
Infected - no documents, no desktop icons, start>all programs> (empty)


  • This topic is locked
7 replies to this topic

#1 help liam

help liam

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:38 AM

Posted 19 June 2011 - 11:44 PM

Hi, thanks for the help. I have had an infection that is proving to be a royal pain in the behind. Just so you know, if this helps in any sort of way, this is dual booted with Linux. If I go into My Documents I get a blank screen, the same for All Documents. When I go to All Programs it says (empty). There are no desktop icons, but after right-clicking into Properties and unchecking/checking "show icons" the Recycle Bin came up, and I am able to save icons there such as the ones used for this post.

In the whole excitement of the moment I quickly installed Malwarebytes Anti-Malware and ran a full scan and removed the infections without writing down what they were :thumbdown: . I believe I remember seeing "hijacker" and "trojan"; however, there were 3 or 4 infections.

Thank you so much for helping. I will keep this page open to check every 5 or so minutes so as not to waste your time or my time.




.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by Liam at 11:33:22 on 2011-06-20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1132 [GMT 10:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = hxxp://store.steampowered.com/screenshot/app/7940/?size=800
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NWEReboot]
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230349102250
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {A3D93B25-4601-49D2-B3AF-F447C73D561F} - hxxp://69.199.58.21/program/SonySncRz25View.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
TCP: DhcpNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{6934F26E-E952-4B99-A5C2-6905C0F83AAE} : DhcpNameServer = 8.8.8.8 8.8.4.4
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\liam\application data\mozilla\firefox\profiles\zbuethib.default\
FF - prefs.js: browser.startup.homepage - hxxp://monsterfishkeepers.com/forums/
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsle8774c2d;MpKsle8774c2d;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{45463217-4833-46eb-8982-42ae9aca41a2}\MpKsle8774c2d.sys [2011-6-20 28752]
R1 SASDIFSV;SASDIFSV;c:\docume~1\john\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-18 12872]
R1 SASKUTIL;SASKUTIL;c:\docume~1\john\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2010-5-11 67656]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-2-7 1373480]
S1 MpKsl1526d9d1;MpKsl1526d9d1;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0e54eec2-823c-441a-be22-a948fd5ee14b}\mpksl1526d9d1.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0e54eec2-823c-441a-be22-a948fd5ee14b}\MpKsl1526d9d1.sys [?]
S1 MpKsl5f10b5dd;MpKsl5f10b5dd;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1f2bd92a-2e97-44dd-bd80-7422900bf6c0}\mpksl5f10b5dd.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1f2bd92a-2e97-44dd-bd80-7422900bf6c0}\MpKsl5f10b5dd.sys [?]
S1 MpKsl6a7a80b6;MpKsl6a7a80b6;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{da69674f-5396-4783-83dd-6aaaf2c7ce6a}\mpksl6a7a80b6.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{da69674f-5396-4783-83dd-6aaaf2c7ce6a}\MpKsl6a7a80b6.sys [?]
S1 MpKsl6ac65e5a;MpKsl6ac65e5a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c94e1898-a0b2-465f-b35e-665e7803bcb2}\mpksl6ac65e5a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c94e1898-a0b2-465f-b35e-665e7803bcb2}\MpKsl6ac65e5a.sys [?]
S1 MpKslb41d12d8;MpKslb41d12d8;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c94e1898-a0b2-465f-b35e-665e7803bcb2}\mpkslb41d12d8.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c94e1898-a0b2-465f-b35e-665e7803bcb2}\MpKslb41d12d8.sys [?]
S1 MpKsled71073b;MpKsled71073b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c94e1898-a0b2-465f-b35e-665e7803bcb2}\mpksled71073b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c94e1898-a0b2-465f-b35e-665e7803bcb2}\MpKsled71073b.sys [?]
S1 MpKslfb6d41c6;MpKslfb6d41c6;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ee45d492-5b53-4bb1-9f41-763aaddaa5a3}\mpkslfb6d41c6.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ee45d492-5b53-4bb1-9f41-763aaddaa5a3}\MpKslfb6d41c6.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c99ef252a605fa;Google Update Service (gupdate1c99ef252a605fa);c:\program files\google\update\GoogleUpdate.exe [2009-3-7 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-3-7 133104]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-06-20 01:11:31 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{45463217-4833-46eb-8982-42ae9aca41a2}\MpKsle8774c2d.sys
2011-06-20 00:18:45 3085192 ----a-w- C:\WindowsXP-KB941248-v3-x86-ENU.exe
2011-06-19 23:54:51 360448 ---ha-w- c:\documents and settings\all users\application data\24698660.exe
2011-06-19 22:22:42 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-19 22:22:39 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-19 22:22:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-19 21:48:44 444416 ---ha-w- c:\documents and settings\all users\application data\bpbMHutRXor.exe
2011-06-18 04:02:41 6962000 ---ha-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{45463217-4833-46eb-8982-42ae9aca41a2}\mpengine.dll
2011-06-13 01:55:22 -------- d-----w- c:\program files\Liquid Entertainment
2011-06-13 01:54:20 53248 ------w- c:\program files\common files\installshield\engine\6\intel 32\msihook.dll
2011-06-13 01:54:20 126976 ------w- c:\program files\common files\installshield\engine\6\intel 32\knlwrap.exe
2011-06-13 01:54:19 114688 ------w- c:\program files\common files\installshield\engine\6\intel 32\scpthdlr.dll
2011-05-21 06:48:51 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
2011-05-24 09:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-27 07:42:38 0 ----a-w- c:\windows\Mwisiri.bin
2011-04-08 03:13:16 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2011-04-07 23:51:50 252316 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-04-07 23:51:50 1 ----a-w- c:\windows\system32\nvdrssel.bin
.
============= FINISH: 11:33:36.64 ===============
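The two entries in the "Created Last 30" section above that stand out to a responder are `24698660.exe` and `bpbMHutRXor.exe`: both carry the hidden attribute (`---ha-w-`), both were dropped straight into the all-users application-data folder, and both have names that look generated rather than chosen. The script below is an added example, not part of the DDS tool or of the original post: it parses the file-listing lines of a DDS log into their fields and flags entries matching at least two of those indicators. The reading of the attribute column (`h` = hidden, leading `d` = directory), the list of executable extensions and the "random-looking name" heuristic are assumptions made for this example, and the sample log is constructed from lines in the post.

```python
"""Triage helper for the file-listing sections of a DDS log ("Created Last 30"
and "Find3M"). Added example, not part of the DDS tool or of the original post.
It parses each line into timestamp / size / attribute flags / path and flags
executables that carry the hidden attribute and were dropped straight into the
shared application-data folder, the pattern visible in the log above.

Assumptions (not documented on the page): an 'h' in the attribute column means
hidden and a leading 'd' means directory; the "random-looking name" rule is a
constructed heuristic, not a DDS feature.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in DDS format: two entries copied from the post above
# plus three benign ones for contrast.
SAMPLE_LOG = r"""
2011-06-20 00:18:45 3085192 ----a-w- C:\WindowsXP-KB941248-v3-x86-ENU.exe
2011-06-19 23:54:51 360448 ---ha-w- c:\documents and settings\all users\application data\24698660.exe
2011-06-19 22:22:39 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-19 21:48:44 444416 ---ha-w- c:\documents and settings\all users\application data\bpbMHutRXor.exe
2011-06-19 22:22:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+"          # directories show dashes instead of a size
    r"(?P<attrs>[a-z-]{8})\s+"      # e.g. ----a-w-, ---ha-w-, d-----w-
    r"(?P<path>.+?)\s*$"
)
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".pif"}
SHARED_DATA_MARKERS = ("\\all users\\application data\\", "\\programdata\\")


@dataclass
class Entry:
    timestamp: str
    size: Optional[int]
    attrs: str
    path: str

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_dds_listing(text: str) -> List[Entry]:
    """Return one Entry per recognisable file line; headers and '.' lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            size = int(m["size"]) if m["size"].isdigit() else None
            entries.append(Entry(m["ts"], size, m["attrs"], m["path"]))
    return entries


def looks_random(stem: str) -> bool:
    """Constructed heuristic: all digits, or frequent upper/lower case flips."""
    if stem.isdigit() and len(stem) >= 6:
        return True
    flips = sum(
        1 for a, b in zip(stem, stem[1:])
        if a.isalpha() and b.isalpha() and a.islower() != b.islower()
    )
    return flips >= 3


def in_shared_data_root(path: str) -> bool:
    """True when the file sits directly in the all-users application-data folder."""
    low = path.lower()
    for marker in SHARED_DATA_MARKERS:
        idx = low.find(marker)
        if idx != -1:
            return "\\" not in low[idx + len(marker):]
    return False


def triage(text: str) -> List[Tuple[str, List[str]]]:
    """Flag entries matching at least two indicators; returns (path, reasons) pairs."""
    findings = []
    for e in parse_dds_listing(text):
        if e.is_dir:
            continue
        base = e.path.rsplit("\\", 1)[-1]
        stem, dot, ext = base.rpartition(".")
        if not dot:
            stem, ext = base, ""
        reasons = []
        if e.hidden and "." + ext.lower() in EXEC_EXT:
            reasons.append("hidden executable")
        if in_shared_data_root(e.path):
            reasons.append("dropped directly in shared application-data folder")
        if looks_random(stem):
            reasons.append("random-looking file name")
        if len(reasons) >= 2:
            findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(path, "->", "; ".join(reasons))
```

Run it against the text of a full DDS log and it prints only the entries worth a closer look; the legitimate Microsoft update and the Malwarebytes driver in the sample are left alone because they match none of the indicators, while the two hidden droppers match all three. Requiring two indicators rather than one keeps hidden-but-ordinary files (definition updates, vendor caches) out of the output.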


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:38 PM

Posted 20 June 2011 - 12:00 AM

Hello help liam ,



Download this and run it. It *should* unhide most everything you're missing. http://download.bleepingcomputer.com/grinler/beta/unhide.exe

Let me know if that does it, and if you need further help. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 help liam

help liam
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:38 AM

Posted 20 June 2011 - 12:11 AM

Thank you very much! Yes, it is working/has worked. Now, is there any more I have to do, if there are any more infections and stuff?

#4 help liam

help liam
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:38 AM

Posted 20 June 2011 - 02:08 AM

In All Programs, I have just noticed that only 1/2 of the programs that were originally there are listed; also, when you go to the program it says empty. For example, Start > All Programs > Adobe > (empty). It works for some programs though.

Edited by help liam, 20 June 2011 - 02:24 AM.


#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:38 PM

Posted 20 June 2011 - 04:49 AM

You *should* be able to go to your options and UNtick the box that says to hide everything. *Normally* with this, the malware checks the hide box. <_<

#6 help liam

help liam
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:38 AM

Posted 20 June 2011 - 06:45 AM

Yes, I have done this, to no avail. It seems a lot of people have been stung with this infection, just from reading.

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:38 PM

Posted 20 June 2011 - 03:50 PM

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to liam.exe and try again.

Thanks,
tea

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:38 PM

Posted 07 August 2011 - 01:02 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic