
System Being Hijacked



Old 12-17-2009, 11:00 AM   #1
Registered Member
 
Join Date: Sep 2009
Posts: 2
OS: XP Pro



Okay, I'm guilty. I used a bit torrent without p2p protection.
Using Spybot, Ad-Aware, and mostly Avast I think I have the worst of it. I normally use Firefox as my browser, but I randomly get Internet Explorer popping up. Often sending me to pay system cleaning sites, or the commonest hwwp://media2.tmlatn.com/images/defaults41/approved/404.html. Also, when I use Google and click on a given site, I do not get that site but rather a redirect to some cheesy search site. The majority of the time I can see hard disk activity and network activity on my machine even when I am not online or even using the computer.


The DDS file is


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 12:42:33.26 on Thu 12/17/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.200 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 091217-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\vghd\vghd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Ontrack\Fix-It\mxserver.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\vghd\VirtuaGirl_downloader.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = about:blank
BHO: {04af89d9-0ebd-4684-9653-cc964d1601dd} - c:\windows\system32\efsadu32.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [FreeRAM XP] "c:\program files\yourware solutions\freeram xp pro\FreeRAM XP Pro.exe" -win
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\deskto~1.lnk - c:\program files\vghd\vghd.exe
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
DPF: {0400ACA8-DF39-4D18-949C-064FC686AC6A} - hxxps://compass.act.org/eCompass/controls/EcompUtil.cab
DPF: {0536158A-D6A5-4B7B-9B01-D07BE56DF943} - hxxps://compass.act.org/EcompassSkin/servlets/eCOMPKernel.cab
DPF: {24D6F483-823D-11D6-909E-00105A1153A1} - hxxps://compass.act.org/eCompass/controls/Inventory.CAB
DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://intel-drv-cdn.systemrequirementslab.com/multi/bin/sysreqlab_srlx.cab
DPF: {3603C7A0-B0C4-4662-A6A1-C3A99E714488} - hxxps://compass.act.org/EcompassSkin/servlets/GTWebPreviewCA.CAB
DPF: {3B019360-AC08-4F12-8809-5929F914B09F} - hxxps://compass.act.org/eCompass/controls/GualalaAdapter.CAB
DPF: {47DD3A9C-470A-4E20-9D0D-16076E42D51A} - hxxps://compass.act.org/eCompass/controls/BinderAdapter.CAB
DPF: {48323DB0-D943-4773-8C8D-8DA3169290B8} - hxxps://compass.act.org/eCompass/controls/ActBrowser.cab
DPF: {4EA8D85B-4D12-4D3D-8674-8C5F88E913D0} - hxxps://compass.act.org/eCompass/controls/RegistryUpdate.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205160901821
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205160954274
DPF: {7F2C106A-8C3C-4B32-80BF-08B49DDAAB8A} - hxxps://compass.act.org/eCompass/controls/CompassDirectoryUploader.cab
DPF: {8601F281-659E-4336-900D-FEA0DD4ECF9E} - hxxps://compass.act.org/eCompass/controls/ReportCom.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8BA6B955-2701-442D-A628-494125F2FEC5} - hxxps://compass.act.org/EcompassSkin/servlets/LockdownChallengeCTL.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {92A89E16-E319-4786-A975-6DB4F96ADF3C} - hxxps://compass.act.org/eCompass/controls/ACTEWriteLDBridge.CAB
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
DPF: {A8FF0D0E-8B0E-11D7-90CD-00105A1153A1} - hxxps://compass.act.org/eCompass/controls/ValidateAndDownload.CAB
DPF: {AD3C6FBA-A320-4BB4-997A-0BE381C1C7AB} - hxxps://compass.act.org/eCompass/controls/UnitUploader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {BEA32CE4-A994-4F61-93D8-BAD84B1A5C63} - hxxps://compass.act.org/EcompassSkin/servlets/GTWebCDSBridge.CAB
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D48FB3E7-7944-4C6B-865C-431529D7C99E} - hxxps://compass.act.org/eCompass/controls/SSRSaver.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
DPF: {E5C97835-6865-443E-8C33-671D9C71A6D0} - hxxps://www.clientspace.com/download/RapidocsX.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Notify: 744458c9705 - c:\windows\system32\deploytk32.dll
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\deploytk32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\rastusmcnair@basicisp.net\
FF - prefs.js: browser.startup.homepage - www.msn.com
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-12-11 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-11 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-11 138680]
S2 Ca504av;Mega Camera, WDM Video Capture;c:\windows\system32\drivers\ca504av.sys [2009-7-3 516149]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-11 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-11 352920]

=============== Created Last 30 ================

2009-12-17 17:07:26 615 ----a-w- c:\windows\system32\q9L5aFlxAQZRwZz.vbs
2009-12-17 16:53:27 193024 ----a-w- c:\windows\system32\efsadu32.dll
2009-12-17 16:53:25 615 ----a-w- c:\windows\system32\XnnZQJ6.vbs
2009-12-17 14:27:08 193024 ----a-w- c:\windows\system32\ctl3dv232.dll
2009-12-17 14:27:06 615 ----a-w- c:\windows\system32\yfN6TH9R7wKU8.vbs
2009-12-17 13:24:58 615 ----a-w- c:\windows\system32\8EOpqdnZED4Wk.vbs
2009-12-16 13:29:17 193024 ----a-w- c:\windows\system32\dfsshlex32.dll
2009-12-16 13:29:15 615 ----a-w- c:\windows\system32\1VCStDe.vbs
2009-12-15 20:23:02 193024 ----a-w- c:\windows\system32\comaddin32.dll
2009-12-15 20:23:00 615 ----a-w- c:\windows\system32\cRjN5vDZexnmh.vbs
2009-12-15 13:19:09 615 ----a-w- c:\windows\system32\BZLWm.vbs
2009-12-14 21:28:33 193024 ----a-w- c:\windows\system32\dplay32.dll
2009-12-14 21:28:31 615 ----a-w- c:\windows\system32\RkTlM.vbs
2009-12-14 18:39:41 193024 ----a-w- c:\windows\system32\EqnClass32.dll
2009-12-14 18:39:40 615 ----a-w- c:\windows\system32\1pQcrpuUoUEawBd.vbs
2009-12-14 18:11:36 193024 ----a-w- c:\windows\system32\dhcpmon32.dll
2009-12-14 18:11:34 615 ----a-w- c:\windows\system32\rPq98EMgMiGG3Rw.vbs
2009-12-14 17:54:06 0 dc-h--w- c:\windows\ie8
2009-12-14 16:33:53 193024 ----a-w- c:\windows\system32\ff_samplerate32.dll
2009-12-14 16:33:51 615 ----a-w- c:\windows\system32\1zsrz.vbs
2009-12-11 22:04:24 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-12-11 20:32:39 0 d-----w- c:\program files\YourWare Solutions
2009-12-11 17:40:04 741888 --sha-w- c:\windows\system32\247.tmp
2009-12-10 16:03:58 69 ----a-w- C:\xcrashdump.dat
2009-12-10 13:20:25 192000 ----a-w- c:\windows\system32\dfrgui32.dll
2009-12-09 15:12:16 264 ----a-w- c:\windows\wininit.ini
2009-12-09 13:46:46 192000 ----a-w- c:\windows\system32\GEARAspi32.dll
2009-12-09 13:18:46 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-08 20:04:46 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-12-08 20:04:19 0 d-----w- c:\program files\Lavasoft
2009-12-08 19:31:38 0 d--h--w- C:\$AVG
2009-12-08 19:29:16 0 d-----w- c:\program files\AVG
2009-12-08 19:29:12 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-12-08 16:13:46 2835 ----a-w- c:\windows\GnuHashes.ini
2009-12-08 1634 1150 --sha-w- c:\windows\system32\605292697
2009-12-08 1632 817 ----a-w- c:\windows\system32\1950636233
2009-12-08 16:05:40 0 d-sh--w- c:\windows\system32\SysWoW32
2009-12-08 16:04:09 203776 --sh--w- c:\windows\system32\unrar.exe
2009-12-08 16:04:09 0 d-----w- c:\windows\system32\1182154670
2009-12-08 16:03:42 741888 --sha-w- c:\windows\system32\1DB.tmp
2009-12-08 16:03:39 121856 ----a-w- c:\windows\system32\deploytk32.dll
2009-11-23 13:43:34 0 d-----w- c:\program files\PokerStars
2009-11-20 21:12:18 0 d-----w- C:\dell
2009-11-20 13:20:10 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-08 19:57:02 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 19:57:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 19:56:56 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-06 12:36:50 152904 ----a-w- c:\windows\system32\vghd.scr
2009-09-21 12:10:23 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-09-21 12:10:23 348160 ----a-w- c:\windows\system32\msvcr71.dll
2008-03-11 19:05:32 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-06-10 19:42:34 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008061020080611\index.dat

============= FINISH: 12:43:26.59 ===============



I do have an OEM Windows XP Pro SP2 install disk if needed.


Thanks!
Attached Files
File Type: zip ATTACH.ZIP (4.5 KB, 7 views)

-- RastusMcNair
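A small defender-side check added here (it is not from the original post and not part of the DDS tool): it parses the "Created Last 30" section of the log above and flags the two patterns a helper would look for, clusters of same-size files with random names in system32, and .vbs/.dll pairs written seconds apart. The sample lines are copied from the log above plus one line with a deliberately garbled timestamp; the 3-second window and the 3-file threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a subset of the "Created Last 30" lines from the DDS log above,
# plus one line with a garbled timestamp (hour and minute run together) that the
# parser must skip rather than crash on.
SAMPLE = r"""
2009-12-17 17:07:26 615 ----a-w- c:\windows\system32\q9L5aFlxAQZRwZz.vbs
2009-12-17 16:53:27 193024 ----a-w- c:\windows\system32\efsadu32.dll
2009-12-17 16:53:25 615 ----a-w- c:\windows\system32\XnnZQJ6.vbs
2009-12-17 14:27:08 193024 ----a-w- c:\windows\system32\ctl3dv232.dll
2009-12-17 14:27:06 615 ----a-w- c:\windows\system32\yfN6TH9R7wKU8.vbs
2009-12-16 13:29:17 193024 ----a-w- c:\windows\system32\dfsshlex32.dll
2009-12-16 13:29:15 615 ----a-w- c:\windows\system32\1VCStDe.vbs
2009-12-11 22:04:24 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-12-08 1634 1150 --sha-w- c:\windows\system32\605292697
2009-12-08 16:03:39 121856 ----a-w- c:\windows\system32\deploytk32.dll
"""

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S+) (.+)$")

def parse(text):
    """Return (timestamp, size, path) tuples; lines not in the DDS layout are skipped."""
    out = []
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if m:
            out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                        int(m.group(2)), m.group(4)))
    return out

def size_clusters(entries, min_count=3):
    """Group by (size, extension). A dropper that reinstalls itself under fresh random
    names leaves several files of identical size and type; flag groups of min_count+."""
    groups = defaultdict(list)
    for _, size, path in entries:
        groups[(size, path.rsplit(".", 1)[-1])].append(path.rsplit("\\", 1)[-1])
    return {k: v for k, v in groups.items() if len(v) >= min_count}

def drop_pairs(entries, window=timedelta(seconds=3)):
    """Pair every .vbs with a .dll written within `window` of it: the script and the
    library it installs are created together, so their timestamps sit seconds apart."""
    dlls = [(ts, p) for ts, _, p in entries if p.endswith(".dll")]
    pairs = []
    for ts, _, path in entries:
        if path.endswith(".vbs"):
            for dts, dpath in dlls:
                if abs(dts - ts) <= window:
                    pairs.append((path.rsplit("\\", 1)[-1], dpath.rsplit("\\", 1)[-1]))
    return pairs
```

Running `size_clusters(parse(SAMPLE))` and `drop_pairs(parse(SAMPLE))` on the full "Created Last 30" section of the log gives the same kind of result on a larger scale: every 193024-byte DLL has a 615-byte .vbs written two seconds before it.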
Old 12-17-2009, 12:40 PM   #2
Registered Member
 
Join Date: Sep 2009
Posts: 2
OS: XP Pro



Most of the similar threads suggest running ComboFix, so here that is too.
Attached Files
File Type: zip COMBOFIX.ZIP (5.6 KB, 12 views)
-- RastusMcNair