Stubborn Malware or Virus

Dean Morrow
2013-01-02, 02:33
Hello, and thanks for having a look at my problem.

Recently my main PC, a Gateway laptop running Vista Home 64, was having some hang problems when I right-clicked on external devices in "My Computer". Then 2 days ago the cursor became uncontrollable: right-clicking, left-clicking and moving in all directions when I touched the pad. After it froze up several times I had to do hard shutdowns, and when I started it up the last time it would no longer boot or go into repair mode.

I had made recovery discs and decided to install a new drive and recover the factory installation to it. All is good on that computer right now.

So I installed the old drive into an enclosure and moved it to a secondary laptop that I use mostly to save my GPS tracks to. I scanned the drive with AVG and all seemed okay. So I tried to transfer the files off of the old drive so I could move what I needed to the fresh computer. I started getting lots of errors, so I ran chkdsk /f /r on the old drive; it took 2 days, repaired a bunch of stuff and never finished step 5, "checking free space". I was able to transfer the files with less trouble but was still getting errors, although less frequently. I never finished getting all the files off because I started having problems with this secondary laptop.

The secondary laptop, an HP running XP Home, started acting sluggish and began showing links in websites where there are normally no links. Another scan resulted in a reboot. I ran Malwarebytes and AVG again without anything showing up. Windows stopped recognizing external USB storage for some reason, but this was fixed by unplugging the laptop and restarting.

I looked at Windows Task Manager and noticed Iexplore.exe running multiple instances and switching to different websites. None of this was visible except in Task Manager, and the CPU was running at 100 percent. I did a search and saw someone else used ComboFix, so I ran it without being advised, whoops. Iexplore.exe was now gone and the laptop was running better, but there were still some ads and hangs now and again. I'm now scanning with Avast, and I used aswMBR to scan the old drive only and it hung, so after trying everything I could think of to get it unstuck I did a hard shutdown.

I would really like to install the old drive back into the fresh computer so I could transfer files at will and find settings and bookmarks as I need them. Right now I have the old drive hooked up to this secondary computer via USB and an enclosure, and I'm not sure what is infected and what isn't.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Capt. Morrow at 16:14:21 on 2013-01-01
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1494 [GMT -8:00]
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
============== Running Processes ================
C:\Program Files\ArcGIS\License10.0\bin\lmgrd.exe
C:\Program Files\ArcGIS\License10.0\bin\lmgrd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ArcGIS\License10.0\bin\ARCGIS.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - <orphaned>
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1356998115890
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {B479199A-1242-4E3C-AD81-7F0DF801B4AE} - hxxp://download.microsoft.com/download/C/9/C/C9C3D86D-84AC-4AF0-8584-842756A66467/MicrosoftDownloadManager.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer =
TCP: Interfaces\{8210BBA5-25D0-4EEB-8993-730449E16DEB} : DHCPNameServer =
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
================= FIREFOX ===================
FF - ProfilePath - c:\documents and settings\capt. morrow\application data\mozilla\firefox\profiles\wnvb3uiv.default\
FF - plugin: c:\documents and settings\capt. morrow\application data\mozilla\firefox\profiles\wnvb3uiv.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\npMSDM.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_135.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2012-12-29 12:14; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - ExtSQL: 2012-12-31 16:00; {df592fe0-69ce-431a-98d0-12735c27194e}; c:\documents and settings\capt. morrow\application data\mozilla\firefox\profiles\wnvb3uiv.default\extensions\{df592fe0-69ce-431a-98d0-12735c27194e}.xpi
FF - ExtSQL: 2013-01-01 09:49; {e001c731-5e37-4538-a5cb-8168736a2360}; c:\documents and settings\capt. morrow\application data\mozilla\firefox\profiles\wnvb3uiv.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
FF - ExtSQL: 2013-01-01 14:32; wrc@avast.com; c:\program files\avast software\avast\webrep\FF
============= SERVICES / DRIVERS ===============
R0 IFP300;iRiver Internet Audio Player IFP-300;c:\windows\system32\drivers\ifp300.sys [2012-11-17 13543]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-1-1 361032]
R2 ArcGIS License Manager;ArcGIS License Manager;c:\program files\arcgis\license10.0\bin\lmgrd.exe [2008-11-6 1500424]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-1-1 21256]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-1-1 44808]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-1-1 738504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 grmn0200;grmn0200.Sys Garmin USB DCP driver (install);c:\windows\system32\drivers\grmn0200.sys [2010-3-6 23208]
S3 grmn1200;grmn0200.Sys Garmin USB DCP driver;c:\windows\system32\drivers\grmn1200.sys [2010-3-6 17448]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
=============== Created Last 30 ================
2013-01-01 22:31:40 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-01-01 22:30:46 41224 ----a-w- c:\windows\avastSS.scr
2013-01-01 22:30:17 -------- d-----w- c:\program files\AVAST Software
2013-01-01 22:30:17 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2013-01-01 17:49:05 -------- d-----w- c:\documents and settings\capt. morrow\application data\QuickScan
2013-01-01 00:14:33 -------- d-sha-r- C:\cmdcons
2013-01-01 00:12:16 98816 ----a-w- c:\windows\sed.exe
2013-01-01 00:12:16 256000 ----a-w- c:\windows\PEV.exe
2013-01-01 00:12:16 208896 ----a-w- c:\windows\MBR.exe
2012-12-31 05:06:58 65032 ----a-w- c:\windows\system32\XAPOFX1_0.dll
2012-12-31 05:05:43 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2012-12-31 05:03:33 -------- d--h--w- c:\windows\msdownld.tmp
2012-12-31 05:03:21 -------- d-----w- c:\windows\Logs
2012-12-30 22:39:59 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-30 22:39:59 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-30 21:30:38 -------- d-----w- c:\program files\VideoLAN
2012-12-30 21:29:51 -------- d-----w- c:\documents and settings\capt. morrow\application data\VLCMediaPlayerPackages
2012-12-30 21:29:35 -------- d-----w- c:\documents and settings\capt. morrow\local settings\application data\couponamazing
2012-12-30 17:13:17 -------- d-----w- c:\program files\CCleaner
2012-12-30 17:10:08 -------- d-----w- c:\documents and settings\capt. morrow\local settings\application data\Mozilla
2012-12-30 17:09:23 -------- d-----w- c:\documents and settings\capt. morrow\application data\Malwarebytes
2012-12-30 17:09:08 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-12-30 17:09:06 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-30 17:09:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-12-29 21:46:34 -------- d-----w- c:\documents and settings\all users\application data\Jeppesen Marine
2012-12-29 19:40:54 -------- d-----w- c:\program files\MSXML 4.0
2012-12-29 19:19:41 -------- d-----w- c:\documents and settings\capt. morrow\application data\TuneUp Software
2012-12-29 19:07:22 -------- d-----w- c:\documents and settings\capt. morrow\local settings\application data\Avg2013
2012-12-29 19:07:21 -------- d-----w- c:\documents and settings\capt. morrow\local settings\application data\MFAData
==================== Find3M ====================
2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35:34 385024 ----a-w- c:\windows\system32\html.iec
============= FINISH: 16:15:30.89 ===============

aswMBR version Copyright(c) 2011 AVAST Software
Run date: 2013-01-01 16:19:02
16:19:02.062 OS Version: Windows 5.1.2600 Service Pack 3
16:19:02.062 Number of processors: 1 586 0x408
16:19:02.062 ComputerName: BANK-A3121BD37D UserName: Capt. Morrow
16:19:06.140 Initialize success
16:19:08.562 AVAST engine defs: 13010101
16:19:47.453 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:19:47.468 Disk 0 Vendor: IC25N060ATMR04-0 MO3OAD5A Size: 57231MB BusType: 3
16:19:47.500 Disk 0 MBR read successfully
16:19:47.515 Disk 0 MBR scan
16:19:47.656 Disk 0 Windows XP default MBR code
16:19:47.671 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 57223 MB offset 63
16:19:47.718 Disk 0 scanning sectors +117194175
16:19:47.812 Disk 0 scanning C:\WINDOWS\system32\drivers
16:20:04.375 Service scanning
16:20:29.140 Modules scanning
16:20:41.703 Disk 0 trace - called modules:
16:20:41.781 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
16:20:41.796 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89dd8ab8]
16:20:42.343 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000073[0x89e549e8]
16:20:42.359 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x89de9940]
16:20:42.921 AVAST engine scan C:\WINDOWS
16:20:48.640 AVAST engine scan C:\WINDOWS\system32
16:24:18.000 AVAST engine scan C:\WINDOWS\system32\drivers
16:24:39.156 AVAST engine scan C:\Documents and Settings\Capt. Morrow
16:28:19.359 AVAST engine scan C:\Documents and Settings\All Users
16:28:51.062 Scan finished successfully
16:29:17.296 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Capt. Morrow\Desktop\MBR.dat"
16:29:17.312 The log file has been saved successfully to "C:\Documents and Settings\Capt. Morrow\Desktop\aswMBR.txt"