So many problems I don't know where to start


#1 street9009


  • Members
  • 50 posts
  • Gender:Male

Posted 11 June 2009 - 06:21 PM

I have a PC I'm trying to fix for a friend of mine and it is loaded with crap. ComboFix won't run on it, and I had to rename the Malwarebytes and Spybot executables to even get them to run. However, they don't appear to be making any headway. They run and clean stuff, but then the computer is still just as infected as it was.

I also tried running SmitFraudFix, but that reports an error and closes.

Also, results from Google appear to be hijacked. I thought it was an IE-only thing (IE6 was on this PC when I got it; I upgraded to IE8 and had the same problem), so I installed Firefox. It is also doing it. It isn't the hosts file doing a redirect; something must be running and changing the links as the page loads. The only way to get to a result is to copy and paste the link. Then it works fine.

I also thought I'd try my work's copy of Endpoint just to get it cleaned up enough to run some other scans. The critical service for Endpoint won't start.

Anyway, I hope someone can help. I have never seen a PC eat up like this before.

DDS (Ver_09-05-14.01) - NTFSx86
Run by Owner at 18:57:14.64 on Thu 06/11/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1370 [GMT -4:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.gateway.com/
uSearch Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /installquiet /keeploaded /nodetect
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\iaanotif.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" TRAY
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ledpointer] CNYHKey.exe
mRun: [showwnd] showwnd.exe
mRun: [<NO NAME>]
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
IE: &Search - ?p=ZKxdm174YYUS
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
Notify: igfxcui - igfxdev.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\9ib5z3fw.default\

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-12-8 2440120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-11 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20081120.024\NAVENG.SYS [2009-6-11 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20081120.024\NAVEX15.SYS [2009-6-11 876112]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

=============== Created Last 30 ================

2009-06-11 18:30 38,056 a------- c:\windows\system32\drivers\WGX.SYS
2009-06-11 17:44 92,488 a------- c:\windows\system32\drivers\SysPlant.sys
2009-06-11 17:44 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-11 17:44 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2009-06-11 17:44 10,563 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-06-11 17:44 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-06-11 17:44 <DIR> --d----- c:\program files\Symantec
2009-06-11 17:42 <DIR> --dsh--- c:\documents and settings\owner\IECompatCache
2009-06-11 17:41 <DIR> --dsh--- c:\documents and settings\owner\PrivacIE
2009-06-11 17:40 <DIR> --dsh--- c:\documents and settings\owner\IETldCache
2009-06-11 17:39 <DIR> -cd-h--- c:\windows\ie8
2009-06-11 16:57 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-06-11 16:37 <DIR> --d----- c:\windows\system32\scripting
2009-06-11 16:37 <DIR> --d----- c:\windows\system32\en
2009-06-11 16:37 <DIR> --d----- c:\windows\system32\bits
2009-06-11 16:37 <DIR> --d----- c:\windows\l2schemas
2009-06-11 16:36 <DIR> --d----- c:\windows\ServicePackFiles
2009-06-11 16:12 <DIR> --d----- c:\windows\pss
2009-06-11 15:37 1,908 a------- c:\windows\wininit.ini
2009-06-11 13:45 3,320 a------- c:\windows\system32\tmp.reg
2009-06-11 13:18 <DIR> --d----- c:\windows\system32\CatRoot2
2009-06-11 11:29 <DIR> --d----- c:\program files\CCleaner
2009-06-11 11:14 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-11 11:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-11 11:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-06-11 11:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 11:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 11:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-30 21:41 <DIR> --d----- c:\windows\system32\appmgmt
2009-05-30 21:11 375,296 a------- c:\windows\system32\winexplorer.dll
2009-05-30 21:11 <DIR> --d----- c:\program files\common files\Uninstall

==================== Find3M ====================

2009-06-11 16:38 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-26 03:58 256 ac------ c:\documents and settings\owner\pool.bin
2007-01-01 20:01 872 ac------ c:\docume~1\owner\applic~1\wklnhst.dat

============= FINISH: 19:00:52.28 ===============

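A responder working a log like the one in the post above usually reads it the same way every time: new kernel drivers under system32\drivers, whether the SERVICES / DRIVERS section points at them, whether they arrived alone or as part of an installer's batch of files, and which browser hooks reference a file that no longer exists. The script below is an added example of that triage, not part of the original post or of the DDS tool; its sample log is an excerpt of the DDS output posted above. The "lone driver" check (a .sys created in a minute when nothing else was created) is this script's own heuristic, not a DDS rule, and DDS prints only a subset of services, so a driver missing from that section is a lead to verify on the box, not a finding.

```python
import re
from collections import Counter
from datetime import datetime

# Excerpt of the DDS log posted in this thread, trimmed to the sections the script reads.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - No File
mRun: [<NO NAME>]
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-12-8 2440120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-11 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20081120.024\NAVENG.SYS [2009-6-11 89104]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

=============== Created Last 30 ================

2009-06-11 18:30 38,056 a------- c:\windows\system32\drivers\WGX.SYS
2009-06-11 17:44 92,488 a------- c:\windows\system32\drivers\SysPlant.sys
2009-06-11 17:44 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-11 17:44 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2009-06-11 17:44 <DIR> --d----- c:\program files\Symantec
2009-06-11 11:14 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-11 11:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-06-11 11:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-30 21:11 375,296 a------- c:\windows\system32\winexplorer.dll

==================== Find3M ====================
"""

HEADER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S{8})\s+(.+)$")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]*);([^;]*);(.*)$")


def split_sections(text):
    """Map each '=== Name ===' header of a DDS log to the non-blank lines beneath it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_created(lines):
    """Parse 'Created Last 30' rows into (timestamp, is_dir, attrs, lower-cased path)."""
    rows = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            rows.append((stamp, m.group(2) == "<DIR>", m.group(3), m.group(4).lower()))
    return rows


def service_image_names(lines):
    """Lower-cased basenames of every image path DDS lists under SERVICES / DRIVERS."""
    names = set()
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        image = m.group(4)
        # DDS appends '[date size]' and sometimes a '"quoted" --> resolved' pair; keep the resolved path.
        image = re.sub(r"\s*\[.*\]$", "", image).split("-->")[-1].strip().strip('"')
        names.add(image.rsplit("\\", 1)[-1].lower())
    return names


def unlisted_drivers(created, service_names):
    """New .sys files under system32\\drivers that no listed service/driver entry points at."""
    return [
        path for _, is_dir, _, path in created
        if not is_dir
        and "\\drivers\\" in path
        and path.endswith(".sys")
        and path.rsplit("\\", 1)[-1] not in service_names
    ]


def lone_drivers(created):
    """Heuristic (this script's assumption): installers drop several files in the same
    minute, so a .sys created with no other new file or directory deserves a closer look."""
    per_minute = Counter(stamp for stamp, *_ in created)
    return [
        path for stamp, is_dir, _, path in created
        if not is_dir and path.endswith(".sys") and per_minute[stamp] == 1
    ]


def dangling_hjt_entries(lines):
    """HJT-style entries whose target is gone ('- No File') or whose Run value is empty."""
    return [l for l in lines if l.endswith(" - No File") or l.endswith("[<NO NAME>]")]


def triage(text):
    """Run the three checks over a DDS log and return the items worth verifying by hand."""
    sections = split_sections(text)
    created = parse_created(sections.get("Created Last 30", []))
    names = service_image_names(sections.get("SERVICES / DRIVERS", []))
    return {
        "unlisted_drivers": sorted(unlisted_drivers(created, names)),
        "lone_drivers": lone_drivers(created),
        "dangling_entries": dangling_hjt_entries(sections.get("Pseudo HJT Report", [])),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
```

Run against the excerpt, all five new drivers come back as "unlisted" (the Symantec and Malwarebytes ones too, because DDS did not print their service entries), which is why that list alone is not a verdict; the "lone" check narrows it to the single driver that was written with nothing else beside it, and the dangling-entry list gives the BHO and toolbar CLSIDs and the empty Run value to clear out of the registry once the file-system side is understood.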
#2 street9009

  • Topic Starter

  • Members
  • 50 posts
  • Gender:Male

Posted 13 June 2009 - 04:50 PM

Never mind, I managed to get it cleaned up. Had a windowsclick infection that had installed a non-plug-and-play driver. Found removal instructions (here), which then allowed me to start making progress with Symantec, Spybot, and Malwarebytes. Seems to be clean now.

Thanks for all you guys do.

#3 Guest_The weatherman_*


  • Guests

Posted 14 June 2009 - 08:07 AM

Thank you for letting us know street9009. :thumbup2:
