
Help with unknown infection.


This topic is locked. 2 replies to this topic.

#1 Haskin (Members, 1 posts)

Posted 27 February 2012 - 02:32 PM

My machine is running Windows XP. My problem is that when I log into a certain user profile, I cannot do anything (open programs, surf the internet, open folders, etc.).

When I first suspected my system was infected (slow, inability to download from the internet, no background), I was instructed by a friend to run ComboFix. This was difficult since I wasn't able to download anything. The Internet Explorer popup would state that the download could not be completed because the site could not be found. So I decided to create a new user profile and download it that way. I downloaded it to C: on my second user profile and then ran it from the infected one. A EULA for Sysinternals software kept popping up during the ComboFix scan. When ComboFix was done, the previous symptoms were still there. A few days later I logged back in and that's when I found I couldn't do anything (as per the first paragraph).

DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Haskin at 12:34:20 on 2012-02-27
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.895.170 [GMT -6:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Documents and Settings\Haskin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\Haskin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Haskin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\Haskin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Haskin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Haskin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
BHO: ElnkBhoGuard Class: {00000000-0000-0000-0000-000000000002} - c:\program files\peoplepc\toolbar\ScamGrd.dll
BHO: ElnkScamBHO Class: {15f4d456-5baa-4076-8486-eecb38cd3e57} - c:\program files\peoplepc\toolbar\ScamGrd.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Accelerator Plugin: {656ec4b7-072b-4698-b504-2a414c1f0037} - c:\progra~1\people~1\PRPL_I~1.DLL
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~3.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\MSOFFICE.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\MSOFFICE.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235445970931
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1B86A0EC-533E-40B7-9CEA-6EA1B8AD91D7} : DhcpNameServer = 192.168.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-2-26 610648]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-2-26 337112]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-2-26 20696]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-2-26 44768]
.
=============== Created Last 30 ================
.
2012-02-27 18:28:20 607260 ------r- C:\dds.scr
2012-02-26 18:39:14 610648 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-02-26 18:38:56 41184 ----a-w- c:\windows\avastSS.scr
2012-02-26 18:38:43 -------- d-----w- c:\program files\AVAST Software
2012-02-26 18:38:43 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2012-02-26 07:33:20 274288 ----a-w- c:\windows\system32\mucltui.dll
2012-02-26 07:33:20 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-02-26 00:55:39 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-25 22:53:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-02-25 22:53:48 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-02-25 22:49:45 12021760 ----a-w- C:\Ad-Aware96Install.msi
2012-02-25 22:48:41 16409960 ----a-w- C:\spybotsd162.exe
2012-02-25 22:06:51 302592 ----a-w- C:\ko47potu.exe
2012-02-25 21:33:32 98816 ----a-w- c:\windows\sed.exe
2012-02-25 21:33:32 518144 ----a-w- c:\windows\SWREG.exe
2012-02-25 21:33:32 256000 ----a-w- c:\windows\PEV.exe
2012-02-25 21:33:32 208896 ----a-w- c:\windows\MBR.exe
2012-02-25 15:20:06 4418982 ------r- C:\C-Fix.exe
2012-02-25 15:02:01 -------- d-----w- c:\documents and settings\haskin\local settings\application data\Google
2012-02-25 14:57:26 -------- d-sh--w- c:\documents and settings\haskin\PrivacIE
2012-02-25 06:41:42 -------- d-----w- c:\documents and settings\haskin\application data\ScamBlocker
2012-02-24 17:15:34 -------- d-----w- c:\windows\pss
2012-02-24 16:27:42 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-02-24 16:27:10 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-02-24 16:21:01 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-02-24 16:20:42 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-02-24 15:48:54 -------- d-sha-r- C:\cmdcons
2012-02-24 15:30:56 -------- d-----w- C:\8f9bfe61fe45646a8282171fcd88db51
2012-02-24 15:26:00 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2012-02-24 15:26:00 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-02-19 02:47:51 45056 ------w- c:\windows\system32\ppcpanel.cpl
2012-02-15 03:14:51 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-15 03:14:51 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-12 03:37:20 37376 ------w- c:\windows\system32\PPCOUNIN.exe
.
==================== Find3M ====================
.
2012-02-19 02:48:13 34660 ----a-w- c:\windows\system32\ppaluninst.exe
2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46:36 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46:36 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46:36 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22:58 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 12:36:47.25 ===============


GMER:
Log is attached because my post was too long.


Thanks,

-Haskin


#2 Casey_boy (Malware Response Team, 7,765 posts, UK)

Posted 02 March 2012 - 06:15 AM

Hi,

A few questions before we get started :)

Does your second user profile have any problems? Is the second profile an administrator?

Could you post me the ComboFix log from when you ran it? It will be located at C:\ComboFix.txt.

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.




#3 Casey_boy (Malware Response Team, 7,765 posts, UK)

Posted 08 March 2012 - 02:38 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
