
Hi all,

My personal computer appears to have become infected with an infection of some sort. Malwarebytes and Microsoft Security Essentials were suddenly disabled (the Malwarebytes message says "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access this item"), and any searches conducted on a search engine bring the browser to some sort of dictionary website (with definitions like "sports car", "cooking", etc.) and advertisements on the rest of the page.

The reason why I suspect it's a virus is that in the Windows Task Manager under processes, I can see a long random string of numbers, similar to the string that appeared when the rogue program "Opencloud AV" installed itself on my computer about a month ago (which led to a self-attempted cleaning that ended in disaster and a necessary Windows re-installation). I ran the DDS script and have attached the output text files below. Any help you guys could offer would be greatly appreciated.

dds.txt

attach.txt

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29

Run by bcrandal at 8:57:06 on 2011-11-02

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1495 [GMT -4:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\WINDOWS\2532553476:4216065129.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\StacSV.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\DellTPad\Apoint.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\DellTPad\Apntex.exe

C:\WINDOWS\system32\rundll32.exe

.

============== Pseudo HJT Report ===============

.

uWinlogon: Shell=c:\documents and settings\bcrandal\local settings\application data\04b3f396\X

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

StartupFolder: c:\docume~1\bcrandal\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

LSP: mswsock.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1320177274944

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1320177332955

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\bcrandal\application data\mozilla\firefox\profiles\d2xsf5hk.default\

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]

S0 cerc6;cerc6; [x]

.

=============== Created Last 30 ================

.

2011-11-02 03:15:38 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-11-02 02:45:13 -------- d-----w- c:\documents and settings\bcrandal\application data\OpenOffice.org

2011-11-02 02:44:25 -------- d-----w- c:\program files\OpenOffice.org 3

2011-11-02 02:04:16 -------- d-sh--w- c:\documents and settings\bcrandal\local settings\application data\04b3f396

2011-11-02 01:35:07 -------- d-----w- c:\documents and settings\bcrandal\.swt

2011-11-02 01:35:04 -------- d-----w- c:\documents and settings\bcrandal\application data\Azureus

2011-11-02 01:34:13 -------- d-----w- c:\documents and settings\bcrandal\local settings\application data\Conduit

2011-11-01 23:18:12 -------- d-----w- c:\documents and settings\bcrandal\local settings\application data\Temp

2011-11-01 23:18:12 -------- d-----w- c:\documents and settings\bcrandal\local settings\application data\Adobe

2011-11-01 23:13:51 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{152958b1-1ff9-430f-bb05-44a4b0a55a17}\offreg.dll

2011-11-01 22:58:55 -------- d-----w- c:\documents and settings\bcrandal\local settings\application data\Mozilla

2011-11-01 22:07:57 273408 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpcpp6de.DLL

2011-11-01 22:07:57 149504 ----a-w- c:\windows\system32\hpcpn6de.dll

2011-11-01 22:03:18 272896 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpcpp5r1.dll

2011-11-01 22:03:18 147456 ----a-w- c:\windows\system32\hpcpn5r1.dll

2011-11-01 21:58:57 344064 ----a-w- c:\windows\system32\hpbicoin.dll

2011-11-01 21:58:08 -------- d-----w- C:\HP

2011-11-01 21:57:34 -------- d-----w- C:\OCZ

2011-11-01 21:57:14 -------- d-----w- c:\documents and settings\bcrandal\application data\PeaZip

2011-11-01 21:55:49 -------- d-----w- c:\program files\Xming

2011-11-01 21:50:17 -------- d-----w- c:\program files\VideoLAN

2011-11-01 21:49:36 -------- d-----w- c:\program files\SSH Communications Security

2011-11-01 21:48:18 -------- d-----w- c:\program files\PeaZip

2011-11-01 21:46:31 -------- d-----w- c:\documents and settings\bcrandal\application data\Malwarebytes

2011-11-01 21:46:24 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-11-01 21:46:21 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-01 21:46:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-01 21:45:47 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-11-01 21:45:47 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-11-01 21:41:46 -------- d-----w- c:\program files\Ghostgum

2011-11-01 21:41:27 -------- d-----w- c:\program files\gs

2011-11-01 21:04:48 274288 ----a-w- c:\windows\system32\mucltui.dll

2011-11-01 21:04:48 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

2011-11-01 21:04:28 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{152958b1-1ff9-430f-bb05-44a4b0a55a17}\mpengine.dll

2011-11-01 21:04:23 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-11-01 21:03:18 -------- d-----w- c:\program files\Microsoft Security Client

2011-11-01 20:58:59 -------- d-----w- c:\program files\Windows Media Connect 2

2011-11-01 20:58:29 -------- d-----w- c:\windows\system32\LogFiles

2011-11-01 20:58:08 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll

2011-11-01 20:20:09 831488 ----a-w- c:\windows\system32\BCMLogon.dll

2011-11-01 20:17:10 -------- d-----w- c:\program files\ATI Technologies

2011-11-01 20:15:59 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2011-11-01 20:15:59 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2011-11-01 20:15:59 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2011-11-01 20:15:58 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2011-11-01 20:15:58 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll

2011-11-01 20:15:58 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2011-11-01 20:15:49 -------- d-----w- c:\program files\DellTPad

2011-11-01 20:15:48 155136 ----a-w- c:\windows\system32\drivers\Apfiltr.sys

2011-11-01 20:15:47 1419232 ----a-w- c:\windows\system32\WdfCoInstaller01005.dll

2011-11-01 20:15:47 100418 ----a-w- c:\windows\system32\Vxdif.dll

2011-11-01 20:15:19 -------- d-----w- c:\program files\O2Micro OZ776 SCR Driver

2011-11-01 20:14:14 -------- d-----w- c:\documents and settings\bcrandal\application data\Dell

2011-11-01 20:14:13 61440 ----a-w- c:\windows\system32\KPower.dll

2011-11-01 20:14:13 307200 ----a-w- c:\windows\system32\BMAPI.dll

2011-11-01 20:14:13 233472 ----a-w- c:\windows\system32\NicConfigSvc.cpl

2011-11-01 20:14:13 -------- d-----w- c:\program files\Dell

2011-11-01 20:14:02 16128 ----a-w- c:\windows\system32\drivers\APPDRV.SYS

2011-11-01 20:13:47 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2011-11-01 20:13:19 989952 ----a-r- c:\windows\system32\drivers\HSF_DPV.sys

2011-11-01 20:13:19 94208 ----a-r- c:\windows\system32\mdmxsdk.dll

2011-11-01 20:13:19 731136 ----a-r- c:\windows\system32\drivers\HSF_CNXT.sys

2011-11-01 20:13:19 217088 ----a-r- c:\windows\system32\UCI32M21.dll

2011-11-01 20:13:19 211200 ----a-r- c:\windows\system32\drivers\HSFHWAZL.sys

2011-11-01 20:13:19 12672 ----a-r- c:\windows\system32\drivers\mdmxsdk.sys

2011-11-01 20:13:19 -------- d-----w- c:\program files\CONEXANT

2011-11-01 20:12:34 160256 -c--a-w- c:\windows\system32\dllcache\b57xp32.sys

2011-11-01 20:12:34 160256 ----a-r- c:\windows\system32\drivers\b57xp32.sys

2011-11-01 20:12:31 -------- d-----w- c:\program files\Broadcom

2011-11-01 20:07:30 94208 ----a-w- c:\windows\system32\stacsv.exe

2011-11-01 20:04:46 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

2011-11-01 20:03:28 -------- d-s---w- c:\windows\system32\Microsoft

2011-11-01 20:03:07 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2011-11-01 20:03:07 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2011-11-01 20:03:06 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2011-11-01 20:02:26 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-11-01 20:01:20 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2011-11-01 20:01:20 272128 ------w- c:\windows\system32\drivers\bthport.sys

.

==================== Find3M ====================

.

2011-11-01 21:45:11 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-26 16:41:20 611328 ------w- c:\windows\system32\uiautomationcore.dll

2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-08-22 23:48:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec

2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys

.

============= FINISH: 8:57:20.98 ===============



Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.
  • Removing this infection can also disable the ability to connect to the internet.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.
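Two entries in the posted DDS log are the kind of thing a defender looks for when triaging a machine like this: a running process whose file name contains a colon (C:\WINDOWS\2532553476:4216065129.exe, the NTFS alternate-data-stream naming form), and a Winlogon Shell value that points into a hidden, system-attributed directory under Local Settings instead of explorer.exe. The following Python script is an added example, not code from this thread or from DDS; it assumes the section-header and "Created Last 30" line layout shown in the log above, and its sample input is constructed from lines copied out of that log.

```python
import re
# Sample DDS excerpt, constructed from lines copied out of the log posted above.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\2532553476:4216065129.exe
C:\WINDOWS\explorer.exe
============== Pseudo HJT Report ===============
uWinlogon: Shell=c:\documents and settings\bcrandal\local settings\application data\04b3f396\X
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
=============== Created Last 30 ================
2011-11-02 02:04:16 -------- d-sh--w- c:\documents and settings\bcrandal\local settings\application data\04b3f396
2011-11-02 02:44:25 -------- d-----w- c:\program files\OpenOffice.org 3
============= FINISH: 8:57:20.98 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
CREATED_RE = re.compile(r"^(\S+ \S+)\s+\S+\s+(\S{8})\s+(.*)$")  # date time size flags path

def parse_sections(text):
    """Split a DDS log into {section name: [lines]}, skipping blank and '.' filler lines."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def triage(text):
    """Return (tag, detail) findings for the three patterns visible in this thread's log."""
    s, findings = parse_sections(text), []
    for proc in s.get("Running Processes", []):
        exe = proc.split(" -", 1)[0]                # drop service arguments such as "-k netsvcs"
        if ":" in exe.rsplit("\\", 1)[-1]:          # colon inside the file name = NTFS ADS syntax
            findings.append(("ads_process", exe))
    for entry in s.get("Pseudo HJT Report", []):
        m = re.match(r"^[um]Winlogon: Shell=(.*)$", entry, re.I)
        if m and not m.group(1).lower().endswith("explorer.exe"):
            findings.append(("winlogon_shell", m.group(1)))
    for entry in s.get("Created Last 30", []):
        m = CREATED_RE.match(entry)
        if m and "h" in m.group(2) and "s" in m.group(2):   # flag field: hidden + system set
            findings.append(("hidden_system_dir", m.group(3)))
    return findings
```

Calling `triage(SAMPLE_LOG)` returns the three findings above; pointing it at a full dds.txt applies the same checks to every line of those sections.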


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
