No specific infection ID'ed - WIn search executed without system interaction

On 02/25/2011, I found my desktop computer showing a windows search window on the monitor screen with the search string *0000 (maybe 1 or 2 more or less 0's). I live alone and hadn't ran that search. No one else was in my apt and there is no way that user interaction caused this search to be performed.

Also, there are times when certain icons do not appear in my taskbar notification area in the bottom right of the screen (right side of taskbar). Yes, I do have Windows set to always show all notifications and have checked, and double-super-triple-scoop checked that setting. Icons such as MS Security essentials or ZoneAlarm Free firewall icon will not be there but, upon further inspection, the processes will be shown running in the taskmanager.

For my classes this semester, I have had to download and install a host of different software in order to do certain assignments. While my professors are sure that all the applications/libraries that the students need to install and run are clean (OpenSSL, Perl, Hash checking software, etc...), I don't like installing programs that aren't needed for an ongoing basis.

Until the phantom search was run and I found it with the results displayed, I figured I just had some minor system instability. After finding the search had been run on my machine, however, I wanted to get a second set of eyes on my system to see if anything is found.

I have performed the steps from the "Preparation Guide For Use Before Using...." page located on this domain.

Here is my DDS.txt log (MS Security Essentials didn't pop-up a notice when running DDS):


DDS (Ver_10-12-12.02) - NTFSx86
Run by TestUser at 17:57:49.31 on Mon 02/28/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3581.2703 [GMT -6:00]

AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ZoneAlarm Firewall *Enabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Sandboxie\SandboxieRpcSs.exe
C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\TestUser\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {338095E4-1806-4BA3-AB51-38A3179200E9} - hxxps://10.21.50.20/LabManager/ControlPanel/Machines/MachineDetails/ActiveXControls/ViewerXVNC/vmware-mks.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://webvpn.ilstu.edu/dana-cached/sc/JuniperSetupClient.cab
TCP: {D142F1FD-2D42-4665-92E7-8FDB81D9F9CA} = 68.87.72.134,68.87.77.134

================= FIREFOX ===================

FF - ProfilePath - c:\users\testuser\appdata\roaming\mozilla\firefox\profiles\cpsfcbe2.default\
FF - prefs.js: browser.startup.homepage - www.ilstu.edu
FF - component: c:\users\testuser\appdata\roaming\mozilla\firefox\profiles\cpsfcbe2.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: LastPass: support@lastpass.com - %profile%\extensions\support@lastpass.com

============= SERVICES / DRIVERS ===============

R0 amacpi;Microsoft Away Mode System;c:\windows\system32\drivers\null.sys [2009-7-13 4608]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
R1 MpKslbcf68a88;MpKslbcf68a88;c:\programdata\microsoft\microsoft antimalware\definition updates\{08fe3022-4d00-4ac8-babc-4fd9c6980c4d}\MpKslbcf68a88.sys [2011-2-28 28752]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-1-10 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-1-10 399416]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-8-9 123112]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2009-7-13 20992]
S3 rt61x86;Linksys Wireless-G PCI Adapter Driver;c:\windows\system32\drivers\WMP54Gv41x86.sys [2010-4-7 376160]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-9-7 1343400]
S4 DirMngr;DirMngr;c:\program files\gnu\gnupg\dirmngr.exe [2010-7-28 242176]
S4 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]

=============== Created Last 30 ================

2011-02-28 23:43:48 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{08fe3022-4d00-4ac8-babc-4fd9c6980c4d}\MpKslbcf68a88.sys
2011-02-28 23:43:37 5943120 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{08fe3022-4d00-4ac8-babc-4fd9c6980c4d}\mpengine.dll
2011-02-24 04:26:45 -------- d-----w- c:\program files\PFPortChecker
2011-02-15 07:00:16 -------- d-----w- c:\users\testuser\appdata\roaming\Foxit Software
2011-02-15 06:31:25 -------- d-----w- c:\users\testuser\appdata\local\Secunia PSI
2011-02-15 06:31:13 -------- d-----w- c:\program files\Secunia
2011-02-10 02:28:41 75208 ----a-w- c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
2011-02-08 23:39:05 2329088 ----a-w- c:\windows\system32\win32k.sys
2011-02-08 23:39:03 541184 ----a-w- c:\windows\system32\kerberos.dll

==================== Find3M ====================

2011-01-19 03:25:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-07 07:27:11 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-07 05:33:11 294400 ----a-w- c:\windows\system32\atmfd.dll
2011-01-05 05:37:33 428032 ----a-w- c:\windows\system32\vbscript.dll
2010-12-18 05:32:22 981504 ----a-w- c:\windows\system32\wininet.dll
2010-12-18 05:29:40 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-18 04:20:55 386048 ----a-w- c:\windows\system32\html.iec
2010-12-18 03:47:59 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-12-04 19:58:48 237056 ----a-w- c:\windows\system32\ssleay32.dll
2010-12-04 19:58:48 237056 ----a-w- c:\windows\system32\libssl32.dll
2010-12-04 19:58:36 1099776 ----a-w- c:\windows\system32\libeay32.dll

============= FINISH: 17:58:32.60 ===============

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

• If you have since resolved the original problem you were having, we would appreciate you letting us know.
• If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
  
  • If you are unsure about any of these characteristics just post what you can and we will guide you.
• Please tell us if you have your original Windows CD/DVD available.
• If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
• If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
• Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.
• If you have already posted a DDS log, please do so again, as your situation may have changed.
• Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

• Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explanation about the tool. No input is needed, the scan is running.
• Notepad will open with the results.
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

Thanks and again sorry for the delay.

Casey

Casey_boy, thank you for responding. I will perform the steps you posted as soon as I am back in town and at my apt; which should be on 3/10/2011. I will then post the results and be sure to provide the requested information. I don't anticipate any problems in carrying out the steps you've posted for me to carry out.

Thank you again, your time and expertise is much appreciated, finiteworld.

I apologize that I didn't respond when I said that I would. I've been swamped with systems analysis coursework on top of my reg work. It will continue this way for the next couple weeks.

I will wait on this until I am able to reply to instructions in a timely manner. Please delete this post and thank you for your time spent thus far. This desktop will sit in the corner until we can hunt down the ghost and I'll make due on my good ol' lenovo.

Thank you for providing this valuable service to the community. Maybe one day I can complete the training and volunteer... AFTER THE UNDERGRAD IS FINISHED!!!! Ahhhh!!!

Cheers, finiteworld

finiteworld,

Thanks for responding back, and informing us that you will not be able to continue working on this issue right now. We truly appreciate being kept in the loop.

I am going to go ahead and close this topic. When you find yourself with a more time to work on this issue, please follow the instructions in this post here: http://www.bleepingcomputer.com/forums/topic34773.html and create another thread with the required logs.

This thread is now closed.

Kindest Regards,
SweetTech.