
Infected with W32/Infector.G8


  • This topic is locked
1 reply to this topic

#1 hawkeyedjb

  • Members
  • 18 posts
  • Gender:Male

Posted 23 January 2014 - 08:33 AM

Symptoms: I first noticed an obvious browser virus when starting to log on to a bank website - the browser page asked for a lot of security verification info that a legitimate page would not ask for (I shut down the browser without filling in any responses).

Avira has detected a lot of infections. 

I can not scan/stop/ antivirus software; I receive the message "Windows cannot open this program because it has been prevented by a software restriction policy." I have never set any policies (don't know how).

DDS.txt log:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.5.1
Run by djb at 6:19:54 on 2014-01-23
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.283 [GMT -7:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Documents and Settings\djb\Desktop\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Documents and Settings\djb\Desktop\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Documents and Settings\djb\Desktop\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\SkyGolf\CaddieSync Express\CaddieSyncExpress.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\VIRTUA~1\CitiVAN.exe
C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
C:\Program Files\Citrix\GoToMeeting\1172\g2mstart.exe
C:\Program Files\Citrix\GoToAssist Express Expert\309\g2ax_start.exe
C:\WINDOWS\system32\OBroker.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Citrix\GoToAssist Express Expert\309\g2ax_comm_expert.exe
C:\Program Files\Citrix\GoToAssist Express Expert\309\g2ax_user_expert.exe
C:\Program Files\Citrix\GoToMeeting\1172\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\1172\g2mlauncher.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = iexplore
uProxyOverride = 127.0.0.1:9421;<local>;*.local
BHO: Virtual Account Numbers Helper: {17424104-1444-4810-85D7-B4DA413C5A9A} - c:\program files\virtual account numbers\CitiVANHelper.dll
BHO: Avira SearchFree Toolbar: {41564952-412D-5637-00A7-7A786E7484D7} -
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Advertising Cookie Opt-out: {8E425EB4-ADBD-4816-B1E8-49BB9DECF034} - c:\program files\google\advertising cookie opt-out\opt_out.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: Avira SearchFree Toolbar: {41564952-412D-5637-00A7-7A786E7484D7} -
TB: Virtual Account Numbers: {7A21A046-B886-4A62-9D69-EF2059B0A27B} - c:\program files\virtual account numbers\CitiVANToolbar.dll
TB: Avira SearchFree Toolbar: {41564952-412D-5637-00A7-7A786E7484D7} -
uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\1172\g2mstart.exe" "/Trigger RunAtLogon"
uRun: [GoToAssist Express Expert] "c:\program files\citrix\gotoassist express expert\309\g2ax_start.exe" "/Trigger RunAtLogon"
uRun: [comssink] c:\windows\system32\cliplpr.exe
uRun: [conismui] c:\windows\system32\clipsass.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SetDefPrt] c:\program files\brother\brmfl03a\BrStDvPt.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [CaddieSyncConduit] c:\program files\skygolf\caddiesync express\CaddieSyncExpress.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Virtual Account Numbers] c:\progra~1\virtua~1\CitiVAN.exe /lang=en_RG /dontopenmycards
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ApnTBMon] "c:\program files\askpartnernetwork\toolbar\updater\TBNotifier.exe"
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\codecp~1.lnk - c:\windows\system32\c2mp\UpdateChecker.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Windows\System: EnableSmartScreen = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Download with &Media Finder - c:\program files\media finder\hook.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\avira\antivir desktop\avsda.dll
DPF: {43E3F87D-DE7F-4087-BD4F-0DC854981158} - hxxp://download.microsoft.com/download/7/3/8/7384c441-3721-41ee-ae15-b678888f00dd/clearadj.CAB
DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
DPF: {93B08541-9F6B-4697-9F9A-7058F1E33785} - hxxps://na.ntrsupport.com/nv/inquiero/mod/setup/ntractivex1182_2.cab
DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} - hxxp://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{489E87C0-9BCA-412E-AAED-77D51B36B24C} : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\djb.blabbermouth\application data\mozilla\firefox\profiles\kxhnszwb.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.msn.com
FF - plugin: c:\documents and settings\djb.blabbermouth\local settings\application data\citrix\plugins\104\npappdetector.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\citrix\ica client\npicaN.dll
FF - plugin: c:\program files\citrix\ica client\npURLInterceptorPlugin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2012-11-26 13560]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2013-8-27 37352]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2013-8-27 440376]
R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2013-8-27 440376]
R2 AntiVirWebService;Avira Web Protection;c:\program files\avira\antivir desktop\avwebgrd.exe [2013-8-27 1011768]
R2 APNMCP;Ask Update Service;c:\program files\askpartnernetwork\toolbar\apnmcp.exe [2013-12-20 166352]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2013-8-27 90400]
R2 MBAMScheduler;MBAMScheduler;c:\documents and settings\djb\desktop\malwarebytes' anti-malware\mbamscheduler.exe [2014-1-22 418376]
R2 MBAMService;MBAMService;c:\documents and settings\djb\desktop\malwarebytes' anti-malware\mbamservice.exe [2014-1-22 701512]
R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\microsoft sql server\msrs10.mssqlserver\reporting services\reportserver\bin\ReportingServicesService.exe [2009-3-30 1677824]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-4 22856]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2011-5-17 2944]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2011-5-17 61952]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2011-5-17 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2011-5-17 10368]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2011-2-20 23456]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\djb~1.bla\locals~1\temp\mfe_rr.sys --> c:\docume~1\djb~1.bla\locals~1\temp\mfe_rr.sys [?]
S3 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\microsoft sql server\100\dts\binn\MsDtsSrvr.exe [2008-7-10 218136]
S3 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-9 47128]
S3 rm;rm;\??\c:\windows\system32\drivers\rm.sys --> c:\windows\system32\drivers\rm.sys [?]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
.
=============== Created Last 30 ================
.
2019-12-31 22:15:39 -------- d-----w- c:\program files\Microsoft Money Plus
2014-01-22 22:39:55 -------- d-----w- C:\avtest
2014-01-22 22:25:11 3642 ----a-w- c:\documents and settings\djb.blabbermouth\local settings\application data\dfl31z32.dll
2014-01-22 22:20:07 4662 ----a-w- c:\documents and settings\djb.blabbermouth\local settings\application data\wsr31zt32.dll
2014-01-22 22:12:05 254976 ----a-w- c:\windows\system32\clipsass.exe
2014-01-22 16:41:59 -------- d-sha-r- C:\cmdcons
2014-01-22 16:40:56 -------- d-----w- C:\ComboFix
2014-01-22 15:09:45 -------- d--h--w- c:\windows\PIF
2014-01-22 15:07:21 -------- d--h--w- c:\windows\system32\GroupPolicy
.
==================== Find3M  ====================
.
2014-01-23 12:56:28 604160 ----a-w- c:\windows\system32\clipsrv.exe
2014-01-23 00:28:18 1167360 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2014-01-23 00:11:15 666112 ----a-w- c:\windows\sed.exe
2014-01-22 19:41:37 1985536 ----a-w- c:\windows\system32\mmc.exe
2014-01-22 18:08:06 1769984 ----a-w- c:\windows\system32\ntbackup.exe
2013-12-21 01:46:50 90400 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-11-25 14:40:04 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys
.
============= FINISH:  6:20:43.12 ===============

Edited by hawkeyedjb, 23 January 2014 - 08:35 AM.
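A defender-side check for the symptom in the post, added here as an example and not part of the original thread: the quoted message is the one Windows shows when a Software Restriction Policy (SRP) rule blocks an executable, and the DDS log lists c:\windows\system32\GroupPolicy (the folder that holds a local Group Policy object, SRP rules included) as created on 2014-01-22. The script below only reads the SRP registry keys in both hives and lists the default level plus any path and hash rules, so an administrator can see which policy is doing the blocking before removing it; run it from an elevated PowerShell prompt on the affected machine.

```powershell
# Added example, not from the original post: enumerate Software Restriction
# Policy (SRP) settings behind "Windows cannot open this program because it
# has been prevented by a software restriction policy". Read-only; run elevated.
$levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpLevelName([object]$value) {
    # DefaultLevel absent means SRP is effectively Unrestricted.
    if ($null -eq $value) { return 'not set (SRP default is Unrestricted)' }
    if ($levels.ContainsKey([int]$value)) { return $levels[[int]$value] }
    return "unknown ($value)"
}

foreach ($hive in 'HKLM', 'HKCU') {
    $base = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path $base)) {
        Write-Output "$hive : no SRP policy key present"
        continue
    }
    $ci = Get-ItemProperty -Path $base
    $summary = "{0} : DefaultLevel = {1}; TransparentEnabled = {2}" -f $hive, (Get-SrpLevelName $ci.DefaultLevel), $ci.TransparentEnabled
    Write-Output $summary

    # Rules live under <level>\Paths\<GUID> (ItemData = path pattern) and
    # <level>\Hashes\<GUID> (FriendlyName = original file name of the hashed file).
    foreach ($lvlKey in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        if ($lvlKey.PSChildName -notmatch '^\d+$') { continue }
        $lvlName = Get-SrpLevelName $lvlKey.PSChildName
        foreach ($kind in 'Paths', 'Hashes') {
            $rulesKey = Join-Path $lvlKey.PSPath $kind
            if (-not (Test-Path $rulesKey)) { continue }
            foreach ($rule in Get-ChildItem -Path $rulesKey) {
                $p = Get-ItemProperty -Path $rule.PSPath
                $target = if ($kind -eq 'Paths') { $p.ItemData } else { $p.FriendlyName }
                Write-Output ("  {0,-12} {1,-6} {2}" -f $lvlName, $kind, $target)
            }
        }
    }
}
```

A Disallowed default level, or Disallowed path rules covering the antivirus or scanner directories, is what blocks those tools from starting; rules that the machine's owner did not create are the ones to investigate.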


#2 aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male

Posted 24 January 2014 - 08:01 PM

This is a double post: http://www.bleepingcomputer.com/forums/t/521821/infected-with-w32infectorgen8/

I'll close this topic.
