Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Post Virus Strange Behavior


  • This topic is locked This topic is locked
3 replies to this topic

#1 deedubbadoo

deedubbadoo

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Indiana
  • Local time:11:30 PM

Posted 12 February 2013 - 11:02 AM

Good morning everyone!  I recently had my sister-in-law call me about her computer.  Said "it won't do anything..."  So I brought it home, hooked it up, and sure enough, it would boot to the user select screen but wouldn't do anything.  Neither keyboard nor mouse would work, even though they did work in the bios.  So I took the hard drive out of the machine and hooked it up in an external caddy to my machine.  Kaspersky immediately popped up and said that it detected a threat.  It proceeded to scan the drive and found 18 problems that it "fixed."  I put the drive back into the machine, it booted up, and voila keyboard, mouse functioning fine.  The problem begins there.  I couldn't get an IP address, so I checked the network properties to make sure there wasn't any funny proxy settings, nothing.  I did notice there was manual settings for the IP, subnet, etc... I noted them and selected "obtain automatically" for both.  I get an "acquiring ip address" in the taskbar forever, never get a connection either at home or at the office.  I opened the firewall and I was greeted with "Windows firewall settings cannot be displayed because the associated service is not running..."  I have a feeling our little virus friend left some lingering effects.

 

The machine in question is a Dell Vostro 200 Microtower, running Windows XP SP3.  Here is the DDS log.

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Julie at 9:12:06 on 2013-02-12
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1013.651 [GMT -5:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uURLSearchHooks: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uURLSearchHooks: YTNavAssistPlugin Class: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! IE Services Button: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: <No Name>: {5ff75fb0-440c-48e4-8073-72f4c67cf503} -
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - <orphaned>
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Windows Live Toolbar: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Windows Live Toolbar: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\program files\windows live toolbar\msntb.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Conime] c:\windows\system32\conime.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:157
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
Trusted Zone: turbotax.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
DPF: {1FB79868-EC67-440F-9B74-2A4DA846D732} - hxxp://scanner.defender-scanner.com/setup/webinst.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1293843933515
DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://kingsisle.hs.llnwd.net/e1/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{24F996BB-BB0C-4ED2-B674-C72412EA9504} : NameServer = 10.0.0.1,10.0.0.2
TCP: Interfaces\{24F996BB-BB0C-4ED2-B674-C72412EA9504} : DHCPNameServer = 192.168.1.254
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: zip - {b05fbcba-8053-41f5-9ab1-1162c319d93e} - <no file>
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - <no file>
STS: <No Name> - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - <no file>
.
============= SERVICES / DRIVERS ===============
.
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKAiOHostService.exe [2012-3-16 389120]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [2004-8-10 14336]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\bw2ndis5.sys --> c:\windows\system32\drivers\BW2NDIS5.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2013-02-12 00:49:46    --------    d-----w-    c:\windows\pss
2013-02-11 19:17:20    521728    ------w-    c:\windows\system32\dllcache\jsdbgui.dll
.
==================== Find3M  ====================
.
.
============= FINISH:  9:13:30.70 ===============

 

I've been trying feverishly to get into the Malware Training Program becuase I really want to understand how to diagnose and fix these infections.  For now, I will leave it up to the experts!

 

Thanks in advance!
 



BC AdBot (Login to Remove)

 


#2 Jintan

Jintan

  • Malware Response Team
  • 531 posts
  • OFFLINE
  •  
  • Local time:12:30 AM

Posted 14 February 2013 - 08:00 PM

Hello deedubbadoo,

 

Pretty bad infection showing here. You'll have to download to a clean computer for now, then transfer files over.

 

Before we start though, and I hate to delay things, I have to assume you have attempted some repairs of your own since first posting this request. If so, post the log results from that, but also post back a status report. Then we can dive into what still needs repairing.


Edited by Jintan, 14 February 2013 - 08:01 PM.

Ad eundum quo no duck ante iit

#3 deedubbadoo

deedubbadoo
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Indiana
  • Local time:11:30 PM

Posted 15 February 2013 - 08:41 AM

Jintan,

 

What I ended up doing was just copying the files she wanted over to an external drive (just pictures and music,) and then re-installed Windows XP.  I know that sometimes especially when there aren't a lot of important files, it's just easier to start over.  Is there anyway you could tell me what you gleaned from the log originally?  I'm very interested in learning more about viruses and what to look for initially in the DDS logs.  Hopefully I can get into the Malware and Spyware Removal School one day.

 

Thanks!



#4 Jintan

Jintan

  • Malware Response Team
  • 531 posts
  • OFFLINE
  •  
  • Local time:12:30 AM

Posted 16 February 2013 - 05:41 PM

I appreciate you posting back the update.


Ad eundum quo no duck ante iit




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users