Old 10-19-2009, 07:48 PM   #1 (permalink)
Registered User
 
Join Date: Jul 2005
Location: Phoenix AZ
Posts: 51
OS: XP Pro


My PC seems possessed

Everything seems to run okay, no redirects. But, I just see strange system type pop ups every once in a while saying certain portions of the Windows Console are not working.

Norton does not detect anything as always.

I do not have a backup disk, just the partition on my PC which I originally made.

Thank you for the help.


DDS (Ver_09-10-13.01) - NTFSx86
Run by Mike at 18:28:52.87 on Fri 10/02/2009
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.2008 [GMT -7:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\RtHDVCpl.exe
C:\hp\support\hpsysdrv.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Mike\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyServer = socks=
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autorun=AUTORUN
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Vidalia] "c:\program files\vidalia bundle\vidalia\vidalia.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [<NO NAME>]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\mike\appdata\roaming\mozilla\firefox\profiles\8hujgpko.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1361345&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - The Pirate Bay Customized Web Search
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -

============= SERVICES / DRIVERS ===============

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20090923.001\IDSvix86.sys [2009-10-2 272432]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-2 102448]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-2-19 41008]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S4 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2008-7-24 131616]

=============== Created Last 30 ================

2009-10-02 17:41 <DIR> --ds---- C:\ComboFix
2009-10-02 17:16 <DIR> --d----- c:\users\mike\appdata\roaming\uTorrent
2009-10-02 16:10 <DIR> --d----- c:\program files\Vidalia Bundle
2009-10-02 07:25 <DIR> --d----- c:\program files\Norton 360
2009-10-02 07:24 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-02 07:24 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-10-02 07:24 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-10-02 07:24 <DIR> --d----- c:\program files\Symantec
2009-10-01 19:48 <DIR> --d----- c:\windows\system32\vi-VN
2009-10-01 19:48 <DIR> --d----- c:\windows\system32\eu-ES
2009-10-01 19:48 <DIR> --d----- c:\windows\system32\ca-ES
2009-10-01 19:40 <DIR> --d----- c:\windows\system32\EventProviders
2009-09-25 09:41 90,112 a------- c:\windows\system32\dpl100.dll
2009-09-25 09:41 856,064 a------- c:\windows\system32\divx_xx0c.dll
2009-09-25 09:41 856,064 a------- c:\windows\system32\divx_xx07.dll
2009-09-25 09:41 847,872 a------- c:\windows\system32\divx_xx0a.dll
2009-09-25 09:41 843,776 a------- c:\windows\system32\divx_xx16.dll
2009-09-25 09:41 839,680 a------- c:\windows\system32\divx_xx11.dll
2009-09-25 09:41 696,320 a------- c:\windows\system32\DivX.dll
2009-09-18 18:58 1,259,008 a------- c:\windows\system32\lsasrv.dll
2009-09-18 18:58 499,712 a------- c:\windows\system32\kerberos.dll
2009-09-18 18:58 175,104 a------- c:\windows\system32\wdigest.dll
2009-09-18 18:58 439,864 a------- c:\windows\system32\drivers\ksecdd.sys
2009-09-18 18:58 270,848 a------- c:\windows\system32\schannel.dll
2009-09-18 18:58 72,704 a------- c:\windows\system32\secur32.dll
2009-09-18 18:58 9,728 a------- c:\windows\system32\lsass.exe
2009-09-10 09:08 <DIR> --d----- c:\programdata\McAfee Security Scan
2009-09-10 09:08 <DIR> --d----- c:\progra~2\McAfee Security Scan
2009-09-10 09:07 <DIR> --d----- c:\programdata\NOS
2009-09-02 19:42 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-09-02 19:42 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll

==================== Find3M ====================

2009-10-02 15:29 143,360 a------- c:\windows\inf\infstrng.dat
2009-10-02 15:29 86,016 a------- c:\windows\inf\infstor.dat
2009-10-02 15:29 51,200 a------- c:\windows\inf\infpub.dat
2009-10-01 19:48 665,600 a------- c:\windows\inf\drvindex.dat
2009-10-01 10:29 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-09-14 02:29 144,896 a------- c:\windows\system32\drivers\srv2.sys
2009-09-10 09:48 218,624 a------- c:\windows\system32\msv1_0.dll
2009-09-04 04:41 60,928 a------- c:\windows\system32\msasn1.dll
2009-08-28 19:30 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 19:30 458,752 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-28 19:30 2,159,616 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 19:30 542,720 a------- c:\windows\apppatch\AcLayers.dll
2009-08-27 06:29 78,336 a------- c:\windows\system32\ieencode.dll
2009-08-27 05:40 834,048 a------- c:\windows\system32\wininet.dll
2009-08-14 09:27 904,776 a------- c:\windows\system32\drivers\tcpip.sys
2009-08-14 08:53 17,920 a------- c:\windows\system32\netevent.dll
2009-08-14 06:49 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-08-14 06:49 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-08-14 06:49 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-08-14 06:49 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-08-14 06:49 19,968 a------- c:\windows\system32\ARP.EXE
2009-08-14 06:49 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-08-14 06:49 10,240 a------- c:\windows\system32\finger.exe
2009-08-14 06:48 30,720 a------- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 06:48 105,984 a------- c:\windows\system32\netiohlp.dll
2009-08-04 05:34 3,600,456 a------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 05:34 3,548,216 a------- c:\windows\system32\ntoskrnl.exe
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 06:54 71,680 a------- c:\windows\system32\atl.dll
2009-07-15 05:40 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-07-15 05:39 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-07-15 05:39 4,096 a------- c:\windows\system32\dxmasf.dll
2009-07-15 05:39 7,680 a------- c:\windows\system32\spwmp.dll
2009-07-11 12:01 513,536 a------- c:\windows\system32\wlansvc.dll
2009-07-11 12:01 302,592 a------- c:\windows\system32\wlansec.dll
2009-07-11 12:01 293,376 a------- c:\windows\system32\wlanmsm.dll
2009-07-11 12:01 65,024 a------- c:\windows\system32\wlanapi.dll
2009-07-11 10:03 127,488 a------- c:\windows\system32\L2SecHC.dll
2009-07-02 09:17 87,608 a------- c:\users\mike\appdata\roaming\inst.exe
2009-07-02 09:17 47,360 a------- c:\users\mike\appdata\roaming\pcouffin.sys
2008-01-20 19:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 18:29:48.57 ===============
Attached Files
File Type: zip ark.zip (388 Bytes, 1 views)
File Type: zip Attach.zip (2.4 KB, 2 views)
samson_419 is offline  

Old 10-20-2009, 07:53 AM   #2 (permalink)
Registered User
 
Join Date: Jul 2005
Location: Phoenix AZ
Posts: 51
OS: XP Pro


Re: My PC seems possessed

Also, I forgot to mention in my original post: the thing that gets me the most is that sometimes my PC will not go into standby on its own. Or it will just wake up randomly. I know that can't be good.
samson_419 is offline  
Old 10-22-2009, 07:27 AM   #3 (permalink)
Registered User
 
Join Date: Jul 2005
Location: Phoenix AZ
Posts: 51
OS: XP Pro


Re: My PC seems possessed

Bump. . . . . Anyone? :)
samson_419 is offline  
Old 10-22-2009, 09:21 PM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,921
OS: WinXP and Vista


Re: My PC seems possessed

Hello samson_419,

Quote:
saying certain portions of the Windows Console are not working
Please provide as much detail as you can about this.
  • What are you doing when this occurs?
  • What is the exact error message - what portion of Windows Console is not working?
  • How long ago did this start?
  • Who advised you to run ComboFix?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 10-23-2009, 09:04 AM   #5 (permalink)
Registered User
 
Join Date: Jul 2005
Location: Phoenix AZ
Posts: 51
OS: XP Pro


Re: My PC seems possessed

Quote:
Originally Posted by Ried View Post
Hello samson_419,

Please provide as much detail as you can about this.
  • What are you doing when this occurs?
  • What is the exact error message - what portion of Windows Console is not working?
  • How long ago did this start?
  • Who advised you to run ComboFix?

At this point I really don't know what has been run on my PC since I am not the only user.

Nothing seems too out of the ordinary now.

It's just random things, nothing has happened since I put up this post. Except when I started Firefox today somehow Ask toolbar was installed and I know for a fact no one installed it.
samson_419 is offline  
Old 10-23-2009, 10:48 AM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,921
OS: WinXP and Vista


Re: My PC seems possessed

With the use of utorrent and apparent penchant for pirated software, anything could have installed that.

You would be well advised to reconsider the surfing and downloading habits of all who have use of this computer. As long as these types of activities continue, your system is a beacon for malware.

Please take the time to educate yourself and anyone else using this PC about the Perils of P2P File Sharing as well as the use of Cracked/Illegal Software.
Ried is offline  
Old 10-23-2009, 11:02 AM   #7 (permalink)
Registered User
 
Join Date: Jul 2005
Location: Phoenix AZ
Posts: 51
OS: XP Pro


Re: My PC seems possessed

I've been thinking about that a bit... But these are the risks I run with my PC. I just try to keep it as clean as possible.
samson_419 is offline  
Old 10-23-2009, 11:09 AM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,921
OS: WinXP and Vista


Re: My PC seems possessed

Knowing the risks, and engaging in illegal activity, you may find that free assistance from forums such as this may be hard to come by.

This thread shall be closed.
Ried is offline  