Infected with W32Infector.Gen8


  • This topic is locked
6 replies to this topic

#1 hawkeyedjb (Members)

Posted 23 January 2014 - 08:43 AM

Symptoms: I first noticed an obvious browser virus when starting to log on to a bank website - the browser page asked for a lot of security verification info that a legitimate page would not ask for (I shut down the browser without filling in any responses).

Avira has detected a lot of infections.

I cannot scan/stop antivirus software; I receive the message "Windows cannot open this program because it has been prevented by a software restriction policy." I have never set any policies (don't know how).

DDS.txt log:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.5.1
Run by djb at 6:19:54 on 2014-01-23
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.283 [GMT -7:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Documents and Settings\djb\Desktop\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Documents and Settings\djb\Desktop\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Documents and Settings\djb\Desktop\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\SkyGolf\CaddieSync Express\CaddieSyncExpress.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\VIRTUA~1\CitiVAN.exe
C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
C:\Program Files\Citrix\GoToMeeting\1172\g2mstart.exe
C:\Program Files\Citrix\GoToAssist Express Expert\309\g2ax_start.exe
C:\WINDOWS\system32\OBroker.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Citrix\GoToAssist Express Expert\309\g2ax_comm_expert.exe
C:\Program Files\Citrix\GoToAssist Express Expert\309\g2ax_user_expert.exe
C:\Program Files\Citrix\GoToMeeting\1172\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\1172\g2mlauncher.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = iexplore
uProxyOverride = 127.0.0.1:9421;<local>;*.local
BHO: Virtual Account Numbers Helper: {17424104-1444-4810-85D7-B4DA413C5A9A} - c:\program files\virtual account numbers\CitiVANHelper.dll
BHO: Avira SearchFree Toolbar: {41564952-412D-5637-00A7-7A786E7484D7} -
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Advertising Cookie Opt-out: {8E425EB4-ADBD-4816-B1E8-49BB9DECF034} - c:\program files\google\advertising cookie opt-out\opt_out.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: Avira SearchFree Toolbar: {41564952-412D-5637-00A7-7A786E7484D7} -
TB: Virtual Account Numbers: {7A21A046-B886-4A62-9D69-EF2059B0A27B} - c:\program files\virtual account numbers\CitiVANToolbar.dll
TB: Avira SearchFree Toolbar: {41564952-412D-5637-00A7-7A786E7484D7} -
uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\1172\g2mstart.exe" "/Trigger RunAtLogon"
uRun: [GoToAssist Express Expert] "c:\program files\citrix\gotoassist express expert\309\g2ax_start.exe" "/Trigger RunAtLogon"
uRun: [comssink] c:\windows\system32\cliplpr.exe
uRun: [conismui] c:\windows\system32\clipsass.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SetDefPrt] c:\program files\brother\brmfl03a\BrStDvPt.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [CaddieSyncConduit] c:\program files\skygolf\caddiesync express\CaddieSyncExpress.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Virtual Account Numbers] c:\progra~1\virtua~1\CitiVAN.exe /lang=en_RG /dontopenmycards
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ApnTBMon] "c:\program files\askpartnernetwork\toolbar\updater\TBNotifier.exe"
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\codecp~1.lnk - c:\windows\system32\c2mp\UpdateChecker.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Windows\System: EnableSmartScreen = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Download with &Media Finder - c:\program files\media finder\hook.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\avira\antivir desktop\avsda.dll
DPF: {43E3F87D-DE7F-4087-BD4F-0DC854981158} - hxxp://download.microsoft.com/download/7/3/8/7384c441-3721-41ee-ae15-b678888f00dd/clearadj.CAB
DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
DPF: {93B08541-9F6B-4697-9F9A-7058F1E33785} - hxxps://na.ntrsupport.com/nv/inquiero/mod/setup/ntractivex1182_2.cab
DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} - hxxp://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{489E87C0-9BCA-412E-AAED-77D51B36B24C} : DHCPNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\djb.blabbermouth\application data\mozilla\firefox\profiles\kxhnszwb.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.msn.com
FF - plugin: c:\documents and settings\djb.blabbermouth\local settings\application data\citrix\plugins\104\npappdetector.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\citrix\ica client\npicaN.dll
FF - plugin: c:\program files\citrix\ica client\npURLInterceptorPlugin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2012-11-26 13560]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2013-8-27 37352]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2013-8-27 440376]
R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2013-8-27 440376]
R2 AntiVirWebService;Avira Web Protection;c:\program files\avira\antivir desktop\avwebgrd.exe [2013-8-27 1011768]
R2 APNMCP;Ask Update Service;c:\program files\askpartnernetwork\toolbar\apnmcp.exe [2013-12-20 166352]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2013-8-27 90400]
R2 MBAMScheduler;MBAMScheduler;c:\documents and settings\djb\desktop\malwarebytes' anti-malware\mbamscheduler.exe [2014-1-22 418376]
R2 MBAMService;MBAMService;c:\documents and settings\djb\desktop\malwarebytes' anti-malware\mbamservice.exe [2014-1-22 701512]
R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\microsoft sql server\msrs10.mssqlserver\reporting services\reportserver\bin\ReportingServicesService.exe [2009-3-30 1677824]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-4 22856]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2011-5-17 2944]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2011-5-17 61952]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2011-5-17 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2011-5-17 10368]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2011-2-20 23456]
S3 MFE_RR;MFE_RR;\??\c:\docume~1\djb~1.bla\locals~1\temp\mfe_rr.sys --> c:\docume~1\djb~1.bla\locals~1\temp\mfe_rr.sys [?]
S3 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\microsoft sql server\100\dts\binn\MsDtsSrvr.exe [2008-7-10 218136]
S3 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-9 47128]
S3 rm;rm;\??\c:\windows\system32\drivers\rm.sys --> c:\windows\system32\drivers\rm.sys [?]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
.
=============== Created Last 30 ================
.
2019-12-31 22:15:39 -------- d-----w- c:\program files\Microsoft Money Plus
2014-01-22 22:39:55 -------- d-----w- C:\avtest
2014-01-22 22:25:11 3642 ----a-w- c:\documents and settings\djb.blabbermouth\local settings\application data\dfl31z32.dll
2014-01-22 22:20:07 4662 ----a-w- c:\documents and settings\djb.blabbermouth\local settings\application data\wsr31zt32.dll
2014-01-22 22:12:05 254976 ----a-w- c:\windows\system32\clipsass.exe
2014-01-22 16:41:59 -------- d-sha-r- C:\cmdcons
2014-01-22 16:40:56 -------- d-----w- C:\ComboFix
2014-01-22 15:09:45 -------- d--h--w- c:\windows\PIF
2014-01-22 15:07:21 -------- d--h--w- c:\windows\system32\GroupPolicy
.
==================== Find3M  ====================
.
2014-01-23 12:56:28 604160 ----a-w- c:\windows\system32\clipsrv.exe
2014-01-23 00:28:18 1167360 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2014-01-23 00:11:15 666112 ----a-w- c:\windows\sed.exe
2014-01-22 19:41:37 1985536 ----a-w- c:\windows\system32\mmc.exe
2014-01-22 18:08:06 1769984 ----a-w- c:\windows\system32\ntbackup.exe
2013-12-21 01:46:50 90400 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-11-25 14:40:04 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys
.
============= FINISH:  6:20:43.12 ===============
 

 

Attached Files
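The DDS output above is what the responder in the next post reads for "hints of a file infector". The script below is an added example, not part of this thread and not part of the DDS tool: it runs a handful of triage heuristics over an excerpt of the posted log (the excerpt lines are copied from the post) and returns what a responder would look at first. The thresholds (48 hours, 7 days), the HKCU allowlist, the list of security-weakening policy values and the treatment of DDS file timestamps as UTC are assumptions made for this example; the UTC assumption is suggested by the clipsrv.exe entry, which would otherwise be more than six hours after the scan's local start time.

```python
"""Triage heuristics over a DDS log. Added example, not part of the thread
or of the DDS tool; thresholds, allowlist and policy list are assumptions."""
import re
from datetime import datetime, timedelta

# Excerpt of the DDS log posted above (lines copied verbatim from the post).
DDS_LOG = r"""
Run by djb at 6:19:54 on 2014-01-23
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.283 [GMT -7:00]
============== Pseudo HJT Report ===============
uRun: [comssink] c:\windows\system32\cliplpr.exe
uRun: [conismui] c:\windows\system32\clipsass.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-Windows\System: EnableSmartScreen = dword:0
=============== Created Last 30 ================
2019-12-31 22:15:39 -------- d-----w- c:\program files\Microsoft Money Plus
2014-01-22 22:12:05 254976 ----a-w- c:\windows\system32\clipsass.exe
2014-01-22 15:07:21 -------- d--h--w- c:\windows\system32\GroupPolicy
==================== Find3M  ====================
2014-01-23 12:56:28 604160 ----a-w- c:\windows\system32\clipsrv.exe
2014-01-22 19:41:37 1985536 ----a-w- c:\windows\system32\mmc.exe
2013-12-21 01:46:50 90400 ----a-w- c:\windows\system32\drivers\avgntflt.sys
"""

SCAN_RE = re.compile(r"^Run by \S+ at (\d{1,2}:\d{2}:\d{2}) on (\d{4}-\d{2}-\d{2})$")
GMT_RE = re.compile(r"\[GMT ([+-]\d{1,2}):(\d{2})\]")
RUN_RE = re.compile(r"^([um])Run: \[([^\]]+)\]\s+(.+)$")
POLICY_RE = re.compile(r"^[um]Policies-(\S+): (\w+) = dword:(\d+)$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (.+)$")
EXE_RE = re.compile(r'^"?(.+?\.exe)"?', re.I)

# Assumptions for this example: per-user (HKCU) Run entries rarely point into
# system32 except ctfmon.exe; these policy values hide or weaken protection.
HKCU_SYSTEM32_ALLOW = {"ctfmon.exe"}
WEAKENING_POLICIES = {("HideSCAHealth", "1"), ("EnableSmartScreen", "0")}
RECENT_BINARY = timedelta(hours=48)   # "written shortly before the scan"
RECENT_POLICY = timedelta(days=7)     # "GroupPolicy folder is new"


def parse_scan_time_utc(lines):
    """Scan start from the header, converted to UTC with the [GMT +-h:mm] offset.
    Assumption: DDS prints file timestamps in UTC (the clipsrv.exe entry would
    otherwise be more than six hours after the scan started)."""
    scan_local, offset = None, timedelta(0)
    for line in lines:
        m = SCAN_RE.match(line)
        if m:
            scan_local = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%Y-%m-%d %H:%M:%S")
        g = GMT_RE.search(line)
        if g:
            sign = -1 if g.group(1).startswith("-") else 1
            offset = sign * timedelta(hours=abs(int(g.group(1))), minutes=int(g.group(2)))
    return None if scan_local is None else scan_local - offset   # local = utc + offset


def triage(log_text):
    """Return (severity, message) findings in the order they are discovered."""
    lines = log_text.splitlines()
    scan_utc = parse_scan_time_utc(lines)
    findings = []
    recent = {}   # lower-cased path -> timestamp from Created Last 30 / Find3M

    for line in lines:
        m = FILE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        path = m.group(4).strip().lower()
        recent[path] = ts
        if scan_utc is None:
            continue
        age = scan_utc - ts
        if age < timedelta(minutes=-5):
            findings.append(("HIGH", f"timestamp later than the scan itself (timestomping or clock skew): {path} {ts}"))
        elif age <= RECENT_BINARY and "\\windows\\" in path and path.endswith((".exe", ".dll", ".sys")):
            # Lead, not proof: cleanup tools (ComboFix is visible in the same log) also write under \windows.
            hours = RECENT_BINARY.total_seconds() / 3600
            findings.append(("MEDIUM", f"Windows binary written within {hours:.0f}h of the scan: {path} {ts}"))
        if path.endswith("\\windows\\system32\\grouppolicy") and age <= RECENT_POLICY:
            findings.append(("HIGH", f"local GroupPolicy folder created {ts}: check for a Software Restriction Policy"))

    for line in lines:
        r = RUN_RE.match(line)
        if r:
            hive, name, cmd = r.groups()
            e = EXE_RE.match(cmd.strip())
            target = (e.group(1) if e else cmd).lower()
            base = target.rsplit("\\", 1)[-1]
            if hive == "u" and "\\windows\\system32\\" in target and base not in HKCU_SYSTEM32_ALLOW:
                findings.append(("HIGH", f"HKCU Run '{name}' starts a system32 binary: {target}"))
            if target in recent:
                findings.append(("HIGH", f"Run '{name}' target was written recently: {target} ({recent[target]})"))
            continue
        p = POLICY_RE.match(line)
        if p and (p.group(2), p.group(3)) in WEAKENING_POLICIES:
            findings.append(("MEDIUM", f"security-weakening policy {p.group(1)}\\{p.group(2)} = dword:{p.group(3)}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(DDS_LOG):
        print(severity, message)
```

Running it as a script prints the findings. The GroupPolicy finding is the one to pair with the "software restriction policy" error in the post: a local SRP is stored as registry policy under that folder (Machine\Registry.pol) and lands in HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer, so a GroupPolicy directory that appeared the day before, on a machine whose owner never set a policy, is the first thing to inspect. The "binary written" findings are leads rather than proof: the same log shows a ComboFix run, and cleanup tools write under \windows too.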



#2 aharonov (Malware Response Team)

Posted 24 January 2014 - 07:58 PM

Hello,

> Avira has detected a lot of infections.

Can you please post up the log file of Avira that lists all these infections?

There are hints in your log that a nasty file infector might be on board.

Let's have a look:

 

 

Please download Combofix (by sUBs) and save it to your Desktop.

  • Disable the real-time protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start Combofix.exe and follow its instructions.
  • Do not use the computer while the scan is running. This may cause the program to stall.
  • When finished, a log file will be displayed (that can also be found at C:\Combofix.txt).
    Please copy and paste the contents of this file into your next post.

Note: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." after the scan, just restart the computer.
(You can find more detailed instructions in this guide on using Combofix.)



#3 hawkeyedjb (Topic Starter)

Posted 25 January 2014 - 08:17 AM

Attached is a log from Avira. Unfortunately, this computer is not able to run Combofix. It extracts files, backs up the registry, then hangs and won't go any further.

 

I split the Avira log into two files, it was too big to upload.

 

thanks,
Dave


Second half of Avira log

Attached Files



#4 aharonov (Malware Response Team)

Posted 25 January 2014 - 07:53 PM

Unfortunately the suspicion has proven true: Your computer is infected with what is called a file infector (or a "virus").

This nasty type of infection tries to gain persistence by infecting all executables in the system, even important system files.

Although disinfection is not impossible, it is very tedious because one single infected file that survives is enough to fully infect the system again.

What's more: Even if disinfection is successful, chances are pretty high that it leaves behind considerable damage that calls for further repair.

Therefore I'd strongly recommend backing up your data (no programs or executable files, just personal documents, pictures, music, ...), formatting the hard drive and reinstalling the operating system.

 

What do you think?

 

(And as a side note: You are still running Windows XP. This operating system is reaching End-of-Support in less than 3 months: http://windows.microsoft.com/en-us/windows/end-support-help

Connecting an XP machine to the internet becomes risky after this deadline since security vulnerabilities will not be patched anymore.

So the combination of this deadline with your severe infection would make this a good point in time to bid farewell to XP and set up a more modern operating system like Windows 7 or Windows 8.1 now.)



#5 hawkeyedjb (Topic Starter)

Posted 26 January 2014 - 07:56 AM

Yes, I agree that your recommendation is probably the correct one, unfortunately.  A couple of questions:

 

-You mentioned backing up the non-executables.  Is there a possibility that any of these are infected, or is it only the executables/system files that are subject to this infection?

 

-Is there any antivirus program that is effective in preventing these types of infections?

 

Thank you for your assistance,

Dave



#6 aharonov (Malware Response Team)

Posted 28 January 2014 - 01:35 PM

Hello Dave,

> You mentioned backing up the non-executables. Is there a possibility that any of these are infected, or is it only the executables/system files that are subject to this infection?

This infection should only target executables and not your data files. (There is other malware that also tries to infect those.)

But it's best anyway to thoroughly scan all your backed up files before bringing them into contact with the new and clean system.

> Is there any antivirus program that is effective in preventing these types of infections?

Actually every antivirus program should do this job. But no product can always detect everything in time.

So if you want me to recommend something, it would be to buy a license of Emsisoft Anti-Malware (not the freeware version, as this is an on-demand-only scanner without protection). But in the end it's really not that crucial what product you choose.
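The advice in posts #4 and #6 (restore only documents, and scan the backup before it touches the clean system) is easier to follow if you can see what in the backup is actually executable. The script below is an added example, not code from the thread or from any product mentioned in it: it walks a backup folder and classifies each file by its header rather than its name, so a program renamed to .doc or .jpg is still reported as a PE image, which is the kind of file a file infector targets. The sample backup tree it builds in a temporary directory is constructed for the example; the minimal PE image it writes is just a DOS header pointing at a PE signature, not a loadable program. It complements an antivirus scan of the backup rather than replacing one (it does not, for instance, look inside Office documents for macros).

```python
"""Added example (not from the thread): list what in a backup is really a
Windows executable, judged by the file header rather than the extension."""
import os
import struct
import tempfile

# Extensions Windows runs directly; non-PE files with these names (batch files,
# scripts) are still "programs" in the sense of the advice above.
EXEC_EXTS = {".exe", ".dll", ".scr", ".sys", ".com", ".cpl", ".ocx", ".pif",
             ".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta"}


def is_pe(data: bytes) -> bool:
    """True if the bytes start with a DOS 'MZ' stub whose e_lfanew field
    (offset 0x3C) points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(path: str) -> str:
    """PE: a Windows executable whatever its name.
    EXEC_EXT: executable by extension but not a PE image (scripts, batch files).
    DATA: everything else, the only class worth copying to the rebuilt machine."""
    with open(path, "rb") as f:
        head = f.read(4096)
    if is_pe(head):
        return "PE"
    if os.path.splitext(path)[1].lower() in EXEC_EXTS:
        return "EXEC_EXT"
    return "DATA"


def audit_backup(root: str) -> dict:
    """Walk a backup tree and group relative paths (forward slashes) by class."""
    report = {"PE": [], "EXEC_EXT": [], "DATA": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            report[classify(full)].append(rel)
    for paths in report.values():
        paths.sort()
    return report


def minimal_pe() -> bytes:
    """Constructed sample: 'MZ' stub, e_lfanew = 0x40, then the PE signature.
    Enough header for is_pe() to recognise; not a runnable program."""
    return (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
            + b"PE\0\0" + b"\0" * 16)


def build_sample_backup(root: str) -> None:
    """Constructed sample backup: two documents, one script, one program and
    one program disguised with a document extension."""
    samples = {
        "Documents/taxes.docx": b"PK\x03\x04" + b"\0" * 60,       # OOXML (zip container)
        "Photos/holiday.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 60,  # JPEG
        "Documents/report.doc": minimal_pe(),                    # PE image with a .doc name
        "Downloads/setup.exe": minimal_pe(),
        "Scripts/cleanup.bat": b"@echo off\r\ndel /q *.tmp\r\n",
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def demo() -> dict:
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_backup(root)
        return audit_backup(root)


if __name__ == "__main__":
    for cls, paths in demo().items():
        print(cls, paths)
```

Point audit_backup() at the real backup folder instead of the sample tree; anything in the PE or EXEC_EXT lists stays off the rebuilt machine, and the DATA list is what goes through the antivirus scan before being restored.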



#7 aharonov (Malware Response Team)

Posted 27 February 2014 - 03:24 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



