff-906b-dbca7c50f09c}\mpengine.dll

2011-11-15 17:40:19 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-11-02 10:00:15 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

2011-11-01 18:48:10 -------- d-----w- c:\program files\Microsoft Device Emulator

2011-11-01 18:48:04 -------- d-----w- c:\program files\Microsoft SQL Server 2005 Mobile Edition

2011-11-01 18:30:48 -------- d-----w- c:\program files\HTML Help Workshop

2011-11-01 18:30:48 -------- d-----w- c:\program files\common files\Merge Modules

2011-11-01 18:30:48 -------- d-----w- c:\program files\CE Remote Tools

2011-11-01 18:30:48 -------- d-----w- c:\documents and settings\all users.windows\application data\PreEmptive Solutions

2011-11-01 18:29:38 -------- d-----w- c:\program files\Microsoft Visual Studio 8

.

==================== Find3M ====================

.

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 18:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-15 18:30:41 544656 ----a-w- c:\windows\system32\deployJava1.dll

2011-09-15 18:30:41 128000 ----a-w- c:\windows\system32\javacpl.cpl

2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-09-01 01:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-30 14:47:33 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:48:54 43520 ------w- c:\windows\system32\licmgr10.dll

2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:56:39 385024 ------w- c:\windows\system32\html.iec

.

============= FINISH: 9:26:20.96 ===============

Attach.zip

Logs.zip

Protection Logs.zip

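Since the post above says no tool is at hand to see which process launches ping.exe, here is an added example (not from this thread or from Malwarebytes) that records the parent of every new ping.exe or svchost.exe process so each MBAM block can be tied to whatever started it. It assumes Windows XP SP3 with PowerShell 2.0, an administrator prompt, and a log file path on the Desktop that is only an assumption.

```powershell
# Added example, not from the thread: watch for new ping.exe / svchost.exe
# processes and record which process started them, so each MBAM block can be
# traced back to a parent. Uses WMI process-creation events (available on
# Windows XP SP3 with PowerShell 2.0); run from an administrator prompt.
# The log path is an assumption; change it as needed.
$logPath = Join-Path $env:USERPROFILE 'Desktop\parent-watch.txt'

# WITHIN 1 = WMI polls once per second, so a ping that exits faster than that
# can be missed; leave the watcher running while MBAM keeps blocking.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 " +
         "WHERE TargetInstance ISA 'Win32_Process' " +
         "AND (TargetInstance.Name = 'ping.exe' OR TargetInstance.Name = 'svchost.exe')"

Register-WmiEvent -Query $query -SourceIdentifier ProcWatch
try {
    while ($true) {
        $ev    = Wait-Event -SourceIdentifier ProcWatch
        $child = $ev.SourceEventArgs.NewEvent.TargetInstance

        # Look the parent up by PID; it may already have exited, in which
        # case only the PID is known.
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($child.ParentProcessId)"
        if ($parent) {
            $parentText = "$($parent.Name) [$($parent.ProcessId)] $($parent.ExecutablePath)"
        } else {
            $parentText = "<already exited, pid $($child.ParentProcessId)>"
        }

        $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        $line  = "$stamp  child=$($child.Name) [$($child.ProcessId)] cmd=$($child.CommandLine)  parent=$parentText"
        Write-Host $line
        Add-Content -Path $logPath -Value $line

        # Wait-Event does not consume the event; drop it so it is not re-read.
        Remove-Event -EventIdentifier $ev.EventIdentifier
    }
}
finally {
    Unregister-Event -SourceIdentifier ProcWatch
}
```

A svchost.exe whose parent is anything other than services.exe, or a parent running from a user profile directory, is the process to report; pasting those log lines into the reply gives the helper what the protection log alone cannot show.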

Hello davidarule! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copied and pasted into your next reply.

Please do not attach your log files, just post them in your reply.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
