
Probable malware infection


No replies to this topic

#1 MartyL


Posted 11 September 2010 - 01:11 PM

I am running a Pentium 4 (3 GHz) HP desktop with 512 meg (PC 2700) RAM. It has a WD 240 GB HD with 147 GB free.

My problem started with the computer being unusably slow for the first 15 minutes or so. Task Manager showed that wuauclt.exe was hogging memory. So was one of the processes running under svchost.

I poked around the Internet and found some suggestions that it was malware causing the problem. I ran Malwarebytes and it found nothing. I have a subscription to ESET NOD32 so I ran a scan with it. It found nothing. I contacted ESET and they suggested I download the newest version of NOD32. I couldn't find the link on their website to get the download. In the course of communication with them I finally got so frustrated that I uninstalled NOD32 and installed Microsoft Security Essentials. It too found nothing.

I poked around the internet more and found a post somewhere that said the issue was with Microsoft Update and that if you switched to Windows Update the problem would go away. Sure enough, it did.

I then contacted Microsoft Support because I was having an issue with a Windows Update failing (it was (2) HID Updates). They resolved the problem and I complained about the wuauclt.exe issue. The Tech who contacted me was not of much help. His solution for fixing the wuauclt problem was just don't use Microsoft Update. I want to use Microsoft Update. I have other Microsoft programs that I want kept up to date. Anyway on to the current problems.

He had me run ComboFix and directed me to this web site (bleepingcomputer.com) for instructions on how to run it. I did that. It completed successfully. However there have been several strange behaviors since then.

1.) When ComboFix rebooted my machine IE came up (I run IE 8) and told me all of my security settings had been changed. It offered to fix my security settings. I thought it was ComboFix that was doing this so I allowed it. Now when I go into the Security tab of IE I can change the Security level for the Internet Zone to High, Medium High or Medium. Custom is not available. On every other zone the settings are Custom and I can't change them (Custom isn't available).

2.) I run WinPatrol on my PC. About 30 minutes after I ran ComboFix WinPatrol warned me that CryptSvc was trying to install itself as a new Service. That seemed strange to me so I told WinPatrol No to not allow it to install. I later checked the Services and CryptSvc was installed, set to Manual and Running. I stopped it and disabled it just in case.

3.) At some point, and I don't remember how soon it was after ComboFix ran, WinPatrol warned me that something was trying to change my Hosts file. At least what WinPatrol reported was that it wanted to change it to exactly what it currently was. I kept not allowing it and it kept coming up so I finally allowed it and I went in and deleted the line "127.0.0.1 localhost" and copied what was in an old version of Hosts into it (it was all of the commented out lines about how to use the file and the line 127.0.0.1 localhost).

4.) I didn't know what else to do so I figured that since these problems surfaced after I ran ComboFix I would run it again (I did find the log file first and rename the first one before I ran it again in case that is helpful). It completed successfully and no IE Security issues this time.

5.) Now WinPatrol keeps periodically popping up a warning that a change in one of my filetype associations has been detected. It wants to change my .url association (I have a screen shot of the popup but I can't find where to attach a file so I will have to just tell you what it reports). It says the program currently associated with this file type is "Run A DLL as an App" and it points to "C:\Windows\system32\rundll32.exe C:\Windows\system32\ieframe.dll, OpenURL %1". It then tells me a change was made to use the following program for this filetype "Run a DLL as an App" and it points to "rundll.exe ieframe.dll, OpenURL %1" and asks if this change is OK. I keep hitting No.

In relation to 1.) I installed NetNanny (ContentWatch) on this PC before but I uninstalled it months ago. Some time after it was installed I noticed that you could not access Internet Options from IE itself. You had to go into the Control Panel to do it. I presumed that was something NetNanny did. However that is still the case even though NetNanny is gone. I presumed it was issues left over from NetNanny and have just ignored it until now. I am bringing this up because I am not sure if the Security issues were there from before (presumably from NetNanny) or not.

I am sorry to be so verbose but I figured every bit of information may be helpful and I don't know what is or isn't important.

I have not run Malwarebytes or done a Scan with MSE since I ran ComboFix (MSE is running though). I am going to do that now but I wanted to begin getting help ASAP and I have to work this afternoon so I won't be able to get back to this until tomorrow or Monday. I will post results though as soon as I can run both of them.

Thank you kindly for your help,

Marty

Edited by Andrew, 13 September 2010 - 02:04 AM.

