Infected with GetSavin and InfoAtoms virus


  • This topic is locked
2 replies to this topic

#1 mobysurf

  • Members
  • 2 posts

Posted 09 July 2013 - 05:51 PM

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 7.0.6000.21337
Run by Kayla at 17:47:42 on 2013-07-09
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.490 [GMT -5:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\XXXChurch\X3Watch\X3Watch.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uProxyServer = hxxp=127.0.0.1:8777;https=127.0.0.1:8777;
uProxyOverride = <-loopback>;x3watch.heroku.com
BHO: InfoAtoms: {103089DA-0F31-4A8B-843F-7D24A7FE8345} - c:\program files\infoatoms\ie32\InfoAtomsClientIE.dll
BHO: GetSavin 5.0: {48BE5AB4-CB46-467E-83F3-2E89EF65262F} - c:\documents and settings\kayla\local settings\application data\getsavin\ie\getsavin_1365037801.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\x3watch.lnk - c:\windows\installer\{99576002-b0f9-44ed-be4c-13fefcdae854}\_259F7463736AE63173ED01.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1365016995906
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1365018016671
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{B5327BF8-56E3-4C26-98CD-75254A114CB0} : DHCPNameServer = 192.168.1.254
Notify: igfxcui - igfxdev.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\28.0.1500.71\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\kayla\application data\mozilla\firefox\profiles\vq7g0uyd.default\
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_224.dll
FF - ExtSQL: !HIDDEN! 2013-04-03 20:15; infoatoms@infoatoms.com; c:\program files\mozilla firefox\extensions\infoatoms@infoatoms.com
.
============= SERVICES / DRIVERS ===============
.
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
.
=============== Created Last 30 ================
.
2013-07-09 22:34:59 -------- d-----w- c:\documents and settings\kayla\local settings\application data\Google
2013-07-07 23:41:34 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2013-06-14 21:09:46 -------- d-----w- C:\f5d59cedd215d972edc37e09be76
2013-06-12 16:29:02 -------- d-----w- c:\documents and settings\kayla\local settings\application data\PCHealth
.
==================== Find3M  ====================
.
2013-07-03 02:09:53 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-03 02:09:53 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-17 20:31:28 841216 ----a-w- c:\windows\system32\wininet.dll
2013-05-17 20:31:28 78336 ----a-w- c:\windows\system32\ieencode.dll
2013-05-17 20:31:28 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2013-05-17 20:31:27 17408 ----a-w- c:\windows\system32\corpol.dll
2013-05-16 11:01:02 389120 ----a-w- c:\windows\system32\html.iec
2013-05-03 01:26:26 2193536 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38:18 2070144 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 17:47:49.39 ===============
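Added example for triaging the log above (it is not part of the original post and it is not DDS code): a short Python script that parses the BHO, proxy and Firefox ExtSQL lines DDS writes into its Pseudo HJT Report, using the lines from post #1 as constructed sample input, and flags the ones that stand out. The flagging rules are heuristics chosen for this example, not anything DDS does. Two of its findings deserve a caveat. The GetSavin DLL lives under the user's Local Settings\Application Data rather than Program Files, and the 10-digit number in its file name, if read as a Unix timestamp (a guess), is 2013-04-04 01:10 UTC, which at the log's GMT -5 is 20:10 on 2013-04-03, five minutes before the 20:15 install time DDS records for the hidden InfoAtoms Firefox extension; that is consistent with the two being installed by the same bundle. The proxy on 127.0.0.1:8777, on the other hand, is not by itself evidence of infection: the override list names x3watch.heroku.com and X3Watch.exe is in the running-process list, so the process listening on that port should be identified before the proxy setting is removed.

```python
"""Triage the 'Pseudo HJT Report' lines of a DDS log.

Added example for this thread; it is not part of DDS or of the original post.
It reads the BHO, proxy and Firefox-extension lines DDS emits and flags the
ones a responder would look at first. The flagging rules are heuristics
chosen for this example, not DDS behaviour.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample: lines copied from the DDS log in post #1 (only the kinds read here).
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
uProxyServer = hxxp=127.0.0.1:8777;https=127.0.0.1:8777;
uProxyOverride = <-loopback>;x3watch.heroku.com
BHO: InfoAtoms: {103089DA-0F31-4A8B-843F-7D24A7FE8345} - c:\program files\infoatoms\ie32\InfoAtomsClientIE.dll
BHO: GetSavin 5.0: {48BE5AB4-CB46-467E-83F3-2E89EF65262F} - c:\documents and settings\kayla\local settings\application data\getsavin\ie\getsavin_1365037801.dll
FF - ExtSQL: !HIDDEN! 2013-04-03 20:15; infoatoms@infoatoms.com; c:\program files\mozilla firefox\extensions\infoatoms@infoatoms.com
"""

BHO_RE = re.compile(r"^BHO:\s*(?P<name>.+?):\s*\{(?P<clsid>[0-9A-Fa-f-]{36})\}\s*-\s*(?P<path>.+)$")
PROXY_RE = re.compile(r"^(?P<scope>[um])ProxyServer\s*=\s*(?P<value>.+)$")
OVERRIDE_RE = re.compile(r"^(?P<scope>[um])ProxyOverride\s*=\s*(?P<value>.+)$")
FFEXT_RE = re.compile(r"^FF - ExtSQL:\s*(?P<hidden>!HIDDEN!)?\s*(?P<when>\d{4}-\d\d-\d\d \d\d:\d\d);"
                      r"\s*(?P<id>[^;]+);\s*(?P<path>.+)$")
# A bare 10-digit number in a file name; reading it as Unix time is a guess (heuristic).
UNIX_TIME_RE = re.compile(r"(?<!\d)\d{10}(?!\d)")
# Directories a normal user can write to; a BHO loaded from here deserves a look.
USER_PROFILE_HINTS = ("\\documents and settings\\", "\\users\\", "\\local settings\\", "\\appdata\\")


@dataclass
class Finding:
    kind: str          # "bho", "proxy" or "ffext"
    name: str
    detail: str
    reasons: list = field(default_factory=list)


def parse_proxy(value):
    """'hxxp=127.0.0.1:8777;https=...;' -> {'http': ('127.0.0.1', 8777), ...}.
    DDS defangs http to hxxp in its output; undo that for the scheme."""
    out = {}
    for entry in (e.strip() for e in value.split(";")):
        if not entry:
            continue
        scheme, _, hostport = entry.partition("=")
        scheme = scheme.lower().replace("hxxp", "http")
        host, _, port = hostport.rpartition(":")
        out[scheme] = (host, int(port))
    return out


def triage(text):
    """Return one Finding per interesting line; .reasons is empty when nothing stood out."""
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        if m := BHO_RE.match(line):
            f = Finding("bho", m["name"], m["path"])
            low = m["path"].lower()
            if any(h in low for h in USER_PROFILE_HINTS):
                f.reasons.append("DLL loaded from a user-profile directory, not Program Files")
            if t := UNIX_TIME_RE.search(low):
                when = datetime.fromtimestamp(int(t.group()), tz=timezone.utc)
                f.reasons.append(f"file name embeds {t.group()} (as Unix time: {when:%Y-%m-%d %H:%M:%S} UTC)")
            findings.append(f)
        elif m := PROXY_RE.match(line):
            f = Finding("proxy", m["scope"] + "ProxyServer", m["value"])
            if any(host in ("127.0.0.1", "localhost") for host, _ in parse_proxy(m["value"]).values()):
                f.reasons.append("browser traffic goes through a local listener; identify the process owning that port")
            findings.append(f)
        elif m := OVERRIDE_RE.match(line):
            hosts = [h for h in m["value"].split(";") if h and h != "<-loopback>"]
            f = Finding("proxy", m["scope"] + "ProxyOverride", m["value"])
            if hosts:
                f.reasons.append(f"bypass list {hosts} is a lead to which product installed the proxy")
            findings.append(f)
        elif m := FFEXT_RE.match(line):
            f = Finding("ffext", m["id"], m["path"])
            if m["hidden"]:
                f.reasons.append(f"installed {m['when']} and flagged !HIDDEN! by DDS")
            findings.append(f)
    return findings


def suspicious(findings):
    """Only the findings that collected at least one reason."""
    return [f for f in findings if f.reasons]


if __name__ == "__main__":
    for f in suspicious(triage(SAMPLE_LOG)):
        print(f"[{f.kind}] {f.name}: {f.detail}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample it flags the GetSavin BHO, both proxy lines and the hidden Firefox extension, and leaves the InfoAtoms BHO (installed under Program Files) unflagged, which is the point of the caveat: path and visibility heuristics are a starting list for a responder, not a verdict, and a known-adware BHO can still sit in a respectable-looking directory.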
 

 


 


#2 mobysurf

  • Topic Starter
  • Members
  • 2 posts

Posted 09 July 2013 - 08:23 PM

Mods: Please remove this posting. I have solved the problem using information provided on the forum in the self-help areas. Thank you.



#3 nasdaq

  • Malware Response Team
  • 39,903 posts
  • Location: Montreal, QC. Canada

Posted 12 July 2013 - 10:16 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



