Possible Infection?

6 replies to this topic

#1 sunshah (Members, 49 posts)

Posted 18 March 2009 - 12:35 AM

Every time I connect to any streaming TV software like (TVU, OOX) I am able to connect and watch the streaming TV properly, but after that I am not able to connect to the internet. Every time I have to reboot my wireless router to connect again.

I observed the following additional entry (195.245.119.131 browser-security.microsoft.com)
in my Windows HOSTS file (C:\WINDOWS\SYSTEM32\DRIVERS\etc\HOSTS).


I also ran SUPERAntiSpyware and MBAM but could not find anything. Am I infected? Please help.

****************************************************

# Copyright 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost

195.245.119.131 browser-security.microsoft.com

******************

Thanks in Advance

#2 Budapest, Bleepin' Cynic (Moderator, 23,579 posts)

Posted 18 March 2009 - 01:18 AM

That sounds like the leftovers of an infection. Run this scan, which will check for malware and also reset the HOSTS file (assuming you have XP).

Please print out and follow these instructions: "How to use SDFix". This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 sunshah, Topic Starter (Members, 49 posts)

Posted 20 March 2009 - 10:33 PM

Hi Budapest

My apologies for not replying. I was away. Here is the SDFix log:

**************
SDFix: Version 1.240
Run by Sanjay on Fri 03/20/2009 at 23:15

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Temp\1cb\syscheck.log - Deleted



Folder C:\Temp\1cb - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-20 23:22:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gaopdxserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\gaopdxmlimxdoy.sys"
"group"="file system"
"userdata"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules]
"gaopdxserv"="\\?\globalroot\systemroot\system32\drivers\gaopdxmlimxdoy.sys"
"gaopdxl"="\\?\globalroot\systemroot\system32\gaopdxjgktbwop.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\gaopdxmlimxdoy.sys"
"group"="file system"
"userdata"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules]
"gaopdxserv"="\\?\globalroot\systemroot\system32\drivers\gaopdxmlimxdoy.sys"
"gaopdxl"="\\?\globalroot\systemroot\system32\gaopdxjgktbwop.dll"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib]
"Last Counter"=dword:00001b96
"Last Help"=dword:00001b97

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"="C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe:*:Enabled:CyberLink PowerCinema Resident Program"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Mercury Interactive\\LoadRunner\\bin\\rcmdl.exe"="C:\\Program Files\\Mercury Interactive\\LoadRunner\\bin\\rcmdl.exe:*:Enabled:Remote Command Launcher"
"C:\\Program Files\\Mercury Interactive\\LoadRunner\\bin\\mercpmap.exe"="C:\\Program Files\\Mercury Interactive\\LoadRunner\\bin\\mercpmap.exe:*:Enabled:Portmapper"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"="C:\\Program Files\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"="C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe:*:Enabled:Dell Network Assistant"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"="C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Documents and Settings\\Sanjay\\Application Data\\mjusbsp\\magicJack.exe"="C:\\Documents and Settings\\Sanjay\\Application Data\\mjusbsp\\magicJack.exe:*:Enabled:magicJack"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 13 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Sun 13 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Tue 23 Sep 2008 6,108,728 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Sun 13 Apr 2008 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Wed 18 Oct 2006 64,000 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
Sat 14 Mar 2009 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Sat 14 Mar 2009 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Sat 26 Jul 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 14 Mar 2009 242,743,296 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d346b7396358ac7bd3dcc0e62b35367d\BIT18.tmp"
Wed 17 Dec 2008 723,120 A..H. --- "C:\Documents and Settings\Sanjay\Application Data\mjusbsp\ar00000\install.exe"
Wed 17 Dec 2008 6,529,320 A..H. --- "C:\Documents and Settings\Sanjay\Application Data\mjusbsp\in00000\setup.exe"
Wed 17 Dec 2008 723,120 A..H. --- "C:\Documents and Settings\Sanjay\Application Data\mjusbsp\Upgrade\install1.exe"
Wed 17 Dec 2008 6,529,320 A..H. --- "C:\Documents and Settings\Sanjay\Application Data\mjusbsp\Upgrade\setup1.exe"
Fri 18 Jan 2008 64,512 ...H. --- "C:\Documents and Settings\Amee\My Documents\QATesting work\RESUME10\Amee\~WRL1030.tmp"
Sat 19 Jan 2008 64,512 ...H. --- "C:\Documents and Settings\Amee\My Documents\QATesting work\RESUME10\Amee\~WRL1047.tmp"
Sat 19 Jan 2008 64,512 ...H. --- "C:\Documents and Settings\Amee\My Documents\QATesting work\RESUME10\Amee\~WRL1737.tmp"
Sat 19 Jan 2008 64,512 ...H. --- "C:\Documents and Settings\Amee\My Documents\QATesting work\RESUME10\Amee\~WRL2300.tmp"
Sat 19 Jan 2008 65,536 ...H. --- "C:\Documents and Settings\Amee\My Documents\QATesting work\RESUME10\Amee\~WRL2748.tmp"
Sat 19 Jan 2008 64,512 ...H. --- "C:\Documents and Settings\Amee\My Documents\QATesting work\RESUME10\Amee\~WRL2807.tmp"
Sat 1 Dec 2007 8 A..H. --- "C:\Documents and Settings\Amee\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sat 1 Dec 2007 8 A..H. --- "C:\Documents and Settings\Amee\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sat 1 Dec 2007 8 A..H. --- "C:\Documents and Settings\Amee\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sat 1 Dec 2007 8 A..H. --- "C:\Documents and Settings\Amee\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Mon 10 Dec 2007 8 A..H. --- "C:\Documents and Settings\Amee\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u5\lock.tmp"

Finished!
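The catchme section of the SDFix log above lists a service (gaopdxserv.sys) that was hidden from the normal service list, with its driver and DLL paths. The parser below, added here as an example and not part of SDFix, catchme or the thread, reads that registry-export style output, decodes the dword and str(2) values, and collects per service the start type, service type and every file path referenced from the service key and its "modules" subkey, so the files to submit for analysis or quarantine are listed in one place. The embedded sample is a constructed excerpt of the log in this post (the CurrentControlSet blocks plus the Perflib entry, which is not a service and must be ignored).

```python
"""Extract hidden services and their on-disk files from catchme/SDFix output.

Added example, not from the thread or from the tools it names.
"""
import re

# Constructed excerpt of the catchme section of the SDFix log above.
SAMPLE_CATCHME = r"""
scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\gaopdxmlimxdoy.sys"
"group"="file system"
"userdata"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules]
"gaopdxserv"="\\?\globalroot\systemroot\system32\drivers\gaopdxmlimxdoy.sys"
"gaopdxl"="\\?\globalroot\systemroot\system32\gaopdxjgktbwop.dll"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib]
"Last Counter"=dword:00001b96
"""

# Standard Windows service "Start" and "Type" value meanings.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
SERVICE_TYPES = {1: "kernel driver", 2: "file system driver",
                 16: "win32 own process", 32: "win32 shared process"}

_KEY = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]+)"=(.*)$')
_STR_N = re.compile(r'^str\(\d+\):"(.*)"$')


def _decode(raw):
    """Turn a registry-export value into an int or str."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = _STR_N.match(raw)
    if m:
        return m.group(1)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return raw


def parse_reg_blocks(text):
    """Return {key_path: {value_name_lower: decoded_value}}."""
    blocks, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = _KEY.match(line)
        if km:
            current = km.group(1)
            blocks[current] = {}
            continue
        vm = _VALUE.match(line)
        if vm and current is not None:
            blocks[current][vm.group(1).lower()] = _decode(vm.group(2))
    return blocks


def _normalize_path(p):
    """Strip the \\?\globalroot prefix so module and imagepath entries compare equal."""
    prefix = r"\\?\globalroot"
    return p[len(prefix):] if p.lower().startswith(prefix) else p


def hidden_services(text):
    """Return {service_name: {"start": ..., "type": ..., "files": [...]}}."""
    out = {}
    marker = "\\services\\"
    for key, values in parse_reg_blocks(text).items():
        idx = key.lower().find(marker)
        if idx < 0:
            continue                       # e.g. the Perflib key: not a service
        name, _, sub = key[idx + len(marker):].partition("\\")
        entry = out.setdefault(name, {"start": None, "type": None, "files": set()})
        if sub == "":                      # the service key itself
            entry["start"] = START_TYPES.get(values.get("start"), values.get("start"))
            entry["type"] = SERVICE_TYPES.get(values.get("type"), values.get("type"))
            if "imagepath" in values:
                entry["files"].add(_normalize_path(values["imagepath"]))
        elif sub.lower() == "modules":     # catchme's list of loaded modules
            for v in values.values():
                if isinstance(v, str):
                    entry["files"].add(_normalize_path(v))
    for entry in out.values():
        entry["files"] = sorted(entry["files"])
    return out


if __name__ == "__main__":
    for name, info in hidden_services(SAMPLE_CATCHME).items():
        print(f"{name}: start={info['start']} type={info['type']}")
        for f in info["files"]:
            print(f"    {f}")
```

The combination reported here, a system-start kernel driver plus a DLL under system32, both with random-looking names and invisible to the normal service enumeration, is what a later scanner such as MBAM then needs to clear from disk and the registry.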

#4 sunshah, Topic Starter (Members, 49 posts)

Posted 20 March 2009 - 10:49 PM

After this, I ran MBAM again and found some infections. Below is the log; I rebooted the box after this.
***********************************************************
Malwarebytes' Anti-Malware 1.34
Database version: 1861
Windows 5.1.2600 Service Pack 3

3/20/2009 11:37:16 PM
mbam-log-2009-03-20 (23-37-16).txt

Scan type: Quick Scan
Objects scanned: 96578
Time elapsed: 6 minute(s), 10 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Failed to unload process.

Memory Modules Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{abc42510-9b22-41c1-9dcd-8182a2d07c63} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{abc42510-9b22-41c1-9dcd-8182a2d07c63} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{abc42510-9b22-41c1-9dcd-8182a2d07c63} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Spyware.Passwords) -> Data: mcenspc.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\mcenspc.dll (Spyware.Passwords) -> Quarantined and deleted successfully.

#5 Budapest, Bleepin' Cynic (Moderator, 23,579 posts)

Posted 22 March 2009 - 04:45 PM

Reboot your computer, run the Malwarebytes Full Scan and post the new log.

#6 sunshah, Topic Starter (Members, 49 posts)

Posted 23 March 2009 - 06:24 AM

Thanks. MBAM execution log after the reboot:

*************************
Malwarebytes' Anti-Malware 1.34
Database version: 1880
Windows 5.1.2600 Service Pack 3

3/23/2009 7:23:04 AM
mbam-log-2009-03-23 (07-23-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 167480
Time elapsed: 52 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 Budapest, Bleepin' Cynic (Moderator, 23,579 posts)

Posted 23 March 2009 - 04:11 PM

How's your computer running now?