Jump to content

svchost.exe starting ping.exe


Recommended Posts

Hi i noticed i got a virus xmas eve night via processes, grekcn5.com, che.exe and ping are the new ones i noticed. i seen in process explorer that svchost was starting ping, also mpcmd.exe pops up too.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by bob at 18:51:22 on 2011-12-26

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2430.1308 [GMT -8:00]

.

AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\AIM\aim.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\taskmgr.exe

svchost.exe

C:\WINDOWS\system32\netdde.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\System32\ping.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk

mDefault_Page_URL = hxxp://www.yahoo.com

mStart Page = hxxp://www.yahoo.com

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: WinZip Courier BHO: {a8fb70fa-0fdf-4601-9dc4-bfa1b357204f} - c:\progra~1\winzip~1\wzwmcie.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll

uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [doubleTwist] c:\program files\doubletwist 2.0\DoubleTwist.DeviceHelper.exe

uRun: [Facebook Update] "c:\documents and settings\bob\local settings\application data\facebook\update\FacebookUpdate.exe" /c /nocrashserver

uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

LSP: mswsock.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

TCP: DhcpNameServer = 68.87.64.150 68.87.75.198

TCP: Interfaces\{3B036327-BEFE-4D85-B3C5-D19269E78672} : DhcpNameServer = 68.87.64.150 68.87.75.198

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\bob\application data\mozilla\firefox\profiles\70aqwzt3.default\

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\documents and settings\bob\local settings\application data\facebook\video\skype\npFacebookVideoCalling.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

FF - plugin: c:\program files\winzip courier\npwzwmc.dll

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]

R1 MpKsle6d6998b;MpKsle6d6998b;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e184e42a-a926-48a3-8aec-8d6bedd90acd}\MpKsle6d6998b.sys [2011-12-26 28752]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-26 366152]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-26 22216]

R4 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S1 MpKslbb97eaf2;MpKslbb97eaf2;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{960f6dbc-d439-43ce-a736-51d3bf826f7d}\mpkslbb97eaf2.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{960f6dbc-d439-43ce-a736-51d3bf826f7d}\MpKslbb97eaf2.sys [?]

S2 iPodDrv;iPodDrv;\??\c:\windows\system32\drivers\ipoddrv.sys --> c:\windows\system32\drivers\iPodDrv.sys [?]

S3 MobileAdapter;Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\qscnusb.sys [2009-12-6 103552]

S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\drivers\procexp151.sys --> c:\windows\system32\drivers\PROCEXP151.SYS [?]

.

=============== Created Last 30 ================

.

2011-12-27 02:09:15 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-12-27 02:09:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-12-27 01:22:17 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e184e42a-a926-48a3-8aec-8d6bedd90acd}\MpKsle6d6998b.sys

2011-12-26 10:34:13 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e184e42a-a926-48a3-8aec-8d6bedd90acd}\mpengine.dll

2011-12-26 10:33:14 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-12-26 10:33:14 -------- d-----w- c:\windows\system32\wbem\Repository

2011-12-25 08:08:50 -------- d-----w- c:\windows\pss

2011-12-25 07:35:46 -------- d-----w- c:\documents and settings\bob\application data\Malwarebytes

2011-12-25 07:35:39 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-12-22 17:42:33 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2011-12-22 17:42:33 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

.

==================== Find3M ====================

.

2011-11-15 22:29:56 222080 ------w- c:\windows\system32\MpSigStub.exe

.

============= FINISH: 18:51:58.68 ===============

attach.txt

Link to post
Share on other sites

  • 1 month later...

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.