
possible infection


  • This topic is locked This topic is locked
12 replies to this topic

#1 lucreziabgd
  • Members

Posted 07 July 2011 - 08:00 AM

Hello!

I believe my PC has been infected or hacked. I got this computer recently, maybe two or three months ago, from a good friend who bought a new one. I didn't format the disks or reinstall Windows, but I did delete, defragment etc. and scan the PC thoroughly - it was clean. I installed ESET Smart Security. I am not totally ignorant when it comes to computers, so I also manually set many parameters, including services. I say this because I remember I disabled everything related to remote access.
About a month ago I noticed my cursor moving on its own over the desktop and that the PC's overall performance became a bit slower. When I went to Control Panel/System, I found out that remote access was turned on (as I said - I KNOW I disabled it). Nevertheless, I disabled it again, scanned the computer thoroughly and found NOTHING! I thought I had fixed whatever it was.
Well, today I saw exactly the same thing - the cursor moving on its own all over the desktop. So I went to Safe Mode and scanned it again - with ESET, Spybot, Malwarebytes, HouseCall, Kaspersky online - again nothing! But I have to say that during scanning my PC suddenly turned off three times for no apparent reason.
Finally I used HijackThis and ComboFix - ComboFix did delete some files and found some locked items in my registry. When I tried to open them, I couldn't, and when I tried to set new permissions, I got "Unable to display security information".

I know it has to be some sort of virus, or somebody hacked into my PC. I am most worried about those remote access settings. Here are the ComboFix and HijackThis logs. See if you can help.

Thanks!


Edited by lucreziabgd, 07 July 2011 - 08:01 AM.



#2 CatByte
  • Malware Response Team

Posted 09 July 2011 - 01:20 PM

Hi,

Please do the following:


Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013

#3 lucreziabgd
  • Topic Starter

Posted 11 July 2011 - 07:16 AM

Hello!

I did as I was told. Here is the log file.

I also scanned my PC with Ad-aware, and it found three possible infections (I deleted those files):

Quarantined items:
Description: C:\WINDOWS\system32\softLCP.exe Family Name: Suspicious Object Engine: 1 Clean status: Reboot required Item ID: 0 Family ID: 0
Description: c:\system volume information\_restore{7bd94de3-436f-42a4-ae08-7fe2df3a7dcd}\rp6\a0001162.exe Family Name: Trojan.Win32.Generic!BT Engine: 3 Clean status: Success Item ID: 1 Family ID: 0 MD5: 395330fa972f719d637cf3e49762e008
Description: e:\documents and settings\my documents\my documents\my pictures\wallpapers\mountain-village.jpg Family Name: Trojan.Win32.Jpgiframe (v) Engine: 3 Clean status: Success Item ID: 2 Family ID: 0 MD5: aef4fb483b8d7a26bad144712eed3b15


Thanks for helping me!

p.s. I forgot to mention that a while ago Eset (I believe) found a mebroot trojan, so I ran a removal tool - mebroot fixer from Eset. It removed it. I ran the tool again and it said no mebroot found on my computer.


Edited by lucreziabgd, 11 July 2011 - 09:32 AM.


#4 CatByte
  • Malware Response Team

Posted 11 July 2011 - 11:06 AM

Hi,

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


NEXT


Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


#5 lucreziabgd
  • Topic Starter

Posted 11 July 2011 - 01:13 PM

I scanned again with both MalwareBytes and Eset online scan, following your instructions.

Malware didn't find any threats. Eset online did find one, a variant of Win32/HackTool.Patcher.A application. It's a patch for a dictionary application that I have been using for several years now. I used it on my old PC, and I had no problems whatsoever, neither with the dictionary, nor with the viruses, at least not this one mentioned.

I have two .rar files on my computer with the installation files for that dictionary - on my E disc and on my G disc, which is external. I have just checked - my Eset did quarantine the file from the external disc, but not the one from the E disc. Apart from the online scan, I have just scanned that file with my Eset, and it showed nothing. I deleted the file from the E disc.

Here are the log files you asked for.


Thanks!


Edited by lucreziabgd, 11 July 2011 - 01:16 PM.


#6 CatByte
  • Malware Response Team

Posted 11 July 2011 - 02:29 PM

Please run the following:

Please download DDS from one of the following links and save it to your desktop.
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.


NEXT

Please advise how the computer is running now and if there are any outstanding issues.

#7 lucreziabgd
  • Topic Starter

Posted 12 July 2011 - 03:19 AM

Hi!

I ran dds.scr and here are the log files.

Yesterday I scanned my PC with GMER - it found nothing suspicious. I also tried to reset permissions in the registry and I ran this command: “secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose”, but I still can't open some registry keys.

This morning when I turned my PC on, the start-up was slower than usual. I restarted it, and it was OK.

Would it be best for me to format the discs and reinstall Windows?



Thank you very much for your help!



DDS.txt
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by xxx at 9:54:57 on 2011-07-12
Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.2046.1345 [GMT 2:00]
.
AV: ESET Smart Security 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\softOSD\softosd.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{1555CE17-EA04-4E7F-8BC6-AC10165E5741} : NameServer = 8.8.8.8,8.8.4.4
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jelena\application data\mozilla\firefox\profiles\a4e4473m.default\
FF - prefs.js: browser.search.selectedEngine - WordReference
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\documents and settings\jelena\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-12-21 115008]
R1 se32;EnTech softEngine;c:\windows\system32\drivers\se32.sys [2007-5-3 12112]
R2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPortIO.sys [2008-3-23 3584]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-1-12 810144]
R2 softOSD;softOSD;c:\program files\softosd\softOSD.exe [2007-9-13 260344]
R2 WpsPeppy;WpsPeppy;c:\windows\system32\drivers\WpsPeppy.SYS [2000-1-21 31968]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 RadPciNT;RadPciNT;c:\windows\system32\drivers\RadPciNT.sys [2000-4-24 9417]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-2-20 1691480]
S3 EMebFix;EMebFix;\??\c:\docume~1\jelena\locals~1\temp\eolmalikfixer\emebfix.sys --> c:\docume~1\jelena\locals~1\temp\eolmalikfixer\EMebFix.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-6-20 2151640]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-6-20 15232]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys --> c:\windows\system32\drivers\massfilter.sys [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-7 22712]
S3 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-7 366640]
S3 qcusbser;ACER Android USB Device for Legacy Serial Communication;c:\windows\system32\drivers\qcusbser.sys [2010-2-15 105984]
S3 vmfilter323;323 filter service, Normal;c:\windows\system32\drivers\vmfilter323.sys --> c:\windows\system32\drivers\vmfilter323.sys [?]
S3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]
S3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
S3 ZSMC326;Vimicro USB2.0 PC Camera(VC0323);c:\windows\system32\drivers\usbvm323.sys --> c:\windows\system32\drivers\usbvm323.sys [?]
S4 AcerSyncServiceWinService;AcerSyncServiceWinService;c:\program files\acer\acersync\acersyncservice.exe -p --> c:\program files\acer\acersync\AcerSyncService.exe -p [?]
.
=============== Created Last 30 ================
.
2011-07-11 19:49:07 -------- d-----w- c:\program files\Windows Resource Kits
2011-07-11 11:48:55 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-07-11 09:42:23 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-07-11 09:36:41 -------- d-----w- c:\program files\Lavasoft
2011-07-08 10:12:02 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-08 08:51:51 -------- d-----w- c:\documents and settings\jelena\application data\Registry Mechanic
2011-07-08 08:31:42 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2011-07-08 08:31:42 658432 ----a-w- c:\windows\system32\MSCOMCT2.OCX
2011-07-08 08:31:42 37336 ----a-w- c:\windows\system32\CleanMFT32.exe
2011-07-08 08:31:42 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2011-07-08 08:31:42 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2011-07-08 08:31:40 -------- d-----w- c:\program files\common files\PC Tools
2011-07-07 16:45:07 -------- d-----w- c:\windows\ie8updates
2011-07-07 12:13:12 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 12:13:11 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-07-07 12:13:00 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-07 11:48:31 105472 -c--a-w- c:\windows\system32\dllcache\mup.sys
2011-07-07 11:27:00 -------- d-sha-r- C:\cmdcons
2011-07-07 11:26:15 98816 ----a-w- c:\windows\sed.exe
2011-07-07 11:26:15 518144 ----a-w- c:\windows\SWREG.exe
2011-07-07 11:26:15 256000 ----a-w- c:\windows\PEV.exe
2011-07-07 11:26:15 208896 ----a-w- c:\windows\MBR.exe
2011-07-03 22:53:25 49664 ----a-w- c:\windows\unvise32.exe
2011-07-03 22:53:22 -------- d-----w- c:\program files\Active Ports
2011-07-03 22:35:45 -------- d-----w- c:\documents and settings\jelena\application data\ElevatedDiagnostics
2011-06-23 16:16:54 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-23 16:16:53 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-06-17 07:51:31 -------- d-----w- c:\documents and settings\jelena\application data\3v
2011-06-17 07:51:03 -------- d-----w- c:\program files\RadarSync
2011-06-16 10:29:25 -------- d-----w- c:\documents and settings\all users\application data\NVIDIA Corporation
2011-06-16 10:29:20 543336 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2011-06-16 10:29:16 273344 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-06-16 10:29:16 273344 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-06-16 10:29:16 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-06-16 10:28:56 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-06-16 10:28:55 899688 ----a-w- c:\windows\system32\nvdispco3220150.dll
2011-06-16 10:28:55 865896 ----a-w- c:\windows\system32\nvgenco322090.dll
2011-06-16 10:28:55 5332992 ----a-w- c:\windows\system32\nvcuda.dll
2011-06-16 10:28:55 2808936 ----a-w- c:\windows\system32\nvcuvid.dll
2011-06-16 10:28:55 2082408 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-06-16 10:28:55 13004800 ----a-w- c:\windows\system32\nvcompiler.dll
2011-06-16 10:28:34 -------- d-----w- c:\program files\NVIDIA Corporation
2011-06-16 10:28:10 -------- d-----w- C:\NVIDIA
2011-06-16 10:05:37 -------- d-----w- c:\documents and settings\jelena\application data\Carambis
2011-06-16 10:05:13 -------- d-----w- c:\program files\Carambis
.
==================== Find3M ====================
.
2011-05-25 06:09:23 54272 ----a-w- c:\windows\system32\nvwddi.dll
2011-05-25 06:09:23 154728 ----a-w- c:\windows\system32\nvsvc32.exe
2011-05-25 06:09:23 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-05-25 06:09:22 13895272 ----a-w- c:\windows\system32\nvcpl.dll
2011-05-25 06:09:21 16068608 ----a-w- c:\windows\system32\nvoglnt.dll
2011-05-25 06:09:21 145000 ----a-w- c:\windows\system32\nvcolor.exe
2011-05-25 06:09:20 4198272 ----a-w- c:\windows\system32\nv4_disp.dll
2011-05-25 06:09:20 2328576 ----a-w- c:\windows\system32\nvapi.dll
2011-05-25 06:09:20 12753664 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-17 10:24:34 0 ----a-w- c:\documents and settings\jelena\reset.cmd
.
============= FINISH: 9:55:41,03 ===============


Edited by lucreziabgd, 12 July 2011 - 03:20 AM.
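A small triage script for the SERVICES / DRIVERS section of a DDS log like the one posted above, added here as an example; it is not part of the thread and not part of the DDS tool. It assumes DDS's convention that "logged path --> resolved path [?]" marks a file DDS could not find on disk, and its flags are review prompts rather than verdicts (the EMebFix entry it flags matches the mebroot fixer the poster said they ran from a temp folder).

```python
"""Triage helper for the SERVICES / DRIVERS section of a DDS log."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the DDS "SERVICES / DRIVERS" line format; the entries are
# copied from the log posted above so the output can be compared with it.
SAMPLE = r"""
R1 se32;EnTech softEngine;c:\windows\system32\drivers\se32.sys [2007-5-3 12112]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-1-12 810144]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S3 EMebFix;EMebFix;\??\c:\docume~1\jelena\locals~1\temp\eolmalikfixer\emebfix.sys --> c:\docume~1\jelena\locals~1\temp\eolmalikfixer\EMebFix.sys [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-7 22712]
"""

# "R"/"S" = running/stopped; the digit is the start type
# (0 = boot, 1 = system, 2 = auto, 3 = manual, 4 = disabled).
LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# "path [date size]" trailer that DDS writes when it could stat the file.
STAT_RE = re.compile(r"^(?P<path>.+?) \[(?P<date>[\d-]+) (?P<size>\d+)\]$")
DRIVER_DIR = r"\windows\system32\drivers"


@dataclass
class Entry:
    state: str
    start: int
    name: str
    display: str
    path: str
    date: Optional[str]
    size: Optional[int]
    file_found: bool


def parse_dds_services(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section headers, "." spacer lines, blanks
        rest = m.group("rest")
        if rest.endswith("[?]"):
            # Assumed DDS convention: "logged path --> resolved path [?]" = file not found.
            path, date, size, found = rest.split(" --> ")[0], None, None, False
        else:
            s = STAT_RE.match(rest)
            if not s:
                continue
            path, date, size, found = s.group("path"), s.group("date"), int(s.group("size")), True
        entries.append(Entry(m.group("state"), int(m.group("start")), m.group("name"),
                             m.group("display"), path, date, size, found))
    return entries


def triage(entry: Entry) -> List[str]:
    """Return review flags for one entry (heuristics, not verdicts)."""
    p = entry.path.lower()
    if p.startswith("\\??\\"):  # NT object-manager prefix, strip before path checks
        p = p[4:]
    flags = []
    if not entry.file_found:
        flags.append("file_not_found")  # registry still points at a file DDS could not locate
    if p.endswith(".sys") and DRIVER_DIR not in p:
        flags.append("driver_outside_drivers_dir")
    if "\\temp\\" in p or "docume~1" in p or "documents and settings" in p:
        flags.append("loads_from_temp_or_profile")
    if entry.start == 0:
        flags.append("boot_start")  # loads before most security software; verify the vendor
    return flags


def triage_log(text: str) -> Dict[str, List[str]]:
    return {e.name: triage(e) for e in parse_dds_services(text)}


if __name__ == "__main__":
    for name, flags in triage_log(SAMPLE).items():
        print(f"{name:14s} {', '.join(flags) or 'ok'}")
```

A leftover entry with file_not_found is a stale registry key, not a running threat; the point of the flags is to decide which entries to look up before reformatting or handing the log to a helper.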


#8 CatByte
  • Malware Response Team

Posted 12 July 2011 - 08:34 AM

Please try this:

Please download and run FixTDSS from Symantec

Download FixTDSS.exe to your desktop > follow the prompts to run it


http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

#9 lucreziabgd
  • Topic Starter

Posted 12 July 2011 - 08:53 AM

I ran the tool - TDSS has not been found on my computer.

We tried everything. I still believe I have something in my system. I think the safest way is to reinstall Windows, which I am going to do. Since I've started using this computer recently, most of my files are still on my external drive.

Can you please advise me how to make sure nothing contagious gets there when I back up the rest?


Thank you very much for your time.

#10 CatByte
  • Malware Response Team

Posted 12 July 2011 - 09:05 AM

You should be fine backing up your documents, pictures, music etc. Usually any issue would be with executables, but those you are likely going to re-install from disk anyway. If you save everything to an external drive, then run that external drive through an on-line scanner, ESET. Just select the external drive to be scanned rather than the local drive.

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


#11 lucreziabgd
  • Topic Starter

Posted 12 July 2011 - 09:36 AM

Thanks again for your help! :)

#12 CatByte
  • Malware Response Team

Posted 12 July 2011 - 01:09 PM

You are welcome.

Good luck with the reformat.

#13 CatByte
  • Malware Response Team

Posted 12 July 2011 - 01:09 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.