
Hijacked? or Virus?



#1 boston617

Posted 21 February 2009 - 10:13 PM

DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 22:07:55.32 on Sat 02/21/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.495 [GMT -5:00]

AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated)
FW: ESET Personal firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\shvhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: AutorunsDisabled - No File
BHO: {721a0c49-a05a-41f4-bd3f-8609a5e1796c} - No File
BHO: {090ef754-8c8e-9c38-b884-1ca10d78506a}: {a60587d0-1ac1-488b-83c9-e8c8457fe090} - c:\windows\system32\usumgc.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: {7C5C0F58-E061-457D-9033-77307F5ED00C} - No File
TB: {61539ECD-CC67-4437-A03C-9AACCBD14326} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [Windows Services] shvhost.exe
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: &NeoTrace It! - c:\progra~1\neotracepro\NTXcontext.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202677008670
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202684780843
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
AppInit_DLLs: usumgc.dll c:\windows\system32\diwerovi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = scecli s t e m 3 2 \ h u n u n i h u . d l l

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\1kcoxwcq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?q=&ctid=CT1640187&SearchSource=2
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\1kcoxwcq.default\extensions\{7c5c0f58-e061-457d-9033-77307f5ed00c}\components\FFAlert.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 DLADiagN;DLADiagN;c:\windows\system32\drivers\DLADiagN.SYS [2008-10-1 10908]
R1 DLAPMonN;DLAPMonN;c:\windows\system32\drivers\DLAPMonN.SYS [2008-10-1 22812]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2008-7-11 33824]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2008-10-24 468224]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-30 24652]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-9-22 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-9-22 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-9-22 42112]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-02-21 21:13 19 a------- c:\documents and settings\owner\Bleepingcomputer.com
2009-02-20 21:57 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-02-20 21:56 <DIR> --d----- c:\documents and settings\owner\.housecall6.6
2009-02-20 21:10 49,244 a------- C:\autoruns.chm
2009-02-20 21:10 540,032 a------- C:\autorunsc.exe
2009-02-20 21:10 647,552 a------- C:\autoruns.exe
2009-02-20 19:37 <DIR> --d----- C:\finalburner
2009-02-20 19:36 <DIR> --d----- c:\program files\FinalBurner
2009-02-20 18:04 1,608,251 ---sh--- c:\windows\system32\ovamowek.ini
2009-02-20 18:04 129,024 a--sh--- c:\windows\system32\usumgc.dll
2009-02-11 17:49 <DIR> --d----- c:\docume~1\owner\applic~1\Propellerhead Software
2009-02-11 17:49 233,472 a--s---- c:\windows\system32\REX Shared Library.dll
2009-02-11 17:33 118 a------- c:\windows\system32\MRT.INI
2009-02-11 17:29 <DIR> --d----- c:\windows\SQLTools9_KB960089_ENU
2009-02-11 17:26 <DIR> --d----- c:\windows\SQL9_KB960089_ENU
2009-02-10 19:13 42,320 ac------ c:\windows\system32\xfcodec.dll
2009-02-03 12:59 <DIR> --d----- C:\.rockbox
2009-01-29 19:37 82,455 ---shr-- c:\windows\shvhost.exe
2009-01-29 19:08 <DIR> a-d----- C:\ipod
2009-01-27 11:42 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-01-27 11:42 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-01-27 11:41 <DIR> --d----- c:\program files\iPod
2009-01-27 11:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

==================== Find3M ====================

2009-02-20 18:04 129,024 a--sh--- c:\windows\system32\yiyawefo.dll
2009-01-16 10:42 33,824 ac------ c:\windows\system32\drivers\oreans32.sys
2008-12-27 19:59 410,984 ac------ c:\windows\system32\deploytk.dll
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-10-05 17:22 125 ac------ c:\documents and settings\owner\ipchange.bat
2008-06-07 10:43 22,328 ac------ c:\docume~1\owner\applic~1\PnkBstrK.sys
2008-04-10 19:14 61,440 ac------ c:\documents and settings\owner\GoToAssistDownloadHelper.exe
2004-07-22 09:51 3,432,656 ac------ c:\program files\ManagedDX.CAB
2004-07-19 21:58 1,156,363 ac------ c:\program files\BDANT.cab
2004-07-19 21:53 976,020 ac------ c:\program files\BDAXP.cab
2004-07-09 13:17 13,265,040 ac------ c:\program files\dxnt.cab
2004-07-09 08:13 15,493,481 ac------ c:\program files\DirectX.cab
2004-07-09 08:13 703,080 ac------ c:\program files\BDA.cab
2004-07-09 03:08 472,576 ac------ c:\program files\dxsetup.exe
2004-07-09 03:08 2,242,560 ac------ c:\program files\dsetup32.dll
2004-07-09 02:03 62,976 ac------ c:\program files\DSETUP.dll
2008-10-29 15:49 82,455 ---shr-- c:\windows\shvhost.exe
1999-04-23 17:22 12 a--sh--- c:\windows\system\WININETICMP32.drv
2008-09-04 15:30 32,768 ac-sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2008-09-04 15:30 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-05-14 15:46 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051420080515\index.dat
2008-09-04 15:30 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090420080905\index.dat
2008-09-04 15:30 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 22:08:32.21 ===============


#2 shelf life (Malware Response Team)

Posted 03 March 2009 - 06:33 PM

hi boston617,

Your log is several days old. Still need help? Do this:
We will get a download to use. It's called ComboFix. There is a guide to read first. Read through the guide. Download ComboFix to your desktop, disable any AV as explained in the guide, double-click the icon and follow the prompts. Post the log in reply.

The guide:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

How Can I Reduce My Risk to Malware?