seneka, ndler2, browser hijack at Google
Standalone Dell Dimension 4700 running XP SP2 with cable connection to Internet. 2.8 GHz Pentium processor, 512 MB RAM, 70 and 20 GB hard drives. Email programs used are Outlook Express and Thunderbird. Browsers most used are Opera and Firefox, IE rarely. Symptoms follow.
Processes with random-string filenames sporadically start in Task Manager and proceed to continuously use 40-50% of processing power. Also sometimes it's a cmd.exe that does this. Other times it's ndler2.exe.
Similarly-named processes sporadically seek Internet access, as I am informed by McAfee Personal Firewall.
Clicks on search results from Google yield completely other sites than what's listed.
Sluggishness in machine function, including network responsivity.
Machine has shut itself down on two or three occasions in the last couple days.
I've been hacking around at this myself and am usually pretty careful not to go beyond what I understand, but this thing is obviously beyond my skill level and weariness is setting in. I was considering a whole new installation until I started reading about ComboFix and your assistance program. Have spent most of the afternoon reading thread 360536 Vundo!grb-trojan-keeps-coming-back. I must be a geek at heart since I found it pretty engaging reading, like a mystery novel (sort of :-).
Anyway, it looks like there's a lot of need out there. Hope somebody can get to me soon. Thanks. Day
DDS (Ver_09-03-16.01) - NTFSx86
Run by Dee Huston at 16:19:49.92 on Tue 04/07/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.502.244 [GMT -7:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\snmptrap.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\dmadmin.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Neuber TaskMan\TaskMan.exe
C:\Program Files\Opera9\Opera.exe
C:\Documents and Settings\Dee Huston\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
BHO: {1cd2be82-4e6a-4dec-bb98-922291e73c39} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {b7859779-7635-4d0d-879c-62f32cfdbfdc} - No File
mRun: [MPFEXE] "c:\program files\mcafee.com\personal firewall\MPFTray.exe"
dRun: [InetChk] c:\windows\temp\ms1239146156.exe work
dRun: [Java Syncro] c:\documents and settings\networkservice\local settings\application data\zchMiB.exe
dRun: [WinProx32_1] c:\documents and settings\networkservice\application data\psvrr.exe
dRun: [nDler2] \\?\globalroot\systemroot\system32\nDler2.exe
dRunOnce: [RunNarrator] Narrator.exe
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230311704718
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\dejidono.dll
LSA: Notification Packages = scecli c:\windows\system32\dejidono.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\deehus~1\applic~1\mozilla\firefox\profiles\ek174873.default\
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
============= SERVICES / DRIVERS ===============
S1 AEC671X;AEC671X;c:\windows\system32\drivers\aec671x.sys [2008-5-23 12128]
S1 DMX3191;DMX3191;c:\windows\system32\drivers\dmx3191.sys [2008-5-23 17540]
S2 UDNT;UDNT;c:\windows\system32\drivers\udnt.sys [2008-7-9 76260]
S4 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2005-10-21 126976]
S4 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2005-10-21 122368]
S4 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-9-6 245760]
S4 MemeoBackgroundService;MemeoBackgroundService;c:\program files\wd\wd anywhere backup\MemeoBackgroundService.exe [2008-7-10 25824]
============== File Associations ===============
regfile\shell\edit\command="c:\program files\textpad\TXTPAD32.EXE" "%1"
=============== Created Last 30 ================
2009-04-07 16:15 83,456 a------- c:\windows\system32\krbclick1.exe
2009-04-07 14:51 155 a------- c:\windows\system32\SelfDel.bat
2009-04-07 14:51 84,045 a------- c:\windows\system32\ftp_non_crp.exe
2009-04-07 02:18 310 a------- C:\boot.in_
2009-04-06 04:27 66 a------- c:\windows\wininit.ini
2009-04-06 02:06 0 a------- C:\CEPxAC83.tmp
2009-04-06 00:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2009-04-06 00:58 <DIR> --d----- c:\program files\Neuber TaskMan
2009-04-05 13:39 20,480 a------- c:\windows\system32\nDler2.exe
2009-04-05 00:59 <DIR> --d----- C:\_virus-related
2009-04-04 23:52 229,584 a------- C:\boot.ini - vlaurie.com^computers2^Articles^bootini.htm.pdf
2009-04-03 12:05 <DIR> --d----- c:\docume~1\deehus~1\applic~1\WD
2009-04-03 12:05 <DIR> --ds---- c:\docume~1\alluse~1\applic~1\WD
2009-04-03 12:05 <DIR> --d----- c:\program files\common files\eSellerate
2009-04-03 12:05 <DIR> --d----- c:\program files\WD
2009-04-03 11:49 <DIR> --d----- c:\program files\Western Digital
2009-04-01 14:45 2,148 a------- c:\windows\system32\wpa.dbl
2009-04-01 14:45 33,024 a------- c:\windows\system32\Status.MPF
2009-03-23 13:01 <DIR> --d----- c:\docume~1\deehus~1\applic~1\STOIK
2009-03-21 02:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-03-21 02:48 <DIR> --d----- c:\program files\AVS4YOU
2009-03-21 02:38 <DIR> --d----- c:\program files\mp3DirectCut
==================== Find3M ====================
============= FINISH: 16:20:09.15 ===============
Several symptoms I forgot to mention:
On bootup, transient blocks of solid color show up on the right and left ends of the taskbar.
Dragged objects (including scroll bars) get hung and the pointer loses them.
Files saved with the name seneka*.* are saved but are invisible to Windows Explorer.
The browser Back arrow is taking three clicks to work.
Last edited by amateur; 04-08-2009 at 05:29 AM.
Reason: to retain 0-reply status
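The Pseudo HJT section of the log above carries the persistence indicators a helper reads by eye: dRun values launching executables out of %TEMP% and a service account's profile directories, one launched through the \\?\globalroot object-manager namespace, a populated AppInit_DLLs value (loaded into every user-mode process that links user32), the same DLL registered as an LSA notification package (loaded into lsass.exe at boot), two Trusted Zone additions, and a policy that disables Task Manager. The script below is an added example written for this page; it is not part of the original post and not DDS's own code. It encodes those checks as rules run over lines copied from the posted log. The rule names, severities and the hypothetical Finding type are choices made here, and the u/m/d prefix on a Run line is treated only as a label (DDS uses it for the current-user, machine and default hives).

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for persistence red flags.

Added example, not from the original post or the DDS tool. Rules:
  - Run/RunOnce values whose command lives in a temp or profile directory,
    or is reached through \\?\globalroot (object-manager path, unusual for
    a legitimate Run value)                               -> high
  - non-empty AppInit_DLLs (injected into every GUI process) -> high
  - LSA Notification Packages beyond the default scecli    -> high
  - Trusted Zone additions                                 -> medium
  - DisableTaskMgr policy set                              -> medium
  - BHO entry with no backing file (orphan, clean-up only) -> low
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: lines copied from the DDS log posted above, reduced to the
# interesting ones plus two benign entries to show that they are not flagged.
SAMPLE_REPORT = r"""
mRun: [MPFEXE] "c:\program files\mcafee.com\personal firewall\MPFTray.exe"
dRun: [InetChk] c:\windows\temp\ms1239146156.exe work
dRun: [Java Syncro] c:\documents and settings\networkservice\local settings\application data\zchMiB.exe
dRun: [WinProx32_1] c:\documents and settings\networkservice\application data\psvrr.exe
dRun: [nDler2] \\?\globalroot\systemroot\system32\nDler2.exe
dRunOnce: [RunNarrator] Narrator.exe
dPolicies-system: DisableTaskMgr = 1 (0x1)
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
AppInit_DLLs: c:\windows\system32\dejidono.dll
LSA: Notification Packages = scecli c:\windows\system32\dejidono.dll
BHO: {1cd2be82-4e6a-4dec-bb98-922291e73c39} - No File
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (labels chosen for this example)
    rule: str
    line: str


# Locations a Run value should not normally point into, plus the globalroot prefix.
SUSPICIOUS_PATH = re.compile(
    r"\\temp\\|\\local settings\\|\\application data\\|\\networkservice\\|\\\\\?\\globalroot",
    re.IGNORECASE,
)
# DDS Run line shape: <hive-prefix>Run or RunOnce, then [value name], then the command.
RUN_LINE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def triage(report: str) -> list[Finding]:
    """Return one Finding per report line that trips a rule, in report order."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_LINE.match(line)
        if m:
            if SUSPICIOUS_PATH.search(m.group("cmd")):
                findings.append(Finding("high", "run-value-in-temp-profile-or-globalroot", line))
            continue
        if line.startswith("AppInit_DLLs:"):
            if line.split(":", 1)[1].strip():
                findings.append(Finding("high", "appinit-dll-present", line))
            continue
        if line.startswith("LSA: Notification Packages"):
            # DDS prints the packages space-separated; scecli is the Windows default.
            packages = line.split("=", 1)[1].split()
            if any(p.lower() != "scecli" for p in packages):
                findings.append(Finding("high", "extra-lsa-notification-package", line))
            continue
        if line.startswith("Trusted Zone:"):
            findings.append(Finding("medium", "trusted-zone-addition", line))
            continue
        if "DisableTaskMgr = 1" in line:
            findings.append(Finding("medium", "task-manager-disabled-by-policy", line))
            continue
        if line.startswith("BHO:") and line.endswith("- No File"):
            findings.append(Finding("low", "orphaned-bho-entry", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 6, 'medium': 3, 'low': 1}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_REPORT)
    for f in results:
        print(f"[{f.severity:>6}] {f.rule}: {f.line}")
    print(summarize(results))
```

On the posted log this flags all four dRun entries, the AppInit_DLLs value, the LSA line, both Trusted Zone hosts and the DisableTaskMgr policy, leaves the McAfee tray value and the RunNarrator entry alone, and reports the three file-less BHOs as clean-up items only. The path rules are deliberately narrow; a Run value pointing at a random name directly under system32 (as nDler2.exe also is in the Created Last 30 section) would not be caught by path alone and still needs the file itself examined.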