Clicked a link in email


  • This topic is locked
4 replies to this topic

#1 dglandorf


  • Members
  • 2 posts

Posted 09 March 2013 - 10:58 AM

Received an email from my sister and clicked on the link.  Later my sister called and told me her computer had a virus and it sent the email.  What next?

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7600.16385
Run by lilroe at 9:46:51 on 2013-03-09
#Option Extended Search is enabled.
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.1790.258 [GMT -8:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe
C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Browny02\BrYNSvc.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10c.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=el1333g&r=17360313m106p0435v1k5r44l2s248
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=el1333g&r=17360313m106p0435v1k5r44l2s248
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=el1333g&r=17360313m106p0435v1k5r44l2s248
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=el1333g&r=17360313m106p0435v1k5r44l2s248
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\CoIEPlg.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\IPSBHO.dll
BHO: Partner BHO Class: {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\Partner.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\CoIEPlg.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\CoIEPlg.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
mRun: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: NameServer = 172.16.0.1
TCP: Interfaces\{76C09F17-3DAB-4FF0-8A0B-AE83015E5F44} : DHCPNameServer = 172.16.0.1
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\CoIEPlg.dll
SSODL: WebCheck - <orphaned>
x64-mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=el1333g&r=17360313m106p0435v1k5r44l2s248
x64-mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=el1333g&r=17360313m106p0435v1k5r44l2s248
x64-BHO: Partner BHO Class: {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\Partner64.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg64.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
x64-Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\System32\NvCpl.dll,NvStartup
x64-Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R1 BHDrvx64;Symantec Heuristics Driver;C:\Windows\System32\drivers\NISx64\1008030.006\BHDrvx64.sys [2013-3-8 334384]
R1 ccHP;Symantec Hash Provider;C:\Windows\System32\drivers\NISx64\1008030.006\cchpx64.sys [2013-3-8 561800]
.
=============== Created Last 60 ================
.
2013-03-08 15:38:41 77312 ----a-w- C:\Windows\System32\packager.dll
2013-03-08 15:38:40 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2013-03-08 15:29:06 279160 ----a-w- C:\Windows\System32\drivers\NISx64\1008030.006\symtdi.sys
2013-03-08 15:29:05 56952 ----a-w- C:\Windows\System32\drivers\NISx64\1008030.006\symndisv.sys
2013-03-08 15:29:05 476720 ----a-w- C:\Windows\System32\drivers\NISx64\1008030.006\srtsp64.sys
2013-03-08 15:29:05 44152 ----a-w- C:\Windows\System32\drivers\NISx64\1008030.006\symndis.sys
2013-03-08 15:29:05 43640 ----a-w- C:\Windows\System32\drivers\NISx64\1008030.006\symids.sys
2013-03-08 15:29:05 402992 ----a-w- C:\Windows\System32\drivers\NISx64\1008030.006\SymEFA64.sys
2013-03-08 15:29:05 334384 ----a-w- C:\Windows\System32\drivers\NISx64\1008030.006\BHDrvx64.sys
2013-03-08 15:29:05 32304 ----a-w- C:\Windows\System32\drivers\NISx64\1008030.006\srtspx64.sys
2013-03-08 15:29:05 120952 ----a-w- C:\Windows\System32\drivers\NISx64\1008030.006\symfw.sys
2013-03-08 15:28:34 561800 ----a-w- C:\Windows\System32\drivers\NISx64\1008030.006\cchpx64.sys
2013-03-08 15:28:32 -------- d-----w- C:\Windows\System32\drivers\NISx64\1008030.006
2013-03-08 15:21:07 -------- d-----w- C:\Verizon_Android
2013-03-07 16:27:29 -------- d-----w- C:\Brother
2013-03-07 16:27:26 -------- d-----w- C:\Program Files (x86)\Browny02
2013-03-07 16:27:24 45056 ----a-w- C:\Windows\SysWow64\BRTCPCON.DLL
2013-03-07 16:27:22 103736 ----a-w- C:\Windows\SysWow64\BRRBTOOL.EXE
2013-03-07 16:27:20 77824 ----a-w- C:\Windows\SysWow64\BRLMW03A.DLL
2013-03-07 16:27:20 25299 ----a-w- C:\Windows\SysWow64\BRLM03A.DLL
2013-03-07 16:27:18 73728 ------w- C:\Windows\SysWow64\BrDctF2.dll
2013-03-07 16:27:18 5120 ------w- C:\Windows\SysWow64\BrDctF2L.dll
2013-03-07 16:27:18 2560 ------w- C:\Windows\SysWow64\BrDctF2S.dll
2013-03-07 16:27:18 217088 ------w- C:\Windows\SysWow64\NSSearch.dll
2013-03-07 16:27:18 -------- d-----w- C:\Program Files (x86)\Brother
2013-03-07 16:27:16 180224 ------w- C:\Windows\SysWow64\BroSNMP.dll
2013-03-07 16:26:17 -------- d-----w- C:\ProgramData\Brother
2013-03-07 16:05:50 139264 ----a-w- C:\Windows\System32\cabview.dll
2013-03-07 16:05:50 132608 ----a-w- C:\Windows\SysWow64\cabview.dll
2013-03-07 16:05:48 826368 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2013-03-07 16:05:48 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2013-03-07 16:05:48 204800 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2013-03-07 16:05:48 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2013-03-07 16:03:24 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2013-03-07 16:03:21 -------- d-----w- C:\ProgramData\OEM_E471269A730D
2013-03-07 16:03:15 -------- d-----w- C:\Program Files (x86)\OEM
2013-03-07 16:03:09 99840 ----a-w- C:\Windows\System32\wudriver.dll
2013-03-07 15:05:52 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2013-03-07 14:26:22 -------- d-----w- C:\Users\lilroe\AppData\Local\Google
2013-03-07 14:11:55 4398360 ----a-w- C:\Windows\System32\d3dx9_32.dll
2013-03-07 14:11:55 3426072 ----a-w- C:\Windows\SysWow64\d3dx9_32.dll
2013-03-07 14:11:23 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2013-03-07 14:10:27 -------- d-----w- C:\Program Files (x86)\Microsoft
2013-03-07 14:09:59 -------- d-----w- C:\Program Files (x86)\Windows Live SkyDrive
2013-03-07 14:09:11 74520 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\5746cd801ce1b3d\DSETUP.dll
2013-03-07 14:09:11 484632 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\5746cd801ce1b3d\DXSETUP.exe
2013-03-07 14:09:11 1670936 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\5746cd801ce1b3d\dsetup32.dll
2013-03-07 14:08:08 141402440 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\wlcE503.tmp
2013-03-07 14:07:50 -------- d-----w- C:\Program Files (x86)\Common Files\Windows Live
2013-03-07 14:06:54 31280 ----a-r- C:\Windows\System32\drivers\SymIMV.sys
2013-03-07 14:06:51 172592 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2013-03-07 14:06:51 -------- d-----w- C:\Program Files\Symantec
2013-03-07 14:06:51 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2013-03-07 14:06:29 -------- d---a-w- C:\book
2013-03-07 14:05:59 -------- d-----w- C:\Users\lilroe\AppData\Local\VirtualStore
2013-03-07 01:12:52 -------- d-----w- C:\Windows\NAPP_Dism_Log
.
==================== Find6M  ====================
.
2013-03-07 01:21:49 6 ----a-w- C:\Windows\System32\PLD_Framework.cmd
.
============= FINISH:  9:52:28.93 ===============
 

#2 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 10 March 2013 - 03:17 PM

Good evening. :)
 

What next?

Some questions... How does your sister know her PC is infected - is it showing signs, such as sending emails, or is a security program detecting something? If the latter, what scanner is it and what exactly does it detect?

What was the address of the link that you clicked?

Is your PC showing any signs of infection?

 

* Is this a new PC or have you just reinstalled the operating system? One of the logs shows: Install Date: 3/7/2013

 

Please understand that as we, that is generally anybody but you, cannot see the PC we are reliant on what you post to help us. The more you tell, the better able we are to diagnose and resolve problems.


Edited by Noviciate, 10 March 2013 - 03:18 PM.
Extra question.

So long, and thanks for all the fish.

 

 


#3 dglandorf

  • Topic Starter

  • Members
  • 2 posts

Posted 10 March 2013 - 06:32 PM

She let me know that her computer was sending out the emails.  She said it was running real slow and that she was taking it to Best Buy to have it looked at.  I figured I would get ahead of the game since I did follow the link on the first email.  I see svchost running using 140 megs of memory.  When I terminate it the screen flickers and it starts again.  The computer is brand new, I did just finish applying all of the microsoft updates this morning.
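
The script below is an added example for readers following this thread; it is not DDS, not BleepingComputer's tooling, and not anything the poster ran. It shows the two checks a log helper does first on a DDS log like the one in post #1: it splits the log into its "====" sections, counts the svchost.exe instances per "-k" service group (each svchost.exe hosts one named group, so several instances at once is normal, and a killed instance coming back is consistent with ordinary service recovery rather than evidence of infection on its own; what matters is which group it hosts and from where it runs), and lists processes and Browser Helper Objects that are orphaned or load from outside C:\Windows and the Program Files trees. The sample log is a constructed excerpt modelled on the posted one; the C:\Users\...\Temp\updater.exe line is invented to exercise the path check and does not appear in the real log. A hit means "verify this file" (publisher signature, hash lookup), not "malicious"; the ProgramData Partner.dll entry that the real log also contains is a case in point.

```python
"""Triage helper for a DDS-style log (added example, not part of DDS)."""
import re
from collections import Counter

# Constructed excerpt modelled on the log in post #1.  The Temp\updater.exe
# line is invented to exercise the path check; it is NOT in the posted log.
SAMPLE_LOG = r"""
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\System32\cscript.exe
C:\Users\lilroe\AppData\Local\Temp\updater.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Partner BHO Class: {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\Partner.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
.
============= SERVICES / DRIVERS ===============
.
R1 BHDrvx64;Symantec Heuristics Driver;C:\Windows\System32\drivers\NISx64\1008030.006\BHDrvx64.sys [2013-3-8 334384]
"""

# Locations that need admin rights to write to.  Anything loaded from
# elsewhere (AppData, Temp, ProgramData, ...) is worth verifying first.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

HEADER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "BHO: <optional name>: {CLSID} - <dll path or <orphaned>>", with or without x64- prefix.
BHO_RE = re.compile(r"^(?:x64-)?BHO: (?:(.*?): )?\{([0-9A-Fa-f-]+)\} - (.*)$")


def parse_sections(text):
    """Split a DDS log into {section name: [lines]}; '.' spacer lines are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line and line != ".":
            sections[current].append(line)
    return sections


def process_path(line):
    """Return (image path, svchost -k group or None) for a Running Processes line."""
    if line.startswith("\\\\?\\"):          # DDS prints some paths with the \\?\ prefix
        line = line[4:]
    path, _, group = line.partition(" -k ")
    return path, (group.strip() or None)


def svchost_groups(process_lines):
    """Count svchost.exe instances per -k service group (one group per instance)."""
    groups = Counter()
    for line in process_lines:
        path, group = process_path(line)
        if path.lower().endswith("\\svchost.exe"):
            groups[group or "(no -k group)"] += 1
    return dict(groups)


def is_trusted_path(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def untrusted_processes(process_lines):
    """Processes whose image lives outside Windows/Program Files."""
    return [path for path, _ in map(process_path, process_lines) if not is_trusted_path(path)]


def suspicious_bhos(hjt_lines):
    """BHOs that are orphaned (DLL gone) or load from a user-writable location."""
    findings = []
    for line in hjt_lines:
        m = BHO_RE.match(line)
        if not m:
            continue
        _name, clsid, target = m.groups()
        if target == "<orphaned>":
            findings.append((clsid, "orphaned registration, DLL missing"))
        elif not is_trusted_path(target):
            findings.append((clsid, "loads from " + target))
    return findings


def triage(text):
    """Run all checks over one DDS log and return the findings by check."""
    s = parse_sections(text)
    procs = s.get("Running Processes", [])
    return {
        "svchost_groups": svchost_groups(procs),
        "untrusted_processes": untrusted_processes(procs),
        "suspicious_bhos": suspicious_bhos(s.get("Pseudo HJT Report", [])),
    }


if __name__ == "__main__":
    for check, result in triage(SAMPLE_LOG).items():
        print(check, result)
```

To use it on the real post, paste the full DDS text in place of SAMPLE_LOG; the section headers and the "-k" and "BHO:" line shapes are the same as in the log above.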



#4 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 11 March 2013 - 05:16 PM

Good evening. :)

What was the address of the link that you clicked?


So long, and thanks for all the fish.

 

 


#5 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 22 March 2013 - 03:51 PM

As there has been no response for ten days this thread is now closed.


So long, and thanks for all the fish.

 

 




