Hijack / Redirects / Bot Detected

5 replies to this topic

#1 rjind

Posted 02 October 2010 - 07:13 PM

I have been fighting this battle for about a month and am giving up. I need help.

I had an infection of Win32 Pretty Park.B. I still find it from time to time. I have deleted large sections of information that I don't use any more. The worm was hiding in archived emails and the like. It is possible that I still have it.

At times .exe files have been disabled. When it works, IE has pop-ups (Consumer News is one site) that won't let me navigate away. I have to kill the process. Firefox also has similar issues. Every time I run an exe file (any application, task manager, the like), a new tab opens with a redirect. Google searches are redirected.

I have scoured the registry and can't manually find this.

I have been using mainly TrendMicro tools, but also ESET and others. RUBotted tells me that I am.

Here is the TCPView log.


I see that there is even a connection to facebook. LOL I don't even have an account. I don't know what else I am supposed to post, so hopefully that gets us started. Thank you in advance for the help.
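As an added example (not code from the thread or from any tool it mentions), a small parser for TCPView text exports that counts, per process, the distinct non-local hosts with a live HTTP/HTTPS session, and flags the pattern seen in the OP's log: a single svchost.exe instance holding sessions to dozens of distinct hosts, many of them ad networks, while the browser itself holds a handful. The sample lines, the example.* hostnames, the local-host filter and the two limits are constructed assumptions.

```python
# Added example, not code from the thread: parse a TCPView text export (one
# connection per line: process, PID, protocol, local port, remote host, remote
# port, state, optional counters) and flag processes fanning out to many web hosts.
# SAMPLE is constructed with example.* hosts; the limits are assumed values.
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<proc>\[[^\]]+\]|\S+)\s+(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<lport>\S+)\s+(?P<rhost>\S+)\s+(?P<rport>\S+)(?:\s+(?P<state>[A-Z_]+))?"
)
WEB_PORTS = {"http", "https", "80", "443"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "0", "*"}
LIVE_STATES = {"ESTABLISHED", "CLOSE_WAIT", "LAST_ACK"}  # open or half-closed

SAMPLE = """\
[System Process] 0 TCP 4313 203.0.113.10:http http TIME_WAIT 1 782
firefox.exe 3432 TCP 3369 localhost 3370 ESTABLISHED 8 8
firefox.exe 3432 TCP 4210 www.example.com http ESTABLISHED 14 12,740 14 4,592
svchost.exe 3132 UDP ntp * *
svchost.exe 3132 TCP 4323 ads1.example.net http ESTABLISHED 36 42,393 491 2,753,579
svchost.exe 3132 TCP 4354 ads2.example.net http ESTABLISHED 4 3,518 7 3,701
svchost.exe 3132 TCP 4475 video.example.org http ESTABLISHED 11 11,201 13 14,164
svchost.exe 3132 TCP 4508 exchange.example.org http LAST_ACK 2 1,787 2 924
svchost.exe 3132 TCP 4648 cdn.example.net https ESTABLISHED 3 1,817 11 31,595
scanner.exe 964 TCP 4305 updates.example.com https ESTABLISHED 5 4,276 8 1,115
"""

def parse(text):
    """Yield (process, pid, remote_host, remote_port, state) per parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # header lines and anything rendered differently are skipped
            # TCPView may render the host as host:service; keep only the host.
            host = re.sub(r":(https?|\d+)$", "", m["rhost"])
            yield m["proc"], int(m["pid"]), host, m["rport"], m["state"] or ""

def web_hosts_by_process(text):
    """Map (process, pid) -> number of distinct non-local hosts with a live web session."""
    hosts = defaultdict(set)
    for proc, pid, host, rport, state in parse(text):
        if host not in LOCAL_HOSTS and rport in WEB_PORTS and state in LIVE_STATES:
            hosts[(proc, pid)].add(host)
    return {key: len(v) for key, v in hosts.items()}

def suspicious(text, browser_limit=25, service_limit=3):
    """(process, pid, hosts) over its limit, most hosts first; svchost.exe gets the stricter one."""
    flagged = []
    for (proc, pid), n in web_hosts_by_process(text).items():
        limit = service_limit if proc.lower() == "svchost.exe" else browser_limit
        if n > limit:
            flagged.append((proc, pid, n))
    return sorted(flagged, key=lambda t: -t[2])
```

Feed it a saved TCPView export to get the same per-process fan-out summary; the limits are starting points to tune against a known-clean machine, not fixed rules.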

#2 rjind

  • Topic Starter


Posted 02 October 2010 - 07:20 PM

Maybe I should add, too, that it disables my sound drivers. Odd.

#3 rjind

  • Topic Starter


Posted 02 October 2010 - 09:58 PM

As I was reading over other posts, I see that I didn't state OS: Windows XP. Also, svchost.exe is the process that hogs CPU/Memory when RUBotted alerts me of an attack. It opens Acrobat Reader and Outlook, as well. Just the process, not the GUI for the application. I'm really hoping that someone can help me. I help my parents out with their business, by updating their web stuff. My computer won't allow me to do this at the moment with the CPU hogging and all. I use an old photo editor for that work that I no longer have on disc. If it were not for that one program file, I would reinstall Windows and start over. However, this program saves me half the time it takes with other photo editors, due to its simple interface. So maybe rather than help with the current problem, I should be looking for some way to port that program to a clean install.

#4 Grinler

  • Admin

Posted 03 October 2010 - 09:41 AM

This appears to be a malware infection rather than a hack. I suggest you follow the steps here:

http://www.bleepingcomputer.com/forums/topic34773.html

#5 rjind

  • Topic Starter


Posted 03 October 2010 - 07:12 PM

I am guessing that I am supposed to start a new topic in the malware section. Please let me know if I am incorrect.

#6 boopme

  • Global Moderator

Posted 03 October 2010 - 07:46 PM

Yes, as explained in step 9 of that guide, thanks.