
Possible infection/hacking


This topic is locked
2 replies to this topic

#1 KeithVaz (Members, 1 posts)

Posted 27 April 2009 - 06:46 AM

In response to recent security concerns, I had a shop re-install XP, then I installed an AV, a couple of anti-spyware programs and Zone Alarm Free firewall.

ZA initially worked fine with settings set to High, but then one time I couldn't connect to a wireless network which I had previously used without a problem. I had the same problem with a second network which I had also used with settings on High.

After restarting the modem and trying other things without success, I reduced the settings to Medium, and this allowed me to connect. A couple days later I happened to open My Network Places, and saw about 10-20 folders in there. All of them disappeared after a second or two except one called Administrator, which disappeared after about another second.

There was, or should have been, nobody else on the network at the time - I was the only person in that building. The day after this incident, I was able to connect to the same network, and the other one that I had had issues with, with the security settings on High. I have frequently opened My Network Places since this incident, with the ZA at various settings or even switched off, and nothing has shown up.

I have two DHCP servers and a Loopback adapter in my Trusted Zone, and nothing else. The internet is working fine now.

I am not sure if there is anything suspicious in the ZA logs. On the date I noticed the folders in my Network Places, xpnetdiag.exe accessed three times (outgoing), twice to one IP address and once to a different one. The first two were to Loopback and the third was to www159.mysearch.com. ZA's zlclient.exe also connected to www159.mysearch.com twice. But that wasn't the first time I connected to that network, so maybe any unauthorised access would have been earlier so would be in a different place in the records?

What are the possible explanations for seeing all of those network places? It seems very unusual. Could it have been someone linking to my network remotely (e.g. from another country)?

Someone at the ZA forum suggested I "may not be hacked, but there is an infection or malware present on your computer" and I should post here.


DDS (Ver_09-03-16.01) - NTFSx86
Run by User at 18:19:08.93 on Mon 04/27/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.874.66.1033.18.2038.772 [GMT 7:00]

AV: avast! antivirus 4.8.1335 [VPS 090426-0] *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Adobe InDesign CS4\InDesign.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\SIMTCNGN\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = https://www.google.com/accounts/ServiceLogi...l%2F%3Fhl%3Den%26tab%3Dwm%26ui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2&hl=en
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SnoopFreeUI] SnoopFreeUI.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {77227884-AD52-44BE-80D9-18397B4132E3} = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\zdxz5np8.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?passive=true&go=true&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3F&hl=en&service=mail&ss=1&ltmpl=default&fss=1
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll

============= SERVICES / DRIVERS ===============

R0 SnoopFree;SnoopFree Driver;c:\windows\system32\drivers\SnopFree.sys [2009-4-8 9472]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-8 114768]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-4-8 127768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-2-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-4-8 394952]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};c:\program files\cyberlink\powerdvd\000.fcl [2007-9-19 41456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-8 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-4-8 138680]
R2 SnoopFreeSvc;Snoop Free Service;System32\SnoopFreeSvc.exe --> System32\SnoopFreeSvc.exe [?]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-4-8 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-4-8 352920]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-04-27 17:46 151,552 a------- c:\windows\system32\SSCoInst.exe
2009-04-27 17:46 57,344 a------- c:\windows\system32\SSCoInst.dll
2009-04-27 17:46 20,622 a------- c:\windows\system32\SUGS2LMK.DLL
2009-04-27 17:46 604 a------- c:\windows\system32\SUGS2LMK.SMT
2009-04-27 17:46 208,896 -------- c:\windows\system32\SSRemove.exe
2009-04-27 17:46 8,478 -------- c:\windows\system32\SP119.ICO
2009-04-27 17:46 41,984 -------- c:\windows\system32\drivers\DGIVECP.SYS
2009-04-27 17:46 <DIR> --d----- c:\windows\Samsung
2009-04-27 17:44 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-04-27 17:44 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-04-26 14:28 <DIR> --d----- c:\program files\GRETECH
2009-04-26 14:21 1,498,560 a------- c:\windows\system32\igkrng400.bin
2009-04-26 14:21 155,648 a------- c:\windows\system32\igfxCoIn_v5029.dll
2009-04-21 11:29 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-04-21 11:29 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-04-21 11:28 <DIR> --d----- c:\program files\iPod
2009-04-21 11:28 <DIR> --d----- c:\program files\iTunes
2009-04-21 11:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-21 11:28 <DIR> --d----- c:\program files\Bonjour
2009-04-21 11:01 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-21 11:01 1,409 a------- c:\windows\QTFont.for
2009-04-19 15:52 <DIR> --d----- c:\program files\uTorrent
2009-04-19 15:51 <DIR> --d----- c:\docume~1\user\applic~1\uTorrent
2009-04-16 16:18 <DIR> --d----- c:\program files\common files\Adobe Systems Shared
2009-04-14 11:47 0 a------- c:\windows\Kruptos.INI
2009-04-13 13:29 <DIR> --d----- c:\program files\Kruptos
2009-04-11 19:53 <DIR> --dsh--- c:\documents and settings\user\IECompatCache
2009-04-09 15:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-08 01:35 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-08 01:35 <DIR> --d----- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2009-04-08 01:35 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-08 01:34 221,184 a------- c:\windows\SnoopFreeUI.exe
2009-04-08 01:34 90,112 a------- c:\windows\system32\SnoopFreeSvc.exe
2009-04-08 01:34 45,056 a------- c:\windows\SnoopFreeDll.dll
2009-04-08 01:34 9,472 a------- c:\windows\system32\drivers\SnopFree.sys
2009-04-08 01:19 5,562,400 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-08 01:19 67,328 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-08 01:17 <DIR> --d----- c:\program files\ZoneAlarmSB
2009-04-08 01:16 4,212 ----h--- c:\windows\system32\zllictbl.dat
2009-04-08 01:16 75,248 a------- c:\windows\zllsputility.exe
2009-04-08 01:16 11,264 a------- c:\windows\system32\SpOrder.dll
2009-04-08 01:15 1,086,952 a------- c:\windows\system32\zpeng24.dll
2009-04-08 01:15 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-04-08 01:15 <DIR> --d----- c:\program files\Zone Labs
2009-04-08 01:15 352,918 a------- c:\windows\system32\vsconfig.xml
2009-04-08 01:14 <DIR> --d----- c:\windows\Internet Logs
2009-04-08 01:12 <DIR> --dsh--- c:\documents and settings\user\PrivacIE
2009-04-08 01:11 <DIR> --dsh--- c:\documents and settings\user\IETldCache
2009-04-08 01:09 <DIR> -cd-h--- c:\windows\ie8
2009-04-07 21:13 <DIR> --dsh--- c:\documents and settings\user\UserData
2009-04-07 15:42 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-04-07 15:42 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-04-07 15:42 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-04-07 15:42 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-04-07 15:14 32,592 a------- c:\windows\system32\msonpmon.dll
2009-04-07 13:16 45,392 a----r-- c:\windows\system32\AdobePDF.dll
2009-04-07 13:16 22,872 a----r-- c:\windows\system32\AdobePDFUI.dll
2009-04-07 13:04 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-04-07 12:48 <DIR> --d----- c:\windows\ServicePackFiles
2009-04-07 12:45 19,569 a------- c:\windows\002891_.tmp
2009-04-06 19:47 2,463,976 a------- c:\windows\system32\NPSWF32.dll
2009-04-06 19:47 190,696 a------- c:\windows\system32\NPSWF32_FlashUtil.exe
2009-04-06 19:07 <DIR> --d----- c:\windows\system32\appmgmt

==================== Find3M ====================

2009-04-07 12:52 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-02-12 08:27 993,816 a------- c:\windows\system32\igxpun.exe

============= FINISH: 18:19:56.37 ===============



#2 Baabiouz (Finnish Malware Fighter; Members, 3,355 posts; Location: Finland)

Posted 10 May 2009 - 04:12 AM

Hello

Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks, and again sorry for the delay.

Before we can continue, please post a fresh DDS log back here.

#3 Baabiouz (Finnish Malware Fighter; Members, 3,355 posts; Location: Finland)

Posted 14 May 2009 - 11:09 AM

This thread will now be closed.
If you need this topic reopened, please contact me.

This applies only to the original topic starter.
Everyone else please begin a New Topic.