
Thread: Something wants control of this computer

  #1 Member (Fresno, joined Jan 2009, 61 posts)

    Something wants control of this computer

    Hello, again; thank you all for being here. My friend said, 'I got a new Mac, come get my old computer and clean it up and we will donate it or something.' I brought it home, 200 miles, and plugged it in without a thought, and all hell broke loose. Slow loading, and windows opened unbidden saying they were uploading something. I panicked and just grabbed wires and unplugged it. I disconnected it from my modem and had to go back to Jan to get it to start right. He had no A/V protection except some outdated MS stuff. I used MBAM and SpyBot to clean it up enough to see what is going on. They both say they can't find any more. I got the MS A/V thing working, but I cannot update anything from MS or IE. I got Spybot and MBAM updated and they both unloaded a bunch of stuff. The current state is that something is loading that shows as one of the svchost.exe on taskmgr, and if I let it run it just keeps getting bigger and using more of the CPU, and in less than an hour almost nothing will work. I 'end process' every 5 or 10 minutes. The DDS file is from last night, but the computer has been off the whole time. This is a Dell Dimension 4700 using Windows XP. About a year ago I installed Norton from Comcast and maxed out the memory and added a 1 TB H/D. It is only 4 or 5 years old. I have been unable to zip the DDS file, so if you want it that way you will have to teach an old dog a new trick. Thanks again, Harold


    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
    Run by Owner at 23:21:06 on 2012-03-13
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1534 [GMT -7:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\WINDOWS\system32\svchost.exe -k HPService
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = https://accounts.google.com/ServiceL...t&ltmplcache=2
    uInternet Settings,ProxyOverride = <local>
    uURLSearchHooks: H - No File
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [mshkb] c:\documents and settings\all users\mshkb.exe
    uRun: [msixml] c:\documents and settings\owner\application data\msixml.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [<NO NAME>]
    mRun: [mshkb] c:\documents and settings\all users\mshkb.exe
    mRun: [msixml] c:\documents and settings\owner\application data\msixml.exe
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    dRun: [mshkb] c:\documents and settings\all users\mshkb.exe
    dRun: [msixml] %APPDATA%\msixml.exe
    dRun: [dplaysvr] %APPDATA%\dplaysvr.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
    DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/dcode/ActiveX/MSDcode.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1274922930406
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1275519197843
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    TCP: Interfaces\{F549F4DD-4793-4423-939D-F5ED184B6743} : DhcpNameServer = 75.75.75.75 75.75.76.76
    Notify: igfxcui - igfxdev.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    Hosts: 94.228.209.244 www.google-analytics.com.
    Hosts: 94.228.209.244 ad-emea.doubleclick.net.
    Hosts: 94.228.209.244 www.statcounter.com.
    Hosts: 178.250.45.15 www.google-analytics.com.
    Hosts: 178.250.45.15 ad-emea.doubleclick.net.
    .
    Note: multiple HOSTS entries found. Please refer to Attach.txt
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165648]
    R1 MpKsle76f9acf;MpKsle76f9acf;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{604f47c5-e959-421b-bcb1-c9ae2520094c}\MpKsle76f9acf.sys [2012-3-13 29904]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-12 14336]
    .
    =============== Created Last 30 ================
    .
    2012-03-14 05:55:10 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{604f47c5-e959-421b-bcb1-c9ae2520094c}\MpKsle76f9acf.sys
    2012-03-14 05:20:32 -------- d-----w- c:\windows\system32\LogFiles
    2012-03-14 05:19:49 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{604f47c5-e959-421b-bcb1-c9ae2520094c}\offreg.dll
    2012-03-14 04:01:46 6552120 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{604f47c5-e959-421b-bcb1-c9ae2520094c}\mpengine.dll
    2012-03-13 22:42:12 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2012-03-13 22:42:12 -------- d-----w- c:\windows\system32\wbem\Repository
    2012-03-12 01:52:39 72216 ----a-w- c:\documents and settings\owner\application data\msixml.exe
    2012-03-12 01:10:02 -------- d-----w- c:\documents and settings\owner\application data\comcasttb
    2012-03-11 23:11:29 72216 ----a-w- c:\documents and settings\all users\mshkb.exe
    .
    ==================== Find3M ====================
    .
    2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
    2011-12-16 12:22:58 385024 ------w- c:\windows\system32\html.iec
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD400BD-75JMA0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-18
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8982F49F]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89836740]; MOV EAX, [0x898368b4]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89DCCAB8]
    3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89670030]
    \Driver\atapi[0x898765F0] -> IRP_MJ_CREATE -> 0x8982F49F
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8982F2C6
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 23:23:09.73 ===============
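    The indicators diver79 acts on in the next reply are already visible in this log: autostart entries (mshkb, msixml, dplaysvr) that run executables from the user profile instead of Program Files or the Windows directory, HOSTS entries that send analytics and ad domains to two remote addresses rather than to loopback, and a Gmer-reported DriverStartIo hook on \Driver\atapi. As an added example, not part of the original post and not DDS or Gmer code, the Python script below parses those three kinds of lines from DDS/Gmer output and flags them. The sample input is copied from the log above plus one constructed benign HOSTS line as a control; the path heuristic (profile directories and %APPDATA% are suspicious autostart locations) is the example author's assumption, not something DDS reports.

```python
import ipaddress
import re
from typing import Iterator, List, NamedTuple, Optional, Tuple

# Sample input: lines copied from the DDS/Gmer log posted above, plus one
# constructed benign HOSTS line (127.0.0.1 localhost) as a control.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [mshkb] c:\documents and settings\all users\mshkb.exe
uRun: [msixml] c:\documents and settings\owner\application data\msixml.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [<NO NAME>]
mRun: [mshkb] c:\documents and settings\all users\mshkb.exe
dRun: [msixml] %APPDATA%\msixml.exe
dRun: [dplaysvr] %APPDATA%\dplaysvr.exe
Hosts: 94.228.209.244 www.google-analytics.com.
Hosts: 178.250.45.15 ad-emea.doubleclick.net.
Hosts: 127.0.0.1 localhost
detected hooks:
\Driver\atapi DriverStartIo -> 0x8982F2C6
"""

# DDS prefixes: uRun = HKCU, mRun = HKLM, dRun = the Default User hive.
RUN_RE = re.compile(r"^([umd])Run:\s*\[([^\]]*)\]\s*(.*)$")
# First token that looks like an executable, quoted or not; arguments are dropped.
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|com|scr|bat|cmd|vbs|js))"?', re.IGNORECASE)
HOSTS_RE = re.compile(r"^Hosts:\s*(\S+)\s+(\S+)")
# Gmer "detected hooks" line: \Driver\<name> <field> -> <address>
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s+(\w+)\s+->\s+(0x[0-9A-Fa-f]+)$")

SCOPE_NAMES = {"u": "HKCU", "m": "HKLM", "d": "Default User"}

# Heuristic (author's assumption, not DDS logic): legitimate autostarts on XP
# almost always live under Program Files or the Windows directory; malware that
# runs without admin rights drops into the profile instead.
USER_WRITABLE_MARKERS = (
    "%appdata%", "%userprofile%", "%temp%", "%tmp%",
    "\\documents and settings\\", "\\local settings\\", "\\temp\\",
)

class RunEntry(NamedTuple):
    scope: str
    name: str
    path: Optional[str]  # None when the Run value is empty

class Finding(NamedTuple):
    kind: str
    detail: str

def _lines(text: str) -> Iterator[str]:
    for line in text.splitlines():
        s = line.strip()
        if s:
            yield s

def parse_run_entries(text: str) -> Iterator[RunEntry]:
    for s in _lines(text):
        m = RUN_RE.match(s)
        if m:
            scope, name, value = m.groups()
            exe = EXE_RE.match(value)
            yield RunEntry(SCOPE_NAMES[scope], name, exe.group(1).lower() if exe else None)

def parse_hosts_entries(text: str) -> Iterator[Tuple[str, str]]:
    for s in _lines(text):
        m = HOSTS_RE.match(s)
        if m:
            ip, host = m.groups()
            yield ip, host.rstrip(".").lower()  # DDS prints names with a trailing dot

def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)

def flagged_autostarts(text: str) -> List[Finding]:
    out = []
    for e in parse_run_entries(text):
        if e.path is None:
            out.append(Finding("empty-run-value", f"{e.scope} [{e.name}] has no command"))
        elif is_user_writable(e.path):
            out.append(Finding("profile-autostart", f"{e.scope} [{e.name}] -> {e.path}"))
    return out

def hijacked_hosts(text: str) -> List[Finding]:
    """HOSTS lines that send a name to a remote address. Loopback, unspecified
    and RFC 1918 targets are blocking or LAN aliases and are left alone."""
    out = []
    for ip_text, host in parse_hosts_entries(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue
        if ip.is_loopback or ip.is_unspecified or ip.is_private or host == "localhost":
            continue
        out.append(Finding("hosts-redirect", f"{host} -> {ip}"))
    return out

def kernel_hooks(text: str) -> List[Finding]:
    """Gmer hook lines; any hooked driver dispatch pointing outside a known module is worth a look."""
    return [Finding("driver-hook", f"{drv} {field} -> {addr}")
            for drv, field, addr in (m.groups() for m in map(HOOK_RE.match, _lines(text)) if m)]

def triage(text: str) -> List[Finding]:
    return flagged_autostarts(text) + hijacked_hosts(text) + kernel_hooks(text)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:18} {f.detail}")
```

    Run it on a saved log with `triage(open("DDS.txt").read())`. A HOSTS entry that maps a name to 127.0.0.1 or 0.0.0.0 is ordinary ad blocking and is deliberately not flagged; mapping the same name to a public IP means every request for it goes to that address instead, which is the pattern in Harold's log. The empty `[<NO NAME>]` Run value is reported separately because it is harmless on its own but is the kind of leftover worth deleting during cleanup.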

  #2 Senior Member (Ireland, joined Feb 2012, 176 posts)


    Hi, and welcome to Safer-Networking. Sorry for any delay in answering your request for help; the forum is really busy.
    My name is Diver79, and I will be helping you with your malware problems.

    Before we start please note the following important guidelines.
    • The instructions given are for THIS computer only! Using these instructions on a different computer can make it inoperable!
    • Please DO NOT run any other software or scans whilst I am helping you.


    Note: If you haven't done so already, please ensure you have read the following article, "BEFORE You POST" (Please read this Procedure Before Requesting Assistance), where the conditions for receiving help here are explained.
    Quote (originally posted by diver79):
    Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
    Because of this, I advise you to back up any personal files and folders before you start.
    How do I backup my files and folders in XP?
    How to backup your data - Vista/Win7

    Looking into your logs now. Will post instructions soon...

    diver79.
    Proud Graduate of the MalWare Removal University

  #3 Senior Member (Ireland, joined Feb 2012, 176 posts)


    Hi Harold,

    I'm afraid I have some bad news...

    Your computer has a dangerous Rootkit infection. A rootkit is a set of software tools intended for concealing running processes, files or system data from the operating system.

    You are strongly advised to do the following:

    • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
    • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
    • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
    • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).


    DO NOT change your passwords from this computer, as the attacker will be able to get all the new passwords and transaction records.

    Due to its rootkit functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

    To help you understand more, please take some time to read the following articles:

    What are rootkits from Wikipedia
    How do I respond to a possible identity theft and how do I prevent it
    When should I do a reformat and reinstallation of my OS
    How to backup your files in Windows XP

    Should you have any questions please feel free to ask.

    Please let us know what you have decided to do in your next post.

  #4 Member (Fresno, joined Jan 2009, 61 posts)


    Diver79, hi; this might be very easy. This computer has two hard drives, a 20 gig and a 1 TB; everything is on the 20 gig, and my buddy is mailing me the discs that came with it. I will just trash the 20 gig and re-install on the big one. I have never done that, but there is a first time for everything. Then I reread what you said: will formatting get rid of it? Did I mention that I am really old and these things come hard for me?
    Now the possible problem. The Dell has been hooked up to the internet through my little home system router using wires. I prefer wires when I can, and so when I plugged it in it was hooked up with my two desktops. I see no symptoms yet except an svchost.exe that I had not noticed before. It is not growing, so I am not worried. I am currently using another computer and have been keeping Mike's Dell turned off; should I be worried? I use Norton from Comcast, set to update as it sees the need. MS updates are done the same, except it tells me and I D/L and install myself, but still done right away. Mike (the dummy) uninstalled the Norton I installed because 'it was too much trouble'.
    When I saw it uploading stuff I called him and told him to change all passwords at all banks and credit cards. I will tell him again.
    Tell me what you think I should do. Thanks, Harold

  #5 Senior Member (Ireland, joined Feb 2012, 176 posts)


    Hi Harold,

    Yes, reformatting will get rid of it completely. There is a guide that will help you here.

    Have a read over it, if you do not feel comfortable with it, I can attempt to remove the infection.

    I must stress that if we attempt removal you should never fully trust the machine with bank details, etc., because we do not know what damage the infection has done. The only way you can trust this machine is to format and re-install.

    I do not think there is cause to be worried about the other computer. Although svchost can be a target for infections, it also hosts many legitimate services. I would expect to see some symptoms if it were infected.

    You can post the issue as a new topic to get confirmation if you like.

    Let me know how you would like to proceed.

    diver79.
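    diver79's point that svchost hosts many legitimate services is correct, and it is also why svchost is a convenient name to hide behind: the process name alone tells you nothing, and the bare `svchost.exe` entries in Harold's DDS process list (no path shown) are not evidence either way. What separates a genuine XP instance from a look-alike is where it runs from (%SystemRoot%\system32), who started it (services.exe) and the `-k <group>` on its command line. As an added example, not part of the thread, here is a Python audit of process data in the CSV layout that `wmic process where "name='svchost.exe' or name='services.exe'" get Name,ProcessId,ParentProcessId,ExecutablePath,CommandLine /format:csv` produces (if wmic is not present on that edition of XP, Process Explorer shows the same three fields and the rows can be typed into the same layout). The host name, all PIDs and the final rogue row are constructed; the -k groups are the ones visible in the DDS process list above. Caveat: code injected into a genuine svchost passes all three checks, and for that case the Gmer hook in Harold's log, not the process list, is the evidence.

```python
import csv
import io
from typing import Dict, List, NamedTuple, Optional

# Constructed sample in the column layout that
#   wmic process where "name='svchost.exe' or name='services.exe'"
#        get Name,ProcessId,ParentProcessId,ExecutablePath,CommandLine /format:csv
# produces (wmic sorts columns alphabetically and prefixes Node). The host name,
# all PIDs and the final rogue row are invented for this example.
SAMPLE_WMIC_CSV = r"""
Node,CommandLine,ExecutablePath,Name,ParentProcessId,ProcessId
DELL4700,C:\WINDOWS\system32\services.exe,C:\WINDOWS\system32\services.exe,services.exe,652,696
DELL4700,C:\WINDOWS\system32\svchost -k DcomLaunch,C:\WINDOWS\system32\svchost.exe,svchost.exe,696,868
DELL4700,C:\WINDOWS\system32\svchost -k rpcss,C:\WINDOWS\system32\svchost.exe,svchost.exe,696,936
DELL4700,C:\WINDOWS\System32\svchost.exe -k netsvcs,C:\WINDOWS\system32\svchost.exe,svchost.exe,696,1012
DELL4700,C:\WINDOWS\System32\svchost.exe -k HPZ12,C:\WINDOWS\system32\svchost.exe,svchost.exe,696,1240
DELL4700,C:\Documents and Settings\Owner\Application Data\svchost.exe,C:\Documents and Settings\Owner\Application Data\svchost.exe,svchost.exe,1588,2244
"""

class ProcessRow(NamedTuple):
    pid: int
    ppid: int
    name: str
    path: str
    cmdline: str

def parse_wmic_csv(text: str) -> List[ProcessRow]:
    """Parse already-decoded wmic CSV text (wmic itself writes UTF-16 with a leading blank line)."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return [
        ProcessRow(int(r["ProcessId"]), int(r["ParentProcessId"]),
                   r["Name"].lower(), r["ExecutablePath"], r["CommandLine"])
        for r in reader
    ]

def service_group(cmdline: str) -> Optional[str]:
    """Name after -k (e.g. 'netsvcs'), or None if the command line carries no group."""
    parts = cmdline.split()
    for i, tok in enumerate(parts):
        if tok.lower() == "-k" and i + 1 < len(parts):
            return parts[i + 1]
    return None

def audit_svchost(rows: List[ProcessRow], system_root: str = r"C:\WINDOWS") -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for every svchost.exe that fails a genuineness check.
    Heuristics (author's assumption): real instances run from system32, are
    children of services.exe and carry a -k service group."""
    services_pids = {r.pid for r in rows if r.name == "services.exe"}
    expected = (system_root + r"\system32\svchost.exe").lower()
    problems: Dict[int, List[str]] = {}
    for r in rows:
        if r.name != "svchost.exe":
            continue
        reasons = []
        if r.path.lower() != expected:
            reasons.append(f"runs from {r.path}")
        if r.ppid not in services_pids:
            reasons.append(f"parent PID {r.ppid} is not services.exe")
        if service_group(r.cmdline) is None:
            reasons.append("no -k service group on the command line")
        if reasons:
            problems[r.pid] = reasons
    return problems

if __name__ == "__main__":
    rows = parse_wmic_csv(SAMPLE_WMIC_CSV)
    for r in rows:
        if r.name == "svchost.exe":
            print(f"PID {r.pid:5} group={service_group(r.cmdline) or '-':12} {r.path}")
    for pid, reasons in audit_svchost(rows).items():
        print(f"SUSPECT PID {pid}: " + "; ".join(reasons))
```

    The group name is printed for every instance because it is what makes a CPU-hungry svchost actionable: once you know the `-k` group, `tasklist /svc` shows which services it hosts, and stopping them one at a time narrows down the culprit far better than killing the process every few minutes.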

  #6 Member (Fresno, joined Jan 2009, 61 posts)


    Hi, again; I am afraid this thread will go dead before dipstick gets me the discs. If so, I will start a new one when they get here. Should I try a format and reinstall first, before I contact you? Either way I will let you know how I fare. Thanks for the link, saves Google the work. Thanks again, Harold.

  #7 Member (Fresno, joined Jan 2009, 61 posts)


    Well, darn; my other computer, an old Sony (that I love dearly), has found a problem: Norton quarantined a trojan, maljava. Should I ignore it or start a new thread? Harold

  #8 Senior Member (Ireland, joined Feb 2012, 176 posts)


    Hi Harold,

    Apologies for the delay. Yes, you will need to open a separate topic for this problem.

    This computer may have a recovery program that will allow you to restore the computer to factory settings without the disk. Can you run DDS again and post the contents of Attach.txt? This log will show the list of installed programs; one of these may allow us to wipe the machine without the disk.

    diver79.

  #9 Member (Fresno, joined Jan 2009, 61 posts)


    Diver79, Hi; Here is that file. Tell me what to do next. Thanks again, Harold

  #10 Senior Member (Ireland, joined Feb 2012, 176 posts)


    Hi Harold,

    Unfortunately you will need the installation disk to re-install Windows. I can see no recovery partition installed that would allow this without the disk.

    Feel free to open another post if you need help with the installation.

    Good luck with it, I'm sure you will do fine!

    diver79.
